Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:13
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe
-
Size
455KB
-
MD5
09e9f5056b0023adbef57c0f93015233
-
SHA1
ff5798bba9c6682831138bcf9204522aaf2ed752
-
SHA256
bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3
-
SHA512
0a9b1cb19c811036ae24a98e49b429e79a9ad054994945caa77e6bf4406eceda9e2d0b9d936868314a768c7190396f86989fef8cb6177cd5be82323301c41ce0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/1348-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-28-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2712-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1108-145-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1108-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-165-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1752-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-175-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2124-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1848-222-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2244-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/548-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/748-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-295-0x0000000076AB0000-0x0000000076BAA000-memory.dmp family_blackmoon behavioral1/memory/2372-294-0x0000000076BB0000-0x0000000076CCF000-memory.dmp family_blackmoon behavioral1/memory/2404-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-345-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2720-364-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2632-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/276-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-519-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2928-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-743-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/404-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1484-812-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/856-925-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-938-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-942-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1220-965-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2092-1079-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-1168-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2472-1203-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1036-1252-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1348 rlfxffl.exe 2880 hbhthb.exe 2712 bbbtbh.exe 2868 vjjjj.exe 2036 ffllxxf.exe 2704 nntttb.exe 1988 3flfrff.exe 2644 bntnnn.exe 3004 tnbtbb.exe 1220 jvppp.exe 2912 5hbbtn.exe 1424 jvpvd.exe 1980 frxrrrr.exe 1108 lxlrrrx.exe 1316 dvjpd.exe 1804 xfflrrf.exe 1752 vjpjj.exe 2124 3vddd.exe 2956 tnbttt.exe 2564 1jddj.exe 1616 9rlllll.exe 1848 bntbhb.exe 972 btnhbh.exe 1272 djvpv.exe 2244 tbnhhb.exe 548 vjjpp.exe 860 1xlfffr.exe 748 1hntnt.exe 3064 dvjdd.exe 1504 xlxxfxx.exe 2372 1bbttt.exe 1596 xlxrxrx.exe 2100 htnhnn.exe 2000 3pvpp.exe 2756 fxxrrrx.exe 2300 lflrxrr.exe 2720 bnhnnh.exe 2856 hntttn.exe 2896 5pdjp.exe 2892 3lrrrrr.exe 2676 bnhnhb.exe 2632 xxrfxlx.exe 2772 nbtbtt.exe 636 djvpp.exe 2452 1lrrrlr.exe 1992 hnnhtb.exe 1712 nhbbnh.exe 3020 1dvjp.exe 2884 7lflllx.exe 2348 tbtnnn.exe 276 1vppp.exe 1520 vvvdp.exe 1152 9flrxxx.exe 2224 hbhtnb.exe 1564 ppjpd.exe 940 fxrxxxf.exe 588 lrxxxxx.exe 2956 1thbbt.exe 2952 1bhtnn.exe 2420 3vjdj.exe 2572 fxfxrrx.exe 776 7xxrxxx.exe 492 bnhhbn.exe 2016 nhnntn.exe -
