Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 21:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe
-
Size
454KB
-
MD5
7cc502f989f0798313678c1cf6a34300
-
SHA1
af9a0d095778ab15757bb1867680fef820d394cb
-
SHA256
f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45
-
SHA512
5874cd7eb802f4fa72825f6405e81ee2bf5bf385041a9de07ac60c6ad56b052cc49aeb07666ead1091a24aa30ad72a2ef6acc1ac00e95dba7d1c41c7e40a86b4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbePY:q7Tc2NYHUrAwfMp3CDPY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/516-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5016-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/796-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2628-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-1040-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-1050-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-1090-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-1464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1628 nhthtn.exe 5020 5tttnn.exe 1752 dddvv.exe 4904 1xfxrxr.exe 5012 9lfxrll.exe 1660 pjdvp.exe 4884 9bbthb.exe 3196 9tnhbb.exe 3248 thbhhn.exe 4068 dvjdp.exe 1140 lxxrrrl.exe 4816 xrfrlrl.exe 3544 5hhtnn.exe 4620 xrrllll.exe 2408 hthtnn.exe 4312 hbhbtt.exe 1272 hhhbbb.exe 3844 lxxrrrl.exe 3628 tnnhtn.exe 2828 7rlfrlx.exe 4836 thhhbb.exe 2720 xxxrrll.exe 220 rlfrlxr.exe 4088 hhthbt.exe 828 9jjvp.exe 2128 rlfxlfx.exe 4000 3lrflfx.exe 1964 xflfxrr.exe 1896 tntnnt.exe 4420 pjpjj.exe 4800 3jjjv.exe 5016 jdjdv.exe 1076 lxxrrlx.exe 2096 pjjdv.exe 2980 xllfrlf.exe 3376 3nthtt.exe 1788 thtnbt.exe 1492 1ddvp.exe 372 xllxrfx.exe 956 bntnhb.exe 796 3ddvd.exe 2916 9lllllf.exe 2728 ttbnbt.exe 2804 bbbnht.exe 2392 vpvdd.exe 1420 fxrlrlf.exe 2488 nbhtnn.exe 4268 tbbthh.exe 2344 dvpjv.exe 5008 7xrlxxr.exe 2196 nhnhhn.exe 3992 pdvjd.exe 2140 3lrfrrl.exe 3228 bnbttt.exe 4904 hbbtnh.exe 940 7vddp.exe 1552 xxfxlff.exe 4712 thnhhb.exe 3984 dddvp.exe 4884 fxffllf.exe 2236 lrxrxxr.exe 540 tnntnh.exe 2308 7jpjj.exe 5112 rrxxxxx.exe -
resource yara_rule behavioral2/memory/1628-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1896-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1696-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-1040-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbttt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbthb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 516 wrote to memory of 1628 516 f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe 84 PID 516 wrote to memory of 1628 516 f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe 84 PID 516 wrote to memory of 1628 516 f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe 84 PID 1628 wrote to memory of 5020 1628 nhthtn.exe 85 PID 1628 wrote to memory of 5020 1628 nhthtn.exe 85 PID 1628 wrote to memory of 5020 1628 nhthtn.exe 85 PID 5020 wrote to memory of 1752 5020 5tttnn.exe 86 PID 5020 wrote to memory of 1752 5020 5tttnn.exe 86 PID 5020 wrote to memory of 1752 5020 5tttnn.exe 86 PID 1752 wrote to memory of 4904 1752 dddvv.exe 87 PID 1752 wrote to memory of 4904 1752 dddvv.exe 87 PID 1752 wrote to memory of 4904 1752 dddvv.exe 87 PID 4904 wrote to memory of 5012 4904 1xfxrxr.exe 88 PID 4904 wrote to memory of 