Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 14:58
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe
-
Size
456KB
-
MD5
2613612a2a41da63f47c13019085c150
-
SHA1
2fd7f53b64cdc9cb50a66ec6c4dcb763c5aaf60c
-
SHA256
6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4d
-
SHA512
c3a0fd3cc9348cbcc5a3e1dac128f7fefbf46099f3d48279ac2f23fb4f8d5d7cc22473d3a48e9fbad162b3e236f1e0a03acbf6e1f4e5c012444f036f91c32acb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeSn:q7Tc2NYHUrAwfMp3CD+
Malware Config: none extracted (no configuration data was recovered from this sample during the run)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 49 IoCs. The `family_blackmoon` YARA rule matched on memory dumps of the original process (PID 2680) and of the dropped stages, not on the file on disk; most hits are on the 0x400000–0x42A000 image region of each process, which is the same region the `upx` rule flags below, so the family classification is based on the in-memory image and should be confirmed against an unpacked copy if a definitive family attribution is required.
resource yara_rule behavioral1/memory/2680-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-36-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1264-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-56-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2800-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-102-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-110-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1484-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-138-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2496-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-179-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2932-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-185-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon 
behavioral1/memory/2376-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1112-222-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1560-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/548-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-468-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2164-480-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2244-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-623-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/844-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-790-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2876-834-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2876-833-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2880-847-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-897-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/548-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-966-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2760-1125-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list is capped at 64; the process tree below continues to nesting depth 122). Note that PIDs are reused within the run — for example 2320, 2620, 2700 and 2244 each appear for two different images — so correlate on image name and position in the chain rather than on PID alone.
pid Process 2400 lfrlrrf.exe 2368 dpddj.exe 2320 9xlfxrr.exe 1264 fxlrfrx.exe 2820 dvjpd.exe 2756 lrxlfrx.exe 2760 3bhhtb.exe 2620 vpjjd.exe 2800 lxlrxrf.exe 2628 nhttnt.exe 2052 9bbhnn.exe 1484 bbttbt.exe 2564 1bbhnn.exe 2700 ppjjp.exe 2496 ntbnht.exe 1876 xlfxrrx.exe 2040 tthtnt.exe 2024 pvjpj.exe 1780 5tnnbh.exe 2932 vvpdj.exe 2376 lfrxlxf.exe 2244 tthbhh.exe 1112 5xrxffl.exe 2580 hhtnbb.exe 1360 1dvpv.exe 2992 lxlffxf.exe 2092 tnhhtt.exe 332 bbntbh.exe 880 bnbbhn.exe 876 ffxfrxl.exe 2120 nttnnh.exe 1560 ffxfxfl.exe 2964 5frxrrf.exe 2364 dpddp.exe 2340 1dppv.exe 2320 xrffrrf.exe 2824 5tthnb.exe 2980 jjvvd.exe 2708 3vjdj.exe 2620 flrlrrx.exe 2712 nhntnn.exe 2772 ttntht.exe 2652 dvddp.exe 2768 xlrrxxf.exe 2176 xlxxllx.exe 676 1bnnnn.exe 664 jvpvd.exe 1388 ddpvv.exe 1184 1lfxfxx.exe 2700 9thhhh.exe 1340 hnbhnn.exe 548 jjvvd.exe 1268 xrrfrfx.exe 1996 1lrrrrf.exe 1244 1hbbhh.exe 2948 pjddj.exe 2904 jppjd.exe 2296 fxlfrfl.exe 2232 ffllrlr.exe 2164 7hbhnt.exe 2244 vpjpp.exe 1136 fxrxffr.exe 2576 lrllxxf.exe 948 hbttbh.exe -
resource yara_rule behavioral1/memory/2680-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-138-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1876-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-303-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2340-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/948-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-759-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2876-833-0x0000000000530000-0x000000000055A000-memory.dmp upx behavioral1/memory/2564-922-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-959-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2760-1117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-1188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-1333-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs (list capped at 64)
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Caveat for triage: the key read below (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is also read by benign locale-aware code, so this signature is a weak signal on its own; its weight here comes from the surrounding behaviour (packed payload, chained drop-and-execute). Most rows below are attributed to "Process not Found", meaning the sandbox could not resolve the PID to a live process by the time the event was recorded — consistent with the very short-lived chained stages — so per-process attribution is lost for those rows.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxlrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64). Every recorded write goes from a parent to the child it has just spawned (2680→2400→2368→2320→…, four writes per child), i.e. the pattern is consistent with each stage preparing the process it just created rather than injection into an unrelated, already-running process. The report does not show what was written, so ordinary start-up writes cannot be distinguished from hollowing of the freshly created child on this page; treat the parent→child pairing, not the API call alone, as the detection content.
