Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 03:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c7073809f0170ecd04afa241a3229e04e6fcc3f3e7a5a5085a410edfe15cb1a2.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c7073809f0170ecd04afa241a3229e04e6fcc3f3e7a5a5085a410edfe15cb1a2.exe
-
Size
455KB
-
MD5
a2274dfecb86572db0953f8203880261
-
SHA1
7132f17b8d6801df9aaa1ec6797c43b65f492571
-
SHA256
c7073809f0170ecd04afa241a3229e04e6fcc3f3e7a5a5085a410edfe15cb1a2
-
SHA512
dc5e3b06713e4a64de3ed40dfd6a76e05f5e2eb398113c001df8d34abf38ebc302f661e7531bb42f094d15b898a4fec7ee017d9c790c36facb378773c42437ed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4176-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1892-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5012-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-985-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-1124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-1162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2728-1453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2060 nttnhh.exe 4724 htbttt.exe 3588 ntnhbt.exe 5076 vjjvv.exe 4500 xxxffff.exe 1716 vvdpv.exe 224 lflfrlr.exe 4772 xfrlxxr.exe 1224 btnttt.exe 5080 7rrlfff.exe 2576 jpjpv.exe 5112 nbhbnn.exe 3100 xrxlllr.exe 1720 hbnnbb.exe 4948 vvvvp.exe 1364 bnntnb.exe 2180 xrrlflf.exe 1372 fxrlffx.exe 2872 bbttnn.exe 3728 jvjdv.exe 4860 djvpj.exe 1892 xrfrffl.exe 2444 rfllfff.exe 2692 dpdjp.exe 4892 lrfxxrf.exe 2036 dvpjj.exe 908 9ffxxrr.exe 3332 bttnnn.exe 3164 jjjjj.exe 4292 pvvpj.exe 4236 rlllrxr.exe 440 tnttnt.exe 3396 xrfrfll.exe 1752 dvdvp.exe 4824 rfrlxfx.exe 3176 rrrfxxr.exe 1776 dddpv.exe 860 5xxrffx.exe 2476 bbbnhb.exe 3448 vpdvv.exe 2968 jddpj.exe 1192 7xxrrrf.exe 1000 nnhbtb.exe 4548 1xfxrxx.exe 2248 btthtt.exe 1092 rxxrrrx.exe 3088 hhhhhh.exe 4372 btttnt.exe 3160 dvvdv.exe 552 hhhbtt.exe 2936 pjvpd.exe 3916 ppjdv.exe 5088 frrlfxr.exe 4776 hhhhhh.exe 5008 nnhnnh.exe 4440 dppjd.exe 4444 xfllfll.exe 1716 bttnhb.exe 100 3ppjd.exe 344 fflxxlf.exe 2376 7ffxrrl.exe 1928 bbnhbt.exe 4464 djjvp.exe 3224 rrrfrrf.exe -
resource yara_rule behavioral2/memory/4176-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1892-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3548-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-730-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4176 wrote to memory of 2060 4176 c7073809f0170ecd04afa241a3229e04e6fcc3f3e7a5a5085a410edfe15cb1a2.exe 83 PID 4176 wrote to memory of 2060 4176 c7073809f0170ecd04afa241a3229e04e6fcc3f3e7a5a5085a410edfe15cb1a2.exe 83 PID 4176 wrote to memory of 2060 4176 