Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 04:20
Behavioral task
behavioral1
Sample
9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe
-
Size
334KB
-
MD5
9001bcd4ccc5a1740d8399910760cee7
-
SHA1
8a8c1d975fc0455f6d1e88f256074a066a7bbd04
-
SHA256
9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e
-
SHA512
b017adaca88fe3d6d5eb8e9092bfc28c04515407067cdbbe5f206183919a538a11b6b0b14b34ffbf7d0396d2b54fbe50229390869f7d2fd7e5cad9c44d57e302
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tX:94wFHoStJdSjylh2b77BoTMA9gX59sTf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2976-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/804-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1780-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3992-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/336-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4024-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4988-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1576-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1760-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/652-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1712-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3464-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1964-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/684-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3568-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2668-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3344-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1660-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-505-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4100-542-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-590-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-594-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-708-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-1049-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1580-1305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3656 tthttt.exe 4484 frfxrlx.exe 1780 7dvvj.exe 804 btntnb.exe 4688 rxrrlrl.exe 2416 rlrffrl.exe 3112 rlrxfrf.exe 3128 0860066.exe 3952 5bbnbt.exe 3992 844260.exe 972 84042.exe 1100 tnrfxr.exe 4528 rflxfxx.exe 1336 ppvpj.exe 1884 9hbnhb.exe 336 680604.exe 5108 tnhthb.exe 3688 nbhthb.exe 4024 2804606.exe 452 hbtnhh.exe 1120 00884.exe 4796 nnntht.exe 4988 4660286.exe 2028 44648.exe 1576 6086482.exe 2292 8886486.exe 3056 62808.exe 3576 nbnnbh.exe 4844 8082806.exe 8 bttntn.exe 4916 080464.exe 3860 ntbtnh.exe 2788 i840420.exe 1760 pvvpj.exe 1444 800048.exe 4244 0408244.exe 4704 tthbtt.exe 2584 888266.exe 1428 jvpjd.exe 4068 5xxrlfr.exe 652 pjpjv.exe 456 866426.exe 1940 222644.exe 1712 thhnhb.exe 3464 rffxlll.exe 3108 htnhbt.exe 3352 vpvvv.exe 1796 fxlffff.exe 3088 pjddv.exe 1892 602604.exe 2300 a2826.exe 2464 thnhhb.exe 3384 8244040.exe 4680 282260.exe 4880 xllxxll.exe 4388 fxrfxfx.exe 2524 k84204.exe 2976 884866.exe 3572 jvpjd.exe 4904 rrffxxx.exe 1964 0004482.exe 772 468044.exe 684 fxxrrfx.exe 4808 0404822.exe -
