Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
30239b51d288f25c35b5d988f5a117ee17af5b6352ea6c03ada32fd14c94cce6.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
30239b51d288f25c35b5d988f5a117ee17af5b6352ea6c03ada32fd14c94cce6.exe
-
Size
454KB
-
MD5
8572b8f3c8f07c636900e5610fd55aa4
-
SHA1
705b87bb5b245cf0deda3885aac740fa44b92e4b
-
SHA256
30239b51d288f25c35b5d988f5a117ee17af5b6352ea6c03ada32fd14c94cce6
-
SHA512
81fdc9d3a8521298d6d445403fec2e36477c159a068323afbd79ef27f23ea106bfb0328d809241fb29660135664eaaf04dc840ffc5dd4af010f0b4d04869fca6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2756-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-66-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2564-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-114-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2896-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/352-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1904-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-279-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2496-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/992-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-710-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2776-717-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1544-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2804 rrffllr.exe 2364 ffrlxxr.exe 2572 fxfxxrf.exe 2708 3jpvv.exe 2564 3lffllx.exe 1996 pdvvd.exe 1556 vjvvd.exe 1408 nhbnth.exe 2148 jdvjp.exe 2080 btnttn.exe 1616 vvvjv.exe 2924 hhbttt.exe 2896 tbbhht.exe 2916 rlxxffl.exe 2988 7nnttn.exe 352 pjjpp.exe 2208 fffxllx.exe 2344 pdvvd.exe 1896 vjppp.exe 2088 bbnhnn.exe 1736 nhtbhh.exe 2020 xrxflfr.exe 2504 thttbh.exe 1508 7rfxxrr.exe 1560 xrrrlff.exe 2484 ttnbnn.exe 1904 jdppj.exe 1636 5btntn.exe 1416 3jdpv.exe 2496 5rflrlx.exe 2452 nhttnn.exe 2040 fxxflrf.exe 2756 lxfxrll.exe 2696 5dppv.exe 2800 rfrrfxx.exe 2976 fxflxfr.exe 2580 nbttbh.exe 2600 pjvvp.exe 2616 xlrfflr.exe 1724 thtnbb.exe 2596 thnhnh.exe 1124 jvvvp.exe 1664 rflffff.exe 2996 1hnnhh.exe 2120 thhhtn.exe 1964 dvjpj.exe 2340 ffrxrxf.exe 3000 7hbhtb.exe 1616 hbhbbt.exe 2924 pdvvd.exe 2876 rxrlllr.exe 2972 3nhnbh.exe 3056 bbbtnb.exe 2944 jpvdd.exe 1688 lfrrxxr.exe 112 nhnthn.exe 2512 bthnth.exe 2404 pvdjp.exe 2112 jdjjj.exe 1196 xxxfxfl.exe 884 thtbhh.exe 1932 3bbbbb.exe 1324 ddpjp.exe 1788 rrllrfx.exe -
resource yara_rule behavioral1/memory/2756-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-216-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1508-218-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1508-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-736-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1544-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-970-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
3frxxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3httbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2756 wrote to memory of 2804 2756 30239b51d288f25c35b5d988f5a117ee17af5b6352ea6c03ada32fd14c94cce6.exe 31 PID 2756 wrote to memory of 2804 2756 30239b51d288f25c35b5d988f5a117ee17af5b6352ea6c03ada32fd14c94cce6.exe 31 PID 2756 wrote to memory of 2804 2756 30239b51d288f25c35b5d988f5a117ee17af5b6352ea6c03ada32fd14c94cce6.exe 31 PID 2756 wrote to memory of 2804 2756 30239b51d288f25c35b5d988f5a117ee17af5b6352ea6c03ada32fd14c94cce6.exe 31 PID 2804 wrote to memory of 2364 2804 rrffllr.exe 32 PID 2804 wrote to memory of 2364 2804 rrffllr.exe 32 PID 2804 wrote to memory of 2364 2804 rrffllr.exe 32 PID 2804 wrote to memory of 2364 2804 rrffllr.exe 32 PID 2364 wrote to memory of 2572 2364 ffrlxxr.exe 33 PID 2364 wrote to memory of 2572 2364 ffrlxxr.exe 33 PID 2364 wrote to memory of 2572 2364 ffrlxxr.exe 33 PID 2364 wrote to memory of 2572 2364 ffrlxxr.exe 33 PID 2572 wrote to memory of 2708 2572 fxfxxrf.exe 34 PID 2572 wrote to memory of 2708 2572 fxfxxrf.exe 34 PID 2572 wrote to memory of 2708 2572 fxfxxrf.exe 34 PID 2572 wrote to memory of 2708 2572 fxfxxrf.exe 34 PID 2708 wrote to memory of 2564 2708 3jpvv.exe 35 PID 2708 wrote to memory of 2564 2708 3jpvv.exe 35 PID 2708 wrote to memory of 2564 2708 3jpvv.exe 35 PID 2708 wrote to memory of 2564 2708 3jpvv.exe 35 PID 2564 wrote to memory of 1996 2564 3lffllx.exe 36 PID 2564 wrote to memory of 1996 2564 3lffllx.exe 36 PID 2564 wrote to memory of 1996 2564 3lffllx.exe 36 PID 2564 wrote to memory of 1996 2564 3lffllx.exe 36 PID 1996 wrote to memory of 1556 1996 pdvvd.exe 37 PID 1996 wrote to memory of 1556 1996 pdvvd.exe 37 PID 1996 wrote to memory of 1556 1996 pdvvd.exe 37 PID 1996 wrote to memory of 1556 1996 pdvvd.exe 37 PID 1556 wrote to memory of 1408 1556 vjvvd.exe 38 PID 1556 wrote to memory of 1408 1556 vjvvd.exe 38 PID 1556 wrote to memory of 1408 1556 vjvvd.exe 38 PID 1556 wrote to memory of 1408 1556 vjvvd.exe 38 PID 1408 wrote to memory of 2148 1408 nhbnth.exe 39 PID 1408 
wrote to memory of 2148 1408 nhbnth.exe 39 PID 1408 wrote to memory of 2148 1408 nhbnth.exe 39 PID 1408 wrote to memory of 2148 1408 nhbnth.exe 39 PID 2148 wrote to memory of 2080 2148 jdvjp.exe 40 PID 2148 wrote to memory of 2080 2148 jdvjp.exe 40 PID 2148 wrote to memory of 2080 2148 jdvjp.exe 40 PID 2148 wrote to memory of 2080 2148 jdvjp.exe 40 PID 2080 wrote to memory of 1616 2080 btnttn.exe 41 PID 2080 wrote to memory of 1616 2080 btnttn.exe 41 PID 2080 wrote to memory of 1616 2080 btnttn.exe 41 PID 2080 wrote to memory of 1616 2080 btnttn.exe 41 PID 1616 wrote to memory of 2924 1616 vvvjv.exe 42 PID 1616 wrote