Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
10/08/2024, 22:45
Behavioral task
behavioral1
Sample
7042be390e53a37d37482b28460e2177b93ef10414195960d8f9636af28a9e8f.exe
Resource
win7-20240708-en
6 signatures
150 seconds
General
-
Target
7042be390e53a37d37482b28460e2177b93ef10414195960d8f9636af28a9e8f.exe
-
Size
206KB
-
MD5
17bee1b6db000c6663e2177b40deb59b
-
SHA1
dc66b6b287b2b0b0a22c46fd2f6b763f6c927520
-
SHA256
7042be390e53a37d37482b28460e2177b93ef10414195960d8f9636af28a9e8f
-
SHA512
beae320338eecacaca54cae6111c9a3b5390e3cc73af00ec629a2bef8fa5ba9e73f2b427af03468b5491a943ec8bcc1963fa313b3c292e05155454e05bf995fd
-
SSDEEP
6144:rcm4FmowdHoStBuhW246lCXb7YpdnSj6Ksa4:x4wFHoSLjr0+Hsa4
Malware Config
Signatures
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2988-7-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1356-19-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2836-31-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1568-29-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2784-50-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/3064-48-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2828-69-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2680-66-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2668-86-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1680-118-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2088-136-0x0000000000440000-0x0000000000476000-memory.dmp family_blackmoon behavioral1/memory/2088-135-0x0000000000440000-0x0000000000476000-memory.dmp family_blackmoon behavioral1/memory/1956-139-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/640-156-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1848-166-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2656-174-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/804-184-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2408-187-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/316-218-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1188-243-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1660-253-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral1/memory/616-256-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1892-275-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2204-272-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2740-303-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2788-323-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2812-343-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2624-381-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1760-396-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/380-426-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1460-494-0x00000000002B0000-0x00000000002E6000-memory.dmp family_blackmoon behavioral1/memory/1448-501-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2192-527-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2108-546-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1516-553-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1940-684-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/968-758-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/3020-827-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1356 