Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe
-
Size
454KB
-
MD5
c15fcd440d061fc6fec6fc05d291b1bd
-
SHA1
63059d94c0aac27ca1b772e990feac14df86c717
-
SHA256
9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9
-
SHA512
258de746f0c3b94ca873aa7ae80c7ac9a816eb3210231286d0a277301e884f7f41aa1eb67e6d27f1a5c2c6c8ee78e949875ca14e578174fc5cf53bf0a89b8c74
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbem:q7Tc2NYHUrAwfMp3CDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/516-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3064-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1144-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-800-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-1526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-1572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 516 xflxlfx.exe 2676 btbnhh.exe 1988 ntbttn.exe 2720 bbhnnh.exe 1632 vdjdp.exe 3628 bttnhb.exe 4516 dpvpv.exe 2340 hntnbt.exe 1460 rrxrffx.exe 3312 xrxrxfl.exe 2972 xrxlxlf.exe 980 jvdvp.exe 2784 htnhbb.exe 740 7lfxxxr.exe 2080 vpjdv.exe 800 lfxfrrf.exe 748 pjpjd.exe 1168 rlrrfxr.exe 3968 htbtth.exe 4392 ntnhtn.exe 2052 htthtn.exe 3896 llrfrlf.exe 1648 htbnhb.exe 368 xrxrlff.exe 3064 ntbthb.exe 1032 rfxrfxr.exe 1048 fflxxrl.exe 2264 rfxfrxf.exe 1628 3htnbh.exe 2512 1xfrfrr.exe 3632 3ttnhh.exe 2920 fflxrlx.exe 760 ddjvj.exe 1416 dvdvp.exe 4252 fxrrllf.exe 1636 ttbthb.exe 3412 htthtb.exe 4540 dddvj.exe 448 lxxrfxr.exe 3100 hnnhtn.exe 2820 pppjp.exe 3388 vppdv.exe 3660 rrxlflf.exe 1668 bntnhb.exe 4164 pdjvd.exe 2132 jvjdv.exe 4332 llrlxrr.exe 5108 nttnbt.exe 656 hthbtt.exe 4668 vvpvj.exe 3608 rlxrrll.exe 4440 btbbnt.exe 3908 nhnhnh.exe 2056 vdjdv.exe 2676 xflxlfx.exe 4948 fxfrfxr.exe 3584 3vppj.exe 768 xrxrfxr.exe 3880 lrrlfxr.exe 4520 hhbbnn.exe 1472 jpdvj.exe 1700 lxlffxf.exe 3344 5fxrlfx.exe 2176 bnnhtn.exe -
resource yara_rule behavioral2/memory/516-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2264-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4376-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-1526-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2056 wrote to memory of 516 2056 9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe 82 PID 2056 wrote to memory of 516 2056 9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe 82 PID 2056 wrote to memory of 516 2056 9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe 82 PID 516 wrote to memory of 2676 516 xflxlfx.exe 83 PID 516 wrote to memory of 2676 516 xflxlfx.exe 83 PID 516 wrote to memory of 2676 516 xflxlfx.exe 83 PID 2676 wrote to memory of 1988 2676 btbnhh.exe 84 PID 2676 wrote to memory of 1988 2676 btbnhh.exe 84 PID 2676 wrote to memory of 1988 2676 btbnhh.exe 84 PID 1988 wrote to memory of 2720 1988 ntbttn.exe 85 PID 1988 wrote to memory of 2720 1988 ntbttn.exe 85 PID 1988 wrote to memory of 2720 1988 ntbttn.exe 85 PID 2720 wrote to memory of 1632 2720 bbhnnh.exe 86 PID 2720 wrote to memory of 1632 2720 bbhnnh.exe 86 PID 2720 wrote to memory of 1632 2720 bbhnnh.exe 86 PID 1632 wrote to memory of 3628 1632 vdjdp.exe 87 PID 1632 wrote to memory of 3628 1632 vdjdp.exe 87 PID 1632 wrote to memory of 3628 1632 vdjdp.exe 87 PID 