Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 04:24
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe
-
Size
454KB
-
MD5
41f966c420346180ad88d02de6d5b55f
-
SHA1
e7d96552e987512d3e91abe962aff08bb52d9d26
-
SHA256
600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c
-
SHA512
005a2161854de170655b1130a52b2ccfaf7979f6511ba4f393d940e9af4e63624b3eb13272d41e2eb7911dbdf7fba3ea066ebda6054ea94aa03ebe81bacbd736
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2440-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-215-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/608-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2356-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-251-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1656-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-270-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2168-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/808-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-888-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1952-1053-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-1066-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/760-1136-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1208-1197-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2428-1204-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/2484-1253-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1748-1302-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/552-1357-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: PIDs such as 2848, 1804 and 2036 each appear twice in this list with different image names, because the sandbox OS reuses process IDs as earlier chain members exit; when correlating these events with the memory dumps and the process tree below, key on pid plus image name, not on pid alone)
pid Process 2848 tthtth.exe 1920 rlflxfx.exe 1804 tbbtnb.exe 852 bththn.exe 2412 1lxrxlr.exe 1260 vvpdp.exe 2116 lffrfrl.exe 2736 tnhnnh.exe 2632 vpdjv.exe 2644 hbbhtb.exe 2504 dvddv.exe 2756 bttbnt.exe 2560 tnhtnb.exe 2280 jddpj.exe 1780 pvpvp.exe 2020 3pjvj.exe 1284 lllrflx.exe 832 nttnth.exe 2036 nhhnnt.exe 2024 ddppv.exe 1924 vvjvj.exe 2572 ffxrflf.exe 2824 ntnbbh.exe 2372 jjvjd.exe 2356 rllflxr.exe 608 9nhhbn.exe 1656 jdjjp.exe 1500 hhbnnt.exe 1304 xrlrlrx.exe 2352 ddpvj.exe 2168 pvpvd.exe 988 xrrxlll.exe 2100 lxfxfxx.exe 808 tnntbn.exe 2848 5vpvj.exe 1544 fxffflr.exe 2264 tbthth.exe 2564 5vvjp.exe 1804 djpdv.exe 1080 3rrrllx.exe 2196 7tnbnn.exe 2956 3jppv.exe 2612 jpjdv.exe 2752 1ffrfxl.exe 2732 llxlrrf.exe 2636 nhhtnb.exe 2684 vpdvj.exe 2672 vjjjd.exe 2596 7llfrxr.exe 2416 tbbnbh.exe 2548 9btbnb.exe 2604 1vppp.exe 648 frrrflx.exe 1968 3nbhnb.exe 1668 1nhttb.exe 1272 vjjvv.exe 1796 rlxfrrx.exe 2036 rrlfxff.exe 1344 bbtbbn.exe 1936 7vdjd.exe 2700 pjjpd.exe 1904 5fxxxxl.exe 1772 tnhnbh.exe 1616 9dvvj.exe -
