Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/12/2024, 21:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1ffae2f8410d0f94bc2eac7b303df23c89f37f942863371acebe333085e535b9N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1ffae2f8410d0f94bc2eac7b303df23c89f37f942863371acebe333085e535b9N.exe
-
Size
453KB
-
MD5
372f6f8aaabb6dd679f8f98c60440050
-
SHA1
3230f4dcdd9ccf744f8da0d8a2026896d035fee9
-
SHA256
1ffae2f8410d0f94bc2eac7b303df23c89f37f942863371acebe333085e535b9
-
SHA512
6b55f80dc81e35fe0067fe75ba67ff6003b63d3c9f3c1d29062cef904c9294a5465e12335c942e6d21148e2c9335b35a886bdcd60a68c37a2a89e1f3451ce59f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2292-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4760-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/488-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-911-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4988-1358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2176 nhthtn.exe 2292 1jdpj.exe 3920 7xrlrlf.exe 1064 bbhbhb.exe 2944 bnthth.exe 2756 7flxxrx.exe 936 bnnbtn.exe 3380 3ffrrlr.exe 3224 pddpp.exe 808 pppdd.exe 3212 lxfrrll.exe 100 lxrrrrr.exe 4312 1dvjv.exe 2040 1hthbb.exe 3428 vpjvj.exe 4928 ffrlrxr.exe 2300 hthbnh.exe 1444 dppdv.exe 2188 bhhbnh.exe 1744 vddpd.exe 4444 lfrllfr.exe 4760 nhbtnb.exe 3300 vpvjv.exe 1704 5ffxrrl.exe 4976 btnhtt.exe 4908 7rrlxxf.exe 1680 ntthtn.exe 732 7jdvj.exe 3804 hbhthb.exe 2912 vppdp.exe 4128 jddpv.exe 4364 pjdvv.exe 4868 rrrflfx.exe 3348 7rrxrlx.exe 3288 bnnbtn.exe 5080 9jdpd.exe 3272 bhhthb.exe 4948 bbhbhb.exe 4368 7vvpj.exe 320 5xfrfxx.exe 892 hhnnnh.exe 548 dpjvp.exe 4340 nbnbht.exe 4568 bbbntn.exe 4792 dvpjd.exe 4644 vjjdd.exe 3160 rrxllll.exe 3648 hnhnbt.exe 2144 vjjvj.exe 4740 5xxxrfx.exe 3712 tnhhtt.exe 3436 3pjvp.exe 2176 vddjv.exe 488 lxxxffl.exe 464 nthhtb.exe 1888 1vpjv.exe 2276 fflfxxl.exe 1640 9htnhb.exe 1348 dppdv.exe 2244 dpjvv.exe 4824 fllrrrf.exe 4880 nnbnbt.exe 3380 jdvpj.exe 3224 5jvpd.exe -
resource yara_rule behavioral2/memory/2292-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1704-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/488-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4120-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-654-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbnhb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbtnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3436 wrote to memory of 2176 3436 1ffae2f8410d0f94bc2eac7b303df23c89f37f942863371acebe333085e535b9N.exe 82 PID 3436 wrote to memory of 2176 3436 1ffae2f8410d0f94bc2eac7b303df23c89f37f942863371acebe333085e535b9N.exe 82 