Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 06:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
31a558e8e4d09e9256dd6e00b7a6b1bd6929ca8b2cb20f60ccafc5bd9b8da621.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
31a558e8e4d09e9256dd6e00b7a6b1bd6929ca8b2cb20f60ccafc5bd9b8da621.exe
-
Size
455KB
-
MD5
38614abd97b11955c9f24156c9a140ff
-
SHA1
ecdd2fc2445d75086644ac0d90b05110b7fa29f2
-
SHA256
31a558e8e4d09e9256dd6e00b7a6b1bd6929ca8b2cb20f60ccafc5bd9b8da621
-
SHA512
fcbb802958f97cea6c53ea4d159f7872fca5f90350f88a771c7e193619fb2c0066a3fe0aabdf460f137026fac437351deea4604528d202ac83d162e484d89abc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every hit below is a memory dump of the 0x00400000–0x0042A000 image region of a different process in the spawn chain, not a file on disk; the same regions also match the UPX rule further down, which is consistent with each dropped EXE being a re-executed copy of one packed payload — confirm by comparing the dropped files' hashes)
resource yara_rule behavioral2/memory/1496-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/520-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3916-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2064-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-875-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-1683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-1942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (per the process tree, every dropped binary is written to and launched from the root of C:\ with a short pseudo-random name, and each one spawns the next — process-creation telemetry for executables running directly from C:\ is the cleanest detection point here)
pid Process 1984 nhtbhn.exe 4956 bhtnnt.exe 4688 4066422.exe 2188 820266.exe 2964 28826.exe 3592 1pjvv.exe 1952 4644404.exe 3100 q68822.exe 4188 pvdpv.exe 232 0860488.exe 972 7vvdp.exe 2880 nbhthh.exe 868 08204.exe 520 vpvjv.exe 948 44480.exe 4108 9vjdj.exe 5068 80402.exe 4492 tnnbnn.exe 4396 5nnbnh.exe 3980 o882048.exe 392 jdvpj.exe 3916 dppjp.exe 4792 lffrfxr.exe 2396 bntnbb.exe 2948 04486.exe 3900 jdjdj.exe 1408 m2820.exe 4160 q84862.exe 2384 fxrxlrl.exe 2840 pvdvp.exe 2436 rrxrlfx.exe 2676 266426.exe 1420 8686420.exe 3500 bhhthb.exe 3852 24480.exe 2864 8606820.exe 2560 jvjvj.exe 1828 lrrfrlf.exe 1960 tnthbh.exe 1128 k26026.exe 1920 xrxlrlx.exe 4308 rfrlxrf.exe 2376 844262.exe 1720 844826.exe 1808 0680040.exe 4956 dppjj.exe 1640 fxfxlfx.exe 1184 46426.exe 2136 4220820.exe 2964 06426.exe 3592 htnbnh.exe 1964 424826.exe 1952 hbhbtt.exe 2468 0802624.exe 2092 tnnhtt.exe 2708 640066.exe 4928 048062.exe 3376 i848604.exe 1096 bnhthb.exe 632 pvjdj.exe 3068 thhhhh.exe 4876 2048604.exe 2064 28860.exe 1940 602646.exe -