pdvdp.exe 1568 tnttnh.exe 2836 ppdjv.exe 3064 3fxfxfr.exe 2784 btnbbn.exe 2680 hbntht.exe 2828 lfrfrfx.exe 2992 nhtttb.exe 2668 jdpjp.exe 2628 xrfxflr.exe 1748 thtbnt.exe 1680 nhbbht.exe 1592 jvddp.exe 2088 1xxlrfl.exe 1956 5btbtt.exe 380 jdpjp.exe 640 1fxlrlr.exe 1848 btbbnn.exe 2656 vpddj.exe 804 rlffxxl.exe 2408 tnbbhh.exe 656 nnhbbb.exe 1604 jdvdj.exe 316 lfxfllx.exe 1324 bbtbhh.exe 1052 tnhbnn.exe 1188 7xlllrf.exe 1660 thtbtb.exe 616 5djjv.exe 2204 xrlrrxf.exe 1892 7tnhtb.exe 1512 dvpdp.exe 2876 7vpdp.exe 1136 9rxrflr.exe 2740 nhttnt.exe 236 tnbhnb.exe 2704 5djvj.exe 2788 llxfxxl.exe 2892 fxxxrfr.exe 2660 bthntb.exe 2812 ddvjd.exe 2200 vpdvp.exe 2608 lffxffl.exe 2548 lxlrfrx.exe 3008 nnhnhn.exe 2624 9tnnbb.exe 772 pvpvv.exe 996 xrllrrl.exe 1760 9nhnnt.exe 1728 hbnthh.exe 1252 3ppvp.exe 276 xrlrlrl.exe 380 xrfrffr.exe 1792 hbhntt.exe 1864 vpvdp.exe 1572 jvjpj.exe 1596 1rrrxxl.exe 2592 5rffrxf.exe 2408 hbntbb.exe 1784 5nnbbn.exe 656 9vjjp.exe 1604 5djjv.exe 1296 9rrrffl.exe 1460 5llxllr.exe -
resource yara_rule behavioral1/memory/2988-0-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0009000000012118-8.dat upx behavioral1/memory/1356-9-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2988-7-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/1356-13-0x0000000000220000-0x0000000000256000-memory.dmp upx behavioral1/files/0x0009000000016610-17.dat upx behavioral1/memory/1568-20-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/1356-19-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0008000000016848-26.dat upx behavioral1/memory/2836-31-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/1568-29-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0008000000016aa4-38.dat upx behavioral1/memory/3064-39-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0008000000016c5c-46.dat upx behavioral1/memory/2784-50-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/3064-48-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0007000000016cae-57.dat upx behavioral1/files/0x0007000000016cdb-64.dat upx behavioral1/memory/2828-69-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2680-66-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0007000000016d07-75.dat upx behavioral1/files/0x0008000000016d21-83.dat upx behavioral1/memory/2668-86-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x00060000000173b8-92.dat upx behavioral1/memory/2628-93-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x00060000000173eb-100.dat upx behavioral1/files/0x00060000000175cc-109.dat upx behavioral1/files/0x00060000000175d0-116.dat upx behavioral1/memory/1680-118-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x00060000000175f0-126.dat upx 