PID 3436 wrote to memory of 2176 3436 1ffae2f8410d0f94bc2eac7b303df23c89f37f942863371acebe333085e535b9N.exe 82 PID 2176 wrote to memory of 2292 2176 nhthtn.exe 83 PID 2176 wrote to memory of 2292 2176 nhthtn.exe 83 PID 2176 wrote to memory of 2292 2176 nhthtn.exe 83 PID 2292 wrote to memory of 3920 2292 1jdpj.exe 84 PID 2292 wrote to memory of 3920 2292 1jdpj.exe 84 PID 2292 wrote to memory of 3920 2292 1jdpj.exe 84 PID 3920 wrote to memory of 1064 3920 7xrlrlf.exe 85 PID 3920 wrote to memory of 1064 3920 7xrlrlf.exe 85 PID 3920 wrote to memory of 1064 3920 7xrlrlf.exe 85 PID 1064 wrote to memory of 2944 1064 bbhbhb.exe 86 PID 1064 wrote to memory of 2944 1064 bbhbhb.exe 86 PID 1064 wrote to memory of 2944 1064 bbhbhb.exe 86 PID 2944 wrote to memory of 2756 2944 bnthth.exe 87 PID 2944 wrote to memory of 2756 2944 bnthth.exe 87 PID 2944 wrote to memory of 2756 2944 bnthth.exe 87 PID 2756 wrote to memory of 936 2756 7flxxrx.exe 88 PID 2756 wrote to memory of 936 2756 7flxxrx.exe 88 PID 2756 wrote to memory of 936 2756 7flxxrx.exe 88 PID 936 wrote to memory of 3380 936 bnnbtn.exe 89 PID 936 wrote to memory of 3380 936 bnnbtn.exe 89 PID 936 wrote to memory of 3380 936 bnnbtn.exe 89 PID 3380 wrote to memory of 3224 3380 3ffrrlr.exe 90 PID 3380 wrote to memory of 3224 3380 3ffrrlr.exe 90 PID 3380 wrote to memory of 3224 3380 3ffrrlr.exe 90 PID 3224 wrote to memory of 808 3224 pddpp.exe 91 PID 3224 wrote to memory of 808 3224 pddpp.exe 91 PID 3224 wrote to memory of 808 3224 pddpp.exe 91 PID 808 wrote to memory of 3212 808 pppdd.exe 92 PID 808 wrote to memory of 3212 808 pppdd.exe 92 PID 808 wrote to memory of 3212 808 pppdd.exe 92 PID 3212 wrote to memory of 100 3212 lxfrrll.exe 93 PID 3212 wrote to memory of 100 
3212 lxfrrll.exe 93 PID 3212 wrote to memory of 100 3212 lxfrrll.exe 93 PID 100 wrote to memory of 4312 100 lxrrrrr.exe 94 PID 100 wrote to memory of 4312 100 lxrrrrr.exe 94 PID 100 wrote to memory of 4312 100 lxrrrrr.exe 94 PID 4312 wrote to memory of 2040 4312 1dvjv.exe 95 PID 4312 wrote to memory of 2040 4312 1dvjv.exe 95 PID 4312 wrote to memory of 2040 4312 1dvjv.exe 95 PID 2040 wrote to memory of 3428 2040 1hthbb.exe 96 PID 2040 wrote to memory of 3428 2040 1hthbb.exe 96 PID 2040 wrote to memory of 3428 2040 1hthbb.exe 96 PID 3428 wrote to memory of 4928 3428 vpjvj.exe 97 PID 3428 wrote to memory of 4928 3428 vpjvj.exe 97 PID 3428 wrote to memory of 4928 3428 vpjvj.exe 97 PID 4928 wrote to memory of 2300 4928 ffrlrxr.exe 98 PID 4928 wrote to memory of 2300 4928 ffrlrxr.exe 98 PID 4928 wrote to memory of 2300 4928 ffrlrxr.exe 98 PID 2300 wrote to memory of 1444 2300 hthbnh.exe 