Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 11:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe
-
Size
453KB
-
MD5
ac6d2f880b699956bd5c398c01614960
-
SHA1
6aa4e65846bf8748a06ad4ae86c81a8f1f9d1761
-
SHA256
d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8
-
SHA512
1efc20b3daf849abb6ef8591979df8eb402642a35275d334a2f50fa063220edb995019e4bad77db09205e8fc1b8c7eea66071dc927cfca487a84caf27c5ebaa7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2588-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4600-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3148-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2752-1005-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 228 btnhbb.exe 3592 46442.exe 3504 httnhb.exe 3664 rlfrfxx.exe 4868 ntbnbb.exe 2724 xxxxffl.exe 3720 20442.exe 3812 2824046.exe 5008 fxxrfxr.exe 1364 jvpjd.exe 2916 bntnbt.exe 1720 6408226.exe 3304 k68642.exe 3996 jvjpp.exe 1660 68080.exe 1816 hnbthh.exe 4488 8664860.exe 2560 dvdpj.exe 4756 vjvjv.exe 2384 6628002.exe 4208 nttnbb.exe 4660 vvdvd.exe 1332 8028620.exe 4600 9nnbnh.exe 1164 g0820.exe 4276 s2428.exe 2488 26648.exe 1484 2404220.exe 688 pdjvp.exe 1004 xfrxrlf.exe 1864 pdvpd.exe 4560 o062262.exe 4000 m2488.exe 2452 48486.exe 4608 e80402.exe 1584 xxflxrl.exe 3108 44042.exe 3216 bthbtt.exe 3404 nthbbt.exe 4188 rlfxllf.exe 1388 86882.exe 4564 jvjdp.exe 3500 86862.exe 1216 1vjvj.exe 860 lffrlfr.exe 4384 6806000.exe 4028 hntnhh.exe 2956 08420.exe 228 66602.exe 4820 rxlffxr.exe 4768 ttbtnn.exe 4268 088648.exe 2084 jpvvp.exe 2888 0682244.exe 544 6026268.exe 3148 xxxxrxr.exe 2156 04042.exe 632 xxxrlff.exe 1572 pjvpd.exe 2836 pdpdv.exe 1876 48426.exe 3916 426486.exe 4632 q88604.exe 1324 nbbhtt.exe -
resource yara_rule behavioral2/memory/2588-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1164-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-306-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5080-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-707-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2588 wrote to memory of 228 2588 d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe 83 PID 2588 wrote to memory of 228 2588 d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe 83 PID 2588 wrote to memory of 228 2588 d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe 83 PID 228 wrote to memory of 3592 228 btnhbb.exe 84 PID 228 wrote to memory of 3592 228 btnhbb.exe 84 PID 228 wrote to memory of 3592 228 btnhbb.exe 84 PID 3592 wrote to memory of 3504 3592 46442.exe 85 PID 3592 wrote to memory of 3504 3592 46442.exe 85 PID 3592 wrote to memory of 3504 3592 46442.exe 85 PID 3504 wrote to memory of 3664 3504 httnhb.exe 86 PID 3504 wrote to memory of 3664 3504 httnhb.exe 86 PID 3504 wrote to memory of 3664 3504 httnhb.exe 86 PID 3664 wrote to memory of 4868 3664 rlfrfxx.exe 87 PID 3664 wrote to memory of 4868 3664 rlfrfxx.exe 87 PID 3664 wrote to memory of 4868 3664 rlfrfxx.exe 87 PID 4868 wrote to memory of 2724 4868 ntbnbb.exe 88 PID 4868 wrote to memory of 2724 4868 ntbnbb.exe 88 PID 4868 wrote to memory of 2724 4868 ntbnbb.exe 88 PID 2724 wrote to memory of 3720 2724 xxxxffl.exe 89 PID 2724 wrote