c7073809f0170ecd04afa241a3229e04e6fcc3f3e7a5a5085a410edfe15cb1a2.exe 83 PID 2060 wrote to memory of 4724 2060 nttnhh.exe 84 PID 2060 wrote to memory of 4724 2060 nttnhh.exe 84 PID 2060 wrote to memory of 4724 2060 nttnhh.exe 84 PID 4724 wrote to memory of 3588 4724 htbttt.exe 85 PID 4724 wrote to memory of 3588 4724 htbttt.exe 85 PID 4724 wrote to memory of 3588 4724 htbttt.exe 85 PID 3588 wrote to memory of 5076 3588 ntnhbt.exe 86 PID 3588 wrote to memory of 5076 3588 ntnhbt.exe 86 PID 3588 wrote to memory of 5076 3588 ntnhbt.exe 86 PID 5076 wrote to memory of 4500 5076 vjjvv.exe 87 PID 5076 wrote to memory of 4500 5076 vjjvv.exe 87 PID 5076 wrote to memory of 4500 5076 vjjvv.exe 87 PID 4500 wrote to memory of 1716 4500 xxxffff.exe 88 PID 4500 wrote to memory of 1716 4500 xxxffff.exe 88 PID 4500 wrote to memory of 1716 4500 xxxffff.exe 88 PID 1716 wrote to memory of 224 1716 vvdpv.exe 89 PID 1716 wrote to memory of 224 1716 vvdpv.exe 89 PID 1716 wrote to memory of 224 1716 vvdpv.exe 89 PID 224 wrote to memory of 4772 224 lflfrlr.exe 90 PID 224 wrote to memory of 4772 224 lflfrlr.exe 90 PID 224 wrote to memory of 4772 224 lflfrlr.exe 90 PID 4772 wrote to memory of 1224 4772 xfrlxxr.exe 91 PID 4772 wrote to memory of 1224 4772 xfrlxxr.exe 91 PID 4772 wrote to memory of 1224 4772 xfrlxxr.exe 91 PID 1224 wrote to memory of 5080 1224 btnttt.exe 92 PID 1224 wrote to memory of 5080 1224 btnttt.exe 92 PID 1224 wrote to memory of 5080 1224 btnttt.exe 92 PID 5080 wrote to memory of 2576 5080 7rrlfff.exe 93 PID 5080 wrote to memory of 2576 5080 7rrlfff.exe 93 PID 5080 wrote to memory of 2576 5080 7rrlfff.exe 93 PID 2576 wrote to memory of 5112 2576 jpjpv.exe 94 PID 2576 wrote to 
memory of 5112 2576 jpjpv.exe 94 PID 2576 wrote to memory of 5112 2576 jpjpv.exe 94 PID 5112 wrote to memory of 3100 5112 nbhbnn.exe 95 PID 5112 wrote to memory of 3100 5112 nbhbnn.exe 95 PID 5112 wrote to memory of 3100 5112 nbhbnn.exe 95 PID 3100 wrote to memory of 1720 3100 xrxlllr.exe 96 PID 3100 wrote to memory of 1720 3100 xrxlllr.exe 96 PID 3100 wrote to memory of 1720 3100 xrxlllr.exe 96 PID 1720 wrote to memory of 4948 1720 hbnnbb.exe 97 PID 1720 wrote to memory of 4948 1720 hbnnbb.exe 97 PID 1720 wrote to memory of 4948 1720 hbnnbb.exe 97 PID 4948 wrote to memory of 1364 4948 vvvvp.exe 98 PID 4948 wrote to memory of 1364 4948 vvvvp.exe 98 PID 4948 wrote to memory of 1364 4948 vvvvp.exe 98 PID 1364 wrote to memory of 2180 1364 bnntnb.exe 99 PID 1364 wrote to memory of 2180 1364 bnntnb.exe 99 PID 1364 wrote to memory of 2180 1364 bnntnb.exe 99 PID 2180 wrote to memory of 1372 2180 xrrlflf.exe 100 PID 2180 wrote to memory of 1372 2180 