resource yara_rule behavioral2/memory/2976-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c90-3.dat upx behavioral2/memory/2976-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-9.dat upx behavioral2/files/0x0007000000023c95-11.dat upx behavioral2/memory/4484-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-19.dat upx behavioral2/memory/804-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1780-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3656-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-24.dat upx behavioral2/files/0x0007000000023c98-28.dat upx behavioral2/memory/4688-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-34.dat upx behavioral2/files/0x0007000000023c9a-37.dat upx behavioral2/memory/3112-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3128-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-42.dat upx behavioral2/files/0x0007000000023c9c-47.dat upx behavioral2/memory/3952-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-52.dat upx behavioral2/memory/3992-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c91-57.dat upx behavioral2/files/0x0007000000023c9f-61.dat upx behavioral2/files/0x0007000000023ca0-65.dat upx behavioral2/memory/4528-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1336-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-71.dat upx behavioral2/files/0x0007000000023ca2-75.dat upx behavioral2/files/0x0007000000023ca3-80.dat upx behavioral2/memory/336-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-84.dat upx 
behavioral2/memory/3688-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5108-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-90.dat upx behavioral2/memory/4024-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-96.dat upx behavioral2/memory/4024-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-100.dat upx behavioral2/memory/452-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-106.dat upx behavioral2/memory/1120-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-111.dat upx behavioral2/memory/4988-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4796-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-116.dat upx behavioral2/files/0x0007000000023cab-120.dat upx behavioral2/memory/2028-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-126.dat upx behavioral2/memory/1576-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-130.dat upx behavioral2/memory/3056-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-134.dat upx behavioral2/memory/4844-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-140.dat upx behavioral2/files/0x0007000000023cb0-144.dat upx behavioral2/files/0x0007000000023cb1-148.dat upx behavioral2/memory/8-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-154.dat upx behavioral2/memory/1760-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4704-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/652-177-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1940-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1712-185-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k88266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8000422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0244822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0444822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2976 wrote to memory of 3656 2976 9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe 83 PID 2976 wrote to memory of 3656 2976 9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe 83 PID 2976 wrote to memory of 3656 2976 9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe 83 PID 3656 wrote to memory of 4484 3656 tthttt.exe 84 PID 3656 wrote to memory of 4484 3656 tthttt.exe 84 PID 