99 PID 2300 wrote to memory of 1444 2300 hthbnh.exe 99 PID 2300 wrote to memory of 1444 2300 hthbnh.exe 99 PID 1444 wrote to memory of 2188 1444 dppdv.exe 100 PID 1444 wrote to memory of 2188 1444 dppdv.exe 100 PID 1444 wrote to memory of 2188 1444 dppdv.exe 100 PID 2188 wrote to memory of 1744 2188 bhhbnh.exe 101 PID 2188 wrote to memory of 1744 2188 bhhbnh.exe 101 PID 2188 wrote to memory of 1744 2188 bhhbnh.exe 101 PID 1744 wrote to memory of 4444 1744 vddpd.exe 102 PID 1744 wrote to memory of 4444 1744 vddpd.exe 102 PID 1744 wrote to memory of 4444 1744 vddpd.exe 102 PID 4444 wrote to memory of 4760 4444 lfrllfr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ffae2f8410d0f94bc2eac7b303df23c89f37f942863371acebe333085e535b9N.exe"C:\Users\Admin\AppData\Local\Temp\1ffae2f8410d0f94bc2eac7b303df23c89f37f942863371acebe333085e535b9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\nhthtn.exec:\nhthtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\1jdpj.exec:\1jdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\7xrlrlf.exec:\7xrlrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\bbhbhb.exec:\bbhbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\bnthth.exec:\bnthth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\7flxxrx.exec:\7flxxrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\bnnbtn.exec:\bnnbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\3ffrrlr.exec:\3ffrrlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\pddpp.exec:\pddpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\pppdd.exec:\pppdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\lxfrrll.exec:\lxfrrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\lxrrrrr.exec:\lxrrrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\1dvjv.exec:\1dvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\1hthbb.exec:\1hthbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\vpjvj.exec:\vpjvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\ffrlrxr.exec:\ffrlrxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\hthbnh.exec:\hthbnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\dppdv.exec:\dppdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\bhhbnh.exec:\bhhbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\vddpd.exec:\vddpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\lfrllfr.exec:\lfrllfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\nhbtnb.exec:\nhbtnb.exe23⤵
- Executes dropped EXE
PID:4760 -
\??\c:\vpvjv.exec:\vpvjv.exe24⤵
- Executes dropped EXE
PID:3300 -
\??\c:\5ffxrrl.exec:\5ffxrrl.exe25⤵
- Executes dropped EXE
PID:1704 -
\??\c:\btnhtt.exec:\btnhtt.exe26⤵
