Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe
-
Size
453KB
-
MD5
84c842440c7a4c2d36db43bc1d018005
-
SHA1
f81db179b3401747130914396e96966fd3235fdd
-
SHA256
a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2
-
SHA512
8e7e999fcb24497c17eab0f1ad808121aebb76fe770deba48599df81b15de91e0741ebe8ddafcd32ca28ea52e6c06e1694e27cef73a0dde2d818246b44dfd2c4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3508-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3976-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2452-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-1246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-1556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1232-1906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4032 ttnhbb.exe 4928 lflfxrl.exe 4296 htbtth.exe 4880 5pjdd.exe 1944 pdddv.exe 1420 pjpvp.exe 4856 fllfxrl.exe 3172 3hnbtn.exe 1544 lflfrlr.exe 3352 7jjdp.exe 2392 rlrfxrr.exe 1792 hhtntt.exe 456 7vvjv.exe 2220 fxxflll.exe 1644 llrlffx.exe 1968 thhhtb.exe 1452 bbtnhb.exe 4140 jdjdp.exe 2708 9dvpj.exe 1072 5nhtnn.exe 2912 1rxrxxl.exe 4124 lflfllx.exe 2452 1vvpj.exe 1480 xlrlxrl.exe 1060 hhhnnt.exe 1744 dvpjv.exe 4788 3jpdd.exe 3620 rffrlfr.exe 60 lxllxrl.exe 4540 7bttnt.exe 2464 vjjdv.exe 3976 pjvpv.exe 1540 nhbbnn.exe 412 9rrfxrl.exe 4468 7pvvp.exe 956 3rrllll.exe 888 thtbbb.exe 4320 pjvpv.exe 4752 lffxxxx.exe 2820 9fffxxr.exe 2040 hhnhbb.exe 3904 jddpj.exe 2960 llrlrrl.exe 1928 nhtntt.exe 4380 pjpdp.exe 3312 9ddvj.exe 3268 rxfrfxr.exe 4032 bttnnh.exe 2308 pjjdp.exe 1000 lffxrlf.exe 3900 9rxlfrl.exe 3360 ththhh.exe 5096 btbnhh.exe 4172 jvddp.exe 3004 fxrlffx.exe 4252 5hnhbb.exe 4136 5jdjd.exe 3080 xllfxxr.exe 2288 3bthbt.exe 3652 dvvpj.exe 4036 pdvpj.exe 2080 9rllflf.exe 2444 tbhhbt.exe 2004 hthbtn.exe -
resource yara_rule behavioral2/memory/3508-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-186-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1540-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4272-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-735-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3508 wrote to memory of 4032 3508 a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe 82 PID 3508 wrote to memory of 4032 3508 a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe 82 PID 3508 wrote to memory of 4032 3508 a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe 82 PID 4032 wrote to memory of 4928 4032 ttnhbb.exe 83 PID 4032 wrote to memory of 4928 4032 ttnhbb.exe 83 PID 4032 wrote to memory of 4928 4032 ttnhbb.exe 83 PID 4928 wrote to memory of 4296 4928 lflfxrl.exe 84 PID 4928 wrote to memory of 4296 4928 lflfxrl.exe 84 PID 4928 wrote to memory of 4296 4928 lflfxrl.exe 84 PID 4296 wrote to memory of 4880 4296 htbtth.exe 85 PID 4296 wrote to memory of 4880 4296 htbtth.exe 85 PID 4296 wrote to memory of 4880 4296 htbtth.exe 85 PID 4880 wrote to memory of 1944 4880 5pjdd.exe 86 PID 4880 wrote to memory of 1944 4880 5pjdd.exe 86 PID 4880 wrote to memory of 1944 4880 5pjdd.exe 86 PID 1944 wrote to memory of 1420 1944 pdddv.exe 87 PID 1944 wrote to memory of 1420 1944 pdddv.exe 87 PID 1944 wrote to memory of 1420 1944 pdddv.exe 87 PID 1420 wrote to memory