Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 00:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
71a52b0b2d9a74f6275447bcbb904120a74c1287a759040af67dcaf2ebd0f534.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
71a52b0b2d9a74f6275447bcbb904120a74c1287a759040af67dcaf2ebd0f534.exe
-
Size
455KB
-
MD5
7e7a4198f30e70f2281bfab4009b8086
-
SHA1
c173c51f410caae9d2505fcec23bbdf29b9e2f3e
-
SHA256
71a52b0b2d9a74f6275447bcbb904120a74c1287a759040af67dcaf2ebd0f534
-
SHA512
69bef9bf05b9be9b3d194958fbfccae69a0ce2eca8878f4d6fe17d323306d5660c7e4d17f10f0cab1a7bd36fdb4e09c06d21fea6d53a432915aae20e1f347054
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2152-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2028-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3904-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-1052-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2284 5ntnhn.exe 1744 3hbbtt.exe 4068 7rfxfff.exe 4480 htbbtt.exe 3892 jjddd.exe 3696 02482.exe 2908 6028840.exe 3380 jjdvp.exe 4084 88066.exe 3936 9tbnhh.exe 3940 dvdvd.exe 1236 7fllllf.exe 1992 w02604.exe 4432 bthbhb.exe 3960 0684482.exe 2020 k68288.exe 2508 jdjjd.exe 4496 288484.exe 1160 8844822.exe 4812 llxrlxx.exe 1940 bnhbtt.exe 968 s2848.exe 3796 7nnhbh.exe 5008 8448226.exe 2040 tbhhbb.exe 4556 844260.exe 2028 0064204.exe 2904 nbhbnh.exe 952 4264682.exe 1432 rlfrxrr.exe 4840 rlrxlfx.exe 3204 644822.exe 4428 ttnbnh.exe 4928 000826.exe 1344 hhhthb.exe 2956 djpjp.exe 2236 64664.exe 1020 9llflll.exe 512 nnhtht.exe 1264 6660086.exe 4608 20080.exe 5012 ntnbtt.exe 2192 26268.exe 1584 tbtnht.exe 1324 846482.exe 2912 424884.exe 4352 222086.exe 3964 000420.exe 4756 fxfrffx.exe 1408 hhhttn.exe 4488 u004242.exe 1440 0004860.exe 1744 88820.exe 536 5ppdj.exe 4464 hntnnh.exe 2340 thbnth.exe 3568 nntbnh.exe 3612 u846608.exe 2908 04806.exe 3292 44082.exe 3444 ddjdj.exe 4932 bbbnbn.exe 2356 rxxlfrl.exe 3748 5thbnh.exe -
resource yara_rule behavioral2/memory/2152-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/952-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2436-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-908-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6060448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u886442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q80826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i664204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8022486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2152 wrote to memory of 2284 2152 71a52b0b2d9a74f6275447bcbb904120a74c1287a759040af67dcaf2ebd0f534.exe 83 PID 2152 wrote to memory of 2284 2152 71a52b0b2d9a74f6275447bcbb904120a74c1287a759040af67dcaf2ebd0f534.exe 83 PID 2152 wrote to memory of 2284 2152 71a52b0b2d9a74f6275447bcbb904120a74c1287a759040af67dcaf2ebd0f534.exe 83 PID 2284 wrote to memory of 1744 2284 5ntnhn.exe 84 PID 2284 wrote to memory of 1744 2284 5ntnhn.exe 84 PID 2284 wrote to memory of 1744 2284 5ntnhn.exe 84 PID 1744 wrote to memory of 4068 1744 3hbbtt.exe 85 PID 1744 wrote to memory of 4068 1744 3hbbtt.exe 85 PID 1744 wrote to memory of 4068 1744 3hbbtt.exe 85 PID 4068 wrote to memory of 4480 4068 7rfxfff.exe 86 PID 4068 wrote to memory of 4480 4068 7rfxfff.exe 86 PID 4068 wrote to memory of 4480 4068 7rfxfff.exe 86 PID 4480 wrote to memory of 