to memory of 3720 2724 xxxxffl.exe 89 PID 2724 wrote to memory of 3720 2724 xxxxffl.exe 89 PID 3720 wrote to memory of 3812 3720 20442.exe 90 PID 3720 wrote to memory of 3812 3720 20442.exe 90 PID 3720 wrote to memory of 3812 3720 20442.exe 90 PID 3812 wrote to memory of 5008 3812 2824046.exe 91 PID 3812 wrote to memory of 5008 3812 2824046.exe 91 PID 3812 wrote to memory of 5008 3812 2824046.exe 91 PID 5008 wrote to memory of 1364 5008 fxxrfxr.exe 92 PID 5008 wrote to memory of 1364 5008 fxxrfxr.exe 92 PID 5008 wrote to memory of 1364 5008 fxxrfxr.exe 92 PID 1364 wrote to memory of 2916 1364 jvpjd.exe 93 PID 1364 wrote to memory of 2916 1364 jvpjd.exe 93 PID 1364 wrote to memory of 2916 1364 jvpjd.exe 93 PID 2916 wrote to memory of 1720 2916 bntnbt.exe 94 PID 2916 wrote to 
memory of 1720 2916 bntnbt.exe 94 PID 2916 wrote to memory of 1720 2916 bntnbt.exe 94 PID 1720 wrote to memory of 3304 1720 6408226.exe 95 PID 1720 wrote to memory of 3304 1720 6408226.exe 95 PID 1720 wrote to memory of 3304 1720 6408226.exe 95 PID 3304 wrote to memory of 3996 3304 k68642.exe 96 PID 3304 wrote to memory of 3996 3304 k68642.exe 96 PID 3304 wrote to memory of 3996 3304 k68642.exe 96 PID 3996 wrote to memory of 1660 3996 jvjpp.exe 97 PID 3996 wrote to memory of 1660 3996 jvjpp.exe 97 PID 3996 wrote to memory of 1660 3996 jvjpp.exe 97 PID 1660 wrote to memory of 1816 1660 68080.exe 98 PID 1660 wrote to memory of 1816 1660 68080.exe 98 PID 1660 wrote to memory of 1816 1660 68080.exe 98 PID 1816 wrote to memory of 4488 1816 hnbthh.exe 99 PID 1816 wrote to memory of 4488 1816 hnbthh.exe 99 PID 1816 wrote to memory of 4488 1816 hnbthh.exe 99 PID 4488 wrote to memory of 2560 4488 8664860.exe 100 PID 4488 wrote to memory of 2560 4488 8664860.exe 100 PID 4488 wrote to memory of 2560 4488 8664860.exe 100 PID 2560 wrote to memory of 4756 2560 dvdpj.exe 101 PID 2560 wrote to memory of 4756 2560 dvdpj.exe 101 PID 2560 wrote to memory of 4756 2560 dvdpj.exe 101 PID 4756 wrote to memory of 2384 4756 vjvjv.exe 102 PID 4756 wrote to memory of 2384 4756 vjvjv.exe 102 PID 4756 wrote to memory of 2384 4756 vjvjv.exe 102 PID 2384 wrote to memory of 4208 2384 6628002.exe 103 PID 2384 wrote to memory of 4208 2384 6628002.exe 103 PID 2384 wrote to memory of 4208 2384 6628002.exe 103 PID 4208 wrote to memory of 4660 4208 nttnbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe"C:\Users\Admin\AppData\Local\Temp\d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\btnhbb.exec:\btnhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\46442.exec:\46442.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\httnhb.exec:\httnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\rlfrfxx.exec:\rlfrfxx.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\ntbnbb.exec:\ntbnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\xxxxffl.exec:\xxxxffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\20442.exec:\20442.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\2824046.exec:\2824046.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\fxxrfxr.exec:\fxxrfxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\jvpjd.exec:\jvpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\bntnbt.exec:\bntnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\6408226.exec:\6408226.