- Executes dropped EXE
PID:4976 -
\??\c:\7rrlxxf.exec:\7rrlxxf.exe27⤵
- Executes dropped EXE
PID:4908 -
\??\c:\ntthtn.exec:\ntthtn.exe28⤵
- Executes dropped EXE
PID:1680 -
\??\c:\7jdvj.exec:\7jdvj.exe29⤵
- Executes dropped EXE
PID:732 -
\??\c:\hbhthb.exec:\hbhthb.exe30⤵
- Executes dropped EXE
PID:3804 -
\??\c:\vppdp.exec:\vppdp.exe31⤵
- Executes dropped EXE
PID:2912 -
\??\c:\jddpv.exec:\jddpv.exe32⤵
- Executes dropped EXE
PID:4128 -
\??\c:\pjdvv.exec:\pjdvv.exe33⤵
- Executes dropped EXE
PID:4364 -
\??\c:\rrrflfx.exec:\rrrflfx.exe34⤵
- Executes dropped EXE
PID:4868 -
\??\c:\7rrxrlx.exec:\7rrxrlx.exe35⤵
- Executes dropped EXE
PID:3348 -
\??\c:\bnnbtn.exec:\bnnbtn.exe36⤵
- Executes dropped EXE
PID:3288 -
\??\c:\9jdpd.exec:\9jdpd.exe37⤵
- Executes dropped EXE
PID:5080 -
\??\c:\bhhthb.exec:\bhhthb.exe38⤵
- Executes dropped EXE
PID:3272 -
\??\c:\bbhbhb.exec:\bbhbhb.exe39⤵
- Executes dropped EXE
PID:4948 -
\??\c:\7vvpj.exec:\7vvpj.exe40⤵
- Executes dropped EXE
PID:4368 -
\??\c:\5xfrfxx.exec:\5xfrfxx.exe41⤵
- Executes dropped EXE
PID:320 -
\??\c:\hhnnnh.exec:\hhnnnh.exe42⤵
- Executes dropped EXE
PID:892 -
\??\c:\dpjvp.exec:\dpjvp.exe43⤵
- Executes dropped EXE
PID:548 -
\??\c:\nbnbht.exec:\nbnbht.exe44⤵
- Executes dropped EXE
PID:4340 -
\??\c:\bbbntn.exec:\bbbntn.exe45⤵
- Executes dropped EXE
PID:4568 -
\??\c:\dvpjd.exec:\dvpjd.exe46⤵
- Executes dropped EXE
PID:4792 -
\??\c:\vjjdd.exec:\vjjdd.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4644 -
\??\c:\rrxllll.exec:\rrxllll.exe48⤵
- Executes dropped EXE
PID:3160 -
\??\c:\hnhnbt.exec:\hnhnbt.exe49⤵
- Executes dropped EXE
PID:3648 -
\??\c:\vjjvj.exec:\vjjvj.exe50⤵
- Executes dropped EXE
PID:2144 -
\??\c:\5xxxrfx.exec:\5xxxrfx.exe51⤵
- Executes dropped EXE
PID:4740 -
\??\c:\tnhhtt.exec:\tnhhtt.exe52⤵
- Executes dropped EXE
PID:3712 -
\??\c:\3pjvp.exec:\3pjvp.exe53⤵
- Executes dropped EXE
PID:3436 -
\??\c:\vddjv.exec:\vddjv.exe54⤵
- Executes dropped EXE
PID:2176 -
\??\c:\lxxxffl.exec:\lxxxffl.exe55⤵
- Executes dropped EXE
PID:488 -
\??\c:\nthhtb.exec:\nthhtb.exe56⤵
- Executes dropped EXE
PID:464 -
\??\c:\1vpjv.exec:\1vpjv.exe57⤵
- Executes dropped EXE
PID:1888 -
\??\c:\fflfxxl.exec:\fflfxxl.exe58⤵
- Executes dropped EXE
PID:2276 -
\??\c:\9htnhb.exec:\9htnhb.exe59⤵
- Executes dropped EXE
PID:1640 -
\??\c:\dppdv.exec:\dppdv.exe60⤵
- Executes dropped EXE
PID:1348 -
\??\c:\dpjvv.exec:\dpjvv.exe61⤵
- Executes dropped EXE
PID:2244 -
\??\c:\fllrrrf.exec:\fllrrrf.exe62⤵
- Executes dropped EXE
PID:4824 -
\??\c:\nnbnbt.exec:\nnbnbt.exe63⤵
- Executes dropped EXE
PID:4880 -
\??\c:\jdvpj.exec:\jdvpj.exe64⤵
- Executes dropped EXE
PID:3380 -
