Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe
-
Size
454KB
-
MD5
b0ed066228c36f715ac3b14440c01d17
-
SHA1
0fe302f0f6cded692d118304d762df9e8ed6cbf8
-
SHA256
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245
-
SHA512
de74dbd511c625feca3a8a88a46dc6ac565e37e7a61f22c1607ce11e9dde7e412eceea2c10b04f8f29bb33b5e5930b477ad3027404a8c4223f0c0ab635a55c27
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/704-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3756-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3588-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-883-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-1131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-1249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-1322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1128-1500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 880 nbnhbt.exe 2628 9btnhh.exe 3380 9hhhbh.exe 3332 dvjdd.exe 5064 5lfxxxx.exe 2052 7lrlllf.exe 2120 1ntbbb.exe 512 pdjpp.exe 1860 rlfffff.exe 4012 rllffff.exe 4880 htbttn.exe 2668 bntbbb.exe 1564 vjjjd.exe 2108 rxfxrlf.exe 1508 xlxrrrr.exe 4900 7hnnnn.exe 4348 1dvvp.exe 1976 vdvvv.exe 2868 flxfxxr.exe 5092 bbhnhb.exe 2984 thtnhh.exe 1068 vpvvp.exe 3216 rfrfxrl.exe 2044 9tnhbt.exe 4740 bhtnhh.exe 1852 pddvp.exe 4772 3fffxxx.exe 3328 fllfrfr.exe 1616 hnbtnh.exe 4868 jvdvj.exe 2056 dvppj.exe 3756 lfrlrlr.exe 3180 tbhbtb.exe 2708 pdvpj.exe 4500 jddvp.exe 2036 rrfrlfx.exe 3572 9rxrxxr.exe 3988 nhhhbb.exe 3472 dvdpd.exe 4496 pjjvd.exe 2444 1rrlfxr.exe 1176 nbbnhb.exe 5072 hbthtt.exe 3616 pjjvp.exe 3452 1ffxlll.exe 3664 rlrlxrx.exe 1800 hbtnhh.exe 388 ppvvj.exe 4316 vdjdd.exe 4160 frxflrx.exe 704 7nbthb.exe 4520 htbtnh.exe 4716 dvvvp.exe 3320 xlllffl.exe 2540 ttbnhh.exe 1120 hnttnh.exe 636 3jdvp.exe 2380 rxxxrlf.exe 2052 fxfrlxr.exe 2160 ttbtnn.exe 3948 dvdvp.exe 1020 xlllfff.exe 1860 xflxlfx.exe 4616 hhnhtn.exe -
resource yara_rule behavioral2/memory/704-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4868-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3424-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-883-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbtt.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 704 wrote to memory of 880 704 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 83 PID 704 wrote to memory of 880 704 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 83 PID 704 wrote to memory of 880 704 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 83 PID 880 wrote to memory of 2628 880 nbnhbt.exe 84 PID 880 wrote to memory of 2628 880 nbnhbt.exe 84 PID 880 wrote to memory of 2628 880 nbnhbt.exe 84 PID 2628 wrote to memory of 3380 2628 9btnhh.exe 85 PID 2628 wrote to memory of 3380 2628 9btnhh.exe 85 PID 2628 wrote to memory of 3380 2628 9btnhh.exe 85 PID 3380 wrote to memory of 3332 3380 9hhhbh.exe 86 PID 3380 wrote to memory of 3332 3380 9hhhbh.exe 86 PID 3380 wrote to memory of 3332 3380 9hhhbh.exe 86 PID 3332 wrote to memory of 5064 3332 dvjdd.exe 87 PID 3332 wrote to memory of 5064 3332 dvjdd.exe 87 PID 3332 wrote to memory of 5064 3332 dvjdd.exe 87 PID 5064 wrote to memory of 2052 5064 5lfxxxx.exe 141 PID 5064 wrote to memory of 2052 5064 5lfxxxx.exe 141 