Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe
-
Size
453KB
-
MD5
6f15a998b54aa1da248ae4e9f5881417
-
SHA1
fa2fdacc0902d688f6f7ec88d7d42ab38cde75e6
-
SHA256
a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9
-
SHA512
d9ae53aeffb4e018661274b9b7757e6d03782902cebe00bf6dcd2d489fa7b0ed3b6af9210eb6f1aba9c31e660f8ab9af7b09bad1c9f4d78bafc5562c1ff9e62e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1996-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2432-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1892-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-1085-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-1164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4232 ttnbnh.exe 2760 rffxrlr.exe 3548 5bttnn.exe 1380 bhtnnh.exe 3204 nnnhbt.exe 2196 9rfxrlf.exe 3296 tnnhbt.exe 1212 lxlfxfl.exe 3032 bttnhh.exe 2920 9vjdj.exe 1616 rrlffxx.exe 3632 3tbnhb.exe 3980 hntntt.exe 3028 djjdd.exe 3280 rlxfxxx.exe 4060 5bttnn.exe 4652 tthnhn.exe 996 flfflff.exe 1624 1ttnhh.exe 2436 nttbtt.exe 1868 dvddv.exe 392 5rlffrl.exe 3328 jdjdv.exe 2432 jvvpd.exe 1608 htnnhh.exe 3768 7bhbbt.exe 3424 7llxrrf.exe 4116 hhnntt.exe 3504 rllxrrf.exe 2700 9tbtbb.exe 760 vpppj.exe 3244 bntnhh.exe 3824 3pvpv.exe 3436 vvdvp.exe 1880 bhnbtn.exe 1032 jpdvv.exe 1656 xllfrlf.exe 1244 bttntn.exe 4084 ppvpd.exe 2388 xrxrxrx.exe 3724 xlllffx.exe 4944 7bnbtn.exe 2328 vjvpj.exe 912 xllflfx.exe 1136 xlxlfxr.exe 984 nhtnnh.exe 4456 3jdvj.exe 3536 xfxrxrl.exe 3336 bhtnhb.exe 2112 pppjd.exe 4232 1pjdv.exe 3196 xxrrrrx.exe 2696 bttnnn.exe 2636 pvpjd.exe 4900 dvpdv.exe 844 rxfxrrl.exe 2428 hthbtn.exe 1288 htbtnn.exe 4400 llxrlll.exe 5116 xffffff.exe 1092 nbtnhb.exe 3140 pjjjd.exe 1892 lxflflf.exe 4868 lrxxrxx.exe -
resource yara_rule behavioral2/memory/1996-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3768-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2824-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-1085-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflxrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1996 wrote to memory of 4232 1996 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 82 PID 1996 wrote to memory of 4232 1996 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 82 PID 1996 wrote to memory of 4232 1996 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 82 PID 4232 wrote to memory of 2760 4232 ttnbnh.exe 83 PID 4232 wrote to memory of 2760 4232 ttnbnh.exe 83 PID 4232 wrote to memory of 2760 4232 ttnbnh.exe 83 PID 2760 wrote to memory of 3548 2760 rffxrlr.exe 84 PID 2760 wrote to memory of 3548 2760 rffxrlr.exe 84 PID 2760 wrote to memory of 3548 2760 rffxrlr.exe 84 PID 3548 wrote to memory of 1380 3548 5bttnn.exe 85 PID 3548 wrote to memory of 1380 3548 5bttnn.exe 85 PID 3548 wrote to memory of 1380 3548 5bttnn.exe 85 PID 1380 wrote to memory of 3204 1380 bhtnnh.exe 86 PID 1380 wrote to memory of 3204 1380 bhtnnh.exe 86 PID 1380 wrote to memory of 3204 1380 bhtnnh.exe 86 PID 3204 wrote to memory of 2196 3204 nnnhbt.exe 87 PID 3204 wrote to memory of 2196 3204 nnnhbt.exe 87 PID 3204 wrote to memory of 2196 3204 nnnhbt.exe 87 PID 2196 wrote to memory of 3296 2196 9rfxrlf.exe 88 PID 2196 