Analysis
-
max time kernel
120s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 20:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe
-
Size
454KB
-
MD5
28fd9cab2ad43b3b36292ca16fe31c30
-
SHA1
95dcdfe85964a971d2ada07c5e28bc51c7693880
-
SHA256
9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6
-
SHA512
a5e128521ec0735ba1640969e7977ab3330d97109acebee4d86cf40922f8ac3cc28dccf36e97d4db536247e5fa45e87c8193a5d51720e14ea81fc8956cfeee97
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1428-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4072-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3096-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-1241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-1520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4612-1613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 432 hnhbtb.exe 2288 frrlxfx.exe 3100 hbhbtn.exe 924 bbttnt.exe 1488 lflffrr.exe 1756 pdppd.exe 4976 7rffxfx.exe 4004 5vvvp.exe 1320 jddvp.exe 1036 bntttb.exe 1308 fffxfxl.exe 4572 1hbtnt.exe 1384 bbbthh.exe 4436 rffrrlf.exe 4148 1btnhh.exe 440 btnnnn.exe 2180 dpppv.exe 3932 1jdvp.exe 704 rfxrlxx.exe 920 vpjvp.exe 3852 frxlfxr.exe 3640 xrllffx.exe 2796 tnbhtt.exe 4072 fxrllxr.exe 1616 dvdpj.exe 2700 ntnhtt.exe 1652 pppdp.exe 4432 fxfxrrl.exe 4000 7bnhth.exe 3296 xfxrfrf.exe 2184 vpjdv.exe 3736 9lfrlfx.exe 4268 ddjvp.exe 2300 fxlflll.exe 4452 thnbtn.exe 2268 ppppp.exe 112 frrlrrl.exe 3688 btbtnn.exe 4816 7vdpv.exe 4312 xfrlxlf.exe 720 hhtbbh.exe 1132 vpvvp.exe 2392 5lfrfxl.exe 1248 tnhbbb.exe 2492 thhbtn.exe 4048 9lfrllf.exe 452 llrlffx.exe 3300 nhnbtn.exe 1156 jvdpd.exe 980 rllxlfr.exe 4384 lfrlfxl.exe 5048 nnhbtn.exe 1592 9dpdp.exe 2064 rxfxlll.exe 844 tbtttt.exe 4872 vvpjv.exe 1068 dvvjv.exe 3940 fxfxxrr.exe 3096 htthnt.exe 4484 1vpjd.exe 4436 nbhbnn.exe 2692 vvvpj.exe 4728 3xxrllf.exe 1224 9hhthb.exe -
resource yara_rule behavioral2/memory/1428-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1652-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2960-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-795-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbbh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1428 wrote to memory of 432 1428 9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe 83 PID 1428 wrote to memory of 432 1428 9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe 83 PID 1428 wrote to memory of 432 1428 9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe 83 PID 432 wrote to memory of 2288 432 hnhbtb.exe 84 PID 432 wrote to memory of 2288 432 hnhbtb.exe 84 PID 432 wrote to memory of 2288 432 hnhbtb.exe 84 PID 2288 wrote to memory of 3100 2288 frrlxfx.exe 85 PID 2288 wrote to memory of 3100 2288 frrlxfx.exe 85 PID 2288 wrote to memory of 3100 2288 frrlxfx.exe 85 PID 3100 wrote to memory of 924 3100 hbhbtn.exe 86 PID 3100 wrote to memory of 924 3100 hbhbtn.exe 86 PID 3100 wrote to memory of 924 3100 hbhbtn.exe 86 PID 924 wrote to memory of 1488 924 bbttnt.exe 87 PID 924 wrote to memory of 1488 924 bbttnt.exe 87 PID 924 wrote to memory of 1488 924 bbttnt.exe 87 PID 1488 wrote to memory of 1756 1488 lflffrr.exe 88 PID 1488 wrote to memory of 1756 1488 lflffrr.exe 88 