Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe
-
Size
454KB
-
MD5
097bdd3c15eed55665edb40dc8b4704e
-
SHA1
9a1188d3d5de91d9678605cef1e5012a6586dbde
-
SHA256
bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281
-
SHA512
c0924a2735b18a9080fdcbef15c72f3705a60704e52f0386ecc635f2839afbac5e7cf8bf2cdd4a7051cf7081374c9f5d2a0e8d7860e86a4e3f440cda6b92b824
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2908-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-105-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2852-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1368-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/960-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/612-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2720-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-370-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2872-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/932-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-574-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2232-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-871-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2220-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-934-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2368-995-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-1021-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/3008-1090-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-1130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3064 btnthn.exe 2764 1pppd.exe 2908 xrrfffx.exe 2904 ttnbht.exe 2576 vpdjp.exe 2604 1djjp.exe 2600 xrlxffr.exe 2348 rrlxllx.exe 1944 nbhhnn.exe 2800 5vppv.exe 2852 7nthth.exe 2964 7lffrfx.exe 1980 xllxrlr.exe 1848 3pdvj.exe 320 nnhnbn.exe 1756 xfxrxfx.exe 2124 hthtnt.exe 2384 3lffllf.exe 2312 tthbhn.exe 2276 1pdjp.exe 2408 lllxlrl.exe 1368 ddvjv.exe 1648 ffxxfll.exe 960 tnbhbb.exe 1340 dvjpv.exe 1584 nnntht.exe 612 3jdjd.exe 2464 ffrfxfr.exe 1560 5bhhtb.exe 1316 5lfrflf.exe 1152 hbhbhb.exe 1988 xlfrlfr.exe 3056 lfxrfrx.exe 2396 ppjpd.exe 1576 lfxxllf.exe 2700 lxrxxxl.exe 2816 tthtnn.exe 2712 jddpj.exe 2748 rlxflrx.exe 2808 bthnbb.exe 2720 hnbtnh.exe 2568 vvpdp.exe 2564 lfrxxlf.exe 2988 nhbtbh.exe 1028 vpdvp.exe 2620 xlxrrlr.exe 2872 5lfrflr.exe 884 bttntb.exe 2852 pjdjp.exe 2000 frffllf.exe 1484 frrxfrf.exe 932 tnhtbh.exe 776 pjdjp.exe 1904 llflffl.exe 1132 9bbhhn.exe 2420 hnhnbh.exe 2244 5jjpp.exe 2384 rfrxxrx.exe 912 7lfflrx.exe 1236 bbtbnn.exe 1776 jdjjv.exe 1616 rrlrfxl.exe 1368 7tnbbh.exe 1244 nththh.exe -
