Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
08/01/2025, 07:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe
-
Size
456KB
-
MD5
1275ac8c581a0c7b5144340f4c05df69
-
SHA1
da9f1de28ae1eebc93d597b16973d99ba395ca9a
-
SHA256
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c
-
SHA512
8a249fae4020eff9514b4bca0a42edb24a18cc2c0e1a81078c40daf7580bd254f1139f75eb51fc4465c359e730d54a768f85b09194a3c2933dc15fa8711d34d8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR6:q7Tc2NYHUrAwfMp3CDR6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs (every hit below is a 0x2A000-byte region: either the image mapped at 0x400000–0x42A000 or a second region of the same size outside the image base, e.g. 0x220000–0x24A000, recurring across the processes of the drop chain)
resource yara_rule behavioral1/memory/1364-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1884-53-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-75-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2328-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-92-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2816-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-137-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1612-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-162-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1936-157-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/2760-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-179-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1680-193-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2840-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1460-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-537-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/896-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-686-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1616-717-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-750-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1684-763-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-893-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2692-980-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2488-993-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1716-1019-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1716-1018-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1044-1038-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing appears capped at 64 entries; the process tree below shows 122 nested stages, each dropped EXE written to the root of C:\ and launching the next)
pid Process 2272 vddpd.exe 2248 rlrxfxf.exe 2968 pjvdv.exe 2972 lxrxffr.exe 1884 3btbnh.exe 2376 nhbnbb.exe 2596 1bbbhh.exe 2684 vjvvp.exe 2328 7pdvv.exe 2572 nhtbnt.exe 2816 hbnbnh.exe 2688 btntbn.exe 2508 1jddj.exe 1612 hbhntt.exe 872 3djpv.exe 1936 7btbnn.exe 2760 dvdjv.exe 480 1bnhnn.exe 1680 jdjpd.exe 1232 7jvvv.exe 2840 9fxrxxf.exe 2828 hbnnnn.exe 1052 lfrfrlx.exe 1460 3dvvj.exe 924 vpjpv.exe 1356 7thhnt.exe 1428 vpdpp.exe 2824 5lxxxrr.exe 2944 9hbttt.exe 2844 7fxrrrr.exe 1756 bttbbb.exe 1696 9xllrlr.exe 1912 xlflxxf.exe 1588 1djpv.exe 1768 3vjjv.exe 2248 lflrxxf.exe 1540 3rxxflr.exe 2108 hbnttn.exe 2380 1jvdd.exe 2372 lfllxxl.exe 2396 frrrxxl.exe 2636 bthbht.exe 2104 pdpjp.exe 2240 vjpjj.exe 2684 lxfxllf.exe 1512 lxllrrf.exe 2728 nbbhbt.exe 2832 vpdvp.exe 2568 jdjjj.exe 2472 rfrllll.exe 1976 hnbtbb.exe 2508 pjjdp.exe 2768 5ddjd.exe 2524 xrfxffl.exe 2244 bnbbbb.exe 1820 pdvdj.exe 2516 dpvdd.exe 2740 frffllf.exe 2808 3hnnnh.exe 2024 hbnbhn.exe 2852 ppjpv.exe 2880 xrflrrf.exe 2840 thtttb.exe 828 bnbbhh.exe -
