Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:58
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe
Resource
win7-20240903-en
7 signatures (the behavioral run; each matched signature is listed under "Signatures" below)
150 seconds
General
-
Target
983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe
-
Size
454KB
-
MD5
6718fd2576a8af410c2e2d32c2b6c508
-
SHA1
c1f6803bbc9823304d616dbfdbe33fb4cf5ded7c
-
SHA256
983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec
-
SHA512
e7d8992ba4fea854c7324a00b365edd6d21aced86f5d01a40ee5b24a5631168677f97f1f6c8bd836b87c9fa739cee222f8209a1579436f961844d3c5ec974e64
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1:q7Tc2NYHUrAwfMp3CD1
Malware Config — none extracted for this sample (the section is empty; the family attribution below therefore rests on YARA matches against memory dumps, not on a decoded configuration)
Signatures
-
Blackmoon family (attribution derived from the family_blackmoon YARA matches on process memory dumps listed in the next signature; no configuration was decoded to corroborate it)
-
Detects Blackmoon payload — 47 IoCs. Each IoC is a YARA match (rule family_blackmoon) on a memory dump named pid-sequence-range. Note that PIDs are reused within this run (for example 1564, 2660 and 2956 each appear twice in the process tree below), so the pid prefix alone does not identify a process; use the sequence number. Almost every match lies in the 0x400000–0x42A000 image range (or a small 0x1B0000/0x220000/0x3B0000 heap-sized region of the same 0x2A000 length); the one outlier, 2292-298 at 0x77820000–0x7793F000, looks like a system-DLL mapping rather than the sample's image and should be confirmed before being treated as evidence.
resource yara_rule behavioral1/memory/2684-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-81-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2644-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-112-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2388-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-164-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1244-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-183-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/1904-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-226-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2260-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1580-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-298-0x0000000077820000-0x000000007793F000-memory.dmp family_blackmoon behavioral1/memory/2396-312-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2492-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-339-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/580-397-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2700-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-630-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1092-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2368-1121-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2716-1160-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1860-1193-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-1257-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2156-1258-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list appears capped at 64 entries; the process tree below shows well over a hundred dropped executables). Every dropped file is written to the root of the C: volume with a short name drawn from a small alphabet (b, d, f, h, j, l, n, p, r, t, v, x and digits), and each process launches exactly one successor, forming a single long chain. An executable created and run from the volume root with a name of this shape is a practical detection hook for this sample.
pid Process 2120 tnbbhh.exe 2964 3jddj.exe 1820 1httbh.exe 2096 1hbhtb.exe 2980 pjjdp.exe 2988 fllxrfr.exe 2476 3nbbhh.exe 2928 nbnnbb.exe 2644 xrflrrx.exe 2628 ppdjv.exe 2052 3rfllxf.exe 1484 tbtbbn.exe 2388 lfflflx.exe 2660 vppvj.exe 2064 1lllflx.exe 852 lflxffr.exe 1928 jdpjv.exe 1044 ddppp.exe 1244 9nhntt.exe 2956 ppjpp.exe 2068 hbnnbh.exe 1704 lxffrlr.exe 1548 5rflrxf.exe 1904 1jdjp.exe 1756 rfffxxf.exe 900 3rlxfff.exe 2260 jjvdp.exe 2428 nhhnbb.exe 1564 vjvpv.exe 988 5lrlrrx.exe 1492 1nthbb.exe 1620 rfrflfx.exe 2292 5hhtnn.exe 2396 pdppv.exe 316 ppjpv.exe 576 vpddj.exe 2492 7xfxxxl.exe 2704 7bnntb.exe 2832 nhtbbh.exe 2808 pjddj.exe 2708 frxrrrx.exe 2624 nttnth.exe 2800 3nnhnn.exe 2736 7dppv.exe 764 rrrfxlx.exe 1836 fxlxrrf.exe 580 bnhntb.exe 664 5vvdv.exe 1388 vpdjp.exe 2700 rrrrrrf.exe 2660 bhbntb.exe 2156 hbtbtt.exe 1792 dpvvv.exe 1880 ffxxlrx.exe 2392 9xxfxlx.exe 1996 5bnttb.exe 2912 ddvdp.exe 2952 5jvjp.exe 2956 lfxxlfr.exe 2192 tnhbnt.exe 2220 thtbbb.exe 1856 vjppd.exe 1136 xflxflx.exe 2580 7bntnn.exe -
resource yara_rule behavioral1/memory/2684-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-218-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1904-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-252-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1564-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-312-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2492-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-349-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2800-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-992-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-1047-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/576-1122-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also common in benign software, so this is low-signal on its own; and most entries below are attributed to "Process not Found", meaning the sandbox could not resolve the acting process (consistent with the very short-lived processes in the chain), so the per-process attribution here is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list appears capped at 64; the chain continues past what is shown). Each parent/child pair is recorded four times and the target is always the child the parent has just spawned (the next link in the chain), not an unrelated process; this pattern is consistent with writes made during ordinary process creation rather than code injection into a foreign process, though that should be confirmed against the full API trace before being ruled out as injection.
