Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 03:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6f26bad09bd190952947a20b8173968e7ab0594188aa468ad22f3cc9a501aa8.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
b6f26bad09bd190952947a20b8173968e7ab0594188aa468ad22f3cc9a501aa8.exe
-
Size
453KB
-
MD5
225b39f75561347d98c87422cdc6ff2a
-
SHA1
d87f4008ff8dd07a13ab161242afc342be20c376
-
SHA256
b6f26bad09bd190952947a20b8173968e7ab0594188aa468ad22f3cc9a501aa8
-
SHA512
4d9e267536a991e34208c56cd0c73f04c2ca3f98493977fb38873fb1ba0d57d7df635c15ba46176d7cf504b53bd739ba1fb8736fc1cc858357d95ce92c2953e2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/940-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2500-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4100-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-913-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-1342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-1379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/908-1386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1532 rxxlfrl.exe 772 bbbttb.exe 2936 tbhhhb.exe 1872 fxrffll.exe 4808 htnbtn.exe 3124 nhnhbb.exe 3612 7ffrlxr.exe 1796 xxlfrlf.exe 5068 vdppj.exe 216 vvpjd.exe 1956 rflfxxr.exe 1596 lffxrrl.exe 3428 htbthb.exe 1344 vvpjv.exe 4368 ddpvd.exe 3012 lllfxrr.exe 1460 bnthbb.exe 1752 nbhnnh.exe 2236 bhbbtn.exe 3960 1pppj.exe 5056 7hbbtb.exe 1888 vjddv.exe 4380 fllfxrl.exe 3644 dpjjd.exe 4376 xxlrxxl.exe 4248 tbhhhb.exe 4392 hntntt.exe 2500 7xxrllf.exe 1528 jjpjd.exe 3212 5xfffrl.exe 2368 hbhtnn.exe 736 3tnhbt.exe 3848 jdjdp.exe 4360 pvjdd.exe 2172 3ffxrrl.exe 4560 thnhhh.exe 3280 fxrfrxl.exe 4648 rlflxfx.exe 4860 bhhhbb.exe 3052 jdvpd.exe 2596 7rxlffr.exe 4332 rlrllfx.exe 2980 jpjdv.exe 3248 rlrlffx.exe 4024 1fllflf.exe 1328 bbbbnt.exe 4232 jpppd.exe 4128 lrxrffx.exe 2708 hbnhhh.exe 1872 5pvjj.exe 388 fxrrffl.exe 3752 7xrllff.exe 1592 hhtttt.exe 4188 jppdv.exe 628 rxxlflf.exe 816 tthbbh.exe 1920 tnbthb.exe 4876 djjdv.exe 3380 1xfxffx.exe 1376 llflxll.exe 1344 hbnhbb.exe 3012 jjjjv.exe 4996 ffffxxx.exe 3660 hhtnnh.exe -
resource yara_rule behavioral2/memory/940-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2500-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2020-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-788-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (in this run, by opening the HKLM\SYSTEM\ControlSet001\Control\NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 940 wrote to memory of 1532 940 b6f26bad09bd190952947a20b8173968e7ab0594188aa468ad22f3cc9a501aa8.exe 82 PID 940 wrote to memory of 1532 940 