3892 4480 htbbtt.exe 87 PID 4480 wrote to memory of 3892 4480 htbbtt.exe 87 PID 4480 wrote to memory of 3892 4480 htbbtt.exe 87 PID 3892 wrote to memory of 3696 3892 jjddd.exe 88 PID 3892 wrote to memory of 3696 3892 jjddd.exe 88 PID 3892 wrote to memory of 3696 3892 jjddd.exe 88 PID 3696 wrote to memory of 2908 3696 02482.exe 89 PID 3696 wrote to memory of 2908 3696 02482.exe 89 PID 3696 wrote to memory of 2908 3696 02482.exe 89 PID 2908 wrote to memory of 3380 2908 6028840.exe 90 PID 2908 wrote to memory of 3380 2908 6028840.exe 90 PID 2908 wrote to memory of 3380 2908 6028840.exe 90 PID 3380 wrote to memory of 4084 3380 jjdvp.exe 91 PID 3380 wrote to memory of 4084 3380 jjdvp.exe 91 PID 3380 wrote to memory of 4084 3380 jjdvp.exe 91 PID 4084 wrote to memory of 3936 4084 88066.exe 92 PID 4084 wrote to memory of 3936 4084 88066.exe 92 PID 4084 wrote to memory of 3936 4084 88066.exe 92 PID 3936 wrote to memory of 3940 3936 9tbnhh.exe 93 PID 3936 wrote to memory of 3940 3936 9tbnhh.exe 93 PID 3936 wrote to memory of 3940 3936 9tbnhh.exe 93 PID 3940 wrote to memory of 1236 3940 dvdvd.exe 94 PID 3940 wrote to memory 
of 1236 3940 dvdvd.exe 94 PID 3940 wrote to memory of 1236 3940 dvdvd.exe 94 PID 1236 wrote to memory of 1992 1236 7fllllf.exe 95 PID 1236 wrote to memory of 1992 1236 7fllllf.exe 95 PID 1236 wrote to memory of 1992 1236 7fllllf.exe 95 PID 1992 wrote to memory of 4432 1992 w02604.exe 96 PID 1992 wrote to memory of 4432 1992 w02604.exe 96 PID 1992 wrote to memory of 4432 1992 w02604.exe 96 PID 4432 wrote to memory of 3960 4432 bthbhb.exe 97 PID 4432 wrote to memory of 3960 4432 bthbhb.exe 97 PID 4432 wrote to memory of 3960 4432 bthbhb.exe 97 PID 3960 wrote to memory of 2020 3960 0684482.exe 98 PID 3960 wrote to memory of 2020 3960 0684482.exe 98 PID 3960 wrote to memory of 2020 3960 0684482.exe 98 PID 2020 wrote to memory of 2508 2020 k68288.exe 99 PID 2020 wrote to memory of 2508 2020 k68288.exe 99 PID 2020 wrote to memory of 2508 2020 k68288.exe 99 PID 2508 wrote to memory of 4496 2508 jdjjd.exe 100 PID 2508 wrote to memory of 4496 2508 jdjjd.exe 100 PID 2508 wrote to memory of 4496 2508 jdjjd.exe 100 PID 4496 wrote to memory of 1160 4496 288484.exe 101 PID 4496 wrote to memory of 1160 4496 288484.exe 101 PID 4496 wrote to memory of 1160 4496 288484.exe 101 PID 1160 wrote to memory of 4812 1160 8844822.exe 102 PID 1160 wrote to memory of 4812 1160 8844822.exe 102 PID 1160 wrote to memory of 4812 1160 8844822.exe 102 PID 4812 wrote to memory of 1940 4812 llxrlxx.exe 103 PID 4812 wrote to memory of 1940 4812 llxrlxx.exe 103 PID 4812 wrote to memory of 1940 4812 llxrlxx.exe 103 PID 1940 wrote to memory of 968 1940 bnhbtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\71a52b0b2d9a74f6275447bcbb904120a74c1287a759040af67dcaf2ebd0f534.exe"C:\Users\Admin\AppData\Local\Temp\71a52b0b2d9a74f6275447bcbb904120a74c1287a759040af67dcaf2ebd0f534.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\5ntnhn.exec:\5ntnhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\3hbbtt.exec:\3hbbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\7rfxfff.exec:\7rfxfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\htbbtt.exec:\htbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\jjddd.exec:\jjddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\02482.exec:\02482.