description pid Process procid_target PID 2684 wrote to memory of 2120 2684 983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe 30 PID 2684 wrote to memory of 2120 2684 983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe 30 PID 2684 wrote to memory of 2120 2684 983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe 30 PID 2684 wrote to memory of 2120 2684 983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe 30 PID 2120 wrote to memory of 2964 2120 tnbbhh.exe 31 PID 2120 wrote to memory of 2964 2120 tnbbhh.exe 31 PID 2120 wrote to memory of 2964 2120 tnbbhh.exe 31 PID 2120 wrote to memory of 2964 2120 tnbbhh.exe 31 PID 2964 wrote to memory of 1820 2964 3jddj.exe 32 PID 2964 wrote to memory of 1820 2964 3jddj.exe 32 PID 2964 wrote to memory of 1820 2964 3jddj.exe 32 PID 2964 wrote to memory of 1820 2964 3jddj.exe 32 PID 1820 wrote to memory of 2096 1820 1httbh.exe 33 PID 1820 wrote to memory of 2096 1820 1httbh.exe 33 PID 1820 wrote to memory of 2096 1820 1httbh.exe 33 PID 1820 wrote to memory of 2096 1820 1httbh.exe 33 PID 2096 wrote to memory of 2980 2096 1hbhtb.exe 34 PID 2096 wrote to memory of 2980 2096 1hbhtb.exe 34 PID 2096 wrote to memory of 2980 2096 1hbhtb.exe 34 PID 2096 wrote to memory of 2980 2096 1hbhtb.exe 34 PID 2980 wrote to memory of 2988 2980 pjjdp.exe 35 PID 2980 wrote to memory of 2988 2980 pjjdp.exe 35 PID 2980 wrote to memory of 2988 2980 pjjdp.exe 35 PID 2980 wrote to memory of 2988 2980 pjjdp.exe 35 PID 2988 wrote to memory of 2476 2988 fllxrfr.exe 36 PID 2988 wrote to memory of 2476 2988 fllxrfr.exe 36 PID 2988 wrote to memory of 2476 2988 fllxrfr.exe 36 PID 2988 wrote to memory of 2476 2988 fllxrfr.exe 36 PID 2476 wrote to memory of 2928 2476 3nbbhh.exe 37 PID 2476 wrote to memory of 2928 2476 3nbbhh.exe 37 PID 2476 wrote to memory of 2928 2476 3nbbhh.exe 37 PID 2476 wrote to memory of 2928 2476 3nbbhh.exe 37 PID 2928 wrote to memory of 2644 2928 nbnnbb.exe 38 PID 2928 wrote to 
memory of 2644 2928 nbnnbb.exe 38 PID 2928 wrote to memory of 2644 2928 nbnnbb.exe 38 PID 2928 wrote to memory of 2644 2928 nbnnbb.exe 38 PID 2644 wrote to memory of 2628 2644 xrflrrx.exe 39 PID 2644 wrote to memory of 2628 2644 xrflrrx.exe 39 PID 2644 wrote to memory of 2628 2644 xrflrrx.exe 39 PID 2644 wrote to memory of 2628 2644 xrflrrx.exe 39 PID 2628 wrote to memory of 2052 2628 ppdjv.exe 40 PID 2628 wrote to memory of 2052 2628 ppdjv.exe 40 PID 2628 wrote to memory of 2052 2628 ppdjv.exe 40 PID 2628 wrote to memory of 2052 2628 ppdjv.exe 40 PID 2052 wrote to memory of 1484 2052 3rfllxf.exe 41 PID 2052 wrote to memory of 1484 2052 3rfllxf.exe 41 PID 2052 wrote to memory of 1484 2052 3rfllxf.exe 41 PID 2052 wrote to memory of 1484 2052 3rfllxf.exe 41 PID 1484 wrote to memory of 2388 1484 tbtbbn.exe 42 PID 