wrote to memory of 3296 2196 9rfxrlf.exe 88 PID 2196 wrote to memory of 3296 2196 9rfxrlf.exe 88 PID 3296 wrote to memory of 1212 3296 tnnhbt.exe 89 PID 3296 wrote to memory of 1212 3296 tnnhbt.exe 89 PID 3296 wrote to memory of 1212 3296 tnnhbt.exe 89 PID 1212 wrote to memory of 3032 1212 lxlfxfl.exe 90 PID 1212 wrote to memory of 3032 1212 lxlfxfl.exe 90 PID 1212 wrote to memory of 3032 1212 lxlfxfl.exe 90 PID 3032 wrote to memory of 2920 3032 bttnhh.exe 91 PID 3032 wrote to memory of 2920 3032 bttnhh.exe 91 PID 3032 wrote to memory of 2920 3032 bttnhh.exe 91 PID 2920 wrote to memory of 1616 2920 9vjdj.exe 92 PID 2920 wrote to memory of 1616 2920 9vjdj.exe 92 PID 2920 wrote to memory of 1616 2920 9vjdj.exe 92 PID 1616 wrote to memory of 3632 1616 rrlffxx.exe 93 PID 1616 
wrote to memory of 3632 1616 rrlffxx.exe 93 PID 1616 wrote to memory of 3632 1616 rrlffxx.exe 93 PID 3632 wrote to memory of 3980 3632 3tbnhb.exe 94 PID 3632 wrote to memory of 3980 3632 3tbnhb.exe 94 PID 3632 wrote to memory of 3980 3632 3tbnhb.exe 94 PID 3980 wrote to memory of 3028 3980 hntntt.exe 95 PID 3980 wrote to memory of 3028 3980 hntntt.exe 95 PID 3980 wrote to memory of 3028 3980 hntntt.exe 95 PID 3028 wrote to memory of 3280 3028 djjdd.exe 96 PID 3028 wrote to memory of 3280 3028 djjdd.exe 96 PID 3028 wrote to memory of 3280 3028 djjdd.exe 96 PID 3280 wrote to memory of 4060 3280 rlxfxxx.exe 97 PID 3280 wrote to memory of 4060 3280 rlxfxxx.exe 97 PID 3280 wrote to memory of 4060 3280 rlxfxxx.exe 97 PID 4060 wrote to memory of 4652 4060 5bttnn.exe 98 PID 4060 wrote to memory of 4652 4060 5bttnn.exe 98 PID 4060 wrote to memory of 4652 4060 5bttnn.exe 98 PID 4652 wrote to memory of 996 4652 tthnhn.exe 99 PID 4652 wrote to memory of 996 4652 tthnhn.exe 99 PID 4652 wrote to memory of 996 4652 tthnhn.exe 99 PID 996 wrote to memory of 1624 996 flfflff.exe 100 PID 996 wrote to memory of 1624 996 flfflff.exe 100 PID 996 wrote to memory of 1624 996 flfflff.exe 100 PID 1624 wrote to memory of 2436 1624 1ttnhh.exe 101 PID 1624 wrote to memory of 2436 1624 1ttnhh.exe 101 PID 1624 wrote to memory of 2436 1624 1ttnhh.exe 101 PID 2436 wrote to memory of 1868 2436 nttbtt.exe 102 PID 2436 wrote to memory of 1868 2436 nttbtt.exe 102 PID 2436 wrote to memory of 1868 2436 nttbtt.exe 102 PID 1868 wrote to memory of 392 1868 dvddv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe"C:\Users\Admin\AppData\Local\Temp\a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\ttnbnh.exec:\ttnbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\rffxrlr.exec:\rffxrlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\5bttnn.exec:\5bttnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\bhtnnh.exec:\bhtnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\nnnhbt.exec:\nnnhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\9rfxrlf.exec:\9rfxrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\tnnhbt.exec:\tnnhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\lxlfxfl.exec:\lxlfxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\bttnhh.exec:\bttnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\9vjdj.exec:\9vjdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