Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe
-
Size
452KB
-
MD5
9fb45cb4881e004f47e19f5dc623b948
-
SHA1
a1b0a3d67c0556f92f61a541fe879030ab06a590
-
SHA256
0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c
-
SHA512
6a672cc56f109a25bb1772aece23ca370bd83fb8c9590f5d427b77235337b166d97cf97dd5b6760de709b3d5166cf76dd254c5486ffcd92714901c27bc3738d8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4620-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4164-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1116-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-898-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-1831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4484 htbthn.exe 2200 tbhtnh.exe 2392 pppjd.exe 2436 frxfxxx.exe 4548 nnnhhb.exe 2416 jdvjd.exe 2396 bhhbtt.exe 1156 xrrllfx.exe 2448 vjdjd.exe 4944 3rrlrrl.exe 4172 tnhbtt.exe 1940 ffrfxxr.exe 3748 bbbtnn.exe 1220 htbttn.exe 2452 ffrlrrx.exe 1960 hbnnhn.exe 1496 jpdjd.exe 3172 bthbhh.exe 740 jjjjd.exe 2224 xxllrff.exe 3836 nbhbbt.exe 4164 bttnhb.exe 4972 pjvvd.exe 4184 ffrfxfx.exe 4692 xrxxxxr.exe 4960 hntnhh.exe 1488 ddjdv.exe 4640 hnnhbt.exe 1764 1nbtnh.exe 3972 dvdvv.exe 4772 thtttn.exe 1172 rfxrllf.exe 4452 nbhtnh.exe 1784 jdjdv.exe 3964 dvvpd.exe 4712 llrrrrf.exe 2052 nbhtnt.exe 3256 tbhtbt.exe 2340 vpvpv.exe 4248 frllfxf.exe 1376 3tntnn.exe 3916 vdjvj.exe 3804 5rxrrlf.exe 3500 hnnhbb.exe 4028 bnthbb.exe 1396 pjjpd.exe 4104 fffrlfx.exe 1720 tnnbbh.exe 4136 tnnhbb.exe 3504 5vvpj.exe 4664 xrrflfx.exe 544 nbbhbt.exe 2308 tntnhh.exe 560 djpjd.exe 4556 xlxlrlr.exe 624 bhnhtt.exe 212 hhhnnn.exe 2436 jdjdd.exe 4228 lfrlrxf.exe 956 hthtbt.exe 816 9dvvj.exe 2416 xlrrrrr.exe 4188 thbbbb.exe 2976 nbnhbt.exe -
resource yara_rule behavioral2/memory/4620-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4960-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-409-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4808-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-1093-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-1335-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4620 wrote to memory of 4484 4620 0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe 82 PID 4620 wrote to memory of 4484 4620 0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe 82 PID 4620 wrote to memory of 4484 4620 0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe 82 PID 4484 wrote to memory of 2200 4484 htbthn.exe 83 PID 4484 wrote to memory of 2200 4484 htbthn.exe 83 PID 4484 wrote to memory of 2200 4484 htbthn.exe 83 PID 2200 wrote to memory of 2392 2200 tbhtnh.exe 84 PID 2200 wrote to memory of 2392 2200 tbhtnh.exe 84 PID 2200 wrote to memory of 2392 2200 tbhtnh.exe 84 PID 2392 wrote to memory of 2436 2392 pppjd.exe 85 PID 2392 wrote to memory of 2436 2392 pppjd.exe 85 PID 2392 wrote to memory of 2436 2392 pppjd.exe 85 PID 2436 wrote to memory of 4548 2436 frxfxxx.exe 86 PID 2436 wrote to memory of 4548 2436 frxfxxx.exe 86 PID 2436 wrote to memory of 4548 2436 frxfxxx.exe 86 PID 4548 wrote to memory of 2416 4548 nnnhhb.exe 87 PID 4548 wrote to memory of 2416 4548 nnnhhb.exe 87 PID 4548 wrote to memory of 2416 4548 nnnhhb.exe 87 PID 2416 