Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 22:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b98ab1d4238c550c514e0def72b1e6369d50e50fe1409a0a3426424251070d98N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b98ab1d4238c550c514e0def72b1e6369d50e50fe1409a0a3426424251070d98N.exe
-
Size
454KB
-
MD5
97fe22811e61d158a12dbde8d518e4e0
-
SHA1
86234426778fc04d0f99f27676022699c3fbae63
-
SHA256
b98ab1d4238c550c514e0def72b1e6369d50e50fe1409a0a3426424251070d98
-
SHA512
50b6c2cfa4d988ca838a7895486d692e11aea47643bffc71747605b7481fe49755866448fdc20dbaa09ae278f3567009680eae32440f7c84013fe966943e0b62
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3544-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2360-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3988-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-1133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3704 nbnhtn.exe 1516 1pvjd.exe 664 xlxrfrf.exe 3752 3htbnt.exe 4192 9bnhtn.exe 3596 rlfrfxr.exe 3508 xffrfff.exe 3764 pdvjj.exe 3256 lxfllxl.exe 1444 ntnbnh.exe 2348 bthtnh.exe 532 vvdvj.exe 3228 lllflfx.exe 3780 7jvpd.exe 1616 frxflxx.exe 4544 hhhhnb.exe 1760 3vvjj.exe 4200 pvvjv.exe 1540 5ththb.exe 4472 5dpjv.exe 3304 lrxfxrf.exe 4512 hnbbnh.exe 1912 hbthbn.exe 4476 nhthnh.exe 4208 lxxrlfr.exe 4460 jvpdv.exe 1680 9xllrlx.exe 4656 3hthbt.exe 2360 lxxlrlx.exe 2372 1hhbbt.exe 5040 vppjd.exe 2936 xfxxxrr.exe 2244 jppdv.exe 1304 1jvpd.exe 1624 fffrxrl.exe 1592 bhnhbt.exe 3668 nbbbhb.exe 4540 vjvjp.exe 4912 3fxlrlx.exe 4664 bnnbnh.exe 2424 9jdpd.exe 776 lrxxllf.exe 112 lxrlxxr.exe 2056 bhnhbb.exe 4584 tnnbnh.exe 1504 vdvjv.exe 4800 lxxlxrf.exe 4964 xffxrlx.exe 3492 nhbthb.exe 2324 1djdd.exe 4396 lllfrrf.exe 1868 hbthtn.exe 1360 nbbtnh.exe 2060 9djdj.exe 3708 rffxrrl.exe 668 3bbtnh.exe 2364 7jdvp.exe 4560 9rlrllf.exe 1460 tnnnhn.exe 956 thnbhb.exe 3744 dppjd.exe 624 rllfrrl.exe 5088 thbnht.exe 2044 hntnbt.exe -
resource yara_rule behavioral2/memory/3544-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-184-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2936-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/652-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-831-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xlfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrlx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3544 wrote to memory of 3704 3544 b98ab1d4238c550c514e0def72b1e6369d50e50fe1409a0a3426424251070d98N.exe 82 PID 3544 wrote to memory of 3704 3544 b98ab1d4238c550c514e0def72b1e6369d50e50fe1409a0a3426424251070d98N.exe 82 PID 3544 wrote to memory of 3704 3544 