\??\c:\5jvpd.exec:\5jvpd.exe65⤵
- Executes dropped EXE
PID:3224 -
\??\c:\fxfrxfx.exec:\fxfrxfx.exe66⤵PID:2652
-
\??\c:\5btbnh.exec:\5btbnh.exe67⤵PID:5008
-
\??\c:\vjvpd.exec:\vjvpd.exe68⤵PID:5060
-
\??\c:\pdpdj.exec:\pdpdj.exe69⤵PID:2544
-
\??\c:\9fxlxrf.exec:\9fxlxrf.exe70⤵PID:748
-
\??\c:\7hbntn.exec:\7hbntn.exe71⤵PID:3620
-
\??\c:\ddddj.exec:\ddddj.exe72⤵PID:1968
-
\??\c:\rfrxrlf.exec:\rfrxrlf.exe73⤵PID:212
-
\??\c:\nhhtnh.exec:\nhhtnh.exe74⤵PID:4864
-
\??\c:\5vvpp.exec:\5vvpp.exe75⤵PID:4120
-
\??\c:\pddpj.exec:\pddpj.exe76⤵PID:3092
-
\??\c:\1rfxlrl.exec:\1rfxlrl.exe77⤵PID:2728
-
\??\c:\bhhthb.exec:\bhhthb.exe78⤵PID:3136
-
\??\c:\pdpjv.exec:\pdpjv.exe79⤵
- System Location Discovery: System Language Discovery
PID:1444 -
\??\c:\9dpdv.exec:\9dpdv.exe80⤵PID:3996
-
\??\c:\fxrffxf.exec:\fxrffxf.exe81⤵PID:4548
-
\??\c:\3ntnhb.exec:\3ntnhb.exe82⤵PID:2896
-
\??\c:\jdvpp.exec:\jdvpp.exe83⤵PID:4088
-
\??\c:\9jvjp.exec:\9jvjp.exe84⤵PID:4844
-
\??\c:\rlxxrll.exec:\rlxxrll.exe85⤵PID:2616
-
\??\c:\bbbtbb.exec:\bbbtbb.exe86⤵PID:2164
-
\??\c:\jdvjv.exec:\jdvjv.exe87⤵PID:3616
-
\??\c:\rlrfrll.exec:\rlrfrll.exe88⤵PID:4524
-
\??\c:\lxlfrlf.exec:\lxlfrlf.exe89⤵PID:3592
-
\??\c:\htttnt.exec:\htttnt.exe90⤵PID:4908
-
\??\c:\5ddpj.exec:\5ddpj.exe91⤵PID:1616
-
\??\c:\frxxlll.exec:\frxxlll.exe92⤵PID:2368
-
\??\c:\thtnhh.exec:\thtnhh.exe93⤵PID:4476
-
\??\c:\thnbtt.exec:\thnbtt.exe94⤵PID:3368
-
\??\c:\vpvvp.exec:\vpvvp.exe95⤵PID:4664
-
\??\c:\xxfxrfx.exec:\xxfxrfx.exe96⤵PID:3504
-
\??\c:\9hbtnn.exec:\9hbtnn.exe97⤵PID:4128
-
\??\c:\httnbt.exec:\httnbt.exe98⤵PID:4276
-
\??\c:\vdjdj.exec:\vdjdj.exe99⤵PID:3512
-
\??\c:\lxlfrxr.exec:\lxlfrxr.exe100⤵PID:2964
-
\??\c:\hbbttt.exec:\hbbttt.exe101⤵PID:3348
-
\??\c:\1bnbtt.exec:\1bnbtt.exe102⤵PID:1488
-
\??\c:\9djdv.exec:\9djdv.exe103⤵PID:4680
-
\??\c:\rrxxfxf.exec:\rrxxfxf.exe104⤵PID:3272
-
\??\c:\nnhhbh.exec:\nnhhbh.exe105⤵PID:3156
-
\??\c:\9pjdv.exec:\9pjdv.exe106⤵PID:1448
-
\??\c:\flxxlrx.exec:\flxxlrx.exe107⤵PID:1872
-
\??\c:\bnnhbt.exec:\bnnhbt.exe108⤵PID:4788
-
\??\c:\3btntt.exec:\3btntt.exe109⤵PID:5048
-
\??\c:\9ppjj.exec:\9ppjj.exe110⤵PID:3208
-
\??\c:\fxrlxxx.exec:\fxrlxxx.exe111⤵PID:4340
-
\??\c:\rrrrxxr.exec:\rrrrxxr.exe112⤵PID:4568
-
\??\c:\tnnthh.exec:\tnnthh.exe113⤵PID:4792
-
\??\c:\7bhbtt.exec:\7bhbtt.exe114⤵PID:4644
-
\??\c:\vdjdv.exec:\vdjdv.exe115⤵PID:2052
-
\??\c:\rrxxfxx.exec:\rrxxfxx.exe116⤵PID:3404
-
\??\c:\9ntntn.exec:\9ntntn.exe117⤵PID:4856
-
\??\c:\pddvj.exec:\pddvj.exe118⤵PID:3716
-
\??\c:\fxlfffl.exec:\fxlfffl.exe119⤵PID:3852
-
\??\c:\btbbtn.exec:\btbbtn.exe120⤵PID:3712
-
\??\c:\nhnbbt.exec:\nhnbbt.exe121⤵PID:3436
-
\??\c:\vdvpj.exec:\vdvpj.exe122⤵PID:3560
-