description pid Process procid_target PID 2680 wrote to memory of 2400 2680 6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe 30 PID 2680 wrote to memory of 2400 2680 6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe 30 PID 2680 wrote to memory of 2400 2680 6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe 30 PID 2680 wrote to memory of 2400 2680 6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe 30 PID 2400 wrote to memory of 2368 2400 lfrlrrf.exe 31 PID 2400 wrote to memory of 2368 2400 lfrlrrf.exe 31 PID 2400 wrote to memory of 2368 2400 lfrlrrf.exe 31 PID 2400 wrote to memory of 2368 2400 lfrlrrf.exe 31 PID 2368 wrote to memory of 2320 2368 dpddj.exe 32 PID 2368 wrote to memory of 2320 2368 dpddj.exe 32 PID 2368 wrote to memory of 2320 2368 dpddj.exe 32 PID 2368 wrote to memory of 2320 2368 dpddj.exe 32 PID 2320 wrote to memory of 1264 2320 9xlfxrr.exe 33 PID 2320 wrote to memory of 1264 2320 9xlfxrr.exe 33 PID 2320 wrote to memory of 1264 2320 9xlfxrr.exe 33 PID 2320 wrote to memory of 1264 2320 9xlfxrr.exe 33 PID 1264 wrote to memory of 2820 1264 fxlrfrx.exe 34 PID 1264 wrote to memory of 2820 1264 fxlrfrx.exe 34 PID 1264 wrote to memory of 2820 1264 fxlrfrx.exe 34 PID 1264 wrote to memory of 2820 1264 fxlrfrx.exe 34 PID 2820 wrote to memory of 2756 2820 dvjpd.exe 35 PID 2820 wrote to memory of 2756 2820 dvjpd.exe 35 PID 2820 wrote to memory of 2756 2820 dvjpd.exe 35 PID 2820 wrote to memory of 2756 2820 dvjpd.exe 35 PID 2756 wrote to memory of 2760 2756 lrxlfrx.exe 36 PID 2756 wrote to memory of 2760 2756 lrxlfrx.exe 36 PID 2756 wrote to memory of 2760 2756 lrxlfrx.exe 36 PID 2756 wrote to memory of 2760 2756 lrxlfrx.exe 36 PID 2760 wrote to memory of 2620 2760 3bhhtb.exe 37 PID 2760 wrote to memory of 2620 2760 3bhhtb.exe 37 PID 2760 wrote to memory of 2620 2760 3bhhtb.exe 37 PID 2760 wrote to memory of 2620 2760 3bhhtb.exe 37 PID 2620 wrote to memory of 2800 2620 vpjjd.exe 38 
PID 2620 wrote to memory of 2800 2620 vpjjd.exe 38 PID 2620 wrote to memory of 2800 2620 vpjjd.exe 38 PID 2620 wrote to memory of 2800 2620 vpjjd.exe 38 PID 2800 wrote to memory of 2628 2800 lxlrxrf.exe 39 PID 2800 wrote to memory of 2628 2800 lxlrxrf.exe 39 PID 2800 wrote to memory of 2628 2800 lxlrxrf.exe 39 PID 2800 wrote to memory of 2628 2800 lxlrxrf.exe 39 PID 2628 wrote to memory of 2052 2628 nhttnt.exe 40 PID 2628 wrote to memory of 2052 2628 nhttnt.exe 40 PID 2628 wrote to memory of 2052 2628 nhttnt.exe 40 PID 2628 wrote to memory of 2052 2628 nhttnt.exe 40 PID 2052 wrote to memory of 1484 2052 9bbhnn.exe 41 PID 2052 wrote to memory of 1484 2052 9bbhnn.exe 41 PID 2052 wrote to memory of 1484 2052 9bbhnn.exe 41 PID 2052 wrote to memory of 1484 2052 9bbhnn.exe 41 PID 1484 wrote to memory of 2564 1484 bbttbt.exe 42 PID 1484 wrote to memory of 2564 1484 bbttbt.exe 42 PID 1484 wrote to memory of 2564 1484 bbttbt.exe 42 PID 1484 wrote to memory of 2564 1484 bbttbt.exe 42 PID 2564 wrote to memory of 2700 2564 1bbhnn.exe 43 PID 2564 wrote to memory of 2700 2564 1bbhnn.exe 43 PID 2564 wrote to memory of 2700 2564 1bbhnn.exe 43 PID 2564 wrote to memory of 2700 2564 1bbhnn.exe 43 PID 2700 wrote to memory of 2496 2700 ppjjp.exe 44 PID 2700 wrote to memory of 2496 2700 ppjjp.exe 44 PID 2700 wrote to memory of 2496 2700 ppjjp.exe 44 PID 2700 wrote to memory of 2496 2700 ppjjp.exe 44 PID 2496 wrote to memory of 1876 2496 ntbnht.exe 45 PID 2496 wrote to memory of 1876 2496 ntbnht.exe 45 PID 2496 wrote to memory of 1876 2496 ntbnht.exe 45 PID 2496 wrote to memory of 1876 2496 ntbnht.exe 45
Processes (each entry shows the image path immediately followed by its command line and the nesting depth). All dropped stages are written to and executed from the root of C:\ under short lowercase names drawn from a small letter set (b, d, f, h, j, l, n, p, r, t, v, x), optionally prefixed with a digit; files executing from the root of the system drive are an uncommon location for legitimate software and a useful hunting pivot for this sample.