b98ab1d4238c550c514e0def72b1e6369d50e50fe1409a0a3426424251070d98N.exe 82 PID 3704 wrote to memory of 1516 3704 nbnhtn.exe 83 PID 3704 wrote to memory of 1516 3704 nbnhtn.exe 83 PID 3704 wrote to memory of 1516 3704 nbnhtn.exe 83 PID 1516 wrote to memory of 664 1516 1pvjd.exe 84 PID 1516 wrote to memory of 664 1516 1pvjd.exe 84 PID 1516 wrote to memory of 664 1516 1pvjd.exe 84 PID 664 wrote to memory of 3752 664 xlxrfrf.exe 85 PID 664 wrote to memory of 3752 664 xlxrfrf.exe 85 PID 664 wrote to memory of 3752 664 xlxrfrf.exe 85 PID 3752 wrote to memory of 4192 3752 3htbnt.exe 86 PID 3752 wrote to memory of 4192 3752 3htbnt.exe 86 PID 3752 wrote to memory of 4192 3752 3htbnt.exe 86 PID 4192 wrote to memory of 3596 4192 9bnhtn.exe 87 PID 4192 wrote to memory of 3596 4192 9bnhtn.exe 87 PID 4192 wrote to memory of 3596 4192 9bnhtn.exe 87 PID 3596 wrote to memory of 3508 3596 rlfrfxr.exe 88 PID 3596 wrote to memory of 3508 3596 rlfrfxr.exe 88 PID 3596 wrote to memory of 3508 3596 rlfrfxr.exe 88 PID 3508 wrote to memory of 3764 3508 xffrfff.exe 89 PID 3508 wrote to memory of 3764 3508 xffrfff.exe 89 PID 3508 wrote to memory of 3764 3508 xffrfff.exe 89 PID 3764 wrote to memory of 3256 3764 pdvjj.exe 90 PID 3764 wrote to memory of 3256 3764 pdvjj.exe 90 PID 3764 wrote to memory of 3256 3764 pdvjj.exe 90 PID 3256 wrote to memory of 1444 3256 lxfllxl.exe 91 PID 3256 wrote to memory of 1444 3256 lxfllxl.exe 91 PID 3256 wrote to memory of 1444 3256 lxfllxl.exe 91 PID 1444 wrote to memory of 2348 1444 ntnbnh.exe 92 PID 1444 wrote to memory of 2348 1444 ntnbnh.exe 92 PID 1444 wrote to memory of 2348 1444 ntnbnh.exe 92 PID 2348 wrote to memory of 532 2348 bthtnh.exe 93 PID 2348 wrote to 
memory of 532 2348 bthtnh.exe 93 PID 2348 wrote to memory of 532 2348 bthtnh.exe 93 PID 532 wrote to memory of 3228 532 vvdvj.exe 94 PID 532 wrote to memory of 3228 532 vvdvj.exe 94 PID 532 wrote to memory of 3228 532 vvdvj.exe 94 PID 3228 wrote to memory of 3780 3228 lllflfx.exe 95 PID 3228 wrote to memory of 3780 3228 lllflfx.exe 95 PID 3228 wrote to memory of 3780 3228 lllflfx.exe 95 PID 3780 wrote to memory of 1616 3780 7jvpd.exe 96 PID 3780 wrote to memory of 1616 3780 7jvpd.exe 96 PID 3780 wrote to memory of 1616 3780 7jvpd.exe 96 PID 1616 wrote to memory of 4544 1616 frxflxx.exe 97 PID 1616 wrote to memory of 4544 1616 frxflxx.exe 97 PID 1616 wrote to memory of 4544 1616 frxflxx.exe 97 PID 4544 wrote to memory of 1760 4544 hhhhnb.exe 98 PID 4544 wrote to memory of 1760 4544 hhhhnb.exe 98 PID 4544 wrote to memory of 1760 4544 hhhhnb.exe 98 PID 1760 wrote to memory of 4200 1760 3vvjj.exe 99 PID 1760 wrote