Analysis
max time kernel: 120s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 18/09/2024, 20:48
Behavioral task: behavioral1
Sample: 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe
Resource: win7-20240704-en
General
Target: 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe
Size: 330KB
MD5: 4d7bb1480922e2d579b7a494f42c8f70
SHA1: 96525e3df102ff1822e7fe03d26741b0f58295d8
SHA256: 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6
SHA512: c8792dcf95f107819f75c923e0221a2a7108f0f337634f2b61b950752e2fb13041325de7d8a3999755580776632b14bdb5397644706f3668f6995157230222c4
SSDEEP: 6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tN:94wFHoStJdSjylh2b77BoTMA9gX59sT1
Malware Config
Signatures

Detect Blackmoon payload (64 IoCs)
resource | yara_rule
behavioral2/memory/4652-16-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4924-10-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1776-6-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1936-21-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1420-29-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/5092-34-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3100-39-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/944-44-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/224-49-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/884-58-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/404-63-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3636-69-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2152-70-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/5008-78-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3312-84-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1948-89-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4560-94-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4264-99-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/772-112-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4488-116-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3112-122-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4336-127-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3300-132-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3452-137-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1408-144-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1064-153-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2132-150-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2600-160-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1860-165-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3736-168-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4988-171-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4816-174-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3512-177-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1564-180-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2612-185-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/844-188-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1268-195-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2988-206-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1700-209-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2552-210-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4376-213-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4652-220-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4192-233-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4072-242-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1424-263-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3212-266-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3496-269-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2100-276-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2368-287-