Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 19:51
Behavioral task
behavioral1
Sample
6650f01432a457f6a17044db68c6cf75e27330bc705f059e210c17cc525d955cN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6650f01432a457f6a17044db68c6cf75e27330bc705f059e210c17cc525d955cN.exe
-
Size
331KB
-
MD5
0d94534926a8c71e666fe09be6078cf0
-
SHA1
48543ed2021b9a0e28f4a9f474509ed76f223f48
-
SHA256
6650f01432a457f6a17044db68c6cf75e27330bc705f059e210c17cc525d955c
-
SHA512
f4226c988eb684142c917fb60a1e2bb7e42918444a78ce23ab3fad7e755a97912c5f27067f5cf0145ce2b5397b4d6c1ae8902116a9e270b60e14dfef595d224a
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbem:R4wFHoSHYHUrAwfMp3CDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2536-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1920-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2060-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2720-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2996-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2260-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2880-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2660-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2632-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/980-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1544-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1248-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1200-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2924-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1504-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2156-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1184-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1684-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/824-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3024-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2480-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1296-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1492-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2260-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2608-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2072-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-427-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1996-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1684-467-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/872-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2180-584-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2768-596-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2880-618-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/1656-698-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/600-798-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2992-867-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2648-868-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2260-1139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3032-6814-0x0000000076C40000-0x0000000076D5F000-memory.dmp family_blackmoon behavioral1/memory/3032-8335-0x0000000076C40000-0x0000000076D5F000-memory.dmp family_blackmoon behavioral1/memory/3032-21749-0x0000000076C40000-0x0000000076D5F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1920 9rllxxf.exe 2060 hhtttb.exe 2980 vjdvj.exe 2720 5lfrllf.exe 2848 dvjdp.exe 2996 lfxfllx.exe 2260 9bbnbh.exe 2880 vvjpj.exe 2660 rfffrxl.exe 2632 btntbn.exe 308 lffrxff.exe 980 lfxrrxf.exe 1544 bhttth.exe 1248 fxrlrxl.exe 1200 hhbtbb.exe 2924 vpjpj.exe 2600 xxfxfrf.exe 1656 1jjdv.exe 1504 xrfllxr.exe 2156 vdvpj.exe 1184 xrrxffr.exe 1684 dvpvp.exe 824 llxlxrx.exe 3024 5nhtnn.exe 1532 pvpdd.exe 284 bbnhht.exe 1604 