Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 21:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b06f9023e6d8e48196d6f50cd4d9098bc91387b8f88bbf17bdfd4f9076a9e3b3N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b06f9023e6d8e48196d6f50cd4d9098bc91387b8f88bbf17bdfd4f9076a9e3b3N.exe
-
Size
454KB
-
MD5
5106befc5d42038c8f6f1579147c79b0
-
SHA1
4b2186fa426f1c642889c17a9f534c2d5901655b
-
SHA256
b06f9023e6d8e48196d6f50cd4d9098bc91387b8f88bbf17bdfd4f9076a9e3b3
-
SHA512
faa2a85581b8100e69d9a51414a225e10bdb555b5f2f30a4dc26ec5b14114fd639ed4f10aa70b53999b87440d016e8674c4b1775d9f8826ff4817057557e5c12
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1408-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3248-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/832-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-1101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-1452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1064-1822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2696 tnhthh.exe 4936 llrrrxx.exe 2012 pvvvj.exe 2264 9thnht.exe 60 vpvvv.exe 3216 5flllrr.exe 3320 7tbbhb.exe 2576 tbbbbb.exe 4516 pdppj.exe 1392 vddjv.exe 4028 vjpjp.exe 3492 ffxrrxr.exe 2116 ttnnht.exe 2648 htbtth.exe 1932 jjjpj.exe 5048 lxlfffl.exe 1508 hhnhbb.exe 4348 jjdvp.exe 5076 tbhbtt.exe 4172 jdjjd.exe 2628 bttntn.exe 5012 dpjdv.exe 4492 lffrrrr.exe 3248 bbnbtt.exe 3356 nttbtn.exe 3280 7ppdv.exe 4748 htnntb.exe 1516 5lffrxl.exe 3916 nnnbth.exe 4476 pjvpp.exe 620 rlrxfxl.exe 4932 xrflrxl.exe 2908 httbtt.exe 3632 pppjd.exe 916 tttntb.exe 4816 pjvdp.exe 4912 llrrfll.exe 1376 thnhbb.exe 764 vpjjv.exe 396 lrrfxxx.exe 4048 vppdv.exe 4392 lxxrxxr.exe 4820 1vppp.exe 1244 xrrlflf.exe 1816 3jvdd.exe 1916 rxrfxxl.exe 4920 7nthbn.exe 4968 ppdvp.exe 3436 rrfxrll.exe 4316 nhtthh.exe 4592 vvddv.exe 4220 flrrllr.exe 4760 btttnn.exe 1880 ddpjj.exe 464 fxlfxxl.exe 4228 tnnnbb.exe 1392 dpjdv.exe 3532 fxrfxfx.exe 4928 ttbttt.exe 4656 jdvdd.exe 1076 xxlxrrx.exe 1584 9ntbtb.exe 4720 dvppv.exe 3308 pvjdd.exe -
resource yara_rule behavioral2/memory/1408-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-135-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3248-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2120-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-773-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b06f9023e6d8e48196d6f50cd4d9098bc91387b8f88bbf17bdfd4f9076a9e3b3N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1408 wrote to memory of 2696 1408 b06f9023e6d8e48196d6f50cd4d9098bc91387b8f88bbf17bdfd4f9076a9e3b3N.exe 83 PID 1408 wrote to memory of 2696 1408 b06f9023e6d8e48196d6f50cd4d9098bc91387b8f88bbf17bdfd4f9076a9e3b3N.exe 