Analysis
-
max time kernel
150s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe
-
Size
457KB
-
MD5
29f398db199413059046227728a5e04f
-
SHA1
3a63536dfe9aa33275ee630e418767cf54b0f44f
-
SHA256
bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c
-
SHA512
ffd15ab5ca0b75e92109c41cf26f8cd95c61f5516e0967ac45c9a67f717592031a613038dd896b54049e84bbb010ede081489ea093519eea702640e8e4156de6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRw4:q7Tc2NYHUrAwfMp3CDRw4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2308-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-88-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2672-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-115-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2424-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2880-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1228-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-191-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1048-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2072-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-245-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1776-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-456-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2336-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-500-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/468-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-611-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2888-697-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2888-696-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2864-711-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2176-733-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2176-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1484 rrrrrrx.exe 2228 lfxxfff.exe 2908 nnhhhn.exe 2804 dvddj.exe 2968 nhnhbb.exe 2932 xrffrrx.exe 2820 3ntnnn.exe 2672 1fxflll.exe 2696 9ddvd.exe 940 5rllxxl.exe 2424 bbhhhh.exe 2284 5fllxxx.exe 2880 tttttt.exe 2952 5xffrrx.exe 2896 tthbhb.exe 2152 3thhnt.exe 2832 9hbbbb.exe 1228 lfrrrlr.exe 2120 hhhnbb.exe 1048 5nttbh.exe 2072 vvddj.exe 2692 nnttbb.exe 1564 ppdvj.exe 3044 tnnhbt.exe 1752 1djjj.exe 1980 3nbbhn.exe 1952 tntbtb.exe 1776 7xlfxxf.exe 3056 bbbbhn.exe 1760 9lxxffl.exe 1696 9nhhnh.exe 2392 rllrlxl.exe 2916 lrxfllr.exe 2912 tnttnn.exe 2800 jjvpp.exe 2812 rrxxfxf.exe 2688 9ntnhh.exe 2676 hhnntt.exe 1756 jjpvp.exe 2700 3rllllx.exe 2772 1tttbt.exe 1088 vdddj.exe 2696 jdjjj.exe 2408 7xxxfll.exe 1944 bbttbb.exe 1660 vvvpp.exe 3068 1rlflff.exe 2872 bthhbn.exe 2976 tntbbt.exe 2864 pjjvd.exe 2148 lfrlrxl.exe 3028 bbhhnh.exe 2176 nhhbbb.exe 864 5vvvp.exe 2336 xxflxfr.exe 2216 3xfxfrr.exe 916 bhtntt.exe 2276 pvvpv.exe 2500 3lfxxff.exe 2360 fxlfflf.exe 468 7bbtbb.exe 2080 7dpvj.exe 1764 xxllffr.exe 2292 1thhbt.exe -
