Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 22:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe
-
Size
454KB
-
MD5
e9d2fcb199de9aa37ac5a6a763b3db5d
-
SHA1
18caafcfc0a2881d2cfd896dd5fe7ba4a87f4643
-
SHA256
7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855
-
SHA512
d4e8656c7ae6f637e7ff0e05e833ce060d39caeb4c9648be0633c2b359e1b24928fa4cdd728bf42e7a52287c9533fb17aacfcfc3539accad6cd56e34e21dbd25
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2444-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1896-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1900-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-1167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/696-1171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2224 bnnbtn.exe 4736 bbhbtt.exe 4148 tbbnht.exe 4092 jvppd.exe 652 bhhhbt.exe 3544 xxxlfxr.exe 3708 rflxrfx.exe 5084 ntthbt.exe 3112 rlxrfxx.exe 1600 9ffxrxx.exe 216 ppvpj.exe 4720 7thbhh.exe 2708 5lfrffr.exe 4312 ppvpd.exe 4640 rfxrlfx.exe 3032 jvvjv.exe 4860 3hhtnn.exe 4488 vddpd.exe 4264 flxrfxr.exe 3280 pddpj.exe 2188 9rfrfrf.exe 3152 jvjjd.exe 1392 ddvdp.exe 2024 dppjp.exe 1896 xlrlxxr.exe 2856 bnnhbt.exe 2336 jdjdp.exe 2952 jjppj.exe 1716 vppjd.exe 3532 jvpjp.exe 3284 xflxrlf.exe 2608 7dvjv.exe 1640 djpdd.exe 1552 7xrlffr.exe 3608 ttbtnh.exe 3540 vvjvp.exe 1560 fffxllf.exe 2612 lxrlfxr.exe 4892 3nnbnh.exe 764 jvpjv.exe 1300 xxfrlfx.exe 4340 xfrrlfx.exe 4468 tbbnht.exe 3860 jdvpd.exe 636 7xfxrlf.exe 4872 lrlflxf.exe 372 5nnbtt.exe 1052 5llffxx.exe 876 5bbthb.exe 5100 tbthbn.exe 2444 lxlfxlx.exe 2056 frfxffl.exe 4736 5tttnh.exe 864 jdjvj.exe 4028 xllxlfr.exe 1048 bbhttn.exe 1340 tnnbnh.exe 3220 1djvv.exe 536 rlfxllf.exe 1564 hbhbbt.exe 1040 jdjvj.exe 5084 jdpjv.exe 4868 3ffrxrl.exe 3696 bttnnh.exe -
resource yara_rule behavioral2/memory/2444-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3284-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-365-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4228-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-1167-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2444 wrote to memory of 2224 2444 7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe 83 PID 2444 wrote to memory of 2224 2444 7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe 83 PID 2444 wrote to memory of 2224 2444 7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe 83 PID 2224 wrote to memory of 4736 2224 bnnbtn.exe 84 PID 2224 wrote to memory of 4736 2224 bnnbtn.exe 84 PID 2224 wrote to memory of 4736 2224 bnnbtn.exe 84 PID 4736 wrote to memory of 4148 4736 bbhbtt.exe 85 PID 4736 wrote to memory of 4148 4736 bbhbtt.exe 85 PID 4736 wrote to memory of 4148 4736 bbhbtt.exe 85 PID 4148 wrote to memory of 4092 4148 tbbnht.exe 86 PID 4148 wrote to memory of 4092 4148 tbbnht.exe 86 PID 4148 wrote to memory of 4092 4148 tbbnht.exe 86 PID 4092 wrote to memory of 652 4092 jvppd.exe 87 PID 4092 wrote to memory of 652 4092 jvppd.exe 87 PID 4092 wrote to memory of 652 4092 jvppd.exe 87 PID 652 wrote to memory of 3544 652 bhhhbt.exe 88 PID 652 wrote to memory of 3544 652 bhhhbt.exe 88 PID 652 wrote to memory of 3544 652 bhhhbt.exe 88 PID 3544 wrote to