resource yara_rule behavioral1/memory/2908-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-290-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2700-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/932-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-927-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-995-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-1123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-1130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-1183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2580-1199-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lflfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2168 wrote to memory of 3064 2168 bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe 30 PID 2168 wrote to memory of 3064 2168 bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe 30 PID 2168 wrote to memory of 3064 2168 bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe 30 PID 2168 wrote to memory of 3064 2168 bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe 30 PID 3064 wrote to memory of 2764 3064 btnthn.exe 31 PID 3064 wrote to memory of 2764 3064 btnthn.exe 31 PID 3064 wrote to memory of 2764 3064 btnthn.exe 31 PID 3064 wrote to memory of 2764 3064 btnthn.exe 31 PID 2764 wrote to memory of 2908 2764 1pppd.exe 32 PID 2764 wrote to memory of 2908 2764 1pppd.exe 32 PID 2764 wrote to memory of 2908 2764 1pppd.exe 32 PID 2764 wrote to memory of 2908 2764 1pppd.exe 32 PID 2908 wrote to memory of 2904 2908 xrrfffx.exe 33 PID 2908 wrote to memory of 2904 2908 xrrfffx.exe 33 PID 2908 wrote to memory of 2904 2908 xrrfffx.exe 33 PID 2908 wrote to memory of 2904 2908 xrrfffx.exe 33 PID 2904 wrote to memory of 2576 2904 ttnbht.exe 34 PID 2904 wrote to memory of 2576 2904 ttnbht.exe 34 PID 2904 wrote to memory of 2576 2904 ttnbht.exe 34 PID 2904 wrote to memory of 2576 2904 ttnbht.exe 34 PID 2576 wrote to memory of 2604 2576 vpdjp.exe 35 PID 2576 wrote to memory of 2604 2576 vpdjp.exe 35 PID 2576 wrote to memory of 2604 2576 vpdjp.exe 35 PID 2576 wrote to memory of 2604 2576 vpdjp.exe 35 PID 2604 wrote to memory of 2600 2604 1djjp.exe 36 PID 2604 wrote to memory of 2600 2604 1djjp.exe 36 PID 2604 wrote to memory of 2600 2604 1djjp.exe 36 PID 2604 wrote to memory of 2600 2604 1djjp.exe 36 PID 2600 wrote to memory of 2348 2600 xrlxffr.exe 37 PID 2600 wrote to memory of 2348 2600 xrlxffr.exe 37 PID 2600 wrote to memory of 2348 2600 xrlxffr.exe 37 PID 2600 wrote to memory of 2348 2600 xrlxffr.exe 37 PID 2348 wrote to memory of 1944 2348 rrlxllx.exe 38 PID 2348 wrote 