83 PID 1408 wrote to memory of 2696 1408 b06f9023e6d8e48196d6f50cd4d9098bc91387b8f88bbf17bdfd4f9076a9e3b3N.exe 83 PID 2696 wrote to memory of 4936 2696 tnhthh.exe 84 PID 2696 wrote to memory of 4936 2696 tnhthh.exe 84 PID 2696 wrote to memory of 4936 2696 tnhthh.exe 84 PID 4936 wrote to memory of 2012 4936 llrrrxx.exe 85 PID 4936 wrote to memory of 2012 4936 llrrrxx.exe 85 PID 4936 wrote to memory of 2012 4936 llrrrxx.exe 85 PID 2012 wrote to memory of 2264 2012 pvvvj.exe 86 PID 2012 wrote to memory of 2264 2012 pvvvj.exe 86 PID 2012 wrote to memory of 2264 2012 pvvvj.exe 86 PID 2264 wrote to memory of 60 2264 9thnht.exe 87 PID 2264 wrote to memory of 60 2264 9thnht.exe 87 PID 2264 wrote to memory of 60 2264 9thnht.exe 87 PID 60 wrote to memory of 3216 60 vpvvv.exe 88 PID 60 wrote to memory of 3216 60 vpvvv.exe 88 PID 60 wrote to memory of 3216 60 vpvvv.exe 88 PID 3216 wrote to memory of 3320 3216 5flllrr.exe 89 PID 3216 wrote to memory of 3320 3216 5flllrr.exe 89 PID 3216 wrote to memory of 3320 3216 5flllrr.exe 89 PID 3320 wrote to memory of 2576 3320 7tbbhb.exe 90 PID 3320 wrote to memory of 2576 3320 7tbbhb.exe 90 PID 3320 wrote to memory of 2576 3320 7tbbhb.exe 90 PID 2576 wrote to memory of 4516 2576 tbbbbb.exe 91 PID 2576 wrote to memory of 4516 2576 tbbbbb.exe 91 PID 2576 wrote to memory of 4516 2576 tbbbbb.exe 91 PID 4516 wrote to memory of 1392 4516 pdppj.exe 92 PID 4516 wrote to memory of 1392 4516 pdppj.exe 92 PID 4516 wrote to memory of 1392 4516 pdppj.exe 92 PID 1392 wrote to memory of 4028 1392 vddjv.exe 93 PID 1392 wrote to memory of 4028 1392 vddjv.exe 93 PID 1392 wrote to memory of 4028 1392 vddjv.exe 93 PID 4028 wrote to memory of 3492 4028 vjpjp.exe 94 PID 4028 wrote to memory of 3492 4028 
vjpjp.exe 94 PID 4028 wrote to memory of 3492 4028 vjpjp.exe 94 PID 3492 wrote to memory of 2116 3492 ffxrrxr.exe 95 PID 3492 wrote to memory of 2116 3492 ffxrrxr.exe 95 PID 3492 wrote to memory of 2116 3492 ffxrrxr.exe 95 PID 2116 wrote to memory of 2648 2116 ttnnht.exe 96 PID 2116 wrote to memory of 2648 2116 ttnnht.exe 96 PID 2116 wrote to memory of 2648 2116 ttnnht.exe 96 PID 2648 wrote to memory of 1932 2648 htbtth.exe 97 PID 2648 wrote to memory of 1932 2648 htbtth.exe 97 PID 2648 wrote to memory of 1932 2648 htbtth.exe 97 PID 1932 wrote to memory of 5048 1932 jjjpj.exe 98 PID 1932 wrote to memory of 5048 1932 jjjpj.exe 98 PID 1932 wrote to memory of 5048 1932 jjjpj.exe 98 PID 5048 wrote to memory of 1508 5048 lxlfffl.exe 99 PID 5048 wrote to memory of 1508 5048 lxlfffl.exe 99 PID 5048 wrote to memory of 1508 5048 lxlfffl.exe 99 PID 1508 wrote to memory of 4348 1508 hhnhbb.exe 100 