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2440-295-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4632-301-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/2788-304-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4404-315-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4972-340-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/816-349-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1428-356-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1480-393-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/368-504-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3836-523-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4752-652-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/3048-709-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/1688-770-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4032-1046-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral2/memory/4520-1388-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
Executes dropped EXE (64 IoCs)
pid | Process
4924 | tbnhtn.exe
4652 | dddvp.exe
2740 | fxxrfxr.exe
1936 | vddvj.exe
1420 | tnntht.exe
5092 | 5ffxrlf.exe
3100 | 9hnnhb.exe
944 | jvjvv.exe
224 | 7thnbn.exe
848 | dvvjv.exe
884 | ntnbth.exe
404 | dpdjv.exe
3636 | bnhtnh.exe
2152 | jvvvp.exe
5008 | jdjdd.exe
3312 | tnbthh.exe
1948 | jdpjj.exe
4560 | 1lrlffx.exe
4264 | vdpjd.exe
3296 | lxfrxlf.exe
3216 | tthhhn.exe
772 | jvppj.exe
4488 | fxfxrrl.exe
3112 | tthbtn.exe
4336 | vvdjd.exe
3300 | 7xfxlll.exe
3452 | bntnhh.exe
2948 | pjjdv.exe
1408 | nbnhbt.exe
2132 | vpvjp.exe
1064 | xrfrlfr.exe
2600 | tbtbtt.exe
3620 | jvdvp.exe
1860 | 9lllfxr.exe
3736 | pdjjd.exe
4988 | rffxrrf.exe
4816 | tnbtnh.exe
3512 | ddvpd.exe
1564 | rlrlffr.exe
3700 | thnhbb.exe
2612 | hbbnhb.exe
844 | dvpjd.exe
5016 | hhnhbt.exe
5020 | vvvdv.exe
1268 | frxlxrf.exe
4928 | 1xxrffx.exe
3392 | ttbnnh.exe
2408 | ppvjv.exe
1812 | ppdvd.exe
2988 | lxrlfxr.exe
1700 | nnnbnn.exe
2552 | 1tttht.exe
1184 | rfrlfrr.exe
4396 | thbtnh.exe
4652 | 5ntnbt.exe
4184 | djjvv.exe
4500 | lfxrfxl.exe
2740 | bnhhtn.exe
1488 | hnnnhh.exe
1988 | 3jpvv.exe
4192 | vjjpd.exe
3956 | xrlfxxr.exe
1240 | tnnbtn.exe
3100 | 5pjdp.exe
resource | yara_rule
behavioral2/memory/1776-0-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x000900000002340c-3.dat | upx
behavioral2/files/0x000700000002346b-9.dat | upx
behavioral2/memory/4652-11-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x000700000002346c-12.dat | upx
behavioral2/memory/4652-16-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/4924-10-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/1776-6-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x000700000002346d-20.dat | upx
behavioral2/memory/1936-21-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x000700000002346e-24.dat | upx
behavioral2/memory/1420-29-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x000700000002346f-28.dat | upx
behavioral2/files/0x0007000000023470-33.dat | upx
behavioral2/memory/5092-34-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023471-38.dat | upx
behavioral2/memory/3100-39-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023472-43.dat | upx
behavioral2/memory/944-44-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/224-49-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023473-48.dat | upx
behavioral2/files/0x0007000000023474-52.dat | upx
behavioral2/files/0x0007000000023475-57.dat | upx
behavioral2/memory/884-58-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023476-64.dat | upx
behavioral2/memory/404-63-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0008000000023468-67.dat | upx
behavioral2/memory/3636-69-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/2152-70-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023477-73.dat | upx