resource yara_rule behavioral2/memory/1496-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/520-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-102-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4160-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-317-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1516-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-875-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-1437-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that most entries below are attributed to "Process not Found": the sandbox could not map the event back to a live process, presumably because the short-lived dropped process had already exited when the event was recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2826482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k84088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q06048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
4226608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i804882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
tththb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c886088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q00426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes only to the child it has just spawned, three times per child, which is the pattern of ordinary process creation rather than injection into a foreign process; treat this signature as supporting evidence for the spawn chain, not as proof of code injection)
description pid Process procid_target PID 1496 wrote to memory of 1984 1496 31a558e8e4d09e9256dd6e00b7a6b1bd6929ca8b2cb20f60ccafc5bd9b8da621.exe 83 PID 1496 wrote to memory of 1984 1496 31a558e8e4d09e9256dd6e00b7a6b1bd6929ca8b2cb20f60ccafc5bd9b8da621.exe 83 PID 1496 wrote to memory of 1984 1496 31a558e8e4d09e9256dd6e00b7a6b1bd6929ca8b2cb20f60ccafc5bd9b8da621.exe 83 PID 1984 wrote to memory of 4956 1984 nhtbhn.exe 84 PID 1984 wrote to memory of 4956 1984 nhtbhn.exe 84 PID 1984 wrote to memory of 4956 1984 nhtbhn.exe 84 PID 4956 wrote to memory of 4688 4956 bhtnnt.exe 85 PID 4956 wrote to memory of 4688 4956 bhtnnt.exe 85 PID 4956 wrote to memory of 4688 4956 bhtnnt.exe 85 PID 4688 wrote to memory of 2188 4688 4066422.exe 86 PID 4688 wrote to memory of 2188 4688 4066422.exe 86 PID 4688 wrote to memory of 2188 4688 4066422.exe 86 PID 2188 wrote to memory of 2964 2188 820266.exe 87 PID 2188 wrote to memory of 2964 2188 820266.exe 87 PID 2188 wrote to memory of 2964 2188 820266.exe 87 PID 2964 wrote to memory of 3592 2964 28826.exe 88 PID 2964 wrote to memory of 3592 2964 28826.exe 88 PID 2964 wrote to memory of 3592 2964 28826.exe 88 PID 3592 wrote to memory of 1952 3592 1pjvv.exe 89 PID 3592 wrote to memory of 1952 3592 1pjvv.exe 89 PID 3592 wrote to memory of 1952 3592 1pjvv.exe 89 PID 1952 wrote to memory of 3100 1952 4644404.exe 90 PID 1952 wrote to memory of 3100 1952 4644404.exe 90 PID 1952 wrote to memory of 3100 1952 4644404.exe 90 PID 3100 wrote to memory of 4188 3100 q68822.exe 91 PID 3100 wrote to memory of 4188 3100 q68822.exe 91 PID 3100 wrote to memory of 4188 3100 q68822.exe 91 PID 4188 wrote to memory of 232 4188 pvdpv.exe 92 PID 4188 wrote to memory of 232 4188 pvdpv.exe 92 PID 4188 wrote to memory of 232 4188 pvdpv.exe 92 PID 232 wrote to memory of 972 232 0860488.exe 93 PID 232 wrote to memory of 972 232 0860488.exe 93 PID 232 wrote to memory of 972 232 0860488.exe 93 PID 972 wrote to memory of 2880 972 7vvdp.exe 94 PID 972 wrote to memory of 2880 