1484 wrote to memory of 2388 1484 tbtbbn.exe 42 PID 1484 wrote to memory of 2388 1484 tbtbbn.exe 42 PID 1484 wrote to memory of 2388 1484 tbtbbn.exe 42 PID 2388 wrote to memory of 2660 2388 lfflflx.exe 43 PID 2388 wrote to memory of 2660 2388 lfflflx.exe 43 PID 2388 wrote to memory of 2660 2388 lfflflx.exe 43 PID 2388 wrote to memory of 2660 2388 lfflflx.exe 43 PID 2660 wrote to memory of 2064 2660 vppvj.exe 44 PID 2660 wrote to memory of 2064 2660 vppvj.exe 44 PID 2660 wrote to memory of 2064 2660 vppvj.exe 44 PID 2660 wrote to memory of 2064 2660 vppvj.exe 44 PID 2064 wrote to memory of 852 2064 1lllflx.exe 45 PID 2064 wrote to memory of 852 2064 1lllflx.exe 45 PID 2064 wrote to memory of 852 2064 1lllflx.exe 45 PID 2064 wrote to memory of 852 2064 1lllflx.exe 45
Processes (each entry shows the image path in NT form, e.g. \??\c:\name.exe, fused with its command line and followed by the tree-depth number before ⤵; tags under an entry are the signatures attributed to that process)
-
C:\Users\Admin\AppData\Local\Temp\983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe "C:\Users\Admin\AppData\Local\Temp\983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\tnbbhh.exec:\tnbbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\3jddj.exec:\3jddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\1httbh.exec:\1httbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\1hbhtb.exec:\1hbhtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\pjjdp.exec:\pjjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\fllxrfr.exec:\fllxrfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\3nbbhh.exec:\3nbbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\nbnnbb.exec:\nbnnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\xrflrrx.exec:\xrflrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\ppdjv.exec:\ppdjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\3rfllxf.exec:\3rfllxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\tbtbbn.exec:\tbtbbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\lfflflx.exec:\lfflflx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\vppvj.exec:\vppvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\1lllflx.exec:\1lllflx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\lflxffr.exec:\lflxffr.exe17⤵
- Executes dropped EXE
PID:852 -
\??\c:\jdpjv.exec:\jdpjv.exe18⤵
- Executes dropped EXE
PID:1928 -
\??\c:\ddppp.exec:\ddppp.exe19⤵
- Executes dropped EXE
PID:1044 -
\??\c:\9nhntt.exec:\9nhntt.exe20⤵
- Executes dropped EXE
PID:1244 -
\??\c:\ppjpp.exec:\ppjpp.exe21⤵
- Executes dropped EXE
PID:2956 -
\??\c:\hbnnbh.exec:\hbnnbh.exe22⤵
- Executes dropped EXE
PID:2068 -
\??\c:\lxffrlr.exec:\lxffrlr.exe23⤵
- Executes dropped EXE
PID:1704 -
\??\c:\5rflrxf.exec:\5rflrxf.exe24⤵
- Executes dropped EXE
