Analysis
-
max time kernel
120s -
max time network
24s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 20:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
546e1439dd3c867f02b266fe2ae415c503e90d8eaafd98cdbf05f7f3d0359852N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
546e1439dd3c867f02b266fe2ae415c503e90d8eaafd98cdbf05f7f3d0359852N.exe
-
Size
454KB
-
MD5
c80da34a9cac3fc8c942e1487343c3e0
-
SHA1
d07caa6f4423a008cbb0c8fc70ad88e07c12199b
-
SHA256
546e1439dd3c867f02b266fe2ae415c503e90d8eaafd98cdbf05f7f3d0359852
-
SHA512
700a99c680d3fa740350554320fbb08f13fc30db88482d9af9a3891a51b70f5748a3e7c825b1864adfd89af6cee352b987a63d8b571518ab51b59ac779ee0da5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbem:q7Tc2NYHUrAwfMp3CDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2344-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-17-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2672-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/680-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-284-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2140-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2896-332-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2864-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-390-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1260-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-545-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1784-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-649-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2884-652-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2164-661-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2916-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1660-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-881-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2892 3xxlfrl.exe 2672 nhhnth.exe 2848 ffrxxfr.exe 2864 bhhtht.exe 2076 djjvj.exe 2728 hnhbnb.exe 2584 xllxfrr.exe 2616 hhbnhn.exe 2452 httnht.exe 2228 7rrfllx.exe 2380 5hbhnt.exe 2760 1rlrfrl.exe 1712 9nhnbb.exe 2904 bbhtnh.exe 2092 dvpdp.exe 2936 7pjpp.exe 480 9bthbt.exe 592 9lxlxxl.exe 680 hbttnt.exe 2036 1lxflrf.exe 1316 nhhtbh.exe 2528 lrxffrf.exe 1516 frrlxff.exe 1544 bhhthh.exe 2148 xfrllfl.exe 2044 vpdpd.exe 996 lfrxlxr.exe 1868 1pddp.exe 2320 ffxlxfr.exe 2136 tnhthn.exe 1816 lfllrlr.exe 1328 thhhtn.exe 2140 dddjd.exe 1600 hhbbnt.exe 2812 5hhnbh.exe 2832 llxlflf.exe 2896 fffrffx.exe 2864 ttnbnt.exe 2724 ppjpd.exe 2676 xrrxrxr.exe 2628 bbtbth.exe 2280 7djpp.exe 3068 ddddv.exe 2940 lllrfrr.exe 768 5vjvj.exe 1624 pvpdd.exe 1260 lxlfrrr.exe 1060 3pvjv.exe 2792 7jjpv.exe 1712 rrrxllx.exe 2904 hhhnhn.exe 2928 ddvjv.exe 1660 lxrrxfl.exe 1028 5hhnnn.exe 2212 3ddjv.exe 1792 9rlrrxf.exe 1732 thhhnh.exe 1632 jjdjd.exe 2272 ffxllrl.exe 908 9hbhbh.exe 1928 9jdjd.exe 1064 llffxxr.exe 1932 ntthhh.exe 2284 dvdpv.exe -