PID 1488 wrote to memory of 1756 1488 lflffrr.exe 88 PID 1756 wrote to memory of 4976 1756 pdppd.exe 89 PID 1756 wrote to memory of 4976 1756 pdppd.exe 89 PID 1756 wrote to memory of 4976 1756 pdppd.exe 89 PID 4976 wrote to memory of 4004 4976 7rffxfx.exe 90 PID 4976 wrote to memory of 4004 4976 7rffxfx.exe 90 PID 4976 wrote to memory of 4004 4976 7rffxfx.exe 90 PID 4004 wrote to memory of 1320 4004 5vvvp.exe 91 PID 4004 wrote to memory of 1320 4004 5vvvp.exe 91 PID 4004 wrote to memory of 1320 4004 5vvvp.exe 91 PID 1320 wrote to memory of 1036 1320 jddvp.exe 92 PID 1320 wrote to memory of 1036 1320 jddvp.exe 92 PID 1320 wrote to memory of 1036 1320 jddvp.exe 92 PID 1036 wrote to memory of 1308 1036 bntttb.exe 93 PID 1036 wrote to memory of 1308 1036 bntttb.exe 93 PID 1036 wrote to memory of 1308 1036 bntttb.exe 93 PID 1308 wrote to memory of 4572 1308 fffxfxl.exe 94 PID 1308 wrote to memory of 4572 
1308 fffxfxl.exe 94 PID 1308 wrote to memory of 4572 1308 fffxfxl.exe 94 PID 4572 wrote to memory of 1384 4572 1hbtnt.exe 95 PID 4572 wrote to memory of 1384 4572 1hbtnt.exe 95 PID 4572 wrote to memory of 1384 4572 1hbtnt.exe 95 PID 1384 wrote to memory of 4436 1384 bbbthh.exe 96 PID 1384 wrote to memory of 4436 1384 bbbthh.exe 96 PID 1384 wrote to memory of 4436 1384 bbbthh.exe 96 PID 4436 wrote to memory of 4148 4436 rffrrlf.exe 97 PID 4436 wrote to memory of 4148 4436 rffrrlf.exe 97 PID 4436 wrote to memory of 4148 4436 rffrrlf.exe 97 PID 4148 wrote to memory of 440 4148 1btnhh.exe 98 PID 4148 wrote to memory of 440 4148 1btnhh.exe 98 PID 4148 wrote to memory of 440 4148 1btnhh.exe 98 PID 440 wrote to memory of 2180 440 btnnnn.exe 99 PID 440 wrote to memory of 2180 440 btnnnn.exe 99 PID 440 wrote to memory of 2180 440 btnnnn.exe 99 PID 2180 wrote to memory of 3932 2180 dpppv.exe 100 PID 2180 wrote to memory of 3932 2180 dpppv.exe 100 PID 2180 wrote to memory of 3932 2180 dpppv.exe 100 PID 3932 wrote to memory of 704 3932 1jdvp.exe 101 PID 3932 wrote to memory of 704 3932 1jdvp.exe 101 PID 3932 wrote to memory of 704 3932 1jdvp.exe 101 PID 704 wrote to memory of 920 704 rfxrlxx.exe 102 PID 704 wrote to memory of 920 704 rfxrlxx.exe 102 PID 704 wrote to memory of 920 704 rfxrlxx.exe 102 PID 920 wrote to memory of 3852 920 vpjvp.exe 103 PID 920 wrote to memory of 3852 920 vpjvp.exe 103 PID 920 wrote to memory of 3852 920 vpjvp.exe 103 PID 3852 wrote to memory of 3640 3852 frxlfxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe"C:\Users\Admin\AppData\Local\Temp\9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\hnhbtb.exec:\hnhbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\frrlxfx.exec:\frrlxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\hbhbtn.exec:\hbhbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\bbttnt.exec:\bbttnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\lflffrr.exec:\lflffrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\pdppd.exec:\pdppd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\7rffxfx.exec:\7rffxfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\5vvvp.exec:\5vvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\jddvp.exec:\jddvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