Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
20-12-2024 06:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe
-
Size
453KB
-
MD5
77de7dca40d32bdf68aa05e5896c0927
-
SHA1
1c4de4d3137661ba3be3e862afe5cb5ee0ff16a6
-
SHA256
b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816
-
SHA512
c40def558feafd4f4ca74b4f3263da803daf3c49aa76486389c44ac8ec3d3dd230af08f40a48f77cb735bd8a0825b6684c0056bf9d37ae86bdc0a03bbb79f59f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/1692-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-18-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2656-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-46-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2232-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-65-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2764-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1096-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-215-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2332-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-321-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2100-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-362-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2588-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-467-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2240-474-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2240-493-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1032-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-854-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1692 vvvpp.exe 2200 tthbtn.exe 2656 ffxfrxl.exe 2328 nnbhth.exe 2232 xxxrlxf.exe 2764 3bbbnn.exe 2768 fxxfxfr.exe 2700 hnhnbh.exe 2596 xffxlff.exe 2796 bbnnbh.exe 2604 1lxxllx.exe 2128 ttnbnn.exe 1332 dvpdp.exe 1988 hbthnt.exe 1240 7xxlxlx.exe 1516 bbttbb.exe 2672 bbhhtt.exe 2912 ddjjd.exe 2444 9htthn.exe 3040 ddvvj.exe 1096 fxrflrf.exe 1504 djdjv.exe 824 nnbbnn.exe 2540 ttnhtb.exe 2332 ffxfrfr.exe 848 nhbbtb.exe 1544 lrrlxxl.exe 1028 nnthhh.exe 2404 lrfrxlf.exe 1304 nbhtbt.exe 884 xrlrllf.exe 984 bhbhtb.exe 1588 pjdpv.exe 1804 flfrlxl.exe 2100 tnbhnn.exe 2020 hhbnhh.exe 2204 jddjp.exe 2756 rllrlrl.exe 264 ntnbhh.exe 2812 btnhnn.exe 2772 pvjpj.exe 2952 9fxlflx.exe 2852 xfrxlfl.exe 2844 nhbhbt.exe 2288 dvpvj.exe 2588 lfffrrl.exe 2692 lfxflxf.exe 3064 hhbbnn.exe 2128 3vpvj.exe 1672 xxxfrxl.exe 2384 ntnhbh.exe 2324 hbnbhh.exe 1240 dpjjp.exe 1996 rrxrxlf.exe 2880 3fflxfl.exe 2900 ttbbbb.exe 2240 5ppjd.exe 2668 rrrxlrl.exe 1344 rrflrxl.exe 3040 1btbth.exe 1140 dpjjj.exe 2876 rlfxffl.exe 772 ntnnbh.exe 1604 ttthtb.exe -