resource yara_rule behavioral1/memory/2308-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/940-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-215-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2692-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/468-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-734-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fflxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fllllr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2308 wrote to memory of 1484 2308 bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe 30 PID 2308 wrote to memory of 1484 2308 bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe 30 PID 2308 wrote to memory of 1484 2308 bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe 30 PID 2308 wrote to memory of 1484 2308 bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe 30 PID 1484 wrote to memory of 2228 1484 rrrrrrx.exe 31 PID 1484 wrote to memory of 2228 1484 rrrrrrx.exe 31 PID 1484 wrote to memory of 2228 1484 rrrrrrx.exe 31 PID 1484 wrote to memory of 2228 1484 rrrrrrx.exe 31 PID 2228 wrote to memory of 2908 2228 lfxxfff.exe 32 PID 2228 wrote to memory of 2908 2228 lfxxfff.exe 32 PID 2228 wrote to memory of 2908 2228 lfxxfff.exe 32 PID 2228 wrote to memory of 2908 2228 lfxxfff.exe 32 PID 2908 wrote to memory of 2804 2908 nnhhhn.exe 33 PID 2908 wrote to memory of 2804 2908 nnhhhn.exe 33 PID 2908 wrote to memory of 2804 2908 nnhhhn.exe 33 PID 2908 wrote to memory of 2804 2908 nnhhhn.exe 33 PID 2804 wrote to memory of 2968 2804 dvddj.exe 34 PID 2804 wrote to memory of 2968 2804 dvddj.exe 34 PID 2804 wrote to memory of 2968 2804 dvddj.exe 34 PID 2804 wrote to memory of 2968 2804 dvddj.exe 34 PID 2968 wrote to memory of 2932 2968 nhnhbb.exe 35 PID 2968 wrote to memory of 2932 2968 nhnhbb.exe 35 PID 2968 wrote to memory of 2932 2968 nhnhbb.exe 35 PID 2968 wrote to memory of 2932 2968 nhnhbb.exe 35 PID 2932 wrote to memory of 2820 2932 xrffrrx.exe 36 PID 2932 wrote to memory of 2820 2932 xrffrrx.exe 36 PID 2932 wrote to memory of 2820 2932 xrffrrx.exe 36 PID 2932 wrote to memory of 2820 2932 xrffrrx.exe 36 PID 2820 wrote to memory of 2672 2820 3ntnnn.exe 37 PID 2820 wrote to memory of 2672 2820 3ntnnn.exe 37 PID 2820 wrote to memory of 2672 2820 3ntnnn.exe 37 PID 2820 wrote to memory of 2672 2820 3ntnnn.exe 37 PID 2672 wrote to memory of 2696 2672 1fxflll.exe 38 PID 