3628 wrote to memory of 4516 3628 bttnhb.exe 88 PID 3628 wrote to memory of 4516 3628 bttnhb.exe 88 PID 3628 wrote to memory of 4516 3628 bttnhb.exe 88 PID 4516 wrote to memory of 2340 4516 dpvpv.exe 89 PID 4516 wrote to memory of 2340 4516 dpvpv.exe 89 PID 4516 wrote to memory of 2340 4516 dpvpv.exe 89 PID 2340 wrote to memory of 1460 2340 hntnbt.exe 90 PID 2340 wrote to memory of 1460 2340 hntnbt.exe 90 PID 2340 wrote to memory of 1460 2340 hntnbt.exe 90 PID 1460 wrote to memory of 3312 1460 rrxrffx.exe 91 PID 1460 wrote to memory of 3312 1460 rrxrffx.exe 91 PID 1460 wrote to memory of 3312 1460 rrxrffx.exe 91 PID 3312 wrote to memory of 2972 3312 xrxrxfl.exe 92 PID 3312 wrote to memory of 2972 3312 xrxrxfl.exe 92 PID 3312 wrote to memory of 2972 3312 xrxrxfl.exe 92 PID 2972 wrote to memory of 980 2972 xrxlxlf.exe 93 PID 2972 wrote to memory 
of 980 2972 xrxlxlf.exe 93 PID 2972 wrote to memory of 980 2972 xrxlxlf.exe 93 PID 980 wrote to memory of 2784 980 jvdvp.exe 94 PID 980 wrote to memory of 2784 980 jvdvp.exe 94 PID 980 wrote to memory of 2784 980 jvdvp.exe 94 PID 2784 wrote to memory of 740 2784 htnhbb.exe 95 PID 2784 wrote to memory of 740 2784 htnhbb.exe 95 PID 2784 wrote to memory of 740 2784 htnhbb.exe 95 PID 740 wrote to memory of 2080 740 7lfxxxr.exe 96 PID 740 wrote to memory of 2080 740 7lfxxxr.exe 96 PID 740 wrote to memory of 2080 740 7lfxxxr.exe 96 PID 2080 wrote to memory of 800 2080 vpjdv.exe 97 PID 2080 wrote to memory of 800 2080 vpjdv.exe 97 PID 2080 wrote to memory of 800 2080 vpjdv.exe 97 PID 800 wrote to memory of 748 800 lfxfrrf.exe 98 PID 800 wrote to memory of 748 800 lfxfrrf.exe 98 PID 800 wrote to memory of 748 800 lfxfrrf.exe 98 PID 748 wrote to memory of 1168 748 pjpjd.exe 99 PID 748 wrote to memory of 1168 748 pjpjd.exe 99 PID 748 wrote to memory of 1168 748 pjpjd.exe 99 PID 1168 wrote to memory of 3968 1168 rlrrfxr.exe 100 PID 1168 wrote to memory of 3968 1168 rlrrfxr.exe 100 PID 1168 wrote to memory of 3968 1168 rlrrfxr.exe 100 PID 3968 wrote to memory of 4392 3968 htbtth.exe 101 PID 3968 wrote to memory of 4392 3968 htbtth.exe 101 PID 3968 wrote to memory of 4392 3968 htbtth.exe 101 PID 4392 wrote to memory of 2052 4392 ntnhtn.exe 102 PID 4392 wrote to memory of 2052 4392 ntnhtn.exe 102 PID 4392 wrote to memory of 2052 4392 ntnhtn.exe 102 PID 2052 wrote to memory of 3896 2052 htthtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe"C:\Users\Admin\AppData\Local\Temp\9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\xflxlfx.exec:\xflxlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\btbnhh.exec:\btbnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\ntbttn.exec:\ntbttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\bbhnnh.exec:\bbhnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\vdjdp.exec:\vdjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\bttnhb.exec:\bttnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\dpvpv.exec:\dpvpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\hntnbt.exec:\hntnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\rrxrffx.exec:\rrxrffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\xrxrxfl.exec:\xrxrxfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\xrxlxlf.exec:\xrxlxlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\jvdvp.exec:\jvdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\htnhbb.exec:\htnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\7lfxxxr.exec:\7lfxxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\vpjdv.exec:\vpjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\lfxfrrf.exec:\lfxfrrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\pjpjd.exec:\pjpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\rlrrfxr.exec:\rlrrfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\htbtth.exec:\htbtth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\ntnhtn.exec:\ntnhtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\htthtn.exec:\htthtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\llrfrlf.exec:\llrfrlf.exe23⤵
- Executes dropped EXE
PID:3896 -
\??\c:\htbnhb.exec:\htbnhb.exe24⤵
- Executes dropped EXE
PID:1648 -
\??\c:\xrxrlff.exec:\xrxrlff.exe25⤵
- Executes dropped EXE
PID:368 -
\??\c:\ntbthb.exec:\ntbthb.exe26⤵
- Executes dropped EXE
PID:3064 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe27⤵
- Executes dropped EXE
PID:1032 -
\??\c:\fflxxrl.exec:\fflxxrl.exe28⤵
- Executes dropped EXE
PID:1048 -
\??\c:\rfxfrxf.exec:\rfxfrxf.exe29⤵
- Executes dropped EXE
PID:2264 -
\??\c:\3htnbh.exec:\3htnbh.exe30⤵
- Executes dropped EXE
PID:1628 -
\??\c:\1xfrfrr.exec:\1xfrfrr.exe31⤵
- Executes dropped EXE
PID:2512 -
\??\c:\3ttnhh.exec:\3ttnhh.exe32⤵
- Executes dropped EXE
PID:3632 -
\??\c:\fflxrlx.exec:\fflxrlx.exe33⤵
- Executes dropped EXE
PID:2920 -
\??\c:\ddjvj.exec:\ddjvj.exe34⤵
- Executes dropped EXE
PID:760 -
\??\c:\dvdvp.exec:\dvdvp.exe35⤵
- Executes dropped EXE
PID:1416 -
\??\c:\fxrrllf.exec:\fxrrllf.exe36⤵
- Executes dropped EXE
PID:4252 -
\??\c:\ttbthb.exec:\ttbthb.exe37⤵
- Executes dropped EXE
PID:1636 -
\??\c:\htthtb.exec:\htthtb.exe38⤵
- Executes dropped EXE
PID:3412 -
\??\c:\dddvj.exec:\dddvj.exe39⤵
- Executes dropped EXE
PID:4540 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe40⤵
- Executes dropped EXE
PID:448 -
\??\c:\hnnhtn.exec:\hnnhtn.exe41⤵
- Executes dropped EXE
PID:3100 -
\??\c:\pppjp.exec:\pppjp.exe42⤵
- Executes dropped EXE
PID:2820 -
\??\c:\vppdv.exec:\vppdv.exe43⤵
- Executes dropped EXE
PID:3388 -
\??\c:\rrxlflf.exec:\rrxlflf.exe44⤵
- Executes dropped EXE
PID:3660 -
\??\c:\bntnhb.exec:\bntnhb.exe45⤵
- Executes dropped EXE
PID:1668 -
\??\c:\pdjvd.exec:\pdjvd.exe46⤵
- Executes dropped EXE
PID:4164 -
\??\c:\jvjdv.exec:\jvjdv.exe47⤵
- Executes dropped EXE
PID:2132 -
\??\c:\llrlxrr.exec:\llrlxrr.exe48⤵
- Executes dropped EXE
PID:4332 -
\??\c:\nttnbt.exec:\nttnbt.exe49⤵
- Executes dropped EXE
PID:5108 -
\??\c:\hthbtt.exec:\hthbtt.exe50⤵
- Executes dropped EXE
PID:656 -
\??\c:\vvpvj.exec:\vvpvj.exe51⤵
- Executes dropped EXE
PID:4668 -
\??\c:\rlxrrll.exec:\rlxrrll.exe52⤵
- Executes dropped EXE
PID:3608 -
\??\c:\btbbnt.exec:\btbbnt.exe53⤵
- Executes dropped EXE
PID:4440 -
\??\c:\nhnhnh.exec:\nhnhnh.exe54⤵
- Executes dropped EXE
PID:3908 -
\??\c:\vdjdv.exec:\vdjdv.exe55⤵
- Executes dropped EXE
PID:2056 -
\??\c:\xflxlfx.exec:\xflxlfx.exe56⤵
- Executes dropped EXE
PID:2676 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe57⤵
