Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
945f8995c638b331510bd7a5fc6cfc13993fbe04d01e07eb83fab6a0a7c1a83eN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
945f8995c638b331510bd7a5fc6cfc13993fbe04d01e07eb83fab6a0a7c1a83eN.exe
-
Size
453KB
-
MD5
e5211139ca110e1840e72ef2c22cd410
-
SHA1
c19cbf1998925420adfefc8d43f596288498bc21
-
SHA256
945f8995c638b331510bd7a5fc6cfc13993fbe04d01e07eb83fab6a0a7c1a83e
-
SHA512
f5603afb7e4fcbfc64ea0d6e505327a05aeb67bb03bfe5e82ac00cb2e7275424af489e1977e237d7d0b5c1d6093db3023310f83e991ea15f6a769ea7720c9d18
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2608-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1112-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1220-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-1182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-1682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1284 btnhnh.exe 3648 jddpj.exe 1864 1nhbbb.exe 388 jdjdv.exe 1652 nhnhtn.exe 3228 pvvpj.exe 2400 lfxlfxr.exe 4496 vjvvv.exe 2644 1fffxrr.exe 1504 5vvdd.exe 1640 bbnnbt.exe 2796 xxrlllf.exe 3052 tnhttn.exe 4960 llxxrxr.exe 4104 9ttbtt.exe 2376 7jpdv.exe 4768 xrxrrrl.exe 1584 tttnhh.exe 4632 ppdvp.exe 700 hhhbtt.exe 4848 nhtnnh.exe 2872 fxxrlll.exe 3544 bthhnn.exe 1728 7vpjd.exe 1112 ffflffx.exe 1028 thhnhb.exe 1128 7frlxxr.exe 2856 tnnnhh.exe 5104 btnhnn.exe 3932 nthnhn.exe 4432 ttnhhh.exe 336 dpvpj.exe 1560 htnhhh.exe 2068 3jdvj.exe 1748 vddvp.exe 1708 rrfxrlf.exe 1668 bnttnn.exe 2356 pvdvp.exe 3624 rrxlrrl.exe 1956 xflfxxx.exe 2124 tbhbbt.exe 1928 jjdvp.exe 5088 dvvpd.exe 4784 xxlxrrl.exe 64 nnbnhn.exe 4076 bbnnnn.exe 1528 5dvpj.exe 5080 dvdvp.exe 3924 9xfxfff.exe 4932 nhhnnn.exe 4116 vpppp.exe 2016 xxxllll.exe 2372 btbbhb.exe 3200 9pjdv.exe 2668 dpddv.exe 5096 lrffrrr.exe 3108 ttbbbn.exe 3428 ppdpv.exe 3012 vdpdd.exe 1416 rflfxxr.exe 2248 nbnnhb.exe 4496 ppppj.exe 2760 djpjd.exe 4512 lxfxrrl.exe -
resource yara_rule behavioral2/memory/2608-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1028-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4996-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-779-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 945f8995c638b331510bd7a5fc6cfc13993fbe04d01e07eb83fab6a0a7c1a83eN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2608 wrote to memory of 1284 2608 945f8995c638b331510bd7a5fc6cfc13993fbe04d01e07eb83fab6a0a7c1a83eN.exe 84 PID 2608 wrote to memory of 1284 2608 945f8995c638b331510bd7a5fc6cfc13993fbe04d01e07eb83fab6a0a7c1a83eN.exe 84 PID 2608 wrote to memory of 1284 2608 945f8995c638b331510bd7a5fc6cfc13993fbe04d01e07eb83fab6a0a7c1a83eN.exe 