resource yara_rule behavioral1/memory/2440-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-89-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2644-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-108-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2560-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-221-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/608-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-251-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1656-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-270-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2168-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-453-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/1904-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-778-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2008-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-846-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-1053-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-1159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-1172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-1302-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/552-1357-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/448-1359-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. This signature fires on a read of the NLS\Language registry key, which many legitimate locale-aware programs also perform, so on its own it is a low-confidence indicator; here it mainly corroborates the Blackmoon detection above. Many of the entries below are attributed to "Process not Found", most likely because the short-lived child process had already exited by the time the event was attributed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (note: every target PID below is the child that the writing process itself launches next in the process tree, and the list is capped at 64 events, so this is consistent with each parent writing into its newly created child rather than injection into an unrelated, already-running process; treat it as evidence of the process chain, not as a standalone injection indicator)
description pid Process procid_target PID 2440 wrote to memory of 2848 2440 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 28 PID 2440 wrote to memory of 2848 2440 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 28 PID 2440 wrote to memory of 2848 2440 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 28 PID 2440 wrote to memory of 2848 2440 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 28 PID 2848 wrote to memory of 1920 2848 tthtth.exe 29 PID 2848 wrote to memory of 1920 2848 tthtth.exe 29 PID 2848 wrote to memory of 1920 2848 tthtth.exe 29 PID 2848 wrote to memory of 1920 2848 tthtth.exe 29 PID 1920 wrote to memory of 1804 1920 rlflxfx.exe 30 PID 1920 wrote to memory of 1804 1920 rlflxfx.exe 30 PID 1920 wrote to memory of 1804 1920 rlflxfx.exe 30 PID 1920 wrote to memory of 1804 1920 rlflxfx.exe 30 PID 1804 wrote to memory of 852 1804 tbbtnb.exe 31 PID 1804 wrote to memory of 852 1804 tbbtnb.exe 31 PID 1804 wrote to memory of 852 1804 tbbtnb.exe 31 PID 1804 wrote to memory of 852 1804 tbbtnb.exe 31 PID 852 wrote to memory of 2412 852 bththn.exe 32 PID 852 wrote to memory of 2412 852 bththn.exe 32 PID 852 wrote to memory of 2412 852 bththn.exe 32 PID 852 wrote to memory of 2412 852 bththn.exe 32 PID 2412 wrote to memory of 1260 2412 1lxrxlr.exe 33 PID 2412 wrote to memory of 1260 2412 1lxrxlr.exe 33 PID 2412 