Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
02/11/2024, 22:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe
-
Size
454KB
-
MD5
6c9da21d88244cb781408df9098bb230
-
SHA1
d531aacd9800e304df526c8e8dcad56f18acc9a1
-
SHA256
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3
-
SHA512
167c74891a181137f60fd1ddc9e459fa9618baf7fb01f4cda50a5c727daf9c18325cdb1a6d1c64c42c88485ac1b74dffebde40653b203ab95f6e2ec1685655bf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRa:q7Tc2NYHUrAwfMp3CDRa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2120-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/440-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1860-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-282-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2112-295-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2256-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-299-0x00000000777C0000-0x00000000778DF000-memory.dmp family_blackmoon behavioral1/memory/2800-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-371-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2580-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-397-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1872-405-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1972-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-504-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1436-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/564-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-619-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1972-703-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2880-752-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/660-765-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1268-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1904-839-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1260-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-884-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2764-905-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-922-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1372 xlffrll.exe 2972 rxlxxfx.exe 2124 pdvvd.exe 2168 lxrxffl.exe 2732 5jdpv.exe 2200 xlrlxrl.exe 2752 xllrlxr.exe 3020 nhnnbn.exe 2780 xxlrxrl.exe 2608 nbnhbb.exe 2992 jvpjv.exe 1788 tnbtbb.exe 440 bbtnbt.exe 2076 3pjjv.exe 1008 jjdvj.exe 2840 rrrllll.exe 1860 7vjvp.exe 2868 nnhhbn.exe 2852 fflrlrf.exe 2936 jdpjp.exe 1088 5hnhbh.exe 1228 dvjpv.exe 2236 vdjpv.exe 2824 flffllx.exe 948 jpvvj.exe 1628 rrrlxxl.exe 2444 7vvpp.exe 2432 bhbtnh.exe 2412 rrxxrxx.exe 2464 nbhbbt.exe 2112 9llxrfr.exe 2108 7nhtbb.exe 1084 nntbth.exe 532 pvvvv.exe 2800 7djdp.exe 3044 xrrxfxr.exe 2776 5nnhbh.exe 2732 vvdjj.exe 2832 3xfxlrf.exe 2908 hthbnt.exe 1856 jdddp.exe 2580 rrfrxfr.exe 2528 tbtbht.exe 3024 vdddj.exe 2564 xllllxr.exe 1872 bnnhnh.exe 2052 vpdpv.exe 1972 nttnbn.exe 1960 djjjj.exe 1688 flrxlxr.exe 1592 nttnnb.exe 2632 9vdpv.exe 2820 llfxllr.exe 1864 bnnhtb.exe 2844 9ppdp.exe 2392 xxlxrxr.exe 2216 ttntnt.exe 2808 7jjvj.exe 1556 lxrflxr.exe 1752 tnbtbn.exe 1724 pvvpd.exe 1292 lxlxfrr.exe 736 htbbbn.exe 324 vvvjd.exe -