xrrlflf.exe 100 PID 2180 wrote to memory of 1372 2180 xrrlflf.exe 100 PID 1372 wrote to memory of 2872 1372 fxrlffx.exe 101 PID 1372 wrote to memory of 2872 1372 fxrlffx.exe 101 PID 1372 wrote to memory of 2872 1372 fxrlffx.exe 101 PID 2872 wrote to memory of 3728 2872 bbttnn.exe 102 PID 2872 wrote to memory of 3728 2872 bbttnn.exe 102 PID 2872 wrote to memory of 3728 2872 bbttnn.exe 102 PID 3728 wrote to memory of 4860 3728 jvjdv.exe 103 PID 3728 wrote to memory of 4860 3728 jvjdv.exe 103 PID 3728 wrote to memory of 4860 3728 jvjdv.exe 103 PID 4860 wrote to memory of 1892 4860 djvpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7073809f0170ecd04afa241a3229e04e6fcc3f3e7a5a5085a410edfe15cb1a2.exe"C:\Users\Admin\AppData\Local\Temp\c7073809f0170ecd04afa241a3229e04e6fcc3f3e7a5a5085a410edfe15cb1a2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\nttnhh.exec:\nttnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\htbttt.exec:\htbttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\ntnhbt.exec:\ntnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\vjjvv.exec:\vjjvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\xxxffff.exec:\xxxffff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\vvdpv.exec:\vvdpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\lflfrlr.exec:\lflfrlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\xfrlxxr.exec:\xfrlxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\btnttt.exec:\btnttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\7rrlfff.exec:\7rrlfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\jpjpv.exec:\jpjpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\nbhbnn.exec:\nbhbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\xrxlllr.exec:\xrxlllr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\hbnnbb.exec:\hbnnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\vvvvp.exec:\vvvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\bnntnb.exec:\bnntnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\xrrlflf.exec:\xrrlflf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\fxrlffx.exec:\fxrlffx.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\bbttnn.exec:\bbttnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\jvjdv.exec:\jvjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\djvpj.exec:\djvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\xrfrffl.exec:\xrfrffl.exe23⤵
- Executes dropped EXE
PID:1892 -
\??\c:\rfllfff.exec:\rfllfff.exe24⤵
- Executes dropped EXE
PID:2444 -
\??\c:\dpdjp.exec:\dpdjp.exe25⤵
- Executes dropped EXE
PID:2692 -
\??\c:\lrfxxrf.exec:\lrfxxrf.exe26⤵
- Executes dropped EXE
PID:4892 -