behavioral2/files/0x0007000000023478-77.dat | upx
behavioral2/memory/5008-78-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023479-82.dat | upx
behavioral2/memory/1948-85-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/3312-84-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/1948-89-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x000700000002347a-88.dat | upx
behavioral2/files/0x000700000002347b-93.dat | upx
behavioral2/memory/4560-94-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x000700000002347c-98.dat | upx
behavioral2/memory/4264-99-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x000700000002347d-103.dat | upx
behavioral2/files/0x000700000002347e-107.dat | upx
behavioral2/memory/772-112-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x000700000002347f-111.dat | upx
behavioral2/files/0x0007000000023480-117.dat | upx
behavioral2/memory/4488-116-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/3112-122-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023481-123.dat | upx
behavioral2/files/0x0007000000023483-126.dat | upx
behavioral2/memory/4336-127-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023484-131.dat | upx
behavioral2/memory/3300-132-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/3452-137-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023485-136.dat | upx
behavioral2/files/0x0007000000023486-142.dat | upx
behavioral2/memory/1408-144-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023487-147.dat | upx
behavioral2/files/0x0007000000023488-152.dat | upx
behavioral2/memory/1064-153-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/2132-150-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/files/0x0007000000023489-157.dat | upx
behavioral2/memory/2600-160-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/1860-165-0x0000000000400000-0x0000000000427000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xxfxxrx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9rfxrxr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9rrlxxr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lxxlfxl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jvvpj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pddvv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7tbbhb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bhnnnh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vjvjj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rxxrlfx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5lrlxlf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bhbttn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rffxfxr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dppdv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | flfxxfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1776 wrote to memory of 4924 | 1776 | 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe | 82
PID 1776 wrote to memory of 4924 | 1776 | 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe | 82
PID 1776 wrote to memory of 4924 | 1776 | 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe | 82
PID 4924 wrote to memory of 4652 | 4924 | tbnhtn.exe | 83
PID 4924 wrote to memory of 4652 | 4924 | tbnhtn.exe | 83
PID 4924 wrote to memory of 4652 | 4924 | tbnhtn.exe | 83
PID 4652 wrote to memory of 2740 | 4652 | dddvp.exe | 84
PID 4652 wrote to memory of 2740 | 4652 | dddvp.exe | 84
PID 4652 wrote to memory of 2740 | 4652 | dddvp.exe | 84
PID 2740 wrote to memory of 1936 | 2740 | fxxrfxr.exe | 85
PID 2740 wrote to memory of 1936 | 2740 | fxxrfxr.exe | 85
PID 2740 wrote to memory of 1936 | 2740 | fxxrfxr.exe | 85
PID 1936 wrote to memory of 1420 | 1936 | vddvj.exe | 86
PID 1936 wrote to memory of 1420 | 1936 | vddvj.exe | 86