resource yara_rule behavioral1/memory/2120-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/440-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-282-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2256-301-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2800-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-371-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2580-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-703-0x00000000002C0000-0x00000000002EA000-memory.dmp upx behavioral1/memory/2880-752-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/660-765-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1268-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-824-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1260-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-922-0x00000000002C0000-0x00000000002EA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2120 wrote to memory of 1372 2120 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 31 PID 2120 wrote to memory of 1372 2120 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 31 PID 2120 wrote to memory of 1372 2120 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 31 PID 2120 wrote to memory of 1372 2120 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 31 PID 1372 wrote to memory of 2972 1372 xlffrll.exe 32 PID 1372 wrote to memory of 2972 1372 xlffrll.exe 32 PID 1372 wrote to memory of 2972 1372 xlffrll.exe 32 PID 1372 wrote to memory of 2972 1372 xlffrll.exe 32 PID 2972 wrote to memory of 2124 2972 rxlxxfx.exe 33 PID 2972 wrote to memory of 2124 2972 rxlxxfx.exe 33 PID 2972 wrote to memory of 2124 2972 rxlxxfx.exe 33 PID 2972 wrote to memory of 2124 2972 rxlxxfx.exe 33 PID 2124 wrote to memory of 2168 2124 pdvvd.exe 34 PID 2124 wrote to memory of 2168 2124 pdvvd.exe 34 PID 2124 wrote to memory of 2168 2124 pdvvd.exe 34 PID 2124 wrote to memory of 2168 2124 pdvvd.exe 34 PID 2168 wrote to memory of 2732 2168 lxrxffl.exe 35 PID 2168 wrote to memory of 2732 2168 lxrxffl.exe 35 PID 2168 wrote to memory of 2732 2168 lxrxffl.exe 35 PID 2168 wrote to memory of 2732 2168 lxrxffl.exe 35 PID 2732 wrote to memory of 2200 2732 5jdpv.exe 36 PID 2732 wrote to memory of 2200 2732 5jdpv.exe 36 PID 2732 wrote to memory of 2200 2732 5jdpv.exe 36 PID 2732 wrote to memory of 2200 2732 5jdpv.exe 36 PID 2200 wrote to memory of 2752 2200 xlrlxrl.exe 37 PID 2200 wrote to memory of 2752 2200 xlrlxrl.exe 37 PID 2200 wrote to memory of 2752 2200 xlrlxrl.exe 37 PID 2200 wrote to memory of 2752 2200 xlrlxrl.exe 37 PID 2752 wrote to memory of 3020 2752 xllrlxr.exe 38 PID 2752 wrote to memory of 3020 2752 xllrlxr.exe 38 PID 2752 wrote to memory of 3020 2752 xllrlxr.exe 38 PID 2752 wrote to memory of 3020 2752 xllrlxr.exe 38 PID 3020 wrote to memory of 2780 3020 nhnnbn.exe 