resource yara_rule behavioral1/memory/2344-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-347-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2676-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-652-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2164-661-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2316-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-731-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1httht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2892 2344 546e1439dd3c867f02b266fe2ae415c503e90d8eaafd98cdbf05f7f3d0359852N.exe 30 PID 2344 wrote to memory of 2892 2344 546e1439dd3c867f02b266fe2ae415c503e90d8eaafd98cdbf05f7f3d0359852N.exe 30 PID 2344 wrote to memory of 2892 2344 546e1439dd3c867f02b266fe2ae415c503e90d8eaafd98cdbf05f7f3d0359852N.exe 30 PID 2344 wrote to memory of 2892 2344 546e1439dd3c867f02b266fe2ae415c503e90d8eaafd98cdbf05f7f3d0359852N.exe 30 PID 2892 wrote to memory of 2672 2892 3xxlfrl.exe 31 PID 2892 wrote to memory of 2672 2892 3xxlfrl.exe 31 PID 2892 wrote to memory of 2672 2892 3xxlfrl.exe 31 PID 2892 wrote to memory of 2672 2892 3xxlfrl.exe 31 PID 2672 wrote to memory of 2848 2672 nhhnth.exe 32 PID 2672 wrote to memory of 2848 2672 nhhnth.exe 32 PID 2672 wrote to memory of 2848 2672 nhhnth.exe 32 PID 2672 wrote to memory of 2848 2672 nhhnth.exe 32 PID 2848 wrote to memory of 2864 2848 ffrxxfr.exe 33 PID 2848 wrote to memory of 2864 2848 ffrxxfr.exe 33 PID 2848 wrote to memory of 2864 2848 ffrxxfr.exe 33 PID 2848 wrote to memory of 2864 2848 ffrxxfr.exe 33 PID 2864 wrote to memory of 2076 2864 bhhtht.exe 34 PID 2864 wrote to memory of 2076 2864 bhhtht.exe 34 PID 2864 wrote to memory of 2076 2864 bhhtht.exe 34 PID 2864 wrote to memory of 2076 2864 bhhtht.exe 34 PID 2076 wrote to memory of 2728 2076 djjvj.exe 35 PID 2076 wrote to memory of 2728 2076 djjvj.exe 35 PID 2076 wrote to memory of 2728 2076 djjvj.exe 35 PID 2076 wrote to memory of 2728 2076 djjvj.exe 35 PID 2728 wrote to memory of 2584 2728 hnhbnb.exe 36 PID 2728 wrote to memory of 2584 2728 hnhbnb.exe 36 PID 2728 wrote to memory of 2584 2728 hnhbnb.exe 36 PID 2728 wrote to memory of 2584 2728 hnhbnb.exe 36 PID 2584 wrote to memory of 2616 2584 xllxfrr.exe 37 PID 2584 wrote to memory of 2616 2584 xllxfrr.exe 37 PID 2584 wrote to memory of 2616 2584 xllxfrr.exe 37 PID 2584 wrote to memory of 2616 2584 xllxfrr.exe 37 PID 2616 wrote to memory of 2452 2616 hhbnhn.exe 38 