5012 4904 1xfxrxr.exe 88 PID 4904 wrote to memory of 5012 4904 1xfxrxr.exe 88 PID 5012 wrote to memory of 1660 5012 9lfxrll.exe 89 PID 5012 wrote to memory of 1660 5012 9lfxrll.exe 89 PID 5012 wrote to memory of 1660 5012 9lfxrll.exe 89 PID 1660 wrote to memory of 4884 1660 pjdvp.exe 90 PID 1660 wrote to memory of 4884 1660 pjdvp.exe 90 PID 1660 wrote to memory of 4884 1660 pjdvp.exe 90 PID 4884 wrote to memory of 3196 4884 9bbthb.exe 91 PID 4884 wrote to memory of 3196 4884 9bbthb.exe 91 PID 4884 wrote to memory of 3196 4884 9bbthb.exe 91 PID 3196 wrote to memory of 3248 3196 9tnhbb.exe 92 PID 3196 wrote to memory of 3248 3196 9tnhbb.exe 92 PID 3196 wrote to memory of 3248 3196 9tnhbb.exe 92 PID 3248 wrote to memory of 4068 3248 thbhhn.exe 93 PID 3248 wrote to memory of 4068 3248 thbhhn.exe 93 PID 3248 wrote to memory of 4068 3248 thbhhn.exe 93 PID 4068 wrote to memory of 1140 4068 dvjdp.exe 94 PID 4068 wrote to memory of 1140 4068 dvjdp.exe 94 PID 4068 wrote to memory of 1140 4068 dvjdp.exe 94 PID 1140 wrote to memory of 4816 1140 lxxrrrl.exe 95 PID 1140 wrote to memory 
of 4816 1140 lxxrrrl.exe 95 PID 1140 wrote to memory of 4816 1140 lxxrrrl.exe 95 PID 4816 wrote to memory of 3544 4816 xrfrlrl.exe 96 PID 4816 wrote to memory of 3544 4816 xrfrlrl.exe 96 PID 4816 wrote to memory of 3544 4816 xrfrlrl.exe 96 PID 3544 wrote to memory of 4620 3544 5hhtnn.exe 97 PID 3544 wrote to memory of 4620 3544 5hhtnn.exe 97 PID 3544 wrote to memory of 4620 3544 5hhtnn.exe 97 PID 4620 wrote to memory of 2408 4620 xrrllll.exe 98 PID 4620 wrote to memory of 2408 4620 xrrllll.exe 98 PID 4620 wrote to memory of 2408 4620 xrrllll.exe 98 PID 2408 wrote to memory of 4312 2408 hthtnn.exe 99 PID 2408 wrote to memory of 4312 2408 hthtnn.exe 99 PID 2408 wrote to memory of 4312 2408 hthtnn.exe 99 PID 4312 wrote to memory of 1272 4312 hbhbtt.exe 100 PID 4312 wrote to memory of 1272 4312 hbhbtt.exe 100 PID 4312 wrote to memory of 1272 4312 hbhbtt.exe 100 PID 1272 wrote to memory of 3844 1272 hhhbbb.exe 101 PID 1272 wrote to memory of 3844 1272 hhhbbb.exe 101 PID 1272 wrote to memory of 3844 1272 hhhbbb.exe 101 PID 3844 wrote to memory of 3628 3844 lxxrrrl.exe 102 PID 3844 wrote to memory of 3628 3844 lxxrrrl.exe 102 PID 3844 wrote to memory of 3628 3844 lxxrrrl.exe 102 PID 3628 wrote to memory of 2828 3628 tnnhtn.exe 103 PID 3628 wrote to memory of 2828 3628 tnnhtn.exe 103 PID 3628 wrote to memory of 2828 3628 tnnhtn.exe 103 PID 2828 wrote to memory of 4836 2828 7rlfrlx.exe 104 PID 2828 wrote to memory of 4836 2828 7rlfrlx.exe 104 PID 2828 wrote to memory of 4836 2828 7rlfrlx.exe 104 PID 4836 wrote to memory of 2720 4836 thhhbb.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe"C:\Users\Admin\AppData\Local\Temp\f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\nhthtn.exec:\nhthtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\5tttnn.exec:\5tttnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\dddvv.exec:\dddvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\1xfxrxr.exec:\1xfxrxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\9lfxrll.exec:\9lfxrll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\pjdvp.exec:\pjdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\9bbthb.exec:\9bbthb.