resource yara_rule behavioral1/memory/1364-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-72-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2328-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/480-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1460-235-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1356-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-537-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/896-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-730-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1360-831-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2920-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-993-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1200-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-1007-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-1097-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-1146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-1297-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location; here every hit is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Most hits are attributed to "Process not Found", which presumably means the short-lived dropped process had already exited before the sandbox resolved its PID.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrffl.exe -
Suspicious use of WriteProcessMemory 64 IoCs (the listing appears capped at 64 entries; each stage records four writes into the child it has just spawned, and that child then repeats the pattern with the next stage)
description pid Process procid_target PID 1364 wrote to memory of 2272 1364 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 28 PID 1364 wrote to memory of 2272 1364 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 28 PID 1364 wrote to memory of 2272 1364 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 28 PID 1364 wrote to memory of 2272 1364 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 28 PID 2272 wrote to memory of 2248 2272 vddpd.exe 29 PID 2272 wrote to memory of 2248 2272 vddpd.exe 29 PID 2272 wrote to memory of 2248 2272 vddpd.exe 29 PID 2272 wrote to memory of 2248 2272 vddpd.exe 29 PID 2248 wrote to memory of 2968 2248 rlrxfxf.exe 30 PID 2248 wrote to memory of 2968 2248 rlrxfxf.exe 30 PID 2248 wrote to memory of 2968 2248 rlrxfxf.exe 30 PID 2248 wrote to memory of 2968 2248 rlrxfxf.exe 30 PID 2968 wrote to memory of 2972 2968 pjvdv.exe 31 PID 2968 wrote to memory of 2972 2968 pjvdv.exe 31 PID 2968 wrote to memory of 2972 2968 pjvdv.exe 31 PID 2968 wrote to memory of 2972 2968 pjvdv.exe 31 PID 2972 wrote to memory of 1884 2972 lxrxffr.exe 32 PID 2972 wrote to memory of 1884 2972 lxrxffr.exe 32 PID 