39 PID 3020 wrote to memory of 2780 3020 nhnnbn.exe 39 PID 3020 wrote to memory of 2780 3020 nhnnbn.exe 39 PID 3020 wrote to memory of 2780 3020 nhnnbn.exe 39 PID 2780 wrote to memory of 2608 2780 xxlrxrl.exe 40 PID 2780 wrote to memory of 2608 2780 xxlrxrl.exe 40 PID 2780 wrote to memory of 2608 2780 xxlrxrl.exe 40 PID 2780 wrote to memory of 2608 2780 xxlrxrl.exe 40 PID 2608 wrote to memory of 2992 2608 nbnhbb.exe 41 PID 2608 wrote to memory of 2992 2608 nbnhbb.exe 41 PID 2608 wrote to memory of 2992 2608 nbnhbb.exe 41 PID 2608 wrote to memory of 2992 2608 nbnhbb.exe 41 PID 2992 wrote to memory of 1788 2992 jvpjv.exe 42 PID 2992 wrote to memory of 1788 2992 jvpjv.exe 42 PID 2992 wrote to memory of 1788 2992 jvpjv.exe 42 PID 2992 wrote to memory of 1788 2992 jvpjv.exe 42 PID 1788 wrote to memory of 440 1788 tnbtbb.exe 43 PID 1788 wrote to memory of 440 1788 tnbtbb.exe 43 PID 1788 wrote to memory of 440 1788 tnbtbb.exe 43 PID 1788 wrote to memory of 440 1788 tnbtbb.exe 43 PID 440 wrote to memory of 2076 440 bbtnbt.exe 44 PID 440 wrote to memory of 2076 440 bbtnbt.exe 44 PID 440 wrote to memory of 2076 440 bbtnbt.exe 44 PID 440 wrote to memory of 2076 440 bbtnbt.exe 44 PID 2076 wrote to memory of 1008 2076 3pjjv.exe 45 PID 2076 wrote to memory of 1008 2076 3pjjv.exe 45 PID 2076 wrote to memory of 1008 2076 3pjjv.exe 45 PID 2076 wrote to memory of 1008 2076 3pjjv.exe 45 PID 1008 wrote to memory of 2840 1008 jjdvj.exe 46 PID 1008 wrote to memory of 2840 1008 jjdvj.exe 46 PID 1008 wrote to memory of 2840 1008 jjdvj.exe 46 PID 1008 wrote to memory of 2840 1008 jjdvj.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe"C:\Users\Admin\AppData\Local\Temp\4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\xlffrll.exec:\xlffrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\rxlxxfx.exec:\rxlxxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\pdvvd.exec:\pdvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\lxrxffl.exec:\lxrxffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\5jdpv.exec:\5jdpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\xlrlxrl.exec:\xlrlxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\xllrlxr.exec:\xllrlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\nhnnbn.exec:\nhnnbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\xxlrxrl.exec:\xxlrxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\nbnhbb.exec:\nbnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\jvpjv.exec:\jvpjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\tnbtbb.exec:\tnbtbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\bbtnbt.exec:\bbtnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\3pjjv.exec:\3pjjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\jjdvj.exec:\jjdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\rrrllll.exec:\rrrllll.exe17⤵