to memory of 2924 1616 vvvjv.exe 42 PID 1616 wrote to memory of 2924 1616 vvvjv.exe 42 PID 1616 wrote to memory of 2924 1616 vvvjv.exe 42 PID 2924 wrote to memory of 2896 2924 hhbttt.exe 43 PID 2924 wrote to memory of 2896 2924 hhbttt.exe 43 PID 2924 wrote to memory of 2896 2924 hhbttt.exe 43 PID 2924 wrote to memory of 2896 2924 hhbttt.exe 43 PID 2896 wrote to memory of 2916 2896 tbbhht.exe 44 PID 2896 wrote to memory of 2916 2896 tbbhht.exe 44 PID 2896 wrote to memory of 2916 2896 tbbhht.exe 44 PID 2896 wrote to memory of 2916 2896 tbbhht.exe 44 PID 2916 wrote to memory of 2988 2916 rlxxffl.exe 45 PID 2916 wrote to memory of 2988 2916 rlxxffl.exe 45 PID 2916 wrote to memory of 2988 2916 rlxxffl.exe 45 PID 2916 wrote to memory of 2988 2916 rlxxffl.exe 45 PID 2988 wrote to memory of 352 2988 7nnttn.exe 46 PID 2988 wrote to memory of 352 2988 7nnttn.exe 46 PID 2988 wrote to memory of 352 2988 7nnttn.exe 46 PID 2988 wrote to memory of 352 2988 7nnttn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\30239b51d288f25c35b5d988f5a117ee17af5b6352ea6c03ada32fd14c94cce6.exe"C:\Users\Admin\AppData\Local\Temp\30239b51d288f25c35b5d988f5a117ee17af5b6352ea6c03ada32fd14c94cce6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\rrffllr.exec:\rrffllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\ffrlxxr.exec:\ffrlxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\fxfxxrf.exec:\fxfxxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\3jpvv.exec:\3jpvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\3lffllx.exec:\3lffllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\pdvvd.exec:\pdvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\vjvvd.exec:\vjvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\nhbnth.exec:\nhbnth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\jdvjp.exec:\jdvjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\btnttn.exec:\btnttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\vvvjv.exec:\vvvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\hhbttt.exec:\hhbttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\tbbhht.exec:\tbbhht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\rlxxffl.exec:\rlxxffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\7nnttn.exec:\7nnttn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\pjjpp.exec:\pjjpp.exe17⤵
- Executes dropped EXE
PID:352 -
\??\c:\fffxllx.exec:\fffxllx.exe18⤵
- Executes dropped EXE
PID:2208 -
\??\c:\pdvvd.exec:\pdvvd.exe19⤵
- Executes dropped EXE
PID:2344 -
\??\c:\vjppp.exec:\vjppp.exe20⤵
- Executes dropped EXE
PID:1896 -
\??\c:\bbnhnn.exec:\bbnhnn.exe21⤵
- Executes dropped EXE
PID:2088 -
\??\c:\nhtbhh.exec:\nhtbhh.exe22⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xrxflfr.exec:\xrxflfr.exe23⤵
- Executes dropped EXE