to memory of 1944 2348 rrlxllx.exe 38 PID 2348 wrote to memory of 1944 2348 rrlxllx.exe 38 PID 2348 wrote to memory of 1944 2348 rrlxllx.exe 38 PID 1944 wrote to memory of 2800 1944 nbhhnn.exe 39 PID 1944 wrote to memory of 2800 1944 nbhhnn.exe 39 PID 1944 wrote to memory of 2800 1944 nbhhnn.exe 39 PID 1944 wrote to memory of 2800 1944 nbhhnn.exe 39 PID 2800 wrote to memory of 2852 2800 5vppv.exe 40 PID 2800 wrote to memory of 2852 2800 5vppv.exe 40 PID 2800 wrote to memory of 2852 2800 5vppv.exe 40 PID 2800 wrote to memory of 2852 2800 5vppv.exe 40 PID 2852 wrote to memory of 2964 2852 7nthth.exe 41 PID 2852 wrote to memory of 2964 2852 7nthth.exe 41 PID 2852 wrote to memory of 2964 2852 7nthth.exe 41 PID 2852 wrote to memory of 2964 2852 7nthth.exe 41 PID 2964 wrote to memory of 1980 2964 7lffrfx.exe 42 PID 2964 wrote to memory of 1980 2964 7lffrfx.exe 42 PID 2964 wrote to memory of 1980 2964 7lffrfx.exe 42 PID 2964 wrote to memory of 1980 2964 7lffrfx.exe 42 PID 1980 wrote to memory of 1848 1980 xllxrlr.exe 43 PID 1980 wrote to memory of 1848 1980 xllxrlr.exe 43 PID 1980 wrote to memory of 1848 1980 xllxrlr.exe 43 PID 1980 wrote to memory of 1848 1980 xllxrlr.exe 43 PID 1848 wrote to memory of 320 1848 3pdvj.exe 44 PID 1848 wrote to memory of 320 1848 3pdvj.exe 44 PID 1848 wrote to memory of 320 1848 3pdvj.exe 44 PID 1848 wrote to memory of 320 1848 3pdvj.exe 44 PID 320 wrote to memory of 1756 320 nnhnbn.exe 45 PID 320 wrote to memory of 1756 320 nnhnbn.exe 45 PID 320 wrote to memory of 1756 320 nnhnbn.exe 45 PID 320 wrote to memory of 1756 320 nnhnbn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe"C:\Users\Admin\AppData\Local\Temp\bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\btnthn.exec:\btnthn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\1pppd.exec:\1pppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\xrrfffx.exec:\xrrfffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\ttnbht.exec:\ttnbht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\vpdjp.exec:\vpdjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\1djjp.exec:\1djjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\xrlxffr.exec:\xrlxffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\rrlxllx.exec:\rrlxllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\nbhhnn.exec:\nbhhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\5vppv.exec:\5vppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\7nthth.exec:\7nthth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\7lffrfx.exec:\7lffrfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\xllxrlr.exec:\xllxrlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\3pdvj.exec:\3pdvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\nnhnbn.exec:\nnhnbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\xfxrxfx.exec:\xfxrxfx.exe17⤵
- Executes dropped EXE
PID:1756 -
\??\c:\hthtnt.exec:\hthtnt.exe18⤵
- Executes dropped EXE
PID:2124 -
\??\c:\3lffllf.exec:\3lffllf.exe19⤵
- Executes dropped EXE
PID:2384 -
\??\c:\tthbhn.exec:\tthbhn.exe20⤵
- Executes dropped EXE
PID:2312 -
\??\c:\1pdjp.exec:\1pdjp.exe21⤵
- Executes dropped EXE
PID:2276 -
\??\c:\lllxlrl.exec:\lllxlrl.exe22⤵
- Executes dropped EXE