PID 5064 wrote to memory of 2052 5064 5lfxxxx.exe 141 PID 2052 wrote to memory of 2120 2052 7lrlllf.exe 89 PID 2052 wrote to memory of 2120 2052 7lrlllf.exe 89 PID 2052 wrote to memory of 2120 2052 7lrlllf.exe 89 PID 2120 wrote to memory of 512 2120 1ntbbb.exe 90 PID 2120 wrote to memory of 512 2120 1ntbbb.exe 90 PID 2120 wrote to memory of 512 2120 1ntbbb.exe 90 PID 512 wrote to memory of 1860 512 pdjpp.exe 91 PID 512 wrote to memory of 1860 512 pdjpp.exe 91 PID 512 wrote to memory of 1860 512 pdjpp.exe 91 PID 1860 wrote to memory of 4012 1860 rlfffff.exe 92 PID 1860 wrote to memory of 4012 1860 rlfffff.exe 92 PID 1860 wrote to memory of 4012 1860 rlfffff.exe 92 PID 4012 wrote to memory of 4880 4012 rllffff.exe 93 PID 4012 wrote to memory of 4880 4012 rllffff.exe 93 PID 4012 wrote to memory of 4880 4012 rllffff.exe 93 PID 4880 wrote to memory of 2668 4880 htbttn.exe 94 PID 4880 wrote to memory of 2668 
4880 htbttn.exe 94 PID 4880 wrote to memory of 2668 4880 htbttn.exe 94 PID 2668 wrote to memory of 1564 2668 bntbbb.exe 95 PID 2668 wrote to memory of 1564 2668 bntbbb.exe 95 PID 2668 wrote to memory of 1564 2668 bntbbb.exe 95 PID 1564 wrote to memory of 2108 1564 vjjjd.exe 96 PID 1564 wrote to memory of 2108 1564 vjjjd.exe 96 PID 1564 wrote to memory of 2108 1564 vjjjd.exe 96 PID 2108 wrote to memory of 1508 2108 rxfxrlf.exe 97 PID 2108 wrote to memory of 1508 2108 rxfxrlf.exe 97 PID 2108 wrote to memory of 1508 2108 rxfxrlf.exe 97 PID 1508 wrote to memory of 4900 1508 xlxrrrr.exe 98 PID 1508 wrote to memory of 4900 1508 xlxrrrr.exe 98 PID 1508 wrote to memory of 4900 1508 xlxrrrr.exe 98 PID 4900 wrote to memory of 4348 4900 7hnnnn.exe 99 PID 4900 wrote to memory of 4348 4900 7hnnnn.exe 99 PID 4900 wrote to memory of 4348 4900 7hnnnn.exe 99 PID 4348 wrote to memory of 1976 4348 1dvvp.exe 153 PID 4348 wrote to memory of 1976 4348 1dvvp.exe 153 PID 4348 wrote to memory of 1976 4348 1dvvp.exe 153 PID 1976 wrote to memory of 2868 1976 vdvvv.exe 101 PID 1976 wrote to memory of 2868 1976 vdvvv.exe 101 PID 1976 wrote to memory of 2868 1976 vdvvv.exe 101 PID 2868 wrote to memory of 5092 2868 flxfxxr.exe 102 PID 2868 wrote to memory of 5092 2868 flxfxxr.exe 102 PID 2868 wrote to memory of 5092 2868 flxfxxr.exe 102 PID 5092 wrote to memory of 2984 5092 bbhnhb.exe 103 PID 5092 wrote to memory of 2984 5092 bbhnhb.exe 103 PID 5092 wrote to memory of 2984 5092 bbhnhb.exe 103 PID 2984 wrote to memory of 1068 2984 thtnhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe"C:\Users\Admin\AppData\Local\Temp\abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\nbnhbt.exec:\nbnhbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\9btnhh.exec:\9btnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\9hhhbh.exec:\9hhhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\dvjdd.exec:\dvjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\5lfxxxx.exec:\5lfxxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\7lrlllf.exec:\7lrlllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\1ntbbb.exec:\1ntbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\pdjpp.exec:\pdjpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\rlfffff.exec:\rlfffff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