behavioral1/files/0x00050000000186f3-133.dat upx behavioral1/memory/2088-135-0x0000000000440000-0x0000000000476000-memory.dmp upx behavioral1/memory/1956-139-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x00050000000186f7-146.dat upx behavioral1/memory/640-148-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x000500000001871e-157.dat upx behavioral1/memory/640-156-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x000500000001872a-164.dat upx behavioral1/memory/1848-166-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x000500000001872e-175.dat upx behavioral1/memory/2656-174-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/804-184-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0005000000018736-181.dat upx behavioral1/memory/2408-187-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0005000000018780-193.dat upx behavioral1/files/0x0006000000018b00-199.dat upx behavioral1/files/0x0006000000018b83-209.dat upx behavioral1/memory/316-218-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0008000000016491-216.dat upx behavioral1/memory/1052-227-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0006000000018bcd-226.dat upx behavioral1/files/0x0006000000018bd2-235.dat upx behavioral1/memory/1188-243-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x000600000001902b-244.dat upx behavioral1/files/0x000500000001927c-255.dat upx behavioral1/memory/1660-253-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/616-256-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x000500000001927e-263.dat upx behavioral1/files/0x0005000000019354-270.dat upx behavioral1/memory/1892-275-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2204-272-0x0000000000400000-0x0000000000436000-memory.dmp upx 
behavioral1/files/0x0005000000019372-281.dat upx behavioral1/files/0x000500000001938f-289.dat upx behavioral1/memory/1136-296-0x0000000000400000-0x0000000000436000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfffl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 1356 2988 7042be390e53a37d37482b28460e2177b93ef10414195960d8f9636af28a9e8f.exe 31 PID 2988 wrote to memory of 1356 2988 7042be390e53a37d37482b28460e2177b93ef10414195960d8f9636af28a9e8f.exe 31 PID 2988 wrote to memory of 1356 2988 7042be390e53a37d37482b28460e2177b93ef10414195960d8f9636af28a9e8f.exe 31 PID 2988 wrote to memory of 1356 2988 7042be390e53a37d37482b28460e2177b93ef10414195960d8f9636af28a9e8f.exe 31 PID 1356 wrote to memory of 1568 1356 pdvdp.exe 32 PID 1356 wrote to memory of 1568 1356 pdvdp.exe 32 PID 1356 wrote to memory of 1568 1356 pdvdp.exe 32 PID 1356 wrote to memory of 1568 1356 pdvdp.exe 32 PID 1568 wrote to memory of 2836 1568 tnttnh.exe 33 PID 1568 wrote to memory of 2836 1568 tnttnh.exe 33 PID 1568 wrote to memory of 2836 1568 tnttnh.exe 33 PID 1568 wrote to memory of 2836 1568 tnttnh.exe 33 PID 2836 wrote to memory of 3064 2836 ppdjv.exe 34 PID 2836 wrote to memory of 3064 2836 ppdjv.exe 34 PID 2836 wrote to memory of 3064 2836 ppdjv.exe 34 PID 2836 wrote to memory of 3064 2836 ppdjv.exe 34 PID 3064 wrote to memory of 2784 3064 3fxfxfr.exe 35 PID 3064 wrote to memory of 2784 3064 3fxfxfr.exe 35 PID 3064 wrote to memory of 2784 3064 3fxfxfr.exe 35 PID 3064 wrote to memory of 2784 3064 3fxfxfr.exe 35 PID 2784 wrote to memory of 2680 2784 btnbbn.exe 36 PID 2784 wrote to memory of 2680 2784 btnbbn.exe 36 PID 2784 wrote to memory of 2680 2784 btnbbn.exe 