Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 21:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe
-
Size
452KB
-
MD5
faac8709757582d5afad06134b35e5e0
-
SHA1
2fede6686b9d39a03c4a312bc28ade7c0871f212
-
SHA256
fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944
-
SHA512
d405e0a8c7fffe024a6d2d81bec7764f4aeb91452f71dca5696a149ee8eb6aea6397826c220f58246cdb6d0bbbb9b2210d01b525b47084627057a0e1f444f564
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1656-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2060-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3960-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-1110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-1129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4012-1205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2844 dpppd.exe 2068 ntbhnt.exe 3932 hbbttb.exe 2280 46844.exe 4604 llflflf.exe 4168 8280260.exe 2808 620020.exe 4948 86020.exe 2140 664448.exe 4260 08400.exe 1872 48662.exe 1704 bbhhtb.exe 4252 rrrlxlx.exe 2792 4680402.exe 2504 6000044.exe 2640 hnnhbt.exe 3416 vvdvp.exe 2520 9bnhbt.exe 3900 80648.exe 1132 3rxxrxf.exe 3624 08680.exe 4852 pdvvj.exe 2740 802224.exe 4692 8426066.exe 5116 vjddv.exe 2060 02826.exe 4140 222042.exe 756 bhbbnn.exe 4620 1vjdj.exe 4584 826444.exe 4364 e24026.exe 2692 82822.exe 4400 pvppp.exe 4204 dvvpp.exe 404 nnbtbh.exe 3000 004406.exe 1068 hbhnnb.exe 412 jjjdd.exe 3552 866668.exe 2996 06844.exe 1268 lllxxff.exe 2636 dvddv.exe 4052 dpvpj.exe 4392 pdddj.exe 3084 vvppv.exe 4668 6202020.exe 2440 44822.exe 3732 nbnbtb.exe 4300 jvdvp.exe 3936 nhnnnn.exe 2160 rlrfxlf.exe 4988 bhnbtt.exe 3096 20602.exe 1376 224828.exe 3884 bhhhhh.exe 228 fflfxxx.exe 4736 vvvpj.exe 1816 c204066.exe 2712 84482.exe 3428 hbhhbb.exe 3960 dppdp.exe 5024 22686.exe 1396 ddjpp.exe 4072 9pdpj.exe -
resource yara_rule behavioral2/memory/1656-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2060-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-321-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3104-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-1026-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i264060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k22088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2844 1656 fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe 85 PID 1656 wrote to memory of 2844 1656 fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe 85 PID 1656 wrote to memory of 2844 1656 fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe 85 PID 2844 wrote to memory of 2068 2844 dpppd.exe 86 PID 2844 wrote to memory of 2068 2844 dpppd.exe 86 PID 2844 wrote to memory of 2068 2844 dpppd.exe 86 PID 2068 wrote to memory of 3932 2068 ntbhnt.exe 87 PID 2068 wrote to memory of 3932 2068 ntbhnt.exe 87 PID 2068 wrote to memory of 3932 2068 ntbhnt.exe 87 PID 3932 wrote to memory of 2280 3932 hbbttb.exe 88 PID 3932 wrote to memory of 2280 3932 hbbttb.exe 88 PID 3932 wrote to memory of 2280 3932 hbbttb.exe 88 PID 2280 wrote to memory of 4604 2280 46844.exe 89 PID 2280 wrote to memory of 4604 2280 46844.exe 89 PID 2280 wrote to memory of 4604 2280 46844.exe 89 PID 4604 wrote to memory of 4168 4604 llflflf.exe 90 PID 