Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
25-12-2024 18:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b0db4171ff7aea3b44daa0d546adf4292d9460d8d2a82ef0015d32c5feb76acbN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b0db4171ff7aea3b44daa0d546adf4292d9460d8d2a82ef0015d32c5feb76acbN.exe
-
Size
454KB
-
MD5
a80501940b15fcedd3a26cf059787830
-
SHA1
c9e47f6e866fef0c6f05ab2073dc8dde24794a11
-
SHA256
b0db4171ff7aea3b44daa0d546adf4292d9460d8d2a82ef0015d32c5feb76acb
-
SHA512
8b1bd3b5b5908dcc0318d649414c09454122a9a40f72e30316600b4ca55d6d0f1c1669d7665c1b84ebc2f41499a2b7bbcfa6dc26e63aebe4634af2a2b8cd40e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3124-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3524-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/604-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1436-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-943-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-1047-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-1712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 456 bhtnhb.exe 2816 vvjdp.exe 1396 ntbtnt.exe 3748 lrfllfx.exe 4484 hhthnn.exe 4904 dpvvv.exe 5004 9thbtt.exe 1872 pjdvp.exe 3712 bhnhhh.exe 3736 xflfllf.exe 3728 tnnhnn.exe 732 xrrlllf.exe 1608 nhhbnn.exe 2272 vpjdv.exe 3436 7pdpd.exe 4924 xrllfxf.exe 4356 3djdp.exe 2996 3rlfxfx.exe 916 xlxrfrf.exe 2984 hhhnht.exe 532 rfflxlf.exe 2464 hbbtnn.exe 3604 lxrlxrl.exe 3524 xxrlffx.exe 1488 bnthtn.exe 2792 fxxrffr.exe 2244 5ddpd.exe 748 dpvpj.exe 4072 fxrlfxx.exe 376 5vjpd.exe 4572 5xfrllf.exe 1988 hbbtnn.exe 3272 jpjjd.exe 3080 5xlflfx.exe 1512 bhtnnh.exe 1876 pjpjd.exe 4668 rrxrlxr.exe 452 9thhtt.exe 3412 jdpvd.exe 652 1pdpv.exe 3776 rlrxlfx.exe 604 hntnnn.exe 3812 5hhthb.exe 4024 jvjvv.exe 4360 flrffrx.exe 3084 nbhbnh.exe 3124 jdjvd.exe 3504 llfrfrf.exe 2816 nhtnhh.exe 864 hnnbnh.exe 3896 pppjd.exe 4616 1xlflfr.exe 2372 7htnhh.exe 4288 9ddjd.exe 4528 lrlxfxl.exe 5004 nhhbbb.exe 4980 7ttnbt.exe 4848 vjjvj.exe 2224 xfrffrf.exe 3328 bhbnbt.exe 1376 hbbnth.exe 3736 7pdvd.exe 2740 rxrfrlx.exe 3816 rxfxlxl.exe -
resource yara_rule behavioral2/memory/3124-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2244-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/604-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-385-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/808-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-725-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxlfx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3124 wrote to memory of 456 3124 b0db4171ff7aea3b44daa0d546adf4292d9460d8d2a82ef0015d32c5feb76acbN.exe 82 PID 3124 wrote to memory of 