Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 08:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe
-
Size
453KB
-
MD5
e4c1fa87cd6106e0871ee7aec5a53a56
-
SHA1
500ac3d042b8ff6f0a4f5ca95d2c5a5f60b1f4d5
-
SHA256
fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0
-
SHA512
37e79e8978aa9c7255d90e1024bd57fb75254bf28174bcc96276f62f3a1ef81f7eac3bedb8c63498441c79b07bfa1c4067dbe540e35d5b7596653c519e06a424
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2872-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1348-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4820-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-1132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-1145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2224-1493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 808 bntnhb.exe 4500 thnhhb.exe 4864 rrrlfxr.exe 2412 pddpj.exe 1028 bnnnhb.exe 2116 7fxrlfx.exe 4112 ddvvd.exe 2724 flrxxrl.exe 3520 ppddv.exe 3604 7tbttn.exe 4508 hntnbt.exe 2548 jvjdd.exe 1968 lrllfxf.exe 2824 jpvpj.exe 4156 rxxxrrl.exe 1736 bnnhnh.exe 2060 nhhthb.exe 1172 vpjdp.exe 1844 3jjvj.exe 4712 rrxxxxx.exe 1608 7djdd.exe 3544 hntnhb.exe 4092 vjpjv.exe 1348 hhnhtt.exe 4452 vpjdv.exe 5112 7btnbb.exe 464 ddjdd.exe 3884 7ppdv.exe 1648 ffffrrr.exe 4468 5djdv.exe 3260 nnbbtb.exe 1096 xrxlfff.exe 2884 llfrxrf.exe 3348 pdvpv.exe 2248 jvdpj.exe 3436 lfffrrr.exe 5072 nbhbbb.exe 3556 7hbthb.exe 5044 1ppjv.exe 208 frrlxrl.exe 4776 btthbt.exe 3572 vjjvj.exe 1964 1ffxllf.exe 4684 hbnbbb.exe 3052 jvvpd.exe 1684 jdjjj.exe 536 xrfrrrr.exe 1612 thnbtn.exe 1464 jvpjd.exe 3024 9vvpj.exe 4416 frrfxrr.exe 2420 hhnhbt.exe 2528 9ppdv.exe 3516 djpjv.exe 2964 xrrxrxf.exe 2816 ttbbnn.exe 1672 dvjdp.exe 2136 dpvpj.exe 452 xrrrllf.exe 2224 bhbbnn.exe 1004 9vdvd.exe 2848 vjpjp.exe 3668 flxrffr.exe 4472 bhnhbt.exe -
resource yara_rule behavioral2/memory/2872-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1348-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2276-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-822-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (the samples open \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; "Process not Found" entries are events whose originating process had already exited before the sandbox could resolve its name).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 808 2872 fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe 82 PID 2872 wrote to memory of 808 2872 fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe 82 PID 2872 wrote to memory of 808 2872 fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe 82 PID 808 wrote to memory of 4500 808 bntnhb.exe 83 PID 808 wrote to memory of 4500 808 bntnhb.exe 83 PID 808 wrote to memory of 4500 808 bntnhb.exe 83 PID 4500 wrote to memory of 4864 4500 thnhhb.exe 84 PID 4500 wrote to memory of 4864 4500 thnhhb.exe 84 PID 4500 wrote to memory of 4864 4500 thnhhb.exe 84 PID 4864 wrote to memory of 2412 4864 rrrlfxr.exe 85 PID 4864 wrote to memory of 2412 4864 rrrlfxr.exe 85 PID 4864 wrote to memory of 2412 4864 rrrlfxr.exe 85 PID 2412 wrote to memory of 1028 2412 pddpj.exe 86 PID 2412 wrote to memory of 1028 2412 pddpj.exe 86 PID 2412 wrote to