b6f26bad09bd190952947a20b8173968e7ab0594188aa468ad22f3cc9a501aa8.exe 82 PID 940 wrote to memory of 1532 940 b6f26bad09bd190952947a20b8173968e7ab0594188aa468ad22f3cc9a501aa8.exe 82 PID 1532 wrote to memory of 772 1532 rxxlfrl.exe 83 PID 1532 wrote to memory of 772 1532 rxxlfrl.exe 83 PID 1532 wrote to memory of 772 1532 rxxlfrl.exe 83 PID 772 wrote to memory of 2936 772 bbbttb.exe 84 PID 772 wrote to memory of 2936 772 bbbttb.exe 84 PID 772 wrote to memory of 2936 772 bbbttb.exe 84 PID 2936 wrote to memory of 1872 2936 tbhhhb.exe 85 PID 2936 wrote to memory of 1872 2936 tbhhhb.exe 85 PID 2936 wrote to memory of 1872 2936 tbhhhb.exe 85 PID 1872 wrote to memory of 4808 1872 fxrffll.exe 86 PID 1872 wrote to memory of 4808 1872 fxrffll.exe 86 PID 1872 wrote to memory of 4808 1872 fxrffll.exe 86 PID 4808 wrote to memory of 3124 4808 htnbtn.exe 87 PID 4808 wrote to memory of 3124 4808 htnbtn.exe 87 PID 4808 wrote to memory of 3124 4808 htnbtn.exe 87 PID 3124 wrote to memory of 3612 3124 nhnhbb.exe 88 PID 3124 wrote to memory of 3612 3124 nhnhbb.exe 88 PID 3124 wrote to memory of 3612 3124 nhnhbb.exe 88 PID 3612 wrote to memory of 1796 3612 7ffrlxr.exe 89 PID 3612 wrote to memory of 1796 3612 7ffrlxr.exe 89 PID 3612 wrote to memory of 1796 3612 7ffrlxr.exe 89 PID 1796 wrote to memory of 5068 1796 xxlfrlf.exe 90 PID 1796 wrote to memory of 5068 1796 xxlfrlf.exe 90 PID 1796 wrote to memory of 5068 1796 xxlfrlf.exe 90 PID 5068 wrote to memory of 216 5068 vdppj.exe 91 PID 5068 wrote to memory of 216 5068 vdppj.exe 91 PID 5068 wrote to memory of 216 5068 vdppj.exe 91 PID 216 wrote to memory of 1956 216 vvpjd.exe 92 PID 216 wrote to memory of 1956 216 vvpjd.exe 92 PID 216 wrote to memory of 1956 216 vvpjd.exe 92 PID 1956 wrote to memory of 1596 1956 rflfxxr.exe 93 PID 1956 wrote to memory of 1596 
1956 rflfxxr.exe 93 PID 1956 wrote to memory of 1596 1956 rflfxxr.exe 93 PID 1596 wrote to memory of 3428 1596 lffxrrl.exe 94 PID 1596 wrote to memory of 3428 1596 lffxrrl.exe 94 PID 1596 wrote to memory of 3428 1596 lffxrrl.exe 94 PID 3428 wrote to memory of 1344 3428 htbthb.exe 95 PID 3428 wrote to memory of 1344 3428 htbthb.exe 95 PID 3428 wrote to memory of 1344 3428 htbthb.exe 95 PID 1344 wrote to memory of 4368 1344 vvpjv.exe 96 PID 1344 wrote to memory of 4368 1344 vvpjv.exe 96 PID 1344 wrote to memory of 4368 1344 vvpjv.exe 96 PID 4368 wrote to memory of 3012 4368 ddpvd.exe 97 PID 4368 wrote to memory of 3012 4368 ddpvd.exe 97 PID 4368 wrote to memory of 3012 4368 ddpvd.exe 97 PID 3012 wrote to memory of 1460 3012 lllfxrr.exe 98 PID 3012 wrote to memory of 1460 3012 lllfxrr.exe 98 PID 3012 wrote to memory of 1460 3012 