PID:2408 -
\??\c:\ddvjv.exec:\ddvjv.exe23⤵
- Executes dropped EXE
PID:1368 -
\??\c:\ffxxfll.exec:\ffxxfll.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
\??\c:\tnbhbb.exec:\tnbhbb.exe25⤵
- Executes dropped EXE
PID:960 -
\??\c:\dvjpv.exec:\dvjpv.exe26⤵
- Executes dropped EXE
PID:1340 -
\??\c:\nnntht.exec:\nnntht.exe27⤵
- Executes dropped EXE
PID:1584 -
\??\c:\3jdjd.exec:\3jdjd.exe28⤵
- Executes dropped EXE
PID:612 -
\??\c:\ffrfxfr.exec:\ffrfxfr.exe29⤵
- Executes dropped EXE
PID:2464 -
\??\c:\5bhhtb.exec:\5bhhtb.exe30⤵
- Executes dropped EXE
PID:1560 -
\??\c:\5lfrflf.exec:\5lfrflf.exe31⤵
- Executes dropped EXE
PID:1316 -
\??\c:\hbhbhb.exec:\hbhbhb.exe32⤵
- Executes dropped EXE
PID:1152 -
\??\c:\xlfrlfr.exec:\xlfrlfr.exe33⤵
- Executes dropped EXE
PID:1988 -
\??\c:\lfxrfrx.exec:\lfxrfrx.exe34⤵
- Executes dropped EXE
PID:3056 -
\??\c:\ppjpd.exec:\ppjpd.exe35⤵
- Executes dropped EXE
PID:2396 -
\??\c:\lfxxllf.exec:\lfxxllf.exe36⤵
- Executes dropped EXE
PID:1576 -
\??\c:\lxrxxxl.exec:\lxrxxxl.exe37⤵
- Executes dropped EXE
PID:2700 -
\??\c:\tthtnn.exec:\tthtnn.exe38⤵
- Executes dropped EXE
PID:2816 -
\??\c:\jddpj.exec:\jddpj.exe39⤵
- Executes dropped EXE
PID:2712 -
\??\c:\rlxflrx.exec:\rlxflrx.exe40⤵
- Executes dropped EXE
PID:2748 -
\??\c:\bthnbb.exec:\bthnbb.exe41⤵
- Executes dropped EXE
PID:2808 -
\??\c:\hnbtnh.exec:\hnbtnh.exe42⤵
- Executes dropped EXE
PID:2720 -
\??\c:\vvpdp.exec:\vvpdp.exe43⤵
- Executes dropped EXE
PID:2568 -
\??\c:\lfrxxlf.exec:\lfrxxlf.exe44⤵
- Executes dropped EXE
PID:2564 -
\??\c:\nhbtbh.exec:\nhbtbh.exe45⤵
- Executes dropped EXE
PID:2988 -
\??\c:\vpdvp.exec:\vpdvp.exe46⤵
- Executes dropped EXE
PID:1028 -
\??\c:\xlxrrlr.exec:\xlxrrlr.exe47⤵
- Executes dropped EXE
PID:2620 -
\??\c:\5lfrflr.exec:\5lfrflr.exe48⤵
- Executes dropped EXE
PID:2872 -
\??\c:\bttntb.exec:\bttntb.exe49⤵
- Executes dropped EXE
PID:884 -
\??\c:\pjdjp.exec:\pjdjp.exe50⤵
- Executes dropped EXE
PID:2852 -
\??\c:\frffllf.exec:\frffllf.exe51⤵
- Executes dropped EXE
PID:2000 -
\??\c:\frrxfrf.exec:\frrxfrf.exe52⤵
- Executes dropped EXE
PID:1484 -
\??\c:\tnhtbh.exec:\tnhtbh.exe53⤵
- Executes dropped EXE
PID:932 -
\??\c:\pjdjp.exec:\pjdjp.exe54⤵
- Executes dropped EXE
PID:776 -
\??\c:\llflffl.exec:\llflffl.exe55⤵
- Executes dropped EXE
PID:1904 -
\??\c:\9bbhhn.exec:\9bbhhn.exe56⤵
- Executes dropped EXE
PID:1132 -
\??\c:\hnhnbh.exec:\hnhnbh.exe57⤵
- Executes dropped EXE
PID:2420 -
\??\c:\5jjpp.exec:\5jjpp.exe58⤵
- Executes dropped EXE
PID:2244 -
\??\c:\rfrxxrx.exec:\rfrxxrx.exe59⤵
- Executes dropped EXE
PID:2384 -
\??\c:\7lfflrx.exec:\7lfflrx.exe60⤵
- Executes dropped EXE
PID:912 -
\??\c:\bbtbnn.exec:\bbtbnn.exe61⤵
- Executes dropped EXE
PID:1236 -
\??\c:\jdjjv.exec:\jdjjv.exe62⤵
- Executes dropped EXE
PID:1776 -
\??\c:\rrlrfxl.exec:\rrlrfxl.exe63⤵