PID 1936 wrote to memory of 1420 | 1936 | vddvj.exe | 86
PID 1420 wrote to memory of 5092 | 1420 | tnntht.exe | 87
PID 1420 wrote to memory of 5092 | 1420 | tnntht.exe | 87
PID 1420 wrote to memory of 5092 | 1420 | tnntht.exe | 87
PID 5092 wrote to memory of 3100 | 5092 | 5ffxrlf.exe | 88
PID 5092 wrote to memory of 3100 | 5092 | 5ffxrlf.exe | 88
PID 5092 wrote to memory of 3100 | 5092 | 5ffxrlf.exe | 88
PID 3100 wrote to memory of 944 | 3100 | 9hnnhb.exe | 89
PID 3100 wrote to memory of 944 | 3100 | 9hnnhb.exe | 89
PID 3100 wrote to memory of 944 | 3100 | 9hnnhb.exe | 89
PID 944 wrote to memory of 224 | 944 | jvjvv.exe | 90
PID 944 wrote to memory of 224 | 944 | jvjvv.exe | 90
PID 944 wrote to memory of 224 | 944 | jvjvv.exe | 90
PID 224 wrote to memory of 848 | 224 | 7thnbn.exe | 91
PID 224 wrote to memory of 848 | 224 | 7thnbn.exe | 91
PID 224 wrote to memory of 848 | 224 | 7thnbn.exe | 91
PID 848 wrote to memory of 884 | 848 | dvvjv.exe | 92
PID 848 wrote to memory of 884 | 848 | dvvjv.exe | 92
PID 848 wrote to memory of 884 | 848 | dvvjv.exe | 92
PID 884 wrote to memory of 404 | 884 | ntnbth.exe | 93
PID 884 wrote to memory of 404 | 884 | ntnbth.exe | 93
PID 884 wrote to memory of 404 | 884 | ntnbth.exe | 93
PID 404 wrote to memory of 3636 | 404 | dpdjv.exe | 94
PID 404 wrote to memory of 3636 | 404 | dpdjv.exe | 94
PID 404 wrote to memory of 3636 | 404 | dpdjv.exe | 94
PID 3636 wrote to memory of 2152 | 3636 | bnhtnh.exe | 95
PID 3636 wrote to memory of 2152 | 3636 | bnhtnh.exe | 95
PID 3636 wrote to memory of 2152 | 3636 | bnhtnh.exe | 95
PID 2152 wrote to memory of 5008 | 2152 | jvvvp.exe | 96
PID 2152 wrote to memory of 5008 | 2152 | jvvvp.exe | 96
PID 2152 wrote to memory of 5008 | 2152 | jvvvp.exe | 96
PID 5008 wrote to memory of 3312 | 5008 | jdjdd.exe | 97
PID 5008 wrote to memory of 3312 | 5008 | jdjdd.exe | 97
PID 5008 wrote to memory of 3312 | 5008 | jdjdd.exe | 97
PID 3312 wrote to memory of 1948 | 3312 | tnbthh.exe | 98
PID 3312 wrote to memory of 1948 | 3312 | tnbthh.exe | 98
PID 3312 wrote to memory of 1948 | 3312 | tnbthh.exe | 98
PID 1948 wrote to memory of 4560 | 1948 | jdpjj.exe | 99
PID 1948 wrote to memory of 4560 | 1948 | jdpjj.exe | 99
PID 1948 wrote to memory of 4560 | 1948 | jdpjj.exe | 99
PID 4560 wrote to memory of 4264 | 4560 | 1lrlffx.exe | 100
PID 4560 wrote to memory of 4264 | 4560 | 1lrlffx.exe | 100
PID 4560 wrote to memory of 4264 | 4560 | 1lrlffx.exe | 100
PID 4264 wrote to memory of 3296 | 4264 | vdpjd.exe | 101
PID 4264 wrote to memory of 3296 | 4264 | vdpjd.exe | 101
PID 4264 wrote to memory of 3296 | 4264 | vdpjd.exe | 101
PID 3296 wrote to memory of 3216 | 3296 | lxfrxlf.exe | 102
PID 3296 wrote to memory of 3216 | 3296 | lxfrxlf.exe | 102
PID 3296 wrote to memory of 3216 | 3296 | lxfrxlf.exe | 102
PID 3216 wrote to memory of 772 | 3216 | tthhhn.exe | 103
Processes
(each entry: tree depth, image path, command line, PID; signatures listed beneath)

1. C:\Users\Admin\AppData\Local\Temp\0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe  "C:\Users\Admin\AppData\Local\Temp\0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe"  (PID 1776)
   - Suspicious use of WriteProcessMemory
2. \??\c:\tbnhtn.exe  c:\tbnhtn.exe  (PID 4924)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. \??\c:\dddvp.exe  c:\dddvp.exe  (PID 4652)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. \??\c:\fxxrfxr.exe  c:\fxxrfxr.exe  (PID 2740)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. \??\c:\vddvj.exe  c:\vddvj.exe  (PID 1936)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. \??\c:\tnntht.exe  c:\tnntht.exe  (PID 1420)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. \??\c:\5ffxrlf.exe  c:\5ffxrlf.exe  (PID 5092)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. \??