tbnbtb.exe 1620 xxrxxxr.exe 2480 bnhhtt.exe 2264 5jvdj.exe 1296 xlxxlxl.exe 268 3nbtnn.exe 1608 dpdvj.exe 1552 1fflllr.exe 3040 nhhhhn.exe 2536 3jddd.exe 1492 frflflr.exe 1908 bbnhnb.exe 2056 dvvjp.exe 2476 btnnbb.exe 2716 btthnt.exe 2836 ddvdv.exe 2888 xxrxffr.exe 2848 xfxrrxr.exe 2804 hbbbnh.exe 2744 jjvdp.exe 2260 5ddpd.exe 2872 1xrfrxl.exe 2784 fxrrflr.exe 2608 hhhtnb.exe 996 tnttbn.exe 2160 jdppp.exe 1712 9lfrlxf.exe 1748 rrlfrfr.exe 1388 hhbtbt.exe 2812 nbhbbb.exe 2512 vppjv.exe 2072 xlffllr.exe 2936 fxxllrl.exe 2788 bnbhbh.exe 2940 pjvjj.exe 1788 lxfxxxx.exe 1356 7xllxlr.exe 1996 tntttt.exe -
resource yara_rule behavioral1/memory/2536-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000012117-5.dat upx behavioral1/memory/1920-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2536-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2060-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d0e-17.dat upx behavioral1/memory/1920-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d18-26.dat upx behavioral1/memory/2060-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2720-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d21-32.dat upx behavioral1/files/0x0007000000016d31-41.dat upx behavioral1/memory/2720-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2996-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d3a-50.dat upx behavioral1/memory/2260-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d42-58.dat upx behavioral1/memory/2880-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016d5e-68.dat upx behavioral1/memory/2660-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018683-76.dat upx behavioral1/memory/2632-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186e4-86.dat upx behavioral1/memory/2660-84-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x00050000000186ea-95.dat upx behavioral1/memory/2632-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/980-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186ee-102.dat upx behavioral1/files/0x00050000000186fd-109.dat upx behavioral1/files/0x0005000000018728-119.dat upx 
behavioral1/memory/1544-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1248-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018784-134.dat upx behavioral1/memory/2924-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1200-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001873d-127.dat upx behavioral1/memory/2924-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001878f-142.dat upx behavioral1/memory/1656-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2600-151-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x00050000000187a5-150.dat upx behavioral1/files/0x0006000000019023-161.dat upx behavioral1/memory/1504-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016c9d-170.dat upx behavioral1/files/0x000500000001925e-177.dat upx behavioral1/memory/2156-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1184-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019261-183.dat upx behavioral1/files/0x0005000000019282-193.dat upx behavioral1/memory/1684-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/824-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019334-201.dat upx behavioral1/files/0x0005000000019350-209.dat upx behavioral1/memory/3024-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193b4-216.dat upx behavioral1/files/0x00050000000193c2-223.dat upx behavioral1/files/0x00050000000193e1-232.dat upx behavioral1/files/0x000500000001941e-238.dat upx behavioral1/memory/2480-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019427-246.dat upx behavioral1/files/0x0005000000019431-254.dat upx 