- Executes dropped EXE
PID:4948 -
\??\c:\3vppj.exec:\3vppj.exe58⤵
- Executes dropped EXE
PID:3584 -
\??\c:\xrxrfxr.exec:\xrxrfxr.exe59⤵
- Executes dropped EXE
PID:768 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe60⤵
- Executes dropped EXE
PID:3880 -
\??\c:\hhbbnn.exec:\hhbbnn.exe61⤵
- Executes dropped EXE
PID:4520 -
\??\c:\jpdvj.exec:\jpdvj.exe62⤵
- Executes dropped EXE
PID:1472 -
\??\c:\lxlffxf.exec:\lxlffxf.exe63⤵
- Executes dropped EXE
PID:1700 -
\??\c:\5fxrlfx.exec:\5fxrlfx.exe64⤵
- Executes dropped EXE
PID:3344 -
\??\c:\bnnhtn.exec:\bnnhtn.exe65⤵
- Executes dropped EXE
PID:2176 -
\??\c:\jpvpj.exec:\jpvpj.exe66⤵PID:1144
-
\??\c:\fxxlxrl.exec:\fxxlxrl.exe67⤵PID:532
-
\??\c:\rxllfxx.exec:\rxllfxx.exe68⤵PID:1460
-
\??\c:\bbhhtn.exec:\bbhhtn.exe69⤵PID:2040
-
\??\c:\dvpdv.exec:\dvpdv.exe70⤵PID:2260
-
\??\c:\xflxlrl.exec:\xflxlrl.exe71⤵PID:1728
-
\??\c:\tnhnbt.exec:\tnhnbt.exe72⤵PID:512
-
\??\c:\htthtt.exec:\htthtt.exe73⤵PID:4756
-
\??\c:\dpjdp.exec:\dpjdp.exe74⤵PID:3924
-
\??\c:\frrfrlf.exec:\frrfrlf.exe75⤵PID:4748
-
\??\c:\nnnhtn.exec:\nnnhtn.exe76⤵PID:2912
-
\??\c:\hhnthb.exec:\hhnthb.exe77⤵PID:2872
-
\??\c:\djpjv.exec:\djpjv.exe78⤵PID:2984
-
\??\c:\xrrfrlf.exec:\xrrfrlf.exe79⤵PID:3036
-
\??\c:\bttntt.exec:\bttntt.exe80⤵PID:4376
-
\??\c:\nbbthh.exec:\nbbthh.exe81⤵PID:2096
-
\??\c:\pjdvj.exec:\pjdvj.exe82⤵PID:2324
-
\??\c:\dvvvp.exec:\dvvvp.exe83⤵PID:1196
-
\??\c:\lffrlfx.exec:\lffrlfx.exe84⤵PID:2864
-
\??\c:\1hnhnn.exec:\1hnhnn.exe85⤵PID:5080
-
\??\c:\vjpjp.exec:\vjpjp.exe86⤵PID:2084
-
\??\c:\dppjv.exec:\dppjv.exe87⤵PID:1100
-
\??\c:\lllfrrl.exec:\lllfrrl.exe88⤵PID:1308
-
\??\c:\5lfxrlf.exec:\5lfxrlf.exe89⤵PID:4744
-
\??\c:\nbhbhb.exec:\nbhbhb.exe90⤵PID:4132
-
\??\c:\dvvpd.exec:\dvvpd.exe91⤵PID:2736
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe92⤵PID:4596
-
\??\c:\xxxrfxr.exec:\xxxrfxr.exe93⤵PID:4428
-
\??\c:\ttbttt.exec:\ttbttt.exe94⤵PID:2136
-
\??\c:\pjpjv.exec:\pjpjv.exe95⤵PID:2264
-
\??\c:\xflrlff.exec:\xflrlff.exe96⤵PID:4640
-
\??\c:\fffxrll.exec:\fffxrll.exe97⤵PID:3468
-
\??\c:\tnnhbb.exec:\tnnhbb.exe98⤵PID:4116
-
\??\c:\nbbtbn.exec:\nbbtbn.exe99⤵PID:2484
-
\??\c:\xffxrrl.exec:\xffxrrl.exe100⤵PID:4708
-
\??\c:\7xxrrff.exec:\7xxrrff.exe101⤵PID:2024
-
\??\c:\tbhbtn.exec:\tbhbtn.exe102⤵PID:4776
-
\??\c:\bnbnnn.exec:\bnbnnn.exe103⤵PID:4336
-
\??\c:\pjvpj.exec:\pjvpj.exe104⤵PID:1348
-
\??\c:\1rrfxrl.exec:\1rrfxrl.exe105⤵PID:2140
-
\??\c:\lxffllf.exec:\lxffllf.exe106⤵PID:4540
-
\??\c:\nnnhbb.exec:\nnnhbb.exe107⤵PID:448
-
\??\c:\pdvdp.exec:\pdvdp.exe108⤵PID:3100
-
\??\c:\lflxxlf.exec:\lflxxlf.exe109⤵PID:2820
-
\??\c:\fxflxfx.exec:\fxflxfx.exe110⤵PID:1000
-
\??\c:\nbthtb.exec:\nbthtb.exe111⤵PID:1368
-
\??\c:\pjdvp.exec:\pjdvp.exe112⤵PID:4676
-
\??\c:\rrxfxrr.exec:\rrxfxrr.exe113⤵PID:4196
-
\??\c:\rfrlxxr.exec:\rfrlxxr.exe114⤵PID:1312
-
\??\c:\thnbtn.exec:\thnbtn.exe115⤵PID:3604
-
\??\c:\dpvjj.exec:\dpvjj.exe116⤵PID:3752
-
\??\c:\7xlxlrl.exec:\7xlxlrl.exe117⤵PID:3428
-
\??\c:\thhtnh.exec:\thhtnh.exe118⤵PID:868
-
\??\c:\bthbtn.exec:\bthbtn.exe119⤵PID:4444
-
\??\c:\dvjdv.exec:\dvjdv.exe120⤵PID:3588
-
\??\c:\7rlfrrx.exec:\7rlfrrx.exe121⤵PID:4440
-
\??\c:\3nnhtn.exec:\3nnhtn.exe122⤵PID:4100