of 4856 1420 pjpvp.exe 88 PID 1420 wrote to memory of 4856 1420 pjpvp.exe 88 PID 1420 wrote to memory of 4856 1420 pjpvp.exe 88 PID 4856 wrote to memory of 3172 4856 fllfxrl.exe 89 PID 4856 wrote to memory of 3172 4856 fllfxrl.exe 89 PID 4856 wrote to memory of 3172 4856 fllfxrl.exe 89 PID 3172 wrote to memory of 1544 3172 3hnbtn.exe 90 PID 3172 wrote to memory of 1544 3172 3hnbtn.exe 90 PID 3172 wrote to memory of 1544 3172 3hnbtn.exe 90 PID 1544 wrote to memory of 3352 1544 lflfrlr.exe 91 PID 1544 wrote to memory of 3352 1544 lflfrlr.exe 91 PID 1544 wrote to memory of 3352 1544 lflfrlr.exe 91 PID 3352 wrote to memory of 2392 3352 7jjdp.exe 92 PID 3352 wrote to memory of 2392 3352 7jjdp.exe 92 PID 3352 wrote to memory of 2392 3352 7jjdp.exe 92 PID 2392 wrote to memory of 1792 2392 rlrfxrr.exe 93 PID 2392 wrote to 
memory of 1792 2392 rlrfxrr.exe 93 PID 2392 wrote to memory of 1792 2392 rlrfxrr.exe 93 PID 1792 wrote to memory of 456 1792 hhtntt.exe 94 PID 1792 wrote to memory of 456 1792 hhtntt.exe 94 PID 1792 wrote to memory of 456 1792 hhtntt.exe 94 PID 456 wrote to memory of 2220 456 7vvjv.exe 95 PID 456 wrote to memory of 2220 456 7vvjv.exe 95 PID 456 wrote to memory of 2220 456 7vvjv.exe 95 PID 2220 wrote to memory of 1644 2220 fxxflll.exe 96 PID 2220 wrote to memory of 1644 2220 fxxflll.exe 96 PID 2220 wrote to memory of 1644 2220 fxxflll.exe 96 PID 1644 wrote to memory of 1968 1644 llrlffx.exe 97 PID 1644 wrote to memory of 1968 1644 llrlffx.exe 97 PID 1644 wrote to memory of 1968 1644 llrlffx.exe 97 PID 1968 wrote to memory of 1452 1968 thhhtb.exe 98 PID 1968 wrote to memory of 1452 1968 thhhtb.exe 98 PID 1968 wrote to memory of 1452 1968 thhhtb.exe 98 PID 1452 wrote to memory of 4140 1452 bbtnhb.exe 99 PID 1452 wrote to memory of 4140 1452 bbtnhb.exe 99 PID 1452 wrote to memory of 4140 1452 bbtnhb.exe 99 PID 4140 wrote to memory of 2708 4140 jdjdp.exe 100 PID 4140 wrote to memory of 2708 4140 jdjdp.exe 100 PID 4140 wrote to memory of 2708 4140 jdjdp.exe 100 PID 2708 wrote to memory of 1072 2708 9dvpj.exe 101 PID 2708 wrote to memory of 1072 2708 9dvpj.exe 101 PID 2708 wrote to memory of 1072 2708 9dvpj.exe 101 PID 1072 wrote to memory of 2912 1072 5nhtnn.exe 102 PID 1072 wrote to memory of 2912 1072 5nhtnn.exe 102 PID 1072 wrote to memory of 2912 1072 5nhtnn.exe 102 PID 2912 wrote to memory of 4124 2912 1rxrxxl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe"C:\Users\Admin\AppData\Local\Temp\a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\ttnhbb.exec:\ttnhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\lflfxrl.exec:\lflfxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\htbtth.exec:\htbtth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\5pjdd.exec:\5pjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\pdddv.exec:\pdddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\pjpvp.exec:\pjpvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\fllfxrl.exec:\fllfxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\3hnbtn.exec:\3hnbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\lflfrlr.exec:\lflfrlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\7jjdp.exec:\7jjdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