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\k68642.exec:\k68642.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\jvjpp.exec:\jvjpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\68080.exec:\68080.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\hnbthh.exec:\hnbthh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\8664860.exec:\8664860.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\dvdpj.exec:\dvdpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\vjvjv.exec:\vjvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\6628002.exec:\6628002.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\nttnbb.exec:\nttnbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\vvdvd.exec:\vvdvd.exe23⤵
- Executes dropped EXE
PID:4660 -
\??\c:\8028620.exec:\8028620.exe24⤵
- Executes dropped EXE
PID:1332 -
\??\c:\9nnbnh.exec:\9nnbnh.exe25⤵
- Executes dropped EXE
PID:4600 -
\??\c:\g0820.exec:\g0820.exe26⤵
- Executes dropped EXE
PID:1164 -
\??\c:\s2428.exec:\s2428.exe27⤵
- Executes dropped EXE
PID:4276 -
\??\c:\26648.exec:\26648.exe28⤵
- Executes dropped EXE
PID:2488 -
\??\c:\2404220.exec:\2404220.exe29⤵
- Executes dropped EXE
PID:1484 -
\??\c:\pdjvp.exec:\pdjvp.exe30⤵
- Executes dropped EXE
PID:688 -
\??\c:\xfrxrlf.exec:\xfrxrlf.exe31⤵
- Executes dropped EXE
PID:1004 -
\??\c:\pdvpd.exec:\pdvpd.exe32⤵
- Executes dropped EXE
PID:1864 -
\??\c:\o062262.exec:\o062262.exe33⤵
- Executes dropped EXE
PID:4560 -
\??\c:\m2488.exec:\m2488.exe34⤵
- Executes dropped EXE
PID:4000 -
\??\c:\48486.exec:\48486.exe35⤵
- Executes dropped EXE
PID:2452 -
\??\c:\e80402.exec:\e80402.exe36⤵
- Executes dropped EXE
PID:4608 -
\??\c:\xxflxrl.exec:\xxflxrl.exe37⤵
- Executes dropped EXE
PID:1584 -
\??\c:\44042.exec:\44042.exe38⤵
- Executes dropped EXE
PID:3108 -
\??\c:\bthbtt.exec:\bthbtt.exe39⤵
- Executes dropped EXE
PID:3216 -
\??\c:\nthbbt.exec:\nthbbt.exe40⤵
- Executes dropped EXE
PID:3404 -
\??\c:\rlfxllf.exec:\rlfxllf.exe41⤵
- Executes dropped EXE
PID:4188 -
\??\c:\86882.exec:\86882.exe42⤵
- Executes dropped EXE
PID:1388 -
\??\c:\jvjdp.exec:\jvjdp.exe43⤵
- Executes dropped EXE
PID:4564 -
\??\c:\86862.exec:\86862.exe44⤵
- Executes dropped EXE
PID:3500 -
\??\c:\1vjvj.exec:\1vjvj.exe45⤵
- Executes dropped EXE
PID:1216 -
\??\c:\lffrlfr.exec:\lffrlfr.exe46⤵
- Executes dropped EXE
PID:860 -
\??\c:\6806000.exec:\6806000.exe47⤵
- Executes dropped EXE
PID:4384 -
\??\c:\hntnhh.exec:\hntnhh.exe48⤵
- Executes dropped EXE
PID:4028 -
\??\c:\08420.exec:\08420.exe49⤵
- Executes dropped EXE
PID:2956 -
\??\c:\66602.exec:\66602.exe50⤵
- Executes dropped EXE
PID:228 -
\??\c:\rxlffxr.exec:\rxlffxr.exe51⤵
- Executes dropped EXE
PID:4820 -
\??\c:\ttbtnn.exec:\ttbtnn.exe52⤵
- Executes dropped EXE
PID:4768 -
\??\c:\088648.exec:\088648.exe53⤵
- Executes dropped EXE
PID:4268 -
\??\c:\jpvvp.exec:\jpvvp.exe54⤵
- Executes dropped EXE
PID:2084 -
\??\c:\0682244.exec:\0682244.exe55⤵
- Executes dropped EXE
PID:2888 -
\??\c:\6026268.exec:\6026268.exe56⤵
- Executes dropped EXE
PID:544 -
\??\c:\xxxxrxr.exec:\xxxxrxr.exe57⤵
- Executes dropped EXE
