Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe
-
Size
454KB
-
MD5
1c46f433d5bc771d0de821f7832ac6b8
-
SHA1
052f91b495772a532b78742ee2a534a024286ca4
-
SHA256
95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288
-
SHA512
64bfccdb5aba6c5ef87c9c9006ce5369d36b40e616d9306dce50e082dfa646d716488f15f0dc5bd94618b315081d6644282d5700fd6234b320d50c7bdfea49a1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/388-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1372-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3188-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-860-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-898-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-950-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3420-1808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 388 ttntnt.exe 3044 9hbthh.exe 2560 rrrrlfx.exe 1264 thhbnn.exe 1200 hnthbb.exe 1000 djdvv.exe 4056 lflfffl.exe 912 bnhhbt.exe 536 frrlffx.exe 1552 bntnhh.exe 3084 xrflflr.exe 4036 1vddj.exe 3120 llllflf.exe 2208 fxxrxxx.exe 2540 hbbtnn.exe 3608 5pvpp.exe 1656 jpvjd.exe 2804 ntbtnh.exe 4600 dppjp.exe 1056 xxfxxxx.exe 1540 9pvvv.exe 2940 rfflxxr.exe 628 nhhhbb.exe 4972 pjdvp.exe 4996 rlrrrrl.exe 4040 nnttht.exe 4068 xrrlfxx.exe 1372 httnhh.exe 2676 jvvpd.exe 3696 xrxrxrx.exe 1248 dvdjd.exe 5040 ntbtnn.exe 3936 5rlffff.exe 2688 btbbtt.exe 828 jvvpj.exe 1348 frlfxrl.exe 3796 bnnbtt.exe 4748 pvvpj.exe 3920 5tbtbb.exe 1184 pddpd.exe 2488 7llfxxr.exe 4296 bttnhb.exe 404 1bbtnh.exe 2244 pjjpd.exe 2472 pvdjv.exe 724 flrlllx.exe 4776 nhtnhh.exe 1160 dpvpj.exe 748 fxrlrll.exe 1136 3hhbbb.exe 3612 pvdpv.exe 1812 frlxlfx.exe 4344 tnnbnb.exe 4328 1vpdp.exe 2420 7dvvp.exe 536 flffrll.exe 2640 htbthh.exe 5000 dpdvj.exe 4152 vvpjj.exe 4036 3lfrfxr.exe 4336 9tbnhb.exe 4924 5pvjv.exe 2828 ppvpd.exe 2540 fflfrlf.exe -
resource yara_rule behavioral2/memory/388-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3696-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-415-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1264-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-860-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-864-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-898-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlflxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4768 wrote to memory of 388 4768 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 83 PID 4768 wrote to memory of 388 4768 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 83 PID 4768 wrote to memory of 388 4768 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 83 PID 388 wrote to memory of 3044 388 ttntnt.exe 84 PID 388 wrote to memory of 3044 388 ttntnt.exe 84 PID 388 wrote to memory of 3044 388 ttntnt.exe 84 PID 3044 wrote to memory of 2560 3044 9hbthh.exe 85 PID 3044 wrote to memory of 2560 3044 9hbthh.exe 85 PID 3044 wrote to memory of 2560 3044 9hbthh.exe 85 PID 2560 wrote to memory of 1264 2560 rrrrlfx.exe 86 PID 2560 wrote to memory of 1264 2560 rrrrlfx.exe 86 PID 2560 wrote to memory of 1264 2560 rrrrlfx.exe 86 PID 1264 wrote to memory of 1200 1264 thhbnn.exe 87 PID 1264 wrote to memory of 1200 1264 thhbnn.exe 87 PID 1264 wrote to memory of 1200 1264 thhbnn.exe 