Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe
-
Size
456KB
-
MD5
e91f5d4d855864c328e99d8e25a85c01
-
SHA1
f8f47a89ac1f3f845aa816e944ddb2220f59b124
-
SHA256
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1
-
SHA512
addb76e00ae6566614d920419fd703d8632508db6ec5740d3309def0a7d9ed94cdb71c8b95bed2832c74945c18aa641ddec4eb3c5380a62c45af91523ae9b550
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRo:q7Tc2NYHUrAwfMp3CDRo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2092-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-212-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2080-230-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2080-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-320-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3004-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2668-355-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2572-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-191-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-475-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/980-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-663-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2476-670-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2620-677-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/668-727-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2356-734-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon behavioral1/memory/808-759-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1596-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-765-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1964-774-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2812-839-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-917-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-936-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/644-943-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2908 xxrlflx.exe 536 jvjpd.exe 1756 fxrxlrf.exe 2936 pvpdp.exe 2684 llxlrxr.exe 2804 9tbhhh.exe 2668 5dvdj.exe 2764 3fxxlrf.exe 2556 tnbhnt.exe 2944 lllrxxr.exe 2312 thbbht.exe 776 jjvpp.exe 2472 9rlrlxl.exe 2272 jjvvj.exe 2284 ffxxlrx.exe 1744 7thnbh.exe 1696 pvvvv.exe 2028 9hbhbh.exe 2832 ttnthn.exe 1616 ppdjj.exe 1944 pppdp.exe 408 jpjpj.exe 2080 pjvvj.exe 980 frfxffl.exe 2220 hbbhbh.exe 2984 5dppd.exe 2856 hntbht.exe 856 djpdp.exe 2292 frlllxl.exe 2092 tbtbbn.exe 2956 dvddj.exe 2964 9fxrxxf.exe 2168 9bbtbh.exe 1756 htnntt.exe 3004 7pdvd.exe 3032 3rrxlrr.exe 2772 bnthbb.exe 2580 5bntth.exe 2668 jpjpv.exe 2788 vpdjd.exe 2820 frflrxr.exe 2572 rxfffxf.exe 2440 nnbnth.exe 1648 ppvjp.exe 1636 djdjj.exe 776 lflfrxr.exe 1680 7xrlxlf.exe 2336 3ttbnn.exe 316 3vjpd.exe 2284 xxxlxlf.exe 1744 ttntnt.exe 1196 rlrrrff.exe 1612 5bbbtb.exe 2644 1jvjp.exe 1740 frrfrrr.exe 1004 1vpjj.exe 1848 xfrfxfl.exe 1944 fxlrflr.exe 1844 thnnth.exe 708 5fxxflf.exe 1556 bbbtbt.exe 980 btntbn.exe 1960 vvvvd.exe 2384 rllxxlx.exe -