- Executes dropped EXE
PID:2840 -
\??\c:\7vjvp.exec:\7vjvp.exe18⤵
- Executes dropped EXE
PID:1860 -
\??\c:\nnhhbn.exec:\nnhhbn.exe19⤵
- Executes dropped EXE
PID:2868 -
\??\c:\fflrlrf.exec:\fflrlrf.exe20⤵
- Executes dropped EXE
PID:2852 -
\??\c:\jdpjp.exec:\jdpjp.exe21⤵
- Executes dropped EXE
PID:2936 -
\??\c:\5hnhbh.exec:\5hnhbh.exe22⤵
- Executes dropped EXE
PID:1088 -
\??\c:\dvjpv.exec:\dvjpv.exe23⤵
- Executes dropped EXE
PID:1228 -
\??\c:\vdjpv.exec:\vdjpv.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236 -
\??\c:\flffllx.exec:\flffllx.exe25⤵
- Executes dropped EXE
PID:2824 -
\??\c:\jpvvj.exec:\jpvvj.exe26⤵
- Executes dropped EXE
PID:948 -
\??\c:\rrrlxxl.exec:\rrrlxxl.exe27⤵
- Executes dropped EXE
PID:1628 -
\??\c:\7vvpp.exec:\7vvpp.exe28⤵
- Executes dropped EXE
PID:2444 -
\??\c:\bhbtnh.exec:\bhbtnh.exe29⤵
- Executes dropped EXE
PID:2432 -
\??\c:\rrxxrxx.exec:\rrxxrxx.exe30⤵
- Executes dropped EXE
PID:2412 -
\??\c:\nbhbbt.exec:\nbhbbt.exe31⤵
- Executes dropped EXE
PID:2464 -
\??\c:\9llxrfr.exec:\9llxrfr.exe32⤵
- Executes dropped EXE
PID:2112 -
\??\c:\7nhtbb.exec:\7nhtbb.exe33⤵
- Executes dropped EXE
PID:2108 -
\??\c:\xxxlxrl.exec:\xxxlxrl.exe34⤵PID:2256
-
\??\c:\nntbth.exec:\nntbth.exe35⤵
- Executes dropped EXE
PID:1084 -
\??\c:\pvvvv.exec:\pvvvv.exe36⤵
- Executes dropped EXE
PID:532 -
\??\c:\7djdp.exec:\7djdp.exe37⤵
- Executes dropped EXE
PID:2800 -
\??\c:\xrrxfxr.exec:\xrrxfxr.exe38⤵
- Executes dropped EXE
PID:3044 -
\??\c:\5nnhbh.exec:\5nnhbh.exe39⤵
- Executes dropped EXE
PID:2776 -
\??\c:\vvdjj.exec:\vvdjj.exe40⤵
- Executes dropped EXE
PID:2732 -
\??\c:\3xfxlrf.exec:\3xfxlrf.exe41⤵
- Executes dropped EXE
PID:2832 -
\??\c:\hthbnt.exec:\hthbnt.exe42⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jdddp.exec:\jdddp.exe43⤵
- Executes dropped EXE
PID:1856 -
\??\c:\rrfrxfr.exec:\rrfrxfr.exe44⤵
- Executes dropped EXE
PID:2580 -
\??\c:\tbtbht.exec:\tbtbht.exe45⤵
- Executes dropped EXE
PID:2528 -
\??\c:\vdddj.exec:\vdddj.exe46⤵
- Executes dropped EXE
PID:3024 -
\??\c:\xllllxr.exec:\xllllxr.exe47⤵
- Executes dropped EXE
PID:2564 -
\??\c:\bnnhnh.exec:\bnnhnh.exe48⤵
- Executes dropped EXE
PID:1872 -
\??\c:\vpdpv.exec:\vpdpv.exe49⤵
- Executes dropped EXE
PID:2052 -
\??\c:\nttnbn.exec:\nttnbn.exe50⤵
- Executes dropped EXE
PID:1972 -
\??\c:\djjjj.exec:\djjjj.exe51⤵
- Executes dropped EXE
PID:1960 -
\??\c:\flrxlxr.exec:\flrxlxr.exe52⤵
- Executes dropped EXE
PID:1688 -
\??\c:\nttnnb.exec:\nttnnb.exe53⤵
- Executes dropped EXE
PID:1592 -
\??\c:\9vdpv.exec:\9vdpv.exe54⤵
- Executes dropped EXE
PID:2632 -
\??\c:\llfxllr.exec:\llfxllr.exe55⤵
- Executes dropped EXE
PID:2820 -
\??\c:\bnnhtb.exec:\bnnhtb.exe56⤵
- Executes dropped EXE
PID:1864 -
\??\c:\9ppdp.exec:\9ppdp.exe57⤵
- Executes dropped EXE
PID:2844 -
\??\c:\xxlxrxr.exec:\xxlxrxr.exe58⤵
- Executes dropped EXE
PID:2392 -
\??\c:\ttntnt.exec:\ttntnt.exe59⤵
- Executes dropped EXE
PID:2216 -
\??\c:\7jjvj.exec:\7jjvj.exe60⤵