wrote to memory of 1260 2412 1lxrxlr.exe 33 PID 2412 wrote to memory of 1260 2412 1lxrxlr.exe 33 PID 1260 wrote to memory of 2116 1260 vvpdp.exe 34 PID 1260 wrote to memory of 2116 1260 vvpdp.exe 34 PID 1260 wrote to memory of 2116 1260 vvpdp.exe 34 PID 1260 wrote to memory of 2116 1260 vvpdp.exe 34 PID 2116 wrote to memory of 2736 2116 lffrfrl.exe 35 PID 2116 wrote to memory of 2736 2116 lffrfrl.exe 35 PID 2116 wrote to memory of 2736 2116 lffrfrl.exe 35 PID 2116 wrote to memory of 2736 2116 lffrfrl.exe 35 PID 2736 wrote to memory of 2632 2736 tnhnnh.exe 36 PID 2736 wrote to 
memory of 2632 2736 tnhnnh.exe 36 PID 2736 wrote to memory of 2632 2736 tnhnnh.exe 36 PID 2736 wrote to memory of 2632 2736 tnhnnh.exe 36 PID 2632 wrote to memory of 2644 2632 vpdjv.exe 37 PID 2632 wrote to memory of 2644 2632 vpdjv.exe 37 PID 2632 wrote to memory of 2644 2632 vpdjv.exe 37 PID 2632 wrote to memory of 2644 2632 vpdjv.exe 37 PID 2644 wrote to memory of 2504 2644 hbbhtb.exe 38 PID 2644 wrote to memory of 2504 2644 hbbhtb.exe 38 PID 2644 wrote to memory of 2504 2644 hbbhtb.exe 38 PID 2644 wrote to memory of 2504 2644 hbbhtb.exe 38 PID 2504 wrote to memory of 2756 2504 dvddv.exe 39 PID 2504 wrote to memory of 2756 2504 dvddv.exe 39 PID 2504 wrote to memory of 2756 2504 dvddv.exe 39 PID 2504 wrote to memory of 2756 2504 dvddv.exe 39 PID 2756 wrote to memory of 2560 2756 bttbnt.exe 40 PID 2756 wrote to memory of 2560 2756 bttbnt.exe 40 PID 2756 wrote to memory of 2560 2756 bttbnt.exe 40 PID 2756 wrote to memory of 2560 2756 bttbnt.exe 40 PID 2560 wrote to memory of 2280 2560 tnhtnb.exe 41 PID 2560 wrote to memory of 2280 2560 tnhtnb.exe 41 PID 2560 wrote to memory of 2280 2560 tnhtnb.exe 41 PID 2560 wrote to memory of 2280 2560 tnhtnb.exe 41 PID 2280 wrote to memory of 1780 2280 jddpj.exe 42 PID 2280 wrote to memory of 1780 2280 jddpj.exe 42 PID 2280 wrote to memory of 1780 2280 jddpj.exe 42 PID 2280 wrote to memory of 1780 2280 jddpj.exe 42 PID 1780 wrote to memory of 2020 1780 pvpvp.exe 43 PID 1780 wrote to memory of 2020 1780 pvpvp.exe 43 PID 1780 wrote to memory of 2020 1780 pvpvp.exe 43 PID 1780 wrote to memory of 2020 1780 pvpvp.exe 43
Processes (note: every dropped executable is written to and launched from the root of C:\, shown as \??\c:\<name>.exe, with short names built from the letters b/d/f/h/j/l/n/p/r/t/v/x and an optional leading digit; each child spawns the next, and the tree below stops at depth 122)
-
C:\Users\Admin\AppData\Local\Temp\600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe"C:\Users\Admin\AppData\Local\Temp\600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\tthtth.exec:\tthtth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\rlflxfx.exec:\rlflxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\tbbtnb.exec:\tbbtnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\bththn.exec:\bththn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\1lxrxlr.exec:\1lxrxlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\vvpdp.exec:\vvpdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\lffrfrl.exec:\lffrfrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\tnhnnh.exec:\tnhnnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