\rllffff.exec:\rllffff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\htbttn.exec:\htbttn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\bntbbb.exec:\bntbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\vjjjd.exec:\vjjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\xlxrrrr.exec:\xlxrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\7hnnnn.exec:\7hnnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\1dvvp.exec:\1dvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\vdvvv.exec:\vdvvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\flxfxxr.exec:\flxfxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\bbhnhb.exec:\bbhnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\thtnhh.exec:\thtnhh.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\vpvvp.exec:\vpvvp.exe23⤵
- Executes dropped EXE
PID:1068 -
\??\c:\rfrfxrl.exec:\rfrfxrl.exe24⤵
- Executes dropped EXE
PID:3216 -
\??\c:\9tnhbt.exec:\9tnhbt.exe25⤵
- Executes dropped EXE
PID:2044 -
\??\c:\bhtnhh.exec:\bhtnhh.exe26⤵
- Executes dropped EXE
PID:4740 -
\??\c:\pddvp.exec:\pddvp.exe27⤵
- Executes dropped EXE
PID:1852 -
\??\c:\3fffxxx.exec:\3fffxxx.exe28⤵
- Executes dropped EXE
PID:4772 -
\??\c:\fllfrfr.exec:\fllfrfr.exe29⤵
- Executes dropped EXE
PID:3328 -
\??\c:\hnbtnh.exec:\hnbtnh.exe30⤵
- Executes dropped EXE
PID:1616 -
\??\c:\jvdvj.exec:\jvdvj.exe31⤵
- Executes dropped EXE
PID:4868 -
\??\c:\dvppj.exec:\dvppj.exe32⤵
- Executes dropped EXE
PID:2056 -
\??\c:\lfrlrlr.exec:\lfrlrlr.exe33⤵
- Executes dropped EXE
PID:3756 -
\??\c:\tbhbtb.exec:\tbhbtb.exe34⤵
- Executes dropped EXE
PID:3180 -
\??\c:\pdvpj.exec:\pdvpj.exe35⤵
- Executes dropped EXE
PID:2708 -
\??\c:\jddvp.exec:\jddvp.exe36⤵
- Executes dropped EXE
PID:4500 -
\??\c:\rrfrlfx.exec:\rrfrlfx.exe37⤵
- Executes dropped EXE
PID:2036 -
\??\c:\9rxrxxr.exec:\9rxrxxr.exe38⤵
- Executes dropped EXE
PID:3572 -
\??\c:\nhhhbb.exec:\nhhhbb.exe39⤵
- Executes dropped EXE
PID:3988 -
\??\c:\dvdpd.exec:\dvdpd.exe40⤵
- Executes dropped EXE
PID:3472 -
\??\c:\pjjvd.exec:\pjjvd.exe41⤵
- Executes dropped EXE
PID:4496 -
\??\c:\1rrlfxr.exec:\1rrlfxr.exe42⤵
- Executes dropped EXE
PID:2444 -
\??\c:\nbbnhb.exec:\nbbnhb.exe43⤵
- Executes dropped EXE
PID:1176 -
\??\c:\hbthtt.exec:\hbthtt.exe44⤵
- Executes dropped EXE
PID:5072 -
\??\c:\pjjvp.exec:\pjjvp.exe45⤵
- Executes dropped EXE
PID:3616 -
\??\c:\1ffxlll.exec:\1ffxlll.exe46⤵
- Executes dropped EXE
PID:3452 -
\??\c:\rlrlxrx.exec:\rlrlxrx.exe47⤵
- Executes dropped EXE
PID:3664 -
\??\c:\hbtnhh.exec:\hbtnhh.exe48⤵
- Executes dropped EXE
PID:1800 -
\??\c:\ppvvj.exec:\ppvvj.exe49⤵
- Executes dropped EXE
PID:388 -
\??\c:\vdjdd.exec:\vdjdd.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4316 -
\??\c:\frxflrx.exec:\frxflrx.exe51⤵
- Executes dropped EXE
PID:4160 -
\??\c:\7nbthb.exec:\7nbthb.exe52⤵
- Executes dropped EXE
PID:704 -
\??\c:\htbtnh.exec:\htbtnh.exe53⤵
- Executes dropped EXE
PID:4520 -
\??\c:\dvvvp.exec:\dvvvp.exe54⤵
- Executes dropped EXE
PID:4716 -
\??\c:\xlllffl.exec:\xlllffl.exe55⤵
- Executes dropped EXE
PID:3320 -
\??\c:\ttbnhh.exec:\ttbnhh.exe56⤵
- Executes dropped EXE
PID:2540 -
\??\c:\hnttnh.exec:\hnttnh.exe57⤵
- Executes dropped EXE
PID:1120 -
\??\c:\3jdvp.exec:\3jdvp.exe58⤵