behavioral1/files/0x0005000000019441-262.dat upx behavioral1/memory/1296-261-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2536-288-0x0000000000220000-0x0000000000247000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2536 wrote to memory of 1920 2536 6650f01432a457f6a17044db68c6cf75e27330bc705f059e210c17cc525d955cN.exe 30 PID 2536 wrote to memory of 1920 2536 6650f01432a457f6a17044db68c6cf75e27330bc705f059e210c17cc525d955cN.exe 30 PID 2536 wrote to memory of 1920 2536 6650f01432a457f6a17044db68c6cf75e27330bc705f059e210c17cc525d955cN.exe 30 PID 2536 wrote to memory of 1920 2536 6650f01432a457f6a17044db68c6cf75e27330bc705f059e210c17cc525d955cN.exe 30 PID 1920 wrote to memory of 2060 1920 9rllxxf.exe 31 PID 1920 wrote to memory of 2060 1920 9rllxxf.exe 31 PID 1920 wrote to memory of 2060 1920 9rllxxf.exe 31 PID 1920 wrote to memory of 2060 1920 9rllxxf.exe 31 PID 2060 wrote to memory of 2980 2060 hhtttb.exe 32 PID 2060 wrote to memory of 2980 2060 hhtttb.exe 32 PID 2060 wrote to memory of 2980 2060 hhtttb.exe 32 PID 2060 wrote to memory of 2980 2060 hhtttb.exe 32 PID 2980 wrote to memory of 2720 2980 vjdvj.exe 33 PID 2980 wrote to memory of 2720 2980 vjdvj.exe 33 PID 2980 wrote to memory of 2720 2980 vjdvj.exe 33 PID 2980 wrote to memory of 2720 2980 vjdvj.exe 33 PID 2720 wrote to memory of 2848 2720 5lfrllf.exe 34 PID 2720 wrote to memory of 2848 2720 5lfrllf.exe 34 PID 2720 wrote to memory of 2848 2720 5lfrllf.exe 34 PID 2720 wrote to memory of 2848 2720 5lfrllf.exe 34 PID 2848 wrote to memory of 2996 2848 dvjdp.exe 35 PID 2848 wrote to memory of 2996 2848 dvjdp.exe 35 PID 2848 wrote to memory of 2996 2848 dvjdp.exe 35 PID 2848 wrote to memory of 2996 2848 dvjdp.exe 35 PID 2996 wrote to memory of 2260 2996 lfxfllx.exe 36 PID 2996 wrote to memory of 2260 2996 lfxfllx.exe 36 PID 2996 wrote to memory of 2260 2996 lfxfllx.exe 36 PID 2996 wrote to memory of 2260 2996 lfxfllx.exe 36 PID 2260 wrote to memory of 2880 2260 9bbnbh.exe 37 PID 2260 wrote to memory of 2880 2260 9bbnbh.exe 37 PID 2260 wrote to memory of 2880 2260 9bbnbh.exe 37 PID 2260 wrote to memory of 2880 2260 9bbnbh.exe 37 PID 2880 wrote to memory of 2660 2880 vvjpj.exe 38 PID 
2880 wrote to memory of 2660 2880 vvjpj.exe 38 PID 2880 wrote to memory of 2660 2880 vvjpj.exe 38 PID 2880 wrote to memory of 2660 2880 vvjpj.exe 38 PID 2660 wrote to memory of 2632 2660 rfffrxl.exe 39 PID 2660 wrote to memory of 2632 2660 rfffrxl.exe 39 PID 2660 wrote to memory of 2632 2660 rfffrxl.exe 39 PID 2660 wrote to memory of 2632 2660 rfffrxl.exe 39 PID 2632 wrote to memory of 308 2632 btntbn.exe 40 PID 2632 wrote to memory of 308 2632 btntbn.exe 40 PID 2632 wrote to memory of 308 2632 btntbn.exe 40 PID 2632 wrote to memory of 308 2632 btntbn.exe 40 PID 308 wrote to memory of 980 308 lffrxff.exe 41 PID 308 wrote to memory of 980 308 lffrxff.exe 41 PID 308 wrote to memory of 980 308 lffrxff.exe 41 PID 308 wrote to memory of 980 308 lffrxff.exe 41 PID 980 wrote to memory of 1544 980 lfxrrxf.exe 42 PID 980 wrote to memory of 1544 980 lfxrrxf.exe 42 PID 980 wrote to memory of 1544 980 lfxrrxf.exe 42 PID 980 wrote to memory of 1544 980 lfxrrxf.exe 42 PID 1544 wrote to memory of 1248 1544 bhttth.exe 43 PID 1544 wrote to memory of 1248 1544 bhttth.exe 43 PID 1544 wrote to memory of 1248 1544 bhttth.exe 43 PID 1544 wrote to memory of 1248 1544 bhttth.exe 43 PID 1248 wrote to memory of 1200 1248 fxrlrxl.exe 44 PID 1248 wrote to memory of 1200 1248 fxrlrxl.exe 44 PID 1248 wrote to memory of 1200 1248 fxrlrxl.exe 44 PID 1248 wrote to memory of 1200 1248 fxrlrxl.exe 44 PID 1200 wrote to memory of 2924 1200 hhbtbb.exe 45 PID 1200 wrote to memory of 2924 1200 hhbtbb.exe 45 PID 1200 wrote