456 3124 b0db4171ff7aea3b44daa0d546adf4292d9460d8d2a82ef0015d32c5feb76acbN.exe 82 PID 3124 wrote to memory of 456 3124 b0db4171ff7aea3b44daa0d546adf4292d9460d8d2a82ef0015d32c5feb76acbN.exe 82 PID 456 wrote to memory of 2816 456 bhtnhb.exe 83 PID 456 wrote to memory of 2816 456 bhtnhb.exe 83 PID 456 wrote to memory of 2816 456 bhtnhb.exe 83 PID 2816 wrote to memory of 1396 2816 vvjdp.exe 84 PID 2816 wrote to memory of 1396 2816 vvjdp.exe 84 PID 2816 wrote to memory of 1396 2816 vvjdp.exe 84 PID 1396 wrote to memory of 3748 1396 ntbtnt.exe 85 PID 1396 wrote to memory of 3748 1396 ntbtnt.exe 85 PID 1396 wrote to memory of 3748 1396 ntbtnt.exe 85 PID 3748 wrote to memory of 4484 3748 lrfllfx.exe 86 PID 3748 wrote to memory of 4484 3748 lrfllfx.exe 86 PID 3748 wrote to memory of 4484 3748 lrfllfx.exe 86 PID 4484 wrote to memory of 4904 4484 hhthnn.exe 87 PID 4484 wrote to memory of 4904 4484 hhthnn.exe 87 PID 4484 wrote to memory of 4904 4484 hhthnn.exe 87 PID 4904 wrote to memory of 5004 4904 dpvvv.exe 88 PID 4904 wrote to memory of 5004 4904 dpvvv.exe 88 PID 4904 wrote to memory of 5004 4904 dpvvv.exe 88 PID 5004 wrote to memory of 1872 5004 9thbtt.exe 89 PID 5004 wrote to memory of 1872 5004 9thbtt.exe 89 PID 5004 wrote to memory of 1872 5004 9thbtt.exe 89 PID 1872 wrote to memory of 3712 1872 pjdvp.exe 90 PID 1872 wrote to memory of 3712 1872 pjdvp.exe 90 PID 1872 wrote to memory of 3712 1872 pjdvp.exe 90 PID 3712 wrote to memory of 3736 3712 bhnhhh.exe 91 PID 3712 wrote to memory of 3736 3712 bhnhhh.exe 91 PID 3712 wrote to memory of 3736 3712 bhnhhh.exe 91 PID 3736 wrote to memory of 3728 3736 xflfllf.exe 92 PID 3736 wrote to memory of 3728 3736 xflfllf.exe 92 PID 3736 wrote to memory of 3728 3736 xflfllf.exe 92 PID 3728 wrote to memory of 732 3728 tnnhnn.exe 93 PID 3728 wrote to memory of 
732 3728 tnnhnn.exe 93 PID 3728 wrote to memory of 732 3728 tnnhnn.exe 93 PID 732 wrote to memory of 1608 732 xrrlllf.exe 94 PID 732 wrote to memory of 1608 732 xrrlllf.exe 94 PID 732 wrote to memory of 1608 732 xrrlllf.exe 94 PID 1608 wrote to memory of 2272 1608 nhhbnn.exe 95 PID 1608 wrote to memory of 2272 1608 nhhbnn.exe 95 PID 1608 wrote to memory of 2272 1608 nhhbnn.exe 95 PID 2272 wrote to memory of 3436 2272 vpjdv.exe 96 PID 2272 wrote to memory of 3436 2272 vpjdv.exe 96 PID 2272 wrote to memory of 3436 2272 vpjdv.exe 96 PID 3436 wrote to memory of 4924 3436 7pdpd.exe 97 PID 3436 wrote to memory of 4924 3436 7pdpd.exe 97 PID 3436 wrote to memory of 4924 3436 7pdpd.exe 97 PID 4924 wrote to memory of 4356 4924 xrllfxf.exe 98 PID 4924 wrote to memory of 4356 4924 xrllfxf.exe 98 PID 4924 wrote to memory of 4356 4924 xrllfxf.exe 98 PID 