resource yara_rule behavioral1/memory/1692-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-65-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2768-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-272-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2404-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-915-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-940-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-1015-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-1055-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1692-1137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-1150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-1169-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 1692 2372 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 30 PID 2372 wrote to memory of 1692 2372 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 30 PID 2372 wrote to memory of 1692 2372 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 30 PID 2372 wrote to memory of 1692 2372 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 30 PID 1692 wrote to memory of 2200 1692 vvvpp.exe 31 PID 1692 wrote to memory of 2200 1692 vvvpp.exe 31 PID 1692 wrote to memory of 2200 1692 vvvpp.exe 31 PID 1692 wrote to memory of 2200 1692 vvvpp.exe 31 PID 2200 wrote to memory of 2656 2200 tthbtn.exe 32 PID 2200 wrote to memory of 2656 2200 tthbtn.exe 32 PID 2200 wrote to memory of 2656 2200 tthbtn.exe 32 PID 2200 wrote to memory of 2656 2200 tthbtn.exe 32 PID 2656 wrote to memory of 2328 2656 ffxfrxl.exe 33 PID 2656 wrote to memory of 2328 2656 ffxfrxl.exe 33 PID 2656 wrote to memory of 2328 2656 ffxfrxl.exe 33 PID 2656 wrote to memory of 2328 2656 ffxfrxl.exe 33 PID 2328 wrote to memory of 2232 2328 nnbhth.exe 34 PID 2328 wrote to memory of 2232 2328 nnbhth.exe 34 PID 2328 wrote to memory of 2232 2328 nnbhth.exe 34 PID 2328 wrote to memory of 2232 2328 nnbhth.exe 34 PID 2232 wrote to memory of 2764 2232 xxxrlxf.exe 35 PID 2232 wrote to memory of 2764 2232 xxxrlxf.exe 35 PID 2232 wrote to memory of 2764 2232 xxxrlxf.exe 35 PID 2232 wrote to memory of 2764 2232 xxxrlxf.exe 35 PID 2764 wrote to memory of 2768 2764 3bbbnn.exe 36 PID 2764 wrote to memory of 2768 2764 3bbbnn.exe 36 PID 2764 wrote to memory of 2768 2764 3bbbnn.exe 36 PID 2764 wrote to memory of 2768 2764 3bbbnn.exe 36 PID 2768 wrote to memory of 2700 2768 fxxfxfr.exe 37 PID 2768 wrote to memory of 2700 2768 fxxfxfr.exe 37 PID 2768 wrote to memory of 2700 2768 fxxfxfr.exe 37 PID 2768 wrote to memory of 2700 2768 fxxfxfr.exe 37 PID 2700 wrote to memory of 2596 2700 hnhnbh.exe 38 PID 