84 PID 1284 wrote to memory of 3648 1284 btnhnh.exe 85 PID 1284 wrote to memory of 3648 1284 btnhnh.exe 85 PID 1284 wrote to memory of 3648 1284 btnhnh.exe 85 PID 3648 wrote to memory of 1864 3648 jddpj.exe 86 PID 3648 wrote to memory of 1864 3648 jddpj.exe 86 PID 3648 wrote to memory of 1864 3648 jddpj.exe 86 PID 1864 wrote to memory of 388 1864 1nhbbb.exe 87 PID 1864 wrote to memory of 388 1864 1nhbbb.exe 87 PID 1864 wrote to memory of 388 1864 1nhbbb.exe 87 PID 388 wrote to memory of 1652 388 jdjdv.exe 88 PID 388 wrote to memory of 1652 388 jdjdv.exe 88 PID 388 wrote to memory of 1652 388 jdjdv.exe 88 PID 1652 wrote to memory of 3228 1652 nhnhtn.exe 89 PID 1652 wrote to memory of 3228 1652 nhnhtn.exe 89 PID 1652 wrote to memory of 3228 1652 nhnhtn.exe 89 PID 3228 wrote to memory of 2400 3228 pvvpj.exe 90 PID 3228 wrote to memory of 2400 3228 pvvpj.exe 90 PID 3228 wrote to memory of 2400 3228 pvvpj.exe 90 PID 2400 wrote to memory of 4496 2400 lfxlfxr.exe 91 PID 2400 wrote to memory of 4496 2400 lfxlfxr.exe 91 PID 2400 wrote to memory of 4496 2400 lfxlfxr.exe 91 PID 4496 wrote to memory of 2644 4496 vjvvv.exe 92 PID 4496 wrote to memory of 2644 4496 vjvvv.exe 92 PID 4496 wrote to memory of 2644 4496 vjvvv.exe 92 PID 2644 wrote to memory of 1504 2644 1fffxrr.exe 93 PID 2644 wrote to memory of 1504 2644 1fffxrr.exe 93 PID 2644 wrote to memory of 1504 2644 1fffxrr.exe 93 PID 1504 wrote to memory of 1640 1504 5vvdd.exe 94 PID 1504 wrote to memory of 1640 1504 5vvdd.exe 94 PID 1504 wrote to memory of 1640 1504 5vvdd.exe 94 PID 1640 wrote to memory of 2796 1640 bbnnbt.exe 95 PID 1640 wrote to memory of 2796 
1640 bbnnbt.exe 95 PID 1640 wrote to memory of 2796 1640 bbnnbt.exe 95 PID 2796 wrote to memory of 3052 2796 xxrlllf.exe 96 PID 2796 wrote to memory of 3052 2796 xxrlllf.exe 96 PID 2796 wrote to memory of 3052 2796 xxrlllf.exe 96 PID 3052 wrote to memory of 4960 3052 tnhttn.exe 97 PID 3052 wrote to memory of 4960 3052 tnhttn.exe 97 PID 3052 wrote to memory of 4960 3052 tnhttn.exe 97 PID 4960 wrote to memory of 4104 4960 llxxrxr.exe 98 PID 4960 wrote to memory of 4104 4960 llxxrxr.exe 98 PID 4960 wrote to memory of 4104 4960 llxxrxr.exe 98 PID 4104 wrote to memory of 2376 4104 9ttbtt.exe 99 PID 4104 wrote to memory of 2376 4104 9ttbtt.exe 99 PID 4104 wrote to memory of 2376 4104 9ttbtt.exe 99 PID 2376 wrote to memory of 4768 2376 7jpdv.exe 100 PID 2376 wrote to memory of 4768 2376 7jpdv.exe 100 PID 2376 wrote to memory of 4768 2376 7jpdv.exe 100 PID 4768 wrote to memory of 1584 4768 xrxrrrl.exe 101 PID 4768 wrote to memory