to memory of 2924 1200 hhbtbb.exe 45 PID 1200 wrote to memory of 2924 1200 hhbtbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6650f01432a457f6a17044db68c6cf75e27330bc705f059e210c17cc525d955cN.exe"C:\Users\Admin\AppData\Local\Temp\6650f01432a457f6a17044db68c6cf75e27330bc705f059e210c17cc525d955cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\9rllxxf.exec:\9rllxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\hhtttb.exec:\hhtttb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\vjdvj.exec:\vjdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\5lfrllf.exec:\5lfrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\dvjdp.exec:\dvjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\lfxfllx.exec:\lfxfllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\9bbnbh.exec:\9bbnbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\vvjpj.exec:\vvjpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\rfffrxl.exec:\rfffrxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\btntbn.exec:\btntbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\lffrxff.exec:\lffrxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:308 -
\??\c:\lfxrrxf.exec:\lfxrrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\bhttth.exec:\bhttth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\fxrlrxl.exec:\fxrlrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\hhbtbb.exec:\hhbtbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\vpjpj.exec:\vpjpj.exe17⤵
- Executes dropped EXE
PID:2924 -
\??\c:\xxfxfrf.exec:\xxfxfrf.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2600 -
\??\c:\1jjdv.exec:\1jjdv.exe19⤵
- Executes dropped EXE
PID:1656 -
\??\c:\xrfllxr.exec:\xrfllxr.exe20⤵
- Executes dropped EXE
PID:1504 -
\??\c:\vdvpj.exec:\vdvpj.exe21⤵
- Executes dropped EXE
PID:2156 -
\??\c:\xrrxffr.exec:\xrrxffr.exe22⤵
- Executes dropped EXE
PID:1184 -
\??\c:\dvpvp.exec:\dvpvp.exe23⤵
- Executes dropped EXE
PID:1684 -
\??\c:\llxlxrx.exec:\llxlxrx.exe24⤵
- Executes dropped EXE
PID:824 -
\??\c:\5nhtnn.exec:\5nhtnn.exe25⤵
- Executes dropped EXE
PID:3024 -
\??\c:\pvpdd.exec:\pvpdd.exe26⤵
- Executes dropped EXE
PID:1532 -
\??\c:\bbnhht.exec:\bbnhht.exe27⤵
- Executes dropped EXE
PID:284 -
\??\c:\tbnbtb.exec:\tbnbtb.exe28⤵
- Executes dropped EXE
PID:1604 -
\??\c:\xxrxxxr.exec:\xxrxxxr.exe29⤵
- Executes dropped EXE
PID:1620 -
\??\c:\bnhhtt.exec:\bnhhtt.exe30⤵
- Executes dropped EXE
PID:2480 -
\??\c:\5jvdj.exec:\5jvdj.exe31⤵
- Executes dropped EXE
PID:2264 -
\??\c:\xlxxlxl.exec:\xlxxlxl.exe32⤵
- Executes dropped EXE
PID:1296 -
\??\c:\3nbtnn.exec:\3nbtnn.exe33⤵
- Executes dropped EXE
PID:268 -
\??\c:\dpdvj.exec:\dpdvj.exe34⤵
- Executes dropped EXE
PID:1608 -
\??\c:\1fflllr.exec:\1fflllr.exe35⤵
- Executes dropped EXE
PID:1552 -
\??\c:\nhhhhn.exec:\nhhhhn.exe36⤵
- Executes dropped EXE
PID:3040 -
\??\c:\3jddd.exec:\3jddd.exe37⤵
- Executes dropped EXE
PID:2536 -
\??\c:\frflflr.exec:\frflflr.exe38⤵
- Executes dropped EXE
PID:1492 -
\??\c:\bbnhnb.exec:\bbnhnb.exe39⤵
- Executes dropped EXE
PID:1908 -
\??\c:\dvvjp.exec:\dvvjp.exe40⤵
- Executes dropped EXE
PID:2056 -
\??\c:\btnnbb.exec:\btnnbb.exe41⤵
- Executes dropped EXE
PID:2476 -
\??\c:\btthnt.exec:\btthnt.exe42⤵
- Executes dropped EXE
PID:2716 -
\??\c:\ddvdv.exec:\ddvdv.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836 -
\??\c:\xxrxffr.exec:\xxrxffr.exe44⤵
- Executes dropped EXE
PID:2888 -
\??\c:\xfxrrxr.exec:\xfxrrxr.exe45⤵
- Executes dropped EXE
PID:2848 -
\??\c:\hbbbnh.exec:\hbbbnh.exe46⤵
- Executes dropped EXE
PID:2804 -
\??\c:\jjvdp.exec:\jjvdp.exe47⤵
- Executes dropped EXE
PID:2744 -
\??\c:\5ddpd.exec:\5ddpd.exe48⤵
- Executes dropped EXE
PID:2260 -
\??\c:\1xrfrxl.exec:\1xrfrxl.exe49⤵