4356 wrote to memory of 2996 4356 3djdp.exe 99 PID 4356 wrote to memory of 2996 4356 3djdp.exe 99 PID 4356 wrote to memory of 2996 4356 3djdp.exe 99 PID 2996 wrote to memory of 916 2996 3rlfxfx.exe 100 PID 2996 wrote to memory of 916 2996 3rlfxfx.exe 100 PID 2996 wrote to memory of 916 2996 3rlfxfx.exe 100 PID 916 wrote to memory of 2984 916 xlxrfrf.exe 101 PID 916 wrote to memory of 2984 916 xlxrfrf.exe 101 PID 916 wrote to memory of 2984 916 xlxrfrf.exe 101 PID 2984 wrote to memory of 532 2984 hhhnht.exe 102 PID 2984 wrote to memory of 532 2984 hhhnht.exe 102 PID 2984 wrote to memory of 532 2984 hhhnht.exe 102 PID 532 wrote to memory of 2464 532 rfflxlf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0db4171ff7aea3b44daa0d546adf4292d9460d8d2a82ef0015d32c5feb76acbN.exe"C:\Users\Admin\AppData\Local\Temp\b0db4171ff7aea3b44daa0d546adf4292d9460d8d2a82ef0015d32c5feb76acbN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\bhtnhb.exec:\bhtnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\vvjdp.exec:\vvjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\ntbtnt.exec:\ntbtnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\lrfllfx.exec:\lrfllfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\hhthnn.exec:\hhthnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\dpvvv.exec:\dpvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\9thbtt.exec:\9thbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\pjdvp.exec:\pjdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\bhnhhh.exec:\bhnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\xflfllf.exec:\xflfllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\tnnhnn.exec:\tnnhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\xrrlllf.exec:\xrrlllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\nhhbnn.exec:\nhhbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\vpjdv.exec:\vpjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\7pdpd.exec:\7pdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\xrllfxf.exec:\xrllfxf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\3djdp.exec:\3djdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\3rlfxfx.exec:\3rlfxfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\xlxrfrf.exec:\xlxrfrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\hhhnht.exec:\hhhnht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\rfflxlf.exec:\rfflxlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\hbbtnn.exec:\hbbtnn.exe23⤵
- Executes dropped EXE
PID:2464 -
\??\c:\lxrlxrl.exec:\lxrlxrl.exe24⤵
- Executes dropped EXE
PID:3604 -
\??\c:\xxrlffx.exec:\xxrlffx.exe25⤵
- Executes dropped EXE
PID:3524 -
\??\c:\bnthtn.exec:\bnthtn.exe26⤵