to memory of 4200 1760 3vvjj.exe 99 PID 1760 wrote to memory of 4200 1760 3vvjj.exe 99 PID 4200 wrote to memory of 1540 4200 pvvjv.exe 100 PID 4200 wrote to memory of 1540 4200 pvvjv.exe 100 PID 4200 wrote to memory of 1540 4200 pvvjv.exe 100 PID 1540 wrote to memory of 4472 1540 5ththb.exe 101 PID 1540 wrote to memory of 4472 1540 5ththb.exe 101 PID 1540 wrote to memory of 4472 1540 5ththb.exe 101 PID 4472 wrote to memory of 3304 4472 5dpjv.exe 102 PID 4472 wrote to memory of 3304 4472 5dpjv.exe 102 PID 4472 wrote to memory of 3304 4472 5dpjv.exe 102 PID 3304 wrote to memory of 4512 3304 lrxfxrf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b98ab1d4238c550c514e0def72b1e6369d50e50fe1409a0a3426424251070d98N.exe"C:\Users\Admin\AppData\Local\Temp\b98ab1d4238c550c514e0def72b1e6369d50e50fe1409a0a3426424251070d98N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\nbnhtn.exec:\nbnhtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\1pvjd.exec:\1pvjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\xlxrfrf.exec:\xlxrfrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\3htbnt.exec:\3htbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\9bnhtn.exec:\9bnhtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\rlfrfxr.exec:\rlfrfxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\xffrfff.exec:\xffrfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\pdvjj.exec:\pdvjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\lxfllxl.exec:\lxfllxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\ntnbnh.exec:\ntnbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\bthtnh.exec:\bthtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\vvdvj.exec:\vvdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\lllflfx.exec:\lllflfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\7jvpd.exec:\7jvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\frxflxx.exec:\frxflxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\hhhhnb.exec:\hhhhnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\3vvjj.exec:\3vvjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\pvvjv.exec:\pvvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\5ththb.exec:\5ththb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\5dpjv.exec:\5dpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\lrxfxrf.exec:\lrxfxrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\hnbbnh.exec:\hnbbnh.exe23⤵
- Executes dropped EXE
PID:4512 -
\??\c:\hbthbn.exec:\hbthbn.exe24⤵
- Executes dropped EXE
PID:1912 -
\??\c:\nhthnh.exec:\nhthnh.exe25⤵
- Executes dropped EXE
PID:4476 -
\??\c:\lxxrlfr.exec:\lxxrlfr.exe26⤵