-
C:\Users\Admin\AppData\Local\Temp\6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe"C:\Users\Admin\AppData\Local\Temp\6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\lfrlrrf.exec:\lfrlrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\dpddj.exec:\dpddj.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\9xlfxrr.exec:\9xlfxrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\fxlrfrx.exec:\fxlrfrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\dvjpd.exec:\dvjpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\lrxlfrx.exec:\lrxlfrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\3bhhtb.exec:\3bhhtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\vpjjd.exec:\vpjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\lxlrxrf.exec:\lxlrxrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\nhttnt.exec:\nhttnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\9bbhnn.exec:\9bbhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\bbttbt.exec:\bbttbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\1bbhnn.exec:\1bbhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\ppjjp.exec:\ppjjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\ntbnht.exec:\ntbnht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\xlfxrrx.exec:\xlfxrrx.exe17⤵
- Executes dropped EXE
PID:1876 -
\??\c:\tthtnt.exec:\tthtnt.exe18⤵
- Executes dropped EXE
PID:2040 -
\??\c:\pvjpj.exec:\pvjpj.exe19⤵
- Executes dropped EXE
PID:2024 -
\??\c:\5tnnbh.exec:\5tnnbh.exe20⤵
- Executes dropped EXE
PID:1780 -
\??\c:\vvpdj.exec:\vvpdj.exe21⤵
- Executes dropped EXE
PID:2932 -
\??\c:\lfrxlxf.exec:\lfrxlxf.exe22⤵
- Executes dropped EXE
PID:2376 -
\??\c:\tthbhh.exec:\tthbhh.exe23⤵
- Executes dropped EXE
PID:2244 -
\??\c:\5xrxffl.exec:\5xrxffl.exe24⤵
- Executes dropped EXE
PID:1112 -
\??\c:\hhtnbb.exec:\hhtnbb.exe25⤵
- Executes dropped EXE
PID:2580 -
\??\c:\1dvpv.exec:\1dvpv.exe26⤵
- Executes dropped EXE
PID:1360 -
\??\c:\lxlffxf.exec:\lxlffxf.exe27⤵
- Executes dropped EXE
PID:2992 -
\??\c:\tnhhtt.exec:\tnhhtt.exe28⤵
- Executes dropped EXE
PID:2092 -
\??\c:\bbntbh.exec:\bbntbh.exe29⤵
- Executes dropped EXE
PID:332 -
\??\c:\bnbbhn.exec:\bnbbhn.exe30⤵
- Executes dropped EXE
PID:880 -
\??\c:\ffxfrxl.exec:\ffxfrxl.exe31⤵
- Executes dropped EXE
PID:876 -
\??\c:\nttnnh.exec:\nttnnh.exe32⤵
- Executes dropped EXE
PID:2120 -
\??\c:\ffxfxfl.exec:\ffxfxfl.exe33⤵
- Executes dropped EXE
PID:1560 -