resource yara_rule behavioral1/memory/2908-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2668-355-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2440-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-663-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2028-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-759-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1596-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-765-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1516-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-839-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1148-904-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/644-943-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-975-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtthn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2908 2092 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 30 PID 2092 wrote to memory of 2908 2092 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 30 PID 2092 wrote to memory of 2908 2092 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 30 PID 2092 wrote to memory of 2908 2092 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 30 PID 2908 wrote to memory of 536 2908 xxrlflx.exe 31 PID 2908 wrote to memory of 536 2908 xxrlflx.exe 31 PID 2908 wrote to memory of 536 2908 xxrlflx.exe 31 PID 2908 wrote to memory of 536 2908 xxrlflx.exe 31 PID 536 wrote to memory of 1756 536 jvjpd.exe 64 PID 536 wrote to memory of 1756 536 jvjpd.exe 64 PID 536 wrote to memory of 1756 536 jvjpd.exe 64 PID 536 wrote to memory of 1756 536 jvjpd.exe 64 PID 1756 wrote to memory of 2936 1756 fxrxlrf.exe 33 PID 1756 wrote to memory of 2936 1756 fxrxlrf.exe 33 PID 1756 wrote to memory of 2936 1756 fxrxlrf.exe 33 PID 1756 wrote to memory of 2936 1756 fxrxlrf.exe 33 PID 2936 wrote to memory of 2684 2936 pvpdp.exe 34 PID 2936 wrote to memory of 2684 2936 pvpdp.exe 34 PID 2936 wrote to memory of 2684 2936 pvpdp.exe 34 PID 2936 wrote to memory of 2684 2936 pvpdp.exe 34 PID 2684 wrote to memory of 2804 2684 llxlrxr.exe 35 PID 2684 wrote to memory of 2804 2684 llxlrxr.exe 35 PID 2684 wrote to memory of 2804 2684 llxlrxr.exe 35 PID 2684 wrote to memory of 2804 2684 llxlrxr.exe 35 PID 2804 wrote to memory of 2668 2804 9tbhhh.exe 69 PID 2804 wrote to memory of 2668 2804 9tbhhh.exe 69 PID 2804 wrote to memory of 2668 2804 9tbhhh.exe 69 PID 2804 wrote to memory of 2668 2804 9tbhhh.exe 69 PID 2668 wrote to memory of 2764 2668 5dvdj.exe 37 PID 2668 wrote to memory of 2764 2668 5dvdj.exe 37 PID 2668 wrote to memory of 2764 2668 5dvdj.exe 37 PID 2668 wrote to memory of 2764 2668 5dvdj.exe 37 PID 2764 wrote to memory of 2556 2764 3fxxlrf.exe 39 PID 2764 wrote to memory 