\??\c:\dvpjj.exec:\dvpjj.exe27⤵
- Executes dropped EXE
PID:2036 -
\??\c:\9ffxxrr.exec:\9ffxxrr.exe28⤵
- Executes dropped EXE
PID:908 -
\??\c:\bttnnn.exec:\bttnnn.exe29⤵
- Executes dropped EXE
PID:3332 -
\??\c:\jjjjj.exec:\jjjjj.exe30⤵
- Executes dropped EXE
PID:3164 -
\??\c:\pvvpj.exec:\pvvpj.exe31⤵
- Executes dropped EXE
PID:4292 -
\??\c:\rlllrxr.exec:\rlllrxr.exe32⤵
- Executes dropped EXE
PID:4236 -
\??\c:\tnttnt.exec:\tnttnt.exe33⤵
- Executes dropped EXE
PID:440 -
\??\c:\xrfrfll.exec:\xrfrfll.exe34⤵
- Executes dropped EXE
PID:3396 -
\??\c:\dvdvp.exec:\dvdvp.exe35⤵
- Executes dropped EXE
PID:1752 -
\??\c:\rfrlxfx.exec:\rfrlxfx.exe36⤵
- Executes dropped EXE
PID:4824 -
\??\c:\rrrfxxr.exec:\rrrfxxr.exe37⤵
- Executes dropped EXE
PID:3176 -
\??\c:\dddpv.exec:\dddpv.exe38⤵
- Executes dropped EXE
PID:1776 -
\??\c:\5xxrffx.exec:\5xxrffx.exe39⤵
- Executes dropped EXE
PID:860 -
\??\c:\bbbnhb.exec:\bbbnhb.exe40⤵
- Executes dropped EXE
PID:2476 -
\??\c:\vpdvv.exec:\vpdvv.exe41⤵
- Executes dropped EXE
PID:3448 -
\??\c:\jddpj.exec:\jddpj.exe42⤵
- Executes dropped EXE
PID:2968 -
\??\c:\7xxrrrf.exec:\7xxrrrf.exe43⤵
- Executes dropped EXE
PID:1192 -
\??\c:\nnhbtb.exec:\nnhbtb.exe44⤵
- Executes dropped EXE
PID:1000 -
\??\c:\1xfxrxx.exec:\1xfxrxx.exe45⤵
- Executes dropped EXE
PID:4548 -
\??\c:\btthtt.exec:\btthtt.exe46⤵
- Executes dropped EXE
PID:2248 -
\??\c:\rxxrrrx.exec:\rxxrrrx.exe47⤵
- Executes dropped EXE
PID:1092 -
\??\c:\hhhhhh.exec:\hhhhhh.exe48⤵
- Executes dropped EXE
PID:3088 -
\??\c:\btttnt.exec:\btttnt.exe49⤵
- Executes dropped EXE
PID:4372 -
\??\c:\dvvdv.exec:\dvvdv.exe50⤵
- Executes dropped EXE
PID:3160 -
\??\c:\hhhbtt.exec:\hhhbtt.exe51⤵
- Executes dropped EXE
PID:552 -
\??\c:\pjvpd.exec:\pjvpd.exe52⤵
- Executes dropped EXE
PID:2936 -
\??\c:\ppjdv.exec:\ppjdv.exe53⤵
- Executes dropped EXE
PID:3916 -
\??\c:\frrlfxr.exec:\frrlfxr.exe54⤵
- Executes dropped EXE
PID:5088 -
\??\c:\hhhhhh.exec:\hhhhhh.exe55⤵
- Executes dropped EXE
PID:4776 -
\??\c:\nnhnnh.exec:\nnhnnh.exe56⤵
- Executes dropped EXE
PID:5008 -
\??\c:\dppjd.exec:\dppjd.exe57⤵
- Executes dropped EXE
PID:4440 -
\??\c:\xfllfll.exec:\xfllfll.exe58⤵
- Executes dropped EXE
PID:4444 -
\??\c:\bttnhb.exec:\bttnhb.exe59⤵
- Executes dropped EXE
PID:1716 -
\??\c:\3ppjd.exec:\3ppjd.exe60⤵
- Executes dropped EXE
PID:100 -
\??\c:\fflxxlf.exec:\fflxxlf.exe61⤵
- Executes dropped EXE
PID:344 -
\??\c:\7ffxrrl.exec:\7ffxrrl.exe62⤵
- Executes dropped EXE
PID:2376 -
\??\c:\bbnhbt.exec:\bbnhbt.exe63⤵
- Executes dropped EXE
PID:1928 -
\??\c:\djjvp.exec:\djjvp.exe64⤵
- Executes dropped EXE
PID:4464 -
\??\c:\rrrfrrf.exec:\rrrfrrf.exe65⤵
- Executes dropped EXE