lllfxrr.exe 98 PID 1460 wrote to memory of 1752 1460 bnthbb.exe 99 PID 1460 wrote to memory of 1752 1460 bnthbb.exe 99 PID 1460 wrote to memory of 1752 1460 bnthbb.exe 99 PID 1752 wrote to memory of 2236 1752 nbhnnh.exe 100 PID 1752 wrote to memory of 2236 1752 nbhnnh.exe 100 PID 1752 wrote to memory of 2236 1752 nbhnnh.exe 100 PID 2236 wrote to memory of 3960 2236 bhbbtn.exe 101 PID 2236 wrote to memory of 3960 2236 bhbbtn.exe 101 PID 2236 wrote to memory of 3960 2236 bhbbtn.exe 101 PID 3960 wrote to memory of 5056 3960 1pppj.exe 102 PID 3960 wrote to memory of 5056 3960 1pppj.exe 102 PID 3960 wrote to memory of 5056 3960 1pppj.exe 102 PID 5056 wrote to memory of 1888 5056 7hbbtb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6f26bad09bd190952947a20b8173968e7ab0594188aa468ad22f3cc9a501aa8.exe"C:\Users\Admin\AppData\Local\Temp\b6f26bad09bd190952947a20b8173968e7ab0594188aa468ad22f3cc9a501aa8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\bbbttb.exec:\bbbttb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\tbhhhb.exec:\tbhhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\fxrffll.exec:\fxrffll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\htnbtn.exec:\htnbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\nhnhbb.exec:\nhnhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\7ffrlxr.exec:\7ffrlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\xxlfrlf.exec:\xxlfrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\vdppj.exec:\vdppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\vvpjd.exec:\vvpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\rflfxxr.exec:\rflfxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\lffxrrl.exec:\lffxrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\htbthb.exec:\htbthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\vvpjv.exec:\vvpjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\ddpvd.exec:\ddpvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\lllfxrr.exec:\lllfxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\bnthbb.exec:\bnthbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\nbhnnh.exec:\nbhnnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\bhbbtn.exec:\bhbbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\1pppj.exec:\1pppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\7hbbtb.exec:\7hbbtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\vjddv.exec:\vjddv.exe23⤵
- Executes dropped EXE
PID:1888 -
\??\c:\fllfxrl.exec:\fllfxrl.exe24⤵
- Executes dropped EXE
PID:4380 -
\??\c:\dpjjd.exec:\dpjjd.exe25⤵
- Executes dropped EXE
PID:3644 -
\??\c:\xxlrxxl.exec:\xxlrxxl.exe26⤵