\rrlffxx.exec:\rrlffxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\3tbnhb.exec:\3tbnhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\hntntt.exec:\hntntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\djjdd.exec:\djjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\rlxfxxx.exec:\rlxfxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\5bttnn.exec:\5bttnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\tthnhn.exec:\tthnhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\flfflff.exec:\flfflff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\1ttnhh.exec:\1ttnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\nttbtt.exec:\nttbtt.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\dvddv.exec:\dvddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\5rlffrl.exec:\5rlffrl.exe23⤵
- Executes dropped EXE
PID:392 -
\??\c:\jdjdv.exec:\jdjdv.exe24⤵
- Executes dropped EXE
PID:3328 -
\??\c:\jvvpd.exec:\jvvpd.exe25⤵
- Executes dropped EXE
PID:2432 -
\??\c:\htnnhh.exec:\htnnhh.exe26⤵
- Executes dropped EXE
PID:1608 -
\??\c:\7bhbbt.exec:\7bhbbt.exe27⤵
- Executes dropped EXE
PID:3768 -
\??\c:\7llxrrf.exec:\7llxrrf.exe28⤵
- Executes dropped EXE
PID:3424 -
\??\c:\hhnntt.exec:\hhnntt.exe29⤵
- Executes dropped EXE
PID:4116 -
\??\c:\rllxrrf.exec:\rllxrrf.exe30⤵
- Executes dropped EXE
PID:3504 -
\??\c:\9tbtbb.exec:\9tbtbb.exe31⤵
- Executes dropped EXE
PID:2700 -
\??\c:\vpppj.exec:\vpppj.exe32⤵
- Executes dropped EXE
PID:760 -
\??\c:\bntnhh.exec:\bntnhh.exe33⤵
- Executes dropped EXE
PID:3244 -
\??\c:\3pvpv.exec:\3pvpv.exe34⤵
- Executes dropped EXE
PID:3824 -
\??\c:\vvdvp.exec:\vvdvp.exe35⤵
- Executes dropped EXE
PID:3436 -
\??\c:\bhnbtn.exec:\bhnbtn.exe36⤵
- Executes dropped EXE
PID:1880 -
\??\c:\jpdvv.exec:\jpdvv.exe37⤵
- Executes dropped EXE
PID:1032 -
\??\c:\xllfrlf.exec:\xllfrlf.exe38⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bttntn.exec:\bttntn.exe39⤵
- Executes dropped EXE
PID:1244 -
\??\c:\ppvpd.exec:\ppvpd.exe40⤵
- Executes dropped EXE
PID:4084 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe41⤵
- Executes dropped EXE
PID:2388 -
\??\c:\xlllffx.exec:\xlllffx.exe42⤵
- Executes dropped EXE
PID:3724 -
\??\c:\7bnbtn.exec:\7bnbtn.exe43⤵
- Executes dropped EXE
PID:4944 -
\??\c:\vjvpj.exec:\vjvpj.exe44⤵
- Executes dropped EXE
PID:2328 -
\??\c:\xllflfx.exec:\xllflfx.exe45⤵
- Executes dropped EXE
PID:912 -
\??\c:\xlxlfxr.exec:\xlxlfxr.exe46⤵
- Executes dropped EXE
PID:1136 -
\??\c:\nhtnnh.exec:\nhtnnh.exe47⤵
- Executes dropped EXE
PID:984 -
\??\c:\3jdvj.exec:\3jdvj.exe48⤵
- Executes dropped EXE
PID:4456 -
\??\c:\xfxrxrl.exec:\xfxrxrl.exe49⤵
- Executes dropped EXE
PID:3536 -
\??\c:\bhtnhb.exec:\bhtnhb.exe50⤵
- Executes dropped EXE
PID:3336 -
\??\c:\pppjd.exec:\pppjd.exe51⤵
- Executes dropped EXE
PID:2112 -
\??\c:\1pjdv.exec:\1pjdv.exe52⤵
- Executes dropped EXE
PID:4232 -
\??\c:\xxrrrrx.exec:\xxrrrrx.exe53⤵
- Executes dropped EXE
PID:3196 -
\??\c:\bttnnn.exec:\bttnnn.exe54⤵
- Executes dropped EXE
PID:2696 -
\??\c:\pvpjd.exec:\pvpjd.exe55⤵
- Executes dropped EXE
PID:2636 -
\??\c:\dvpdv.exec:\dvpdv.exe56⤵
- Executes dropped EXE
PID:4900 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe57⤵