\bntttb.exec:\bntttb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\fffxfxl.exec:\fffxfxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\1hbtnt.exec:\1hbtnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\bbbthh.exec:\bbbthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\rffrrlf.exec:\rffrrlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\1btnhh.exec:\1btnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\btnnnn.exec:\btnnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\dpppv.exec:\dpppv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\1jdvp.exec:\1jdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\rfxrlxx.exec:\rfxrlxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\vpjvp.exec:\vpjvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\frxlfxr.exec:\frxlfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\xrllffx.exec:\xrllffx.exe23⤵
- Executes dropped EXE
PID:3640 -
\??\c:\tnbhtt.exec:\tnbhtt.exe24⤵
- Executes dropped EXE
PID:2796 -
\??\c:\fxrllxr.exec:\fxrllxr.exe25⤵
- Executes dropped EXE
PID:4072 -
\??\c:\dvdpj.exec:\dvdpj.exe26⤵
- Executes dropped EXE
PID:1616 -
\??\c:\ntnhtt.exec:\ntnhtt.exe27⤵
- Executes dropped EXE
PID:2700 -
\??\c:\pppdp.exec:\pppdp.exe28⤵
- Executes dropped EXE
PID:1652 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe29⤵
- Executes dropped EXE
PID:4432 -
\??\c:\7bnhth.exec:\7bnhth.exe30⤵
- Executes dropped EXE
PID:4000 -
\??\c:\xfxrfrf.exec:\xfxrfrf.exe31⤵
- Executes dropped EXE
PID:3296 -
\??\c:\vpjdv.exec:\vpjdv.exe32⤵
- Executes dropped EXE
PID:2184 -
\??\c:\9lfrlfx.exec:\9lfrlfx.exe33⤵
- Executes dropped EXE
PID:3736 -
\??\c:\ddjvp.exec:\ddjvp.exe34⤵
- Executes dropped EXE
PID:4268 -
\??\c:\fxlflll.exec:\fxlflll.exe35⤵
- Executes dropped EXE
PID:2300 -
\??\c:\thnbtn.exec:\thnbtn.exe36⤵
- Executes dropped EXE
PID:4452 -
\??\c:\ppppp.exec:\ppppp.exe37⤵
- Executes dropped EXE
PID:2268 -
\??\c:\frrlrrl.exec:\frrlrrl.exe38⤵
- Executes dropped EXE
PID:112 -
\??\c:\btbtnn.exec:\btbtnn.exe39⤵
- Executes dropped EXE
PID:3688 -
\??\c:\7vdpv.exec:\7vdpv.exe40⤵
- Executes dropped EXE
PID:4816 -
\??\c:\xfrlxlf.exec:\xfrlxlf.exe41⤵
- Executes dropped EXE
PID:4312 -
\??\c:\hhtbbh.exec:\hhtbbh.exe42⤵
- Executes dropped EXE
PID:720 -
\??\c:\vpvvp.exec:\vpvvp.exe43⤵
- Executes dropped EXE
PID:1132 -
\??\c:\5lfrfxl.exec:\5lfrfxl.exe44⤵
- Executes dropped EXE
PID:2392 -
\??\c:\tnhbbb.exec:\tnhbbb.exe45⤵
- Executes dropped EXE
PID:1248 -
\??\c:\thhbtn.exec:\thhbtn.exe46⤵
- Executes dropped EXE
PID:2492 -
\??\c:\9lfrllf.exec:\9lfrllf.exe47⤵
- Executes dropped EXE
PID:4048 -
\??\c:\llrlffx.exec:\llrlffx.exe48⤵
- Executes dropped EXE
PID:452 -
\??\c:\nhnbtn.exec:\nhnbtn.exe49⤵
- Executes dropped EXE
PID:3300 -
\??\c:\jvdpd.exec:\jvdpd.exe50⤵
- Executes dropped EXE
PID:1156 -
\??\c:\rllxlfr.exec:\rllxlfr.exe51⤵
- Executes dropped EXE
PID:980 -
\??\c:\lfrlfxl.exec:\lfrlfxl.exe52⤵
- Executes dropped EXE
PID:4384 -
\??\c:\nnhbtn.exec:\nnhbtn.exe53⤵
- Executes dropped EXE
PID:5048 -
\??\c:\9dpdp.exec:\9dpdp.exe54⤵
- Executes dropped EXE
PID:1592 -
\??\c:\rxfxlll.exec:\rxfxlll.exe55⤵
- Executes dropped EXE
PID:2064 -
\??\c:\tbtttt.exec:\tbtttt.exe56⤵
- Executes dropped EXE
PID:844 -