PID:2020 -
\??\c:\thttbh.exec:\thttbh.exe24⤵
- Executes dropped EXE
PID:2504 -
\??\c:\7rfxxrr.exec:\7rfxxrr.exe25⤵
- Executes dropped EXE
PID:1508 -
\??\c:\xrrrlff.exec:\xrrrlff.exe26⤵
- Executes dropped EXE
PID:1560 -
\??\c:\ttnbnn.exec:\ttnbnn.exe27⤵
- Executes dropped EXE
PID:2484 -
\??\c:\jdppj.exec:\jdppj.exe28⤵
- Executes dropped EXE
PID:1904 -
\??\c:\5btntn.exec:\5btntn.exe29⤵
- Executes dropped EXE
PID:1636 -
\??\c:\3jdpv.exec:\3jdpv.exe30⤵
- Executes dropped EXE
PID:1416 -
\??\c:\5rflrlx.exec:\5rflrlx.exe31⤵
- Executes dropped EXE
PID:2496 -
\??\c:\nhttnn.exec:\nhttnn.exe32⤵
- Executes dropped EXE
PID:2452 -
\??\c:\fxxflrf.exec:\fxxflrf.exe33⤵
- Executes dropped EXE
PID:2040 -
\??\c:\lxfxrll.exec:\lxfxrll.exe34⤵
- Executes dropped EXE
PID:2756 -
\??\c:\5dppv.exec:\5dppv.exe35⤵
- Executes dropped EXE
PID:2696 -
\??\c:\rfrrfxx.exec:\rfrrfxx.exe36⤵
- Executes dropped EXE
PID:2800 -
\??\c:\fxflxfr.exec:\fxflxfr.exe37⤵
- Executes dropped EXE
PID:2976 -
\??\c:\nbttbh.exec:\nbttbh.exe38⤵
- Executes dropped EXE
PID:2580 -
\??\c:\pjvvp.exec:\pjvvp.exe39⤵
- Executes dropped EXE
PID:2600 -
\??\c:\xlrfflr.exec:\xlrfflr.exe40⤵
- Executes dropped EXE
PID:2616 -
\??\c:\thtnbb.exec:\thtnbb.exe41⤵
- Executes dropped EXE
PID:1724 -
\??\c:\thnhnh.exec:\thnhnh.exe42⤵
- Executes dropped EXE
PID:2596 -
\??\c:\jvvvp.exec:\jvvvp.exe43⤵
- Executes dropped EXE
PID:1124 -
\??\c:\rflffff.exec:\rflffff.exe44⤵
- Executes dropped EXE
PID:1664 -
\??\c:\1hnnhh.exec:\1hnnhh.exe45⤵
- Executes dropped EXE
PID:2996 -
\??\c:\thhhtn.exec:\thhhtn.exe46⤵
- Executes dropped EXE
PID:2120 -
\??\c:\dvjpj.exec:\dvjpj.exe47⤵
- Executes dropped EXE
PID:1964 -
\??\c:\ffrxrxf.exec:\ffrxrxf.exe48⤵
- Executes dropped EXE
PID:2340 -
\??\c:\7hbhtb.exec:\7hbhtb.exe49⤵
- Executes dropped EXE
PID:3000 -
\??\c:\hbhbbt.exec:\hbhbbt.exe50⤵
- Executes dropped EXE
PID:1616 -
\??\c:\pdvvd.exec:\pdvvd.exe51⤵
- Executes dropped EXE
PID:2924 -
\??\c:\rxrlllr.exec:\rxrlllr.exe52⤵
- Executes dropped EXE
PID:2876 -
\??\c:\3nhnbh.exec:\3nhnbh.exe53⤵
- Executes dropped EXE
PID:2972 -
\??\c:\bbbtnb.exec:\bbbtnb.exe54⤵
- Executes dropped EXE
PID:3056 -
\??\c:\jpvdd.exec:\jpvdd.exe55⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lfrrxxr.exec:\lfrrxxr.exe56⤵
- Executes dropped EXE
PID:1688 -
\??\c:\nhnthn.exec:\nhnthn.exe57⤵
- Executes dropped EXE
PID:112 -
\??\c:\bthnth.exec:\bthnth.exe58⤵
- Executes dropped EXE
PID:2512 -
\??\c:\pvdjp.exec:\pvdjp.exe59⤵
- Executes dropped EXE
PID:2404 -
\??\c:\jdjjj.exec:\jdjjj.exe60⤵
- Executes dropped EXE
PID:2112 -
\??\c:\xxxfxfl.exec:\xxxfxfl.exe61⤵
- Executes dropped EXE
PID:1196 -
\??\c:\thtbhh.exec:\thtbhh.exe62⤵
- Executes dropped EXE
PID:884 -
\??\c:\3bbbbb.exec:\3bbbbb.exe63⤵
- Executes dropped EXE
PID:1932 -