3656 wrote to memory of 4484 3656 tthttt.exe 84 PID 4484 wrote to memory of 1780 4484 frfxrlx.exe 85 PID 4484 wrote to memory of 1780 4484 frfxrlx.exe 85 PID 4484 wrote to memory of 1780 4484 frfxrlx.exe 85 PID 1780 wrote to memory of 804 1780 7dvvj.exe 86 PID 1780 wrote to memory of 804 1780 7dvvj.exe 86 PID 1780 wrote to memory of 804 1780 7dvvj.exe 86 PID 804 wrote to memory of 4688 804 btntnb.exe 87 PID 804 wrote to memory of 4688 804 btntnb.exe 87 PID 804 wrote to memory of 4688 804 btntnb.exe 87 PID 4688 wrote to memory of 2416 4688 rxrrlrl.exe 88 PID 4688 wrote to memory of 2416 4688 rxrrlrl.exe 88 PID 4688 wrote to memory of 2416 4688 rxrrlrl.exe 88 PID 2416 wrote to memory of 3112 2416 rlrffrl.exe 89 PID 2416 wrote to memory of 3112 2416 rlrffrl.exe 89 PID 2416 wrote to memory of 3112 2416 rlrffrl.exe 89 PID 3112 wrote to memory of 3128 3112 rlrxfrf.exe 90 PID 3112 wrote to memory of 3128 3112 rlrxfrf.exe 90 PID 3112 wrote to memory of 3128 3112 rlrxfrf.exe 90 PID 3128 wrote to memory of 3952 3128 0860066.exe 91 PID 3128 wrote to memory of 3952 3128 0860066.exe 91 PID 3128 wrote to memory of 3952 3128 0860066.exe 91 PID 3952 wrote to memory of 3992 3952 5bbnbt.exe 92 PID 3952 wrote to memory of 3992 3952 5bbnbt.exe 92 PID 3952 wrote to memory of 3992 3952 5bbnbt.exe 92 PID 3992 wrote to memory of 972 3992 844260.exe 93 PID 3992 wrote to memory of 972 3992 844260.exe 93 PID 3992 wrote to memory of 972 3992 844260.exe 93 PID 972 wrote to memory of 1100 972 84042.exe 94 PID 972 wrote to 
memory of 1100 972 84042.exe 94 PID 972 wrote to memory of 1100 972 84042.exe 94 PID 1100 wrote to memory of 4528 1100 tnrfxr.exe 95 PID 1100 wrote to memory of 4528 1100 tnrfxr.exe 95 PID 1100 wrote to memory of 4528 1100 tnrfxr.exe 95 PID 4528 wrote to memory of 1336 4528 rflxfxx.exe 96 PID 4528 wrote to memory of 1336 4528 rflxfxx.exe 96 PID 4528 wrote to memory of 1336 4528 rflxfxx.exe 96 PID 1336 wrote to memory of 1884 1336 ppvpj.exe 97 PID 1336 wrote to memory of 1884 1336 ppvpj.exe 97 PID 1336 wrote to memory of 1884 1336 ppvpj.exe 97 PID 1884 wrote to memory of 336 1884 9hbnhb.exe 98 PID 1884 wrote to memory of 336 1884 9hbnhb.exe 98 PID 1884 wrote to memory of 336 1884 9hbnhb.exe 98 PID 336 wrote to memory of 5108 336 680604.exe 99 PID 336 wrote to memory of 5108 336 680604.exe 99 PID 336 wrote to memory of 5108 336 680604.exe 99 PID 5108 wrote to memory of 3688 5108 tnhthb.exe 100 PID 5108 wrote to memory of 3688 5108 tnhthb.exe 100 PID 5108 wrote to memory of 3688 5108 tnhthb.exe 100 PID 3688 wrote to memory of 4024 3688 nbhthb.exe 101 PID 3688 wrote to memory of 4024 3688 nbhthb.exe 101 PID 3688 wrote to memory of 4024 3688 nbhthb.exe 101 PID 4024 wrote to memory of 452 4024 2804606.exe 102 PID 4024 wrote to memory of 452 4024 2804606.exe 102 PID 4024 wrote to memory of 452 4024 2804606.exe 102 PID 452 wrote to memory of 1120 452 hbtnhh.exe 103 PID 452 wrote to memory of 1120 452 hbtnhh.exe 103 PID 452 wrote to memory of 1120 452 hbtnhh.exe 103 PID 1120 wrote to memory of 4796 1120 00884.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe"C:\Users\Admin\AppData\Local\Temp\9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\tthttt.exec:\tthttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\frfxrlx.exec:\frfxrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\7dvvj.exec:\7dvvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\btntnb.exec:\btntnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\rxrrlrl.exec:\rxrrlrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\rlrffrl.exec:\rlrffrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\rlrxfrf.exec:\rlrxfrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\0860066.exec:\0860066.