PID 1508 wrote to memory of 4348 1508 hhnhbb.exe 100 PID 1508 wrote to memory of 4348 1508 hhnhbb.exe 100 PID 4348 wrote to memory of 5076 4348 jjdvp.exe 101 PID 4348 wrote to memory of 5076 4348 jjdvp.exe 101 PID 4348 wrote to memory of 5076 4348 jjdvp.exe 101 PID 5076 wrote to memory of 4172 5076 tbhbtt.exe 102 PID 5076 wrote to memory of 4172 5076 tbhbtt.exe 102 PID 5076 wrote to memory of 4172 5076 tbhbtt.exe 102 PID 4172 wrote to memory of 2628 4172 jdjjd.exe 103 PID 4172 wrote to memory of 2628 4172 jdjjd.exe 103 PID 4172 wrote to memory of 2628 4172 jdjjd.exe 103 PID 2628 wrote to memory of 5012 2628 bttntn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b06f9023e6d8e48196d6f50cd4d9098bc91387b8f88bbf17bdfd4f9076a9e3b3N.exe"C:\Users\Admin\AppData\Local\Temp\b06f9023e6d8e48196d6f50cd4d9098bc91387b8f88bbf17bdfd4f9076a9e3b3N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\tnhthh.exec:\tnhthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\llrrrxx.exec:\llrrrxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\pvvvj.exec:\pvvvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\9thnht.exec:\9thnht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\vpvvv.exec:\vpvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\5flllrr.exec:\5flllrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\7tbbhb.exec:\7tbbhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\tbbbbb.exec:\tbbbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\pdppj.exec:\pdppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\vddjv.exec:\vddjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\vjpjp.exec:\vjpjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\ffxrrxr.exec:\ffxrrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\ttnnht.exec:\ttnnht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\htbtth.exec:\htbtth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\jjjpj.exec:\jjjpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\lxlfffl.exec:\lxlfffl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\hhnhbb.exec:\hhnhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\jjdvp.exec:\jjdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\tbhbtt.exec:\tbhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\jdjjd.exec:\jdjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\bttntn.exec:\bttntn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\dpjdv.exec:\dpjdv.exe23⤵
- Executes dropped EXE
PID:5012 -
\??\c:\lffrrrr.exec:\lffrrrr.exe24⤵
- Executes dropped EXE
PID:4492 -
\??\c:\bbnbtt.exec:\bbnbtt.exe25⤵
- Executes dropped EXE
PID:3248 -
\??\c:\nttbtn.exec:\nttbtn.exe26⤵
- Executes dropped EXE
PID:3356 -