36 PID 2784 wrote to memory of 2680 2784 btnbbn.exe 36 PID 2680 wrote to memory of 2828 2680 hbntht.exe 37 PID 2680 wrote to memory of 2828 2680 hbntht.exe 37 PID 2680 wrote to memory of 2828 2680 hbntht.exe 37 PID 2680 wrote to memory of 2828 2680 hbntht.exe 37 PID 2828 wrote to memory of 2992 2828 lfrfrfx.exe 38 PID 2828 wrote to memory of 2992 2828 lfrfrfx.exe 38 PID 2828 wrote to memory of 2992 2828 lfrfrfx.exe 38 PID 2828 wrote to memory of 2992 2828 lfrfrfx.exe 38 PID 2992 wrote to memory of 2668 2992 nhtttb.exe 39 PID 2992 
wrote to memory of 2668 2992 nhtttb.exe 39 PID 2992 wrote to memory of 2668 2992 nhtttb.exe 39 PID 2992 wrote to memory of 2668 2992 nhtttb.exe 39 PID 2668 wrote to memory of 2628 2668 jdpjp.exe 40 PID 2668 wrote to memory of 2628 2668 jdpjp.exe 40 PID 2668 wrote to memory of 2628 2668 jdpjp.exe 40 PID 2668 wrote to memory of 2628 2668 jdpjp.exe 40 PID 2628 wrote to memory of 1748 2628 xrfxflr.exe 41 PID 2628 wrote to memory of 1748 2628 xrfxflr.exe 41 PID 2628 wrote to memory of 1748 2628 xrfxflr.exe 41 PID 2628 wrote to memory of 1748 2628 xrfxflr.exe 41 PID 1748 wrote to memory of 1680 1748 thtbnt.exe 42 PID 1748 wrote to memory of 1680 1748 thtbnt.exe 42 PID 1748 wrote to memory of 1680 1748 thtbnt.exe 42 PID 1748 wrote to memory of 1680 1748 thtbnt.exe 42 PID 1680 wrote to memory of 1592 1680 nhbbht.exe 43 PID 1680 wrote to memory of 1592 1680 nhbbht.exe 43 PID 1680 wrote to memory of 1592 1680 nhbbht.exe 43 PID 1680 wrote to memory of 1592 1680 nhbbht.exe 43 PID 1592 wrote to memory of 2088 1592 jvddp.exe 44 PID 1592 wrote to memory of 2088 1592 jvddp.exe 44 PID 1592 wrote to memory of 2088 1592 jvddp.exe 44 PID 1592 wrote to memory of 2088 1592 jvddp.exe 44 PID 2088 wrote to memory of 1956 2088 1xxlrfl.exe 45 PID 2088 wrote to memory of 1956 2088 1xxlrfl.exe 45 PID 2088 wrote to memory of 1956 2088 1xxlrfl.exe 45 PID 2088 wrote to memory of 1956 2088 1xxlrfl.exe 45 PID 1956 wrote to memory of 380 1956 5btbtt.exe 46 PID 1956 wrote to memory of 380 1956 5btbtt.exe 46 PID 1956 wrote to memory of 380 1956 5btbtt.exe 46 PID 1956 wrote to memory of 380 1956 5btbtt.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\7042be390e53a37d37482b28460e2177b93ef10414195960d8f9636af28a9e8f.exe"C:\Users\Admin\AppData\Local\Temp\7042be390e53a37d37482b28460e2177b93ef10414195960d8f9636af28a9e8f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\pdvdp.exec:\pdvdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\tnttnh.exec:\tnttnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\ppdjv.exec:\ppdjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\3fxfxfr.exec:\3fxfxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\btnbbn.exec:\btnbbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\hbntht.exec:\hbntht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\lfrfrfx.exec:\lfrfrfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\nhtttb.exec:\nhtttb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\jdpjp.exec:\jdpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\xrfxflr.exec:\xrfxflr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\thtbnt.exec:\thtbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\nhbbht.exec:\nhbbht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\jvddp.exec:\jvddp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\1xxlrfl.exec:\1xxlrfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\5btbtt.exec:\5btbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\jdpjp.exec:\jdpjp.exe17⤵