PID:1548 -
\??\c:\1jdjp.exec:\1jdjp.exe25⤵
- Executes dropped EXE
PID:1904 -
\??\c:\rfffxxf.exec:\rfffxxf.exe26⤵
- Executes dropped EXE
PID:1756 -
\??\c:\3rlxfff.exec:\3rlxfff.exe27⤵
- Executes dropped EXE
PID:900 -
\??\c:\jjvdp.exec:\jjvdp.exe28⤵
- Executes dropped EXE
PID:2260 -
\??\c:\nhhnbb.exec:\nhhnbb.exe29⤵
- Executes dropped EXE
PID:2428 -
\??\c:\vjvpv.exec:\vjvpv.exe30⤵
- Executes dropped EXE
PID:1564 -
\??\c:\5lrlrrx.exec:\5lrlrrx.exe31⤵
- Executes dropped EXE
PID:988 -
\??\c:\1nthbb.exec:\1nthbb.exe32⤵
- Executes dropped EXE
PID:1492 -
\??\c:\rfrflfx.exec:\rfrflfx.exe33⤵
- Executes dropped EXE
PID:1620 -
\??\c:\5hhtnn.exec:\5hhtnn.exe34⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vjdjp.exec:\vjdjp.exe35⤵PID:1580
-
\??\c:\pdppv.exec:\pdppv.exe36⤵
- Executes dropped EXE
PID:2396 -
\??\c:\ppjpv.exec:\ppjpv.exe37⤵
- Executes dropped EXE
PID:316 -
\??\c:\vpddj.exec:\vpddj.exe38⤵
- Executes dropped EXE
PID:576 -
\??\c:\7xfxxxl.exec:\7xfxxxl.exe39⤵
- Executes dropped EXE
PID:2492 -
\??\c:\7bnntb.exec:\7bnntb.exe40⤵
- Executes dropped EXE
PID:2704 -
\??\c:\nhtbbh.exec:\nhtbbh.exe41⤵
- Executes dropped EXE
PID:2832 -
\??\c:\pjddj.exec:\pjddj.exe42⤵
- Executes dropped EXE
PID:2808 -
\??\c:\frxrrrx.exec:\frxrrrx.exe43⤵
- Executes dropped EXE
PID:2708 -
\??\c:\nttnth.exec:\nttnth.exe44⤵
- Executes dropped EXE
PID:2624 -
\??\c:\3nnhnn.exec:\3nnhnn.exe45⤵
- Executes dropped EXE
PID:2800 -
\??\c:\7dppv.exec:\7dppv.exe46⤵
- Executes dropped EXE
PID:2736 -
\??\c:\rrrfxlx.exec:\rrrfxlx.exe47⤵
- Executes dropped EXE
PID:764 -
\??\c:\fxlxrrf.exec:\fxlxrrf.exe48⤵
- Executes dropped EXE
PID:1836 -
\??\c:\bnhntb.exec:\bnhntb.exe49⤵
- Executes dropped EXE
PID:580 -
\??\c:\5vvdv.exec:\5vvdv.exe50⤵
- Executes dropped EXE
PID:664 -
\??\c:\vpdjp.exec:\vpdjp.exe51⤵
- Executes dropped EXE
PID:1388 -
\??\c:\rrrrrrf.exec:\rrrrrrf.exe52⤵
- Executes dropped EXE
PID:2700 -
\??\c:\bhbntb.exec:\bhbntb.exe53⤵
- Executes dropped EXE
PID:2660 -
\??\c:\hbtbtt.exec:\hbtbtt.exe54⤵
- Executes dropped EXE
PID:2156 -
\??\c:\dpvvv.exec:\dpvvv.exe55⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ffxxlrx.exec:\ffxxlrx.exe56⤵
- Executes dropped EXE
PID:1880 -
\??\c:\9xxfxlx.exec:\9xxfxlx.exe57⤵
- Executes dropped EXE
PID:2392 -
\??\c:\5bnttb.exec:\5bnttb.exe58⤵
- Executes dropped EXE
PID:1996 -
\??\c:\ddvdp.exec:\ddvdp.exe59⤵
- Executes dropped EXE
PID:2912 -
\??\c:\5jvjp.exec:\5jvjp.exe60⤵
- Executes dropped EXE
PID:2952 -
\??\c:\lfxxlfr.exec:\lfxxlfr.exe61⤵
- Executes dropped EXE
PID:2956 -
\??\c:\tnhbnt.exec:\tnhbnt.exe62⤵
- Executes dropped EXE
PID:2192 -
\??\c:\thtbbb.exec:\thtbbb.exe63⤵
- Executes dropped EXE
PID:2220 -
\??\c:\vjppd.exec:\vjppd.exe64⤵
- Executes dropped EXE
PID:1856 -
\??\c:\xflxflx.exec:\xflxflx.exe65⤵
- Executes dropped EXE