of 1584 4768 xrxrrrl.exe 101 PID 4768 wrote to memory of 1584 4768 xrxrrrl.exe 101 PID 1584 wrote to memory of 4632 1584 tttnhh.exe 102 PID 1584 wrote to memory of 4632 1584 tttnhh.exe 102 PID 1584 wrote to memory of 4632 1584 tttnhh.exe 102 PID 4632 wrote to memory of 700 4632 ppdvp.exe 103 PID 4632 wrote to memory of 700 4632 ppdvp.exe 103 PID 4632 wrote to memory of 700 4632 ppdvp.exe 103 PID 700 wrote to memory of 4848 700 hhhbtt.exe 104 PID 700 wrote to memory of 4848 700 hhhbtt.exe 104 PID 700 wrote to memory of 4848 700 hhhbtt.exe 104 PID 4848 wrote to memory of 2872 4848 nhtnnh.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\945f8995c638b331510bd7a5fc6cfc13993fbe04d01e07eb83fab6a0a7c1a83eN.exe"C:\Users\Admin\AppData\Local\Temp\945f8995c638b331510bd7a5fc6cfc13993fbe04d01e07eb83fab6a0a7c1a83eN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\btnhnh.exec:\btnhnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\jddpj.exec:\jddpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\1nhbbb.exec:\1nhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\jdjdv.exec:\jdjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\nhnhtn.exec:\nhnhtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\pvvpj.exec:\pvvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\lfxlfxr.exec:\lfxlfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\vjvvv.exec:\vjvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\1fffxrr.exec:\1fffxrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\5vvdd.exec:\5vvdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\bbnnbt.exec:\bbnnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\xxrlllf.exec:\xxrlllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\tnhttn.exec:\tnhttn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\llxxrxr.exec:\llxxrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\9ttbtt.exec:\9ttbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\7jpdv.exec:\7jpdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\tttnhh.exec:\tttnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\ppdvp.exec:\ppdvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\hhhbtt.exec:\hhhbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\nhtnnh.exec:\nhtnnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\fxxrlll.exec:\fxxrlll.exe23⤵
- Executes dropped EXE
PID:2872 -
\??\c:\bthhnn.exec:\bthhnn.exe24⤵
- Executes dropped EXE
PID:3544 -
\??\c:\7vpjd.exec:\7vpjd.exe25⤵
- Executes dropped EXE
PID:1728 -
\??\c:\ffflffx.exec:\ffflffx.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1112 -
