Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
08/01/2025, 07:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe
-
Size
454KB
-
MD5
7570ea9a3cfbcac336ddc77fa7f781db
-
SHA1
549c44b407e917713dc70a141173d4505adef6e3
-
SHA256
8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142
-
SHA512
329019af00a32a09dd687b6cf2bcf631696ced0384932d6d912d6487bc593971f01ac576df3f89eed20fba5c2f1cfaea6b4a26d17e3d8040e15adcf0f65008e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2012-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-65-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2856-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-75-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2436-114-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2436-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-125-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1204-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-161-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1620-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1116-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2180-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-654-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2944-1195-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1488-1272-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2300-989-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2084-916-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/444-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-662-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2612-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2064-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1556 nbtbhh.exe 2696 hbtbbn.exe 2064 hbtbth.exe 2256 hhhtnn.exe 2808 pjddj.exe 2736 xlxxrrf.exe 2856 3nbnhn.exe 2936 jpvdj.exe 2668 flfrrxl.exe 2664 3nnttb.exe 2436 lfrrfxl.exe 1716 bnhhnb.exe 2908 dpjjp.exe 1204 ffxlrfr.exe 704 jjjvd.exe 2116 jdvjv.exe 2076 ntntbn.exe 1620 5ppdj.exe 2336 xffllrl.exe 2128 3nnbhn.exe 1848 ddppd.exe 2588 fxlxflx.exe 1116 hhbbhh.exe 848 pjjdj.exe 2920 1xrxflf.exe 2496 hhbnbn.exe 3024 vjpvj.exe 2032 9lflxlr.exe 1272 vpdvd.exe 1696 xlxxxxl.exe 2408 nhnnhn.exe 2012 vjvdd.exe 1788 7frxlrx.exe 1588 7hbhhn.exe 2252 tnnbnh.exe 2064 7jjdp.exe 2256 xxlrrfr.exe 2808 xrffflx.exe 2220 hbbhht.exe 2736 vvjdp.exe 2860 lfllxxf.exe 2820 rrlrlrr.exe 2632 nhhhnt.exe 2684 pdpvd.exe 2928 jdjdp.exe 1488 xrrlxxl.exe 2948 hbtbnb.exe 2840 tntbtn.exe 1080 vpdpd.exe 1136 jddpd.exe 1692 xrllxxf.exe 2896 xlxflrf.exe 1572 nhtbnb.exe 1244 9dvdd.exe 1108 dvjpv.exe 1284 xlrfrrr.exe 2180 tbbtnb.exe 1904 htnhtt.exe 2964 pjvdd.exe 2208 pjvdv.exe 756 rlrxxfl.exe 2592 nnbthh.exe 692 tnnbhh.exe 1860 5pdvp.exe -
resource yara_rule behavioral1/memory/2012-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-1272-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2300-1263-0x0000000000430000-0x000000000045A000-memory.dmp upx 