\c:\9hnnhb.exe  c:\9hnnhb.exe  (PID 3100)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. \??\c:\jvjvv.exe  c:\jvjvv.exe  (PID 944)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. \??\c:\7thnbn.exe  c:\7thnbn.exe  (PID 224)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. \??\c:\dvvjv.exe  c:\dvvjv.exe  (PID 848)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. \??\c:\ntnbth.exe  c:\ntnbth.exe  (PID 884)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. \??\c:\dpdjv.exe  c:\dpdjv.exe  (PID 404)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. \??\c:\bnhtnh.exe  c:\bnhtnh.exe  (PID 3636)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. \??\c:\jvvvp.exe  c:\jvvvp.exe  (PID 2152)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. \??\c:\jdjdd.exe  c:\jdjdd.exe  (PID 5008)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. \??\c:\tnbthh.exe  c:\tnbthh.exe  (PID 3312)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. \??\c:\jdpjj.exe  c:\jdpjj.exe  (PID 1948)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. \??\c:\1lrlffx.exe  c:\1lrlffx.exe  (PID 4560)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. \??\c:\vdpjd.exe  c:\vdpjd.exe  (PID 4264)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. \??\c:\lxfrxlf.exe  c:\lxfrxlf.exe  (PID 3296)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. \??\c:\tthhhn.exe  c:\tthhhn.exe  (PID 3216)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. \??\c:\jvppj.exe  c:\jvppj.exe  (PID 772)
   - Executes dropped EXE
24. \??\c:\fxfxrrl.exe  c:\fxfxrrl.exe  (PID 4488)
   - Executes dropped EXE
25. \??\c:\tthbtn.exe  c:\tthbtn.exe  (PID 3112)
   - Executes dropped EXE
26. \??\c:\vvdjd.exe  c:\vvdjd.exe  (PID 4336)
   - Executes dropped EXE
27. \??\c:\7xfxlll.exe  c:\7xfxlll.exe  (PID 3300)
   - Executes dropped EXE
28. \??\c:\bntnhh.exe  c:\bntnhh.exe  (PID 3452)
   - Executes dropped EXE
29. \??\c:\pjjdv.exe  c:\pjjdv.exe  (PID 2948)
   - Executes dropped EXE
30. \??\c:\nbnhbt.exe  c:\nbnhbt.exe  (PID 1408)
   - Executes dropped EXE
31. \??\c:\vpvjp.exe  c:\vpvjp.exe  (PID 2132)
   - Executes dropped EXE
32. \??\c:\xrfrlfr.exe  c:\xrfrlfr.exe  (PID 1064)
   - Executes dropped EXE
33. \??\c:\tbtbtt.exe  c:\tbtbtt.exe  (PID 2600)
   - Executes dropped EXE
34. \??\c:\jvdvp.exe  c:\jvdvp.exe  (PID 3620)
   - Executes dropped EXE
35. \??\c:\9lllfxr.exe  c:\9lllfxr.exe  (PID 1860)
   - Executes dropped EXE
36. \??\c:\pdjjd.exe  c:\pdjjd.exe  (PID 3736)
   - Executes dropped EXE
37. \??\c:\rffxrrf.exe  c:\rffxrrf.exe  (PID 4988)
   - Executes dropped EXE
38. \??\c:\tnbtnh.exe  c:\tnbtnh.exe  (PID 4816)
   - Executes dropped EXE
39. \??\c:\ddvpd.exe  c:\ddvpd.exe  (PID 3512)
   - Executes dropped EXE
40. \??\c:\rlrlffr.exe  c:\rlrlffr.exe  (PID 1564)
   - Executes dropped EXE
41. \??\c:\thnhbb.exe  c:\thnhbb.exe  (PID 3700)
   - Executes dropped EXE
42. \??\c:\hbbnhb.exe  c:\hbbnhb.exe  (PID 2612)
   - Executes dropped EXE
43. \??\c:\dvpjd.exe  c:\dvpjd.exe  (PID 844)
   - Executes dropped EXE
44. \??\c:\hhnhbt.exe  c:\hhnhbt.exe  (PID 5016)
   - Executes dropped EXE
45. \??\c:\vvvdv.exe  c:\vvvdv.exe  (PID 5020)
   - Executes dropped EXE
46. \??\c:\frxlxrf.exe  c:\frxlxrf.exe  (PID 1268)
   - Executes dropped EXE
47. \??\c:\1xxrffx.exe  c:\1xxrffx.exe  (PID 4928)
   - Executes dropped EXE
48. \??\c:\ttbnnh.exe  c:\ttbnnh.exe  (PID 3392)
   - Executes dropped EXE
49. \??\c:\ppvjv.exe  c:\ppvjv.exe  (PID 2408)
   - Executes dropped EXE
50. \??\c:\ppdvd.exe  c:\ppdvd.exe  (PID 1812)
   - Executes dropped EXE
51. \??\c:\lxrlfxr.exe  c:\lxrlfxr.exe  (PID 2988)
   - Executes dropped EXE
52. \??\c:\nnnbnn.exe  c:\nnnbnn.exe  (PID 1700)
   - Executes dropped EXE
53. \??\c:\1tttht.exe  c:\1tttht.exe  (PID 2552)
   - Executes dropped EXE