\??\c:\7ppdv.exec:\7ppdv.exe27⤵
- Executes dropped EXE
PID:3280 -
\??\c:\htnntb.exec:\htnntb.exe28⤵
- Executes dropped EXE
PID:4748 -
\??\c:\5lffrxl.exec:\5lffrxl.exe29⤵
- Executes dropped EXE
PID:1516 -
\??\c:\nnnbth.exec:\nnnbth.exe30⤵
- Executes dropped EXE
PID:3916 -
\??\c:\pjvpp.exec:\pjvpp.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4476 -
\??\c:\rlrxfxl.exec:\rlrxfxl.exe32⤵
- Executes dropped EXE
PID:620 -
\??\c:\xrflrxl.exec:\xrflrxl.exe33⤵
- Executes dropped EXE
PID:4932 -
\??\c:\httbtt.exec:\httbtt.exe34⤵
- Executes dropped EXE
PID:2908 -
\??\c:\pppjd.exec:\pppjd.exe35⤵
- Executes dropped EXE
PID:3632 -
\??\c:\tttntb.exec:\tttntb.exe36⤵
- Executes dropped EXE
PID:916 -
\??\c:\pjvdp.exec:\pjvdp.exe37⤵
- Executes dropped EXE
PID:4816 -
\??\c:\llrrfll.exec:\llrrfll.exe38⤵
- Executes dropped EXE
PID:4912 -
\??\c:\thnhbb.exec:\thnhbb.exe39⤵
- Executes dropped EXE
PID:1376 -
\??\c:\vpjjv.exec:\vpjjv.exe40⤵
- Executes dropped EXE
PID:764 -
\??\c:\lrrfxxx.exec:\lrrfxxx.exe41⤵
- Executes dropped EXE
PID:396 -
\??\c:\vppdv.exec:\vppdv.exe42⤵
- Executes dropped EXE
PID:4048 -
\??\c:\lxxrxxr.exec:\lxxrxxr.exe43⤵
- Executes dropped EXE
PID:4392 -
\??\c:\1vppp.exec:\1vppp.exe44⤵
- Executes dropped EXE
PID:4820 -
\??\c:\xrrlflf.exec:\xrrlflf.exe45⤵
- Executes dropped EXE
PID:1244 -
\??\c:\3jvdd.exec:\3jvdd.exe46⤵
- Executes dropped EXE
PID:1816 -
\??\c:\rxrfxxl.exec:\rxrfxxl.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1916 -
\??\c:\7nthbn.exec:\7nthbn.exe48⤵
- Executes dropped EXE
PID:4920 -
\??\c:\ppdvp.exec:\ppdvp.exe49⤵
- Executes dropped EXE
PID:4968 -
\??\c:\rrfxrll.exec:\rrfxrll.exe50⤵
- Executes dropped EXE
PID:3436 -
\??\c:\nhtthh.exec:\nhtthh.exe51⤵
- Executes dropped EXE
PID:4316 -
\??\c:\vvddv.exec:\vvddv.exe52⤵
- Executes dropped EXE
PID:4592 -
\??\c:\flrrllr.exec:\flrrllr.exe53⤵
- Executes dropped EXE
PID:4220 -
\??\c:\btttnn.exec:\btttnn.exe54⤵
- Executes dropped EXE
PID:4760 -
\??\c:\ddpjj.exec:\ddpjj.exe55⤵
- Executes dropped EXE
PID:1880 -
\??\c:\fxlfxxl.exec:\fxlfxxl.exe56⤵
- Executes dropped EXE
PID:464 -
\??\c:\tnnnbb.exec:\tnnnbb.exe57⤵
- Executes dropped EXE
PID:4228 -
\??\c:\dpjdv.exec:\dpjdv.exe58⤵
- Executes dropped EXE
PID:1392 -
\??\c:\fxrfxfx.exec:\fxrfxfx.exe59⤵
- Executes dropped EXE
PID:3532 -
\??\c:\ttbttt.exec:\ttbttt.exe60⤵
- Executes dropped EXE
PID:4928 -
\??\c:\jdvdd.exec:\jdvdd.exe61⤵
- Executes dropped EXE
PID:4656 -
\??\c:\xxlxrrx.exec:\xxlxrrx.exe62⤵
- Executes dropped EXE
PID:1076 -
\??\c:\9ntbtb.exec:\9ntbtb.exe63⤵
- Executes dropped EXE
PID:1584 -
\??\c:\dvppv.exec:\dvppv.exe64⤵
- Executes dropped EXE
PID:4720 -
\??\c:\pvjdd.exec:\pvjdd.exe65⤵
- Executes dropped EXE