behavioral1/memory/1136-1221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-989-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/636-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-37-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001, System Language Discovery; here observed as reads of the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key). Note that the many "Process not Found" entries below most likely mean the sandbox could not resolve the accessing PID to an image name — typically because the short-lived dropped executable had already exited — not that the registry access failed; treat the resolved names (e.g. pjvjp.exe, 3vdjd.exe, dvpjd.exe) as the reliable attributions.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rflffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 1556 2012 8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe 30 PID 2012 wrote to memory of 1556 2012 8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe 30 PID 2012 wrote to memory of 1556 2012 8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe 30 PID 2012 wrote to memory of 1556 2012 8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe 30 PID 1556 wrote to memory of 2696 1556 nbtbhh.exe 324 PID 1556 wrote to memory of 2696 1556 nbtbhh.exe 324 PID 1556 wrote to memory of 2696 1556 nbtbhh.exe 324 PID 1556 wrote to memory of 2696 1556 nbtbhh.exe 324 PID 2696 wrote to memory of 2064 2696 hbtbbn.exe 890 PID 2696 wrote to memory of 2064 2696 hbtbbn.exe 890 PID 2696 wrote to memory of 2064 2696 hbtbbn.exe 890 PID 2696 wrote to memory of 2064 2696 hbtbbn.exe 890 PID 2064 wrote to memory of 2256 2064 hbtbth.exe 33 PID 2064 wrote to memory of 2256 2064 hbtbth.exe 33 PID 2064 wrote to memory of 2256 2064 hbtbth.exe 33 PID 2064 wrote to memory of 2256 2064 hbtbth.exe 33 PID 2256 wrote to memory of 2808 2256 hhhtnn.exe 67 PID 2256 wrote to memory of 2808 2256 hhhtnn.exe 67 PID 2256 wrote to memory of 2808 2256 hhhtnn.exe 67 PID 2256 wrote to memory of 2808 2256 hhhtnn.exe 67 PID 2808 wrote to memory of 2736 2808 pjddj.exe 35 PID 2808 wrote to memory of 2736 2808 pjddj.exe 35 PID 2808 wrote to memory of 2736 2808 pjddj.exe 35 PID 2808 wrote to memory of 2736 2808 pjddj.exe 35 PID 2736 wrote to memory of 2856 2736 xlxxrrf.exe 113 PID 2736 wrote to memory of 2856 2736 xlxxrrf.exe 113 PID 2736 wrote to memory of 2856 2736 xlxxrrf.exe 113 PID 2736 wrote to memory of 2856 2736 xlxxrrf.exe 113 PID 2856 wrote to memory of 2936 2856 3nbnhn.exe 37 PID 2856 wrote to memory of 2936 2856 3nbnhn.exe 37 PID 2856 wrote to memory of 2936 2856 3nbnhn.exe 37 PID 2856 wrote to memory of 2936 2856 3nbnhn.exe 37 PID 2936 wrote to memory of 2668 2936 jpvdj.exe 335 