87 PID 1200 wrote to memory of 1000 1200 hnthbb.exe 88 PID 1200 wrote to memory of 1000 1200 hnthbb.exe 88 PID 1200 wrote to memory of 1000 1200 hnthbb.exe 88 PID 1000 wrote to memory of 4056 1000 djdvv.exe 89 PID 1000 wrote to memory of 4056 1000 djdvv.exe 89 PID 1000 wrote to memory of 4056 1000 djdvv.exe 89 PID 4056 wrote to memory of 912 4056 lflfffl.exe 90 PID 4056 wrote to memory of 912 4056 lflfffl.exe 90 PID 4056 wrote to memory of 912 4056 lflfffl.exe 90 PID 912 wrote to memory of 536 912 bnhhbt.exe 91 PID 912 wrote to memory of 536 912 bnhhbt.exe 91 PID 912 wrote to memory of 536 912 bnhhbt.exe 91 PID 536 wrote to memory of 1552 536 frrlffx.exe 92 PID 536 wrote to memory of 1552 536 frrlffx.exe 92 PID 536 wrote to memory of 1552 536 frrlffx.exe 92 PID 1552 wrote to memory of 3084 1552 bntnhh.exe 93 PID 1552 wrote to memory of 3084 1552 bntnhh.exe 93 PID 1552 wrote to memory of 3084 1552 bntnhh.exe 93 PID 3084 wrote to memory of 4036 3084 xrflflr.exe 94 PID 3084 wrote to memory of 4036 3084 
xrflflr.exe 94 PID 3084 wrote to memory of 4036 3084 xrflflr.exe 94 PID 4036 wrote to memory of 3120 4036 1vddj.exe 95 PID 4036 wrote to memory of 3120 4036 1vddj.exe 95 PID 4036 wrote to memory of 3120 4036 1vddj.exe 95 PID 3120 wrote to memory of 2208 3120 llllflf.exe 96 PID 3120 wrote to memory of 2208 3120 llllflf.exe 96 PID 3120 wrote to memory of 2208 3120 llllflf.exe 96 PID 2208 wrote to memory of 2540 2208 fxxrxxx.exe 97 PID 2208 wrote to memory of 2540 2208 fxxrxxx.exe 97 PID 2208 wrote to memory of 2540 2208 fxxrxxx.exe 97 PID 2540 wrote to memory of 3608 2540 hbbtnn.exe 98 PID 2540 wrote to memory of 3608 2540 hbbtnn.exe 98 PID 2540 wrote to memory of 3608 2540 hbbtnn.exe 98 PID 3608 wrote to memory of 1656 3608 5pvpp.exe 99 PID 3608 wrote to memory of 1656 3608 5pvpp.exe 99 PID 3608 wrote to memory of 1656 3608 5pvpp.exe 99 PID 1656 wrote to memory of 2804 1656 jpvjd.exe 100 PID 1656 wrote to memory of 2804 1656 jpvjd.exe 100 PID 1656 wrote to memory of 2804 1656 jpvjd.exe 100 PID 2804 wrote to memory of 4600 2804 ntbtnh.exe 101 PID 2804 wrote to memory of 4600 2804 ntbtnh.exe 101 PID 2804 wrote to memory of 4600 2804 ntbtnh.exe 101 PID 4600 wrote to memory of 1056 4600 dppjp.exe 102 PID 4600 wrote to memory of 1056 4600 dppjp.exe 102 PID 4600 wrote to memory of 1056 4600 dppjp.exe 102 PID 1056 wrote to memory of 1540 1056 xxfxxxx.exe 103 PID 1056 wrote to memory of 1540 1056 xxfxxxx.exe 103 PID 1056 wrote to memory of 1540 1056 xxfxxxx.exe 103 PID 1540 wrote to memory of 2940 1540 9pvvv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe"C:\Users\Admin\AppData\Local\Temp\95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\ttntnt.exec:\ttntnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\9hbthh.exec:\9hbthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\rrrrlfx.exec:\rrrrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\thhbnn.exec:\thhbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\hnthbb.exec:\hnthbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\djdvv.exec:\djdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\lflfffl.exec:\lflfffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\bnhhbt.exec:\bnhhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\frrlffx.exec:\frrlffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\bntnhh.exec:\bntnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\xrflflr.exec:\xrflflr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\1vddj.exec:\1vddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\llllflf.exec:\llllflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\fxxrxxx.exec:\fxxrxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\hbbtnn.exec:\hbbtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\5pvpp.exec:\5pvpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\jpvjd.exec:\jpvjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\ntbtnh.exec:\ntbtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\dppjp.exec:\dppjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\9pvvv.exec:\9pvvv.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\rfflxxr.exec:\rfflxxr.exe23⤵
- Executes dropped EXE
PID:2940 -
\??\c:\nhhhbb.exec:\nhhhbb.exe24⤵
- Executes dropped EXE
PID:628 -
\??\c:\pjdvp.exec:\pjdvp.exe25⤵
- Executes dropped EXE
PID:4972 -
\??\c:\rlrrrrl.exec:\rlrrrrl.exe26⤵
- Executes dropped EXE
PID:4996 -
\??\c:\nnttht.exec:\nnttht.exe27⤵
- Executes dropped EXE
PID:4040 -
\??\c:\xrrlfxx.exec:\xrrlfxx.exe28⤵
- Executes dropped EXE
PID:4068 -
\??\c:\httnhh.exec:\httnhh.exe29⤵
- Executes dropped EXE
PID:1372 -
\??\c:\jvvpd.exec:\jvvpd.exe30⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe31⤵
- Executes dropped EXE
PID:3696 -
\??\c:\dvdjd.exec:\dvdjd.exe32⤵
- Executes dropped EXE
PID:1248 -
\??\c:\ntbtnn.exec:\ntbtnn.exe33⤵
- Executes dropped EXE
PID:5040 -
\??\c:\5rlffff.exec:\5rlffff.exe34⤵
- Executes dropped EXE
PID:3936 -
\??\c:\btbbtt.exec:\btbbtt.exe35⤵
- Executes dropped EXE
PID:2688 -
\??\c:\jvvpj.exec:\jvvpj.exe36⤵
- Executes dropped EXE
PID:828 -
\??\c:\frlfxrl.exec:\frlfxrl.exe37⤵
- Executes dropped EXE
PID:1348 -
\??\c:\bnnbtt.exec:\bnnbtt.exe38⤵
- Executes dropped EXE
PID:3796 -
\??\c:\pvvpj.exec:\pvvpj.exe39⤵
- Executes dropped EXE
PID:4748 -
\??\c:\5tbtbb.exec:\5tbtbb.exe40⤵
- Executes dropped EXE
PID:3920 -
\??\c:\pddpd.exec:\pddpd.exe41⤵
- Executes dropped EXE
PID:1184 -
\??\c:\7llfxxr.exec:\7llfxxr.exe42⤵
- Executes dropped EXE
PID:2488 -
\??\c:\bttnhb.exec:\bttnhb.exe43⤵
- Executes dropped EXE
PID:4296 -
\??\c:\1bbtnh.exec:\1bbtnh.exe44⤵
- Executes dropped EXE
PID:404 -
\??\c:\pjjpd.exec:\pjjpd.exe45⤵
- Executes dropped EXE
PID:2244 -
\??\c:\pvdjv.exec:\pvdjv.exe46⤵
- Executes dropped EXE
PID:2472 -
\??\c:\flrlllx.exec:\flrlllx.exe47⤵
- Executes dropped EXE
PID:724 -
\??\c:\nhtnhh.exec:\nhtnhh.exe48⤵
- Executes dropped EXE
PID:4776 -
\??\c:\dpvpj.exec:\dpvpj.exe49⤵
- Executes dropped EXE
PID:1160 -
\??\c:\fxrlrll.exec:\fxrlrll.exe50⤵
- Executes dropped EXE
PID:748 -
\??\c:\3hhbbb.exec:\3hhbbb.exe51⤵
- Executes dropped EXE
PID:1136 -
\??\c:\pvdpv.exec:\pvdpv.exe52⤵
- Executes dropped EXE
PID:3612 -
\??\c:\frlxlfx.exec:\frlxlfx.exe53⤵
- Executes dropped EXE
PID:1812 -
\??\c:\tnnbnb.exec:\tnnbnb.exe54⤵
- Executes dropped EXE
PID:4344 -
\??\c:\1vpdp.exec:\1vpdp.exe55⤵
- Executes dropped EXE
PID:4328 -
\??\c:\7dvvp.exec:\7dvvp.exe56⤵
- Executes dropped EXE
PID:2420 -
\??\c:\flffrll.exec:\flffrll.exe57⤵
- Executes dropped EXE