\rlrfxrr.exec:\rlrfxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\hhtntt.exec:\hhtntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\7vvjv.exec:\7vvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\fxxflll.exec:\fxxflll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\llrlffx.exec:\llrlffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\thhhtb.exec:\thhhtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\bbtnhb.exec:\bbtnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\jdjdp.exec:\jdjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\9dvpj.exec:\9dvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\5nhtnn.exec:\5nhtnn.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\1rxrxxl.exec:\1rxrxxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\lflfllx.exec:\lflfllx.exe23⤵
- Executes dropped EXE
PID:4124 -
\??\c:\1vvpj.exec:\1vvpj.exe24⤵
- Executes dropped EXE
PID:2452 -
\??\c:\xlrlxrl.exec:\xlrlxrl.exe25⤵
- Executes dropped EXE
PID:1480 -
\??\c:\hhhnnt.exec:\hhhnnt.exe26⤵
- Executes dropped EXE
PID:1060 -
\??\c:\dvpjv.exec:\dvpjv.exe27⤵
- Executes dropped EXE
PID:1744 -
\??\c:\3jpdd.exec:\3jpdd.exe28⤵
- Executes dropped EXE
PID:4788 -
\??\c:\rffrlfr.exec:\rffrlfr.exe29⤵
- Executes dropped EXE
PID:3620 -
\??\c:\lxllxrl.exec:\lxllxrl.exe30⤵
- Executes dropped EXE
PID:60 -
\??\c:\7bttnt.exec:\7bttnt.exe31⤵
- Executes dropped EXE
PID:4540 -
\??\c:\vjjdv.exec:\vjjdv.exe32⤵
- Executes dropped EXE
PID:2464 -
\??\c:\pjvpv.exec:\pjvpv.exe33⤵
- Executes dropped EXE
PID:3976 -
\??\c:\nhbbnn.exec:\nhbbnn.exe34⤵
- Executes dropped EXE
PID:1540 -
\??\c:\9rrfxrl.exec:\9rrfxrl.exe35⤵
- Executes dropped EXE
PID:412 -
\??\c:\7pvvp.exec:\7pvvp.exe36⤵
- Executes dropped EXE
PID:4468 -
\??\c:\3rrllll.exec:\3rrllll.exe37⤵
- Executes dropped EXE
PID:956 -
\??\c:\thtbbb.exec:\thtbbb.exe38⤵
- Executes dropped EXE
PID:888 -
\??\c:\pjvpv.exec:\pjvpv.exe39⤵
- Executes dropped EXE
PID:4320 -
\??\c:\lffxxxx.exec:\lffxxxx.exe40⤵
- Executes dropped EXE
PID:4752 -
\??\c:\9fffxxr.exec:\9fffxxr.exe41⤵
- Executes dropped EXE
PID:2820 -
\??\c:\hhnhbb.exec:\hhnhbb.exe42⤵
- Executes dropped EXE
PID:2040 -
\??\c:\jddpj.exec:\jddpj.exe43⤵
- Executes dropped EXE
PID:3904 -
\??\c:\llrlrrl.exec:\llrlrrl.exe44⤵
- Executes dropped EXE
PID:2960 -
\??\c:\nhtntt.exec:\nhtntt.exe45⤵
- Executes dropped EXE
PID:1928 -
\??\c:\pjpdp.exec:\pjpdp.exe46⤵
- Executes dropped EXE
PID:4380 -
\??\c:\9ddvj.exec:\9ddvj.exe47⤵
- Executes dropped EXE
PID:3312 -
\??\c:\rxfrfxr.exec:\rxfrfxr.exe48⤵
- Executes dropped EXE
PID:3268 -
\??\c:\bttnnh.exec:\bttnnh.exe49⤵
- Executes dropped EXE
PID:4032 -
\??\c:\pjjdp.exec:\pjjdp.exe50⤵
- Executes dropped EXE
PID:2308 -
\??\c:\lffxrlf.exec:\lffxrlf.exe51⤵
- Executes dropped EXE
PID:1000 -
\??\c:\9rxlfrl.exec:\9rxlfrl.exe52⤵
- Executes dropped EXE
PID:3900 -
\??\c:\ththhh.exec:\ththhh.exe53⤵
- Executes dropped EXE
PID:3360 -
\??\c:\btbnhh.exec:\btbnhh.exe54⤵
- Executes dropped EXE
PID:5096 -
\??\c:\jvddp.exec:\jvddp.exe55⤵
- Executes dropped EXE
PID:4172 -
\??\c:\fxrlffx.exec:\fxrlffx.exe56⤵
- Executes dropped EXE
PID:3004 -
\??\c:\5hnhbb.exec:\5hnhbb.exe57⤵
- Executes dropped EXE
PID:4252 -