4604 wrote to memory of 4168 4604 llflflf.exe 90 PID 4604 wrote to memory of 4168 4604 llflflf.exe 90 PID 4168 wrote to memory of 2808 4168 8280260.exe 91 PID 4168 wrote to memory of 2808 4168 8280260.exe 91 PID 4168 wrote to memory of 2808 4168 8280260.exe 91 PID 2808 wrote to memory of 4948 2808 620020.exe 92 PID 2808 wrote to memory of 4948 2808 620020.exe 92 PID 2808 wrote to memory of 4948 2808 620020.exe 92 PID 4948 wrote to memory of 2140 4948 86020.exe 93 PID 4948 wrote to memory of 2140 4948 86020.exe 93 PID 4948 wrote to memory of 2140 4948 86020.exe 93 PID 2140 wrote to memory of 4260 2140 664448.exe 94 PID 2140 wrote to memory of 4260 2140 664448.exe 94 PID 2140 wrote to memory of 4260 2140 664448.exe 94 PID 4260 wrote to memory of 1872 4260 08400.exe 95 PID 4260 wrote to memory of 1872 4260 08400.exe 95 PID 4260 wrote to memory of 1872 4260 08400.exe 95 PID 1872 wrote to memory of 1704 1872 48662.exe 96 PID 1872 wrote to 
memory of 1704 1872 48662.exe 96 PID 1872 wrote to memory of 1704 1872 48662.exe 96 PID 1704 wrote to memory of 4252 1704 bbhhtb.exe 97 PID 1704 wrote to memory of 4252 1704 bbhhtb.exe 97 PID 1704 wrote to memory of 4252 1704 bbhhtb.exe 97 PID 4252 wrote to memory of 2792 4252 rrrlxlx.exe 98 PID 4252 wrote to memory of 2792 4252 rrrlxlx.exe 98 PID 4252 wrote to memory of 2792 4252 rrrlxlx.exe 98 PID 2792 wrote to memory of 2504 2792 4680402.exe 99 PID 2792 wrote to memory of 2504 2792 4680402.exe 99 PID 2792 wrote to memory of 2504 2792 4680402.exe 99 PID 2504 wrote to memory of 2640 2504 6000044.exe 100 PID 2504 wrote to memory of 2640 2504 6000044.exe 100 PID 2504 wrote to memory of 2640 2504 6000044.exe 100 PID 2640 wrote to memory of 3416 2640 hnnhbt.exe 101 PID 2640 wrote to memory of 3416 2640 hnnhbt.exe 101 PID 2640 wrote to memory of 3416 2640 hnnhbt.exe 101 PID 3416 wrote to memory of 2520 3416 vvdvp.exe 102 PID 3416 wrote to memory of 2520 3416 vvdvp.exe 102 PID 3416 wrote to memory of 2520 3416 vvdvp.exe 102 PID 2520 wrote to memory of 3900 2520 9bnhbt.exe 103 PID 2520 wrote to memory of 3900 2520 9bnhbt.exe 103 PID 2520 wrote to memory of 3900 2520 9bnhbt.exe 103 PID 3900 wrote to memory of 1132 3900 80648.exe 104 PID 3900 wrote to memory of 1132 3900 80648.exe 104 PID 3900 wrote to memory of 1132 3900 80648.exe 104 PID 1132 wrote to memory of 3624 1132 3rxxrxf.exe 105 PID 1132 wrote to memory of 3624 1132 3rxxrxf.exe 105 PID 1132 wrote to memory of 3624 1132 3rxxrxf.exe 105 PID 3624 wrote to memory of 4852 3624 08680.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe"C:\Users\Admin\AppData\Local\Temp\fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\dpppd.exec:\dpppd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\ntbhnt.exec:\ntbhnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\hbbttb.exec:\hbbttb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\46844.exec:\46844.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\llflflf.exec:\llflflf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\8280260.exec:\8280260.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\620020.exec:\620020.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\86020.exec:\86020.