- Executes dropped EXE
PID:844 -
\??\c:\hthbtn.exec:\hthbtn.exe58⤵
- Executes dropped EXE
PID:2428 -
\??\c:\htbtnn.exec:\htbtnn.exe59⤵
- Executes dropped EXE
PID:1288 -
\??\c:\llxrlll.exec:\llxrlll.exe60⤵
- Executes dropped EXE
PID:4400 -
\??\c:\xffffff.exec:\xffffff.exe61⤵
- Executes dropped EXE
PID:5116 -
\??\c:\nbtnhb.exec:\nbtnhb.exe62⤵
- Executes dropped EXE
PID:1092 -
\??\c:\pjjjd.exec:\pjjjd.exe63⤵
- Executes dropped EXE
PID:3140 -
\??\c:\lxflflf.exec:\lxflflf.exe64⤵
- Executes dropped EXE
PID:1892 -
\??\c:\lrxxrxx.exec:\lrxxrxx.exe65⤵
- Executes dropped EXE
PID:4868 -
\??\c:\bnnttn.exec:\bnnttn.exe66⤵PID:3048
-
\??\c:\pdjdd.exec:\pdjdd.exe67⤵PID:3716
-
\??\c:\rrfxxrl.exec:\rrfxxrl.exe68⤵PID:3672
-
\??\c:\nnbhht.exec:\nnbhht.exe69⤵PID:216
-
\??\c:\7vdvv.exec:\7vdvv.exe70⤵PID:1044
-
\??\c:\5lxrlfr.exec:\5lxrlfr.exe71⤵
- System Location Discovery: System Language Discovery
PID:404 -
\??\c:\1flxrrl.exec:\1flxrrl.exe72⤵PID:4136
-
\??\c:\btnhbn.exec:\btnhbn.exe73⤵PID:1956
-
\??\c:\dvpjd.exec:\dvpjd.exe74⤵PID:3028
-
\??\c:\rrrlxrl.exec:\rrrlxrl.exe75⤵PID:1364
-
\??\c:\thtbhh.exec:\thtbhh.exe76⤵PID:2504
-
\??\c:\tnbttt.exec:\tnbttt.exe77⤵PID:2060
-
\??\c:\jpddv.exec:\jpddv.exe78⤵PID:4652
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe79⤵PID:5000
-
\??\c:\1hhhbh.exec:\1hhhbh.exe80⤵PID:3268
-
\??\c:\3pjdd.exec:\3pjdd.exe81⤵PID:4052
-
\??\c:\vvjvp.exec:\vvjvp.exe82⤵PID:2824
-
\??\c:\lxrxrlf.exec:\lxrxrlf.exe83⤵PID:1284
-
\??\c:\hhtnnn.exec:\hhtnnn.exe84⤵PID:4148
-
\??\c:\1vjdd.exec:\1vjdd.exe85⤵PID:3544
-
\??\c:\lrxlfrr.exec:\lrxlfrr.exe86⤵PID:2164
-
\??\c:\hbbtnh.exec:\hbbtnh.exe87⤵PID:4500
-
\??\c:\jjppd.exec:\jjppd.exe88⤵PID:4316
-
\??\c:\5flfffl.exec:\5flfffl.exe89⤵PID:4464
-
\??\c:\5hnhhn.exec:\5hnhhn.exe90⤵PID:412
-
\??\c:\9pjjj.exec:\9pjjj.exe91⤵PID:3520
-
\??\c:\vpvpj.exec:\vpvpj.exe92⤵PID:5024
-
\??\c:\lrrllxx.exec:\lrrllxx.exe93⤵PID:2416
-
\??\c:\9hbtnh.exec:\9hbtnh.exe94⤵PID:3620
-
\??\c:\pppjj.exec:\pppjj.exe95⤵PID:2608
-
\??\c:\9xfxllx.exec:\9xfxllx.exe96⤵PID:380
-
\??\c:\9llfxrl.exec:\9llfxrl.exe97⤵PID:3992
-
\??\c:\thnnhn.exec:\thnnhn.exe98⤵PID:760
-
\??\c:\5ddpj.exec:\5ddpj.exe99⤵PID:2272
-
\??\c:\1llrflx.exec:\1llrflx.exe100⤵PID:5016
-
\??\c:\7ntnnn.exec:\7ntnnn.exe101⤵PID:4032
-
\??\c:\vvvpv.exec:\vvvpv.exe102⤵PID:2880
-
\??\c:\3xxrxfx.exec:\3xxrxfx.exe103⤵PID:4768
-
\??\c:\bhhtth.exec:\bhhtth.exe104⤵PID:1928
-
\??\c:\7ppjj.exec:\7ppjj.exe105⤵PID:4724
-
\??\c:\lffxllf.exec:\lffxllf.exe106⤵PID:4852
-
\??\c:\rrllffx.exec:\rrllffx.exe107⤵PID:1244
-
\??\c:\btbthn.exec:\btbthn.exe108⤵PID:4084
-
\??\c:\9jdvv.exec:\9jdvv.exe109⤵PID:4360
-
\??\c:\5llxrlf.exec:\5llxrlf.exe110⤵PID:1732
-
\??\c:\bnhbbn.exec:\bnhbbn.exe111⤵PID:2396
-
\??\c:\jvdjd.exec:\jvdjd.exe112⤵PID:2328
-
\??\c:\jpvjd.exec:\jpvjd.exe113⤵PID:4236
-
\??\c:\xxflxrl.exec:\xxflxrl.exe114⤵PID:1560
-
\??\c:\nhnbtn.exec:\nhnbtn.exe115⤵PID:1184
-
\??\c:\jvpvj.exec:\jvpvj.exe116⤵PID:4448
-
\??\c:\9llxrrl.exec:\9llxrrl.exe117⤵PID:4380
-
\??\c:\lffxrlf.exec:\lffxrlf.exe118⤵PID:316
-
\??\c:\nnnhhh.exec:\nnnhhh.exe119⤵PID:1180
-
\??\c:\ppvvd.exec:\ppvvd.exe120⤵PID:3796
-
\??\c:\9ddvp.exec:\9ddvp.exe121⤵PID:4232
-
\??\c:\hhhbtn.exec:\hhhbtn.exe122⤵PID:3512