- Executes dropped EXE
PID:2808 -
\??\c:\lxrflxr.exec:\lxrflxr.exe61⤵
- Executes dropped EXE
PID:1556 -
\??\c:\tnbtbn.exec:\tnbtbn.exe62⤵
- Executes dropped EXE
PID:1752 -
\??\c:\pvvpd.exec:\pvvpd.exe63⤵
- Executes dropped EXE
PID:1724 -
\??\c:\lxlxfrr.exec:\lxlxfrr.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1292 -
\??\c:\htbbbn.exec:\htbbbn.exe65⤵
- Executes dropped EXE
PID:736 -
\??\c:\vvvjd.exec:\vvvjd.exe66⤵
- Executes dropped EXE
PID:324 -
\??\c:\9llfrxx.exec:\9llfrxx.exe67⤵PID:2144
-
\??\c:\thbthn.exec:\thbthn.exe68⤵PID:1524
-
\??\c:\dpdpp.exec:\dpdpp.exe69⤵PID:2420
-
\??\c:\pvvpj.exec:\pvvpj.exe70⤵PID:2288
-
\??\c:\rlflffl.exec:\rlflffl.exe71⤵PID:2184
-
\??\c:\bnbbtn.exec:\bnbbtn.exe72⤵PID:1000
-
\??\c:\djvpv.exec:\djvpv.exe73⤵PID:1436
-
\??\c:\xrfxlfx.exec:\xrfxlfx.exe74⤵PID:2164
-
\??\c:\btnnbt.exec:\btnnbt.exe75⤵PID:2296
-
\??\c:\3vjjj.exec:\3vjjj.exe76⤵PID:1976
-
\??\c:\jddjv.exec:\jddjv.exe77⤵PID:1372
-
\??\c:\fxllrxl.exec:\fxllrxl.exe78⤵PID:2956
-
\??\c:\9hbbhh.exec:\9hbbhh.exe79⤵PID:2952
-
\??\c:\pvdvd.exec:\pvdvd.exe80⤵PID:564
-
\??\c:\rfrfrrf.exec:\rfrfrrf.exe81⤵PID:2724
-
\??\c:\hbttbb.exec:\hbttbb.exe82⤵PID:2624
-
\??\c:\vppjj.exec:\vppjj.exe83⤵PID:2744
-
\??\c:\bbtbnt.exec:\bbtbnt.exe84⤵PID:2648
-
\??\c:\7fxlxff.exec:\7fxlxff.exe85⤵PID:2736
-
\??\c:\nnhbtn.exec:\nnhbtn.exe86⤵PID:2696
-
\??\c:\vdddp.exec:\vdddp.exe87⤵PID:2548
-
\??\c:\3lrfllr.exec:\3lrfllr.exe88⤵PID:2552
-
\??\c:\bbbnnh.exec:\bbbnnh.exe89⤵PID:2436
-
\??\c:\1ppvp.exec:\1ppvp.exe90⤵PID:2324
-
\??\c:\7xxllxr.exec:\7xxllxr.exe91⤵PID:2992
-
\??\c:\hbtttt.exec:\hbtttt.exe92⤵PID:568
-
\??\c:\1ppjv.exec:\1ppjv.exe93⤵PID:2052
-
\??\c:\7xrllfx.exec:\7xrllfx.exe94⤵PID:1972
-
\??\c:\tnhhnh.exec:\tnhhnh.exe95⤵PID:1720
-
\??\c:\vjvpd.exec:\vjvpd.exe96⤵PID:1688
-
\??\c:\llfxrrr.exec:\llfxrrr.exe97⤵PID:2592
-
\??\c:\thbbnt.exec:\thbbnt.exe98⤵PID:2600
-
\??\c:\vdpdj.exec:\vdpdj.exe99⤵PID:2876
-
\??\c:\xrffrlr.exec:\xrffrlr.exe100⤵PID:2628
-
\??\c:\3nbbth.exec:\3nbbth.exe101⤵PID:2084
-
\??\c:\9dppv.exec:\9dppv.exe102⤵PID:2880
-
\??\c:\xlfxflr.exec:\xlfxflr.exe103⤵PID:1456
-
\??\c:\7hhhht.exec:\7hhhht.exe104⤵PID:660
-
\??\c:\pvvjp.exec:\pvvjp.exe105⤵PID:1268
-
\??\c:\9fxrlxf.exec:\9fxrlxf.exe106⤵PID:1640
-
\??\c:\bhbbhn.exec:\bhbbhn.exe107⤵PID:1916
-
\??\c:\pdjvv.exec:\pdjvv.exe108⤵PID:900
-
\??\c:\fxxrrll.exec:\fxxrrll.exe109⤵PID:2356
-
\??\c:\7tnnnh.exec:\7tnnnh.exe110⤵PID:948
-
\??\c:\tthbth.exec:\tthbth.exe111⤵PID:3056
-
\??\c:\vjvpj.exec:\vjvpj.exe112⤵PID:1904
-
\??\c:\lfrrrlr.exec:\lfrrrlr.exe113⤵PID:2056
-
\??\c:\djpjp.exec:\djpjp.exe114⤵PID:2432
-
\??\c:\vpvvv.exec:\vpvvv.exe115⤵PID:808
-
\??\c:\frrllfr.exec:\frrllfr.exe116⤵PID:1012
-
\??\c:\bbtbhb.exec:\bbtbhb.exe117⤵PID:1440
-
\??\c:\3ddpj.exec:\3ddpj.exe118⤵PID:1260
-
\??\c:\7llffxr.exec:\7llffxr.exe119⤵PID:2296
-
\??\c:\7ttbth.exec:\7ttbth.exe120⤵PID:1636
-
\??\c:\pjddp.exec:\pjddp.exe121⤵PID:2344
-
\??\c:\9lrflrr.exec:\9lrflrr.exe122⤵PID:2956