of 2556 2764 3fxxlrf.exe 39 PID 2764 wrote to memory of 2556 2764 3fxxlrf.exe 39 PID 2764 wrote to memory of 2556 2764 3fxxlrf.exe 39 PID 2556 wrote to memory of 2944 2556 tnbhnt.exe 40 PID 2556 wrote to memory of 2944 2556 tnbhnt.exe 40 PID 2556 wrote to memory of 2944 2556 tnbhnt.exe 40 PID 2556 wrote to memory of 2944 2556 tnbhnt.exe 40 PID 2944 wrote to memory of 2312 2944 lllrxxr.exe 41 PID 2944 wrote to memory of 2312 2944 lllrxxr.exe 41 PID 2944 wrote to memory of 2312 2944 lllrxxr.exe 41 PID 2944 wrote to memory of 2312 2944 lllrxxr.exe 41 PID 2312 wrote to memory of 776 2312 thbbht.exe 76 PID 2312 wrote to memory of 776 2312 thbbht.exe 76 PID 2312 wrote to memory of 776 2312 thbbht.exe 76 PID 2312 wrote to memory of 776 2312 thbbht.exe 76 PID 776 wrote to memory of 2472 776 jjvpp.exe 43 PID 776 wrote to memory of 2472 776 jjvpp.exe 43 PID 776 wrote to memory of 2472 776 jjvpp.exe 43 PID 776 wrote to memory of 2472 776 jjvpp.exe 43 PID 2472 wrote to memory of 2272 2472 9rlrlxl.exe 44 PID 2472 wrote to memory of 2272 2472 9rlrlxl.exe 44 PID 2472 wrote to memory of 2272 2472 9rlrlxl.exe 44 PID 2472 wrote to memory of 2272 2472 9rlrlxl.exe 44 PID 2272 wrote to memory of 2284 2272 jjvvj.exe 80 PID 2272 wrote to memory of 2284 2272 jjvvj.exe 80 PID 2272 wrote to memory of 2284 2272 jjvvj.exe 80 PID 2272 wrote to memory of 2284 2272 jjvvj.exe 80 PID 2284 wrote to memory of 1744 2284 ffxxlrx.exe 81 PID 2284 wrote to memory of 1744 2284 ffxxlrx.exe 81 PID 2284 wrote to memory of 1744 2284 ffxxlrx.exe 81 PID 2284 wrote to memory of 1744 2284 ffxxlrx.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe"C:\Users\Admin\AppData\Local\Temp\baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\xxrlflx.exec:\xxrlflx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\jvjpd.exec:\jvjpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\fxrxlrf.exec:\fxrxlrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\pvpdp.exec:\pvpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\llxlrxr.exec:\llxlrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\9tbhhh.exec:\9tbhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\5dvdj.exec:\5dvdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\3fxxlrf.exec:\3fxxlrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\tnbhnt.exec:\tnbhnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\lllrxxr.exec:\lllrxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\thbbht.exec:\thbbht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\jjvpp.exec:\jjvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\9rlrlxl.exec:\9rlrlxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\jjvvj.exec:\jjvvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\ffxxlrx.exec:\ffxxlrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\7thnbh.exec:\7thnbh.exe17⤵
- Executes dropped EXE
PID:1744 -
\??\c:\pvvvv.exec:\pvvvv.exe18⤵
- Executes dropped EXE