- Executes dropped EXE
PID:4208 -
\??\c:\jvpdv.exec:\jvpdv.exe27⤵
- Executes dropped EXE
PID:4460 -
\??\c:\9xllrlx.exec:\9xllrlx.exe28⤵
- Executes dropped EXE
PID:1680 -
\??\c:\3hthbt.exec:\3hthbt.exe29⤵
- Executes dropped EXE
PID:4656 -
\??\c:\lxxlrlx.exec:\lxxlrlx.exe30⤵
- Executes dropped EXE
PID:2360 -
\??\c:\1hhbbt.exec:\1hhbbt.exe31⤵
- Executes dropped EXE
PID:2372 -
\??\c:\vppjd.exec:\vppjd.exe32⤵
- Executes dropped EXE
PID:5040 -
\??\c:\xfxxxrr.exec:\xfxxxrr.exe33⤵
- Executes dropped EXE
PID:2936 -
\??\c:\jppdv.exec:\jppdv.exe34⤵
- Executes dropped EXE
PID:2244 -
\??\c:\1jvpd.exec:\1jvpd.exe35⤵
- Executes dropped EXE
PID:1304 -
\??\c:\fffrxrl.exec:\fffrxrl.exe36⤵
- Executes dropped EXE
PID:1624 -
\??\c:\bhnhbt.exec:\bhnhbt.exe37⤵
- Executes dropped EXE
PID:1592 -
\??\c:\nbbbhb.exec:\nbbbhb.exe38⤵
- Executes dropped EXE
PID:3668 -
\??\c:\vjvjp.exec:\vjvjp.exe39⤵
- Executes dropped EXE
PID:4540 -
\??\c:\3fxlrlx.exec:\3fxlrlx.exe40⤵
- Executes dropped EXE
PID:4912 -
\??\c:\bnnbnh.exec:\bnnbnh.exe41⤵
- Executes dropped EXE
PID:4664 -
\??\c:\9jdpd.exec:\9jdpd.exe42⤵
- Executes dropped EXE
PID:2424 -
\??\c:\lrxxllf.exec:\lrxxllf.exe43⤵
- Executes dropped EXE
PID:776 -
\??\c:\lxrlxxr.exec:\lxrlxxr.exe44⤵
- Executes dropped EXE
PID:112 -
\??\c:\bhnhbb.exec:\bhnhbb.exe45⤵
- Executes dropped EXE
PID:2056 -
\??\c:\tnnbnh.exec:\tnnbnh.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4584 -
\??\c:\vdvjv.exec:\vdvjv.exe47⤵
- Executes dropped EXE
PID:1504 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe48⤵
- Executes dropped EXE
PID:4800 -
\??\c:\xffxrlx.exec:\xffxrlx.exe49⤵
- Executes dropped EXE
PID:4964 -
\??\c:\nhbthb.exec:\nhbthb.exe50⤵
- Executes dropped EXE
PID:3492 -
\??\c:\1djdd.exec:\1djdd.exe51⤵
- Executes dropped EXE
PID:2324 -
\??\c:\lllfrrf.exec:\lllfrrf.exe52⤵
- Executes dropped EXE
PID:4396 -
\??\c:\hbthtn.exec:\hbthtn.exe53⤵
- Executes dropped EXE
PID:1868 -
\??\c:\nbbtnh.exec:\nbbtnh.exe54⤵
- Executes dropped EXE
PID:1360 -
\??\c:\9djdj.exec:\9djdj.exe55⤵
- Executes dropped EXE
PID:2060 -
\??\c:\rffxrrl.exec:\rffxrrl.exe56⤵
- Executes dropped EXE
PID:3708 -
\??\c:\3bbtnh.exec:\3bbtnh.exe57⤵
- Executes dropped EXE
PID:668 -
\??\c:\7jdvp.exec:\7jdvp.exe58⤵
- Executes dropped EXE
PID:2364 -
\??\c:\9rlrllf.exec:\9rlrllf.exe59⤵
- Executes dropped EXE
PID:4560 -
\??\c:\tnnnhn.exec:\tnnnhn.exe60⤵
- Executes dropped EXE
PID:1460 -
\??\c:\thnbhb.exec:\thnbhb.exe61⤵
- Executes dropped EXE
PID:956 -
\??\c:\dppjd.exec:\dppjd.exe62⤵
- Executes dropped EXE
PID:3744 -
\??\c:\rllfrrl.exec:\rllfrrl.exe63⤵
- Executes dropped EXE
PID:624 -
\??\c:\thbnht.exec:\thbnht.exe64⤵