memory of 3708 3544 xxxlfxr.exe 89 PID 3544 wrote to memory of 3708 3544 xxxlfxr.exe 89 PID 3544 wrote to memory of 3708 3544 xxxlfxr.exe 89 PID 3708 wrote to memory of 5084 3708 rflxrfx.exe 90 PID 3708 wrote to memory of 5084 3708 rflxrfx.exe 90 PID 3708 wrote to memory of 5084 3708 rflxrfx.exe 90 PID 5084 wrote to memory of 3112 5084 ntthbt.exe 91 PID 5084 wrote to memory of 3112 5084 ntthbt.exe 91 PID 5084 wrote to memory of 3112 5084 ntthbt.exe 91 PID 3112 wrote to memory of 1600 3112 rlxrfxx.exe 92 PID 3112 wrote to memory of 1600 3112 rlxrfxx.exe 92 PID 3112 wrote to memory of 1600 3112 rlxrfxx.exe 92 PID 1600 wrote to memory of 216 1600 9ffxrxx.exe 93 PID 1600 wrote to memory of 216 1600 9ffxrxx.exe 93 PID 1600 wrote to memory of 216 1600 9ffxrxx.exe 93 PID 216 wrote to memory of 4720 216 ppvpj.exe 94 PID 216 wrote to memory 
of 4720 216 ppvpj.exe 94 PID 216 wrote to memory of 4720 216 ppvpj.exe 94 PID 4720 wrote to memory of 2708 4720 7thbhh.exe 95 PID 4720 wrote to memory of 2708 4720 7thbhh.exe 95 PID 4720 wrote to memory of 2708 4720 7thbhh.exe 95 PID 2708 wrote to memory of 4312 2708 5lfrffr.exe 96 PID 2708 wrote to memory of 4312 2708 5lfrffr.exe 96 PID 2708 wrote to memory of 4312 2708 5lfrffr.exe 96 PID 4312 wrote to memory of 4640 4312 ppvpd.exe 97 PID 4312 wrote to memory of 4640 4312 ppvpd.exe 97 PID 4312 wrote to memory of 4640 4312 ppvpd.exe 97 PID 4640 wrote to memory of 3032 4640 rfxrlfx.exe 98 PID 4640 wrote to memory of 3032 4640 rfxrlfx.exe 98 PID 4640 wrote to memory of 3032 4640 rfxrlfx.exe 98 PID 3032 wrote to memory of 4860 3032 jvvjv.exe 99 PID 3032 wrote to memory of 4860 3032 jvvjv.exe 99 PID 3032 wrote to memory of 4860 3032 jvvjv.exe 99 PID 4860 wrote to memory of 4488 4860 3hhtnn.exe 100 PID 4860 wrote to memory of 4488 4860 3hhtnn.exe 100 PID 4860 wrote to memory of 4488 4860 3hhtnn.exe 100 PID 4488 wrote to memory of 4264 4488 vddpd.exe 101 PID 4488 wrote to memory of 4264 4488 vddpd.exe 101 PID 4488 wrote to memory of 4264 4488 vddpd.exe 101 PID 4264 wrote to memory of 3280 4264 flxrfxr.exe 102 PID 4264 wrote to memory of 3280 4264 flxrfxr.exe 102 PID 4264 wrote to memory of 3280 4264 flxrfxr.exe 102 PID 3280 wrote to memory of 2188 3280 pddpj.exe 103 PID 3280 wrote to memory of 2188 3280 pddpj.exe 103 PID 3280 wrote to memory of 2188 3280 pddpj.exe 103 PID 2188 wrote to memory of 3152 2188 9rfrfrf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe"C:\Users\Admin\AppData\Local\Temp\7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\bnnbtn.exec:\bnnbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\bbhbtt.exec:\bbhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\tbbnht.exec:\tbbnht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\jvppd.exec:\jvppd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\bhhhbt.exec:\bhhhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\xxxlfxr.exec:\xxxlfxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\rflxrfx.exec:\rflxrfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\ntthbt.exec:\ntthbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\rlxrfxx.exec:\rlxrfxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\9ffxrxx.exec:\9ffxrxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\ppvpj.exec:\ppvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\7thbhh.exec:\7thbhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\5lfrffr.exec:\5lfrffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\ppvpd.exec:\ppvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\jvvjv.exec:\jvvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\3hhtnn.exec:\3hhtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\vddpd.exec:\vddpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\flxrfxr.exec:\flxrfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\pddpj.exec:\pddpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\9rfrfrf.exec:\9rfrfrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\jvjjd.exec:\jvjjd.exe23⤵
- Executes dropped EXE
PID:3152 -
\??\c:\ddvdp.exec:\ddvdp.exe24⤵
- Executes dropped EXE
PID:1392 -
\??\c:\dppjp.exec:\dppjp.exe25⤵
- Executes dropped EXE
PID:2024 -
\??\c:\xlrlxxr.exec:\xlrlxxr.exe26⤵
- Executes dropped EXE
PID:1896 -
\??\c:\bnnhbt.exec:\bnnhbt.exe27⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jdjdp.exec:\jdjdp.exe28⤵
- Executes dropped EXE
PID:2336 -
\??\c:\jjppj.exec:\jjppj.exe29⤵
- Executes dropped EXE
PID:2952 -
\??\c:\vppjd.exec:\vppjd.exe30⤵
- Executes dropped EXE
PID:1716 -
\??\c:\jvpjp.exec:\jvpjp.exe31⤵
- Executes dropped EXE
PID:3532 -
\??\c:\xflxrlf.exec:\xflxrlf.exe32⤵
- Executes dropped EXE
PID:3284 -
\??\c:\7dvjv.exec:\7dvjv.exe33⤵
- Executes dropped EXE
PID:2608 -
\??\c:\djpdd.exec:\djpdd.exe34⤵
- Executes dropped EXE
PID:1640 -
\??\c:\7xrlffr.exec:\7xrlffr.exe35⤵
- Executes dropped EXE
PID:1552 -
\??\c:\ttbtnh.exec:\ttbtnh.exe36⤵
- Executes dropped EXE
PID:3608 -
\??\c:\vvjvp.exec:\vvjvp.exe37⤵
- Executes dropped EXE
PID:3540 -
\??\c:\fffxllf.exec:\fffxllf.exe38⤵
- Executes dropped EXE
PID:1560 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe39⤵
- Executes dropped EXE
PID:2612 -
\??\c:\3nnbnh.exec:\3nnbnh.exe40⤵
- Executes dropped EXE
PID:4892 -
\??\c:\jvpjv.exec:\jvpjv.exe41⤵
- Executes dropped EXE
PID:764 -
\??\c:\xxfrlfx.exec:\xxfrlfx.exe42⤵
- Executes dropped EXE
PID:1300 -
\??\c:\xfrrlfx.exec:\xfrrlfx.exe43⤵
- Executes dropped EXE
PID:4340 -
\??\c:\tbbnht.exec:\tbbnht.exe44⤵
- Executes dropped EXE
PID:4468 -
\??\c:\jdvpd.exec:\jdvpd.exe45⤵
- Executes dropped EXE
PID:3860 -
\??\c:\7xfxrlf.exec:\7xfxrlf.exe46⤵
- Executes dropped EXE
PID:636 -
\??\c:\lrlflxf.exec:\lrlflxf.exe47⤵
- Executes dropped EXE
PID:4872 -
\??\c:\5nnbtt.exec:\5nnbtt.exe48⤵
- Executes dropped EXE
PID:372 -
\??\c:\5llffxx.exec:\5llffxx.exe49⤵
- Executes dropped EXE
PID:1052 -
\??\c:\5bbthb.exec:\5bbthb.exe50⤵
- Executes dropped EXE
PID:876 -
\??\c:\tbthbn.exec:\tbthbn.exe51⤵
- Executes dropped EXE
PID:5100 -
\??\c:\lxlfxlx.exec:\lxlfxlx.exe52⤵
- Executes dropped EXE
PID:2444 -
\??\c:\frfxffl.exec:\frfxffl.exe53⤵
- Executes dropped EXE
PID:2056 -
\??\c:\5tttnh.exec:\5tttnh.exe54⤵
- Executes dropped EXE
PID:4736 -
\??\c:\jdjvj.exec:\jdjvj.exe55⤵
- Executes dropped EXE
PID:864 -
\??\c:\xllxlfr.exec:\xllxlfr.exe56⤵
- Executes dropped EXE
PID:4028 -
\??\c:\bbhttn.exec:\bbhttn.exe57⤵
- Executes dropped EXE
PID:1048 -
\??\c:\tnnbnh.exec:\tnnbnh.exe58⤵