PID:1696 -
\??\c:\9hbhbh.exec:\9hbhbh.exe19⤵
- Executes dropped EXE
PID:2028 -
\??\c:\ttnthn.exec:\ttnthn.exe20⤵
- Executes dropped EXE
PID:2832 -
\??\c:\ppdjj.exec:\ppdjj.exe21⤵
- Executes dropped EXE
PID:1616 -
\??\c:\pppdp.exec:\pppdp.exe22⤵
- Executes dropped EXE
PID:1944 -
\??\c:\jpjpj.exec:\jpjpj.exe23⤵
- Executes dropped EXE
PID:408 -
\??\c:\pjvvj.exec:\pjvvj.exe24⤵
- Executes dropped EXE
PID:2080 -
\??\c:\frfxffl.exec:\frfxffl.exe25⤵
- Executes dropped EXE
PID:980 -
\??\c:\hbbhbh.exec:\hbbhbh.exe26⤵
- Executes dropped EXE
PID:2220 -
\??\c:\5dppd.exec:\5dppd.exe27⤵
- Executes dropped EXE
PID:2984 -
\??\c:\hntbht.exec:\hntbht.exe28⤵
- Executes dropped EXE
PID:2856 -
\??\c:\djpdp.exec:\djpdp.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:856 -
\??\c:\frlllxl.exec:\frlllxl.exe30⤵
- Executes dropped EXE
PID:2292 -
\??\c:\tbtbbn.exec:\tbtbbn.exe31⤵
- Executes dropped EXE
PID:2092 -
\??\c:\dvddj.exec:\dvddj.exe32⤵
- Executes dropped EXE
PID:2956 -
\??\c:\9fxrxxf.exec:\9fxrxxf.exe33⤵
- Executes dropped EXE
PID:2964 -
\??\c:\9bbtbh.exec:\9bbtbh.exe34⤵
- Executes dropped EXE
PID:2168 -
\??\c:\htnntt.exec:\htnntt.exe35⤵
- Executes dropped EXE
PID:1756 -
\??\c:\7pdvd.exec:\7pdvd.exe36⤵
- Executes dropped EXE
PID:3004 -
\??\c:\3rrxlrr.exec:\3rrxlrr.exe37⤵
- Executes dropped EXE
PID:3032 -
\??\c:\bnthbb.exec:\bnthbb.exe38⤵
- Executes dropped EXE
PID:2772 -
\??\c:\5bntth.exec:\5bntth.exe39⤵
- Executes dropped EXE
PID:2580 -
\??\c:\jpjpv.exec:\jpjpv.exe40⤵
- Executes dropped EXE
PID:2668 -
\??\c:\vpdjd.exec:\vpdjd.exe41⤵
- Executes dropped EXE
PID:2788 -
\??\c:\frflrxr.exec:\frflrxr.exe42⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rxfffxf.exec:\rxfffxf.exe43⤵
- Executes dropped EXE
PID:2572 -
\??\c:\nnbnth.exec:\nnbnth.exe44⤵
- Executes dropped EXE
PID:2440 -
\??\c:\ppvjp.exec:\ppvjp.exe45⤵
- Executes dropped EXE
PID:1648 -
\??\c:\djdjj.exec:\djdjj.exe46⤵
- Executes dropped EXE
PID:1636 -
\??\c:\lflfrxr.exec:\lflfrxr.exe47⤵
- Executes dropped EXE
PID:776 -
\??\c:\7xrlxlf.exec:\7xrlxlf.exe48⤵
- Executes dropped EXE
PID:1680 -
\??\c:\3ttbnn.exec:\3ttbnn.exe49⤵
- Executes dropped EXE
PID:2336 -
\??\c:\3vjpd.exec:\3vjpd.exe50⤵
- Executes dropped EXE
PID:316 -
\??\c:\xxxlxlf.exec:\xxxlxlf.exe51⤵
- Executes dropped EXE
PID:2284 -
\??\c:\ttntnt.exec:\ttntnt.exe52⤵
- Executes dropped EXE
PID:1744 -
\??\c:\rlrrrff.exec:\rlrrrff.exe53⤵
- Executes dropped EXE
PID:1196 -
\??\c:\5bbbtb.exec:\5bbbtb.exe54⤵
- Executes dropped EXE
PID:1612 -
\??\c:\1jvjp.exec:\1jvjp.exe55⤵
- Executes dropped EXE
PID:2644 -
\??\c:\frrfrrr.exec:\frrfrrr.exe56⤵
- Executes dropped EXE
PID:1740 -
\??\c:\1vpjj.exec:\1vpjj.exe57⤵
- Executes dropped EXE
PID:1004 -
\??\c:\xfrfxfl.exec:\xfrfxfl.exe58⤵
- Executes dropped EXE
PID:1848 -
\??\c:\fxlrflr.exec:\fxlrflr.exe59⤵
- Executes dropped EXE
PID:1944 -
\??\c:\thnnth.exec:\thnnth.exe60⤵
- Executes dropped EXE