- Executes dropped EXE
PID:1488 -
\??\c:\fxxrffr.exec:\fxxrffr.exe27⤵
- Executes dropped EXE
PID:2792 -
\??\c:\5ddpd.exec:\5ddpd.exe28⤵
- Executes dropped EXE
PID:2244 -
\??\c:\dpvpj.exec:\dpvpj.exe29⤵
- Executes dropped EXE
PID:748 -
\??\c:\fxrlfxx.exec:\fxrlfxx.exe30⤵
- Executes dropped EXE
PID:4072 -
\??\c:\5vjpd.exec:\5vjpd.exe31⤵
- Executes dropped EXE
PID:376 -
\??\c:\5xfrllf.exec:\5xfrllf.exe32⤵
- Executes dropped EXE
PID:4572 -
\??\c:\hbbtnn.exec:\hbbtnn.exe33⤵
- Executes dropped EXE
PID:1988 -
\??\c:\jpjjd.exec:\jpjjd.exe34⤵
- Executes dropped EXE
PID:3272 -
\??\c:\5xlflfx.exec:\5xlflfx.exe35⤵
- Executes dropped EXE
PID:3080 -
\??\c:\bhtnnh.exec:\bhtnnh.exe36⤵
- Executes dropped EXE
PID:1512 -
\??\c:\pjpjd.exec:\pjpjd.exe37⤵
- Executes dropped EXE
PID:1876 -
\??\c:\rrxrlxr.exec:\rrxrlxr.exe38⤵
- Executes dropped EXE
PID:4668 -
\??\c:\9thhtt.exec:\9thhtt.exe39⤵
- Executes dropped EXE
PID:452 -
\??\c:\jdpvd.exec:\jdpvd.exe40⤵
- Executes dropped EXE
PID:3412 -
\??\c:\1pdpv.exec:\1pdpv.exe41⤵
- Executes dropped EXE
PID:652 -
\??\c:\rlrxlfx.exec:\rlrxlfx.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3776 -
\??\c:\hntnnn.exec:\hntnnn.exe43⤵
- Executes dropped EXE
PID:604 -
\??\c:\5hhthb.exec:\5hhthb.exe44⤵
- Executes dropped EXE
PID:3812 -
\??\c:\jvjvv.exec:\jvjvv.exe45⤵
- Executes dropped EXE
PID:4024 -
\??\c:\flrffrx.exec:\flrffrx.exe46⤵
- Executes dropped EXE
PID:4360 -
\??\c:\nbhbnh.exec:\nbhbnh.exe47⤵
- Executes dropped EXE
PID:3084 -
\??\c:\jdjvd.exec:\jdjvd.exe48⤵
- Executes dropped EXE
PID:3124 -
\??\c:\llfrfrf.exec:\llfrfrf.exe49⤵
- Executes dropped EXE
PID:3504 -
\??\c:\nhtnhh.exec:\nhtnhh.exe50⤵
- Executes dropped EXE
PID:2816 -
\??\c:\hnnbnh.exec:\hnnbnh.exe51⤵
- Executes dropped EXE
PID:864 -
\??\c:\pppjd.exec:\pppjd.exe52⤵
- Executes dropped EXE
PID:3896 -
\??\c:\1xlflfr.exec:\1xlflfr.exe53⤵
- Executes dropped EXE
PID:4616 -
\??\c:\7htnhh.exec:\7htnhh.exe54⤵
- Executes dropped EXE
PID:2372 -
\??\c:\9ddjd.exec:\9ddjd.exe55⤵
- Executes dropped EXE
PID:4288 -
\??\c:\lrlxfxl.exec:\lrlxfxl.exe56⤵
- Executes dropped EXE
PID:4528 -
\??\c:\nhhbbb.exec:\nhhbbb.exe57⤵
- Executes dropped EXE
PID:5004 -
\??\c:\7ttnbt.exec:\7ttnbt.exe58⤵
- Executes dropped EXE
PID:4980 -
\??\c:\vjjvj.exec:\vjjvj.exe59⤵
- Executes dropped EXE
PID:4848 -
\??\c:\xfrffrf.exec:\xfrffrf.exe60⤵
- Executes dropped EXE
PID:2224 -
\??\c:\bhbnbt.exec:\bhbnbt.exe61⤵
- Executes dropped EXE
PID:3328 -
\??\c:\hbbnth.exec:\hbbnth.exe62⤵
- Executes dropped EXE
PID:1376 -
\??\c:\7pdvd.exec:\7pdvd.exe63⤵
- Executes dropped EXE
PID:3736 -
\??\c:\rxrfrlx.exec:\rxrfrlx.exe64⤵
- Executes dropped EXE
PID:2740 -
\??\c:\rxfxlxl.exec:\rxfxlxl.exe65⤵
- Executes dropped EXE
