Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
16/12/2024, 19:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b3048883b50661013cf000f65f5a2bbbc1eaa54cd7ceaa91d615deb0b6d62ce9N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
b3048883b50661013cf000f65f5a2bbbc1eaa54cd7ceaa91d615deb0b6d62ce9N.exe
-
Size
454KB
-
MD5
bac24140fcd6625645312493829e2ae0
-
SHA1
4c78d1c4c1eea93a9e87f0b9186b88f053087c0f
-
SHA256
b3048883b50661013cf000f65f5a2bbbc1eaa54cd7ceaa91d615deb0b6d62ce9
-
SHA512
7216f76d813c5ec28e5da6bc26f921a031d48d6a3bbf6effbfcbbc01dd7c958132bca169330a89304d4e444386d82781e34a35784d78e27295ed03da3905525a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3168-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/512-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4280-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-993-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-1045-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-1133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 628 btnnhb.exe 4560 djjdj.exe 3260 xrrfxrl.exe 3596 bnnhbb.exe 4940 5jdvd.exe 4428 hbtnhh.exe 1944 rfffxlf.exe 800 bntnhb.exe 3204 1fflfll.exe 4456 hbnntt.exe 1160 tthbbt.exe 3556 9jpdv.exe 1116 xxffxxf.exe 2408 rfrrxxl.exe 224 rxffxxr.exe 3920 9jjdv.exe 516 xfllrrf.exe 2540 tbbthb.exe 1984 xlrlxxx.exe 2908 pdjjd.exe 2592 dvpjd.exe 2296 fxlfxxr.exe 2268 jjdpp.exe 3200 tbnhnt.exe 3960 pvjjj.exe 512 nntnbb.exe 3524 ntbtbb.exe 3860 dvdvj.exe 1224 fxrxfxf.exe 3172 lrxrllf.exe 3912 hthhtt.exe 1500 3ddvp.exe 4384 bhbbtt.exe 2104 vdvpp.exe 1000 9fxrllf.exe 2520 9thtbt.exe 4612 dddpj.exe 1012 lrrfrrx.exe 1480 nbnthh.exe 3972 nnhbtt.exe 2740 pdjvp.exe 3968 xflxxxl.exe 3076 tbbhbt.exe 4936 vpdvv.exe 1588 9tbttt.exe 3464 nhnhhb.exe 3248 3jppd.exe 3608 ffrlfrl.exe 4176 bbtnnn.exe 452 1djvj.exe 4924 vdpjp.exe 4948 rrlffff.exe 4268 1hbtnh.exe 3228 ppjdd.exe 3940 5llfllf.exe 628 nbnnnn.exe 4068 dppjj.exe 4604 5vdpv.exe 916 lfxrrrr.exe 2896 llrrrll.exe 3984 nhbthh.exe 4104 pppjp.exe 3120 frrlfxr.exe 4896 htthbt.exe -
resource yara_rule behavioral2/memory/3168-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1224-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4284-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-813-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-896-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btnhb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3168 wrote to memory of 628 3168 b3048883b50661013cf000f65f5a2bbbc1eaa54cd7ceaa91d615deb0b6d62ce9N.exe 82 PID 3168 wrote to memory of 628 3168 b3048883b50661013cf000f65f5a2bbbc1eaa54cd7ceaa91d615deb0b6d62ce9N.exe 