- Executes dropped EXE
PID:380 -
\??\c:\1fxlrlr.exec:\1fxlrlr.exe18⤵
- Executes dropped EXE
PID:640 -
\??\c:\btbbnn.exec:\btbbnn.exe19⤵
- Executes dropped EXE
PID:1848 -
\??\c:\vpddj.exec:\vpddj.exe20⤵
- Executes dropped EXE
PID:2656 -
\??\c:\rlffxxl.exec:\rlffxxl.exe21⤵
- Executes dropped EXE
PID:804 -
\??\c:\tnbbhh.exec:\tnbbhh.exe22⤵
- Executes dropped EXE
PID:2408 -
\??\c:\nnhbbb.exec:\nnhbbb.exe23⤵
- Executes dropped EXE
PID:656 -
\??\c:\jdvdj.exec:\jdvdj.exe24⤵
- Executes dropped EXE
PID:1604 -
\??\c:\lfxfllx.exec:\lfxfllx.exe25⤵
- Executes dropped EXE
PID:316 -
\??\c:\bbtbhh.exec:\bbtbhh.exe26⤵
- Executes dropped EXE
PID:1324 -
\??\c:\tnhbnn.exec:\tnhbnn.exe27⤵
- Executes dropped EXE
PID:1052 -
\??\c:\7xlllrf.exec:\7xlllrf.exe28⤵
- Executes dropped EXE
PID:1188 -
\??\c:\thtbtb.exec:\thtbtb.exe29⤵
- Executes dropped EXE
PID:1660 -
\??\c:\5djjv.exec:\5djjv.exe30⤵
- Executes dropped EXE
PID:616 -
\??\c:\xrlrrxf.exec:\xrlrrxf.exe31⤵
- Executes dropped EXE
PID:2204 -
\??\c:\7tnhtb.exec:\7tnhtb.exe32⤵
- Executes dropped EXE
PID:1892 -
\??\c:\dvpdp.exec:\dvpdp.exe33⤵
- Executes dropped EXE
PID:1512 -
\??\c:\7vpdp.exec:\7vpdp.exe34⤵
- Executes dropped EXE
PID:2876 -
\??\c:\9rxrflr.exec:\9rxrflr.exe35⤵
- Executes dropped EXE
PID:1136 -
\??\c:\nhttnt.exec:\nhttnt.exe36⤵
- Executes dropped EXE
PID:2740 -
\??\c:\tnbhnb.exec:\tnbhnb.exe37⤵
- Executes dropped EXE
PID:236 -
\??\c:\5djvj.exec:\5djvj.exe38⤵
- Executes dropped EXE
PID:2704 -
\??\c:\llxfxxl.exec:\llxfxxl.exe39⤵
- Executes dropped EXE
PID:2788 -
\??\c:\fxxxrfr.exec:\fxxxrfr.exe40⤵
- Executes dropped EXE
PID:2892 -
\??\c:\bthntb.exec:\bthntb.exe41⤵
- Executes dropped EXE
PID:2660 -
\??\c:\ddvjd.exec:\ddvjd.exe42⤵
- Executes dropped EXE
PID:2812 -
\??\c:\vpdvp.exec:\vpdvp.exe43⤵
- Executes dropped EXE
PID:2200 -
\??\c:\lffxffl.exec:\lffxffl.exe44⤵
- Executes dropped EXE
PID:2608 -
\??\c:\lxlrfrx.exec:\lxlrfrx.exe45⤵
- Executes dropped EXE
PID:2548 -
\??\c:\nnhnhn.exec:\nnhnhn.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
\??\c:\9tnnbb.exec:\9tnnbb.exe47⤵
- Executes dropped EXE
PID:2624 -
\??\c:\pvpvv.exec:\pvpvv.exe48⤵
- Executes dropped EXE
PID:772 -
\??\c:\xrllrrl.exec:\xrllrrl.exe49⤵
- Executes dropped EXE
PID:996 -
\??\c:\9nhnnt.exec:\9nhnnt.exe50⤵
- Executes dropped EXE
PID:1760 -
\??\c:\hbnthh.exec:\hbnthh.exe51⤵
- Executes dropped EXE
PID:1728 -
\??\c:\3ppvp.exec:\3ppvp.exe52⤵
- Executes dropped EXE
PID:1252 -
\??\c:\xrlrlrl.exec:\xrlrlrl.exe53⤵
- Executes dropped EXE
PID:276 -
\??\c:\xrfrffr.exec:\xrfrffr.exe54⤵
- Executes dropped EXE
PID:380 -
\??\c:\hbhntt.exec:\hbhntt.exe55⤵
- Executes dropped EXE
PID:1792 -
\??\c:\vpvdp.exec:\vpvdp.exe56⤵
- Executes dropped EXE
PID:1864 -
\??\c:\jvjpj.exec:\jvjpj.exe57⤵