- Executes dropped EXE
PID:636 -
\??\c:\rxxxrlf.exec:\rxxxrlf.exe59⤵
- Executes dropped EXE
PID:2380 -
\??\c:\fxfrlxr.exec:\fxfrlxr.exe60⤵
- Executes dropped EXE
PID:2052 -
\??\c:\ttbtnn.exec:\ttbtnn.exe61⤵
- Executes dropped EXE
PID:2160 -
\??\c:\dvdvp.exec:\dvdvp.exe62⤵
- Executes dropped EXE
PID:3948 -
\??\c:\xlllfff.exec:\xlllfff.exe63⤵
- Executes dropped EXE
PID:1020 -
\??\c:\xflxlfx.exec:\xflxlfx.exe64⤵
- Executes dropped EXE
PID:1860 -
\??\c:\hhnhtn.exec:\hhnhtn.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4616 -
\??\c:\jddjd.exec:\jddjd.exe66⤵PID:2928
-
\??\c:\jpdpj.exec:\jpdpj.exe67⤵PID:1924
-
\??\c:\xxfxlfx.exec:\xxfxlfx.exe68⤵PID:5032
-
\??\c:\nhbnhb.exec:\nhbnhb.exe69⤵PID:1420
-
\??\c:\1bbttt.exec:\1bbttt.exe70⤵PID:1296
-
\??\c:\jdvvj.exec:\jdvvj.exe71⤵PID:4348
-
\??\c:\xxfrlfx.exec:\xxfrlfx.exe72⤵PID:1976
-
\??\c:\nthbtn.exec:\nthbtn.exe73⤵PID:3276
-
\??\c:\jvvpj.exec:\jvvpj.exe74⤵PID:4408
-
\??\c:\xlfllrl.exec:\xlfllrl.exe75⤵PID:376
-
\??\c:\xllxrff.exec:\xllxrff.exe76⤵PID:404
-
\??\c:\bnnnnt.exec:\bnnnnt.exe77⤵PID:5020
-
\??\c:\djddd.exec:\djddd.exe78⤵PID:1088
-
\??\c:\btnhnt.exec:\btnhnt.exe79⤵PID:2856
-
\??\c:\jvpjd.exec:\jvpjd.exe80⤵PID:2196
-
\??\c:\lfxxxfl.exec:\lfxxxfl.exe81⤵PID:680
-
\??\c:\hbbtnn.exec:\hbbtnn.exe82⤵PID:3588
-
\??\c:\vjvpp.exec:\vjvpp.exe83⤵PID:2056
-
\??\c:\rxxxrrr.exec:\rxxxrrr.exe84⤵PID:2808
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe85⤵PID:2608
-
\??\c:\hhbtnn.exec:\hhbtnn.exe86⤵PID:556
-
\??\c:\dvddj.exec:\dvddj.exe87⤵PID:4416
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe88⤵PID:3220
-
\??\c:\nnbttt.exec:\nnbttt.exe89⤵PID:3304
-
\??\c:\pdjjd.exec:\pdjjd.exe90⤵PID:3424
-
\??\c:\rrfflfr.exec:\rrfflfr.exe91⤵PID:3468
-
\??\c:\3btnhh.exec:\3btnhh.exe92⤵PID:2264
-
\??\c:\djdvd.exec:\djdvd.exe93⤵PID:3104
-
\??\c:\xrlfffl.exec:\xrlfffl.exe94⤵PID:3616
-
\??\c:\5hhhbh.exec:\5hhhbh.exe95⤵PID:1620
-
\??\c:\dvddd.exec:\dvddd.exe96⤵PID:3452
-
\??\c:\ffxxrxx.exec:\ffxxrxx.exe97⤵PID:1800
-
\??\c:\pdjdv.exec:\pdjdv.exe98⤵PID:2716
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe99⤵
- System Location Discovery: System Language Discovery
PID:3720 -
\??\c:\lrxrlll.exec:\lrxrlll.exe100⤵PID:4396
-
\??\c:\3bbtth.exec:\3bbtth.exe101⤵PID:3440
-
\??\c:\jjjjj.exec:\jjjjj.exe102⤵PID:464
-
\??\c:\fxlffff.exec:\fxlffff.exe103⤵PID:3320
-
\??\c:\nbhhbb.exec:\nbhhbb.exe104⤵PID:4300
-
\??\c:\pjvdd.exec:\pjvdd.exe105⤵PID:1568
-
\??\c:\fxffxrl.exec:\fxffxrl.exe106⤵PID:5068
-
\??\c:\bnnhhn.exec:\bnnhhn.exe107⤵PID:456
-
\??\c:\dppjd.exec:\dppjd.exe108⤵
- System Location Discovery: System Language Discovery
PID:4704 -
\??\c:\3pdjd.exec:\3pdjd.exe109⤵PID:4240
-
\??\c:\hbtnnb.exec:\hbtnnb.exe110⤵PID:2052
-
\??\c:\nhnhhh.exec:\nhnhhh.exe111⤵PID:2172
-
\??\c:\jpvpp.exec:\jpvpp.exe112⤵PID:4024
-
\??\c:\fxlfxxx.exec:\fxlfxxx.exe113⤵PID:3948
-
\??\c:\tbbtnn.exec:\tbbtnn.exe114⤵PID:2284
-
\??\c:\vdjjd.exec:\vdjjd.exe115⤵PID:1860
-
\??\c:\lfxxffl.exec:\lfxxffl.exe116⤵PID:4616
-
\??\c:\nbtnhh.exec:\nbtnhh.exe117⤵PID:4128
-
\??\c:\lfffffl.exec:\lfffffl.exe118⤵PID:3620
-
\??\c:\hbhbbt.exec:\hbhbbt.exe119⤵PID:4252
-
\??\c:\1vpjj.exec:\1vpjj.exe120⤵PID:4312
-
\??\c:\rxxxrrr.exec:\rxxxrrr.exe121⤵PID:4892
-
\??\c:\rxllfrr.exec:\rxllfrr.exe122⤵PID:4732