82 PID 3168 wrote to memory of 628 3168 b3048883b50661013cf000f65f5a2bbbc1eaa54cd7ceaa91d615deb0b6d62ce9N.exe 82 PID 628 wrote to memory of 4560 628 btnnhb.exe 83 PID 628 wrote to memory of 4560 628 btnnhb.exe 83 PID 628 wrote to memory of 4560 628 btnnhb.exe 83 PID 4560 wrote to memory of 3260 4560 djjdj.exe 84 PID 4560 wrote to memory of 3260 4560 djjdj.exe 84 PID 4560 wrote to memory of 3260 4560 djjdj.exe 84 PID 3260 wrote to memory of 3596 3260 xrrfxrl.exe 85 PID 3260 wrote to memory of 3596 3260 xrrfxrl.exe 85 PID 3260 wrote to memory of 3596 3260 xrrfxrl.exe 85 PID 3596 wrote to memory of 4940 3596 bnnhbb.exe 86 PID 3596 wrote to memory of 4940 3596 bnnhbb.exe 86 PID 3596 wrote to memory of 4940 3596 bnnhbb.exe 86 PID 4940 wrote to memory of 4428 4940 5jdvd.exe 87 PID 4940 wrote to memory of 4428 4940 5jdvd.exe 87 PID 4940 wrote to memory of 4428 4940 5jdvd.exe 87 PID 4428 wrote to memory of 1944 4428 hbtnhh.exe 88 PID 4428 wrote to memory of 1944 4428 hbtnhh.exe 88 PID 4428 wrote to memory of 1944 4428 hbtnhh.exe 88 PID 1944 wrote to memory of 800 1944 rfffxlf.exe 89 PID 1944 wrote to memory of 800 1944 rfffxlf.exe 89 PID 1944 wrote to memory of 800 1944 rfffxlf.exe 89 PID 800 wrote to memory of 3204 800 bntnhb.exe 90 PID 800 wrote to memory of 3204 800 bntnhb.exe 90 PID 800 wrote to memory of 3204 800 bntnhb.exe 90 PID 3204 wrote to memory of 4456 3204 1fflfll.exe 91 PID 3204 wrote to memory of 4456 3204 1fflfll.exe 91 PID 3204 wrote to memory of 4456 3204 1fflfll.exe 91 PID 4456 wrote to memory of 1160 4456 hbnntt.exe 92 PID 4456 wrote to memory of 1160 4456 hbnntt.exe 92 PID 4456 wrote to memory of 1160 4456 hbnntt.exe 92 PID 1160 wrote to memory of 3556 1160 tthbbt.exe 93 PID 1160 wrote to memory of 
3556 1160 tthbbt.exe 93 PID 1160 wrote to memory of 3556 1160 tthbbt.exe 93 PID 3556 wrote to memory of 1116 3556 9jpdv.exe 94 PID 3556 wrote to memory of 1116 3556 9jpdv.exe 94 PID 3556 wrote to memory of 1116 3556 9jpdv.exe 94 PID 1116 wrote to memory of 2408 1116 xxffxxf.exe 95 PID 1116 wrote to memory of 2408 1116 xxffxxf.exe 95 PID 1116 wrote to memory of 2408 1116 xxffxxf.exe 95 PID 2408 wrote to memory of 224 2408 rfrrxxl.exe 96 PID 2408 wrote to memory of 224 2408 rfrrxxl.exe 96 PID 2408 wrote to memory of 224 2408 rfrrxxl.exe 96 PID 224 wrote to memory of 3920 224 rxffxxr.exe 97 PID 224 wrote to memory of 3920 224 rxffxxr.exe 97 PID 224 wrote to memory of 3920 224 rxffxxr.exe 97 PID 3920 wrote to memory of 516 3920 9jjdv.exe 98 PID 3920 wrote to memory of 516 3920 9jjdv.exe 98 PID 3920 wrote to memory of 516 3920 9jjdv.exe 98 PID 