- Executes dropped EXE
PID:1572 -
\??\c:\1rrrxxl.exec:\1rrrxxl.exe58⤵
- Executes dropped EXE
PID:1596 -
\??\c:\5rffrxf.exec:\5rffrxf.exe59⤵
- Executes dropped EXE
PID:2592 -
\??\c:\hbntbb.exec:\hbntbb.exe60⤵
- Executes dropped EXE
PID:2408 -
\??\c:\5nnbbn.exec:\5nnbbn.exe61⤵
- Executes dropped EXE
PID:1784 -
\??\c:\9vjjp.exec:\9vjjp.exe62⤵
- Executes dropped EXE
PID:656 -
\??\c:\5djjv.exec:\5djjv.exe63⤵
- Executes dropped EXE
PID:1604 -
\??\c:\9rrrffl.exec:\9rrrffl.exe64⤵
- Executes dropped EXE
PID:1296 -
\??\c:\5llxllr.exec:\5llxllr.exe65⤵
- Executes dropped EXE
PID:1460 -
\??\c:\hbtbnn.exec:\hbtbnn.exe66⤵PID:1448
-
\??\c:\hbbtbh.exec:\hbbtbh.exe67⤵PID:2504
-
\??\c:\jjpvj.exec:\jjpvj.exe68⤵PID:2100
-
\??\c:\5fxrxxf.exec:\5fxrxxf.exe69⤵PID:2116
-
\??\c:\rflrxxf.exec:\rflrxxf.exe70⤵PID:2192
-
\??\c:\3ttbnn.exec:\3ttbnn.exe71⤵PID:1668
-
\??\c:\3htbbb.exec:\3htbbb.exe72⤵PID:1736
-
\??\c:\vjppj.exec:\vjppj.exe73⤵PID:2108
-
\??\c:\pdjjp.exec:\pdjjp.exe74⤵PID:1516
-
\??\c:\lfrlfll.exec:\lfrlfll.exe75⤵PID:2068
-
\??\c:\5bbhnt.exec:\5bbhnt.exe76⤵PID:1356
-
\??\c:\thnnnt.exec:\thnnnt.exe77⤵PID:1136
-
\??\c:\pdjvj.exec:\pdjvj.exe78⤵PID:2740
-
\??\c:\7ppvj.exec:\7ppvj.exe79⤵PID:1896
-
\??\c:\lrfrflr.exec:\lrfrflr.exe80⤵PID:2776
-
\??\c:\lxrflxf.exec:\lxrflxf.exe81⤵PID:2760
-
\??\c:\nhbnbn.exec:\nhbnbn.exe82⤵PID:2560
-
\??\c:\nnbhhb.exec:\nnbhhb.exe83⤵PID:2744
-
\??\c:\dvjvj.exec:\dvjvj.exe84⤵PID:2576
-
\??\c:\dddjd.exec:\dddjd.exe85⤵PID:2724
-
\??\c:\xlrrffl.exec:\xlrrffl.exe86⤵PID:2568
-
\??\c:\tntbnt.exec:\tntbnt.exe87⤵PID:2820
-
\??\c:\htbhbt.exec:\htbhbt.exe88⤵PID:2968
-
\??\c:\pjjpv.exec:\pjjpv.exe89⤵PID:2824
-
\??\c:\dvjjp.exec:\dvjjp.exe90⤵PID:2624
-
\??\c:\frlrflr.exec:\frlrflr.exe91⤵PID:1976
-
\??\c:\5lllrfl.exec:\5lllrfl.exe92⤵PID:1684
-
\??\c:\7nbhth.exec:\7nbhth.exe93⤵PID:1760
-
\??\c:\dvpdp.exec:\dvpdp.exe94⤵PID:1208
-
\??\c:\pjpdp.exec:\pjpdp.exe95⤵PID:1940
-
\??\c:\rlllfff.exec:\rlllfff.exe96⤵PID:1968
-
\??\c:\7xlfxxx.exec:\7xlfxxx.exe97⤵PID:1576
-
\??\c:\5htttb.exec:\5htttb.exe98⤵PID:852
-
\??\c:\1pdpd.exec:\1pdpd.exe99⤵PID:2732
-
\??\c:\7vddp.exec:\7vddp.exe100⤵PID:2640
-
\??\c:\xxrrffl.exec:\xxrrffl.exe101⤵PID:1596
-
\??\c:\rfflrrx.exec:\rfflrrx.exe102⤵PID:804
-
\??\c:\thnthh.exec:\thnthh.exe103⤵PID:2408
-
\??\c:\nhnbhn.exec:\nhnbhn.exe104⤵PID:2996
-
\??\c:\jvjdp.exec:\jvjdp.exe105⤵PID:1800
-
\??\c:\vjjvd.exec:\vjjvd.exe106⤵PID:1796
-
\??\c:\lxrrxfl.exec:\lxrrxfl.exe107⤵PID:968
-
\??\c:\lflfrrr.exec:\lflfrrr.exe108⤵PID:1644
-
\??\c:\hbnthh.exec:\hbnthh.exe109⤵PID:2924
-
\??\c:\nbtbnh.exec:\nbtbnh.exe110⤵PID:2504
-
\??\c:\pdjpd.exec:\pdjpd.exe111⤵PID:2100
-
\??\c:\lxlrflr.exec:\lxlrflr.exe112⤵PID:1376
-
\??\c:\lflfrxf.exec:\lflfrxf.exe113⤵PID:2932
-
\??\c:\9bttbt.exec:\9bttbt.exe114⤵PID:904
-
\??\c:\bbbhtt.exec:\bbbhtt.exe115⤵PID:1892
-
\??\c:\ddvvj.exec:\ddvvj.exe116⤵PID:2260
-
\??\c:\pdvdp.exec:\pdvdp.exe117⤵PID:1516
-
\??\c:\frxxrrl.exec:\frxxrrl.exe118⤵PID:2328
-
\??\c:\xxfxrfl.exec:\xxfxrfl.exe119⤵PID:3020
-
\??\c:\5tnbtb.exec:\5tnbtb.exe120⤵PID:2880
-
\??\c:\5tthnt.exec:\5tthnt.exe121⤵PID:236
-
\??\c:\jdppv.exec:\jdppv.exe122⤵PID:2644