PID:3224 -
\??\c:\rllrlff.exec:\rllrlff.exe66⤵PID:1176
-
\??\c:\jddvp.exec:\jddvp.exe67⤵PID:2380
-
\??\c:\rflxrlf.exec:\rflxrlf.exe68⤵PID:2576
-
\??\c:\rfllfxx.exec:\rfllfxx.exe69⤵PID:1676
-
\??\c:\hnbhnn.exec:\hnbhnn.exe70⤵PID:1568
-
\??\c:\dpdvj.exec:\dpdvj.exe71⤵PID:4936
-
\??\c:\9xflfff.exec:\9xflfff.exe72⤵PID:3648
-
\??\c:\nthbtt.exec:\nthbtt.exe73⤵PID:2512
-
\??\c:\bhnhbt.exec:\bhnhbt.exe74⤵PID:1008
-
\??\c:\djjvp.exec:\djjvp.exe75⤵PID:2780
-
\??\c:\lflxrlf.exec:\lflxrlf.exe76⤵PID:5012
-
\??\c:\nhttnn.exec:\nhttnn.exe77⤵PID:2024
-
\??\c:\dpddp.exec:\dpddp.exe78⤵PID:2900
-
\??\c:\jddvd.exec:\jddvd.exe79⤵PID:4860
-
\??\c:\1rxrlfr.exec:\1rxrlfr.exe80⤵PID:4972
-
\??\c:\nnbtnh.exec:\nnbtnh.exe81⤵PID:3548
-
\??\c:\dpjvj.exec:\dpjvj.exe82⤵PID:1820
-
\??\c:\dvvvd.exec:\dvvvd.exe83⤵PID:832
-
\??\c:\rfxlfxl.exec:\rfxlfxl.exe84⤵PID:1228
-
\??\c:\1hbtnh.exec:\1hbtnh.exe85⤵PID:4124
-
\??\c:\btbnnb.exec:\btbnnb.exe86⤵PID:688
-
\??\c:\vvjdd.exec:\vvjdd.exe87⤵PID:908
-
\??\c:\7ffxrrl.exec:\7ffxrrl.exe88⤵PID:4032
-
\??\c:\rxxxllr.exec:\rxxxllr.exe89⤵PID:2240
-
\??\c:\htbttn.exec:\htbttn.exe90⤵PID:3164
-
\??\c:\jpdpj.exec:\jpdpj.exe91⤵PID:1188
-
\??\c:\rxflfxx.exec:\rxflfxx.exe92⤵PID:4236
-
\??\c:\bhnhbn.exec:\bhnhbn.exe93⤵PID:3216
-
\??\c:\nnthbt.exec:\nnthbt.exe94⤵PID:2452
-
\??\c:\jvddd.exec:\jvddd.exe95⤵
- System Location Discovery: System Language Discovery
PID:4224 -
\??\c:\rlrlllf.exec:\rlrlllf.exe96⤵PID:2196
-
\??\c:\tnnhbt.exec:\tnnhbt.exe97⤵PID:2304
-
\??\c:\vdjdv.exec:\vdjdv.exe98⤵PID:808
-
\??\c:\xlrfxxr.exec:\xlrfxxr.exe99⤵PID:748
-
\??\c:\xxxrlll.exec:\xxxrlll.exe100⤵
- System Location Discovery: System Language Discovery
PID:4112 -
\??\c:\ttbthh.exec:\ttbthh.exe101⤵PID:1776
-
\??\c:\pjpdj.exec:\pjpdj.exe102⤵PID:5072
-
\??\c:\jdpjv.exec:\jdpjv.exe103⤵PID:1476
-
\??\c:\xxlfxxr.exec:\xxlfxxr.exe104⤵PID:2564
-
\??\c:\nbbthn.exec:\nbbthn.exe105⤵PID:1632
-
\??\c:\dvpjv.exec:\dvpjv.exe106⤵PID:2456
-
\??\c:\7pjvp.exec:\7pjvp.exe107⤵PID:2560
-
\??\c:\flfrlfx.exec:\flfrlfx.exe108⤵PID:4256
-
\??\c:\7ttnhb.exec:\7ttnhb.exe109⤵PID:5104
-
\??\c:\3nthhh.exec:\3nthhh.exe110⤵PID:1580
-
\??\c:\jvpdp.exec:\jvpdp.exe111⤵PID:4364
-
\??\c:\3rxllfr.exec:\3rxllfr.exe112⤵PID:4356
-
\??\c:\fllfrlx.exec:\fllfrlx.exe113⤵PID:4692
-
\??\c:\tnbtnb.exec:\tnbtnb.exe114⤵PID:2060
-
\??\c:\dvpjj.exec:\dvpjj.exe115⤵PID:2328
-
\??\c:\jdpjv.exec:\jdpjv.exe116⤵PID:3184
-
\??\c:\xrxlllx.exec:\xrxlllx.exe117⤵PID:3852
-
\??\c:\httnbt.exec:\httnbt.exe118⤵PID:3036
-
\??\c:\pvjdv.exec:\pvjdv.exe119⤵PID:64
-
\??\c:\dvdpp.exec:\dvdpp.exe120⤵PID:2260
-
\??\c:\xrlxlfx.exec:\xrlxlfx.exe121⤵PID:1492
-
\??\c:\btbbnh.exec:\btbbnh.exe122⤵PID:1532