2672 wrote to memory of 2696 2672 1fxflll.exe 38 PID 2672 wrote to memory of 2696 2672 1fxflll.exe 38 PID 2672 wrote to memory of 2696 2672 1fxflll.exe 38 PID 2696 wrote to memory of 940 2696 9ddvd.exe 39 PID 2696 wrote to memory of 940 2696 9ddvd.exe 39 PID 2696 wrote to memory of 940 2696 9ddvd.exe 39 PID 2696 wrote to memory of 940 2696 9ddvd.exe 39 PID 940 wrote to memory of 2424 940 5rllxxl.exe 40 PID 940 wrote to memory of 2424 940 5rllxxl.exe 40 PID 940 wrote to memory of 2424 940 5rllxxl.exe 40 PID 940 wrote to memory of 2424 940 5rllxxl.exe 40 PID 2424 wrote to memory of 2284 2424 bbhhhh.exe 41 PID 2424 wrote to memory of 2284 2424 bbhhhh.exe 41 PID 2424 wrote to memory of 2284 2424 bbhhhh.exe 41 PID 2424 wrote to memory of 2284 2424 bbhhhh.exe 41 PID 2284 wrote to memory of 2880 2284 5fllxxx.exe 42 PID 2284 wrote to memory of 2880 2284 5fllxxx.exe 42 PID 2284 wrote to memory of 2880 2284 5fllxxx.exe 42 PID 2284 wrote to memory of 2880 2284 5fllxxx.exe 42 PID 2880 wrote to memory of 2952 2880 tttttt.exe 43 PID 2880 wrote to memory of 2952 2880 tttttt.exe 43 PID 2880 wrote to memory of 2952 2880 tttttt.exe 43 PID 2880 wrote to memory of 2952 2880 tttttt.exe 43 PID 2952 wrote to memory of 2896 2952 5xffrrx.exe 44 PID 2952 wrote to memory of 2896 2952 5xffrrx.exe 44 PID 2952 wrote to memory of 2896 2952 5xffrrx.exe 44 PID 2952 wrote to memory of 2896 2952 5xffrrx.exe 44 PID 2896 wrote to memory of 2152 2896 tthbhb.exe 45 PID 2896 wrote to memory of 2152 2896 tthbhb.exe 45 PID 2896 wrote to memory of 2152 2896 tthbhb.exe 45 PID 2896 wrote to memory of 2152 2896 tthbhb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe"C:\Users\Admin\AppData\Local\Temp\bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\rrrrrrx.exec:\rrrrrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\lfxxfff.exec:\lfxxfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\nnhhhn.exec:\nnhhhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\dvddj.exec:\dvddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\nhnhbb.exec:\nhnhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\xrffrrx.exec:\xrffrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\3ntnnn.exec:\3ntnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\1fxflll.exec:\1fxflll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\9ddvd.exec:\9ddvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\5rllxxl.exec:\5rllxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\bbhhhh.exec:\bbhhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\5fllxxx.exec:\5fllxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\tttttt.exec:\tttttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\5xffrrx.exec:\5xffrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\tthbhb.exec:\tthbhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\3thhnt.exec:\3thhnt.exe17⤵
- Executes dropped EXE
PID:2152 -
\??\c:\9hbbbb.exec:\9hbbbb.exe18⤵
- Executes dropped EXE
PID:2832 -
\??\c:\lfrrrlr.exec:\lfrrrlr.exe19⤵
- Executes dropped EXE
PID:1228 -
\??\c:\hhhnbb.exec:\hhhnbb.exe20⤵
- Executes dropped EXE
PID:2120 -
\??\c:\5nttbh.exec:\5nttbh.exe21⤵
- Executes dropped EXE
PID:1048 -