PID 2616 wrote to memory of 2452 2616 hhbnhn.exe 38 PID 2616 wrote to memory of 2452 2616 hhbnhn.exe 38 PID 2616 wrote to memory of 2452 2616 hhbnhn.exe 38 PID 2452 wrote to memory of 2228 2452 httnht.exe 39 PID 2452 wrote to memory of 2228 2452 httnht.exe 39 PID 2452 wrote to memory of 2228 2452 httnht.exe 39 PID 2452 wrote to memory of 2228 2452 httnht.exe 39 PID 2228 wrote to memory of 2380 2228 7rrfllx.exe 40 PID 2228 wrote to memory of 2380 2228 7rrfllx.exe 40 PID 2228 wrote to memory of 2380 2228 7rrfllx.exe 40 PID 2228 wrote to memory of 2380 2228 7rrfllx.exe 40 PID 2380 wrote to memory of 2760 2380 5hbhnt.exe 41 PID 2380 wrote to memory of 2760 2380 5hbhnt.exe 41 PID 2380 wrote to memory of 2760 2380 5hbhnt.exe 41 PID 2380 wrote to memory of 2760 2380 5hbhnt.exe 41 PID 2760 wrote to memory of 1712 2760 1rlrfrl.exe 42 PID 2760 wrote to memory of 1712 2760 1rlrfrl.exe 42 PID 2760 wrote to memory of 1712 2760 1rlrfrl.exe 42 PID 2760 wrote to memory of 1712 2760 1rlrfrl.exe 42 PID 1712 wrote to memory of 2904 1712 9nhnbb.exe 43 PID 1712 wrote to memory of 2904 1712 9nhnbb.exe 43 PID 1712 wrote to memory of 2904 1712 9nhnbb.exe 43 PID 1712 wrote to memory of 2904 1712 9nhnbb.exe 43 PID 2904 wrote to memory of 2092 2904 bbhtnh.exe 44 PID 2904 wrote to memory of 2092 2904 bbhtnh.exe 44 PID 2904 wrote to memory of 2092 2904 bbhtnh.exe 44 PID 2904 wrote to memory of 2092 2904 bbhtnh.exe 44 PID 2092 wrote to memory of 2936 2092 dvpdp.exe 45 PID 2092 wrote to memory of 2936 2092 dvpdp.exe 45 PID 2092 wrote to memory of 2936 2092 dvpdp.exe 45 PID 2092 wrote to memory of 2936 2092 dvpdp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\546e1439dd3c867f02b266fe2ae415c503e90d8eaafd98cdbf05f7f3d0359852N.exe"C:\Users\Admin\AppData\Local\Temp\546e1439dd3c867f02b266fe2ae415c503e90d8eaafd98cdbf05f7f3d0359852N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\3xxlfrl.exec:\3xxlfrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\nhhnth.exec:\nhhnth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\ffrxxfr.exec:\ffrxxfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\bhhtht.exec:\bhhtht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\djjvj.exec:\djjvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\hnhbnb.exec:\hnhbnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\xllxfrr.exec:\xllxfrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\hhbnhn.exec:\hhbnhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\httnht.exec:\httnht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\7rrfllx.exec:\7rrfllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\5hbhnt.exec:\5hbhnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\1rlrfrl.exec:\1rlrfrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\9nhnbb.exec:\9nhnbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\bbhtnh.exec:\bbhtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\dvpdp.exec:\dvpdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\7pjpp.exec:\7pjpp.exe17⤵
- Executes dropped EXE
PID:2936 -
\??\c:\9bthbt.exec:\9bthbt.exe18⤵
- Executes dropped EXE
PID:480 -
\??\c:\9lxlxxl.exec:\9lxlxxl.exe19⤵
- Executes dropped EXE
PID:592 -
\??\c:\hbttnt.exec:\hbttnt.exe20⤵