memory of 1028 2412 pddpj.exe 86 PID 1028 wrote to memory of 2116 1028 bnnnhb.exe 87 PID 1028 wrote to memory of 2116 1028 bnnnhb.exe 87 PID 1028 wrote to memory of 2116 1028 bnnnhb.exe 87 PID 2116 wrote to memory of 4112 2116 7fxrlfx.exe 88 PID 2116 wrote to memory of 4112 2116 7fxrlfx.exe 88 PID 2116 wrote to memory of 4112 2116 7fxrlfx.exe 88 PID 4112 wrote to memory of 2724 4112 ddvvd.exe 89 PID 4112 wrote to memory of 2724 4112 ddvvd.exe 89 PID 4112 wrote to memory of 2724 4112 ddvvd.exe 89 PID 2724 wrote to memory of 3520 2724 flrxxrl.exe 90 PID 2724 wrote to memory of 3520 2724 flrxxrl.exe 90 PID 2724 wrote to memory of 3520 2724 flrxxrl.exe 90 PID 3520 wrote to memory of 3604 3520 ppddv.exe 91 PID 3520 wrote to memory of 3604 3520 ppddv.exe 91 PID 3520 wrote to memory of 3604 3520 ppddv.exe 91 PID 3604 wrote to memory of 4508 3604 7tbttn.exe 92 PID 3604 wrote to memory of 4508 3604 7tbttn.exe 92 PID 3604 wrote to memory of 4508 3604 7tbttn.exe 92 PID 4508 wrote to memory of 2548 4508 hntnbt.exe 93 PID 4508 wrote to memory of 
2548 4508 hntnbt.exe 93 PID 4508 wrote to memory of 2548 4508 hntnbt.exe 93 PID 2548 wrote to memory of 1968 2548 jvjdd.exe 94 PID 2548 wrote to memory of 1968 2548 jvjdd.exe 94 PID 2548 wrote to memory of 1968 2548 jvjdd.exe 94 PID 1968 wrote to memory of 2824 1968 lrllfxf.exe 95 PID 1968 wrote to memory of 2824 1968 lrllfxf.exe 95 PID 1968 wrote to memory of 2824 1968 lrllfxf.exe 95 PID 2824 wrote to memory of 4156 2824 jpvpj.exe 96 PID 2824 wrote to memory of 4156 2824 jpvpj.exe 96 PID 2824 wrote to memory of 4156 2824 jpvpj.exe 96 PID 4156 wrote to memory of 1736 4156 rxxxrrl.exe 97 PID 4156 wrote to memory of 1736 4156 rxxxrrl.exe 97 PID 4156 wrote to memory of 1736 4156 rxxxrrl.exe 97 PID 1736 wrote to memory of 2060 1736 bnnhnh.exe 98 PID 1736 wrote to memory of 2060 1736 bnnhnh.exe 98 PID 1736 wrote to memory of 2060 1736 bnnhnh.exe 98 PID 2060 wrote to memory of 1172 2060 nhhthb.exe 99 PID 2060 wrote to memory of 1172 2060 nhhthb.exe 99 PID 2060 wrote to memory of 1172 2060 nhhthb.exe 99 PID 1172 wrote to memory of 1844 1172 vpjdp.exe 100 PID 1172 wrote to memory of 1844 1172 vpjdp.exe 100 PID 1172 wrote to memory of 1844 1172 vpjdp.exe 100 PID 1844 wrote to memory of 4712 1844 3jjvj.exe 101 PID 1844 wrote to memory of 4712 1844 3jjvj.exe 101 PID 1844 wrote to memory of 4712 1844 3jjvj.exe 101 PID 4712 wrote to memory of 1608 4712 rrxxxxx.exe 102 PID 4712 wrote to memory of 1608 4712 rrxxxxx.exe 102 PID 4712 wrote to memory of 1608 4712 rrxxxxx.exe 102 PID 1608 wrote to memory of 3544 1608 7djdd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe"C:\Users\Admin\AppData\Local\Temp\fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\bntnhb.exec:\bntnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\thnhhb.exec:\thnhhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\pddpj.exec:\pddpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\bnnnhb.exec:\bnnnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\7fxrlfx.exec:\7fxrlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\ddvvd.exec:\ddvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\flrxxrl.exec:\flrxxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