PID:536 -
\??\c:\htbthh.exec:\htbthh.exe58⤵
- Executes dropped EXE
PID:2640 -
\??\c:\dpdvj.exec:\dpdvj.exe59⤵
- Executes dropped EXE
PID:5000 -
\??\c:\vvpjj.exec:\vvpjj.exe60⤵
- Executes dropped EXE
PID:4152 -
\??\c:\3lfrfxr.exec:\3lfrfxr.exe61⤵
- Executes dropped EXE
PID:4036 -
\??\c:\9tbnhb.exec:\9tbnhb.exe62⤵
- Executes dropped EXE
PID:4336 -
\??\c:\5pvjv.exec:\5pvjv.exe63⤵
- Executes dropped EXE
PID:4924 -
\??\c:\ppvpd.exec:\ppvpd.exe64⤵
- Executes dropped EXE
PID:2828 -
\??\c:\fflfrlf.exec:\fflfrlf.exe65⤵
- Executes dropped EXE
PID:2540 -
\??\c:\hbnbnb.exec:\hbnbnb.exe66⤵
- System Location Discovery: System Language Discovery
PID:2636 -
\??\c:\djjdp.exec:\djjdp.exe67⤵PID:216
-
\??\c:\frlflxr.exec:\frlflxr.exe68⤵
- System Location Discovery: System Language Discovery
PID:228 -
\??\c:\nbhttn.exec:\nbhttn.exe69⤵PID:3752
-
\??\c:\jvdpj.exec:\jvdpj.exe70⤵PID:3620
-
\??\c:\frfrfxr.exec:\frfrfxr.exe71⤵PID:2000
-
\??\c:\9ffxrlf.exec:\9ffxrlf.exe72⤵PID:1148
-
\??\c:\7tthth.exec:\7tthth.exe73⤵PID:4464
-
\??\c:\3vvvp.exec:\3vvvp.exe74⤵PID:1996
-
\??\c:\xrrfrrl.exec:\xrrfrrl.exe75⤵PID:2500
-
\??\c:\bbbbnn.exec:\bbbbnn.exe76⤵PID:2112
-
\??\c:\nbbnbt.exec:\nbbnbt.exe77⤵PID:948
-
\??\c:\dddpd.exec:\dddpd.exe78⤵PID:956
-
\??\c:\xffxrlf.exec:\xffxrlf.exe79⤵PID:3576
-
\??\c:\9nhbnh.exec:\9nhbnh.exe80⤵PID:4024
-
\??\c:\dvdvp.exec:\dvdvp.exe81⤵PID:3300
-
\??\c:\vdjdp.exec:\vdjdp.exe82⤵PID:4884
-
\??\c:\lrxflfr.exec:\lrxflfr.exe83⤵PID:1724
-
\??\c:\bnhthb.exec:\bnhthb.exe84⤵PID:4736
-
\??\c:\dvdpd.exec:\dvdpd.exe85⤵PID:2684
-
\??\c:\pvpdj.exec:\pvpdj.exe86⤵PID:2824
-
\??\c:\xllxfxl.exec:\xllxfxl.exe87⤵PID:3188
-
\??\c:\btbtnh.exec:\btbtnh.exe88⤵PID:5040
-
\??\c:\jdjvd.exec:\jdjvd.exe89⤵PID:1388
-
\??\c:\vppjv.exec:\vppjv.exe90⤵PID:1736
-
\??\c:\1xxlfrr.exec:\1xxlfrr.exe91⤵PID:828
-
\??\c:\1hnhbt.exec:\1hnhbt.exe92⤵PID:3460
-
\??\c:\jvvpj.exec:\jvvpj.exe93⤵PID:5048
-
\??\c:\frxrxrf.exec:\frxrxrf.exe94⤵PID:2272
-
\??\c:\bbbthh.exec:\bbbthh.exe95⤵PID:4112
-
\??\c:\ppvpd.exec:\ppvpd.exe96⤵PID:3168
-
\??\c:\jjjdp.exec:\jjjdp.exe97⤵PID:2488
-
\??\c:\5xfrrll.exec:\5xfrrll.exe98⤵PID:4296
-
\??\c:\ffrlxxr.exec:\ffrlxxr.exe99⤵PID:4816
-
\??\c:\ntnbnb.exec:\ntnbnb.exe100⤵PID:3688
-
\??\c:\dpdpv.exec:\dpdpv.exe101⤵PID:3968
-
\??\c:\rlrfxrf.exec:\rlrfxrf.exe102⤵PID:2560
-
\??\c:\7hnbht.exec:\7hnbht.exe103⤵PID:4492
-
\??\c:\djpjv.exec:\djpjv.exe104⤵PID:1264
-
\??\c:\jpvjd.exec:\jpvjd.exe105⤵PID:1416
-
\??\c:\rrffrff.exec:\rrffrff.exe106⤵PID:1424
-
\??\c:\bbhtnb.exec:\bbhtnb.exe107⤵PID:1228
-
\??\c:\pjjdj.exec:\pjjdj.exe108⤵PID:3448
-
\??\c:\xfrlxrl.exec:\xfrlxrl.exe109⤵PID:2608
-
\??\c:\hbbtnh.exec:\hbbtnh.exe110⤵PID:1376
-
\??\c:\5ttbtn.exec:\5ttbtn.exe111⤵PID:3348
-
\??\c:\dppjv.exec:\dppjv.exe112⤵PID:1984
-
\??\c:\lrfxlfx.exec:\lrfxlfx.exe113⤵PID:684
-
\??\c:\7ththb.exec:\7ththb.exe114⤵PID:3084
-
\??\c:\dddpd.exec:\dddpd.exe115⤵PID:3140
-
\??\c:\rrfxffl.exec:\rrfxffl.exe116⤵PID:944
-
\??\c:\tbbnbt.exec:\tbbnbt.exe117⤵
- System Location Discovery: System Language Discovery
PID:3416 -
\??\c:\bhnhtt.exec:\bhnhtt.exe118⤵PID:4036
-
\??\c:\dppjv.exec:\dppjv.exe119⤵PID:4336
-
\??\c:\lffxlxr.exec:\lffxlxr.exe120⤵PID:1596
-
\??\c:\httnhh.exec:\httnhh.exe121⤵PID:4912
-
\??\c:\jvvpd.exec:\jvvpd.exe122⤵PID:2808