wrote to memory of 2396 2416 jdvjd.exe 88 PID 2416 wrote to memory of 2396 2416 jdvjd.exe 88 PID 2416 wrote to memory of 2396 2416 jdvjd.exe 88 PID 2396 wrote to memory of 1156 2396 bhhbtt.exe 89 PID 2396 wrote to memory of 1156 2396 bhhbtt.exe 89 PID 2396 wrote to memory of 1156 2396 bhhbtt.exe 89 PID 1156 wrote to memory of 2448 1156 xrrllfx.exe 90 PID 1156 wrote to memory of 2448 1156 xrrllfx.exe 90 PID 1156 wrote to memory of 2448 1156 xrrllfx.exe 90 PID 2448 wrote to memory of 4944 2448 vjdjd.exe 91 PID 2448 wrote to memory of 4944 2448 vjdjd.exe 91 PID 2448 wrote to memory of 4944 2448 vjdjd.exe 91 PID 4944 wrote to memory of 4172 4944 3rrlrrl.exe 92 PID 4944 wrote to memory of 4172 4944 3rrlrrl.exe 92 PID 4944 wrote to memory of 4172 4944 3rrlrrl.exe 92 PID 4172 wrote to memory of 1940 4172 tnhbtt.exe 93 PID 4172 wrote to 
memory of 1940 4172 tnhbtt.exe 93 PID 4172 wrote to memory of 1940 4172 tnhbtt.exe 93 PID 1940 wrote to memory of 3748 1940 ffrfxxr.exe 94 PID 1940 wrote to memory of 3748 1940 ffrfxxr.exe 94 PID 1940 wrote to memory of 3748 1940 ffrfxxr.exe 94 PID 3748 wrote to memory of 1220 3748 bbbtnn.exe 95 PID 3748 wrote to memory of 1220 3748 bbbtnn.exe 95 PID 3748 wrote to memory of 1220 3748 bbbtnn.exe 95 PID 1220 wrote to memory of 2452 1220 htbttn.exe 96 PID 1220 wrote to memory of 2452 1220 htbttn.exe 96 PID 1220 wrote to memory of 2452 1220 htbttn.exe 96 PID 2452 wrote to memory of 1960 2452 ffrlrrx.exe 97 PID 2452 wrote to memory of 1960 2452 ffrlrrx.exe 97 PID 2452 wrote to memory of 1960 2452 ffrlrrx.exe 97 PID 1960 wrote to memory of 1496 1960 hbnnhn.exe 98 PID 1960 wrote to memory of 1496 1960 hbnnhn.exe 98 PID 1960 wrote to memory of 1496 1960 hbnnhn.exe 98 PID 1496 wrote to memory of 3172 1496 jpdjd.exe 99 PID 1496 wrote to memory of 3172 1496 jpdjd.exe 99 PID 1496 wrote to memory of 3172 1496 jpdjd.exe 99 PID 3172 wrote to memory of 740 3172 bthbhh.exe 100 PID 3172 wrote to memory of 740 3172 bthbhh.exe 100 PID 3172 wrote to memory of 740 3172 bthbhh.exe 100 PID 740 wrote to memory of 2224 740 jjjjd.exe 101 PID 740 wrote to memory of 2224 740 jjjjd.exe 101 PID 740 wrote to memory of 2224 740 jjjjd.exe 101 PID 2224 wrote to memory of 3836 2224 xxllrff.exe 102 PID 2224 wrote to memory of 3836 2224 xxllrff.exe 102 PID 2224 wrote to memory of 3836 2224 xxllrff.exe 102 PID 3836 wrote to memory of 4164 3836 nbhbbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe"C:\Users\Admin\AppData\Local\Temp\0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\htbthn.exec:\htbthn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\tbhtnh.exec:\tbhtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\pppjd.exec:\pppjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\frxfxxx.exec:\frxfxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\nnnhhb.exec:\nnnhhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\jdvjd.exec:\jdvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\bhhbtt.exec:\bhhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\xrrllfx.exec:\xrrllfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\vjdjd.exec:\vjdjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\3rrlrrl.exec:\3rrlrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\tnhbtt.exec:\tnhbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\ffrfxxr.exec:\ffrfxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\bbbtnn.exec:\bbbtnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\htbttn.exec:\htbttn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\ffrlrrx.exec:\ffrlrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\hbnnhn.exec:\hbnnhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\jpdjd.exec:\jpdjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\bthbhh.exec:\bthbhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\jjjjd.exec:\jjjjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\xxllrff.exec:\xxllrff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\nbhbbt.exec:\nbhbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\bttnhb.exec:\bttnhb.exe23⤵
- Executes dropped EXE
PID:4164 -
\??\c:\pjvvd.exec:\pjvvd.exe24⤵
- Executes dropped EXE
PID:4972 -
\??\c:\ffrfxfx.exec:\ffrfxfx.exe25⤵
- Executes dropped EXE
PID:4184 -
\??\c:\xrxxxxr.exec:\xrxxxxr.exe26⤵
- Executes dropped EXE
PID:4692 -
\??\c:\hntnhh.exec:\hntnhh.exe27⤵
- Executes dropped EXE
PID:4960 -
\??\c:\ddjdv.exec:\ddjdv.exe28⤵
- Executes dropped EXE
PID:1488 -
\??\c:\hnnhbt.exec:\hnnhbt.exe29⤵
- Executes dropped EXE
PID:4640 -
\??\c:\1nbtnh.exec:\1nbtnh.exe30⤵
- Executes dropped EXE
PID:1764 -
\??\c:\dvdvv.exec:\dvdvv.exe31⤵
- Executes dropped EXE
PID:3972 -
\??\c:\thtttn.exec:\thtttn.exe32⤵
- Executes dropped EXE
PID:4772 -
\??\c:\rfxrllf.exec:\rfxrllf.exe33⤵
- Executes dropped EXE
PID:1172 -
\??\c:\nbhtnh.exec:\nbhtnh.exe34⤵
- Executes dropped EXE
PID:4452 -
\??\c:\jdjdv.exec:\jdjdv.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784 -
\??\c:\dvvpd.exec:\dvvpd.exe36⤵
- Executes dropped EXE
PID:3964 -
\??\c:\llrrrrf.exec:\llrrrrf.exe37⤵
- Executes dropped EXE
PID:4712 -
\??\c:\nbhtnt.exec:\nbhtnt.exe38⤵
- Executes dropped EXE
PID:2052 -
\??\c:\tbhtbt.exec:\tbhtbt.exe39⤵
- Executes dropped EXE
PID:3256 -
\??\c:\vpvpv.exec:\vpvpv.exe40⤵
- Executes dropped EXE
PID:2340 -
\??\c:\frllfxf.exec:\frllfxf.exe41⤵
- Executes dropped EXE
PID:4248 -
\??\c:\3tntnn.exec:\3tntnn.exe42⤵
- Executes dropped EXE
PID:1376 -
\??\c:\vdjvj.exec:\vdjvj.exe43⤵
- Executes dropped EXE
PID:3916 -
\??\c:\5rxrrlf.exec:\5rxrrlf.exe44⤵
- Executes dropped EXE
PID:3804 -
\??\c:\hnnhbb.exec:\hnnhbb.exe45⤵
- Executes dropped EXE
PID:3500 -
\??\c:\bnthbb.exec:\bnthbb.exe46⤵
- Executes dropped EXE
PID:4028 -
\??\c:\pjjpd.exec:\pjjpd.exe47⤵
- Executes dropped EXE
PID:1396 -
\??\c:\fffrlfx.exec:\fffrlfx.exe48⤵
- Executes dropped EXE
PID:4104 -
\??\c:\tnnbbh.exec:\tnnbbh.exe49⤵
- Executes dropped EXE
PID:1720 -
\??\c:\tnnhbb.exec:\tnnhbb.exe50⤵
- Executes dropped EXE
PID:4136 -
\??\c:\5vvpj.exec:\5vvpj.exe51⤵
- Executes dropped EXE
PID:3504 -
\??\c:\xrrflfx.exec:\xrrflfx.exe52⤵
- Executes dropped EXE
PID:4664 -
\??\c:\nbbhbt.exec:\nbbhbt.exe53⤵
- Executes dropped EXE
PID:544 -
\??\c:\tntnhh.exec:\tntnhh.exe54⤵
- Executes dropped EXE
PID:2308 -
\??\c:\djpjd.exec:\djpjd.exe55⤵
- Executes dropped EXE
PID:560 -
\??\c:\xlxlrlr.exec:\xlxlrlr.exe56⤵
- Executes dropped EXE
PID:4556 -
\??\c:\bhnhtt.exec:\bhnhtt.exe57⤵