- Executes dropped EXE
PID:2872 -
\??\c:\fxrrflr.exec:\fxrrflr.exe50⤵
- Executes dropped EXE
PID:2784 -
\??\c:\hhhtnb.exec:\hhhtnb.exe51⤵
- Executes dropped EXE
PID:2608 -
\??\c:\tnttbn.exec:\tnttbn.exe52⤵
- Executes dropped EXE
PID:996 -
\??\c:\jdppp.exec:\jdppp.exe53⤵
- Executes dropped EXE
PID:2160 -
\??\c:\9lfrlxf.exec:\9lfrlxf.exe54⤵
- Executes dropped EXE
PID:1712 -
\??\c:\rrlfrfr.exec:\rrlfrfr.exe55⤵
- Executes dropped EXE
PID:1748 -
\??\c:\hhbtbt.exec:\hhbtbt.exe56⤵
- Executes dropped EXE
PID:1388 -
\??\c:\nbhbbb.exec:\nbhbbb.exe57⤵
- Executes dropped EXE
PID:2812 -
\??\c:\vppjv.exec:\vppjv.exe58⤵
- Executes dropped EXE
PID:2512 -
\??\c:\xlffllr.exec:\xlffllr.exe59⤵
- Executes dropped EXE
PID:2072 -
\??\c:\fxxllrl.exec:\fxxllrl.exe60⤵
- Executes dropped EXE
PID:2936 -
\??\c:\bnbhbh.exec:\bnbhbh.exe61⤵
- Executes dropped EXE
PID:2788 -
\??\c:\pjvjj.exec:\pjvjj.exe62⤵
- Executes dropped EXE
PID:2940 -
\??\c:\lxfxxxx.exec:\lxfxxxx.exe63⤵
- Executes dropped EXE
PID:1788 -
\??\c:\7xllxlr.exec:\7xllxlr.exe64⤵
- Executes dropped EXE
PID:1356 -
\??\c:\tntttt.exec:\tntttt.exe65⤵
- Executes dropped EXE
PID:1996 -
\??\c:\pvpdp.exec:\pvpdp.exe66⤵PID:1812
-
\??\c:\xxxlrlx.exec:\xxxlrlx.exe67⤵PID:348
-
\??\c:\fxflrxl.exec:\fxflrxl.exe68⤵PID:3020
-
\??\c:\nhttbt.exec:\nhttbt.exe69⤵PID:1684
-
\??\c:\pjvvp.exec:\pjvvp.exe70⤵PID:1952
-
\??\c:\7vjdd.exec:\7vjdd.exe71⤵PID:1172
-
\??\c:\xlflrxr.exec:\xlflrxr.exe72⤵PID:872
-
\??\c:\3htttt.exec:\3htttt.exe73⤵PID:2968
-
\??\c:\thtbnn.exec:\thtbnn.exe74⤵PID:1472
-
\??\c:\pjjjv.exec:\pjjjv.exe75⤵PID:2248
-
\??\c:\llxfffr.exec:\llxfffr.exe76⤵PID:892
-
\??\c:\rrflrxf.exec:\rrflrxf.exe77⤵PID:2212
-
\??\c:\5hbbbn.exec:\5hbbbn.exe78⤵PID:1832
-
\??\c:\vpjpj.exec:\vpjpj.exe79⤵PID:2508
-
\??\c:\jdpvj.exec:\jdpvj.exe80⤵PID:976
-
\??\c:\rfxxlrf.exec:\rfxxlrf.exe81⤵PID:3000
-
\??\c:\3bnnbh.exec:\3bnnbh.exe82⤵PID:2288
-
\??\c:\bthnbb.exec:\bthnbb.exe83⤵PID:1344
-
\??\c:\jjppv.exec:\jjppv.exe84⤵PID:1644
-
\??\c:\rlxfrrx.exec:\rlxfrrx.exe85⤵PID:1964
-
\??\c:\5lrlrxx.exec:\5lrlrxx.exe86⤵PID:1512
-
\??\c:\1hnnnb.exec:\1hnnnb.exe87⤵PID:1028
-
\??\c:\5bnnbb.exec:\5bnnbb.exe88⤵PID:2544
-
\??\c:\pjvvj.exec:\pjvvj.exe89⤵PID:2312
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe90⤵PID:2056
-
\??\c:\lfflrxr.exec:\lfflrxr.exe91⤵PID:2180
-
\??\c:\3btbbb.exec:\3btbbb.exe92⤵PID:2844
-
\??\c:\jjvvd.exec:\jjvvd.exe93⤵PID:2768
-
\??\c:\7vpjj.exec:\7vpjj.exe94⤵PID:2824
-
\??\c:\frflrrl.exec:\frflrrl.exe95⤵PID:2900
-
\??\c:\bbbhnn.exec:\bbbhnn.exe96⤵PID:2820
-
\??\c:\nnhbhb.exec:\nnhbhb.exe97⤵PID:2880
-
\??\c:\jdppv.exec:\jdppv.exe98⤵PID:2776
-
\??\c:\lflrxlx.exec:\lflrxlx.exe99⤵PID:2660
-
\??\c:\3rrxfxf.exec:\3rrxfxf.exe100⤵PID:1960
-
\??\c:\tnbnhn.exec:\tnbnhn.exe101⤵PID:2112
-
\??\c:\bbtbnh.exec:\bbtbnh.exe102⤵PID:1984
-
\??\c:\jvjdv.exec:\jvjdv.exe103⤵PID:272
-
\??\c:\lfxfxlf.exec:\lfxfxlf.exe104⤵PID:2928
-
\??\c:\lllrxfr.exec:\lllrxfr.exe105⤵PID:2920
-
\??\c:\bthbhn.exec:\bthbhn.exe106⤵PID:2876
-
\??\c:\ppddd.exec:\ppddd.exe107⤵PID:1892
-
\??\c:\pppvp.exec:\pppvp.exe108⤵PID:2916
-
\??\c:\rllllxl.exec:\rllllxl.exe109⤵PID:2700
-
\??\c:\hhtnht.exec:\hhtnht.exe110⤵PID:2680
-
\??\c:\hhtbnn.exec:\hhtbnn.exe111⤵PID:1568
-
\??\c:\dddvd.exec:\dddvd.exe112⤵PID:1656
-
\??\c:\jvppd.exec:\jvppd.exe113⤵PID:2464
-
\??\c:\1lrrlrx.exec:\1lrrlrx.exe114⤵PID:2500
-
\??\c:\bbtthb.exec:\bbtthb.exe115⤵PID:2324
-
\??\c:\nhttbh.exec:\nhttbh.exe116⤵PID:1812
-
\??\c:\pjddp.exec:\pjddp.exe117⤵PID:348
-
\??\c:\dvjjj.exec:\dvjjj.exe118⤵PID:3020
-
\??\c:\9ffrrlr.exec:\9ffrrlr.exe119⤵PID:1104
-
\??\c:\rlflxxl.exec:\rlflxxl.exe120⤵PID:1280
-
\??\c:\btnntb.exec:\btnntb.exe121⤵PID:1828
-
\??\c:\bbhnnb.exec:\bbhnnb.exe122⤵PID:1784