PID:3308 -
\??\c:\thbbhn.exec:\thbbhn.exe66⤵PID:3268
-
\??\c:\vppvd.exec:\vppvd.exe67⤵PID:2760
-
\??\c:\vdvdp.exec:\vdvdp.exe68⤵PID:832
-
\??\c:\ffllxff.exec:\ffllxff.exe69⤵PID:4692
-
\??\c:\bbnttt.exec:\bbnttt.exe70⤵PID:4808
-
\??\c:\vvjpd.exec:\vvjpd.exe71⤵PID:4576
-
\??\c:\frlrxlr.exec:\frlrxlr.exe72⤵PID:3376
-
\??\c:\1bhhtb.exec:\1bhhtb.exe73⤵PID:1776
-
\??\c:\tnnnhh.exec:\tnnnhh.exe74⤵PID:3488
-
\??\c:\vvjjp.exec:\vvjjp.exe75⤵PID:3388
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe76⤵PID:3188
-
\??\c:\hhnntb.exec:\hhnntb.exe77⤵PID:1628
-
\??\c:\ddjjj.exec:\ddjjj.exe78⤵PID:4344
-
\??\c:\lxxffxf.exec:\lxxffxf.exe79⤵PID:2772
-
\??\c:\htthnt.exec:\htthnt.exe80⤵PID:4200
-
\??\c:\tbhhhh.exec:\tbhhhh.exe81⤵PID:2120
-
\??\c:\vdjdj.exec:\vdjdj.exe82⤵PID:2336
-
\??\c:\rxllfll.exec:\rxllfll.exe83⤵PID:1516
-
\??\c:\bbntbn.exec:\bbntbn.exe84⤵PID:2036
-
\??\c:\vdjjj.exec:\vdjjj.exe85⤵PID:1664
-
\??\c:\frflllf.exec:\frflllf.exe86⤵PID:3644
-
\??\c:\bnnnhh.exec:\bnnnhh.exe87⤵PID:620
-
\??\c:\jddpv.exec:\jddpv.exe88⤵PID:4976
-
\??\c:\rfrrlrl.exec:\rfrrlrl.exe89⤵PID:3836
-
\??\c:\hnnnnb.exec:\hnnnnb.exe90⤵PID:2444
-
\??\c:\dvjjd.exec:\dvjjd.exe91⤵PID:5080
-
\??\c:\rrxxfxf.exec:\rrxxfxf.exe92⤵PID:3816
-
\??\c:\hhtntt.exec:\hhtntt.exe93⤵PID:1864
-
\??\c:\bnbbtb.exec:\bnbbtb.exe94⤵PID:1468
-
\??\c:\1ddvv.exec:\1ddvv.exe95⤵PID:3760
-
\??\c:\lrrrrfl.exec:\lrrrrfl.exe96⤵PID:396
-
\??\c:\htthht.exec:\htthht.exe97⤵
- System Location Discovery: System Language Discovery
PID:4408 -
\??\c:\ddddd.exec:\ddddd.exe98⤵PID:2280
-
\??\c:\3fllfff.exec:\3fllfff.exe99⤵PID:224
-
\??\c:\ffllllr.exec:\ffllllr.exe100⤵PID:2252
-
\??\c:\thtbbn.exec:\thtbbn.exe101⤵PID:2912
-
\??\c:\9djjp.exec:\9djjp.exe102⤵PID:4992
-
\??\c:\llffxff.exec:\llffxff.exe103⤵PID:1788
-
\??\c:\5nhntb.exec:\5nhntb.exe104⤵PID:1176
-
\??\c:\3vvpp.exec:\3vvpp.exe105⤵PID:1168
-
\??\c:\lrxxxlf.exec:\lrxxxlf.exe106⤵PID:1552
-
\??\c:\bnbnhh.exec:\bnbnhh.exe107⤵PID:4316
-
\??\c:\btbbhn.exec:\btbbhn.exe108⤵PID:524
-
\??\c:\1pvdd.exec:\1pvdd.exe109⤵PID:2956
-
\??\c:\3flrflx.exec:\3flrflx.exe110⤵PID:1240
-
\??\c:\ttthth.exec:\ttthth.exe111⤵PID:4760
-
\??\c:\jjpvj.exec:\jjpvj.exe112⤵PID:4456
-
\??\c:\fxlfxfx.exec:\fxlfxfx.exe113⤵PID:4880
-
\??\c:\ntnntb.exec:\ntnntb.exe114⤵PID:1604
-
\??\c:\pjvdj.exec:\pjvdj.exe115⤵
- System Location Discovery: System Language Discovery
PID:2688 -
\??\c:\frrxrfx.exec:\frrxrfx.exe116⤵PID:752
-
\??\c:\tbtbth.exec:\tbtbth.exe117⤵PID:4616
-
\??\c:\vvppv.exec:\vvppv.exe118⤵PID:4860
-
\??\c:\9flrflf.exec:\9flrflf.exe119⤵PID:3548
-
\??\c:\nnhnbb.exec:\nnhnbb.exe120⤵PID:2648
-
\??\c:\vvpjd.exec:\vvpjd.exe121⤵PID:3480
-
\??\c:\lrxrxxf.exec:\lrxrxxf.exe122⤵PID:1932