972 7vvdp.exe 94 PID 972 wrote to memory of 2880 972 7vvdp.exe 94 PID 2880 wrote to memory of 868 2880 nbhthh.exe 95 PID 2880 wrote to memory of 868 2880 nbhthh.exe 95 PID 2880 wrote to memory of 868 2880 nbhthh.exe 95 PID 868 wrote to memory of 520 868 08204.exe 96 PID 868 wrote to memory of 520 868 08204.exe 96 PID 868 wrote to memory of 520 868 08204.exe 96 PID 520 wrote to memory of 948 520 vpvjv.exe 97 PID 520 wrote to memory of 948 520 vpvjv.exe 97 PID 520 wrote to memory of 948 520 vpvjv.exe 97 PID 948 wrote to memory of 4108 948 44480.exe 98 PID 948 wrote to memory of 4108 948 44480.exe 98 PID 948 wrote to memory of 4108 948 44480.exe 98 PID 4108 wrote to memory of 5068 4108 9vjdj.exe 99 PID 4108 wrote to memory of 5068 4108 9vjdj.exe 99 PID 4108 wrote to memory of 5068 4108 9vjdj.exe 99 PID 5068 wrote to memory of 4492 5068 80402.exe 100 PID 5068 wrote to memory of 4492 5068 80402.exe 100 PID 5068 wrote to memory of 4492 5068 80402.exe 100 PID 4492 wrote to memory of 4396 4492 tnnbnn.exe 101 PID 4492 wrote to memory of 4396 4492 tnnbnn.exe 101 PID 4492 wrote to memory of 4396 4492 tnnbnn.exe 101 PID 4396 wrote to memory of 3980 4396 5nnbnh.exe 102 PID 4396 wrote to memory of 3980 4396 5nnbnh.exe 102 PID 4396 wrote to memory of 3980 4396 5nnbnh.exe 102 PID 3980 wrote to memory of 392 3980 o882048.exe 103 PID 3980 wrote to memory of 392 3980 o882048.exe 103 PID 3980 wrote to memory of 392 3980 o882048.exe 103 PID 392 wrote to memory of 3916 392 jdvpj.exe 104
Processes (each entry lists the image path, the command line, the tree depth marked with ⤵, the signatures that process triggered, and its PID; PIDs are reused within the run — e.g. 1496 and 4956 each appear twice — so the earlier process with that PID had already exited, and PIDs must not be used as stable identifiers for this chain)
-
C:\Users\Admin\AppData\Local\Temp\31a558e8e4d09e9256dd6e00b7a6b1bd6929ca8b2cb20f60ccafc5bd9b8da621.exe  "C:\Users\Admin\AppData\Local\Temp\31a558e8e4d09e9256dd6e00b7a6b1bd6929ca8b2cb20f60ccafc5bd9b8da621.exe"  1⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\nhtbhn.exec:\nhtbhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\bhtnnt.exec:\bhtnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\4066422.exec:\4066422.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\820266.exec:\820266.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\28826.exec:\28826.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\1pjvv.exec:\1pjvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\4644404.exec:\4644404.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\q68822.exec:\q68822.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\pvdpv.exec:\pvdpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\0860488.exec:\0860488.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\7vvdp.exec:\7vvdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\nbhthh.exec:\nbhthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\08204.exec:\08204.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\vpvjv.exec:\vpvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520 -