2972 wrote to memory of 1884 2972 lxrxffr.exe 32 PID 2972 wrote to memory of 1884 2972 lxrxffr.exe 32 PID 1884 wrote to memory of 2376 1884 3btbnh.exe 33 PID 1884 wrote to memory of 2376 1884 3btbnh.exe 33 PID 1884 wrote to memory of 2376 1884 3btbnh.exe 33 PID 1884 wrote to memory of 2376 1884 3btbnh.exe 33 PID 2376 wrote to memory of 2596 2376 nhbnbb.exe 34 PID 2376 wrote to memory of 2596 2376 nhbnbb.exe 34 PID 2376 wrote to memory of 2596 2376 nhbnbb.exe 34 PID 2376 wrote to memory of 2596 2376 nhbnbb.exe 34 PID 2596 wrote to memory of 2684 2596 1bbbhh.exe 35 PID 2596 wrote to memory of 2684 2596 1bbbhh.exe 35 PID 2596 wrote to memory of 2684 2596 1bbbhh.exe 35 PID 2596 wrote to memory of 2684 2596 1bbbhh.exe 35 PID 2684 wrote to memory of 2328 2684 vjvvp.exe 36 PID 2684 wrote 
to memory of 2328 2684 vjvvp.exe 36 PID 2684 wrote to memory of 2328 2684 vjvvp.exe 36 PID 2684 wrote to memory of 2328 2684 vjvvp.exe 36 PID 2328 wrote to memory of 2572 2328 7pdvv.exe 37 PID 2328 wrote to memory of 2572 2328 7pdvv.exe 37 PID 2328 wrote to memory of 2572 2328 7pdvv.exe 37 PID 2328 wrote to memory of 2572 2328 7pdvv.exe 37 PID 2572 wrote to memory of 2816 2572 nhtbnt.exe 38 PID 2572 wrote to memory of 2816 2572 nhtbnt.exe 38 PID 2572 wrote to memory of 2816 2572 nhtbnt.exe 38 PID 2572 wrote to memory of 2816 2572 nhtbnt.exe 38 PID 2816 wrote to memory of 2688 2816 hbnbnh.exe 39 PID 2816 wrote to memory of 2688 2816 hbnbnh.exe 39 PID 2816 wrote to memory of 2688 2816 hbnbnh.exe 39 PID 2816 wrote to memory of 2688 2816 hbnbnh.exe 39 PID 2688 wrote to memory of 2508 2688 btntbn.exe 40 PID 2688 wrote to memory of 2508 2688 btntbn.exe 40 PID 2688 wrote to memory of 2508 2688 btntbn.exe 40 PID 2688 wrote to memory of 2508 2688 btntbn.exe 40 PID 2508 wrote to memory of 1612 2508 1jddj.exe 41 PID 2508 wrote to memory of 1612 2508 1jddj.exe 41 PID 2508 wrote to memory of 1612 2508 1jddj.exe 41 PID 2508 wrote to memory of 1612 2508 1jddj.exe 41 PID 1612 wrote to memory of 872 1612 hbhntt.exe 42 PID 1612 wrote to memory of 872 1612 hbhntt.exe 42 PID 1612 wrote to memory of 872 1612 hbhntt.exe 42 PID 1612 wrote to memory of 872 1612 hbhntt.exe 42 PID 872 wrote to memory of 1936 872 3djpv.exe 43 PID 872 wrote to memory of 1936 872 3djpv.exe 43 PID 872 wrote to memory of 1936 872 3djpv.exe 43 PID 872 wrote to memory of 1936 872 3djpv.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe"C:\Users\Admin\AppData\Local\Temp\bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\vddpd.exec:\vddpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\rlrxfxf.exec:\rlrxfxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\pjvdv.exec:\pjvdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\lxrxffr.exec:\lxrxffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\3btbnh.exec:\3btbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\nhbnbb.exec:\nhbnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\1bbbhh.exec:\1bbbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\vjvvp.exec:\vjvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\7pdvv.exec:\7pdvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\nhtbnt.exec:\nhtbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\hbnbnh.exec:\hbnbnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\btntbn.exec:\btntbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\1jddj.exec:\1jddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\hbhntt.exec:\hbhntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\3djpv.exec:\3djpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\7btbnn.exec:\7btbnn.exe17⤵