\vpdjv.exec:\vpdjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\hbbhtb.exec:\hbbhtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\dvddv.exec:\dvddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\bttbnt.exec:\bttbnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\tnhtnb.exec:\tnhtnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\jddpj.exec:\jddpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\pvpvp.exec:\pvpvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\3pjvj.exec:\3pjvj.exe17⤵
- Executes dropped EXE
PID:2020 -
\??\c:\lllrflx.exec:\lllrflx.exe18⤵
- Executes dropped EXE
PID:1284 -
\??\c:\nttnth.exec:\nttnth.exe19⤵
- Executes dropped EXE
PID:832 -
\??\c:\nhhnnt.exec:\nhhnnt.exe20⤵
- Executes dropped EXE
PID:2036 -
\??\c:\ddppv.exec:\ddppv.exe21⤵
- Executes dropped EXE
PID:2024 -
\??\c:\vvjvj.exec:\vvjvj.exe22⤵
- Executes dropped EXE
PID:1924 -
\??\c:\ffxrflf.exec:\ffxrflf.exe23⤵
- Executes dropped EXE
PID:2572 -
\??\c:\ntnbbh.exec:\ntnbbh.exe24⤵
- Executes dropped EXE
PID:2824 -
\??\c:\jjvjd.exec:\jjvjd.exe25⤵
- Executes dropped EXE
PID:2372 -
\??\c:\rllflxr.exec:\rllflxr.exe26⤵
- Executes dropped EXE
PID:2356 -
\??\c:\9nhhbn.exec:\9nhhbn.exe27⤵
- Executes dropped EXE
PID:608 -
\??\c:\jdjjp.exec:\jdjjp.exe28⤵
- Executes dropped EXE
PID:1656 -
\??\c:\hhbnnt.exec:\hhbnnt.exe29⤵
- Executes dropped EXE
PID:1500 -
\??\c:\xrlrlrx.exec:\xrlrlrx.exe30⤵
- Executes dropped EXE
PID:1304 -
\??\c:\ddpvj.exec:\ddpvj.exe31⤵
- Executes dropped EXE
PID:2352 -
\??\c:\pvpvd.exec:\pvpvd.exe32⤵
- Executes dropped EXE
PID:2168 -
\??\c:\xrrxlll.exec:\xrrxlll.exe33⤵
- Executes dropped EXE
PID:988 -
\??\c:\lxfxfxx.exec:\lxfxfxx.exe34⤵
- Executes dropped EXE
PID:2100 -
\??\c:\tnntbn.exec:\tnntbn.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:808 -
\??\c:\5vpvj.exec:\5vpvj.exe36⤵
- Executes dropped EXE
PID:2848 -
\??\c:\fxffflr.exec:\fxffflr.exe37⤵
- Executes dropped EXE
PID:1544 -
\??\c:\tbthth.exec:\tbthth.exe38⤵
- Executes dropped EXE
PID:2264 -
\??\c:\5vvjp.exec:\5vvjp.exe39⤵
- Executes dropped EXE
PID:2564 -
\??\c:\djpdv.exec:\djpdv.exe40⤵
- Executes dropped EXE
PID:1804 -
\??\c:\3rrrllx.exec:\3rrrllx.exe41⤵
- Executes dropped EXE
PID:1080 -
\??\c:\7tnbnn.exec:\7tnbnn.exe42⤵
- Executes dropped EXE
PID:2196 -
\??\c:\3jppv.exec:\3jppv.exe43⤵
- Executes dropped EXE
PID:2956 -
\??\c:\jpjdv.exec:\jpjdv.exe44⤵
- Executes dropped EXE
PID:2612 -
\??\c:\1ffrfxl.exec:\1ffrfxl.exe45⤵
- Executes dropped EXE
PID:2752 -
\??\c:\llxlrrf.exec:\llxlrrf.exe46⤵
- Executes dropped EXE
PID:2732 -
\??\c:\nhhtnb.exec:\nhhtnb.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636 -
\??\c:\vpdvj.exec:\vpdvj.exe48⤵
- Executes dropped EXE
PID:2684 -
\??\c:\vjjjd.exec:\vjjjd.exe49⤵
- Executes dropped EXE
PID:2672 -
\??\c:\7llfrxr.exec:\7llfrxr.exe50⤵
- Executes dropped EXE
PID:2596 -
\??\c:\tbbnbh.exec:\tbbnbh.exe51⤵
- Executes dropped EXE
PID:2416 -
\??\c:\9btbnb.exec:\9btbnb.exe52⤵
- Executes dropped EXE
PID:2548 -
\??\c:\1vppp.exec:\1vppp.exe53⤵
- Executes dropped EXE
PID:2604 -
\??\c:\frrrflx.exec:\frrrflx.exe54⤵
- Executes dropped EXE
PID:648 -
\??\c:\3nbhnb.exec:\3nbhnb.exe55⤵
- Executes dropped EXE
PID:1968 -