- Executes dropped EXE
PID:680 -
\??\c:\1lxflrf.exec:\1lxflrf.exe21⤵
- Executes dropped EXE
PID:2036 -
\??\c:\nhhtbh.exec:\nhhtbh.exe22⤵
- Executes dropped EXE
PID:1316 -
\??\c:\lrxffrf.exec:\lrxffrf.exe23⤵
- Executes dropped EXE
PID:2528 -
\??\c:\frrlxff.exec:\frrlxff.exe24⤵
- Executes dropped EXE
PID:1516 -
\??\c:\bhhthh.exec:\bhhthh.exe25⤵
- Executes dropped EXE
PID:1544 -
\??\c:\xfrllfl.exec:\xfrllfl.exe26⤵
- Executes dropped EXE
PID:2148 -
\??\c:\vpdpd.exec:\vpdpd.exe27⤵
- Executes dropped EXE
PID:2044 -
\??\c:\lfrxlxr.exec:\lfrxlxr.exe28⤵
- Executes dropped EXE
PID:996 -
\??\c:\1pddp.exec:\1pddp.exe29⤵
- Executes dropped EXE
PID:1868 -
\??\c:\ffxlxfr.exec:\ffxlxfr.exe30⤵
- Executes dropped EXE
PID:2320 -
\??\c:\tnhthn.exec:\tnhthn.exe31⤵
- Executes dropped EXE
PID:2136 -
\??\c:\lfllrlr.exec:\lfllrlr.exe32⤵
- Executes dropped EXE
PID:1816 -
\??\c:\thhhtn.exec:\thhhtn.exe33⤵
- Executes dropped EXE
PID:1328 -
\??\c:\dddjd.exec:\dddjd.exe34⤵
- Executes dropped EXE
PID:2140 -
\??\c:\hhbbnt.exec:\hhbbnt.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\5hhnbh.exec:\5hhnbh.exe36⤵
- Executes dropped EXE
PID:2812 -
\??\c:\llxlflf.exec:\llxlflf.exe37⤵
- Executes dropped EXE
PID:2832 -
\??\c:\fffrffx.exec:\fffrffx.exe38⤵
- Executes dropped EXE
PID:2896 -
\??\c:\ttnbnt.exec:\ttnbnt.exe39⤵
- Executes dropped EXE
PID:2864 -
\??\c:\ppjpd.exec:\ppjpd.exe40⤵
- Executes dropped EXE
PID:2724 -
\??\c:\xrrxrxr.exec:\xrrxrxr.exe41⤵
- Executes dropped EXE
PID:2676 -
\??\c:\bbtbth.exec:\bbtbth.exe42⤵
- Executes dropped EXE
PID:2628 -
\??\c:\7djpp.exec:\7djpp.exe43⤵
- Executes dropped EXE
PID:2280 -
\??\c:\ddddv.exec:\ddddv.exe44⤵
- Executes dropped EXE
PID:3068 -
\??\c:\lllrfrr.exec:\lllrfrr.exe45⤵
- Executes dropped EXE
PID:2940 -
\??\c:\5vjvj.exec:\5vjvj.exe46⤵
- Executes dropped EXE
PID:768 -
\??\c:\pvpdd.exec:\pvpdd.exe47⤵
- Executes dropped EXE
PID:1624 -
\??\c:\lxlfrrr.exec:\lxlfrrr.exe48⤵
- Executes dropped EXE
PID:1260 -
\??\c:\3pvjv.exec:\3pvjv.exe49⤵
- Executes dropped EXE
PID:1060 -
\??\c:\7jjpv.exec:\7jjpv.exe50⤵
- Executes dropped EXE
PID:2792 -
\??\c:\rrrxllx.exec:\rrrxllx.exe51⤵
- Executes dropped EXE
PID:1712 -
\??\c:\hhhnhn.exec:\hhhnhn.exe52⤵
- Executes dropped EXE
PID:2904 -
\??\c:\ddvjv.exec:\ddvjv.exe53⤵
- Executes dropped EXE
PID:2928 -
\??\c:\lxrrxfl.exec:\lxrrxfl.exe54⤵
- Executes dropped EXE
PID:1660 -
\??\c:\5hhnnn.exec:\5hhnnn.exe55⤵
- Executes dropped EXE
PID:1028 -
\??\c:\3ddjv.exec:\3ddjv.exe56⤵
- Executes dropped EXE
PID:2212 -
\??\c:\9rlrrxf.exec:\9rlrrxf.exe57⤵
- Executes dropped EXE
PID:1792 -
\??\c:\thhhnh.exec:\thhhnh.exe58⤵
- Executes dropped EXE
PID:1732 -
\??\c:\jjdjd.exec:\jjdjd.exe59⤵
- Executes dropped EXE
PID:1632 -
\??\c:\ffxllrl.exec:\ffxllrl.exe60⤵
- Executes dropped EXE
PID:2272 -
\??\c:\9hbhbh.exec:\9hbhbh.exe61⤵
- Executes dropped EXE
PID:908 -