- Executes dropped EXE
PID:4376 -
\??\c:\tbhhhb.exec:\tbhhhb.exe27⤵
- Executes dropped EXE
PID:4248 -
\??\c:\hntntt.exec:\hntntt.exe28⤵
- Executes dropped EXE
PID:4392 -
\??\c:\7xxrllf.exec:\7xxrllf.exe29⤵
- Executes dropped EXE
PID:2500 -
\??\c:\jjpjd.exec:\jjpjd.exe30⤵
- Executes dropped EXE
PID:1528 -
\??\c:\5xfffrl.exec:\5xfffrl.exe31⤵
- Executes dropped EXE
PID:3212 -
\??\c:\hbhtnn.exec:\hbhtnn.exe32⤵
- Executes dropped EXE
PID:2368 -
\??\c:\3tnhbt.exec:\3tnhbt.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736 -
\??\c:\jdjdp.exec:\jdjdp.exe34⤵
- Executes dropped EXE
PID:3848 -
\??\c:\pvjdd.exec:\pvjdd.exe35⤵
- Executes dropped EXE
PID:4360 -
\??\c:\3ffxrrl.exec:\3ffxrrl.exe36⤵
- Executes dropped EXE
PID:2172 -
\??\c:\thnhhh.exec:\thnhhh.exe37⤵
- Executes dropped EXE
PID:4560 -
\??\c:\fxrfrxl.exec:\fxrfrxl.exe38⤵
- Executes dropped EXE
PID:3280 -
\??\c:\rlflxfx.exec:\rlflxfx.exe39⤵
- Executes dropped EXE
PID:4648 -
\??\c:\bhhhbb.exec:\bhhhbb.exe40⤵
- Executes dropped EXE
PID:4860 -
\??\c:\jdvpd.exec:\jdvpd.exe41⤵
- Executes dropped EXE
PID:3052 -
\??\c:\7rxlffr.exec:\7rxlffr.exe42⤵
- Executes dropped EXE
PID:2596 -
\??\c:\rlrllfx.exec:\rlrllfx.exe43⤵
- Executes dropped EXE
PID:4332 -
\??\c:\jpjdv.exec:\jpjdv.exe44⤵
- Executes dropped EXE
PID:2980 -
\??\c:\rlrlffx.exec:\rlrlffx.exe45⤵
- Executes dropped EXE
PID:3248 -
\??\c:\1fllflf.exec:\1fllflf.exe46⤵
- Executes dropped EXE
PID:4024 -
\??\c:\bbbbnt.exec:\bbbbnt.exe47⤵
- Executes dropped EXE
PID:1328 -
\??\c:\jpppd.exec:\jpppd.exe48⤵
- Executes dropped EXE
PID:4232 -
\??\c:\lrxrffx.exec:\lrxrffx.exe49⤵
- Executes dropped EXE
PID:4128 -
\??\c:\hbnhhh.exec:\hbnhhh.exe50⤵
- Executes dropped EXE
PID:2708 -
\??\c:\5pvjj.exec:\5pvjj.exe51⤵
- Executes dropped EXE
PID:1872 -
\??\c:\fxrrffl.exec:\fxrrffl.exe52⤵
- Executes dropped EXE
PID:388 -
\??\c:\7xrllff.exec:\7xrllff.exe53⤵
- Executes dropped EXE
PID:3752 -
\??\c:\hhtttt.exec:\hhtttt.exe54⤵
- Executes dropped EXE
PID:1592 -
\??\c:\jppdv.exec:\jppdv.exe55⤵
- Executes dropped EXE
PID:4188 -
\??\c:\rxxlflf.exec:\rxxlflf.exe56⤵
- Executes dropped EXE
PID:628 -
\??\c:\tthbbh.exec:\tthbbh.exe57⤵
- Executes dropped EXE
PID:816 -
\??\c:\tnbthb.exec:\tnbthb.exe58⤵
- Executes dropped EXE
PID:1920 -
\??\c:\djjdv.exec:\djjdv.exe59⤵
- Executes dropped EXE
PID:4876 -
\??\c:\1xfxffx.exec:\1xfxffx.exe60⤵
- Executes dropped EXE
PID:3380 -
\??\c:\llflxll.exec:\llflxll.exe61⤵
- Executes dropped EXE
PID:1376 -
\??\c:\hbnhbb.exec:\hbnhbb.exe62⤵
- Executes dropped EXE
PID:1344 -
\??\c:\jjjjv.exec:\jjjjv.exe63⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ffffxxx.exec:\ffffxxx.exe64⤵
- Executes dropped EXE