- Executes dropped EXE
PID:1936 -
\??\c:\dvdjv.exec:\dvdjv.exe18⤵
- Executes dropped EXE
PID:2760 -
\??\c:\1bnhnn.exec:\1bnhnn.exe19⤵
- Executes dropped EXE
PID:480 -
\??\c:\jdjpd.exec:\jdjpd.exe20⤵
- Executes dropped EXE
PID:1680 -
\??\c:\7jvvv.exec:\7jvvv.exe21⤵
- Executes dropped EXE
PID:1232 -
\??\c:\9fxrxxf.exec:\9fxrxxf.exe22⤵
- Executes dropped EXE
PID:2840 -
\??\c:\hbnnnn.exec:\hbnnnn.exe23⤵
- Executes dropped EXE
PID:2828 -
\??\c:\lfrfrlx.exec:\lfrfrlx.exe24⤵
- Executes dropped EXE
PID:1052 -
\??\c:\3dvvj.exec:\3dvvj.exe25⤵
- Executes dropped EXE
PID:1460 -
\??\c:\vpjpv.exec:\vpjpv.exe26⤵
- Executes dropped EXE
PID:924 -
\??\c:\7thhnt.exec:\7thhnt.exe27⤵
- Executes dropped EXE
PID:1356 -
\??\c:\vpdpp.exec:\vpdpp.exe28⤵
- Executes dropped EXE
PID:1428 -
\??\c:\5lxxxrr.exec:\5lxxxrr.exe29⤵
- Executes dropped EXE
PID:2824 -
\??\c:\9hbttt.exec:\9hbttt.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944 -
\??\c:\7fxrrrr.exec:\7fxrrrr.exe31⤵
- Executes dropped EXE
PID:2844 -
\??\c:\bttbbb.exec:\bttbbb.exe32⤵
- Executes dropped EXE
PID:1756 -
\??\c:\9xllrlr.exec:\9xllrlr.exe33⤵
- Executes dropped EXE
PID:1696 -
\??\c:\xlflxxf.exec:\xlflxxf.exe34⤵
- Executes dropped EXE
PID:1912 -
\??\c:\1djpv.exec:\1djpv.exe35⤵
- Executes dropped EXE
PID:1588 -
\??\c:\3vjjv.exec:\3vjjv.exe36⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lflrxxf.exec:\lflrxxf.exe37⤵
- Executes dropped EXE
PID:2248 -
\??\c:\3rxxflr.exec:\3rxxflr.exe38⤵
- Executes dropped EXE
PID:1540 -
\??\c:\hbnttn.exec:\hbnttn.exe39⤵
- Executes dropped EXE
PID:2108 -
\??\c:\1jvdd.exec:\1jvdd.exe40⤵
- Executes dropped EXE
PID:2380 -
\??\c:\lfllxxl.exec:\lfllxxl.exe41⤵
- Executes dropped EXE
PID:2372 -
\??\c:\frrrxxl.exec:\frrrxxl.exe42⤵
- Executes dropped EXE
PID:2396 -
\??\c:\bthbht.exec:\bthbht.exe43⤵
- Executes dropped EXE
PID:2636 -
\??\c:\pdpjp.exec:\pdpjp.exe44⤵
- Executes dropped EXE
PID:2104 -
\??\c:\vjpjj.exec:\vjpjj.exe45⤵
- Executes dropped EXE
PID:2240 -
\??\c:\lxfxllf.exec:\lxfxllf.exe46⤵
- Executes dropped EXE
PID:2684 -
\??\c:\lxllrrf.exec:\lxllrrf.exe47⤵
- Executes dropped EXE
PID:1512 -
\??\c:\nbbhbt.exec:\nbbhbt.exe48⤵
- Executes dropped EXE
PID:2728 -
\??\c:\vpdvp.exec:\vpdvp.exe49⤵
- Executes dropped EXE
PID:2832 -
\??\c:\jdjjj.exec:\jdjjj.exe50⤵
- Executes dropped EXE
PID:2568 -
\??\c:\rfrllll.exec:\rfrllll.exe51⤵
- Executes dropped EXE
PID:2472 -
\??\c:\hnbtbb.exec:\hnbtbb.exe52⤵
- Executes dropped EXE
PID:1976 -
\??\c:\pjjdp.exec:\pjjdp.exe53⤵
- Executes dropped EXE
PID:2508 -
\??\c:\5ddjd.exec:\5ddjd.exe54⤵
- Executes dropped EXE
PID:2768 -
\??\c:\xrfxffl.exec:\xrfxffl.exe55⤵
- Executes dropped EXE
PID:2524 -
\??\c:\bnbbbb.exec:\bnbbbb.exe56⤵
- Executes dropped EXE
PID:2244 -