PID 2936 wrote to memory of 2668 2936 jpvdj.exe 335 PID 2936 wrote to memory of 2668 2936 jpvdj.exe 335 PID 2936 wrote to memory of 2668 2936 jpvdj.exe 335 PID 2668 wrote to memory of 2664 2668 flfrrxl.exe 161 PID 2668 wrote to memory of 2664 2668 flfrrxl.exe 161 PID 2668 wrote to memory of 2664 2668 flfrrxl.exe 161 PID 2668 wrote to memory of 2664 2668 flfrrxl.exe 161 PID 2664 wrote to memory of 2436 2664 3nnttb.exe 511 PID 2664 wrote to memory of 2436 2664 3nnttb.exe 511 PID 2664 wrote to memory of 2436 2664 3nnttb.exe 511 PID 2664 wrote to memory of 2436 2664 3nnttb.exe 511 PID 2436 wrote to memory of 1716 2436 lfrrfxl.exe 162 PID 2436 wrote to memory of 1716 2436 lfrrfxl.exe 162 PID 2436 wrote to memory of 1716 2436 lfrrfxl.exe 162 PID 2436 wrote to memory of 1716 2436 lfrrfxl.exe 162 PID 1716 wrote to memory of 2908 1716 bnhhnb.exe 121 PID 1716 wrote to memory of 2908 1716 bnhhnb.exe 121 PID 1716 wrote to memory of 2908 1716 bnhhnb.exe 121 PID 1716 wrote to memory of 2908 1716 bnhhnb.exe 121 PID 2908 wrote to memory of 1204 2908 dpjjp.exe 43 PID 2908 wrote to memory of 1204 2908 dpjjp.exe 43 PID 2908 wrote to memory of 1204 2908 dpjjp.exe 43 PID 2908 wrote to memory of 1204 2908 dpjjp.exe 43 PID 1204 wrote to memory of 704 1204 ffxlrfr.exe 44 PID 1204 wrote to memory of 704 1204 ffxlrfr.exe 44 PID 1204 wrote to memory of 704 1204 ffxlrfr.exe 44 PID 1204 wrote to memory of 704 1204 ffxlrfr.exe 44 PID 704 wrote to memory of 2116 704 jjjvd.exe 864 PID 704 wrote to memory of 2116 704 jjjvd.exe 864 PID 704 wrote to memory of 2116 704 jjjvd.exe 864 PID 704 wrote to memory of 2116 704 jjjvd.exe 864
Processes (note for triage: several PIDs recur later in the chain — e.g. 2012, 2064, 2256, 2808, 2736, 2856, 2908 and 1116 — because Windows reuses the PIDs of processes that have already exited; correlate events on image name and parent/child order rather than on PID alone, and expect the same 0x400000-0x42A000 UPX/Blackmoon memory region in each successive dropped executable)
-
C:\Users\Admin\AppData\Local\Temp\8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe"C:\Users\Admin\AppData\Local\Temp\8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\nbtbhh.exec:\nbtbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\hbtbbn.exec:\hbtbbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\hbtbth.exec:\hbtbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\hhhtnn.exec:\hhhtnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\pjddj.exec:\pjddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\xlxxrrf.exec:\xlxxrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\3nbnhn.exec:\3nbnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\jpvdj.exec:\jpvdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\flfrrxl.exec:\flfrrxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\3nnttb.exec:\3nnttb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\lfrrfxl.exec:\lfrrfxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\bnhhnb.exec:\bnhhnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\dpjjp.exec:\dpjjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\ffxlrfr.exec:\ffxlrfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\jjjvd.exec:\jjjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\jdvjv.exec:\jdvjv.exe17⤵