resource yara_rule behavioral1/memory/1348-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-48-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2036-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1108-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/748-273-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3064-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/404-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/856-925-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-972-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-992-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1136-1017-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-1079-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-1165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-1168-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2656-1179-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1644-1308-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3httbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 1348 2376 bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe 30 PID 2376 wrote to memory of 1348 2376 bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe 30 PID 2376 wrote to memory of 1348 2376 bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe 30 PID 2376 wrote to memory of 1348 2376 bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe 30 PID 1348 wrote to memory of 2880 1348 rlfxffl.exe 31 PID 1348 wrote to memory of 2880 1348 rlfxffl.exe 31 PID 1348 wrote to memory of 2880 1348 rlfxffl.exe 31 PID 1348 wrote to memory of 2880 1348 rlfxffl.exe 31 PID 2880 wrote to memory of 2712 2880 hbhthb.exe 32 PID 2880 wrote to memory of 2712 2880 hbhthb.exe 32 PID 2880 wrote to memory of 2712 2880 hbhthb.exe 32 PID 2880 wrote to memory of 2712 2880 hbhthb.exe 32 PID 2712 wrote to memory of 2868 2712 bbbtbh.exe 33 PID 2712 wrote to memory of 2868 2712 bbbtbh.exe 33 PID 2712 wrote to memory of 2868 2712 bbbtbh.exe 33 PID 2712 wrote to memory of 2868 2712 bbbtbh.exe 33 PID 2868 wrote to memory of 2036 2868 vjjjj.exe 34 PID 2868 wrote to memory of 2036 2868 vjjjj.exe 34 PID 2868 wrote to memory of 2036 2868 vjjjj.exe 34 PID 2868 wrote to memory of 2036 2868 vjjjj.exe 34 PID 2036 wrote to memory of 2704 2036 ffllxxf.exe 35 PID 2036 wrote to memory of 2704 2036 ffllxxf.exe 35 PID 2036 wrote to memory of 2704 2036 ffllxxf.exe 35 PID 2036 wrote to memory of 2704 2036 ffllxxf.exe 35 PID 2704 wrote to memory of 1988 2704 nntttb.exe 36 PID 2704 wrote to memory of 1988 2704 nntttb.exe 36 PID 2704 wrote to memory of 1988 2704 nntttb.exe 36 PID 2704 wrote to memory of 1988 2704 nntttb.exe 36 PID 1988 wrote to memory of 2644 1988 3flfrff.exe 37 PID 1988 wrote to memory of 2644 1988 3flfrff.exe 37 PID 1988 wrote to memory of 2644 1988 3flfrff.exe 37 PID 1988 wrote to memory of 2644 1988 3flfrff.exe 37 PID 2644 wrote to memory of 3004 2644 bntnnn.exe 38 PID 