\??\c:\ddpjp.exec:\ddpjp.exe64⤵
- Executes dropped EXE
PID:1324 -
\??\c:\rrllrfx.exec:\rrllrfx.exe65⤵
- Executes dropped EXE
PID:1788 -
\??\c:\bthhbt.exec:\bthhbt.exe66⤵PID:328
-
\??\c:\hhtbtb.exec:\hhtbtb.exe67⤵PID:844
-
\??\c:\ddddd.exec:\ddddd.exe68⤵PID:2528
-
\??\c:\9rflrlr.exec:\9rflrlr.exe69⤵PID:632
-
\??\c:\lfrxfxl.exec:\lfrxfxl.exe70⤵PID:2460
-
\??\c:\hbtbnt.exec:\hbtbnt.exe71⤵PID:3060
-
\??\c:\vpdjp.exec:\vpdjp.exe72⤵PID:1920
-
\??\c:\vvjpd.exec:\vvjpd.exe73⤵PID:2384
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe74⤵PID:1000
-
\??\c:\hbtbhn.exec:\hbtbhn.exe75⤵PID:2388
-
\??\c:\vjpdd.exec:\vjpdd.exe76⤵PID:264
-
\??\c:\jdpvj.exec:\jdpvj.exe77⤵PID:2040
-
\??\c:\9xrxllr.exec:\9xrxllr.exe78⤵PID:1644
-
\??\c:\nhnbbh.exec:\nhnbbh.exe79⤵PID:2700
-
\??\c:\jdppd.exec:\jdppd.exe80⤵PID:3028
-
\??\c:\vpddj.exec:\vpddj.exe81⤵PID:2780
-
\??\c:\7lfxrrx.exec:\7lfxrrx.exe82⤵PID:2572
-
\??\c:\hbnnhn.exec:\hbnnhn.exe83⤵PID:2560
-
\??\c:\1dpdp.exec:\1dpdp.exe84⤵PID:2556
-
\??\c:\dvjjp.exec:\dvjjp.exe85⤵PID:2588
-
\??\c:\1xxffff.exec:\1xxffff.exe86⤵PID:1844
-
\??\c:\bthhtb.exec:\bthhtb.exe87⤵PID:2016
-
\??\c:\pjvjp.exec:\pjvjp.exe88⤵PID:1408
-
\??\c:\dvddp.exec:\dvddp.exe89⤵PID:2996
-
\??\c:\ffrxflx.exec:\ffrxflx.exe90⤵PID:2120
-
\??\c:\bbbbtt.exec:\bbbbtt.exe91⤵PID:776
-
\??\c:\ntnttt.exec:\ntnttt.exe92⤵PID:2908
-
\??\c:\ppvdd.exec:\ppvdd.exe93⤵PID:2776
-
\??\c:\fxrrrrx.exec:\fxrrrrx.exe94⤵PID:2832
-
\??\c:\rrllxfl.exec:\rrllxfl.exe95⤵
- System Location Discovery: System Language Discovery
PID:2864 -
\??\c:\hbbhtb.exec:\hbbhtb.exe96⤵PID:992
-
\??\c:\7pddv.exec:\7pddv.exe97⤵PID:2956
-
\??\c:\pjpvp.exec:\pjpvp.exe98⤵PID:1784
-
\??\c:\3frxxfr.exec:\3frxxfr.exe99⤵
- System Location Discovery: System Language Discovery
PID:2036 -
\??\c:\hbtntt.exec:\hbtntt.exe100⤵PID:2784
-
\??\c:\nhtthb.exec:\nhtthb.exe101⤵PID:2376
-
\??\c:\jdvdp.exec:\jdvdp.exe102⤵PID:2392
-
\??\c:\rrfrxfr.exec:\rrfrxfr.exe103⤵PID:1880
-
\??\c:\btntbh.exec:\btntbh.exe104⤵PID:444
-
\??\c:\btbnth.exec:\btbnth.exe105⤵PID:624
-
\??\c:\pjvdp.exec:\pjvdp.exe106⤵PID:952
-
\??\c:\jjdjj.exec:\jjdjj.exe107⤵PID:2328
-
\??\c:\rlrrxxr.exec:\rlrrxxr.exe108⤵PID:1544
-
\??\c:\3hbhbh.exec:\3hbhbh.exe109⤵PID:2348
-
\??\c:\tnbhtb.exec:\tnbhtb.exe110⤵PID:900
-
\??\c:\ppdvj.exec:\ppdvj.exe111⤵PID:2308
-
\??\c:\rllrxxf.exec:\rllrxxf.exe112⤵PID:1984
-
\??\c:\7xrxflx.exec:\7xrxflx.exe113⤵PID:2184
-
\??\c:\bnhnhh.exec:\bnhnhh.exe114⤵PID:2244
-
\??\c:\1tttbh.exec:\1tttbh.exe115⤵PID:1212
-
\??\c:\5dvdp.exec:\5dvdp.exe116⤵PID:2192
-
\??\c:\flrlrxl.exec:\flrlrxl.exe117⤵PID:2468
-
\??\c:\7rfflll.exec:\7rfflll.exe118⤵PID:1000
-
\??\c:\9nhhnn.exec:\9nhhnn.exe119⤵PID:2764
-
\??\c:\jdvdd.exec:\jdvdd.exe120⤵PID:1532
-
\??\c:\1xrrxrf.exec:\1xrrxrf.exe121⤵PID:2804
-
\??\c:\9nhhhb.exec:\9nhhhb.exe122⤵PID:2660