54. \??\c:\vjpdv.exe  c:\vjpdv.exe  (PID 4376)
55. \??\c:\rfrlfrr.exe  c:\rfrlfrr.exe  (PID 1184)
   - Executes dropped EXE
56. \??\c:\thbtnh.exe  c:\thbtnh.exe  (PID 4396)
   - Executes dropped EXE
57. \??\c:\5ntnbt.exe  c:\5ntnbt.exe  (PID 4652)
   - Executes dropped EXE
58. \??\c:\djjvv.exe  c:\djjvv.exe  (PID 4184)
   - Executes dropped EXE
59. \??\c:\lfxrfxl.exe  c:\lfxrfxl.exe  (PID 4500)
   - Executes dropped EXE
60. \??\c:\bnhhtn.exe  c:\bnhhtn.exe  (PID 2740)
   - Executes dropped EXE
61. \??\c:\hnnnhh.exe  c:\hnnnhh.exe  (PID 1488)
   - Executes dropped EXE
62. \??\c:\3jpvv.exe  c:\3jpvv.exe  (PID 1988)
   - Executes dropped EXE
63. \??\c:\vjjpd.exe  c:\vjjpd.exe  (PID 4192)
   - Executes dropped EXE
64. \??\c:\xrlfxxr.exe  c:\xrlfxxr.exe  (PID 3956)
   - Executes dropped EXE
65. \??\c:\tnnbtn.exe  c:\tnnbtn.exe  (PID 1240)
   - Executes dropped EXE
66. \??\c:\5pjdp.exe  c:\5pjdp.exe  (PID 3100)
   - Executes dropped EXE
67. \??\c:\vdpjv.exe  c:\vdpjv.exe  (PID 4072)
68. \??\c:\rrfxflr.exe  c:\rrfxflr.exe  (PID 1472)
69. \??\c:\bnhtbt.exe  c:\bnhtbt.exe  (PID 320)
70. \??\c:\dvppp.exe  c:\dvppp.exe  (PID 2228)
71. \??\c:\flrfffl.exe  c:\flrfffl.exe  (PID 972)
72. \??\c:\nnnhbh.exe  c:\nnnhbh.exe  (PID 1608)
73. \??\c:\htnbnh.exe  c:\htnbnh.exe  (PID 2604)
74. \??\c:\vdpjj.exe  c:\vdpjj.exe  (PID 768)
75. \??\c:\fffxrll.exe  c:\fffxrll.exe  (PID 1208)
76. \??\c:\rrfxlrr.exe  c:\rrfxlrr.exe  (PID 4344)
77. \??\c:\htthbn.exe  c:\htthbn.exe  (PID 1424)
78. \??\c:\vjpjv.exe  c:\vjpjv.exe  (PID 3212)
79. \??\c:\1jpdp.exe  c:\1jpdp.exe  (PID 3496)
80. \??\c:\lfxflxx.exe  c:\lfxflxx.exe  (PID 4568)
81. \??\c:\9tbhth.exe  c:\9tbhth.exe  (PID 4760)
82. \??\c:\vppjj.exe  c:\vppjj.exe  (PID 2100)
83. \??\c:\xlrrlfx.exe  c:\xlrrlfx.exe  (PID 2188)
84. \??\c:\rlrflff.exe  c:\rlrflff.exe  (PID 1220)
85. \??\c:\ntbbtt.exe  c:\ntbbtt.exe  (PID 4620)
86. \??\c:\1ddvp.exe  c:\1ddvp.exe  (PID 3500)
87. \??\c:\dvddd.exe  c:\dvddd.exe  (PID 2368)
88. \??\c:\xlrlxrl.exe  c:\xlrlxrl.exe  (PID 3412)
89. \??\c:\xrrxrlf.exe  c:\xrrxrlf.exe  (PID 688)
90. \??\c:\hnbthh.exe  c:\hnbthh.exe  (PID 4552)
91. \??\c:\vjvdd.exe  c:\vjvdd.exe  (PID 2440)
92. \??\c:\jjjvd.exe  c:\jjjvd.exe  (PID 1440)
93. \??\c:\5lrlxlf.exe  c:\5lrlxlf.exe  (PID 4632)
   - System Location Discovery: System Language Discovery
94. \??\c:\1hbbnh.exe  c:\1hbbnh.exe  (PID 2788)
95. \??\c:\5tbtnt.exe  c:\5tbtnt.exe  (PID 1524)
96. \??\c:\djpdv.exe  c:\djpdv.exe  (PID 4032)
97. \??\c:\frflffx.exe  c:\frflffx.exe  (PID 4280)
98. \??\c:\rrxrflf.exe  c:\rrxrflf.exe  (PID 732)
99. \??\c:\httnbt.exe  c:\httnbt.exe  (PID 4404)
100. \??\c:\bnhbtn.exe  c:\bnhbtn.exe  (PID 1496)
101. \??\c:\jppdv.exe  c:\jppdv.exe  (PID 3292)
102. \??\c:\djdpd.exe  c:\djdpd.exe  (PID 984)
103. \??\c:\rxlfrlx.exe  c:\rxlfrlx.exe  (PID 1868)
104. \??\c:\1tnhtn.exe  c:\1tnhtn.exe  (PID 1860)
105. \??\c:\bbthtn.exe  c:\bbthtn.exe  (PID 2568)
106. \??\c:\9jpjd.exe  c:\9jpjd.exe  (PID 4424)
107. \??\c:\xffrrlf.exe  c:\xffrrlf.exe  (PID 2832)
108. \??\c:\rrxrrfx.exe  c:\rrxrrfx.exe  (PID 3908)
109. \??\c:\bnbnnh.exe  c:\bnbnnh.exe  (PID 4640)
110. \??\c:\pdvpj.exe  c:\pdvpj.exe  (PID 2332)
111. \??\c:\xrxrlrl.exe  c:\xrxrlrl.exe  (PID 4972)
112. \??\c:\rllfxfx.exe  c:\rllfxfx.exe  (PID 4732)
113. \??\c:\hbtnhb.exe  c:\hbtnhb.exe  (PID 4220)
114. \??\c:\ppvjv.exe  c:\ppvjv.exe  (PID 1944)
115. \??\c:\xxxxrrl.exe  c:\xxxxrrl.exe  (PID 816)
116. \??\c:\bnbnht.exe  c:\bnbnht.exe  (PID 5052)
117. \??\c:\bbtnhh.exe  c:\bbtnhh.exe  (PID 4904)
118. \??\c:\vpddv.exe  c:\vpddv.exe  (PID 1428)
119. \??\c:\lrrlxrl.exe  c:\lrrlxrl.exe  (PID 2128)
120. \??\c:\5xfxllf.exe  c:\5xfxllf.exe  (PID 4912)
121. \??\c:\hhbtbt.exe  c:\hhbtbt.exe  (PID 4648)
122. \??\c:\3vjvd.exe  c:\3vjvd.exe  (PID 3660)