\ppddv.exec:\ppddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\7tbttn.exec:\7tbttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\hntnbt.exec:\hntnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\jvjdd.exec:\jvjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\lrllfxf.exec:\lrllfxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\jpvpj.exec:\jpvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\rxxxrrl.exec:\rxxxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\bnnhnh.exec:\bnnhnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\nhhthb.exec:\nhhthb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\vpjdp.exec:\vpjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\3jjvj.exec:\3jjvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\7djdd.exec:\7djdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\hntnhb.exec:\hntnhb.exe23⤵
- Executes dropped EXE
PID:3544 -
\??\c:\vjpjv.exec:\vjpjv.exe24⤵
- Executes dropped EXE
PID:4092 -
\??\c:\hhnhtt.exec:\hhnhtt.exe25⤵
- Executes dropped EXE
PID:1348 -
\??\c:\vpjdv.exec:\vpjdv.exe26⤵
- Executes dropped EXE
PID:4452 -
\??\c:\7btnbb.exec:\7btnbb.exe27⤵
- Executes dropped EXE
PID:5112 -
\??\c:\ddjdd.exec:\ddjdd.exe28⤵
- Executes dropped EXE
PID:464 -
\??\c:\7ppdv.exec:\7ppdv.exe29⤵
- Executes dropped EXE
PID:3884 -
\??\c:\ffffrrr.exec:\ffffrrr.exe30⤵
- Executes dropped EXE
PID:1648 -
\??\c:\5djdv.exec:\5djdv.exe31⤵
- Executes dropped EXE
PID:4468 -
\??\c:\nnbbtb.exec:\nnbbtb.exe32⤵
- Executes dropped EXE
PID:3260 -
\??\c:\xrxlfff.exec:\xrxlfff.exe33⤵
- Executes dropped EXE
PID:1096 -
\??\c:\llfrxrf.exec:\llfrxrf.exe34⤵
- Executes dropped EXE
PID:2884 -
\??\c:\pdvpv.exec:\pdvpv.exe35⤵
- Executes dropped EXE
PID:3348 -
\??\c:\jvdpj.exec:\jvdpj.exe36⤵
- Executes dropped EXE
PID:2248 -
\??\c:\lfffrrr.exec:\lfffrrr.exe37⤵
- Executes dropped EXE
PID:3436 -
\??\c:\nbhbbb.exec:\nbhbbb.exe38⤵
- Executes dropped EXE
PID:5072 -
\??\c:\7hbthb.exec:\7hbthb.exe39⤵
- Executes dropped EXE
PID:3556 -
\??\c:\1ppjv.exec:\1ppjv.exe40⤵
- Executes dropped EXE
PID:5044 -
\??\c:\frrlxrl.exec:\frrlxrl.exe41⤵
- Executes dropped EXE
PID:208 -
\??\c:\btthbt.exec:\btthbt.exe42⤵
- Executes dropped EXE
PID:4776 -
\??\c:\vjjvj.exec:\vjjvj.exe43⤵
- Executes dropped EXE
PID:3572 -
\??\c:\1ffxllf.exec:\1ffxllf.exe44⤵
- Executes dropped EXE
PID:1964 -
\??\c:\hbnbbb.exec:\hbnbbb.exe45⤵
- Executes dropped EXE
PID:4684 -
\??\c:\jvvpd.exec:\jvvpd.exe46⤵
- Executes dropped EXE
PID:3052 -
\??\c:\jdjjj.exec:\jdjjj.exe47⤵
- Executes dropped EXE
PID:1684 -
\??\c:\xrfrrrr.exec:\xrfrrrr.exe48⤵
- Executes dropped EXE
PID:536 -
\??\c:\thnbtn.exec:\thnbtn.exe49⤵
- Executes dropped EXE
PID:1612 -
\??\c:\jvpjd.exec:\jvpjd.exe50⤵
- Executes dropped EXE
PID:1464 -
\??\c:\9vvpj.exec:\9vvpj.exe51⤵
- Executes dropped EXE
PID:3024 -
\??\c:\frrfxrr.exec:\frrfxrr.exe52⤵
- Executes dropped EXE
PID:4416 -
\??\c:\hhnhbt.exec:\hhnhbt.exe53⤵
- Executes dropped EXE
PID:2420 -
\??\c:\9ppdv.exec:\9ppdv.exe54⤵
- Executes dropped EXE
PID:2528 -
\??\c:\djpjv.exec:\djpjv.exe55⤵
- Executes dropped EXE
PID:3516 -
\??\c:\xrrxrxf.exec:\xrrxrxf.exe56⤵
- Executes dropped EXE
PID:2964 -
\??\c:\ttbbnn.exec:\ttbbnn.exe57⤵