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\5bbnbt.exec:\5bbnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\844260.exec:\844260.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\84042.exec:\84042.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\tnrfxr.exec:\tnrfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\rflxfxx.exec:\rflxfxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\ppvpj.exec:\ppvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\9hbnhb.exec:\9hbnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\680604.exec:\680604.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\tnhthb.exec:\tnhthb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\nbhthb.exec:\nbhthb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\2804606.exec:\2804606.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\hbtnhh.exec:\hbtnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\00884.exec:\00884.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\nnntht.exec:\nnntht.exe23⤵
- Executes dropped EXE
PID:4796 -
\??\c:\4660286.exec:\4660286.exe24⤵
- Executes dropped EXE
PID:4988 -
\??\c:\44648.exec:\44648.exe25⤵
- Executes dropped EXE
PID:2028 -
\??\c:\6086482.exec:\6086482.exe26⤵
- Executes dropped EXE
PID:1576 -
\??\c:\8886486.exec:\8886486.exe27⤵
- Executes dropped EXE
PID:2292 -
\??\c:\62808.exec:\62808.exe28⤵
- Executes dropped EXE
PID:3056 -
\??\c:\nbnnbh.exec:\nbnnbh.exe29⤵
- Executes dropped EXE
PID:3576 -
\??\c:\8082806.exec:\8082806.exe30⤵
- Executes dropped EXE
PID:4844 -
\??\c:\bttntn.exec:\bttntn.exe31⤵
- Executes dropped EXE
PID:8 -
\??\c:\080464.exec:\080464.exe32⤵
- Executes dropped EXE
PID:4916 -
\??\c:\ntbtnh.exec:\ntbtnh.exe33⤵
- Executes dropped EXE
PID:3860 -
\??\c:\i840420.exec:\i840420.exe34⤵
- Executes dropped EXE
PID:2788 -
\??\c:\pvvpj.exec:\pvvpj.exe35⤵
- Executes dropped EXE
PID:1760 -
\??\c:\800048.exec:\800048.exe36⤵
- Executes dropped EXE
PID:1444 -
\??\c:\0408244.exec:\0408244.exe37⤵
- Executes dropped EXE
PID:4244 -
\??\c:\tthbtt.exec:\tthbtt.exe38⤵
- Executes dropped EXE
PID:4704 -
\??\c:\888266.exec:\888266.exe39⤵
- Executes dropped EXE
PID:2584 -
\??\c:\jvpjd.exec:\jvpjd.exe40⤵
- Executes dropped EXE
PID:1428 -
\??\c:\5xxrlfr.exec:\5xxrlfr.exe41⤵
- Executes dropped EXE
PID:4068 -
\??\c:\pjpjv.exec:\pjpjv.exe42⤵
- Executes dropped EXE
PID:652 -
\??\c:\866426.exec:\866426.exe43⤵
- Executes dropped EXE
PID:456 -
\??\c:\222644.exec:\222644.exe44⤵
- Executes dropped EXE
PID:1940 -
\??\c:\thhnhb.exec:\thhnhb.exe45⤵
- Executes dropped EXE
PID:1712 -
\??\c:\rffxlll.exec:\rffxlll.exe46⤵
- Executes dropped EXE
PID:3464 -
\??\c:\htnhbt.exec:\htnhbt.exe47⤵
- Executes dropped EXE
PID:3108 -
\??\c:\vpvvv.exec:\vpvvv.exe48⤵
- Executes dropped EXE
PID:3352 -
\??\c:\fxlffff.exec:\fxlffff.exe49⤵
- Executes dropped EXE
PID:1796 -
\??\c:\pjddv.exec:\pjddv.exe50⤵
- Executes dropped EXE
PID:3088 -
\??\c:\602604.exec:\602604.exe51⤵
- Executes dropped EXE
PID:1892 -
\??\c:\a2826.exec:\a2826.exe52⤵
- Executes dropped EXE
PID:2300 -
\??\c:\thnhhb.exec:\thnhhb.exe53⤵
- Executes dropped EXE