\??\c:\9jdjd.exec:\9jdjd.exe62⤵
- Executes dropped EXE
PID:1928 -
\??\c:\llffxxr.exec:\llffxxr.exe63⤵
- Executes dropped EXE
PID:1064 -
\??\c:\ntthhh.exec:\ntthhh.exe64⤵
- Executes dropped EXE
PID:1932 -
\??\c:\dvdpv.exec:\dvdpv.exe65⤵
- Executes dropped EXE
PID:2284 -
\??\c:\rrlfrfx.exec:\rrlfrfx.exe66⤵PID:2032
-
\??\c:\nhnhtn.exec:\nhnhtn.exe67⤵PID:2516
-
\??\c:\7dvjp.exec:\7dvjp.exe68⤵PID:1748
-
\??\c:\1rxxlrx.exec:\1rxxlrx.exe69⤵PID:996
-
\??\c:\btnhnt.exec:\btnhnt.exe70⤵PID:1008
-
\??\c:\jdpvv.exec:\jdpvv.exe71⤵PID:2352
-
\??\c:\jjjpj.exec:\jjjpj.exe72⤵PID:2136
-
\??\c:\5frxflx.exec:\5frxflx.exe73⤵
- System Location Discovery: System Language Discovery
PID:2492 -
\??\c:\ttthnt.exec:\ttthnt.exe74⤵PID:2324
-
\??\c:\9vpdp.exec:\9vpdp.exe75⤵PID:2216
-
\??\c:\5lxxllx.exec:\5lxxllx.exe76⤵PID:1608
-
\??\c:\thbbbb.exec:\thbbbb.exe77⤵PID:2656
-
\??\c:\jdddd.exec:\jdddd.exe78⤵PID:2824
-
\??\c:\xlxrrll.exec:\xlxrrll.exe79⤵PID:2848
-
\??\c:\htnnnt.exec:\htnnnt.exe80⤵PID:2900
-
\??\c:\jjdjj.exec:\jjdjj.exe81⤵PID:1784
-
\??\c:\lffflrx.exec:\lffflrx.exe82⤵PID:860
-
\??\c:\thtntn.exec:\thtntn.exe83⤵PID:2612
-
\??\c:\vppvp.exec:\vppvp.exe84⤵PID:2568
-
\??\c:\frxlfxx.exec:\frxlfxx.exe85⤵PID:2584
-
\??\c:\hnhnhn.exec:\hnhnhn.exe86⤵PID:2884
-
\??\c:\ttntnb.exec:\ttntnb.exe87⤵PID:2164
-
\??\c:\pjvvd.exec:\pjvvd.exe88⤵PID:2308
-
\??\c:\rrflrxr.exec:\rrflrxr.exe89⤵PID:2316
-
\??\c:\ttnnhh.exec:\ttnnhh.exe90⤵PID:2780
-
\??\c:\djdvp.exec:\djdvp.exe91⤵PID:2916
-
\??\c:\1rxlfxx.exec:\1rxlfxx.exe92⤵PID:2800
-
\??\c:\rrrlxlf.exec:\rrrlxlf.exe93⤵PID:2288
-
\??\c:\bbhtbt.exec:\bbhtbt.exe94⤵PID:2932
-
\??\c:\vpjdp.exec:\vpjdp.exe95⤵PID:2092
-
\??\c:\1nhhhn.exec:\1nhhhn.exe96⤵PID:2936
-
\??\c:\djjjd.exec:\djjjd.exe97⤵PID:1660
-
\??\c:\ffflrxl.exec:\ffflrxl.exe98⤵PID:1028
-
\??\c:\bhntnn.exec:\bhntnn.exe99⤵PID:2236
-
\??\c:\jddpp.exec:\jddpp.exe100⤵PID:1792
-
\??\c:\ffxlxlx.exec:\ffxlxlx.exe101⤵PID:1804
-
\??\c:\jvjdd.exec:\jvjdd.exe102⤵PID:1632
-
\??\c:\1jjpj.exec:\1jjpj.exe103⤵PID:2972
-
\??\c:\1frxlrx.exec:\1frxlrx.exe104⤵PID:2204
-
\??\c:\bhhntt.exec:\bhhntt.exe105⤵PID:2296
-
\??\c:\jdpvd.exec:\jdpvd.exe106⤵PID:1704
-
\??\c:\llxlxfr.exec:\llxlxfr.exe107⤵PID:976
-
\??\c:\tnhtbb.exec:\tnhtbb.exe108⤵PID:1956
-
\??\c:\vvvjv.exec:\vvvjv.exe109⤵PID:1292
-
\??\c:\lxrrffx.exec:\lxrrffx.exe110⤵PID:2044
-
\??\c:\rlxxxfr.exec:\rlxxxfr.exe111⤵PID:2852
-
\??\c:\7tnnhn.exec:\7tnnhn.exe112⤵PID:2468
-
\??\c:\7ppvj.exec:\7ppvj.exe113⤵PID:696
-
\??\c:\xlxlrfl.exec:\xlxlrfl.exe114⤵PID:2320
-
\??\c:\9hbhth.exec:\9hbhth.exe115⤵PID:2504
-
\??\c:\hhhthb.exec:\hhhthb.exe116⤵PID:2276
-
\??\c:\ddpdp.exec:\ddpdp.exe117⤵PID:1684
-
\??\c:\5xflflx.exec:\5xflflx.exe118⤵PID:1708
-
\??\c:\5hhtnt.exec:\5hhtnt.exe119⤵PID:2668
-
\??\c:\jjvjv.exec:\jjvjv.exe120⤵PID:2840
-
\??\c:\pppdp.exec:\pppdp.exe121⤵PID:2980
-
\??\c:\llrfxll.exec:\llrfxll.exe122⤵PID:2808