- Executes dropped EXE
PID:5088 -
\??\c:\hntnbt.exec:\hntnbt.exe65⤵
- Executes dropped EXE
PID:2044 -
\??\c:\3vvjv.exec:\3vvjv.exe66⤵PID:1636
-
\??\c:\5lrxlfr.exec:\5lrxlfr.exe67⤵PID:3988
-
\??\c:\rlrffxl.exec:\rlrffxl.exe68⤵PID:1244
-
\??\c:\bbbnbh.exec:\bbbnbh.exe69⤵PID:2692
-
\??\c:\jjdpv.exec:\jjdpv.exe70⤵PID:4852
-
\??\c:\xflfrlf.exec:\xflfrlf.exe71⤵PID:3360
-
\??\c:\lrlfxrl.exec:\lrlfxrl.exe72⤵PID:1596
-
\??\c:\1nhbnh.exec:\1nhbnh.exe73⤵PID:1720
-
\??\c:\vvpjv.exec:\vvpjv.exe74⤵PID:1616
-
\??\c:\xflfffx.exec:\xflfffx.exe75⤵PID:3612
-
\??\c:\httnbt.exec:\httnbt.exe76⤵PID:2468
-
\??\c:\jpddd.exec:\jpddd.exe77⤵PID:212
-
\??\c:\pjdvp.exec:\pjdvp.exe78⤵PID:1920
-
\??\c:\fxlxrll.exec:\fxlxrll.exe79⤵PID:1340
-
\??\c:\9tbtnt.exec:\9tbtnt.exe80⤵PID:652
-
\??\c:\dppdv.exec:\dppdv.exe81⤵PID:684
-
\??\c:\djdvd.exec:\djdvd.exe82⤵PID:4856
-
\??\c:\fflfffx.exec:\fflfffx.exe83⤵PID:3796
-
\??\c:\7nnnht.exec:\7nnnht.exe84⤵PID:5028
-
\??\c:\pvvjd.exec:\pvvjd.exe85⤵PID:2920
-
\??\c:\ddjvj.exec:\ddjvj.exe86⤵PID:716
-
\??\c:\xlxlfff.exec:\xlxlfff.exe87⤵PID:4564
-
\??\c:\bhnhtb.exec:\bhnhtb.exe88⤵PID:5016
-
\??\c:\7xxlxxl.exec:\7xxlxxl.exe89⤵PID:2748
-
\??\c:\bnhbhb.exec:\bnhbhb.exe90⤵PID:1216
-
\??\c:\nbthhb.exec:\nbthhb.exe91⤵PID:1844
-
\??\c:\jvjvd.exec:\jvjvd.exe92⤵PID:4656
-
\??\c:\1flfxxf.exec:\1flfxxf.exe93⤵PID:1452
-
\??\c:\bbbtnn.exec:\bbbtnn.exe94⤵PID:4284
-
\??\c:\pjpvp.exec:\pjpvp.exe95⤵PID:4904
-
\??\c:\3ddpv.exec:\3ddpv.exe96⤵PID:5040
-
\??\c:\3lrflfr.exec:\3lrflfr.exe97⤵PID:2936
-
\??\c:\3nhbtt.exec:\3nhbtt.exe98⤵PID:4536
-
\??\c:\pdpjd.exec:\pdpjd.exe99⤵PID:2844
-
\??\c:\vpdpj.exec:\vpdpj.exe100⤵PID:3832
-
\??\c:\frfrflr.exec:\frfrflr.exe101⤵PID:1752
-
\??\c:\bttnhb.exec:\bttnhb.exe102⤵PID:1668
-
\??\c:\dppjj.exec:\dppjj.exe103⤵PID:2456
-
\??\c:\rflfrlx.exec:\rflfrlx.exe104⤵PID:4960
-
\??\c:\lrxrllf.exec:\lrxrllf.exe105⤵PID:4936
-
\??\c:\5bhbtt.exec:\5bhbtt.exe106⤵PID:2172
-
\??\c:\pddpd.exec:\pddpd.exe107⤵PID:1808
-
\??\c:\xlrfrrx.exec:\xlrfrrx.exe108⤵PID:3656
-
\??\c:\nhnhnn.exec:\nhnhnn.exe109⤵PID:2476
-
\??\c:\3pvpp.exec:\3pvpp.exe110⤵PID:2056
-
\??\c:\1ppdv.exec:\1ppdv.exe111⤵PID:392
-
\??\c:\9rlxlfr.exec:\9rlxlfr.exe112⤵PID:2296
-
\??\c:\btbhbn.exec:\btbhbn.exe113⤵PID:4580
-
\??\c:\tnhhtb.exec:\tnhhtb.exe114⤵PID:1772
-
\??\c:\vjdvp.exec:\vjdvp.exe115⤵PID:732
-
\??\c:\lfxrlrl.exec:\lfxrlrl.exe116⤵PID:4388
-
\??\c:\ntbttn.exec:\ntbttn.exe117⤵PID:4360
-
\??\c:\vvvpd.exec:\vvvpd.exe118⤵PID:4136
-
\??\c:\rflfxxr.exec:\rflfxxr.exe119⤵PID:3704
-
\??\c:\thnhbt.exec:\thnhbt.exe120⤵PID:2388
-
\??\c:\vvpjd.exec:\vvpjd.exe121⤵PID:664
-
\??\c:\jddpd.exec:\jddpd.exe122⤵PID:2148