516 wrote to memory of 2540 516 xfllrrf.exe 99 PID 516 wrote to memory of 2540 516 xfllrrf.exe 99 PID 516 wrote to memory of 2540 516 xfllrrf.exe 99 PID 2540 wrote to memory of 1984 2540 tbbthb.exe 100 PID 2540 wrote to memory of 1984 2540 tbbthb.exe 100 PID 2540 wrote to memory of 1984 2540 tbbthb.exe 100 PID 1984 wrote to memory of 2908 1984 xlrlxxx.exe 101 PID 1984 wrote to memory of 2908 1984 xlrlxxx.exe 101 PID 1984 wrote to memory of 2908 1984 xlrlxxx.exe 101 PID 2908 wrote to memory of 2592 2908 pdjjd.exe 102 PID 2908 wrote to memory of 2592 2908 pdjjd.exe 102 PID 2908 wrote to memory of 2592 2908 pdjjd.exe 102 PID 2592 wrote to memory of 2296 2592 dvpjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3048883b50661013cf000f65f5a2bbbc1eaa54cd7ceaa91d615deb0b6d62ce9N.exe"C:\Users\Admin\AppData\Local\Temp\b3048883b50661013cf000f65f5a2bbbc1eaa54cd7ceaa91d615deb0b6d62ce9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\btnnhb.exec:\btnnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\djjdj.exec:\djjdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\bnnhbb.exec:\bnnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\5jdvd.exec:\5jdvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\hbtnhh.exec:\hbtnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\rfffxlf.exec:\rfffxlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\bntnhb.exec:\bntnhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\1fflfll.exec:\1fflfll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\hbnntt.exec:\hbnntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\tthbbt.exec:\tthbbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\9jpdv.exec:\9jpdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\xxffxxf.exec:\xxffxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\rfrrxxl.exec:\rfrrxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\rxffxxr.exec:\rxffxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\9jjdv.exec:\9jjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\xfllrrf.exec:\xfllrrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\tbbthb.exec:\tbbthb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\xlrlxxx.exec:\xlrlxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\pdjjd.exec:\pdjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\dvpjd.exec:\dvpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe23⤵
- Executes dropped EXE
PID:2296 -
\??\c:\jjdpp.exec:\jjdpp.exe24⤵
- Executes dropped EXE
PID:2268 -
\??\c:\tbnhnt.exec:\tbnhnt.exe25⤵
- Executes dropped EXE
PID:3200 -
\??\c:\pvjjj.exec:\pvjjj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3960 -