- Executes dropped EXE
PID:624 -
\??\c:\hhhnnn.exec:\hhhnnn.exe58⤵
- Executes dropped EXE
PID:212 -
\??\c:\jdjdd.exec:\jdjdd.exe59⤵
- Executes dropped EXE
PID:2436 -
\??\c:\lfrlrxf.exec:\lfrlrxf.exe60⤵
- Executes dropped EXE
PID:4228 -
\??\c:\hthtbt.exec:\hthtbt.exe61⤵
- Executes dropped EXE
PID:956 -
\??\c:\9dvvj.exec:\9dvvj.exe62⤵
- Executes dropped EXE
PID:816 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe63⤵
- Executes dropped EXE
PID:2416 -
\??\c:\thbbbb.exec:\thbbbb.exe64⤵
- Executes dropped EXE
PID:4188 -
\??\c:\nbnhbt.exec:\nbnhbt.exe65⤵
- Executes dropped EXE
PID:2976 -
\??\c:\dppjd.exec:\dppjd.exe66⤵PID:1184
-
\??\c:\xlrxxlf.exec:\xlrxxlf.exe67⤵PID:2644
-
\??\c:\nbbtnn.exec:\nbbtnn.exe68⤵PID:1816
-
\??\c:\dddvp.exec:\dddvp.exe69⤵PID:1996
-
\??\c:\5dvjd.exec:\5dvjd.exe70⤵PID:4540
-
\??\c:\lxfrllf.exec:\lxfrllf.exe71⤵PID:4804
-
\??\c:\bttnhh.exec:\bttnhh.exe72⤵PID:4152
-
\??\c:\vppjd.exec:\vppjd.exe73⤵PID:2064
-
\??\c:\jpvpd.exec:\jpvpd.exe74⤵PID:2084
-
\??\c:\fxxxxrr.exec:\fxxxxrr.exe75⤵PID:2288
-
\??\c:\nhtnnn.exec:\nhtnnn.exe76⤵PID:1600
-
\??\c:\hbtnhh.exec:\hbtnhh.exe77⤵PID:2636
-
\??\c:\dpvvp.exec:\dpvvp.exe78⤵PID:1116
-
\??\c:\fxrxrrr.exec:\fxrxrrr.exe79⤵PID:5060
-
\??\c:\tnnbnh.exec:\tnnbnh.exe80⤵PID:1188
-
\??\c:\ppppj.exec:\ppppj.exe81⤵PID:452
-
\??\c:\rrrxrxl.exec:\rrrxrxl.exe82⤵PID:2224
-
\??\c:\llxrffx.exec:\llxrffx.exe83⤵PID:2972
-
\??\c:\nbnbtt.exec:\nbnbtt.exe84⤵PID:4128
-
\??\c:\pjjvp.exec:\pjjvp.exe85⤵PID:4100
-
\??\c:\vdpjv.exec:\vdpjv.exe86⤵PID:4860
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe87⤵PID:5096
-
\??\c:\nhnbtn.exec:\nhnbtn.exe88⤵PID:440
-
\??\c:\pdjdv.exec:\pdjdv.exe89⤵PID:4140
-
\??\c:\fxxrffx.exec:\fxxrffx.exe90⤵PID:4852
-
\??\c:\nhhbnh.exec:\nhhbnh.exe91⤵PID:368
-
\??\c:\vdjjv.exec:\vdjjv.exe92⤵PID:824
-
\??\c:\jdpjp.exec:\jdpjp.exe93⤵PID:4424
-
\??\c:\fxrfxrr.exec:\fxrfxrr.exe94⤵PID:508
-
\??\c:\tnnhbt.exec:\tnnhbt.exe95⤵PID:3276
-
\??\c:\jpdvj.exec:\jpdvj.exe96⤵PID:4088
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe97⤵PID:2076
-
\??\c:\tnnhbb.exec:\tnnhbb.exe98⤵PID:4636
-
\??\c:\9bhtnn.exec:\9bhtnn.exe99⤵PID:1592
-
\??\c:\vdvpp.exec:\vdvpp.exe100⤵PID:1008
-
\??\c:\rflrlfx.exec:\rflrlfx.exe101⤵PID:4808
-
\??\c:\xllfffx.exec:\xllfffx.exe102⤵PID:4680
-
\??\c:\hhbhbt.exec:\hhbhbt.exe103⤵PID:4712
-
\??\c:\jdjvp.exec:\jdjvp.exe104⤵PID:1700
-
\??\c:\fxxrffx.exec:\fxxrffx.exe105⤵PID:820
-
\??\c:\9tbtnh.exec:\9tbtnh.exe106⤵PID:3772
-
\??\c:\nbbtbb.exec:\nbbtbb.exe107⤵PID:4248
-
\??\c:\jvvpd.exec:\jvvpd.exe108⤵PID:1376
-
\??\c:\rrxlfxr.exec:\rrxlfxr.exe109⤵PID:3916
-
\??\c:\nhhtnh.exec:\nhhtnh.exe110⤵PID:3804
-
\??\c:\bnnhbb.exec:\bnnhbb.exe111⤵PID:3636
-
\??\c:\xxrxrxr.exec:\xxrxrxr.exe112⤵PID:112
-
\??\c:\bntnhb.exec:\bntnhb.exe113⤵PID:5032
-
\??\c:\bbtntn.exec:\bbtntn.exe114⤵PID:5116
-
\??\c:\jppjd.exec:\jppjd.exe115⤵PID:636
-
\??\c:\frlfllr.exec:\frlfllr.exe116⤵PID:1876
-
\??\c:\hhbthh.exec:\hhbthh.exe117⤵PID:4516
-
\??\c:\dvvjp.exec:\dvvjp.exe118⤵PID:1004
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe119⤵PID:2720
-
\??\c:\rllffxx.exec:\rllffxx.exe120⤵PID:2248
-
\??\c:\btbbhb.exec:\btbbhb.exe121⤵PID:2200
-
\??\c:\1jpdv.exec:\1jpdv.exe122⤵PID:2408