- Executes dropped EXE
PID:1340 -
\??\c:\1djvv.exec:\1djvv.exe59⤵
- Executes dropped EXE
PID:3220 -
\??\c:\rlfxllf.exec:\rlfxllf.exe60⤵
- Executes dropped EXE
PID:536 -
\??\c:\hbhbbt.exec:\hbhbbt.exe61⤵
- Executes dropped EXE
PID:1564 -
\??\c:\jdjvj.exec:\jdjvj.exe62⤵
- Executes dropped EXE
PID:1040 -
\??\c:\jdpjv.exec:\jdpjv.exe63⤵
- Executes dropped EXE
PID:5084 -
\??\c:\3ffrxrl.exec:\3ffrxrl.exe64⤵
- Executes dropped EXE
PID:4868 -
\??\c:\bttnnh.exec:\bttnnh.exe65⤵
- Executes dropped EXE
PID:3696 -
\??\c:\jpvjp.exec:\jpvjp.exe66⤵PID:3952
-
\??\c:\7xxrlfr.exec:\7xxrlfr.exe67⤵PID:512
-
\??\c:\xrfflfr.exec:\xrfflfr.exe68⤵PID:5088
-
\??\c:\thnhtn.exec:\thnhtn.exe69⤵PID:640
-
\??\c:\dpvdj.exec:\dpvdj.exe70⤵PID:4760
-
\??\c:\3frrlfx.exec:\3frrlfx.exe71⤵PID:3996
-
\??\c:\rllfxrl.exec:\rllfxrl.exe72⤵PID:4032
-
\??\c:\thhbnh.exec:\thhbnh.exe73⤵PID:1568
-
\??\c:\pdjvv.exec:\pdjvv.exe74⤵PID:1624
-
\??\c:\vpjdj.exec:\vpjdj.exe75⤵PID:1900
-
\??\c:\fflxlrl.exec:\fflxlrl.exe76⤵PID:4184
-
\??\c:\1tttnh.exec:\1tttnh.exe77⤵PID:4824
-
\??\c:\dppdp.exec:\dppdp.exe78⤵PID:2200
-
\??\c:\xflfflf.exec:\xflfflf.exe79⤵PID:1604
-
\??\c:\frxrrll.exec:\frxrrll.exe80⤵PID:1164
-
\??\c:\7hhbnh.exec:\7hhbnh.exe81⤵PID:3280
-
\??\c:\nbhbtn.exec:\nbhbtn.exe82⤵PID:1528
-
\??\c:\ddppp.exec:\ddppp.exe83⤵PID:2404
-
\??\c:\fxrlrrf.exec:\fxrlrrf.exe84⤵PID:812
-
\??\c:\9ttnbt.exec:\9ttnbt.exe85⤵PID:468
-
\??\c:\1bbbtn.exec:\1bbbtn.exe86⤵PID:1780
-
\??\c:\dpvvp.exec:\dpvvp.exe87⤵PID:1080
-
\??\c:\1rfxlff.exec:\1rfxlff.exe88⤵PID:4228
-
\??\c:\frlfxrx.exec:\frlfxrx.exe89⤵PID:2856
-
\??\c:\3thbbt.exec:\3thbbt.exe90⤵PID:4704
-
\??\c:\7vdpd.exec:\7vdpd.exe91⤵PID:2756
-
\??\c:\7rlrflx.exec:\7rlrflx.exe92⤵PID:4292
-
\??\c:\rrfrlfx.exec:\rrfrlfx.exe93⤵PID:3532
-
\??\c:\nhnhhb.exec:\nhnhhb.exe94⤵PID:4888
-
\??\c:\9pjvd.exec:\9pjvd.exe95⤵PID:2912
-
\??\c:\rlrlxxx.exec:\rlrlxxx.exe96⤵PID:2324
-
\??\c:\9rrfrlx.exec:\9rrfrlx.exe97⤵PID:4528
-
\??\c:\5bhttn.exec:\5bhttn.exe98⤵PID:3456
-
\??\c:\djpjv.exec:\djpjv.exe99⤵PID:4544
-
\??\c:\ddppj.exec:\ddppj.exe100⤵PID:3608
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe101⤵PID:3540
-
\??\c:\nbbtnh.exec:\nbbtnh.exe102⤵PID:1916
-
\??\c:\dpdvj.exec:\dpdvj.exe103⤵PID:2352
-
\??\c:\frxlxrl.exec:\frxlxrl.exe104⤵PID:2624
-
\??\c:\3xrlfxr.exec:\3xrlfxr.exe105⤵PID:392
-
\??\c:\1bhnbb.exec:\1bhnbb.exe106⤵PID:3372
-
\??\c:\dvvpv.exec:\dvvpv.exe107⤵PID:4188
-
\??\c:\rllxlxr.exec:\rllxlxr.exe108⤵PID:4468
-
\??\c:\fxfxffx.exec:\fxfxffx.exe109⤵
- System Location Discovery: System Language Discovery
PID:3860 -
\??\c:\tbnhbb.exec:\tbnhbb.exe110⤵PID:1304
-
\??\c:\9vdpd.exec:\9vdpd.exe111⤵PID:2280
-
\??\c:\vppjd.exec:\vppjd.exe112⤵PID:3740
-
\??\c:\xlrfrlr.exec:\xlrfrlr.exe113⤵PID:2112
-
\??\c:\7bbnbh.exec:\7bbnbh.exe114⤵PID:3232
-
\??\c:\dvdvd.exec:\dvdvd.exe115⤵PID:4384
-
\??\c:\jvdjv.exec:\jvdjv.exe116⤵
- System Location Discovery: System Language Discovery
PID:1268 -
\??\c:\lffxlff.exec:\lffxlff.exe117⤵PID:3268
-
\??\c:\lllffff.exec:\lllffff.exe118⤵PID:2044
-
\??\c:\1tnnbb.exec:\1tnnbb.exe119⤵PID:4992
-
\??\c:\1vvjv.exec:\1vvjv.exe120⤵PID:4952
-
\??\c:\5rxllfr.exec:\5rxllfr.exe121⤵PID:4028
-
\??\c:\lxlfrxr.exec:\lxlfrxr.exe122⤵PID:2300