- Executes dropped EXE
PID:2116 -
\??\c:\ntntbn.exec:\ntntbn.exe18⤵
- Executes dropped EXE
PID:2076 -
\??\c:\5ppdj.exec:\5ppdj.exe19⤵
- Executes dropped EXE
PID:1620 -
\??\c:\xffllrl.exec:\xffllrl.exe20⤵
- Executes dropped EXE
PID:2336 -
\??\c:\3nnbhn.exec:\3nnbhn.exe21⤵
- Executes dropped EXE
PID:2128 -
\??\c:\ddppd.exec:\ddppd.exe22⤵
- Executes dropped EXE
PID:1848 -
\??\c:\fxlxflx.exec:\fxlxflx.exe23⤵
- Executes dropped EXE
PID:2588 -
\??\c:\hhbbhh.exec:\hhbbhh.exe24⤵
- Executes dropped EXE
PID:1116 -
\??\c:\pjjdj.exec:\pjjdj.exe25⤵
- Executes dropped EXE
PID:848 -
\??\c:\1xrxflf.exec:\1xrxflf.exe26⤵
- Executes dropped EXE
PID:2920 -
\??\c:\hhbnbn.exec:\hhbnbn.exe27⤵
- Executes dropped EXE
PID:2496 -
\??\c:\vjpvj.exec:\vjpvj.exe28⤵
- Executes dropped EXE
PID:3024 -
\??\c:\9lflxlr.exec:\9lflxlr.exe29⤵
- Executes dropped EXE
PID:2032 -
\??\c:\vpdvd.exec:\vpdvd.exe30⤵
- Executes dropped EXE
PID:1272 -
\??\c:\xlxxxxl.exec:\xlxxxxl.exe31⤵
- Executes dropped EXE
PID:1696 -
\??\c:\nhnnhn.exec:\nhnnhn.exe32⤵
- Executes dropped EXE
PID:2408 -
\??\c:\vjvdd.exec:\vjvdd.exe33⤵
- Executes dropped EXE
PID:2012 -
\??\c:\7frxlrx.exec:\7frxlrx.exe34⤵
- Executes dropped EXE
PID:1788 -
\??\c:\7hbhhn.exec:\7hbhhn.exe35⤵
- Executes dropped EXE
PID:1588 -
\??\c:\tnnbnh.exec:\tnnbnh.exe36⤵
- Executes dropped EXE
PID:2252 -
\??\c:\7jjdp.exec:\7jjdp.exe37⤵
- Executes dropped EXE
PID:2064 -
\??\c:\xxlrrfr.exec:\xxlrrfr.exe38⤵
- Executes dropped EXE
PID:2256 -
\??\c:\xrffflx.exec:\xrffflx.exe39⤵
- Executes dropped EXE
PID:2808 -
\??\c:\hbbhht.exec:\hbbhht.exe40⤵
- Executes dropped EXE
PID:2220 -
\??\c:\vvjdp.exec:\vvjdp.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\lfllxxf.exec:\lfllxxf.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\rrlrlrr.exec:\rrlrlrr.exe43⤵
- Executes dropped EXE
PID:2820 -
\??\c:\nhhhnt.exec:\nhhhnt.exe44⤵
- Executes dropped EXE
PID:2632 -
\??\c:\pdpvd.exec:\pdpvd.exe45⤵
- Executes dropped EXE
PID:2684 -
\??\c:\jdjdp.exec:\jdjdp.exe46⤵
- Executes dropped EXE
PID:2928 -
\??\c:\xrrlxxl.exec:\xrrlxxl.exe47⤵
- Executes dropped EXE
PID:1488 -
\??\c:\hbtbnb.exec:\hbtbnb.exe48⤵
- Executes dropped EXE
PID:2948 -
\??\c:\tntbtn.exec:\tntbtn.exe49⤵
- Executes dropped EXE
PID:2840 -
\??\c:\vpdpd.exec:\vpdpd.exe50⤵
- Executes dropped EXE
PID:1080 -
\??\c:\jddpd.exec:\jddpd.exe51⤵
- Executes dropped EXE
PID:1136 -
\??\c:\xrllxxf.exec:\xrllxxf.exe52⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xlxflrf.exec:\xlxflrf.exe53⤵
- Executes dropped EXE
PID:2896 -
\??\c:\nhtbnb.exec:\nhtbnb.exe54⤵
- Executes dropped EXE
PID:1572 -
\??\c:\9dvdd.exec:\9dvdd.exe55⤵
- Executes dropped EXE
PID:1244 -
\??\c:\dvjpv.exec:\dvjpv.exe56⤵
- Executes dropped EXE
PID:1108 -
\??\c:\xlrfrrr.exec:\xlrfrrr.exe57⤵
- Executes dropped EXE
PID:1284 -
\??\c:\tbbtnb.exec:\tbbtnb.exe58⤵
- Executes dropped EXE
PID:2180 -
\??\c:\htnhtt.exec:\htnhtt.exe59⤵