2644 wrote to memory of 3004 2644 bntnnn.exe 38 PID 2644 wrote to memory of 3004 2644 bntnnn.exe 38 PID 2644 wrote to memory of 3004 2644 bntnnn.exe 38 PID 3004 wrote to memory of 1220 3004 tnbtbb.exe 39 PID 3004 wrote to memory of 1220 3004 tnbtbb.exe 39 PID 3004 wrote to memory of 1220 3004 tnbtbb.exe 39 PID 3004 wrote to memory of 1220 3004 tnbtbb.exe 39 PID 1220 wrote to memory of 2912 1220 jvppp.exe 40 PID 1220 wrote to memory of 2912 1220 jvppp.exe 40 PID 1220 wrote to memory of 2912 1220 jvppp.exe 40 PID 1220 wrote to memory of 2912 1220 jvppp.exe 40 PID 2912 wrote to memory of 1424 2912 5hbbtn.exe 41 PID 2912 wrote to memory of 1424 2912 5hbbtn.exe 41 PID 2912 wrote to memory of 1424 2912 5hbbtn.exe 41 PID 2912 wrote to memory of 1424 2912 5hbbtn.exe 41 PID 1424 wrote to memory of 1980 1424 jvpvd.exe 42 PID 1424 wrote to memory of 1980 1424 jvpvd.exe 42 PID 1424 wrote to memory of 1980 1424 jvpvd.exe 42 PID 1424 wrote to memory of 1980 1424 jvpvd.exe 42 PID 1980 wrote to memory of 1108 1980 frxrrrr.exe 43 PID 1980 wrote to memory of 1108 1980 frxrrrr.exe 43 PID 1980 wrote to memory of 1108 1980 frxrrrr.exe 43 PID 1980 wrote to memory of 1108 1980 frxrrrr.exe 43 PID 1108 wrote to memory of 1316 1108 lxlrrrx.exe 44 PID 1108 wrote to memory of 1316 1108 lxlrrrx.exe 44 PID 1108 wrote to memory of 1316 1108 lxlrrrx.exe 44 PID 1108 wrote to memory of 1316 1108 lxlrrrx.exe 44 PID 1316 wrote to memory of 1804 1316 dvjpd.exe 45 PID 1316 wrote to memory of 1804 1316 dvjpd.exe 45 PID 1316 wrote to memory of 1804 1316 dvjpd.exe 45 PID 1316 wrote to memory of 1804 1316 dvjpd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe"C:\Users\Admin\AppData\Local\Temp\bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\rlfxffl.exec:\rlfxffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\hbhthb.exec:\hbhthb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\bbbtbh.exec:\bbbtbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\vjjjj.exec:\vjjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\ffllxxf.exec:\ffllxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\nntttb.exec:\nntttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\3flfrff.exec:\3flfrff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\bntnnn.exec:\bntnnn.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\tnbtbb.exec:\tnbtbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\jvppp.exec:\jvppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\5hbbtn.exec:\5hbbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\jvpvd.exec:\jvpvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\frxrrrr.exec:\frxrrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\lxlrrrx.exec:\lxlrrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\dvjpd.exec:\dvjpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\xfflrrf.exec:\xfflrrf.exe17⤵