\??\c:\nntnbb.exec:\nntnbb.exe27⤵
- Executes dropped EXE
PID:512 -
\??\c:\ntbtbb.exec:\ntbtbb.exe28⤵
- Executes dropped EXE
PID:3524 -
\??\c:\dvdvj.exec:\dvdvj.exe29⤵
- Executes dropped EXE
PID:3860 -
\??\c:\fxrxfxf.exec:\fxrxfxf.exe30⤵
- Executes dropped EXE
PID:1224 -
\??\c:\lrxrllf.exec:\lrxrllf.exe31⤵
- Executes dropped EXE
PID:3172 -
\??\c:\hthhtt.exec:\hthhtt.exe32⤵
- Executes dropped EXE
PID:3912 -
\??\c:\3ddvp.exec:\3ddvp.exe33⤵
- Executes dropped EXE
PID:1500 -
\??\c:\bhbbtt.exec:\bhbbtt.exe34⤵
- Executes dropped EXE
PID:4384 -
\??\c:\vdvpp.exec:\vdvpp.exe35⤵
- Executes dropped EXE
PID:2104 -
\??\c:\9fxrllf.exec:\9fxrllf.exe36⤵
- Executes dropped EXE
PID:1000 -
\??\c:\9thtbt.exec:\9thtbt.exe37⤵
- Executes dropped EXE
PID:2520 -
\??\c:\dddpj.exec:\dddpj.exe38⤵
- Executes dropped EXE
PID:4612 -
\??\c:\lrrfrrx.exec:\lrrfrrx.exe39⤵
- Executes dropped EXE
PID:1012 -
\??\c:\nbnthh.exec:\nbnthh.exe40⤵
- Executes dropped EXE
PID:1480 -
\??\c:\nnhbtt.exec:\nnhbtt.exe41⤵
- Executes dropped EXE
PID:3972 -
\??\c:\pdjvp.exec:\pdjvp.exe42⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xflxxxl.exec:\xflxxxl.exe43⤵
- Executes dropped EXE
PID:3968 -
\??\c:\tbbhbt.exec:\tbbhbt.exe44⤵
- Executes dropped EXE
PID:3076 -
\??\c:\vpdvv.exec:\vpdvv.exe45⤵
- Executes dropped EXE
PID:4936 -
\??\c:\9tbttt.exec:\9tbttt.exe46⤵
- Executes dropped EXE
PID:1588 -
\??\c:\nhnhhb.exec:\nhnhhb.exe47⤵
- Executes dropped EXE
PID:3464 -
\??\c:\3jppd.exec:\3jppd.exe48⤵
- Executes dropped EXE
PID:3248 -
\??\c:\ffrlfrl.exec:\ffrlfrl.exe49⤵
- Executes dropped EXE
PID:3608 -
\??\c:\bbtnnn.exec:\bbtnnn.exe50⤵
- Executes dropped EXE
PID:4176 -
\??\c:\1djvj.exec:\1djvj.exe51⤵
- Executes dropped EXE
PID:452 -
\??\c:\vdpjp.exec:\vdpjp.exe52⤵
- Executes dropped EXE
PID:4924 -
\??\c:\rrlffff.exec:\rrlffff.exe53⤵
- Executes dropped EXE
PID:4948 -
\??\c:\1hbtnh.exec:\1hbtnh.exe54⤵
- Executes dropped EXE
PID:4268 -
\??\c:\ppjdd.exec:\ppjdd.exe55⤵
- Executes dropped EXE
PID:3228 -
\??\c:\5llfllf.exec:\5llfllf.exe56⤵
- Executes dropped EXE
PID:3940 -
\??\c:\nbnnnn.exec:\nbnnnn.exe57⤵
- Executes dropped EXE
PID:628 -
\??\c:\dppjj.exec:\dppjj.exe58⤵
- Executes dropped EXE
PID:4068 -
\??\c:\5vdpv.exec:\5vdpv.exe59⤵
- Executes dropped EXE
PID:4604 -
\??\c:\lfxrrrr.exec:\lfxrrrr.exe60⤵
- Executes dropped EXE
PID:916 -
\??\c:\llrrrll.exec:\llrrrll.exe61⤵
- Executes dropped EXE
PID:2896 -
\??\c:\nhbthh.exec:\nhbthh.exe62⤵
- Executes dropped EXE
PID:3984 -
\??\c:\pppjp.exec:\pppjp.exe63⤵
- Executes dropped EXE
PID:4104 -
\??\c:\frrlfxr.exec:\frrlfxr.exe64⤵
- Executes dropped EXE
PID:3120 -
\??\c:\htthbt.exec:\htthbt.exe65⤵