- Executes dropped EXE
PID:1904 -
\??\c:\pjvdd.exec:\pjvdd.exe60⤵
- Executes dropped EXE
PID:2964 -
\??\c:\pjvdv.exec:\pjvdv.exe61⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rlrxxfl.exec:\rlrxxfl.exe62⤵
- Executes dropped EXE
PID:756 -
\??\c:\nnbthh.exec:\nnbthh.exe63⤵
- Executes dropped EXE
PID:2592 -
\??\c:\tnnbhh.exec:\tnnbhh.exe64⤵
- Executes dropped EXE
PID:692 -
\??\c:\5pdvp.exec:\5pdvp.exe65⤵
- Executes dropped EXE
PID:1860 -
\??\c:\5ppdj.exec:\5ppdj.exe66⤵PID:404
-
\??\c:\lrlxlrl.exec:\lrlxlrl.exe67⤵PID:1792
-
\??\c:\1xfxflx.exec:\1xfxflx.exe68⤵PID:1984
-
\??\c:\nbtbhn.exec:\nbtbhn.exe69⤵PID:1596
-
\??\c:\pvvjd.exec:\pvvjd.exe70⤵PID:1912
-
\??\c:\vpjpd.exec:\vpjpd.exe71⤵PID:2052
-
\??\c:\xrfrflx.exec:\xrfrflx.exe72⤵PID:1796
-
\??\c:\frffllr.exec:\frffllr.exe73⤵PID:2016
-
\??\c:\htnbnh.exec:\htnbnh.exe74⤵PID:1720
-
\??\c:\vdvvj.exec:\vdvvj.exe75⤵PID:2988
-
\??\c:\pddjv.exec:\pddjv.exe76⤵PID:2108
-
\??\c:\rxxrlxl.exec:\rxxrlxl.exe77⤵PID:2584
-
\??\c:\hbhhbb.exec:\hbhhbb.exe78⤵PID:1580
-
\??\c:\tbbttt.exec:\tbbttt.exe79⤵PID:2384
-
\??\c:\pjvdv.exec:\pjvdv.exe80⤵PID:1640
-
\??\c:\7vpjj.exec:\7vpjj.exe81⤵PID:2816
-
\??\c:\rlfrfll.exec:\rlfrfll.exe82⤵PID:2756
-
\??\c:\nhhtbh.exec:\nhhtbh.exe83⤵PID:2644
-
\??\c:\btnbnn.exec:\btnbnn.exe84⤵PID:2764
-
\??\c:\jvjvd.exec:\jvjvd.exe85⤵PID:2856
-
\??\c:\ddpvj.exec:\ddpvj.exe86⤵PID:2980
-
\??\c:\5frlxfl.exec:\5frlxfl.exe87⤵PID:2612
-
\??\c:\tbhnnn.exec:\tbhnnn.exe88⤵PID:2944
-
\??\c:\bntbhh.exec:\bntbhh.exe89⤵PID:2344
-
\??\c:\7jdjv.exec:\7jdjv.exe90⤵PID:1536
-
\??\c:\lllrlrr.exec:\lllrlrr.exe91⤵PID:2200
-
\??\c:\7flrlrf.exec:\7flrlrf.exe92⤵PID:2888
-
\??\c:\hntthh.exec:\hntthh.exe93⤵PID:2908
-
\??\c:\hbtthn.exec:\hbtthn.exe94⤵PID:840
-
\??\c:\pppjd.exec:\pppjd.exe95⤵PID:2900
-
\??\c:\rlfflxf.exec:\rlfflxf.exe96⤵PID:1628
-
\??\c:\ffrrxff.exec:\ffrrxff.exe97⤵PID:1328
-
\??\c:\hhbbtn.exec:\hhbbtn.exe98⤵PID:1908
-
\??\c:\hbhhtn.exec:\hbhhtn.exe99⤵PID:1752
-
\??\c:\jdpvd.exec:\jdpvd.exe100⤵PID:1140
-
\??\c:\9pjpp.exec:\9pjpp.exe101⤵PID:2228
-
\??\c:\xlxfffl.exec:\xlxfffl.exe102⤵PID:2292
-
\??\c:\xxrfffl.exec:\xxrfffl.exe103⤵PID:2100
-
\??\c:\bnhhtb.exec:\bnhhtb.exe104⤵PID:980
-
\??\c:\5jppd.exec:\5jppd.exe105⤵PID:1064
-
\??\c:\vpdjv.exec:\vpdjv.exe106⤵PID:1636
-
\??\c:\lrxllrf.exec:\lrxllrf.exe107⤵PID:1116
-
\??\c:\5ffrflf.exec:\5ffrflf.exe108⤵PID:696
-
\??\c:\bhtbnh.exec:\bhtbnh.exe109⤵PID:1532
-
\??\c:\btntbb.exec:\btntbb.exe110⤵PID:2280
-
\??\c:\jdvpd.exec:\jdvpd.exe111⤵PID:1708
-
\??\c:\9pppd.exec:\9pppd.exe112⤵PID:2464
-
\??\c:\fxfflrx.exec:\fxfflrx.exe113⤵PID:280
-
\??\c:\rxxfrrf.exec:\rxxfrrf.exe114⤵PID:444
-
\??\c:\hhttnh.exec:\hhttnh.exe115⤵PID:2416
-
\??\c:\jdvdv.exec:\jdvdv.exe116⤵PID:1704
-
\??\c:\1flrlrf.exec:\1flrlrf.exe117⤵PID:1944
-
\??\c:\lfxfrxl.exec:\lfxfrxl.exe118⤵PID:1548
-
\??\c:\htbbnh.exec:\htbbnh.exe119⤵PID:2372
-
\??\c:\hbbntn.exec:\hbbntn.exe120⤵PID:636
-
\??\c:\jdppv.exec:\jdppv.exe121⤵PID:2248
-
\??\c:\jjjvj.exec:\jjjvj.exe122⤵PID:1292
-