- Executes dropped EXE
PID:1804 -
\??\c:\vjpjj.exec:\vjpjj.exe18⤵
- Executes dropped EXE
PID:1752 -
\??\c:\3vddd.exec:\3vddd.exe19⤵
- Executes dropped EXE
PID:2124 -
\??\c:\tnbttt.exec:\tnbttt.exe20⤵
- Executes dropped EXE
PID:2956 -
\??\c:\1jddj.exec:\1jddj.exe21⤵
- Executes dropped EXE
PID:2564 -
\??\c:\9rlllll.exec:\9rlllll.exe22⤵
- Executes dropped EXE
PID:1616 -
\??\c:\bntbhb.exec:\bntbhb.exe23⤵
- Executes dropped EXE
PID:1848 -
\??\c:\btnhbh.exec:\btnhbh.exe24⤵
- Executes dropped EXE
PID:972 -
\??\c:\djvpv.exec:\djvpv.exe25⤵
- Executes dropped EXE
PID:1272 -
\??\c:\tbnhhb.exec:\tbnhhb.exe26⤵
- Executes dropped EXE
PID:2244 -
\??\c:\vjjpp.exec:\vjjpp.exe27⤵
- Executes dropped EXE
PID:548 -
\??\c:\1xlfffr.exec:\1xlfffr.exe28⤵
- Executes dropped EXE
PID:860 -
\??\c:\1hntnt.exec:\1hntnt.exe29⤵
- Executes dropped EXE
PID:748 -
\??\c:\dvjdd.exec:\dvjdd.exe30⤵
- Executes dropped EXE
PID:3064 -
\??\c:\xlxxfxx.exec:\xlxxfxx.exe31⤵
- Executes dropped EXE
PID:1504 -
\??\c:\1bbttt.exec:\1bbttt.exe32⤵
- Executes dropped EXE
PID:2372 -
\??\c:\pvvvd.exec:\pvvvd.exe33⤵PID:2404
-
\??\c:\xlxrxrx.exec:\xlxrxrx.exe34⤵
- Executes dropped EXE
PID:1596 -
\??\c:\htnhnn.exec:\htnhnn.exe35⤵
- Executes dropped EXE
PID:2100 -
\??\c:\3pvpp.exec:\3pvpp.exe36⤵
- Executes dropped EXE
PID:2000 -
\??\c:\fxxrrrx.exec:\fxxrrrx.exe37⤵
- Executes dropped EXE
PID:2756 -
\??\c:\lflrxrr.exec:\lflrxrr.exe38⤵
- Executes dropped EXE
PID:2300 -
\??\c:\bnhnnh.exec:\bnhnnh.exe39⤵
- Executes dropped EXE
PID:2720 -
\??\c:\hntttn.exec:\hntttn.exe40⤵
- Executes dropped EXE
PID:2856 -
\??\c:\5pdjp.exec:\5pdjp.exe41⤵
- Executes dropped EXE
PID:2896 -
\??\c:\3lrrrrr.exec:\3lrrrrr.exe42⤵
- Executes dropped EXE
PID:2892 -
\??\c:\bnhnhb.exec:\bnhnhb.exe43⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xxrfxlx.exec:\xxrfxlx.exe44⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nbtbtt.exec:\nbtbtt.exe45⤵
- Executes dropped EXE
PID:2772 -
\??\c:\djvpp.exec:\djvpp.exe46⤵
- Executes dropped EXE
PID:636 -
\??\c:\1lrrrlr.exec:\1lrrrlr.exe47⤵
- Executes dropped EXE
PID:2452 -
\??\c:\hnnhtb.exec:\hnnhtb.exe48⤵
- Executes dropped EXE
PID:1992 -
\??\c:\nhbbnh.exec:\nhbbnh.exe49⤵
- Executes dropped EXE
PID:1712 -
\??\c:\1dvjp.exec:\1dvjp.exe50⤵
- Executes dropped EXE
PID:3020 -
\??\c:\7lflllx.exec:\7lflllx.exe51⤵
- Executes dropped EXE
PID:2884 -
\??\c:\tbtnnn.exec:\tbtnnn.exe52⤵
- Executes dropped EXE
PID:2348 -
\??\c:\1vppp.exec:\1vppp.exe53⤵
- Executes dropped EXE
PID:276 -
\??\c:\vvvdp.exec:\vvvdp.exe54⤵
- Executes dropped EXE
PID:1520 -
\??\c:\9flrxxx.exec:\9flrxxx.exe55⤵
- Executes dropped EXE
PID:1152 -
\??\c:\hbhtnb.exec:\hbhtnb.exe56⤵
- Executes dropped EXE
PID:2224 -
\??\c:\ppjpd.exec:\ppjpd.exe57⤵
- Executes dropped EXE
PID:1564 -
\??\c:\fxrxxxf.exec:\fxrxxxf.exe58⤵
- Executes dropped EXE
PID:940 -
\??\c:\lrxxxxx.exec:\lrxxxxx.exe59⤵
- Executes dropped EXE
PID:588 -
\??\c:\1thbbt.exec:\1thbbt.exe60⤵