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\6028840.exec:\6028840.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\jjdvp.exec:\jjdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\88066.exec:\88066.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\9tbnhh.exec:\9tbnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\dvdvd.exec:\dvdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\7fllllf.exec:\7fllllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\w02604.exec:\w02604.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\bthbhb.exec:\bthbhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\0684482.exec:\0684482.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\k68288.exec:\k68288.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\jdjjd.exec:\jdjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\288484.exec:\288484.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\8844822.exec:\8844822.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\llxrlxx.exec:\llxrlxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\bnhbtt.exec:\bnhbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\s2848.exec:\s2848.exe23⤵
- Executes dropped EXE
PID:968 -
\??\c:\7nnhbh.exec:\7nnhbh.exe24⤵
- Executes dropped EXE
PID:3796 -
\??\c:\8448226.exec:\8448226.exe25⤵
- Executes dropped EXE
PID:5008 -
\??\c:\tbhhbb.exec:\tbhhbb.exe26⤵
- Executes dropped EXE
PID:2040 -
\??\c:\844260.exec:\844260.exe27⤵
- Executes dropped EXE
PID:4556 -
\??\c:\0064204.exec:\0064204.exe28⤵
- Executes dropped EXE
PID:2028 -
\??\c:\nbhbnh.exec:\nbhbnh.exe29⤵
- Executes dropped EXE
PID:2904 -
\??\c:\4264682.exec:\4264682.exe30⤵
- Executes dropped EXE
PID:952 -
\??\c:\rlfrxrr.exec:\rlfrxrr.exe31⤵
- Executes dropped EXE
PID:1432 -
\??\c:\rlrxlfx.exec:\rlrxlfx.exe32⤵
- Executes dropped EXE
PID:4840 -
\??\c:\644822.exec:\644822.exe33⤵
- Executes dropped EXE
PID:3204 -
\??\c:\ttnbnh.exec:\ttnbnh.exe34⤵
- Executes dropped EXE
PID:4428 -
\??\c:\000826.exec:\000826.exe35⤵
- Executes dropped EXE
PID:4928 -
\??\c:\hhhthb.exec:\hhhthb.exe36⤵
- Executes dropped EXE
PID:1344 -
\??\c:\djpjp.exec:\djpjp.exe37⤵
- Executes dropped EXE
PID:2956 -
\??\c:\64664.exec:\64664.exe38⤵
- Executes dropped EXE
PID:2236 -
\??\c:\9llflll.exec:\9llflll.exe39⤵
- Executes dropped EXE
PID:1020 -
\??\c:\nnhtht.exec:\nnhtht.exe40⤵
- Executes dropped EXE
PID:512 -
\??\c:\6660086.exec:\6660086.exe41⤵
- Executes dropped EXE
PID:1264 -
\??\c:\20080.exec:\20080.exe42⤵
- Executes dropped EXE
PID:4608 -
\??\c:\ntnbtt.exec:\ntnbtt.exe43⤵
- Executes dropped EXE
PID:5012 -
\??\c:\26268.exec:\26268.exe44⤵
- Executes dropped EXE
PID:2192 -
\??\c:\tbtnht.exec:\tbtnht.exe45⤵
- Executes dropped EXE
PID:1584 -
\??\c:\846482.exec:\846482.exe46⤵
- Executes dropped EXE
PID:1324 -
\??\c:\424884.exec:\424884.exe47⤵
- Executes dropped EXE
PID:2912 -
\??\c:\222086.exec:\222086.exe48⤵
- Executes dropped EXE
PID:4352 -
\??\c:\000420.exec:\000420.exe49⤵
- Executes dropped EXE
PID:3964 -
\??\c:\fxfrffx.exec:\fxfrffx.exe50⤵
- Executes dropped EXE
PID:4756 -
\??\c:\5dvjv.exec:\5dvjv.exe51⤵PID:4312
-
\??\c:\hhhttn.exec:\hhhttn.exe52⤵
- Executes dropped EXE
PID:1408 -
\??\c:\u004242.exec:\u004242.exe53⤵
- Executes dropped EXE
PID:4488 -
\??\c:\0004860.exec:\0004860.exe54⤵
- Executes dropped EXE
PID:1440 -