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\664448.exec:\664448.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\08400.exec:\08400.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\48662.exec:\48662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\bbhhtb.exec:\bbhhtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\rrrlxlx.exec:\rrrlxlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\4680402.exec:\4680402.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\6000044.exec:\6000044.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\hnnhbt.exec:\hnnhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\vvdvp.exec:\vvdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\9bnhbt.exec:\9bnhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\80648.exec:\80648.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\3rxxrxf.exec:\3rxxrxf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\08680.exec:\08680.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\pdvvj.exec:\pdvvj.exe23⤵
- Executes dropped EXE
PID:4852 -
\??\c:\802224.exec:\802224.exe24⤵
- Executes dropped EXE
PID:2740 -
\??\c:\8426066.exec:\8426066.exe25⤵
- Executes dropped EXE
PID:4692 -
\??\c:\vjddv.exec:\vjddv.exe26⤵
- Executes dropped EXE
PID:5116 -
\??\c:\02826.exec:\02826.exe27⤵
- Executes dropped EXE
PID:2060 -
\??\c:\222042.exec:\222042.exe28⤵
- Executes dropped EXE
PID:4140 -
\??\c:\bhbbnn.exec:\bhbbnn.exe29⤵
- Executes dropped EXE
PID:756 -
\??\c:\1vjdj.exec:\1vjdj.exe30⤵
- Executes dropped EXE
PID:4620 -
\??\c:\826444.exec:\826444.exe31⤵
- Executes dropped EXE
PID:4584 -
\??\c:\e24026.exec:\e24026.exe32⤵
- Executes dropped EXE
PID:4364 -
\??\c:\82822.exec:\82822.exe33⤵
- Executes dropped EXE
PID:2692 -
\??\c:\pvppp.exec:\pvppp.exe34⤵
- Executes dropped EXE
PID:4400 -
\??\c:\dvvpp.exec:\dvvpp.exe35⤵
- Executes dropped EXE
PID:4204 -
\??\c:\nnbtbh.exec:\nnbtbh.exe36⤵
- Executes dropped EXE
PID:404 -
\??\c:\004406.exec:\004406.exe37⤵
- Executes dropped EXE
PID:3000 -
\??\c:\hbhnnb.exec:\hbhnnb.exe38⤵
- Executes dropped EXE
PID:1068 -
\??\c:\jjjdd.exec:\jjjdd.exe39⤵
- Executes dropped EXE
PID:412 -
\??\c:\866668.exec:\866668.exe40⤵
- Executes dropped EXE
PID:3552 -
\??\c:\06844.exec:\06844.exe41⤵
- Executes dropped EXE
PID:2996 -
\??\c:\lllxxff.exec:\lllxxff.exe42⤵
- Executes dropped EXE
PID:1268 -
\??\c:\dvddv.exec:\dvddv.exe43⤵
- Executes dropped EXE
PID:2636 -
\??\c:\dpvpj.exec:\dpvpj.exe44⤵
- Executes dropped EXE
PID:4052 -
\??\c:\pdddj.exec:\pdddj.exe45⤵
- Executes dropped EXE
PID:4392 -
\??\c:\vvppv.exec:\vvppv.exe46⤵
- Executes dropped EXE
PID:3084 -
\??\c:\6202020.exec:\6202020.exe47⤵
- Executes dropped EXE
PID:4668 -
\??\c:\44822.exec:\44822.exe48⤵
- Executes dropped EXE
PID:2440 -
\??\c:\nbnbtb.exec:\nbnbtb.exe49⤵
- Executes dropped EXE
PID:3732 -
\??\c:\jvdvp.exec:\jvdvp.exe50⤵
- Executes dropped EXE
PID:4300 -
\??\c:\nhnnnn.exec:\nhnnnn.exe51⤵
- Executes dropped EXE
PID:3936 -
\??\c:\rlrfxlf.exec:\rlrfxlf.exe52⤵
- Executes dropped EXE
PID:2160 -
\??\c:\bhnbtt.exec:\bhnbtt.exe53⤵
- Executes dropped EXE
PID:4988 -
\??\c:\20602.exec:\20602.exe54⤵
- Executes dropped EXE
PID:3096 -
\??\c:\224828.exec:\224828.exe55⤵
- Executes dropped EXE
PID:1376 -
\??\c:\bhhhhh.exec:\bhhhhh.exe56⤵