\??\c:\5frxrrf.exec:\5frxrrf.exe34⤵
- Executes dropped EXE
PID:2964 -
\??\c:\dpddp.exec:\dpddp.exe35⤵
- Executes dropped EXE
PID:2364 -
\??\c:\1dppv.exec:\1dppv.exe36⤵
- Executes dropped EXE
PID:2340 -
\??\c:\xrffrrf.exec:\xrffrrf.exe37⤵
- Executes dropped EXE
PID:2320 -
\??\c:\5tthnb.exec:\5tthnb.exe38⤵
- Executes dropped EXE
PID:2824 -
\??\c:\jjvvd.exec:\jjvvd.exe39⤵
- Executes dropped EXE
PID:2980 -
\??\c:\3vjdj.exec:\3vjdj.exe40⤵
- Executes dropped EXE
PID:2708 -
\??\c:\flrlrrx.exec:\flrlrrx.exe41⤵
- Executes dropped EXE
PID:2620 -
\??\c:\nhntnn.exec:\nhntnn.exe42⤵
- Executes dropped EXE
PID:2712 -
\??\c:\ttntht.exec:\ttntht.exe43⤵
- Executes dropped EXE
PID:2772 -
\??\c:\dvddp.exec:\dvddp.exe44⤵
- Executes dropped EXE
PID:2652 -
\??\c:\xlrrxxf.exec:\xlrrxxf.exe45⤵
- Executes dropped EXE
PID:2768 -
\??\c:\xlxxllx.exec:\xlxxllx.exe46⤵
- Executes dropped EXE
PID:2176 -
\??\c:\1bnnnn.exec:\1bnnnn.exe47⤵
- Executes dropped EXE
PID:676 -
\??\c:\jvpvd.exec:\jvpvd.exe48⤵
- Executes dropped EXE
PID:664 -
\??\c:\ddpvv.exec:\ddpvv.exe49⤵
- Executes dropped EXE
PID:1388 -
\??\c:\1lfxfxx.exec:\1lfxfxx.exe50⤵
- Executes dropped EXE
PID:1184 -
\??\c:\9thhhh.exec:\9thhhh.exe51⤵
- Executes dropped EXE
PID:2700 -
\??\c:\hnbhnn.exec:\hnbhnn.exe52⤵
- Executes dropped EXE
PID:1340 -
\??\c:\jjvvd.exec:\jjvvd.exe53⤵
- Executes dropped EXE
PID:548 -
\??\c:\xrrfrfx.exec:\xrrfrfx.exe54⤵
- Executes dropped EXE
PID:1268 -
\??\c:\1lrrrrf.exec:\1lrrrrf.exe55⤵
- Executes dropped EXE
PID:1996 -
\??\c:\1hbbhh.exec:\1hbbhh.exe56⤵
- Executes dropped EXE
PID:1244 -
\??\c:\pjddj.exec:\pjddj.exe57⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jppjd.exec:\jppjd.exe58⤵
- Executes dropped EXE
PID:2904 -
\??\c:\fxlfrfl.exec:\fxlfrfl.exe59⤵
- Executes dropped EXE
PID:2296 -
\??\c:\ffllrlr.exec:\ffllrlr.exe60⤵
- Executes dropped EXE
PID:2232 -
\??\c:\7hbhnt.exec:\7hbhnt.exe61⤵
- Executes dropped EXE
PID:2164 -
\??\c:\vpjpp.exec:\vpjpp.exe62⤵
- Executes dropped EXE
PID:2244 -
\??\c:\fxrxffr.exec:\fxrxffr.exe63⤵
- Executes dropped EXE
PID:1136 -
\??\c:\lrllxxf.exec:\lrllxxf.exe64⤵
- Executes dropped EXE
PID:2576 -
\??\c:\hbttbh.exec:\hbttbh.exe65⤵
- Executes dropped EXE
PID:948 -
\??\c:\vvvdv.exec:\vvvdv.exe66⤵PID:2436
-
\??\c:\ffrfrxr.exec:\ffrfrxr.exe67⤵PID:2200
-
\??\c:\rrrxllx.exec:\rrrxllx.exe68⤵PID:1232
-
\??\c:\ttbhnt.exec:\ttbhnt.exe69⤵PID:332
-
\??\c:\vvdjp.exec:\vvdjp.exe70⤵PID:1492
-
\??\c:\jdppp.exec:\jdppp.exe71⤵PID:2444