PID:2464 -
\??\c:\8244040.exec:\8244040.exe54⤵
- Executes dropped EXE
PID:3384 -
\??\c:\282260.exec:\282260.exe55⤵
- Executes dropped EXE
PID:4680 -
\??\c:\xllxxll.exec:\xllxxll.exe56⤵
- Executes dropped EXE
PID:4880 -
\??\c:\fxrfxfx.exec:\fxrfxfx.exe57⤵
- Executes dropped EXE
PID:4388 -
\??\c:\k84204.exec:\k84204.exe58⤵
- Executes dropped EXE
PID:2524 -
\??\c:\884866.exec:\884866.exe59⤵
- Executes dropped EXE
PID:2976 -
\??\c:\jvpjd.exec:\jvpjd.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3572 -
\??\c:\rrffxxx.exec:\rrffxxx.exe61⤵
- Executes dropped EXE
PID:4904 -
\??\c:\0004482.exec:\0004482.exe62⤵
- Executes dropped EXE
PID:1964 -
\??\c:\468044.exec:\468044.exe63⤵
- Executes dropped EXE
PID:772 -
\??\c:\fxxrrfx.exec:\fxxrrfx.exe64⤵
- Executes dropped EXE
PID:684 -
\??\c:\0404822.exec:\0404822.exe65⤵
- Executes dropped EXE
PID:4808 -
\??\c:\xflfxxx.exec:\xflfxxx.exe66⤵PID:4856
-
\??\c:\pvvvv.exec:\pvvvv.exe67⤵PID:4688
-
\??\c:\tbbhhb.exec:\tbbhhb.exe68⤵PID:1660
-
\??\c:\jppdv.exec:\jppdv.exe69⤵PID:3592
-
\??\c:\vpjvp.exec:\vpjvp.exe70⤵PID:64
-
\??\c:\bbnbtb.exec:\bbnbtb.exe71⤵PID:2908
-
\??\c:\086060.exec:\086060.exe72⤵PID:2588
-
\??\c:\jpdvj.exec:\jpdvj.exe73⤵PID:4256
-
\??\c:\xrlfxxx.exec:\xrlfxxx.exe74⤵PID:396
-
\??\c:\w02246.exec:\w02246.exe75⤵PID:2448
-
\??\c:\hjjpdj.exec:\hjjpdj.exe76⤵PID:536
-
\??\c:\btbthb.exec:\btbthb.exe77⤵PID:972
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe78⤵PID:3284
-
\??\c:\nbnhbt.exec:\nbnhbt.exe79⤵PID:3712
-
\??\c:\e84286.exec:\e84286.exe80⤵PID:2156
-
\??\c:\66208.exec:\66208.exe81⤵PID:2152
-
\??\c:\jjvpj.exec:\jjvpj.exe82⤵PID:1884
-
\??\c:\lflrlfx.exec:\lflrlfx.exe83⤵PID:3568
-
\??\c:\fxllffx.exec:\fxllffx.exe84⤵PID:4448
-
\??\c:\7flfxxr.exec:\7flfxxr.exe85⤵PID:3428
-
\??\c:\flrfrlx.exec:\flrfrlx.exe86⤵PID:3588
-
\??\c:\3dddv.exec:\3dddv.exe87⤵PID:4460
-
\??\c:\8242226.exec:\8242226.exe88⤵PID:1480
-
\??\c:\48828.exec:\48828.exe89⤵PID:2668
-
\??\c:\666082.exec:\666082.exe90⤵PID:440
-
\??\c:\o648488.exec:\o648488.exe91⤵PID:4472
-
\??\c:\hbbbtb.exec:\hbbbtb.exe92⤵PID:2520
-
\??\c:\thhbtt.exec:\thhbtt.exe93⤵PID:2808
-
\??\c:\xfllxrf.exec:\xfllxrf.exe94⤵PID:3792
-
\??\c:\tbhhbt.exec:\tbhhbt.exe95⤵PID:4072
-
\??\c:\064266.exec:\064266.exe96⤵PID:1472
-
\??\c:\84086.exec:\84086.exe97⤵PID:3416
-
\??\c:\dpddp.exec:\dpddp.exe98⤵PID:2292
-
\??\c:\228204.exec:\228204.exe99⤵PID:3056
-
\??\c:\rlfrrff.exec:\rlfrrff.exe100⤵PID:516
-
\??\c:\dddjd.exec:\dddjd.exe101⤵PID:4080
-
\??\c:\7nbnbn.exec:\7nbnbn.exe102⤵PID:4604
-
\??\c:\0008604.exec:\0008604.exe103⤵PID:5056
-
\??\c:\9ttnnh.exec:\9ttnnh.exe104⤵PID:520
-
\??\c:\5bhthb.exec:\5bhthb.exe105⤵PID:4456
-
\??\c:\nnbhhn.exec:\nnbhhn.exe106⤵PID:2868
-
\??\c:\c686044.exec:\c686044.exe107⤵PID:4932
-
\??\c:\640426.exec:\640426.exe108⤵PID:1432
-
\??\c:\5llfrxx.exec:\5llfrxx.exe109⤵PID:4928
-
\??\c:\tnnhtn.exec:\tnnhtn.exe110⤵PID:1936
-
\??\c:\02842.exec:\02842.exe111⤵PID:1384
-
\??\c:\400048.exec:\400048.exe112⤵PID:4704
-
\??\c:\08082.exec:\08082.exe113⤵PID:3116
-
\??\c:\btnhhb.exec:\btnhhb.exe114⤵PID:2280
-
\??\c:\flrrrrr.exec:\flrrrrr.exe115⤵PID:1436
-
\??\c:\pdjjd.exec:\pdjjd.exe116⤵PID:1564
-
\??\c:\402222.exec:\402222.exe117⤵PID:5048
-
\??\c:\3tbtbt.exec:\3tbtbt.exe118⤵PID:3344
-
\??\c:\i008608.exec:\i008608.exe119⤵PID:1712
-
\??\c:\o066424.exec:\o066424.exe120⤵PID:3328
-
\??\c:\9vdpd.exec:\9vdpd.exe121⤵PID:4684
-
\??\c:\6288682.exec:\6288682.exe122⤵PID:1632