\??\c:\5jdjd.exec:\5jdjd.exe58⤵
- Executes dropped EXE
PID:4136 -
\??\c:\xllfxxr.exec:\xllfxxr.exe59⤵
- Executes dropped EXE
PID:3080 -
\??\c:\3bthbt.exec:\3bthbt.exe60⤵
- Executes dropped EXE
PID:2288 -
\??\c:\dvvpj.exec:\dvvpj.exe61⤵
- Executes dropped EXE
PID:3652 -
\??\c:\pdvpj.exec:\pdvpj.exe62⤵
- Executes dropped EXE
PID:4036 -
\??\c:\9rllflf.exec:\9rllflf.exe63⤵
- Executes dropped EXE
PID:2080 -
\??\c:\tbhhbt.exec:\tbhhbt.exe64⤵
- Executes dropped EXE
PID:2444 -
\??\c:\hthbtn.exec:\hthbtn.exe65⤵
- Executes dropped EXE
PID:2004 -
\??\c:\ddpjd.exec:\ddpjd.exe66⤵PID:812
-
\??\c:\lfrllrl.exec:\lfrllrl.exe67⤵PID:640
-
\??\c:\nhhtnh.exec:\nhhtnh.exe68⤵PID:1948
-
\??\c:\djvvp.exec:\djvvp.exe69⤵PID:3968
-
\??\c:\1xlxlfr.exec:\1xlxlfr.exe70⤵PID:3236
-
\??\c:\5hnhtn.exec:\5hnhtn.exe71⤵PID:2732
-
\??\c:\dpdvp.exec:\dpdvp.exe72⤵PID:2972
-
\??\c:\lllfxxr.exec:\lllfxxr.exe73⤵PID:2136
-
\??\c:\nnntnh.exec:\nnntnh.exe74⤵PID:2708
-
\??\c:\bhbthh.exec:\bhbthh.exe75⤵PID:1960
-
\??\c:\7dvdp.exec:\7dvdp.exe76⤵PID:2916
-
\??\c:\xfrlxxl.exec:\xfrlxxl.exe77⤵PID:2036
-
\??\c:\thhbtn.exec:\thhbtn.exe78⤵PID:4124
-
\??\c:\7djdp.exec:\7djdp.exe79⤵PID:2516
-
\??\c:\rlrflfx.exec:\rlrflfx.exe80⤵PID:2452
-
\??\c:\thhbtn.exec:\thhbtn.exe81⤵PID:4904
-
\??\c:\hhnhbt.exec:\hhnhbt.exe82⤵PID:2488
-
\??\c:\dpvjv.exec:\dpvjv.exe83⤵PID:5084
-
\??\c:\rxxrfxl.exec:\rxxrfxl.exe84⤵PID:3180
-
\??\c:\hbthbt.exec:\hbthbt.exe85⤵PID:2340
-
\??\c:\9bbnnh.exec:\9bbnnh.exe86⤵PID:3840
-
\??\c:\jvdpj.exec:\jvdpj.exe87⤵PID:2952
-
\??\c:\xlrffxr.exec:\xlrffxr.exe88⤵PID:2232
-
\??\c:\hthbnh.exec:\hthbnh.exe89⤵PID:5088
-
\??\c:\tnhbtn.exec:\tnhbtn.exe90⤵PID:4272
-
\??\c:\dppjv.exec:\dppjv.exe91⤵PID:2672
-
\??\c:\7xrxllf.exec:\7xrxllf.exe92⤵PID:3240
-
\??\c:\thtnnb.exec:\thtnnb.exe93⤵PID:4820
-
\??\c:\vjpjd.exec:\vjpjd.exe94⤵PID:2168
-
\??\c:\lllxrlx.exec:\lllxrlx.exe95⤵PID:2280
-
\??\c:\tnnhbb.exec:\tnnhbb.exe96⤵PID:2344
-
\??\c:\btbtbt.exec:\btbtbt.exe97⤵PID:888
-
\??\c:\5pdvj.exec:\5pdvj.exe98⤵
- System Location Discovery: System Language Discovery
PID:4200 -
\??\c:\lxlfllf.exec:\lxlfllf.exe99⤵PID:4752
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe100⤵PID:2820
-
\??\c:\bbbhbt.exec:\bbbhbt.exe101⤵PID:2040
-
\??\c:\vppjd.exec:\vppjd.exe102⤵PID:2992
-
\??\c:\1jpjj.exec:\1jpjj.exe103⤵PID:1720
-
\??\c:\xxfxfxx.exec:\xxfxfxx.exe104⤵PID:2068
-
\??\c:\nhhbnh.exec:\nhhbnh.exe105⤵
- System Location Discovery: System Language Discovery
PID:3956 -
\??\c:\1jdvp.exec:\1jdvp.exe106⤵PID:2704
-
\??\c:\7flxlxr.exec:\7flxlxr.exe107⤵PID:2396
-
\??\c:\lxffflf.exec:\lxffflf.exe108⤵PID:2936
-
\??\c:\tthttt.exec:\tthttt.exe109⤵PID:2200
-
\??\c:\9jdvp.exec:\9jdvp.exe110⤵PID:1012
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe111⤵PID:4072
-
\??\c:\btbnhh.exec:\btbnhh.exe112⤵PID:1132
-
\??\c:\7hnnnn.exec:\7hnnnn.exe113⤵PID:1420
-
\??\c:\pppjd.exec:\pppjd.exe114⤵PID:2028
-
\??\c:\fxxxxff.exec:\fxxxxff.exe115⤵PID:4856
-
\??\c:\btthhb.exec:\btthhb.exe116⤵PID:3672
-
\??\c:\dvvpj.exec:\dvvpj.exe117⤵PID:4136
-
\??\c:\jdjjj.exec:\jdjjj.exe118⤵PID:3080
-
\??\c:\xfllfxx.exec:\xfllfxx.exe119⤵PID:220
-
\??\c:\ntnbtn.exec:\ntnbtn.exe120⤵PID:2356
-
\??\c:\jdjdj.exec:\jdjdj.exe121⤵PID:1860
-
\??\c:\djvjd.exec:\djvjd.exe122⤵PID:1152