2700 wrote to memory of 2596 2700 hnhnbh.exe 38 PID 2700 wrote to memory of 2596 2700 hnhnbh.exe 38 PID 2700 wrote to memory of 2596 2700 hnhnbh.exe 38 PID 2596 wrote to memory of 2796 2596 xffxlff.exe 39 PID 2596 wrote to memory of 2796 2596 xffxlff.exe 39 PID 2596 wrote to memory of 2796 2596 xffxlff.exe 39 PID 2596 wrote to memory of 2796 2596 xffxlff.exe 39 PID 2796 wrote to memory of 2604 2796 bbnnbh.exe 40 PID 2796 wrote to memory of 2604 2796 bbnnbh.exe 40 PID 2796 wrote to memory of 2604 2796 bbnnbh.exe 40 PID 2796 wrote to memory of 2604 2796 bbnnbh.exe 40 PID 2604 wrote to memory of 2128 2604 1lxxllx.exe 41 PID 2604 wrote to memory of 2128 2604 1lxxllx.exe 41 PID 2604 wrote to memory of 2128 2604 1lxxllx.exe 41 PID 2604 wrote to memory of 2128 2604 1lxxllx.exe 41 PID 2128 wrote to memory of 1332 2128 ttnbnn.exe 42 PID 2128 wrote to memory of 1332 2128 ttnbnn.exe 42 PID 2128 wrote to memory of 1332 2128 ttnbnn.exe 42 PID 2128 wrote to memory of 1332 2128 ttnbnn.exe 42 PID 1332 wrote to memory of 1988 1332 dvpdp.exe 43 PID 1332 wrote to memory of 1988 1332 dvpdp.exe 43 PID 1332 wrote to memory of 1988 1332 dvpdp.exe 43 PID 1332 wrote to memory of 1988 1332 dvpdp.exe 43 PID 1988 wrote to memory of 1240 1988 hbthnt.exe 44 PID 1988 wrote to memory of 1240 1988 hbthnt.exe 44 PID 1988 wrote to memory of 1240 1988 hbthnt.exe 44 PID 1988 wrote to memory of 1240 1988 hbthnt.exe 44 PID 1240 wrote to memory of 1516 1240 7xxlxlx.exe 45 PID 1240 wrote to memory of 1516 1240 7xxlxlx.exe 45 PID 1240 wrote to memory of 1516 1240 7xxlxlx.exe 45 PID 1240 wrote to memory of 1516 1240 7xxlxlx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe"C:\Users\Admin\AppData\Local\Temp\b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\vvvpp.exec:\vvvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\tthbtn.exec:\tthbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\ffxfrxl.exec:\ffxfrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\nnbhth.exec:\nnbhth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\xxxrlxf.exec:\xxxrlxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\3bbbnn.exec:\3bbbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\fxxfxfr.exec:\fxxfxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\hnhnbh.exec:\hnhnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\xffxlff.exec:\xffxlff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\bbnnbh.exec:\bbnnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\1lxxllx.exec:\1lxxllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\ttnbnn.exec:\ttnbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\dvpdp.exec:\dvpdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\hbthnt.exec:\hbthnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\7xxlxlx.exec:\7xxlxlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\bbttbb.exec:\bbttbb.exe17⤵
- Executes dropped EXE
PID:1516 -
\??\c:\bbhhtt.exec:\bbhhtt.exe18⤵
- Executes dropped EXE
PID:2672 -
\??\c:\ddjjd.exec:\ddjjd.exe19⤵
- Executes dropped EXE
PID:2912 -
\??\c:\9htthn.exec:\9htthn.exe20⤵
- Executes dropped EXE
PID:2444 -
\??\c:\ddvvj.exec:\ddvvj.exe21⤵
- Executes dropped EXE