\??\c:\vvddj.exec:\vvddj.exe22⤵
- Executes dropped EXE
PID:2072 -
\??\c:\nnttbb.exec:\nnttbb.exe23⤵
- Executes dropped EXE
PID:2692 -
\??\c:\ppdvj.exec:\ppdvj.exe24⤵
- Executes dropped EXE
PID:1564 -
\??\c:\tnnhbt.exec:\tnnhbt.exe25⤵
- Executes dropped EXE
PID:3044 -
\??\c:\1djjj.exec:\1djjj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752 -
\??\c:\3nbbhn.exec:\3nbbhn.exe27⤵
- Executes dropped EXE
PID:1980 -
\??\c:\tntbtb.exec:\tntbtb.exe28⤵
- Executes dropped EXE
PID:1952 -
\??\c:\7xlfxxf.exec:\7xlfxxf.exe29⤵
- Executes dropped EXE
PID:1776 -
\??\c:\bbbbhn.exec:\bbbbhn.exe30⤵
- Executes dropped EXE
PID:3056 -
\??\c:\9lxxffl.exec:\9lxxffl.exe31⤵
- Executes dropped EXE
PID:1760 -
\??\c:\9nhhnh.exec:\9nhhnh.exe32⤵
- Executes dropped EXE
PID:1696 -
\??\c:\rllrlxl.exec:\rllrlxl.exe33⤵
- Executes dropped EXE
PID:2392 -
\??\c:\lrxfllr.exec:\lrxfllr.exe34⤵
- Executes dropped EXE
PID:2916 -
\??\c:\tnttnn.exec:\tnttnn.exe35⤵
- Executes dropped EXE
PID:2912 -
\??\c:\jjvpp.exec:\jjvpp.exe36⤵
- Executes dropped EXE
PID:2800 -
\??\c:\rrxxfxf.exec:\rrxxfxf.exe37⤵
- Executes dropped EXE
PID:2812 -
\??\c:\9ntnhh.exec:\9ntnhh.exe38⤵
- Executes dropped EXE
PID:2688 -
\??\c:\hhnntt.exec:\hhnntt.exe39⤵
- Executes dropped EXE
PID:2676 -
\??\c:\jjpvp.exec:\jjpvp.exe40⤵
- Executes dropped EXE
PID:1756 -
\??\c:\3rllllx.exec:\3rllllx.exe41⤵
- Executes dropped EXE
PID:2700 -
\??\c:\1tttbt.exec:\1tttbt.exe42⤵
- Executes dropped EXE
PID:2772 -
\??\c:\vdddj.exec:\vdddj.exe43⤵
- Executes dropped EXE
PID:1088 -
\??\c:\jdjjj.exec:\jdjjj.exe44⤵
- Executes dropped EXE
PID:2696 -
\??\c:\7xxxfll.exec:\7xxxfll.exe45⤵
- Executes dropped EXE
PID:2408 -
\??\c:\bbttbb.exec:\bbttbb.exe46⤵
- Executes dropped EXE
PID:1944 -
\??\c:\vvvpp.exec:\vvvpp.exe47⤵
- Executes dropped EXE
PID:1660 -
\??\c:\1rlflff.exec:\1rlflff.exe48⤵
- Executes dropped EXE
PID:3068 -
\??\c:\bthhbn.exec:\bthhbn.exe49⤵
- Executes dropped EXE
PID:2872 -
\??\c:\tntbbt.exec:\tntbbt.exe50⤵
- Executes dropped EXE
PID:2976 -
\??\c:\pjjvd.exec:\pjjvd.exe51⤵
- Executes dropped EXE
PID:2864 -
\??\c:\lfrlrxl.exec:\lfrlrxl.exe52⤵
- Executes dropped EXE
PID:2148 -
\??\c:\bbhhnh.exec:\bbhhnh.exe53⤵
- Executes dropped EXE
PID:3028 -
\??\c:\nhhbbb.exec:\nhhbbb.exe54⤵
- Executes dropped EXE
PID:2176 -
\??\c:\5vvvp.exec:\5vvvp.exe55⤵
- Executes dropped EXE
PID:864 -
\??\c:\xxflxfr.exec:\xxflxfr.exe56⤵
- Executes dropped EXE
PID:2336 -
\??\c:\3xfxfrr.exec:\3xfxfrr.exe57⤵
- Executes dropped EXE
PID:2216 -
\??\c:\bhtntt.exec:\bhtntt.exe58⤵
- Executes dropped EXE
PID:916 -
\??\c:\pvvpv.exec:\pvvpv.exe59⤵
- Executes dropped EXE
PID:2276 -
\??\c:\3lfxxff.exec:\3lfxxff.exe60⤵
- Executes dropped EXE
PID:2500 -
\??\c:\fxlfflf.exec:\fxlfflf.exe61⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7bbtbb.exec:\7bbtbb.exe62⤵
- Executes dropped EXE