PID:3816 -
\??\c:\htbnnh.exec:\htbnnh.exe66⤵PID:3204
-
\??\c:\vddpv.exec:\vddpv.exe67⤵PID:4268
-
\??\c:\pddpd.exec:\pddpd.exe68⤵PID:3044
-
\??\c:\1frflxl.exec:\1frflxl.exe69⤵PID:4452
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe70⤵PID:3852
-
\??\c:\bnhbnh.exec:\bnhbnh.exe71⤵PID:2568
-
\??\c:\5jdpv.exec:\5jdpv.exe72⤵PID:2936
-
\??\c:\xllrllx.exec:\xllrllx.exe73⤵PID:1156
-
\??\c:\btbtnn.exec:\btbtnn.exe74⤵PID:2424
-
\??\c:\ttbtnn.exec:\ttbtnn.exe75⤵PID:1436
-
\??\c:\jjpdj.exec:\jjpdj.exe76⤵PID:5092
-
\??\c:\5rlrllr.exec:\5rlrllr.exe77⤵
- System Location Discovery: System Language Discovery
PID:1768 -
\??\c:\7pjjj.exec:\7pjjj.exe78⤵PID:1260
-
\??\c:\rxxlrlx.exec:\rxxlrlx.exe79⤵PID:2464
-
\??\c:\lxrfxrf.exec:\lxrfxrf.exe80⤵PID:4824
-
\??\c:\htbtnn.exec:\htbtnn.exe81⤵PID:404
-
\??\c:\pjdjv.exec:\pjdjv.exe82⤵PID:1464
-
\??\c:\rlxlfxf.exec:\rlxlfxf.exe83⤵PID:812
-
\??\c:\ntbtbt.exec:\ntbtbt.exe84⤵PID:4232
-
\??\c:\1hhtbt.exec:\1hhtbt.exe85⤵PID:808
-
\??\c:\1jjvp.exec:\1jjvp.exe86⤵PID:372
-
\??\c:\xrxlxfr.exec:\xrxlxfr.exe87⤵PID:2436
-
\??\c:\frxrlff.exec:\frxrlff.exe88⤵PID:3968
-
\??\c:\nhhbbn.exec:\nhhbbn.exe89⤵PID:1588
-
\??\c:\9djdv.exec:\9djdv.exe90⤵PID:1584
-
\??\c:\7xrrlll.exec:\7xrrlll.exe91⤵PID:2700
-
\??\c:\nthbth.exec:\nthbth.exe92⤵PID:5080
-
\??\c:\pjjpd.exec:\pjjpd.exe93⤵
- System Location Discovery: System Language Discovery
PID:1976 -
\??\c:\vvppj.exec:\vvppj.exe94⤵PID:1696
-
\??\c:\rfrflfr.exec:\rfrflfr.exe95⤵PID:4568
-
\??\c:\btnbnh.exec:\btnbnh.exe96⤵PID:2112
-
\??\c:\pdpdj.exec:\pdpdj.exe97⤵PID:3984
-
\??\c:\dpppv.exec:\dpppv.exe98⤵PID:2356
-
\??\c:\llfrrll.exec:\llfrrll.exe99⤵PID:1448
-
\??\c:\3bbntn.exec:\3bbntn.exe100⤵PID:4476
-
\??\c:\bbbthb.exec:\bbbthb.exe101⤵PID:1780
-
\??\c:\pdvjp.exec:\pdvjp.exe102⤵PID:4748
-
\??\c:\fxlffxf.exec:\fxlffxf.exe103⤵PID:1164
-
\??\c:\fffxlfr.exec:\fffxlfr.exe104⤵PID:2400
-
\??\c:\1nnhbn.exec:\1nnhbn.exe105⤵PID:2228
-
\??\c:\ddpdp.exec:\ddpdp.exe106⤵PID:3288
-
\??\c:\ppvpp.exec:\ppvpp.exe107⤵PID:3084
-
\??\c:\llfrxrl.exec:\llfrxrl.exe108⤵PID:4864
-
\??\c:\5hbnbt.exec:\5hbnbt.exe109⤵PID:3504
-
\??\c:\nnthnh.exec:\nnthnh.exe110⤵PID:2816
-
\??\c:\1ddvj.exec:\1ddvj.exe111⤵PID:864
-
\??\c:\llfxxxf.exec:\llfxxxf.exe112⤵PID:3896
-
\??\c:\tnthbt.exec:\tnthbt.exe113⤵PID:4616
-
\??\c:\bbnhnn.exec:\bbnhnn.exe114⤵PID:2372
-
\??\c:\jjvpd.exec:\jjvpd.exe115⤵PID:4196
-
\??\c:\7xlfrfr.exec:\7xlfrfr.exe116⤵PID:4528
-
\??\c:\hntnbb.exec:\hntnbb.exe117⤵PID:2552
-
\??\c:\5vvpv.exec:\5vvpv.exe118⤵PID:4968
-
\??\c:\rrxlxxl.exec:\rrxlxxl.exe119⤵PID:4848
-
\??\c:\thbhhn.exec:\thbhhn.exe120⤵PID:1704
-
\??\c:\7jdpd.exec:\7jdpd.exe121⤵PID:2940
-
\??\c:\3rlxlfr.exec:\3rlxlfr.exe122⤵PID:4236