PID:1136 -
\??\c:\7bntnn.exec:\7bntnn.exe66⤵
- Executes dropped EXE
PID:2580 -
\??\c:\3tbbbt.exec:\3tbbbt.exe67⤵PID:956
-
\??\c:\9pdjv.exec:\9pdjv.exe68⤵PID:1764
-
\??\c:\xrffflf.exec:\xrffflf.exe69⤵PID:900
-
\??\c:\xfrlxxf.exec:\xfrlxxf.exe70⤵PID:1840
-
\??\c:\btntbb.exec:\btntbb.exe71⤵PID:2092
-
\??\c:\jdppd.exec:\jdppd.exe72⤵
- System Location Discovery: System Language Discovery
PID:868 -
\??\c:\vvdjp.exec:\vvdjp.exe73⤵PID:1564
-
\??\c:\9xrrrxx.exec:\9xrrrxx.exe74⤵PID:1376
-
\??\c:\tthnhn.exec:\tthnhn.exe75⤵PID:1700
-
\??\c:\dvpjd.exec:\dvpjd.exe76⤵PID:2108
-
\??\c:\9vjjj.exec:\9vjjj.exe77⤵
- System Location Discovery: System Language Discovery
PID:2136 -
\??\c:\ffllrrx.exec:\ffllrrx.exe78⤵PID:2292
-
\??\c:\hbnntt.exec:\hbnntt.exe79⤵PID:1588
-
\??\c:\bbbhbb.exec:\bbbhbb.exe80⤵PID:2540
-
\??\c:\1pjvj.exec:\1pjvj.exe81⤵PID:1032
-
\??\c:\5flflrl.exec:\5flflrl.exe82⤵PID:2144
-
\??\c:\lrrllff.exec:\lrrllff.exe83⤵PID:2820
-
\??\c:\hntthn.exec:\hntthn.exe84⤵PID:1688
-
\??\c:\jvpjv.exec:\jvpjv.exe85⤵PID:2704
-
\??\c:\9vvdp.exec:\9vvdp.exe86⤵PID:2468
-
\??\c:\xlrrrrx.exec:\xlrrrrx.exe87⤵PID:2844
-
\??\c:\bthnbb.exec:\bthnbb.exe88⤵PID:2852
-
\??\c:\vjvvv.exec:\vjvvv.exe89⤵PID:2344
-
\??\c:\vpppv.exec:\vpppv.exe90⤵PID:2616
-
\??\c:\9rflxfl.exec:\9rflxfl.exe91⤵PID:2736
-
\??\c:\bthhnn.exec:\bthhnn.exe92⤵PID:1092
-
\??\c:\hbnhhb.exec:\hbnhhb.exe93⤵PID:1836
-
\??\c:\jjjvj.exec:\jjjvj.exe94⤵PID:844
-
\??\c:\7xxxxxl.exec:\7xxxxxl.exe95⤵PID:664
-
\??\c:\lxllffl.exec:\lxllffl.exe96⤵PID:2388
-
\??\c:\9htttt.exec:\9htttt.exe97⤵PID:2700
-
\??\c:\dvpdv.exec:\dvpdv.exe98⤵PID:2660
-
\??\c:\pjvvd.exec:\pjvvd.exe99⤵PID:2868
-
\??\c:\xrfflxl.exec:\xrfflxl.exe100⤵PID:1792
-
\??\c:\tnbhtn.exec:\tnbhtn.exe101⤵PID:268
-
\??\c:\bhthth.exec:\bhthth.exe102⤵PID:1256
-
\??\c:\dvppp.exec:\dvppp.exe103⤵PID:1996
-
\??\c:\5rffflr.exec:\5rffflr.exe104⤵PID:1780
-
\??\c:\nnbnhn.exec:\nnbnhn.exe105⤵PID:2168
-
\??\c:\5nbbhh.exec:\5nbbhh.exe106⤵PID:2296
-
\??\c:\jdvdp.exec:\jdvdp.exe107⤵
- System Location Discovery: System Language Discovery
PID:1632 -
\??\c:\fxxxfff.exec:\fxxxfff.exe108⤵PID:2060
-
\??\c:\fxxxxxf.exec:\fxxxxxf.exe109⤵PID:1856
-
\??\c:\thtthh.exec:\thtthh.exe110⤵PID:636
-
\??\c:\dpjpp.exec:\dpjpp.exe111⤵
- System Location Discovery: System Language Discovery
PID:2036 -
\??\c:\vpdvd.exec:\vpdvd.exe112⤵PID:1540
-
\??\c:\llxxflr.exec:\llxxflr.exe113⤵PID:1764
-
\??\c:\7nhbbb.exec:\7nhbbb.exe114⤵PID:2436
-
\??\c:\ttnnnn.exec:\ttnnnn.exe115⤵PID:1840
-
\??\c:\vvdvp.exec:\vvdvp.exe116⤵PID:332
-
\??\c:\xrfllll.exec:\xrfllll.exe117⤵PID:868
-
\??\c:\xlrrxxl.exec:\xlrrxxl.exe118⤵PID:1708
-
\??\c:\9btnhh.exec:\9btnhh.exe119⤵PID:988
-
\??\c:\vvpvd.exec:\vvpvd.exe120⤵PID:1700
-
\??\c:\vjvjj.exec:\vjvjj.exe121⤵PID:2072
-
\??\c:\xxrfxrf.exec:\xxrfxrf.exe122⤵PID:1580