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\9tnhbb.exec:\9tnhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\thbhhn.exec:\thbhhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\dvjdp.exec:\dvjdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\xrfrlrl.exec:\xrfrlrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\5hhtnn.exec:\5hhtnn.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\xrrllll.exec:\xrrllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\hthtnn.exec:\hthtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\hbhbtt.exec:\hbhbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\hhhbbb.exec:\hhhbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\tnnhtn.exec:\tnnhtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\7rlfrlx.exec:\7rlfrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\thhhbb.exec:\thhhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\xxxrrll.exec:\xxxrrll.exe23⤵
- Executes dropped EXE
PID:2720 -
\??\c:\rlfrlxr.exec:\rlfrlxr.exe24⤵
- Executes dropped EXE
PID:220 -
\??\c:\hhthbt.exec:\hhthbt.exe25⤵
- Executes dropped EXE
PID:4088 -
\??\c:\9jjvp.exec:\9jjvp.exe26⤵
- Executes dropped EXE
PID:828 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe27⤵
- Executes dropped EXE
PID:2128 -
\??\c:\3lrflfx.exec:\3lrflfx.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4000 -
\??\c:\xflfxrr.exec:\xflfxrr.exe29⤵
- Executes dropped EXE
PID:1964 -
\??\c:\tntnnt.exec:\tntnnt.exe30⤵
- Executes dropped EXE
PID:1896 -
\??\c:\pjpjj.exec:\pjpjj.exe31⤵
- Executes dropped EXE
PID:4420 -
\??\c:\3jjjv.exec:\3jjjv.exe32⤵
- Executes dropped EXE
PID:4800 -
\??\c:\jdjdv.exec:\jdjdv.exe33⤵
- Executes dropped EXE
PID:5016 -
\??\c:\lxxrrlx.exec:\lxxrrlx.exe34⤵
- Executes dropped EXE
PID:1076 -
\??\c:\pjjdv.exec:\pjjdv.exe35⤵
- Executes dropped EXE
PID:2096 -
\??\c:\xllfrlf.exec:\xllfrlf.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980 -
\??\c:\3nthtt.exec:\3nthtt.exe37⤵
- Executes dropped EXE
PID:3376 -
\??\c:\thtnbt.exec:\thtnbt.exe38⤵
- Executes dropped EXE
PID:1788 -
\??\c:\1ddvp.exec:\1ddvp.exe39⤵
- Executes dropped EXE
PID:1492 -
\??\c:\xllxrfx.exec:\xllxrfx.exe40⤵
- Executes dropped EXE
PID:372 -
\??\c:\bntnhb.exec:\bntnhb.exe41⤵
- Executes dropped EXE
PID:956 -
\??\c:\3ddvd.exec:\3ddvd.exe42⤵
- Executes dropped EXE
PID:796 -
\??\c:\9lllllf.exec:\9lllllf.exe43⤵
- Executes dropped EXE
PID:2916 -
\??\c:\ttbnbt.exec:\ttbnbt.exe44⤵
- Executes dropped EXE
PID:2728 -
\??\c:\bbbnht.exec:\bbbnht.exe45⤵
- Executes dropped EXE
PID:2804 -
\??\c:\vpvdd.exec:\vpvdd.exe46⤵
- Executes dropped EXE
PID:2392 -
\??\c:\fxrlrlf.exec:\fxrlrlf.exe47⤵
- Executes dropped EXE
PID:1420 -
\??\c:\nbhtnn.exec:\nbhtnn.exe48⤵
- Executes dropped EXE
PID:2488 -
\??\c:\tbbthh.exec:\tbbthh.exe49⤵
- Executes dropped EXE
PID:4268 -
\??\c:\dvpjv.exec:\dvpjv.exe50⤵
- Executes dropped EXE
PID:2344 -
\??\c:\7xrlxxr.exec:\7xrlxxr.exe51⤵
- Executes dropped EXE
PID:5008 -
\??\c:\nhnhhn.exec:\nhnhhn.exe52⤵
- Executes dropped EXE
PID:2196 -
\??\c:\pdvjd.exec:\pdvjd.exe53⤵
- Executes dropped EXE
PID:3992 -
\??\c:\3lrfrrl.exec:\3lrfrrl.exe54⤵
- Executes dropped EXE
PID:2140 -
\??\c:\bnbttt.exec:\bnbttt.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3228 -
\??\c:\hbbtnh.exec:\hbbtnh.exe56⤵