\??\c:\pdvdj.exec:\pdvdj.exe57⤵
- Executes dropped EXE
PID:1820 -
\??\c:\dpvdd.exec:\dpvdd.exe58⤵
- Executes dropped EXE
PID:2516 -
\??\c:\frffllf.exec:\frffllf.exe59⤵
- Executes dropped EXE
PID:2740 -
\??\c:\3hnnnh.exec:\3hnnnh.exe60⤵
- Executes dropped EXE
PID:2808 -
\??\c:\hbnbhn.exec:\hbnbhn.exe61⤵
- Executes dropped EXE
PID:2024 -
\??\c:\ppjpv.exec:\ppjpv.exe62⤵
- Executes dropped EXE
PID:2852 -
\??\c:\xrflrrf.exec:\xrflrrf.exe63⤵
- Executes dropped EXE
PID:2880 -
\??\c:\thtttb.exec:\thtttb.exe64⤵
- Executes dropped EXE
PID:2840 -
\??\c:\bnbbhh.exec:\bnbbhh.exe65⤵
- Executes dropped EXE
PID:828 -
\??\c:\jvdvj.exec:\jvdvj.exe66⤵PID:1092
-
\??\c:\9xrrrxf.exec:\9xrrrxf.exe67⤵PID:1960
-
\??\c:\rlxxfxf.exec:\rlxxfxf.exe68⤵PID:1600
-
\??\c:\nhnbhb.exec:\nhnbhb.exe69⤵PID:1536
-
\??\c:\pjddj.exec:\pjddj.exe70⤵PID:1196
-
\??\c:\frllrrx.exec:\frllrrx.exe71⤵PID:896
-
\??\c:\bthhnn.exec:\bthhnn.exe72⤵PID:2960
-
\??\c:\vjvdv.exec:\vjvdv.exe73⤵PID:2156
-
\??\c:\ppdjv.exec:\ppdjv.exe74⤵PID:2052
-
\??\c:\1rllrxl.exec:\1rllrxl.exe75⤵PID:2844
-
\??\c:\nbhbbt.exec:\nbhbbt.exe76⤵PID:888
-
\??\c:\tnbbnn.exec:\tnbbnn.exe77⤵PID:2340
-
\??\c:\9ddjv.exec:\9ddjv.exe78⤵PID:2408
-
\??\c:\rrfflfl.exec:\rrfflfl.exe79⤵PID:2400
-
\??\c:\nbnnbb.exec:\nbnnbb.exe80⤵PID:1908
-
\??\c:\nbhnbt.exec:\nbhnbt.exe81⤵PID:1768
-
\??\c:\pdjjp.exec:\pdjjp.exe82⤵PID:2984
-
\??\c:\7fxxxrx.exec:\7fxxxrx.exe83⤵PID:1792
-
\??\c:\bnbbbb.exec:\bnbbbb.exe84⤵PID:2076
-
\??\c:\ppjpv.exec:\ppjpv.exe85⤵PID:328
-
\??\c:\7xlxllx.exec:\7xlxllx.exe86⤵PID:804
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe87⤵PID:2548
-
\??\c:\tththb.exec:\tththb.exe88⤵PID:2608
-
\??\c:\ddvvd.exec:\ddvvd.exe89⤵PID:2676
-
\??\c:\vpvvd.exec:\vpvvd.exe90⤵PID:2092
-
\??\c:\xfrxlrl.exec:\xfrxlrl.exe91⤵PID:2492
-
\??\c:\nhbbnh.exec:\nhbbnh.exe92⤵PID:2616
-
\??\c:\nbbbnh.exec:\nbbbnh.exe93⤵PID:2692
-
\??\c:\jvjpj.exec:\jvjpj.exe94⤵PID:2456
-
\??\c:\lxxfxrl.exec:\lxxfxrl.exe95⤵PID:2688
-
\??\c:\xxrlxxl.exec:\xxrlxxl.exe96⤵PID:2704
-
\??\c:\hhbbhh.exec:\hhbbhh.exe97⤵PID:1616
-
\??\c:\jjdjv.exec:\jjdjv.exe98⤵PID:1896
-
\??\c:\lfxfrrl.exec:\lfxfrrl.exe99⤵PID:2768
-
\??\c:\5frrxxl.exec:\5frrxxl.exe100⤵PID:2524
-
\??\c:\9bhttt.exec:\9bhttt.exe101⤵PID:1684
-
\??\c:\jdppv.exec:\jdppv.exe102⤵PID:532
-
\??\c:\1frlrlr.exec:\1frlrlr.exe103⤵PID:2516
-
\??\c:\1lfxfxf.exec:\1lfxfxf.exe104⤵PID:660
-
\??\c:\bnbthb.exec:\bnbthb.exe105⤵PID:1796
-
\??\c:\9vpjp.exec:\9vpjp.exe106⤵PID:2812
-
\??\c:\5vjjp.exec:\5vjjp.exe107⤵PID:2872
-
\??\c:\rlxflfl.exec:\rlxflfl.exe108⤵PID:2892
-
\??\c:\1bhhtt.exec:\1bhhtt.exe109⤵PID:440
-
\??\c:\hhtbtb.exec:\hhtbtb.exe110⤵PID:2496
-
\??\c:\3pvdj.exec:\3pvdj.exe111⤵PID:1396
-
\??\c:\rlxffxf.exec:\rlxffxf.exe112⤵PID:1960
-
\??\c:\fxllffl.exec:\fxllffl.exe113⤵PID:1600
-
\??\c:\hbbbnn.exec:\hbbbnn.exe114⤵PID:1356
-
\??\c:\1pjpv.exec:\1pjpv.exe115⤵PID:1360
-
\??\c:\5vjdd.exec:\5vjdd.exe116⤵PID:896
-
\??\c:\lfxxlfr.exec:\lfxxlfr.exe117⤵PID:2148
-
\??\c:\tbthnn.exec:\tbthnn.exe118⤵PID:2216
-
\??\c:\pjpvp.exec:\pjpvp.exe119⤵PID:2068
-
\??\c:\3dppv.exec:\3dppv.exe120⤵PID:2096
-
\??\c:\rfrrlxf.exec:\rfrrlxf.exe121⤵PID:2140
-
\??\c:\hbnbtn.exec:\hbnbtn.exe122⤵PID:1968