PID:3040 -
\??\c:\fxrflrf.exec:\fxrflrf.exe22⤵
- Executes dropped EXE
PID:1096 -
\??\c:\djdjv.exec:\djdjv.exe23⤵
- Executes dropped EXE
PID:1504 -
\??\c:\nnbbnn.exec:\nnbbnn.exe24⤵
- Executes dropped EXE
PID:824 -
\??\c:\ttnhtb.exec:\ttnhtb.exe25⤵
- Executes dropped EXE
PID:2540 -
\??\c:\ffxfrfr.exec:\ffxfrfr.exe26⤵
- Executes dropped EXE
PID:2332 -
\??\c:\nhbbtb.exec:\nhbbtb.exe27⤵
- Executes dropped EXE
PID:848 -
\??\c:\lrrlxxl.exec:\lrrlxxl.exe28⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nnthhh.exec:\nnthhh.exe29⤵
- Executes dropped EXE
PID:1028 -
\??\c:\lrfrxlf.exec:\lrfrxlf.exe30⤵
- Executes dropped EXE
PID:2404 -
\??\c:\nbhtbt.exec:\nbhtbt.exe31⤵
- Executes dropped EXE
PID:1304 -
\??\c:\xrlrllf.exec:\xrlrllf.exe32⤵
- Executes dropped EXE
PID:884 -
\??\c:\bhbhtb.exec:\bhbhtb.exe33⤵
- Executes dropped EXE
PID:984 -
\??\c:\pjdpv.exec:\pjdpv.exe34⤵
- Executes dropped EXE
PID:1588 -
\??\c:\flfrlxl.exec:\flfrlxl.exe35⤵
- Executes dropped EXE
PID:1804 -
\??\c:\tnbhnn.exec:\tnbhnn.exe36⤵
- Executes dropped EXE
PID:2100 -
\??\c:\hhbnhh.exec:\hhbnhh.exe37⤵
- Executes dropped EXE
PID:2020 -
\??\c:\jddjp.exec:\jddjp.exe38⤵
- Executes dropped EXE
PID:2204 -
\??\c:\rllrlrl.exec:\rllrlrl.exe39⤵
- Executes dropped EXE
PID:2756 -
\??\c:\ntnbhh.exec:\ntnbhh.exe40⤵
- Executes dropped EXE
PID:264 -
\??\c:\btnhnn.exec:\btnhnn.exe41⤵
- Executes dropped EXE
PID:2812 -
\??\c:\pvjpj.exec:\pvjpj.exe42⤵
- Executes dropped EXE
PID:2772 -
\??\c:\9fxlflx.exec:\9fxlflx.exe43⤵
- Executes dropped EXE
PID:2952 -
\??\c:\xfrxlfl.exec:\xfrxlfl.exe44⤵
- Executes dropped EXE
PID:2852 -
\??\c:\nhbhbt.exec:\nhbhbt.exe45⤵
- Executes dropped EXE
PID:2844 -
\??\c:\dvpvj.exec:\dvpvj.exe46⤵
- Executes dropped EXE
PID:2288 -
\??\c:\lfffrrl.exec:\lfffrrl.exe47⤵
- Executes dropped EXE
PID:2588 -
\??\c:\lfxflxf.exec:\lfxflxf.exe48⤵
- Executes dropped EXE
PID:2692 -
\??\c:\hhbbnn.exec:\hhbbnn.exe49⤵
- Executes dropped EXE
PID:3064 -
\??\c:\3vpvj.exec:\3vpvj.exe50⤵
- Executes dropped EXE
PID:2128 -
\??\c:\xxxfrxl.exec:\xxxfrxl.exe51⤵
- Executes dropped EXE
PID:1672 -
\??\c:\ntnhbh.exec:\ntnhbh.exe52⤵
- Executes dropped EXE
PID:2384 -
\??\c:\hbnbhh.exec:\hbnbhh.exe53⤵
- Executes dropped EXE
PID:2324 -
\??\c:\dpjjp.exec:\dpjjp.exe54⤵
- Executes dropped EXE
PID:1240 -
\??\c:\rrxrxlf.exec:\rrxrxlf.exe55⤵
- Executes dropped EXE
PID:1996 -
\??\c:\3fflxfl.exec:\3fflxfl.exe56⤵
- Executes dropped EXE
PID:2880 -
\??\c:\ttbbbb.exec:\ttbbbb.exe57⤵
- Executes dropped EXE
PID:2900 -
\??\c:\5ppjd.exec:\5ppjd.exe58⤵
- Executes dropped EXE
PID:2240 -
\??\c:\rrrxlrl.exec:\rrrxlrl.exe59⤵
- Executes dropped EXE
PID:2668 -
\??\c:\rrflrxl.exec:\rrflrxl.exe60⤵
- Executes dropped EXE
PID:1344 -
\??\c:\1btbth.exec:\1btbth.exe61⤵
- Executes dropped EXE
PID:3040 -