- Executes dropped EXE
PID:4896 -
\??\c:\nhbthb.exec:\nhbthb.exe66⤵PID:2020
-
\??\c:\3vdvd.exec:\3vdvd.exe67⤵PID:2232
-
\??\c:\ffllrrl.exec:\ffllrrl.exe68⤵PID:3640
-
\??\c:\xffxrlf.exec:\xffxrlf.exe69⤵PID:408
-
\??\c:\nttnht.exec:\nttnht.exe70⤵PID:708
-
\??\c:\vpdvp.exec:\vpdvp.exe71⤵PID:1644
-
\??\c:\xrfrlff.exec:\xrfrlff.exe72⤵PID:2976
-
\??\c:\hnnhtn.exec:\hnnhtn.exe73⤵PID:940
-
\??\c:\nthbnt.exec:\nthbnt.exe74⤵PID:4280
-
\??\c:\9lfxllx.exec:\9lfxllx.exe75⤵PID:1760
-
\??\c:\bhbthb.exec:\bhbthb.exe76⤵PID:2468
-
\??\c:\3jdvp.exec:\3jdvp.exe77⤵PID:4460
-
\??\c:\3xrfxrx.exec:\3xrfxrx.exe78⤵PID:224
-
\??\c:\nhtnhb.exec:\nhtnhb.exe79⤵PID:3548
-
\??\c:\5vdpp.exec:\5vdpp.exe80⤵PID:3664
-
\??\c:\5dppd.exec:\5dppd.exe81⤵PID:4284
-
\??\c:\fllfxlf.exec:\fllfxlf.exe82⤵PID:1040
-
\??\c:\hbbtnb.exec:\hbbtnb.exe83⤵PID:1984
-
\??\c:\pjjvp.exec:\pjjvp.exe84⤵PID:4208
-
\??\c:\djpdp.exec:\djpdp.exe85⤵PID:2480
-
\??\c:\rlrxlfr.exec:\rlrxlfr.exe86⤵PID:1324
-
\??\c:\nbbhtn.exec:\nbbhtn.exe87⤵
- System Location Discovery: System Language Discovery
PID:3428 -
\??\c:\ddpjv.exec:\ddpjv.exe88⤵PID:4996
-
\??\c:\lrxrrrx.exec:\lrxrrrx.exe89⤵PID:4200
-
\??\c:\rfxxrlr.exec:\rfxxrlr.exe90⤵PID:3688
-
\??\c:\nhbtnh.exec:\nhbtnh.exe91⤵PID:2052
-
\??\c:\pdddd.exec:\pdddd.exe92⤵PID:2900
-
\??\c:\dpvjv.exec:\dpvjv.exe93⤵PID:2736
-
\??\c:\xlxlfrl.exec:\xlxlfrl.exe94⤵PID:2816
-
\??\c:\hbbbtn.exec:\hbbbtn.exe95⤵PID:4832
-
\??\c:\jvvdd.exec:\jvvdd.exe96⤵PID:1748
-
\??\c:\ffrrxxf.exec:\ffrrxxf.exe97⤵PID:2596
-
\??\c:\ttbtnn.exec:\ttbtnn.exe98⤵PID:3172
-
\??\c:\1htttn.exec:\1htttn.exe99⤵PID:3236
-
\??\c:\vpdvj.exec:\vpdvj.exe100⤵PID:1392
-
\??\c:\xrfrrrf.exec:\xrfrrrf.exe101⤵PID:4720
-
\??\c:\ntnhbt.exec:\ntnhbt.exe102⤵PID:4084
-
\??\c:\bthtnt.exec:\bthtnt.exe103⤵PID:64
-
\??\c:\djppp.exec:\djppp.exe104⤵PID:4868
-
\??\c:\rxfxfxf.exec:\rxfxfxf.exe105⤵PID:2076
-
\??\c:\3nnbtt.exec:\3nnbtt.exe106⤵PID:1176
-
\??\c:\jvpvd.exec:\jvpvd.exe107⤵PID:368
-
\??\c:\fxxrllf.exec:\fxxrllf.exe108⤵PID:4624
-
\??\c:\xrrrflx.exec:\xrrrflx.exe109⤵PID:5052
-
\??\c:\tbhbbb.exec:\tbhbbb.exe110⤵PID:2536
-
\??\c:\3pvpj.exec:\3pvpj.exe111⤵PID:1232
-
\??\c:\jdjdv.exec:\jdjdv.exe112⤵PID:2472
-
\??\c:\hhnbbh.exec:\hhnbbh.exe113⤵PID:4528
-
\??\c:\jjppp.exec:\jjppp.exe114⤵PID:4548
-
\??\c:\xrflxfl.exec:\xrflxfl.exe115⤵PID:2372
-
\??\c:\bnnhhb.exec:\bnnhhb.exe116⤵PID:3248
-
\??\c:\bnthbb.exec:\bnthbb.exe117⤵PID:3608
-
\??\c:\ppdvd.exec:\ppdvd.exe118⤵PID:912
-
\??\c:\xxrfxrf.exec:\xxrfxrf.exe119⤵PID:1596
-
\??\c:\1hnhhb.exec:\1hnhhb.exe120⤵PID:4296
-
\??\c:\dpvjj.exec:\dpvjj.exe121⤵PID:4948
-
\??\c:\9vpjd.exec:\9vpjd.exe122⤵PID:4268