\??\c:\88820.exec:\88820.exe55⤵
- Executes dropped EXE
PID:1744 -
\??\c:\5ppdj.exec:\5ppdj.exe56⤵
- Executes dropped EXE
PID:536 -
\??\c:\hntnnh.exec:\hntnnh.exe57⤵
- Executes dropped EXE
PID:4464 -
\??\c:\thbnth.exec:\thbnth.exe58⤵
- Executes dropped EXE
PID:2340 -
\??\c:\nntbnh.exec:\nntbnh.exe59⤵
- Executes dropped EXE
PID:3568 -
\??\c:\u846608.exec:\u846608.exe60⤵
- Executes dropped EXE
PID:3612 -
\??\c:\04806.exec:\04806.exe61⤵
- Executes dropped EXE
PID:2908 -
\??\c:\44082.exec:\44082.exe62⤵
- Executes dropped EXE
PID:3292 -
\??\c:\ddjdj.exec:\ddjdj.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3444 -
\??\c:\bbbnbn.exec:\bbbnbn.exe64⤵
- Executes dropped EXE
PID:4932 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe65⤵
- Executes dropped EXE
PID:2356 -
\??\c:\5thbnh.exec:\5thbnh.exe66⤵
- Executes dropped EXE
PID:3748 -
\??\c:\u282226.exec:\u282226.exe67⤵PID:1528
-
\??\c:\bnbbnn.exec:\bnbbnn.exe68⤵PID:3940
-
\??\c:\g0020.exec:\g0020.exe69⤵PID:1820
-
\??\c:\bntnhb.exec:\bntnhb.exe70⤵PID:3956
-
\??\c:\88086.exec:\88086.exe71⤵PID:516
-
\??\c:\llrlxrl.exec:\llrlxrl.exe72⤵PID:3904
-
\??\c:\8262682.exec:\8262682.exe73⤵PID:3960
-
\??\c:\bbbhhh.exec:\bbbhhh.exe74⤵PID:4952
-
\??\c:\820864.exec:\820864.exe75⤵PID:3328
-
\??\c:\tbbntn.exec:\tbbntn.exe76⤵PID:3052
-
\??\c:\q40244.exec:\q40244.exe77⤵PID:1948
-
\??\c:\1jjvj.exec:\1jjvj.exe78⤵PID:4212
-
\??\c:\lxrflxr.exec:\lxrflxr.exe79⤵PID:4476
-
\??\c:\8886048.exec:\8886048.exe80⤵PID:1520
-
\??\c:\6608286.exec:\6608286.exe81⤵PID:4652
-
\??\c:\tnhtht.exec:\tnhtht.exe82⤵PID:2436
-
\??\c:\64604.exec:\64604.exe83⤵PID:1612
-
\??\c:\0808822.exec:\0808822.exe84⤵PID:1144
-
\??\c:\thbthb.exec:\thbthb.exe85⤵PID:2200
-
\??\c:\xrxlrlx.exec:\xrxlrlx.exe86⤵PID:4936
-
\??\c:\vjppd.exec:\vjppd.exe87⤵PID:4052
-
\??\c:\xffrlxr.exec:\xffrlxr.exe88⤵PID:5108
-
\??\c:\rrlxlfr.exec:\rrlxlfr.exe89⤵PID:2796
-
\??\c:\860448.exec:\860448.exe90⤵PID:4268
-
\??\c:\2402608.exec:\2402608.exe91⤵PID:952
-
\??\c:\btthth.exec:\btthth.exe92⤵PID:4148
-
\??\c:\q66020.exec:\q66020.exe93⤵PID:1460
-
\??\c:\4620204.exec:\4620204.exe94⤵PID:1272
-
\??\c:\g6622.exec:\g6622.exe95⤵PID:976
-
\??\c:\64080.exec:\64080.exe96⤵PID:720
-
\??\c:\hbnbhb.exec:\hbnbhb.exe97⤵PID:2404
-
\??\c:\26202.exec:\26202.exe98⤵PID:4924
-
\??\c:\hnthnh.exec:\hnthnh.exe99⤵PID:1344
-
\??\c:\dpjjv.exec:\dpjjv.exe100⤵PID:2956
-
\??\c:\jpvjp.exec:\jpvjp.exe101⤵PID:1804
-
\??\c:\vjdpv.exec:\vjdpv.exe102⤵PID:3420
-
\??\c:\822420.exec:\822420.exe103⤵PID:5040
-
\??\c:\466086.exec:\466086.exe104⤵PID:3840
-
\??\c:\24682.exec:\24682.exe105⤵PID:1332
-
\??\c:\0826426.exec:\0826426.exe106⤵PID:2280
-
\??\c:\xlfrfrf.exec:\xlfrfrf.exe107⤵PID:644
-
\??\c:\e22200.exec:\e22200.exe108⤵PID:4944
-
\??\c:\2060040.exec:\2060040.exe109⤵PID:2828
-
\??\c:\44448.exec:\44448.exe110⤵PID:828
-
\??\c:\bnhtnb.exec:\bnhtnb.exe111⤵PID:4116
-
\??\c:\622082.exec:\622082.exe112⤵PID:4320
-
\??\c:\xrxrxxl.exec:\xrxrxxl.exe113⤵PID:4136
-
\??\c:\s2602.exec:\s2602.exe114⤵PID:2044
-
\??\c:\u842042.exec:\u842042.exe115⤵PID:4384
-
\??\c:\hhhbtn.exec:\hhhbtn.exe116⤵PID:4584
-
\??\c:\jpjvj.exec:\jpjvj.exe117⤵PID:1852
-
\??\c:\hbhthb.exec:\hbhthb.exe118⤵PID:3480
-
\??\c:\3thhtn.exec:\3thhtn.exe119⤵PID:4088
-
\??\c:\dppdj.exec:\dppdj.exe120⤵PID:4748
-
\??\c:\i886426.exec:\i886426.exe121⤵PID:5096
-
\??\c:\1nhtnn.exec:\1nhtnn.exe122⤵PID:2340