Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/01/2025, 04:54
Behavioral task: behavioral1
Sample: 970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe
Resource: win7-20240903-en
7 signatures, 150 seconds
General
Target: 970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe
Size: 333KB
MD5: 46cf49e73a08135af2bb988b8042f0c9
SHA1: 535ce21c0cfa2738ecb32128d88c8fac9a06386a
SHA256: 970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e
SHA512: 6bb6195381c115d2f1771b2905da19a57936f61b5a638a1687cb522b5150432f78de866543952ebe8895e3049683ca38e34c9888dc87754ff49a5ddeabda89cd
SSDEEP: 6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbey:R4wFHoSHYHUrAwfMp3CDy
Signatures
- Blackmoon family
- Detect Blackmoon payload (48 IoCs)
- Executes dropped EXE (64 IoCs)
- yara rule upx (hits on the dropped .dat files and on the process memory dumps)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree, one entry per line: nesting depth, image path, PID, signatures triggered. Each entry is a child of the entry above it. For the dropped executables the command line is the image path without the \??\ prefix (c:\<name>.exe).
1: C:\Users\Admin\AppData\Local\Temp\970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe (command line "C:\Users\Admin\AppData\Local\Temp\970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe"), PID 2708: Suspicious use of WriteProcessMemory
2: \??\c:\7htbhh.exe, PID 2776: Executes dropped EXE; Suspicious use of WriteProcessMemory
3: \??\c:\5bhhnt.exe, PID 2768: Executes dropped EXE; Suspicious use of WriteProcessMemory
4: \??\c:\fxrlxxf.exe, PID 2392: Executes dropped EXE; Suspicious use of WriteProcessMemory
5: \??\c:\bbnbnt.exe, PID 2596: Executes dropped EXE; Suspicious use of WriteProcessMemory
6: \??\c:\5jvjj.exe, PID 2884: Executes dropped EXE; Suspicious use of WriteProcessMemory
7: \??\c:\nhtbht.exe, PID 2600: Executes dropped EXE; Suspicious use of WriteProcessMemory
8: \??\c:\nhbnth.exe, PID 1656: Executes dropped EXE; Suspicious use of WriteProcessMemory
9: \??\c:\1dddv.exe, PID 1696: Executes dropped EXE; Suspicious use of WriteProcessMemory
10: \??\c:\fxrllxx.exe, PID 1108: Executes dropped EXE; Suspicious use of WriteProcessMemory
11: \??\c:\bthtnn.exe, PID 1500: Executes dropped EXE; Suspicious use of WriteProcessMemory
12: \??\c:\lfrrflx.exe, PID 2664: Executes dropped EXE; Suspicious use of WriteProcessMemory
13: \??\c:\xxlfrfl.exe, PID 2988: Executes dropped EXE; Suspicious use of WriteProcessMemory
14: \??\c:\fxxlrrx.exe, PID 2948: Executes dropped EXE; Suspicious use of WriteProcessMemory
15: \??\c:\vvjpd.exe, PID 2904: Executes dropped EXE; Suspicious use of WriteProcessMemory
16: \??\c:\bbthbh.exe, PID 2928: Executes dropped EXE; Suspicious use of WriteProcessMemory
17: \??\c:\vpjpp.exe, PID 328: Executes dropped EXE
18: \??\c:\lflllrx.exe, PID 2516: Executes dropped EXE
19: \??\c:\hbbhtb.exe, PID 1784: Executes dropped EXE
20: \??\c:\3jvvj.exe, PID 1928: Executes dropped EXE
21: \??\c:\9bthhn.exe, PID 1688: Executes dropped EXE
22: \??\c:\bbbnbn.exe, PID 1692: Executes dropped EXE
23: \??\c:\9tbhbb.exe, PID 760: Executes dropped EXE; System Location Discovery: System Language Discovery
24: \??\c:\dvpvj.exe, PID 2536: Executes dropped EXE
25: \??\c:\jdddv.exe, PID 904: Executes dropped EXE
26: \??\c:\rlfrfrx.exe, PID 1388: Executes dropped EXE
27: \??\c:\1ppdj.exe, PID 1876: Executes dropped EXE
28: \??\c:\xlrfllx.exe, PID 2312: Executes dropped EXE
29: \??\c:\bbtntn.exe, PID 1028: Executes dropped EXE
30: \??\c:\vjdjv.exe, PID 2244: Executes dropped EXE
31: \??\c:\lrxflxr.exe, PID 1956: Executes dropped EXE
32: \??\c:\hhbhtb.exe, PID 1584: Executes dropped EXE