PID:468 -
\??\c:\7dpvj.exec:\7dpvj.exe63⤵
- Executes dropped EXE
PID:2080 -
\??\c:\xxllffr.exec:\xxllffr.exe64⤵
- Executes dropped EXE
PID:1764 -
\??\c:\1thhbt.exec:\1thhbt.exe65⤵
- Executes dropped EXE
PID:2292 -
\??\c:\nthhnn.exec:\nthhnn.exe66⤵PID:2620
-
\??\c:\pjjjj.exec:\pjjjj.exe67⤵PID:2476
-
\??\c:\3ffxxrr.exec:\3ffxxrr.exe68⤵PID:2096
-
\??\c:\7fxxfff.exec:\7fxxfff.exe69⤵PID:2472
-
\??\c:\hhnhhh.exec:\hhnhhh.exe70⤵PID:1520
-
\??\c:\pjpjj.exec:\pjpjj.exe71⤵PID:2308
-
\??\c:\pppjp.exec:\pppjp.exe72⤵PID:1724
-
\??\c:\5rrlrll.exec:\5rrlrll.exe73⤵PID:1676
-
\??\c:\hhhhbb.exec:\hhhhbb.exe74⤵PID:2560
-
\??\c:\vvdvd.exec:\vvdvd.exe75⤵PID:2192
-
\??\c:\jjjjj.exec:\jjjjj.exe76⤵PID:2916
-
\??\c:\rrllllx.exec:\rrllllx.exe77⤵PID:2784
-
\??\c:\nnhtbn.exec:\nnhtbn.exe78⤵PID:2800
-
\??\c:\hnbbhh.exec:\hnbbhh.exe79⤵PID:2856
-
\??\c:\dvpjp.exec:\dvpjp.exe80⤵PID:2708
-
\??\c:\7lrxfff.exec:\7lrxfff.exe81⤵PID:2652
-
\??\c:\rrrlrrx.exec:\rrrlrrx.exe82⤵PID:2716
-
\??\c:\5tntnn.exec:\5tntnn.exe83⤵PID:2672
-
\??\c:\vpvjj.exec:\vpvjj.exe84⤵PID:2400
-
\??\c:\pjjdj.exec:\pjjdj.exe85⤵PID:2848
-
\??\c:\rlrxffr.exec:\rlrxffr.exe86⤵PID:2696
-
\??\c:\thbntb.exec:\thbntb.exe87⤵PID:1780
-
\??\c:\jdddd.exec:\jdddd.exe88⤵PID:2320
-
\??\c:\djjvd.exec:\djjvd.exe89⤵PID:1660
-
\??\c:\flrlrxr.exec:\flrlrxr.exe90⤵PID:2880
-
\??\c:\nntttb.exec:\nntttb.exe91⤵PID:2888
-
\??\c:\tntntn.exec:\tntntn.exe92⤵PID:1840
-
\??\c:\ppppv.exec:\ppppv.exe93⤵PID:2864
-
\??\c:\rrxllff.exec:\rrxllff.exe94⤵PID:2996
-
\??\c:\bbbhhh.exec:\bbbhhh.exe95⤵PID:1848
-
\??\c:\tttbhh.exec:\tttbhh.exe96⤵PID:2176
-
\??\c:\1dvdd.exec:\1dvdd.exe97⤵PID:2116
-
\??\c:\frlfrrr.exec:\frlfrrr.exe98⤵PID:1044
-
\??\c:\hhhhnh.exec:\hhhhnh.exe99⤵PID:2552
-
\??\c:\5hnhhb.exec:\5hnhhb.exe100⤵PID:1680
-
\??\c:\1pvpv.exec:\1pvpv.exe101⤵
- System Location Discovery: System Language Discovery
PID:1604 -
\??\c:\ffrxrrr.exec:\ffrxrrr.exe102⤵PID:2000
-
\??\c:\5nbntn.exec:\5nbntn.exe103⤵PID:2064
-
\??\c:\7btntb.exec:\7btntb.exe104⤵PID:2252
-
\??\c:\vvjjj.exec:\vvjjj.exe105⤵PID:988
-
\??\c:\rlxflrx.exec:\rlxflrx.exe106⤵PID:1984
-
\??\c:\xxflllf.exec:\xxflllf.exe107⤵PID:1372
-
\??\c:\1bnhnb.exec:\1bnhnb.exe108⤵PID:1036
-
\??\c:\ddpjp.exec:\ddpjp.exe109⤵PID:2324
-
\??\c:\5rxrrrx.exec:\5rxrrrx.exe110⤵PID:856
-
\??\c:\xxllffl.exec:\xxllffl.exe111⤵PID:2200
-
\??\c:\5tbbhn.exec:\5tbbhn.exe112⤵PID:2372
-
\??\c:\jddvd.exec:\jddvd.exe113⤵PID:1760
-
\??\c:\dddvv.exec:\dddvv.exe114⤵PID:2228
-
\??\c:\xxxxxxr.exec:\xxxxxxr.exe115⤵PID:1916
-
\??\c:\rrrrrlr.exec:\rrrrrlr.exe116⤵PID:2948
-
\??\c:\bhtbbb.exec:\bhtbbb.exe117⤵PID:2912
-
\??\c:\ppvpp.exec:\ppvpp.exe118⤵PID:2168
-
\??\c:\lxlxrrf.exec:\lxlxrrf.exe119⤵PID:2812
-
\??\c:\nnnbbh.exec:\nnnbbh.exe120⤵PID:2856
-
\??\c:\9nbtbt.exec:\9nbtbt.exe121⤵PID:2344
-
\??\c:\vvddp.exec:\vvddp.exe122⤵PID:2656