-
\??\c:\5ffflrf.exec:\5ffflrf.exe72⤵PID:2148
-
\??\c:\xrffllr.exec:\xrffllr.exe73⤵PID:2124
-
\??\c:\bbhnhh.exec:\bbhnhh.exe74⤵PID:1560
-
\??\c:\vvvjj.exec:\vvvjj.exe75⤵PID:2384
-
\??\c:\dvvjv.exec:\dvvjv.exe76⤵PID:1688
-
\??\c:\5rlxflx.exec:\5rlxflx.exe77⤵PID:1480
-
\??\c:\btnbbb.exec:\btnbbb.exe78⤵PID:2336
-
\??\c:\3nbbbt.exec:\3nbbbt.exe79⤵
- System Location Discovery: System Language Discovery
PID:2804 -
\??\c:\pdppp.exec:\pdppp.exe80⤵PID:2752
-
\??\c:\7xlfrrr.exec:\7xlfrrr.exe81⤵PID:2756
-
\??\c:\xrfflrx.exec:\xrfflrx.exe82⤵PID:2976
-
\??\c:\nnbthn.exec:\nnbthn.exe83⤵PID:2872
-
\??\c:\vpdjp.exec:\vpdjp.exe84⤵PID:2348
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe85⤵PID:2664
-
\??\c:\xxrfrrf.exec:\xxrfrrf.exe86⤵PID:2648
-
\??\c:\5hbnbb.exec:\5hbnbb.exe87⤵PID:2640
-
\??\c:\hbnhnn.exec:\hbnhnn.exe88⤵PID:1640
-
\??\c:\9jvvd.exec:\9jvvd.exe89⤵PID:844
-
\??\c:\1xlrflr.exec:\1xlrflr.exe90⤵PID:664
-
\??\c:\3lxxfxl.exec:\3lxxfxl.exe91⤵PID:832
-
\??\c:\nnhttb.exec:\nnhttb.exe92⤵PID:2868
-
\??\c:\vjdpd.exec:\vjdpd.exe93⤵PID:836
-
\??\c:\dvvvd.exec:\dvvvd.exe94⤵PID:852
-
\??\c:\frflxxf.exec:\frflxxf.exe95⤵PID:1888
-
\??\c:\nnhhth.exec:\nnhhth.exe96⤵PID:1936
-
\??\c:\5thhnt.exec:\5thhnt.exe97⤵PID:1884
-
\??\c:\pjjdj.exec:\pjjdj.exe98⤵PID:2180
-
\??\c:\xrlxlxl.exec:\xrlxlxl.exe99⤵
- System Location Discovery: System Language Discovery
PID:2924 -
\??\c:\9lfxfff.exec:\9lfxfff.exe100⤵PID:3056
-
\??\c:\btnhnn.exec:\btnhnn.exe101⤵PID:1704
-
\??\c:\ppddd.exec:\ppddd.exe102⤵PID:2224
-
\??\c:\vpjjv.exec:\vpjjv.exe103⤵PID:1856
-
\??\c:\rlxflrx.exec:\rlxflrx.exe104⤵PID:448
-
\??\c:\7xlfllr.exec:\7xlfllr.exe105⤵PID:1756
-
\??\c:\hbnntb.exec:\hbnntb.exe106⤵PID:1596
-
\??\c:\jjvvj.exec:\jjvvj.exe107⤵PID:1500
-
\??\c:\9xrxflr.exec:\9xrxflr.exe108⤵PID:2992
-
\??\c:\xrlrlxl.exec:\xrlrlxl.exe109⤵PID:1476
-
\??\c:\tnnbtt.exec:\tnnbtt.exe110⤵PID:2200
-
\??\c:\pvjjj.exec:\pvjjj.exe111⤵PID:1676
-
\??\c:\ddpjp.exec:\ddpjp.exe112⤵PID:3012
-
\??\c:\3lffflr.exec:\3lffflr.exe113⤵PID:1348
-
\??\c:\nhtthn.exec:\nhtthn.exe114⤵PID:2444
-
\??\c:\bthhnn.exec:\bthhnn.exe115⤵PID:2136
-
\??\c:\7jppp.exec:\7jppp.exe116⤵PID:2124
-
\??\c:\lfxrrxx.exec:\lfxrrxx.exe117⤵PID:2876
-
\??\c:\xxrfxxl.exec:\xxrfxxl.exe118⤵PID:2144
-
\??\c:\bthhnt.exec:\bthhnt.exe119⤵PID:2880
-
\??\c:\9pddd.exec:\9pddd.exe120⤵PID:1480
-
\??\c:\3lrrrxf.exec:\3lrrrxf.exe121⤵PID:2336
-
\??\c:\rrxflrx.exec:\rrxflrx.exe122⤵PID:2988