Analysis
-
max time kernel
120s -
max time network
91s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 06:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe
-
Size
455KB
-
MD5
78bfed5b815582c768bd18dce3241f67
-
SHA1
14898a99e3a33ad92668e36adbb569066b473909
-
SHA256
4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9
-
SHA512
98e1ae6dfefd0e9d7d5a8abfc7bffb256aeb6a9bf2e3b0b340ac908bf2433cdd4ad3085fe5d613b6738eac386d4f854bae7942e160406cd725b270abe29614d6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1068-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2256-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1172-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-951-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-1465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3092-1583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4860 htttnn.exe 1180 xrxrrlr.exe 936 bnhthn.exe 524 bntnbb.exe 4896 dddpd.exe 1308 1jjdp.exe 2076 lxlxxrx.exe 2208 tttnbh.exe 3928 vdjdp.exe 3612 1hbbnt.exe 3940 3vpdv.exe 4832 5jjdd.exe 4208 lffxxxr.exe 3168 5pppd.exe 4736 flrfrlf.exe 4348 hbbnhb.exe 3784 jjjdj.exe 1824 xlfrlfx.exe 4668 9tbnhh.exe 2912 xffxxrx.exe 5052 btbbbh.exe 1140 vvjpp.exe 2256 xllxxrl.exe 2552 pdpjv.exe 5024 pvvjd.exe 3900 hbthhb.exe 2728 btthtn.exe 4008 lxxrfxx.exe 4396 5nnhhh.exe 1584 jdpjd.exe 4176 bbtbnb.exe 1128 dppdp.exe 3828 hhhttn.exe 4212 xrrflff.exe 4912 9tnnbt.exe 2360 7htnbt.exe 2684 vdjdj.exe 1984 1llxrlf.exe 208 ththhb.exe 1660 5nnhbt.exe 2096 3vvjd.exe 2236 rffrfxr.exe 3848 nbhttn.exe 2952 pppjd.exe 2612 rfxlxrf.exe 4496 xrrxrrl.exe 1004 nbhtbt.exe 1964 pdvpp.exe 1364 pddvp.exe 4564 lrlfrll.exe 3444 tnnhth.exe 3596 jddvp.exe 3796 5lxrfxl.exe 4544 1hbthn.exe 1836 pjvjd.exe 5060 xllxlfr.exe 524 lffxfxl.exe 3004 hnthbh.exe 1700 thnnbh.exe 4352 pjjdp.exe 3056 lllxlfx.exe 3396 hhnnnn.exe 3212 pjvpd.exe 1404 ffxlxrf.exe -
resource yara_rule behavioral2/memory/1068-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2552-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4780-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-801-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-842-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1068 wrote to memory of 4860 1068 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 84 PID 1068 wrote to memory of 4860 1068 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 84 PID 1068 wrote to memory of 4860 1068 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 84 PID 4860 wrote to memory of 1180 4860 htttnn.exe 85 PID 4860 wrote to memory of 1180 4860 htttnn.exe 85 PID 4860 wrote to memory of 1180 4860 htttnn.exe 85 PID 1180 wrote to memory of 936 1180 xrxrrlr.exe 86 PID 1180 wrote to memory of 936 1180 xrxrrlr.exe 86 PID 1180 wrote to memory of 936 1180 xrxrrlr.exe 86 PID 936 wrote to memory of 524 936 bnhthn.exe 87 PID 936 wrote to memory of 524 936 bnhthn.exe 87 PID 936 wrote to memory of 524 936 bnhthn.exe 87 PID 524 wrote to memory of 4896 524 bntnbb.exe 88 PID 524 wrote to memory of 4896 524 bntnbb.exe 88 PID 524 wrote to memory of 4896 524 bntnbb.exe 88 PID 4896 wrote to memory of 1308 4896 dddpd.exe 89 PID 4896 