\??\c:\44480.exec:\44480.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\9vjdj.exec:\9vjdj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\80402.exec:\80402.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\tnnbnn.exec:\tnnbnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\5nnbnh.exec:\5nnbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\o882048.exec:\o882048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\jdvpj.exec:\jdvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\dppjp.exec:\dppjp.exe23⤵
- Executes dropped EXE
PID:3916 -
\??\c:\lffrfxr.exec:\lffrfxr.exe24⤵
- Executes dropped EXE
PID:4792 -
\??\c:\bntnbb.exec:\bntnbb.exe25⤵
- Executes dropped EXE
PID:2396 -
\??\c:\04486.exec:\04486.exe26⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jdjdj.exec:\jdjdj.exe27⤵
- Executes dropped EXE
PID:3900 -
\??\c:\m2820.exec:\m2820.exe28⤵
- Executes dropped EXE
PID:1408 -
\??\c:\q84862.exec:\q84862.exe29⤵
- Executes dropped EXE
PID:4160 -
\??\c:\fxrxlrl.exec:\fxrxlrl.exe30⤵
- Executes dropped EXE
PID:2384 -
\??\c:\pvdvp.exec:\pvdvp.exe31⤵
- Executes dropped EXE
PID:2840 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe32⤵
- Executes dropped EXE
PID:2436 -
\??\c:\266426.exec:\266426.exe33⤵
- Executes dropped EXE
PID:2676 -
\??\c:\8686420.exec:\8686420.exe34⤵
- Executes dropped EXE
PID:1420 -
\??\c:\bhhthb.exec:\bhhthb.exe35⤵
- Executes dropped EXE
PID:3500 -
\??\c:\24480.exec:\24480.exe36⤵
- Executes dropped EXE
PID:3852 -
\??\c:\8606820.exec:\8606820.exe37⤵
- Executes dropped EXE
PID:2864 -
\??\c:\jvjvj.exec:\jvjvj.exe38⤵
- Executes dropped EXE
PID:2560 -
\??\c:\lrrfrlf.exec:\lrrfrlf.exe39⤵
- Executes dropped EXE
PID:1828 -
\??\c:\tnthbh.exec:\tnthbh.exe40⤵
- Executes dropped EXE
PID:1960 -
\??\c:\k26026.exec:\k26026.exe41⤵
- Executes dropped EXE
PID:1128 -
\??\c:\xrxlrlx.exec:\xrxlrlx.exe42⤵
- Executes dropped EXE
PID:1920 -
\??\c:\rfrlxrf.exec:\rfrlxrf.exe43⤵
- Executes dropped EXE
PID:4308 -
\??\c:\844262.exec:\844262.exe44⤵
- Executes dropped EXE
PID:2376 -
\??\c:\844826.exec:\844826.exe45⤵
- Executes dropped EXE
PID:1720 -
\??\c:\0680040.exec:\0680040.exe46⤵
- Executes dropped EXE
PID:1808 -
\??\c:\dppjj.exec:\dppjj.exe47⤵
- Executes dropped EXE
PID:4956 -
\??\c:\fxfxlfx.exec:\fxfxlfx.exe48⤵
- Executes dropped EXE
PID:1640 -
\??\c:\46426.exec:\46426.exe49⤵
- Executes dropped EXE
PID:1184 -
\??\c:\4220820.exec:\4220820.exe50⤵
- Executes dropped EXE
PID:2136 -
\??\c:\06426.exec:\06426.exe51⤵
- Executes dropped EXE
PID:2964 -
\??\c:\htnbnh.exec:\htnbnh.exe52⤵
- Executes dropped EXE
PID:3592 -
\??\c:\424826.exec:\424826.exe53⤵
- Executes dropped EXE
PID:1964 -
\??\c:\hbhbtt.exec:\hbhbtt.exe54⤵
- Executes dropped EXE
PID:1952 -
\??\c:\0802624.exec:\0802624.exe55⤵
- Executes dropped EXE
PID:2468 -
\??\c:\tnnhtt.exec:\tnnhtt.exe56⤵
- Executes dropped EXE
PID:2092 -
\??\c:\640066.exec:\640066.exe57⤵
- Executes dropped EXE
PID:2708 -
\??\c:\048062.exec:\048062.exe58⤵
- Executes dropped EXE
PID:4928 -
\??\c:\i848604.exec:\i848604.exe59⤵