\??\c:\thhnhb.exec:\thhnhb.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\7frlxxr.exec:\7frlxxr.exe28⤵
- Executes dropped EXE
PID:1128 -
\??\c:\tnnnhh.exec:\tnnnhh.exe29⤵
- Executes dropped EXE
PID:2856 -
\??\c:\btnhnn.exec:\btnhnn.exe30⤵
- Executes dropped EXE
PID:5104 -
\??\c:\nthnhn.exec:\nthnhn.exe31⤵
- Executes dropped EXE
PID:3932 -
\??\c:\ttnhhh.exec:\ttnhhh.exe32⤵
- Executes dropped EXE
PID:4432 -
\??\c:\dpvpj.exec:\dpvpj.exe33⤵
- Executes dropped EXE
PID:336 -
\??\c:\htnhhh.exec:\htnhhh.exe34⤵
- Executes dropped EXE
PID:1560 -
\??\c:\3jdvj.exec:\3jdvj.exe35⤵
- Executes dropped EXE
PID:2068 -
\??\c:\vddvp.exec:\vddvp.exe36⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rrfxrlf.exec:\rrfxrlf.exe37⤵
- Executes dropped EXE
PID:1708 -
\??\c:\bnttnn.exec:\bnttnn.exe38⤵
- Executes dropped EXE
PID:1668 -
\??\c:\pvdvp.exec:\pvdvp.exe39⤵
- Executes dropped EXE
PID:2356 -
\??\c:\rrxlrrl.exec:\rrxlrrl.exe40⤵
- Executes dropped EXE
PID:3624 -
\??\c:\xflfxxx.exec:\xflfxxx.exe41⤵
- Executes dropped EXE
PID:1956 -
\??\c:\tbhbbt.exec:\tbhbbt.exe42⤵
- Executes dropped EXE
PID:2124 -
\??\c:\jjdvp.exec:\jjdvp.exe43⤵
- Executes dropped EXE
PID:1928 -
\??\c:\dvvpd.exec:\dvvpd.exe44⤵
- Executes dropped EXE
PID:5088 -
\??\c:\xxlxrrl.exec:\xxlxrrl.exe45⤵
- Executes dropped EXE
PID:4784 -
\??\c:\nnbnhn.exec:\nnbnhn.exe46⤵
- Executes dropped EXE
PID:64 -
\??\c:\bbnnnn.exec:\bbnnnn.exe47⤵
- Executes dropped EXE
PID:4076 -
\??\c:\5dvpj.exec:\5dvpj.exe48⤵
- Executes dropped EXE
PID:1528 -
\??\c:\dvdvp.exec:\dvdvp.exe49⤵
- Executes dropped EXE
PID:5080 -
\??\c:\9xfxfff.exec:\9xfxfff.exe50⤵
- Executes dropped EXE
PID:3924 -
\??\c:\nhhnnn.exec:\nhhnnn.exe51⤵
- Executes dropped EXE
PID:4932 -
\??\c:\vpppp.exec:\vpppp.exe52⤵
- Executes dropped EXE
PID:4116 -
\??\c:\xxxllll.exec:\xxxllll.exe53⤵
- Executes dropped EXE
PID:2016 -
\??\c:\btbbhb.exec:\btbbhb.exe54⤵
- Executes dropped EXE
PID:2372 -
\??\c:\9pjdv.exec:\9pjdv.exe55⤵
- Executes dropped EXE
PID:3200 -
\??\c:\dpddv.exec:\dpddv.exe56⤵
- Executes dropped EXE
PID:2668 -
\??\c:\lrffrrr.exec:\lrffrrr.exe57⤵
- Executes dropped EXE
PID:5096 -
\??\c:\ttbbbn.exec:\ttbbbn.exe58⤵
- Executes dropped EXE
PID:3108 -
\??\c:\ppdpv.exec:\ppdpv.exe59⤵
- Executes dropped EXE
PID:3428 -
\??\c:\vdpdd.exec:\vdpdd.exe60⤵
- Executes dropped EXE
PID:3012 -
\??\c:\rflfxxr.exec:\rflfxxr.exe61⤵
- Executes dropped EXE
PID:1416 -
\??\c:\nbnnhb.exec:\nbnnhb.exe62⤵
- Executes dropped EXE
PID:2248 -
\??\c:\ppppj.exec:\ppppj.exe63⤵
- Executes dropped EXE
PID:4496 -
\??\c:\djpjd.exec:\djpjd.exe64⤵
- Executes dropped EXE
PID:2760 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe65⤵