PID:3148 -
\??\c:\04042.exec:\04042.exe58⤵
- Executes dropped EXE
PID:2156 -
\??\c:\xxxrlff.exec:\xxxrlff.exe59⤵
- Executes dropped EXE
PID:632 -
\??\c:\pjvpd.exec:\pjvpd.exe60⤵
- Executes dropped EXE
PID:1572 -
\??\c:\pdpdv.exec:\pdpdv.exe61⤵
- Executes dropped EXE
PID:2836 -
\??\c:\48426.exec:\48426.exe62⤵
- Executes dropped EXE
PID:1876 -
\??\c:\426486.exec:\426486.exe63⤵
- Executes dropped EXE
PID:3916 -
\??\c:\q88604.exec:\q88604.exe64⤵
- Executes dropped EXE
PID:4632 -
\??\c:\nbbhtt.exec:\nbbhtt.exe65⤵
- Executes dropped EXE
PID:1324 -
\??\c:\bbhnnh.exec:\bbhnnh.exe66⤵PID:5080
-
\??\c:\680048.exec:\680048.exe67⤵PID:4832
-
\??\c:\6844480.exec:\6844480.exe68⤵PID:4080
-
\??\c:\ttbttt.exec:\ttbttt.exe69⤵PID:2096
-
\??\c:\7rffxxx.exec:\7rffxxx.exe70⤵PID:1560
-
\??\c:\426060.exec:\426060.exe71⤵PID:2768
-
\??\c:\280826.exec:\280826.exe72⤵PID:3624
-
\??\c:\266422.exec:\266422.exe73⤵PID:4024
-
\??\c:\824484.exec:\824484.exe74⤵PID:368
-
\??\c:\bnnntt.exec:\bnnntt.exe75⤵PID:2444
-
\??\c:\u008000.exec:\u008000.exe76⤵PID:4252
-
\??\c:\884264.exec:\884264.exe77⤵PID:1300
-
\??\c:\g6226.exec:\g6226.exe78⤵PID:4660
-
\??\c:\xflxrrl.exec:\xflxrrl.exe79⤵
- System Location Discovery: System Language Discovery
PID:2596 -
\??\c:\xllfxrl.exec:\xllfxrl.exe80⤵PID:4600
-
\??\c:\frrxrfx.exec:\frrxrfx.exe81⤵PID:5064
-
\??\c:\8804868.exec:\8804868.exe82⤵PID:1372
-
\??\c:\flfxrrl.exec:\flfxrrl.exe83⤵PID:4224
-
\??\c:\vvjdj.exec:\vvjdj.exe84⤵PID:2368
-
\??\c:\42204.exec:\42204.exe85⤵PID:3740
-
\??\c:\lrxrllf.exec:\lrxrllf.exe86⤵PID:4344
-
\??\c:\28482.exec:\28482.exe87⤵PID:1320
-
\??\c:\6848222.exec:\6848222.exe88⤵PID:3060
-
\??\c:\80882.exec:\80882.exe89⤵PID:404
-
\??\c:\vjjvj.exec:\vjjvj.exe90⤵PID:4568
-
\??\c:\7vjvj.exec:\7vjvj.exe91⤵PID:3132
-
\??\c:\06606.exec:\06606.exe92⤵PID:960
-
\??\c:\8248044.exec:\8248044.exe93⤵PID:4152
-
\??\c:\ppvpj.exec:\ppvpj.exe94⤵PID:2332
-
\??\c:\68084.exec:\68084.exe95⤵PID:2452
-
\??\c:\600466.exec:\600466.exe96⤵PID:2288
-
\??\c:\4626004.exec:\4626004.exe97⤵PID:3356
-
\??\c:\ddpdv.exec:\ddpdv.exe98⤵
- System Location Discovery: System Language Discovery
PID:3160 -
\??\c:\3vvpp.exec:\3vvpp.exe99⤵PID:1748
-
\??\c:\q40604.exec:\q40604.exe100⤵PID:3180
-
\??\c:\u448260.exec:\u448260.exe101⤵PID:4372
-
\??\c:\440262.exec:\440262.exe102⤵PID:2988
-
\??\c:\82260.exec:\82260.exe103⤵PID:4848
-
\??\c:\1vdpj.exec:\1vdpj.exe104⤵PID:1520
-
\??\c:\ppjjj.exec:\ppjjj.exe105⤵PID:2820
-
\??\c:\ddvdp.exec:\ddvdp.exe106⤵PID:3796
-
\??\c:\bbtnhb.exec:\bbtnhb.exe107⤵PID:692
-
\??\c:\1nnhhb.exec:\1nnhhb.exe108⤵PID:4340
-
\??\c:\lrfrllf.exec:\lrfrllf.exe109⤵PID:2436
-
\??\c:\jpddp.exec:\jpddp.exe110⤵PID:1856
-
\??\c:\80226.exec:\80226.exe111⤵PID:4408
-
\??\c:\pddvv.exec:\pddvv.exe112⤵PID:1304
-
\??\c:\jdddv.exec:\jdddv.exe113⤵PID:1212
-
\??\c:\26484.exec:\26484.exe114⤵PID:412
-
\??\c:\hhbtth.exec:\hhbtth.exe115⤵PID:2472
-
\??\c:\06882.exec:\06882.exe116⤵PID:4292
-
\??\c:\c008226.exec:\c008226.exe117⤵PID:3928
-
\??\c:\880608.exec:\880608.exe118⤵PID:1060
-
\??\c:\040242.exec:\040242.exe119⤵PID:3188
-
\??\c:\42862.exec:\42862.exe120⤵PID:3872
-
\??\c:\tntnhh.exec:\tntnhh.exe121⤵PID:4748
-
\??\c:\i686004.exec:\i686004.exe122⤵PID:3688