\??\c:\1nhttb.exec:\1nhttb.exe56⤵
- Executes dropped EXE
PID:1668 -
\??\c:\vjjvv.exec:\vjjvv.exe57⤵
- Executes dropped EXE
PID:1272 -
\??\c:\rlxfrrx.exec:\rlxfrrx.exe58⤵
- Executes dropped EXE
PID:1796 -
\??\c:\rrlfxff.exec:\rrlfxff.exe59⤵
- Executes dropped EXE
PID:2036 -
\??\c:\bbtbbn.exec:\bbtbbn.exe60⤵
- Executes dropped EXE
PID:1344 -
\??\c:\7vdjd.exec:\7vdjd.exe61⤵
- Executes dropped EXE
PID:1936 -
\??\c:\pjjpd.exec:\pjjpd.exe62⤵
- Executes dropped EXE
PID:2700 -
\??\c:\5fxxxxl.exec:\5fxxxxl.exe63⤵
- Executes dropped EXE
PID:1904 -
\??\c:\tnhnbh.exec:\tnhnbh.exe64⤵
- Executes dropped EXE
PID:1772 -
\??\c:\9dvvj.exec:\9dvvj.exe65⤵
- Executes dropped EXE
PID:1616 -
\??\c:\ddvjd.exec:\ddvjd.exe66⤵PID:2676
-
\??\c:\7rrrlrf.exec:\7rrrlrf.exe67⤵PID:2372
-
\??\c:\ttnbbn.exec:\ttnbbn.exe68⤵PID:2340
-
\??\c:\tthnbh.exec:\tthnbh.exe69⤵PID:1308
-
\??\c:\jdjdp.exec:\jdjdp.exe70⤵PID:1368
-
\??\c:\xrfrlfr.exec:\xrfrlfr.exe71⤵PID:1516
-
\??\c:\frlrrrr.exec:\frlrrrr.exe72⤵PID:848
-
\??\c:\ttbtbn.exec:\ttbtbn.exe73⤵PID:1500
-
\??\c:\ppdjp.exec:\ppdjp.exe74⤵PID:2436
-
\??\c:\1dvvd.exec:\1dvvd.exe75⤵PID:2128
-
\??\c:\lllrflr.exec:\lllrflr.exe76⤵PID:1612
-
\??\c:\xfrxxfx.exec:\xfrxxfx.exe77⤵PID:2144
-
\??\c:\bbthbh.exec:\bbthbh.exe78⤵PID:1736
-
\??\c:\jdvjv.exec:\jdvjv.exe79⤵PID:2912
-
\??\c:\ddvdj.exec:\ddvdj.exe80⤵PID:2080
-
\??\c:\lfxfrrl.exec:\lfxfrrl.exe81⤵PID:268
-
\??\c:\btntbb.exec:\btntbb.exe82⤵PID:1584
-
\??\c:\pjjdv.exec:\pjjdv.exe83⤵PID:1732
-
\??\c:\5dpvj.exec:\5dpvj.exe84⤵PID:2264
-
\??\c:\lrlxffr.exec:\lrlxffr.exe85⤵PID:1212
-
\??\c:\hbtbnt.exec:\hbtbnt.exe86⤵PID:548
-
\??\c:\nhhtbn.exec:\nhhtbn.exe87⤵PID:1816
-
\??\c:\3ppvd.exec:\3ppvd.exe88⤵PID:2312
-
\??\c:\jjvdv.exec:\jjvdv.exe89⤵PID:2628
-
\??\c:\xxxfflx.exec:\xxxfflx.exe90⤵PID:2772
-
\??\c:\httnnh.exec:\httnnh.exe91⤵PID:2728
-
\??\c:\vppvp.exec:\vppvp.exe92⤵PID:2640
-
\??\c:\ddpdv.exec:\ddpdv.exe93⤵PID:3020
-
\??\c:\5lrxfrx.exec:\5lrxfrx.exe94⤵PID:2252
-
\??\c:\nnnbht.exec:\nnnbht.exe95⤵PID:2528
-
\??\c:\9tnhnt.exec:\9tnhnt.exe96⤵PID:2680
-
\??\c:\vvvdp.exec:\vvvdp.exe97⤵PID:2556
-
\??\c:\ffxrffr.exec:\ffxrffr.exe98⤵PID:2532
-
\??\c:\lllrlxr.exec:\lllrlxr.exe99⤵PID:2548
-
\??\c:\hbbthb.exec:\hbbthb.exe100⤵PID:2032
-
\??\c:\dddpv.exec:\dddpv.exe101⤵PID:1388
-
\??\c:\dvvvj.exec:\dvvvj.exe102⤵PID:1720
-
\??\c:\ffxrlrf.exec:\ffxrlrf.exe103⤵PID:1716
-
\??\c:\tbbtbn.exec:\tbbtbn.exe104⤵PID:1992
-
\??\c:\jppvj.exec:\jppvj.exe105⤵PID:624
-
\??\c:\vpjpj.exec:\vpjpj.exe106⤵PID:1960
-
\??\c:\xrlxflr.exec:\xrlxflr.exe107⤵PID:2024
-
\??\c:\hnnbtb.exec:\hnnbtb.exe108⤵PID:1952
-
\??\c:\bhbtnb.exec:\bhbtnb.exe109⤵PID:2584
-
\??\c:\pjvdd.exec:\pjvdd.exe110⤵PID:1904
-
\??\c:\llllrxl.exec:\llllrxl.exe111⤵PID:2028
-
\??\c:\rxrfffr.exec:\rxrfffr.exe112⤵PID:2008
-
\??\c:\3bbthn.exec:\3bbthn.exe113⤵PID:2676
-
\??\c:\btnnbb.exec:\btnnbb.exe114⤵PID:1312
-
\??\c:\vdppd.exec:\vdppd.exe115⤵PID:2148
-
\??\c:\xffrfxx.exec:\xffrfxx.exe116⤵PID:1152
-
\??\c:\nnbbnn.exec:\nnbbnn.exe117⤵PID:1712
-
\??\c:\nnnbnt.exec:\nnnbnt.exe118⤵PID:564
-
\??\c:\9jddp.exec:\9jddp.exe119⤵PID:2348
-
\??\c:\9xrfxxl.exec:\9xrfxxl.exe120⤵PID:2888
-
\??\c:\flfrfrf.exec:\flfrfrf.exe121⤵PID:2368
-
\??\c:\nnbhtt.exec:\nnbhtt.exe122⤵PID:2276