- Executes dropped EXE
PID:3884 -
\??\c:\fflfxxx.exec:\fflfxxx.exe57⤵
- Executes dropped EXE
PID:228 -
\??\c:\vvvpj.exec:\vvvpj.exe58⤵
- Executes dropped EXE
PID:4736 -
\??\c:\c204066.exec:\c204066.exe59⤵
- Executes dropped EXE
PID:1816 -
\??\c:\84482.exec:\84482.exe60⤵
- Executes dropped EXE
PID:2712 -
\??\c:\hbhhbb.exec:\hbhhbb.exe61⤵
- Executes dropped EXE
PID:3428 -
\??\c:\dppdp.exec:\dppdp.exe62⤵
- Executes dropped EXE
PID:3960 -
\??\c:\22686.exec:\22686.exe63⤵
- Executes dropped EXE
PID:5024 -
\??\c:\ddjpp.exec:\ddjpp.exe64⤵
- Executes dropped EXE
PID:1396 -
\??\c:\9pdpj.exec:\9pdpj.exe65⤵
- Executes dropped EXE
PID:4072 -
\??\c:\1jjpv.exec:\1jjpv.exe66⤵PID:3144
-
\??\c:\e68884.exec:\e68884.exe67⤵PID:4252
-
\??\c:\4288440.exec:\4288440.exe68⤵PID:2424
-
\??\c:\vvddv.exec:\vvddv.exe69⤵PID:1748
-
\??\c:\bbhtnn.exec:\bbhtnn.exe70⤵PID:1708
-
\??\c:\ntnbht.exec:\ntnbht.exe71⤵PID:3156
-
\??\c:\0640284.exec:\0640284.exe72⤵PID:2236
-
\??\c:\djjdv.exec:\djjdv.exe73⤵PID:1740
-
\??\c:\64222.exec:\64222.exe74⤵PID:2172
-
\??\c:\pvjjd.exec:\pvjjd.exe75⤵PID:4224
-
\??\c:\0268608.exec:\0268608.exe76⤵PID:816
-
\??\c:\0820820.exec:\0820820.exe77⤵PID:1280
-
\??\c:\6066488.exec:\6066488.exe78⤵PID:3104
-
\??\c:\2264204.exec:\2264204.exe79⤵PID:3624
-
\??\c:\682206.exec:\682206.exe80⤵PID:4980
-
\??\c:\frrxflr.exec:\frrxflr.exe81⤵PID:1508
-
\??\c:\bbhhbb.exec:\bbhhbb.exe82⤵
- System Location Discovery: System Language Discovery
PID:4664 -
\??\c:\thnbbn.exec:\thnbbn.exe83⤵PID:1620
-
\??\c:\842262.exec:\842262.exe84⤵PID:3120
-
\??\c:\nnhbbb.exec:\nnhbbb.exe85⤵PID:4140
-
\??\c:\e44286.exec:\e44286.exe86⤵PID:4276
-
\??\c:\1nnhbh.exec:\1nnhbh.exe87⤵PID:944
-
\??\c:\864884.exec:\864884.exe88⤵PID:2132
-
\??\c:\pppvv.exec:\pppvv.exe89⤵PID:4048
-
\??\c:\thntnn.exec:\thntnn.exe90⤵PID:1424
-
\??\c:\60628.exec:\60628.exe91⤵PID:3256
-
\??\c:\bbbbht.exec:\bbbbht.exe92⤵PID:2652
-
\??\c:\4262642.exec:\4262642.exe93⤵PID:628
-
\??\c:\s8440.exec:\s8440.exe94⤵PID:4856
-
\??\c:\e60646.exec:\e60646.exe95⤵PID:1200
-
\??\c:\o022222.exec:\o022222.exe96⤵PID:1876
-
\??\c:\9rxxrxx.exec:\9rxxrxx.exe97⤵PID:2716
-
\??\c:\644488.exec:\644488.exe98⤵PID:1364
-
\??\c:\lflxxxr.exec:\lflxxxr.exe99⤵PID:4484
-
\??\c:\ffxrllf.exec:\ffxrllf.exe100⤵PID:3300
-
\??\c:\24000.exec:\24000.exe101⤵PID:1460
-
\??\c:\1xfrllr.exec:\1xfrllr.exe102⤵PID:2636
-
\??\c:\ttnnhb.exec:\ttnnhb.exe103⤵PID:972
-
\??\c:\bbtntt.exec:\bbtntt.exe104⤵PID:60
-
\??\c:\608222.exec:\608222.exe105⤵PID:3600
-
\??\c:\jjdjp.exec:\jjdjp.exe106⤵PID:5052
-
\??\c:\djpvv.exec:\djpvv.exe107⤵PID:3732
-
\??\c:\tnbbbb.exec:\tnbbbb.exe108⤵PID:3936
-
\??\c:\dpvvv.exec:\dpvvv.exe109⤵PID:4944
-
\??\c:\668484.exec:\668484.exe110⤵PID:3096
-
\??\c:\m2628.exec:\m2628.exe111⤵PID:2284
-
\??\c:\2224440.exec:\2224440.exe112⤵PID:5004
-
\??\c:\3xffflf.exec:\3xffflf.exe113⤵PID:4968
-
\??\c:\xlllrrl.exec:\xlllrrl.exe114⤵PID:1632
-
\??\c:\btbbbb.exec:\btbbbb.exe115⤵PID:4092
-
\??\c:\pjppp.exec:\pjppp.exe116⤵PID:3036
-
\??\c:\jddvj.exec:\jddvj.exe117⤵PID:2312
-
\??\c:\42862.exec:\42862.exe118⤵PID:2012
-
\??\c:\tnbthh.exec:\tnbthh.exe119⤵PID:844
-
\??\c:\084804.exec:\084804.exe120⤵PID:1388
-
\??\c:\8406022.exec:\8406022.exe121⤵PID:4520
-
\??\c:\0244826.exec:\0244826.exe122⤵PID:1704