\??\c:\dpjjj.exec:\dpjjj.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140 -
\??\c:\rlfxffl.exec:\rlfxffl.exe63⤵
- Executes dropped EXE
PID:2876 -
\??\c:\ntnnbh.exec:\ntnnbh.exe64⤵
- Executes dropped EXE
PID:772 -
\??\c:\ttthtb.exec:\ttthtb.exe65⤵
- Executes dropped EXE
PID:1604 -
\??\c:\djdjv.exec:\djdjv.exe66⤵PID:1860
-
\??\c:\flxfrrr.exec:\flxfrrr.exe67⤵PID:1716
-
\??\c:\3hnttn.exec:\3hnttn.exe68⤵PID:1532
-
\??\c:\bhhnbh.exec:\bhhnbh.exe69⤵PID:1900
-
\??\c:\jvjjj.exec:\jvjjj.exe70⤵PID:1480
-
\??\c:\9lfllrx.exec:\9lfllrx.exe71⤵PID:1032
-
\??\c:\lffxlrf.exec:\lffxlrf.exe72⤵PID:2404
-
\??\c:\nnnnbb.exec:\nnnnbb.exe73⤵PID:1744
-
\??\c:\ppdjp.exec:\ppdjp.exe74⤵PID:2260
-
\??\c:\ddjpv.exec:\ddjpv.exe75⤵PID:1564
-
\??\c:\xllxfxx.exec:\xllxfxx.exe76⤵PID:1592
-
\??\c:\nnntbh.exec:\nnntbh.exe77⤵PID:776
-
\??\c:\5bnntb.exec:\5bnntb.exe78⤵PID:2112
-
\??\c:\9dvpv.exec:\9dvpv.exe79⤵PID:1440
-
\??\c:\rflllrl.exec:\rflllrl.exe80⤵PID:2024
-
\??\c:\tnbhtt.exec:\tnbhtt.exe81⤵PID:2184
-
\??\c:\7jpvj.exec:\7jpvj.exe82⤵PID:1972
-
\??\c:\xxxfxxr.exec:\xxxfxxr.exe83⤵PID:2780
-
\??\c:\fffrrfx.exec:\fffrrfx.exe84⤵PID:2964
-
\??\c:\nnhtnn.exec:\nnhtnn.exe85⤵PID:2848
-
\??\c:\pvvvj.exec:\pvvvj.exe86⤵PID:2772
-
\??\c:\pjjvd.exec:\pjjvd.exe87⤵PID:2600
-
\??\c:\9lflflf.exec:\9lflflf.exe88⤵PID:2736
-
\??\c:\bbhhtn.exec:\bbhhtn.exe89⤵PID:2844
-
\??\c:\hnthbh.exec:\hnthbh.exe90⤵PID:2624
-
\??\c:\jjjjp.exec:\jjjjp.exe91⤵PID:2588
-
\??\c:\rrxfrfr.exec:\rrxfrfr.exe92⤵PID:2636
-
\??\c:\tnbhnt.exec:\tnbhnt.exe93⤵PID:3060
-
\??\c:\thtntt.exec:\thtntt.exe94⤵PID:1500
-
\??\c:\vdpvd.exec:\vdpvd.exe95⤵PID:2316
-
\??\c:\lxlrxxl.exec:\lxlrxxl.exe96⤵PID:308
-
\??\c:\7nbnbn.exec:\7nbnbn.exe97⤵PID:1912
-
\??\c:\btntbb.exec:\btntbb.exe98⤵PID:1400
-
\??\c:\pvpdp.exec:\pvpdp.exe99⤵PID:572
-
\??\c:\rxxxffr.exec:\rxxxffr.exe100⤵PID:2828
-
\??\c:\xxrrflx.exec:\xxrrflx.exe101⤵PID:3068
-
\??\c:\hhhtnt.exec:\hhhtnt.exe102⤵PID:2208
-
\??\c:\jdpdp.exec:\jdpdp.exe103⤵PID:2932
-
\??\c:\rlflrfl.exec:\rlflrfl.exe104⤵PID:1856
-
\??\c:\9xlrxlr.exec:\9xlrxlr.exe105⤵PID:1852
-
\??\c:\3hhnbb.exec:\3hhnbb.exe106⤵PID:2180
-
\??\c:\9jvjv.exec:\9jvjv.exe107⤵PID:1140
-
\??\c:\lrxlxlf.exec:\lrxlxlf.exe108⤵PID:1684
-
\??\c:\ffrxlfl.exec:\ffrxlfl.exe109⤵PID:1356
-
\??\c:\7nthhb.exec:\7nthhb.exe110⤵PID:840
-
\??\c:\vppvj.exec:\vppvj.exe111⤵PID:2540
-
\??\c:\9fxfrxl.exec:\9fxfrxl.exe112⤵PID:1260
-
\??\c:\xrflrxl.exec:\xrflrxl.exe113⤵PID:2536
-
\??\c:\btnhnn.exec:\btnhnn.exe114⤵PID:2188
-
\??\c:\7ddjv.exec:\7ddjv.exe115⤵PID:2264
-
\??\c:\5btbnt.exec:\5btbnt.exe116⤵PID:2336
-
\??\c:\ppvvp.exec:\ppvvp.exe117⤵PID:2404
-
\??\c:\7frxfrr.exec:\7frxfrr.exe118⤵PID:880
-
\??\c:\btntbh.exec:\btntbh.exe119⤵PID:2072
-
\??\c:\pvdpv.exec:\pvdpv.exe120⤵PID:1268
-
\??\c:\7xrxflx.exec:\7xrxflx.exe121⤵PID:1324
-
\??\c:\rrlrlrl.exec:\rrlrlrl.exe122⤵PID:2472