- Executes dropped EXE
PID:4904 -
\??\c:\7vddp.exec:\7vddp.exe57⤵
- Executes dropped EXE
PID:940 -
\??\c:\xxfxlff.exec:\xxfxlff.exe58⤵
- Executes dropped EXE
PID:1552 -
\??\c:\thnhhb.exec:\thnhhb.exe59⤵
- Executes dropped EXE
PID:4712 -
\??\c:\dddvp.exec:\dddvp.exe60⤵
- Executes dropped EXE
PID:3984 -
\??\c:\fxffllf.exec:\fxffllf.exe61⤵
- Executes dropped EXE
PID:4884 -
\??\c:\lrxrxxr.exec:\lrxrxxr.exe62⤵
- Executes dropped EXE
PID:2236 -
\??\c:\tnntnh.exec:\tnntnh.exe63⤵
- Executes dropped EXE
PID:540 -
\??\c:\7jpjj.exec:\7jpjj.exe64⤵
- Executes dropped EXE
PID:2308 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe65⤵
- Executes dropped EXE
PID:5112 -
\??\c:\rrfxffr.exec:\rrfxffr.exe66⤵PID:2292
-
\??\c:\hntnhb.exec:\hntnhb.exe67⤵PID:1140
-
\??\c:\dvpdj.exec:\dvpdj.exe68⤵PID:3588
-
\??\c:\3flfxxr.exec:\3flfxxr.exe69⤵PID:4560
-
\??\c:\thbnth.exec:\thbnth.exe70⤵PID:1680
-
\??\c:\pvvpd.exec:\pvvpd.exe71⤵PID:3556
-
\??\c:\xxrrlfl.exec:\xxrrlfl.exe72⤵PID:2972
-
\??\c:\htbttn.exec:\htbttn.exe73⤵PID:4740
-
\??\c:\pvpjj.exec:\pvpjj.exe74⤵PID:1616
-
\??\c:\lfxrrlf.exec:\lfxrrlf.exe75⤵PID:4980
-
\??\c:\bthbhb.exec:\bthbhb.exe76⤵PID:4344
-
\??\c:\ththnh.exec:\ththnh.exe77⤵PID:2628
-
\??\c:\jpvpj.exec:\jpvpj.exe78⤵PID:2936
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe79⤵PID:2192
-
\??\c:\bhhbtn.exec:\bhhbtn.exe80⤵PID:2552
-
\??\c:\pjjdv.exec:\pjjdv.exe81⤵PID:4996
-
\??\c:\1djjd.exec:\1djjd.exe82⤵PID:4280
-
\??\c:\bbnhnh.exec:\bbnhnh.exe83⤵PID:4580
-
\??\c:\nbtthh.exec:\nbtthh.exe84⤵PID:800
-
\??\c:\3vjvv.exec:\3vjvv.exe85⤵PID:4612
-
\??\c:\5fxlxxr.exec:\5fxlxxr.exe86⤵PID:512
-
\??\c:\hhnhbt.exec:\hhnhbt.exe87⤵PID:1696
-
\??\c:\jdddv.exec:\jdddv.exe88⤵PID:3568
-
\??\c:\frffxxx.exec:\frffxxx.exe89⤵PID:3648
-
\??\c:\9rrlfll.exec:\9rrlfll.exe90⤵PID:2560
-
\??\c:\httnnh.exec:\httnnh.exe91⤵PID:1028
-
\??\c:\5jvjd.exec:\5jvjd.exe92⤵PID:3704
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe93⤵PID:3792
-
\??\c:\nhhhbn.exec:\nhhhbn.exe94⤵PID:2420
-
\??\c:\nbbtnt.exec:\nbbtnt.exe95⤵PID:968
-
\??\c:\vppjv.exec:\vppjv.exe96⤵PID:764
-
\??\c:\rflxrrl.exec:\rflxrrl.exe97⤵PID:1820
-
\??\c:\3rrlffx.exec:\3rrlffx.exe98⤵PID:5032
-
\??\c:\tttntn.exec:\tttntn.exe99⤵PID:3520
-
\??\c:\7dvpj.exec:\7dvpj.exe100⤵PID:2780
-
\??\c:\rlrrlll.exec:\rlrrlll.exe101⤵PID:1424
-
\??\c:\tnthnh.exec:\tnthnh.exe102⤵PID:4928
-
\??\c:\nhthnh.exec:\nhthnh.exe103⤵PID:372
-
\??\c:\jdvjp.exec:\jdvjp.exe104⤵PID:3760
-
\??\c:\lffrffr.exec:\lffrffr.exe105⤵PID:2868
-
\??\c:\3bbthh.exec:\3bbthh.exe106⤵PID:2756
-
\??\c:\dpvpj.exec:\dpvpj.exe107⤵PID:2728
-
\??\c:\rlrfflf.exec:\rlrfflf.exe108⤵PID:4480
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe109⤵PID:2392
-
\??\c:\hbtnbn.exec:\hbtnbn.exe110⤵PID:4984
-
\??\c:\jdpdp.exec:\jdpdp.exe111⤵PID:2488
-
\??\c:\ffxrllf.exec:\ffxrllf.exe112⤵PID:4592
-
\??\c:\7xxrrrl.exec:\7xxrrrl.exe113⤵PID:4212
-
\??\c:\ttbnhb.exec:\ttbnhb.exe114⤵PID:1080
-
\??\c:\jddpj.exec:\jddpj.exe115⤵PID:1628
-
\??\c:\7rlrllr.exec:\7rlrllr.exe116⤵PID:2988
-
\??\c:\btnbtn.exec:\btnbtn.exe117⤵PID:1316
-
\??\c:\bnbtbb.exec:\bnbtbb.exe118⤵PID:744
-
\??\c:\5vvvj.exec:\5vvvj.exe119⤵PID:5052
-
\??\c:\lrlfrrf.exec:\lrlfrrf.exe120⤵PID:4636
-
\??\c:\5lrllfr.exec:\5lrllfr.exe121⤵PID:4240
-
\??\c:\bhhhbt.exec:\bhhhbt.exe122⤵PID:3340