PID:1844 -
\??\c:\5fxxflf.exec:\5fxxflf.exe61⤵
- Executes dropped EXE
PID:708 -
\??\c:\bbbtbt.exec:\bbbtbt.exe62⤵
- Executes dropped EXE
PID:1556 -
\??\c:\btntbn.exec:\btntbn.exe63⤵
- Executes dropped EXE
PID:980 -
\??\c:\vvvvd.exec:\vvvvd.exe64⤵
- Executes dropped EXE
PID:1960 -
\??\c:\rllxxlx.exec:\rllxxlx.exe65⤵
- Executes dropped EXE
PID:2384 -
\??\c:\xrxlxxl.exec:\xrxlxxl.exe66⤵PID:2372
-
\??\c:\9thntb.exec:\9thntb.exe67⤵PID:2868
-
\??\c:\1pjpv.exec:\1pjpv.exe68⤵PID:912
-
\??\c:\vpjpd.exec:\vpjpd.exe69⤵PID:2416
-
\??\c:\rlxfllx.exec:\rlxfllx.exe70⤵PID:2388
-
\??\c:\nhbhbb.exec:\nhbhbb.exe71⤵PID:2924
-
\??\c:\7nbhbh.exec:\7nbhbh.exe72⤵PID:2972
-
\??\c:\vjddj.exec:\vjddj.exe73⤵PID:592
-
\??\c:\frffrrx.exec:\frffrrx.exe74⤵PID:2044
-
\??\c:\5tnttb.exec:\5tnttb.exe75⤵PID:272
-
\??\c:\1ttbnn.exec:\1ttbnn.exe76⤵PID:2188
-
\??\c:\jdvdd.exec:\jdvdd.exe77⤵PID:680
-
\??\c:\rlflxxx.exec:\rlflxxx.exe78⤵PID:2676
-
\??\c:\rxrrxfl.exec:\rxrrxfl.exe79⤵PID:3068
-
\??\c:\9hhbnb.exec:\9hhbnb.exe80⤵PID:2696
-
\??\c:\hhbhtn.exec:\hhbhtn.exe81⤵PID:2552
-
\??\c:\9jddp.exec:\9jddp.exe82⤵PID:2680
-
\??\c:\flfxfrf.exec:\flfxfrf.exe83⤵PID:2788
-
\??\c:\3lrrffl.exec:\3lrrffl.exe84⤵PID:2656
-
\??\c:\hhbnth.exec:\hhbnth.exe85⤵PID:2944
-
\??\c:\dppdp.exec:\dppdp.exe86⤵PID:1416
-
\??\c:\jpjpv.exec:\jpjpv.exe87⤵PID:3012
-
\??\c:\7xlxlrx.exec:\7xlxlrx.exe88⤵PID:268
-
\??\c:\btnnth.exec:\btnnth.exe89⤵PID:2476
-
\??\c:\hnhnbh.exec:\hnhnbh.exe90⤵PID:2620
-
\??\c:\vjppv.exec:\vjppv.exe91⤵PID:1456
-
\??\c:\9xlrrxf.exec:\9xlrrxf.exe92⤵PID:2272
-
\??\c:\xxxfrxl.exec:\xxxfrxl.exe93⤵PID:1720
-
\??\c:\1nhnth.exec:\1nhnth.exe94⤵PID:1752
-
\??\c:\1vjpp.exec:\1vjpp.exe95⤵PID:668
-
\??\c:\dvjpv.exec:\dvjpv.exe96⤵PID:1888
-
\??\c:\lxfrxll.exec:\lxfrxll.exe97⤵PID:2028
-
\??\c:\ntnnth.exec:\ntnnth.exe98⤵PID:1576
-
\??\c:\jddvj.exec:\jddvj.exe99⤵PID:2356
-
\??\c:\ffxlxfr.exec:\ffxlxfr.exe100⤵PID:1728
-
\??\c:\rlfrllf.exec:\rlfrllf.exe101⤵PID:1112
-
\??\c:\tbtbtt.exec:\tbtbtt.exe102⤵PID:1412
-
\??\c:\vvpvd.exec:\vvpvd.exe103⤵PID:808
-
\??\c:\vjddv.exec:\vjddv.exe104⤵PID:1596
-
\??\c:\3xxfffl.exec:\3xxfffl.exe105⤵PID:1964
-
\??\c:\1ttbhh.exec:\1ttbhh.exe106⤵PID:1792
-
\??\c:\vpddj.exec:\vpddj.exe107⤵PID:716
-
\??\c:\9vpvp.exec:\9vpvp.exe108⤵PID:832
-
\??\c:\rlffrxx.exec:\rlffrxx.exe109⤵PID:2516
-
\??\c:\ntnthn.exec:\ntnthn.exe110⤵PID:3060
-
\??\c:\pjddv.exec:\pjddv.exe111⤵PID:1516
-
\??\c:\ddpdv.exec:\ddpdv.exe112⤵PID:1540
-
\??\c:\5rlxflr.exec:\5rlxflr.exe113⤵PID:2420
-
\??\c:\ffxfxfl.exec:\ffxfxfl.exe114⤵PID:2972
-
\??\c:\nhbbtn.exec:\nhbbtn.exe115⤵PID:2812
-
\??\c:\dpvjp.exec:\dpvjp.exe116⤵PID:1652
-
\??\c:\rrflfff.exec:\rrflfff.exe117⤵PID:3000
-
\??\c:\5bntbn.exec:\5bntbn.exe118⤵PID:2188
-
\??\c:\9dpvv.exec:\9dpvv.exe119⤵PID:2744
-
\??\c:\7jdvd.exec:\7jdvd.exe120⤵PID:2720
-
\??\c:\rrrfrrf.exec:\rrrfrrf.exe121⤵PID:2748
-
\??\c:\lrxrflx.exec:\lrxrflx.exe122⤵PID:2696