PID:4996 -
\??\c:\hhtnnh.exec:\hhtnnh.exe65⤵
- Executes dropped EXE
PID:3660 -
\??\c:\djdpp.exec:\djdpp.exe66⤵PID:804
-
\??\c:\dvdpd.exec:\dvdpd.exe67⤵PID:1516
-
\??\c:\lrxrlff.exec:\lrxrlff.exe68⤵PID:4436
-
\??\c:\rxfxxxx.exec:\rxfxxxx.exe69⤵PID:3520
-
\??\c:\fxffxfx.exec:\fxffxfx.exe70⤵PID:4508
-
\??\c:\1ttbtt.exec:\1ttbtt.exe71⤵PID:856
-
\??\c:\5jdpj.exec:\5jdpj.exe72⤵PID:1892
-
\??\c:\3lxlxfr.exec:\3lxlxfr.exe73⤵PID:4100
-
\??\c:\7bbtnn.exec:\7bbtnn.exe74⤵PID:4524
-
\??\c:\tthhth.exec:\tthhth.exe75⤵PID:1668
-
\??\c:\vdpdv.exec:\vdpdv.exe76⤵PID:2968
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe77⤵PID:2264
-
\??\c:\bnbtnn.exec:\bnbtnn.exe78⤵PID:2500
-
\??\c:\dvddp.exec:\dvddp.exe79⤵PID:960
-
\??\c:\jvjdd.exec:\jvjdd.exe80⤵PID:4556
-
\??\c:\xrxxxrr.exec:\xrxxxrr.exe81⤵PID:3068
-
\??\c:\thbtnn.exec:\thbtnn.exe82⤵PID:460
-
\??\c:\dddvp.exec:\dddvp.exe83⤵PID:2056
-
\??\c:\xxrlffx.exec:\xxrlffx.exe84⤵PID:2052
-
\??\c:\nhttbb.exec:\nhttbb.exe85⤵PID:1120
-
\??\c:\htnhhh.exec:\htnhhh.exe86⤵PID:4488
-
\??\c:\1vvpd.exec:\1vvpd.exe87⤵PID:2020
-
\??\c:\frffrrx.exec:\frffrrx.exe88⤵PID:3032
-
\??\c:\7ntbtb.exec:\7ntbtb.exe89⤵PID:1536
-
\??\c:\ppddj.exec:\ppddj.exe90⤵PID:3280
-
\??\c:\7fxrffx.exec:\7fxrffx.exe91⤵PID:908
-
\??\c:\xxffxxx.exec:\xxffxxx.exe92⤵PID:4060
-
\??\c:\tntnhh.exec:\tntnhh.exe93⤵PID:4844
-
\??\c:\jdpjj.exec:\jdpjj.exe94⤵PID:1372
-
\??\c:\flrllff.exec:\flrllff.exe95⤵PID:2596
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe96⤵PID:3476
-
\??\c:\hbtnhh.exec:\hbtnhh.exe97⤵PID:2980
-
\??\c:\djjdv.exec:\djjdv.exe98⤵PID:2364
-
\??\c:\xlrrlll.exec:\xlrrlll.exe99⤵PID:4940
-
\??\c:\lrrxrxf.exec:\lrrxrxf.exe100⤵PID:4124
-
\??\c:\hbnhnn.exec:\hbnhnn.exe101⤵PID:3084
-
\??\c:\vjpjv.exec:\vjpjv.exe102⤵PID:1772
-
\??\c:\rrrffrr.exec:\rrrffrr.exe103⤵PID:1164
-
\??\c:\thnnhn.exec:\thnnhn.exe104⤵PID:4240
-
\??\c:\hntnhh.exec:\hntnhh.exe105⤵PID:3124
-
\??\c:\vvvvj.exec:\vvvvj.exe106⤵PID:4076
-
\??\c:\xfxrllf.exec:\xfxrllf.exe107⤵PID:3040
-
\??\c:\nhbtnh.exec:\nhbtnh.exe108⤵PID:4720
-
\??\c:\vjpvv.exec:\vjpvv.exe109⤵PID:4892
-
\??\c:\9xrfllf.exec:\9xrfllf.exe110⤵PID:4828
-
\??\c:\1nbthh.exec:\1nbthh.exe111⤵PID:1448
-
\??\c:\vvvvj.exec:\vvvvj.exe112⤵PID:2108
-
\??\c:\jdvdd.exec:\jdvdd.exe113⤵PID:916
-
\??\c:\rlxrfrr.exec:\rlxrfrr.exe114⤵PID:5004
-
\??\c:\3tttnn.exec:\3tttnn.exe115⤵PID:3380
-
\??\c:\7pvvp.exec:\7pvvp.exe116⤵PID:4012
-
\??\c:\rrxrrxr.exec:\rrxrrxr.exe117⤵PID:3972
-
\??\c:\nbtttt.exec:\nbtttt.exe118⤵PID:3584
-
\??\c:\9dvpp.exec:\9dvpp.exe119⤵PID:1460
-
\??\c:\1djdv.exec:\1djdv.exe120⤵PID:1604
-
\??\c:\lfrxffl.exec:\lfrxffl.exe121⤵PID:4048
-
\??\c:\3hhbbb.exec:\3hhbbb.exe122⤵PID:4356