\??\c:\vvpjv.exec:\vvpjv.exe57⤵
- Executes dropped EXE
PID:4872 -
\??\c:\dvvjv.exec:\dvvjv.exe58⤵
- Executes dropped EXE
PID:1068 -
\??\c:\fxfxxrr.exec:\fxfxxrr.exe59⤵
- Executes dropped EXE
PID:3940 -
\??\c:\htthnt.exec:\htthnt.exe60⤵
- Executes dropped EXE
PID:3096 -
\??\c:\1vpjd.exec:\1vpjd.exe61⤵
- Executes dropped EXE
PID:4484 -
\??\c:\nbhbnn.exec:\nbhbnn.exe62⤵
- Executes dropped EXE
PID:4436 -
\??\c:\vvvpj.exec:\vvvpj.exe63⤵
- Executes dropped EXE
PID:2692 -
\??\c:\3xxrllf.exec:\3xxrllf.exe64⤵
- Executes dropped EXE
PID:4728 -
\??\c:\9hhthb.exec:\9hhthb.exe65⤵
- Executes dropped EXE
PID:1224 -
\??\c:\bnnhtn.exec:\bnnhtn.exe66⤵PID:1388
-
\??\c:\pvdvv.exec:\pvdvv.exe67⤵PID:2192
-
\??\c:\lfxrrxr.exec:\lfxrrxr.exe68⤵PID:2696
-
\??\c:\5bhbtb.exec:\5bhbtb.exe69⤵PID:4960
-
\??\c:\5vdpd.exec:\5vdpd.exe70⤵PID:1504
-
\??\c:\rfxlxlx.exec:\rfxlxlx.exe71⤵PID:2588
-
\??\c:\frrlfxf.exec:\frrlfxf.exe72⤵PID:396
-
\??\c:\dppjj.exec:\dppjj.exe73⤵PID:2524
-
\??\c:\llfrlff.exec:\llfrlff.exe74⤵PID:4800
-
\??\c:\tthhnt.exec:\tthhnt.exe75⤵PID:2796
-
\??\c:\pjjdd.exec:\pjjdd.exe76⤵PID:1552
-
\??\c:\pjjvp.exec:\pjjvp.exe77⤵PID:3064
-
\??\c:\xrlrrrf.exec:\xrlrrrf.exe78⤵PID:4040
-
\??\c:\bntnnn.exec:\bntnnn.exe79⤵PID:1844
-
\??\c:\9jjpj.exec:\9jjpj.exe80⤵PID:2960
-
\??\c:\pdjdd.exec:\pdjdd.exe81⤵PID:1904
-
\??\c:\xrfxlll.exec:\xrfxlll.exe82⤵PID:3944
-
\??\c:\thhbtn.exec:\thhbtn.exe83⤵PID:4600
-
\??\c:\bnttnt.exec:\bnttnt.exe84⤵PID:536
-
\??\c:\dpdvp.exec:\dpdvp.exe85⤵PID:3748
-
\??\c:\lxlffff.exec:\lxlffff.exe86⤵PID:3472
-
\??\c:\tntnnn.exec:\tntnnn.exe87⤵PID:1708
-
\??\c:\dpvpd.exec:\dpvpd.exe88⤵PID:3632
-
\??\c:\rffrxrl.exec:\rffrxrl.exe89⤵PID:652
-
\??\c:\3ttnhb.exec:\3ttnhb.exe90⤵PID:2336
-
\??\c:\jjvvv.exec:\jjvvv.exe91⤵PID:4924
-
\??\c:\lxlfrfx.exec:\lxlfrfx.exe92⤵PID:112
-
\??\c:\bttttb.exec:\bttttb.exe93⤵PID:2320
-
\??\c:\hhhhbh.exec:\hhhhbh.exe94⤵PID:4816
-
\??\c:\pdpjv.exec:\pdpjv.exe95⤵PID:3644
-
\??\c:\fxxfrrl.exec:\fxxfrrl.exe96⤵PID:4544
-
\??\c:\flxlllx.exec:\flxlllx.exe97⤵PID:432
-
\??\c:\5hnnhn.exec:\5hnnhn.exe98⤵PID:4388
-
\??\c:\3dpdp.exec:\3dpdp.exe99⤵PID:4348
-
\??\c:\lxfrffx.exec:\lxfrffx.exe100⤵PID:4796
-
\??\c:\lrfrrlr.exec:\lrfrrlr.exe101⤵PID:3292
-
\??\c:\btnhtn.exec:\btnhtn.exe102⤵PID:3260
-
\??\c:\jddpd.exec:\jddpd.exe103⤵PID:1056
-
\??\c:\7ddvd.exec:\7ddvd.exe104⤵PID:2252
-
\??\c:\llllxxx.exec:\llllxxx.exe105⤵
- System Location Discovery: System Language Discovery
PID:4792 -
\??\c:\ntbthh.exec:\ntbthh.exe106⤵PID:4548
-
\??\c:\jdpjv.exec:\jdpjv.exe107⤵PID:980
-
\??\c:\fflfrrx.exec:\fflfrrx.exe108⤵PID:1148
-
\??\c:\hbhbtb.exec:\hbhbtb.exe109⤵PID:4852
-
\??\c:\vvvdp.exec:\vvvdp.exe110⤵PID:4004
-
\??\c:\9jvjd.exec:\9jvjd.exe111⤵PID:2472
-
\??\c:\fllxrlf.exec:\fllxrlf.exe112⤵PID:3496
-
\??\c:\rrrrllf.exec:\rrrrllf.exe113⤵PID:844
-
\??\c:\tnhbbb.exec:\tnhbbb.exe114⤵PID:3500
-
\??\c:\1pdvp.exec:\1pdvp.exe115⤵PID:2840
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe116⤵PID:1784
-
\??\c:\tntnhh.exec:\tntnhh.exe117⤵PID:4764
-
\??\c:\5jvpp.exec:\5jvpp.exe118⤵PID:4244
-
\??\c:\9jppj.exec:\9jppj.exe119⤵PID:3520
-
\??\c:\rxxfllr.exec:\rxxfllr.exe120⤵PID:2712
-
\??\c:\hhnnhh.exec:\hhnnhh.exe121⤵PID:4848
-
\??\c:\jvvvp.exec:\jvvvp.exe122⤵PID:4152