wrote to memory of 1308 4896 dddpd.exe 89 PID 4896 wrote to memory of 1308 4896 dddpd.exe 89 PID 1308 wrote to memory of 2076 1308 1jjdp.exe 90 PID 1308 wrote to memory of 2076 1308 1jjdp.exe 90 PID 1308 wrote to memory of 2076 1308 1jjdp.exe 90 PID 2076 wrote to memory of 2208 2076 lxlxxrx.exe 91 PID 2076 wrote to memory of 2208 2076 lxlxxrx.exe 91 PID 2076 wrote to memory of 2208 2076 lxlxxrx.exe 91 PID 2208 wrote to memory of 3928 2208 tttnbh.exe 92 PID 2208 wrote to memory of 3928 2208 tttnbh.exe 92 PID 2208 wrote to memory of 3928 2208 tttnbh.exe 92 PID 3928 wrote to memory of 3612 3928 vdjdp.exe 93 PID 3928 wrote to memory of 3612 3928 vdjdp.exe 93 PID 3928 wrote to memory of 3612 3928 vdjdp.exe 93 PID 3612 wrote to memory of 3940 3612 1hbbnt.exe 94 PID 3612 wrote to memory of 3940 3612 1hbbnt.exe 94 PID 3612 wrote to memory of 3940 3612 1hbbnt.exe 94 PID 3940 wrote to memory of 4832 3940 3vpdv.exe 95 PID 3940 wrote to memory of 4832 3940 
3vpdv.exe 95 PID 3940 wrote to memory of 4832 3940 3vpdv.exe 95 PID 4832 wrote to memory of 4208 4832 5jjdd.exe 96 PID 4832 wrote to memory of 4208 4832 5jjdd.exe 96 PID 4832 wrote to memory of 4208 4832 5jjdd.exe 96 PID 4208 wrote to memory of 3168 4208 lffxxxr.exe 97 PID 4208 wrote to memory of 3168 4208 lffxxxr.exe 97 PID 4208 wrote to memory of 3168 4208 lffxxxr.exe 97 PID 3168 wrote to memory of 4736 3168 5pppd.exe 98 PID 3168 wrote to memory of 4736 3168 5pppd.exe 98 PID 3168 wrote to memory of 4736 3168 5pppd.exe 98 PID 4736 wrote to memory of 4348 4736 flrfrlf.exe 99 PID 4736 wrote to memory of 4348 4736 flrfrlf.exe 99 PID 4736 wrote to memory of 4348 4736 flrfrlf.exe 99 PID 4348 wrote to memory of 3784 4348 hbbnhb.exe 100 PID 4348 wrote to memory of 3784 4348 hbbnhb.exe 100 PID 4348 wrote to memory of 3784 4348 hbbnhb.exe 100 PID 3784 wrote to memory of 1824 3784 jjjdj.exe 101 PID 3784 wrote to memory of 1824 3784 jjjdj.exe 101 PID 3784 wrote to memory of 1824 3784 jjjdj.exe 101 PID 1824 wrote to memory of 4668 1824 xlfrlfx.exe 102 PID 1824 wrote to memory of 4668 1824 xlfrlfx.exe 102 PID 1824 wrote to memory of 4668 1824 xlfrlfx.exe 102 PID 4668 wrote to memory of 2912 4668 9tbnhh.exe 103 PID 4668 wrote to memory of 2912 4668 9tbnhh.exe 103 PID 4668 wrote to memory of 2912 4668 9tbnhh.exe 103 PID 2912 wrote to memory of 5052 2912 xffxxrx.exe 104 PID 2912 wrote to memory of 5052 2912 xffxxrx.exe 104 PID 2912 wrote to memory of 5052 2912 xffxxrx.exe 104 PID 5052 wrote to memory of 1140 5052 btbbbh.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe"C:\Users\Admin\AppData\Local\Temp\4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\htttnn.exec:\htttnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\bnhthn.exec:\bnhthn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\bntnbb.exec:\bntnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\dddpd.exec:\dddpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\1jjdp.exec:\1jjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\lxlxxrx.exec:\lxlxxrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\tttnbh.exec:\tttnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\vdjdp.exec:\vdjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\1hbbnt.exec:\1hbbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\3vpdv.exec:\3vpdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\5jjdd.exec:\5jjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\lffxxxr.exec:\lffxxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\5pppd.exec:\5pppd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\flrfrlf.exec:\flrfrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\hbbnhb.exec:\hbbnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\jjjdj.exec:\jjjdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\9tbnhh.exec:\9tbnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\xffxxrx.exec:\xffxxrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\btbbbh.exec:\btbbbh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\vvjpp.exec:\vvjpp.exe23⤵
- Executes dropped EXE
PID:1140 -
\??\c:\xllxxrl.exec:\xllxxrl.exe24⤵
- Executes dropped EXE
PID:2256 -
\??\c:\pdpjv.exec:\pdpjv.exe25⤵
- Executes dropped EXE
PID:2552 -
\??\c:\pvvjd.exec:\pvvjd.exe26⤵
- Executes dropped EXE
PID:5024 -
\??\c:\hbthhb.exec:\hbthhb.exe27⤵
- Executes dropped EXE
PID:3900 -
\??\c:\btthtn.exec:\btthtn.exe28⤵
- Executes dropped EXE
PID:2728 -
\??\c:\lxxrfxx.exec:\lxxrfxx.exe29⤵
- Executes dropped EXE
PID:4008 -
\??\c:\5nnhhh.exec:\5nnhhh.exe30⤵
- Executes dropped EXE
PID:4396 -
\??\c:\jdpjd.exec:\jdpjd.exe31⤵
- Executes dropped EXE
PID:1584 -
\??\c:\bbtbnb.exec:\bbtbnb.exe32⤵
- Executes dropped EXE
PID:4176 -
\??\c:\dppdp.exec:\dppdp.exe33⤵
- Executes dropped EXE
PID:1128 -
\??\c:\hhhttn.exec:\hhhttn.exe34⤵
- Executes dropped EXE
PID:3828 -
\??\c:\xrrflff.exec:\xrrflff.exe35⤵
- Executes dropped EXE
PID:4212 -
\??\c:\9tnnbt.exec:\9tnnbt.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4912 -
\??\c:\7htnbt.exec:\7htnbt.exe37⤵
- Executes dropped EXE
PID:2360 -
\??\c:\vdjdj.exec:\vdjdj.exe38⤵
- Executes dropped EXE
PID:2684 -
\??\c:\1llxrlf.exec:\1llxrlf.exe39⤵
- Executes dropped EXE
PID:1984 -
\??\c:\ththhb.exec:\ththhb.exe40⤵
- Executes dropped EXE
PID:208 -
\??\c:\5nnhbt.exec:\5nnhbt.exe41⤵
- Executes dropped EXE
PID:1660 -
\??\c:\3vvjd.exec:\3vvjd.exe42⤵
- Executes dropped EXE
PID:2096 -
\??\c:\rffrfxr.exec:\rffrfxr.exe43⤵
- Executes dropped EXE
PID:2236 -
\??\c:\nbhttn.exec:\nbhttn.exe44⤵
- Executes dropped EXE
PID:3848 -
\??\c:\pppjd.exec:\pppjd.exe45⤵
- Executes dropped EXE
PID:2952 -
\??\c:\rfxlxrf.exec:\rfxlxrf.exe46⤵
- Executes dropped EXE
PID:2612 -
\??\c:\xrrxrrl.exec:\xrrxrrl.exe47⤵
- Executes dropped EXE
PID:4496 -
\??\c:\nbhtbt.exec:\nbhtbt.exe48⤵
- Executes dropped EXE
PID:1004 -
\??\c:\pdvpp.exec:\pdvpp.exe49⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pddvp.exec:\pddvp.exe50⤵
- Executes dropped EXE
PID:1364 -
\??\c:\lrlfrll.exec:\lrlfrll.exe51⤵
- Executes dropped EXE
PID:4564 -
\??\c:\tnnhth.exec:\tnnhth.exe52⤵
- Executes dropped EXE
PID:3444 -
\??\c:\jddvp.exec:\jddvp.exe53⤵
- Executes dropped EXE
PID:3596 -
\??\c:\5lxrfxl.exec:\5lxrfxl.exe54⤵
- Executes dropped EXE
PID:3796 -
\??\c:\1hbthn.exec:\1hbthn.exe55⤵
- Executes dropped EXE
PID:4544 -
\??\c:\pjvjd.exec:\pjvjd.exe56⤵
- Executes dropped EXE
PID:1836 -
\??\c:\xllxlfr.exec:\xllxlfr.exe57⤵