- Executes dropped EXE
PID:2816 -
\??\c:\dvjdp.exec:\dvjdp.exe58⤵
- Executes dropped EXE
PID:1672 -
\??\c:\dpvpj.exec:\dpvpj.exe59⤵
- Executes dropped EXE
PID:2136 -
\??\c:\xrrrllf.exec:\xrrrllf.exe60⤵
- Executes dropped EXE
PID:452 -
\??\c:\bhbbnn.exec:\bhbbnn.exe61⤵
- Executes dropped EXE
PID:2224 -
\??\c:\9vdvd.exec:\9vdvd.exe62⤵
- Executes dropped EXE
PID:1004 -
\??\c:\vjpjp.exec:\vjpjp.exe63⤵
- Executes dropped EXE
PID:2848 -
\??\c:\flxrffr.exec:\flxrffr.exe64⤵
- Executes dropped EXE
PID:3668 -
\??\c:\bhnhbt.exec:\bhnhbt.exe65⤵
- Executes dropped EXE
PID:4472 -
\??\c:\vdjvp.exec:\vdjvp.exe66⤵PID:3836
-
\??\c:\pdjjj.exec:\pdjjj.exe67⤵PID:2952
-
\??\c:\bnnnnt.exec:\bnnnnt.exe68⤵PID:3804
-
\??\c:\pdjvp.exec:\pdjvp.exe69⤵PID:628
-
\??\c:\jpvpj.exec:\jpvpj.exe70⤵PID:2624
-
\??\c:\xxlfxll.exec:\xxlfxll.exe71⤵PID:2512
-
\??\c:\nhnbhb.exec:\nhnbhb.exe72⤵PID:900
-
\??\c:\7nhhbb.exec:\7nhhbb.exe73⤵PID:4780
-
\??\c:\9jpjp.exec:\9jpjp.exe74⤵PID:1428
-
\??\c:\xxrlxxr.exec:\xxrlxxr.exe75⤵PID:1076
-
\??\c:\bnnhbh.exec:\bnnhbh.exe76⤵PID:5004
-
\??\c:\dpppj.exec:\dpppj.exe77⤵PID:4820
-
\??\c:\dvvpp.exec:\dvvpp.exe78⤵PID:1720
-
\??\c:\llrrlff.exec:\llrrlff.exe79⤵PID:4892
-
\??\c:\tbhtnh.exec:\tbhtnh.exe80⤵PID:1292
-
\??\c:\bhtthh.exec:\bhtthh.exe81⤵PID:2944
-
\??\c:\vjpjj.exec:\vjpjj.exe82⤵PID:1140
-
\??\c:\xffxxxr.exec:\xffxxxr.exe83⤵PID:2276
-
\??\c:\ttbnbt.exec:\ttbnbt.exe84⤵PID:2236
-
\??\c:\bnbthh.exec:\bnbthh.exe85⤵PID:612
-
\??\c:\jdvvp.exec:\jdvvp.exe86⤵PID:316
-
\??\c:\7fxrffr.exec:\7fxrffr.exe87⤵PID:944
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe88⤵PID:2372
-
\??\c:\hntnhh.exec:\hntnhh.exe89⤵PID:4880
-
\??\c:\9djjv.exec:\9djjv.exe90⤵PID:1096
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe91⤵PID:2076
-
\??\c:\ffflxxr.exec:\ffflxxr.exe92⤵PID:4792
-
\??\c:\nbbtnb.exec:\nbbtnb.exe93⤵PID:3312
-
\??\c:\httnbb.exec:\httnbb.exe94⤵PID:3064
-
\??\c:\dpppj.exec:\dpppj.exe95⤵PID:2480
-
\??\c:\xflxlfl.exec:\xflxlfl.exe96⤵PID:4764
-
\??\c:\fxlfxxf.exec:\fxlfxxf.exe97⤵PID:4412
-
\??\c:\3jpjd.exec:\3jpjd.exe98⤵PID:1724
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe99⤵PID:4392
-
\??\c:\nbhnhb.exec:\nbhnhb.exe100⤵PID:2416
-
\??\c:\dvpjd.exec:\dvpjd.exe101⤵PID:2400
-
\??\c:\hnbnhb.exec:\hnbnhb.exe102⤵PID:1152
-
\??\c:\ttbttn.exec:\ttbttn.exe103⤵PID:4856
-
\??\c:\jvpjv.exec:\jvpjv.exe104⤵PID:1976
-
\??\c:\rfxrrlr.exec:\rfxrrlr.exe105⤵PID:876
-
\??\c:\htbtnn.exec:\htbtnn.exe106⤵PID:3832
-
\??\c:\5jpdd.exec:\5jpdd.exe107⤵PID:1480
-
\??\c:\3hnhbt.exec:\3hnhbt.exe108⤵
- System Location Discovery: System Language Discovery
PID:3340 -
\??\c:\bbhtnh.exec:\bbhtnh.exe109⤵PID:4612
-
\??\c:\vjpdv.exec:\vjpdv.exe110⤵PID:2528
-
\??\c:\llrlfxr.exec:\llrlfxr.exe111⤵PID:1128
-
\??\c:\rlrllll.exec:\rlrllll.exe112⤵PID:1564
-
\??\c:\btnhtt.exec:\btnhtt.exe113⤵PID:3824
-
\??\c:\dvdvj.exec:\dvdvj.exe114⤵PID:4376
-
\??\c:\1xxlllf.exec:\1xxlllf.exe115⤵PID:2184
-
\??\c:\lrlxrrf.exec:\lrlxrrf.exe116⤵PID:2596
-
\??\c:\tbbtnn.exec:\tbbtnn.exe117⤵PID:4072
-
\??\c:\jdpdj.exec:\jdpdj.exe118⤵PID:1968
-
\??\c:\5vvpj.exec:\5vvpj.exe119⤵PID:5008
-
\??\c:\llrfxxr.exec:\llrfxxr.exe120⤵PID:2828
-
\??\c:\nttbhb.exec:\nttbhb.exe121⤵PID:2848
-
\??\c:\djvpd.exec:\djvpd.exe122⤵PID:1736
-