- Executes dropped EXE
PID:1616 -
\??\c:\7tnbbh.exec:\7tnbbh.exe64⤵
- Executes dropped EXE
PID:1368 -
\??\c:\nththh.exec:\nththh.exe65⤵
- Executes dropped EXE
PID:1244 -
\??\c:\7vjpv.exec:\7vjpv.exe66⤵PID:2940
-
\??\c:\llfrflx.exec:\llfrflx.exe67⤵PID:2104
-
\??\c:\7lrxxfl.exec:\7lrxxfl.exe68⤵PID:1732
-
\??\c:\hhnbbb.exec:\hhnbbb.exe69⤵PID:2084
-
\??\c:\vvpdp.exec:\vvpdp.exe70⤵PID:1660
-
\??\c:\lflrxff.exec:\lflrxff.exe71⤵PID:2320
-
\??\c:\lffllrf.exec:\lffllrf.exe72⤵PID:1804
-
\??\c:\btnbnb.exec:\btnbnb.exe73⤵PID:2132
-
\??\c:\dvjvj.exec:\dvjvj.exe74⤵PID:1316
-
\??\c:\5rfrffl.exec:\5rfrffl.exe75⤵PID:2944
-
\??\c:\rlflrfr.exec:\rlflrfr.exe76⤵PID:2028
-
\??\c:\9btnnh.exec:\9btnnh.exe77⤵PID:1276
-
\??\c:\dddjv.exec:\dddjv.exe78⤵PID:2232
-
\??\c:\fxlfrxr.exec:\fxlfrxr.exe79⤵PID:2912
-
\??\c:\hbnbnb.exec:\hbnbnb.exe80⤵PID:2740
-
\??\c:\bhthbn.exec:\bhthbn.exe81⤵PID:2752
-
\??\c:\pjjpv.exec:\pjjpv.exe82⤵PID:2584
-
\??\c:\ffrrxrl.exec:\ffrrxrl.exe83⤵PID:2712
-
\??\c:\frllrrf.exec:\frllrrf.exe84⤵PID:2744
-
\??\c:\btntbn.exec:\btntbn.exe85⤵PID:2808
-
\??\c:\jjvjj.exec:\jjvjj.exe86⤵PID:2664
-
\??\c:\7ffrxxx.exec:\7ffrxxx.exe87⤵PID:3024
-
\??\c:\1tnbnt.exec:\1tnbnt.exe88⤵PID:2992
-
\??\c:\bbnhnh.exec:\bbnhnh.exe89⤵PID:2348
-
\??\c:\ddjpd.exec:\ddjpd.exe90⤵PID:1968
-
\??\c:\fxrfflx.exec:\fxrfflx.exe91⤵PID:2652
-
\??\c:\nbhbnh.exec:\nbhbnh.exe92⤵PID:1320
-
\??\c:\ppdpv.exec:\ppdpv.exe93⤵PID:2788
-
\??\c:\jjdjv.exec:\jjdjv.exe94⤵PID:764
-
\??\c:\rfxflrf.exec:\rfxflrf.exe95⤵PID:760
-
\??\c:\xrxfrxf.exec:\xrxfrxf.exe96⤵PID:1156
-
\??\c:\nnhthn.exec:\nnhthn.exe97⤵PID:1484
-
\??\c:\jjdpv.exec:\jjdpv.exe98⤵PID:932
-
\??\c:\xlffxfr.exec:\xlffxfr.exe99⤵PID:580
-
\??\c:\rlxflrl.exec:\rlxflrl.exe100⤵PID:3044
-
\??\c:\nnntnb.exec:\nnntnb.exe101⤵PID:2404
-
\??\c:\vvpvd.exec:\vvpvd.exe102⤵PID:2932
-
\??\c:\5ppdd.exec:\5ppdd.exe103⤵
- System Location Discovery: System Language Discovery
PID:2528 -
\??\c:\3lxxrrx.exec:\3lxxrrx.exe104⤵PID:2928
-
\??\c:\ttnbtt.exec:\ttnbtt.exe105⤵PID:2352
-
\??\c:\5nnbnh.exec:\5nnbnh.exe106⤵PID:1080
-
\??\c:\lfxfrrl.exec:\lfxfrrl.exe107⤵PID:2408
-
\??\c:\xxxxxfx.exec:\xxxxxfx.exe108⤵PID:900
-
\??\c:\hbnthh.exec:\hbnthh.exe109⤵PID:2500
-
\??\c:\bbnthn.exec:\bbnthn.exe110⤵PID:1512
-
\??\c:\5dvjv.exec:\5dvjv.exe111⤵PID:1312
-
\??\c:\1rllfff.exec:\1rllfff.exe112⤵PID:2104
-
\??\c:\tnntht.exec:\tnntht.exe113⤵PID:2968
-
\??\c:\7nbhtb.exec:\7nbhtb.exe114⤵PID:984
-
\??\c:\9vjjp.exec:\9vjjp.exe115⤵PID:3016
-
\??\c:\9rrxfrl.exec:\9rrxfrl.exe116⤵PID:2508
-
\??\c:\1hbbnt.exec:\1hbbnt.exe117⤵PID:1804
-
\??\c:\pdvjp.exec:\pdvjp.exe118⤵PID:2632
-
\??\c:\fxxfrfx.exec:\fxxfrfx.exe119⤵PID:892
-
\??\c:\7hbnhn.exec:\7hbnhn.exe120⤵PID:2036
-
\??\c:\jjdpd.exec:\jjdpd.exe121⤵PID:3036
-
\??\c:\1rlrrxf.exec:\1rlrrxf.exe122⤵PID:3056
-