- Executes dropped EXE
PID:5060 -
\??\c:\lffxfxl.exec:\lffxfxl.exe58⤵
- Executes dropped EXE
PID:524 -
\??\c:\hnthbh.exec:\hnthbh.exe59⤵
- Executes dropped EXE
PID:3004 -
\??\c:\thnnbh.exec:\thnnbh.exe60⤵
- Executes dropped EXE
PID:1700 -
\??\c:\pjjdp.exec:\pjjdp.exe61⤵
- Executes dropped EXE
PID:4352 -
\??\c:\lllxlfx.exec:\lllxlfx.exe62⤵
- Executes dropped EXE
PID:3056 -
\??\c:\hhnnnn.exec:\hhnnnn.exe63⤵
- Executes dropped EXE
PID:3396 -
\??\c:\pjvpd.exec:\pjvpd.exe64⤵
- Executes dropped EXE
PID:3212 -
\??\c:\ffxlxrf.exec:\ffxlxrf.exe65⤵
- Executes dropped EXE
PID:1404 -
\??\c:\rlllxxl.exec:\rlllxxl.exe66⤵PID:400
-
\??\c:\1tbttt.exec:\1tbttt.exe67⤵PID:1900
-
\??\c:\pddvp.exec:\pddvp.exe68⤵PID:1568
-
\??\c:\7pdvv.exec:\7pdvv.exe69⤵PID:4492
-
\??\c:\llxrfrf.exec:\llxrfrf.exe70⤵PID:808
-
\??\c:\tnhbtn.exec:\tnhbtn.exe71⤵PID:4032
-
\??\c:\pjvpd.exec:\pjvpd.exe72⤵PID:4208
-
\??\c:\1jdpv.exec:\1jdpv.exe73⤵PID:1172
-
\??\c:\xffxlff.exec:\xffxlff.exe74⤵PID:3652
-
\??\c:\thnbhb.exec:\thnbhb.exe75⤵PID:64
-
\??\c:\pjjpj.exec:\pjjpj.exe76⤵PID:5096
-
\??\c:\9rfxrrl.exec:\9rfxrrl.exe77⤵PID:2940
-
\??\c:\thhnbt.exec:\thhnbt.exe78⤵PID:1740
-
\??\c:\jddpp.exec:\jddpp.exe79⤵PID:4436
-
\??\c:\3ppjd.exec:\3ppjd.exe80⤵PID:4948
-
\??\c:\7fxlfxl.exec:\7fxlfxl.exe81⤵PID:1460
-
\??\c:\hnttnh.exec:\hnttnh.exe82⤵PID:4780
-
\??\c:\dpjjv.exec:\dpjjv.exe83⤵PID:3720
-
\??\c:\flxfrlx.exec:\flxfrlx.exe84⤵PID:4600
-
\??\c:\frrlffx.exec:\frrlffx.exe85⤵PID:2256
-
\??\c:\pdvjd.exec:\pdvjd.exe86⤵PID:1784
-
\??\c:\jddvp.exec:\jddvp.exe87⤵PID:1512
-
\??\c:\flrxlrl.exec:\flrxlrl.exe88⤵PID:4360
-
\??\c:\nhbbnn.exec:\nhbbnn.exe89⤵PID:3628
-
\??\c:\dddpd.exec:\dddpd.exe90⤵PID:1160
-
\??\c:\5rlfrfx.exec:\5rlfrfx.exe91⤵PID:4716
-
\??\c:\rlrlfxl.exec:\rlrlfxl.exe92⤵PID:4652
-
\??\c:\hhtnnh.exec:\hhtnnh.exe93⤵PID:2776
-
\??\c:\7vdpj.exec:\7vdpj.exe94⤵PID:3096
-
\??\c:\3flxrll.exec:\3flxrll.exe95⤵PID:2244
-
\??\c:\5hnbbt.exec:\5hnbbt.exe96⤵
- System Location Discovery: System Language Discovery
PID:2176 -
\??\c:\3ttnhh.exec:\3ttnhh.exe97⤵PID:708
-
\??\c:\pvdvj.exec:\pvdvj.exe98⤵PID:3020
-
\??\c:\rffxrlf.exec:\rffxrlf.exe99⤵PID:2368
-
\??\c:\thtthh.exec:\thtthh.exe100⤵PID:4356
-
\??\c:\btnhhb.exec:\btnhhb.exe101⤵PID:1304
-
\??\c:\1jddp.exec:\1jddp.exe102⤵PID:3468
-
\??\c:\rfxfrrf.exec:\rfxfrrf.exe103⤵PID:1756
-
\??\c:\5rllflf.exec:\5rllflf.exe104⤵PID:5084
-
\??\c:\tbbtnh.exec:\tbbtnh.exe105⤵PID:4764
-
\??\c:\3jdvv.exec:\3jdvv.exe106⤵PID:4608
-
\??\c:\rfxrxrf.exec:\rfxrxrf.exe107⤵PID:1892
-
\??\c:\9lllffx.exec:\9lllffx.exe108⤵PID:692
-
\??\c:\9tnhth.exec:\9tnhth.exe109⤵PID:3076
-
\??\c:\jvvpj.exec:\jvvpj.exe110⤵PID:3064
-
\??\c:\5flfrlf.exec:\5flfrlf.exe111⤵PID:1244
-
\??\c:\lffrlff.exec:\lffrlff.exe112⤵PID:1260
-
\??\c:\9hbnhb.exec:\9hbnhb.exe113⤵PID:2264
-
\??\c:\vjjvv.exec:\vjjvv.exe114⤵PID:3504
-
\??\c:\7lrffxf.exec:\7lrffxf.exe115⤵PID:4576
-
\??\c:\nnhbbt.exec:\nnhbbt.exe116⤵PID:4740
-
\??\c:\pdddv.exec:\pdddv.exe117⤵PID:2192
-
\??\c:\fxffffl.exec:\fxffffl.exe118⤵PID:2108
-
\??\c:\rxfrrlf.exec:\rxfrrlf.exe119⤵PID:216
-
\??\c:\tbhthh.exec:\tbhthh.exe120⤵PID:3840
-
\??\c:\pjjdd.exec:\pjjdd.exe121⤵PID:3704
-
\??\c:\ffrrxxf.exec:\ffrrxxf.exe122⤵PID:1492