- Executes dropped EXE
PID:4512 -
\??\c:\fllfffl.exec:\fllfffl.exe66⤵PID:3168
-
\??\c:\tbhbtn.exec:\tbhbtn.exe67⤵PID:4656
-
\??\c:\vjpjv.exec:\vjpjv.exe68⤵PID:320
-
\??\c:\llxxxll.exec:\llxxxll.exe69⤵PID:5076
-
\??\c:\xrrlffx.exec:\xrrlffx.exe70⤵PID:3152
-
\??\c:\nnnhbb.exec:\nnnhbb.exe71⤵PID:4324
-
\??\c:\pdjdd.exec:\pdjdd.exe72⤵PID:2988
-
\??\c:\xrfffff.exec:\xrfffff.exe73⤵PID:1048
-
\??\c:\rrfrrrl.exec:\rrfrrrl.exe74⤵PID:2284
-
\??\c:\tbtnhb.exec:\tbtnhb.exe75⤵PID:4080
-
\??\c:\9dddj.exec:\9dddj.exe76⤵PID:4632
-
\??\c:\frrfrlx.exec:\frrfrlx.exe77⤵PID:3336
-
\??\c:\xxrlxlf.exec:\xxrlxlf.exe78⤵PID:3292
-
\??\c:\3hnhbn.exec:\3hnhbn.exe79⤵PID:3608
-
\??\c:\pppdj.exec:\pppdj.exe80⤵PID:1220
-
\??\c:\rxfrxrl.exec:\rxfrxrl.exe81⤵PID:5068
-
\??\c:\httnhh.exec:\httnhh.exe82⤵PID:3048
-
\??\c:\bnhnbt.exec:\bnhnbt.exe83⤵PID:2592
-
\??\c:\dpjjv.exec:\dpjjv.exe84⤵PID:1112
-
\??\c:\xffrfxl.exec:\xffrfxl.exe85⤵PID:1624
-
\??\c:\nhtthb.exec:\nhtthb.exe86⤵PID:2832
-
\??\c:\bhhbhn.exec:\bhhbhn.exe87⤵PID:1128
-
\??\c:\dvvjv.exec:\dvvjv.exe88⤵PID:4864
-
\??\c:\7ffrfxl.exec:\7ffrfxl.exe89⤵PID:512
-
\??\c:\1hbthb.exec:\1hbthb.exe90⤵PID:5104
-
\??\c:\1ttntn.exec:\1ttntn.exe91⤵PID:3556
-
\??\c:\pppdp.exec:\pppdp.exe92⤵PID:4996
-
\??\c:\flrrllx.exec:\flrrllx.exe93⤵PID:3632
-
\??\c:\flrlflf.exec:\flrlflf.exe94⤵PID:5028
-
\??\c:\hbthhb.exec:\hbthhb.exe95⤵PID:1764
-
\??\c:\9ppdp.exec:\9ppdp.exe96⤵PID:4788
-
\??\c:\3rfxlfx.exec:\3rfxlfx.exe97⤵PID:2704
-
\??\c:\rffrlfr.exec:\rffrlfr.exe98⤵PID:1944
-
\??\c:\hhhthb.exec:\hhhthb.exe99⤵PID:2912
-
\??\c:\jdjvd.exec:\jdjvd.exe100⤵PID:2356
-
\??\c:\pvvpd.exec:\pvvpd.exe101⤵PID:3624
-
\??\c:\xrllrfx.exec:\xrllrfx.exe102⤵PID:1532
-
\??\c:\btbntn.exec:\btbntn.exe103⤵PID:3364
-
\??\c:\dpjvd.exec:\dpjvd.exe104⤵PID:3456
-
\??\c:\dpvjv.exec:\dpvjv.exe105⤵PID:5088
-
\??\c:\xllxfxl.exec:\xllxfxl.exe106⤵PID:4780
-
\??\c:\hntnbt.exec:\hntnbt.exe107⤵PID:368
-
\??\c:\nhnbnh.exec:\nhnbnh.exe108⤵PID:2436
-
\??\c:\pdvpv.exec:\pdvpv.exe109⤵PID:4416
-
\??\c:\lflxfxl.exec:\lflxfxl.exe110⤵PID:1540
-
\??\c:\frfxrlx.exec:\frfxrlx.exe111⤵PID:2608
-
\??\c:\tnhbnb.exec:\tnhbnb.exe112⤵PID:3560
-
\??\c:\vpdjj.exec:\vpdjj.exe113⤵PID:3272
-
\??\c:\jvdpd.exec:\jvdpd.exe114⤵PID:2860
-
\??\c:\lxfrlxx.exec:\lxfrlxx.exe115⤵PID:1960
-
\??\c:\bthhhb.exec:\bthhhb.exe116⤵PID:2876
-
\??\c:\htnbhb.exec:\htnbhb.exe117⤵PID:3496
-
\??\c:\dppjp.exec:\dppjp.exe118⤵PID:4544
-
\??\c:\rxlxlfr.exec:\rxlxlfr.exe119⤵PID:4572
-
\??\c:\hhhthb.exec:\hhhthb.exe120⤵PID:4556
-
\??\c:\nnnhhb.exec:\nnnhhb.exe121⤵PID:752
-
\??\c:\djpdv.exec:\djpdv.exe122⤵PID:3012