- Executes dropped EXE
PID:2956 -
\??\c:\1bhtnn.exec:\1bhtnn.exe61⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3vjdj.exec:\3vjdj.exe62⤵
- Executes dropped EXE
PID:2420 -
\??\c:\fxfxrrx.exec:\fxfxrrx.exe63⤵
- Executes dropped EXE
PID:2572 -
\??\c:\7xxrxxx.exec:\7xxrxxx.exe64⤵
- Executes dropped EXE
PID:776 -
\??\c:\bnhhbn.exec:\bnhhbn.exe65⤵
- Executes dropped EXE
PID:492 -
\??\c:\nhnntn.exec:\nhnntn.exe66⤵
- Executes dropped EXE
PID:2016 -
\??\c:\3pdvp.exec:\3pdvp.exe67⤵PID:2056
-
\??\c:\rlxrxrr.exec:\rlxrxrr.exe68⤵PID:2244
-
\??\c:\lxrllfl.exec:\lxrllfl.exe69⤵PID:1484
-
\??\c:\btntbt.exec:\btntbt.exe70⤵PID:1436
-
\??\c:\7jvdd.exec:\7jvdd.exe71⤵PID:2468
-
\??\c:\1jvvv.exec:\1jvvv.exe72⤵PID:748
-
\??\c:\lfxrrrx.exec:\lfxrrrx.exe73⤵PID:2364
-
\??\c:\tnbntt.exec:\tnbntt.exe74⤵PID:1792
-
\??\c:\nnbbnn.exec:\nnbbnn.exe75⤵PID:2916
-
\??\c:\dpjvp.exec:\dpjvp.exe76⤵PID:1560
-
\??\c:\9dpdd.exec:\9dpdd.exe77⤵PID:1708
-
\??\c:\rrlflrl.exec:\rrlflrl.exe78⤵PID:2268
-
\??\c:\hhnnnt.exec:\hhnnnt.exe79⤵PID:2748
-
\??\c:\5dppd.exec:\5dppd.exe80⤵PID:2808
-
\??\c:\pdpvv.exec:\pdpvv.exe81⤵PID:2928
-
\??\c:\frflxxf.exec:\frflxxf.exe82⤵PID:2932
-
\??\c:\tbntth.exec:\tbntth.exe83⤵PID:2696
-
\??\c:\hhnntb.exec:\hhnntb.exe84⤵PID:2776
-
\??\c:\pjddp.exec:\pjddp.exe85⤵PID:2824
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe86⤵PID:2740
-
\??\c:\nhtbhn.exec:\nhtbhn.exe87⤵PID:2496
-
\??\c:\5ntnhh.exec:\5ntnhh.exe88⤵PID:2644
-
\??\c:\vjpjj.exec:\vjpjj.exe89⤵PID:1772
-
\??\c:\jvddj.exec:\jvddj.exe90⤵PID:636
-
\??\c:\rlrrxrl.exec:\rlrrxrl.exe91⤵PID:892
-
\??\c:\9hbhbt.exec:\9hbhbt.exe92⤵PID:1992
-
\??\c:\vpddj.exec:\vpddj.exe93⤵PID:1372
-
\??\c:\ddjvp.exec:\ddjvp.exe94⤵PID:3020
-
\??\c:\flrrrlf.exec:\flrrrlf.exe95⤵PID:1648
-
\??\c:\3nnhnh.exec:\3nnhnh.exe96⤵PID:1476
-
\??\c:\1nthbt.exec:\1nthbt.exe97⤵PID:276
-
\??\c:\7jvvv.exec:\7jvvv.exe98⤵PID:1604
-
\??\c:\fxfxrll.exec:\fxfxrll.exe99⤵PID:2116
-
\??\c:\nbnthh.exec:\nbnthh.exe100⤵PID:2224
-
\??\c:\hbnhbh.exec:\hbnhbh.exe101⤵PID:1512
-
\??\c:\pvddj.exec:\pvddj.exe102⤵
- System Location Discovery: System Language Discovery
PID:2208 -
\??\c:\1lxrlff.exec:\1lxrlff.exe103⤵PID:588
-
\??\c:\3lrrrrr.exec:\3lrrrrr.exe104⤵PID:404
-
\??\c:\7tbbhh.exec:\7tbbhh.exe105⤵PID:2952
-
\??\c:\pdpjj.exec:\pdpjj.exe106⤵PID:696
-
\??\c:\pdjdd.exec:\pdjdd.exe107⤵PID:2572
-
\??\c:\3rlffff.exec:\3rlffff.exe108⤵PID:316
-
\??\c:\7nbnhh.exec:\7nbnhh.exe109⤵PID:492
-
\??\c:\hthbbt.exec:\hthbbt.exe110⤵PID:1760
-
\??\c:\5vjdd.exec:\5vjdd.exe111⤵PID:2568
-
\??\c:\frfrrlr.exec:\frfrrlr.exe112⤵PID:2260
-
\??\c:\xllrxxf.exec:\xllrxxf.exe113⤵PID:1484
-
\??\c:\htnnbt.exec:\htnnbt.exe114⤵
- System Location Discovery: System Language Discovery
PID:1436 -
\??\c:\jvdvd.exec:\jvdvd.exe115⤵PID:1040
-
\??\c:\9pjjj.exec:\9pjjj.exe116⤵PID:2008
-
\??\c:\3lrllll.exec:\3lrllll.exe117⤵PID:900
-
\??\c:\httttn.exec:\httttn.exe118⤵PID:1592
-
\??\c:\htbnnh.exec:\htbnnh.exe119⤵PID:3012
-
\??\c:\jpjdd.exec:\jpjdd.exe120⤵PID:1596
-
\??\c:\5frrrlr.exec:\5frrrlr.exe121⤵PID:2160
-
\??\c:\xlflrrx.exec:\xlflrrx.exe122⤵PID:2476