- Executes dropped EXE
PID:3376 -
\??\c:\bnhthb.exec:\bnhthb.exe60⤵
- Executes dropped EXE
PID:1096 -
\??\c:\pvjdj.exec:\pvjdj.exe61⤵
- Executes dropped EXE
PID:632 -
\??\c:\thhhhh.exec:\thhhhh.exe62⤵
- Executes dropped EXE
PID:3068 -
\??\c:\2048604.exec:\2048604.exe63⤵
- Executes dropped EXE
PID:4876 -
\??\c:\28860.exec:\28860.exe64⤵
- Executes dropped EXE
PID:2064 -
\??\c:\602646.exec:\602646.exe65⤵
- Executes dropped EXE
PID:1940 -
\??\c:\nhhthb.exec:\nhhthb.exe66⤵PID:1160
-
\??\c:\5xrlxxr.exec:\5xrlxxr.exe67⤵PID:4044
-
\??\c:\lllfxxl.exec:\lllfxxl.exe68⤵PID:4936
-
\??\c:\nhbthb.exec:\nhbthb.exe69⤵PID:4524
-
\??\c:\pdvjp.exec:\pdvjp.exe70⤵PID:2084
-
\??\c:\26260.exec:\26260.exe71⤵PID:1516
-
\??\c:\7flfxxx.exec:\7flfxxx.exe72⤵PID:1772
-
\??\c:\lllxlfr.exec:\lllxlfr.exe73⤵PID:2248
-
\??\c:\608844.exec:\608844.exe74⤵PID:620
-
\??\c:\9tttbb.exec:\9tttbb.exe75⤵PID:2452
-
\??\c:\8248460.exec:\8248460.exe76⤵PID:2872
-
\??\c:\u848226.exec:\u848226.exe77⤵PID:4236
-
\??\c:\hhbhhh.exec:\hhbhhh.exe78⤵PID:3472
-
\??\c:\8848666.exec:\8848666.exe79⤵PID:5084
-
\??\c:\0442604.exec:\0442604.exe80⤵PID:3844
-
\??\c:\46226.exec:\46226.exe81⤵PID:1112
-
\??\c:\q62648.exec:\q62648.exe82⤵PID:660
-
\??\c:\062600.exec:\062600.exe83⤵PID:2140
-
\??\c:\c688626.exec:\c688626.exe84⤵PID:3396
-
\??\c:\6282448.exec:\6282448.exe85⤵PID:2384
-
\??\c:\44042.exec:\44042.exe86⤵PID:5020
-
\??\c:\tttnbt.exec:\tttnbt.exe87⤵PID:4168
-
\??\c:\862282.exec:\862282.exe88⤵PID:2900
-
\??\c:\dpvpd.exec:\dpvpd.exe89⤵PID:5072
-
\??\c:\rxffrlf.exec:\rxffrlf.exe90⤵PID:1892
-
\??\c:\26600.exec:\26600.exe91⤵PID:4052
-
\??\c:\268260.exec:\268260.exe92⤵PID:4548
-
\??\c:\tbnhtt.exec:\tbnhtt.exe93⤵PID:2972
-
\??\c:\pvdpd.exec:\pvdpd.exe94⤵PID:1908
-
\??\c:\402082.exec:\402082.exe95⤵PID:4332
-
\??\c:\6660820.exec:\6660820.exe96⤵PID:3788
-
\??\c:\q00426.exec:\q00426.exe97⤵
- System Location Discovery: System Language Discovery
PID:2916 -
\??\c:\6688266.exec:\6688266.exe98⤵PID:1080
-
\??\c:\xllxrrf.exec:\xllxrrf.exe99⤵
- System Location Discovery: System Language Discovery
PID:1828 -
\??\c:\86004.exec:\86004.exe100⤵PID:1960
-
\??\c:\lxlxlfx.exec:\lxlxlfx.exe101⤵PID:1992
-
\??\c:\64048.exec:\64048.exe102⤵PID:5016
-
\??\c:\42260.exec:\42260.exe103⤵PID:1920
-
\??\c:\bbbntn.exec:\bbbntn.exe104⤵PID:4308
-
\??\c:\5fxrfxr.exec:\5fxrfxr.exe105⤵PID:1496
-
\??\c:\0868040.exec:\0868040.exe106⤵PID:4672
-
\??\c:\jddpj.exec:\jddpj.exe107⤵PID:4216
-
\??\c:\84608.exec:\84608.exe108⤵PID:3000
-
\??\c:\8686044.exec:\8686044.exe109⤵PID:3300
-
\??\c:\pvpdp.exec:\pvpdp.exe110⤵PID:3204
-
\??\c:\0660260.exec:\0660260.exe111⤵PID:4152
-
\??\c:\8826266.exec:\8826266.exe112⤵PID:2136
-
\??\c:\0882048.exec:\0882048.exe113⤵PID:2964
-
\??\c:\406004.exec:\406004.exe114⤵PID:1616
-
\??\c:\o644044.exec:\o644044.exe115⤵PID:4344
-
\??\c:\tthhnn.exec:\tthhnn.exe116⤵PID:4500
-
\??\c:\g2840.exec:\g2840.exe117⤵PID:1716
-
\??\c:\240606.exec:\240606.exe118⤵PID:5012
-
\??\c:\frrfxlr.exec:\frrfxlr.exe119⤵PID:3120
-
\??\c:\u442042.exec:\u442042.exe120⤵PID:5028
-
\??\c:\1ddpj.exec:\1ddpj.exe121⤵PID:4484
-
\??\c:\i282048.exec:\i282048.exe122⤵PID:976