33: \??\c:\3llrfll.exe, PID 1828: Executes dropped EXE
34: \??\c:\7rlllrr.exe, PID 1220: Executes dropped EXE
35: \??\c:\ddjvj.exe, PID 2696: Executes dropped EXE
36: \??\c:\vpjjv.exe, PID 2780: Executes dropped EXE
37: \??\c:\ffrrxxl.exe, PID 2700: Executes dropped EXE
38: \??\c:\9tbbhb.exe, PID 2576: Executes dropped EXE
39: \??\c:\3djjv.exe, PID 2792: Executes dropped EXE
40: \??\c:\9dddp.exe, PID 2592: Executes dropped EXE
41: \??\c:\rlllrxl.exe, PID 2732: Executes dropped EXE
42: \??\c:\nnnhnt.exe, PID 2788: Executes dropped EXE
43: \??\c:\5vpdj.exe, PID 2624: Executes dropped EXE
44: \??\c:\xfxllrx.exe, PID 2736: Executes dropped EXE
45: \??\c:\7xxxflr.exe, PID 1608: Executes dropped EXE
46: \??\c:\bthhnn.exe, PID 1064: Executes dropped EXE
47: \??\c:\pjjvj.exe, PID 2612: Executes dropped EXE
48: \??\c:\pjdvd.exe, PID 1636: Executes dropped EXE
49: \??\c:\7lxxffl.exe, PID 1280: Executes dropped EXE
50: \??\c:\bttthn.exe, PID 2180: Executes dropped EXE
51: \??\c:\1djpd.exe, PID 3044: Executes dropped EXE
52: \??\c:\vvpvj.exe, PID 2988: Executes dropped EXE
53: \??\c:\1rlrxxx.exe, PID 2944: Executes dropped EXE
54: \??\c:\tnbnnt.exe, PID 2948: Executes dropped EXE
55: \??\c:\hbbntn.exe, PID 2924: Executes dropped EXE
56: \??\c:\vvjpd.exe, PID 2936: Executes dropped EXE
57: \??\c:\rlxxlxl.exe, PID 1980: Executes dropped EXE
58: \??\c:\bbthtt.exe, PID 2860: Executes dropped EXE
59: \??\c:\9jdjv.exe, PID 2516: Executes dropped EXE
60: \??\c:\3lrrxrr.exe, PID 1784: Executes dropped EXE
61: \??\c:\1lxxxxf.exe, PID 1800: Executes dropped EXE
62: \??\c:\nnhttb.exe, PID 1928: Executes dropped EXE
63: \??\c:\dddjp.exe, PID 1932: Executes dropped EXE
64: \??\c:\vpvvd.exe, PID 2984: Executes dropped EXE
65: \??\c:\7lxrxxf.exe, PID 1340: Executes dropped EXE
66: \??\c:\tnnthn.exe, PID 952
67: \??\c:\hhtbhh.exe, PID 2444
68: \??\c:\dddpd.exe, PID 948
69: \??\c:\3fxflrf.exe, PID 2372
70: \??\c:\ffxfxrr.exe, PID 1552
71: \??\c:\3htbnt.exe, PID 1724
72: \??\c:\pjjpd.exe, PID 2312
73: \??\c:\llxrxfx.exe, PID 1436
74: \??\c:\lfrrffr.exe, PID 2236
75: \??\c:\nhthtt.exe, PID 1208
76: \??\c:\dvjjp.exe, PID 1956
77: \??\c:\lllrlrf.exe, PID 992
78: \??\c:\xxrfrlx.exe, PID 1804
79: \??\c:\hhtntt.exe, PID 1880
80: \??\c:\vvpjp.exe, PID 1220
81: \??\c:\llflrfl.exe, PID 2052
82: \??\c:\tthhtn.exe, PID 2800
83: \??\c:\hbtbtb.exe, PID 1572
84: \??\c:\dvpvd.exe, PID 2812
85: \??\c:\xrrxlrl.exe, PID 2760
86: \??\c:\rlxfxrf.exe, PID 2604
87: \??\c:\5nnbhb.exe, PID 2480: System Location Discovery: System Language Discovery
88: \??\c:\9vppv.exe, PID 2588
89: \??\c:\lllfxlr.exe, PID 2600
90: \??\c:\fffxlfr.exe, PID 2092
91: \??\c:\9hhbhn.exe, PID 1840
92: \??\c:\tnntnt.exe, PID 2584
93: \??\c:\jjdjv.exe, PID 2612
94: \??\c:\llrxrxl.exe, PID 1832
95: \??\c:\hnhhbh.exe, PID 2112
96: \??\c:\3nnhnn.exe, PID 1968
97: \??\c:\jjdjv.exe, PID 1096
98: \??\c:\xxrfrfr.exe, PID 3024
99: \??\c:\nnnthh.exe, PID 2944
100: \??\c:\bhnhbn.exe, PID 3004
101: \??\c:\3vddd.exe, PID 1312
102: \??\c:\7ffxffl.exe, PID 2796
103: \??\c:\nnbntb.exe, PID 2332
104: \??\c:\1htbnt.exe, PID 2860
105: \??\c:\vjdpj.exe, PID 1036
106: \??\c:\rlxlflr.exe, PID 1784
107: \??\c:\ffflffr.exe, PID 2344
108: \??\c:\9ththn.exe, PID 1688
109: \??\c:\dddpv.exe, PID 1304
110: \??\c:\dpjpp.exe, PID 1884
111: \??\c:\lfrfrrf.exe, PID 1476
112: \??\c:\xrfflrr.exe, PID 1048
113: \??\c:\tbhhbn.exe, PID 1728
114: \??\c:\vjdpd.exe, PID 1392
115: \??\c:\jjvjv.exe, PID 1700
116: \??\c:\9fxfrxf.exe, PID 352
117: \??\c:\nhbbhn.exe, PID 2520
118: \??\c:\pvvdj.exe, PID 2892
119: \??\c:\5pdvj.exe, PID 2032
120: \??\c:\lfrrlll.exe, PID 2464
121: \??\c:\tnbnbn.exe, PID 1752
122: \??\c:\tnhtnb.exe, PID 1584