Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 13:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
99d333732becfbb7c15bad43fcc9867d053ac39dce639cf966a72850a4e86d46N.exe
Resource
win7-20241023-en (note: the signature hits, memory-dump YARA matches and process tree shown on this page are all tagged behavioral2, which per the header above ran on win10v2004-20241007-en x64; the results of this behavioral1 / Windows 7 task are not reproduced here)
7 signatures
120 seconds
General
-
Target
99d333732becfbb7c15bad43fcc9867d053ac39dce639cf966a72850a4e86d46N.exe
-
Size
454KB
-
MD5
bf8eb4ea43d8be3880c242d558625e70
-
SHA1
493c7f659ae0e66aa90f4c1d7ecdcd36463bd966
-
SHA256
99d333732becfbb7c15bad43fcc9867d053ac39dce639cf966a72850a4e86d46
-
SHA512
b63953769e2dfeda199d333403f6f5ee079ecefc7e3f42f6a3ff6ce41cdb6dd2302091175ae68d485e6e15c689f70cce53730d814c94dc8e44f95aa2a4bdea6a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 63 IoCs. Every hit below is a behavioral2 memory dump of the same region, 0x00400000–0x0042A000, in each successive process of the chain: the rule matched the in-memory image of each dropped copy rather than a single injected payload. The same region also matches the `upx` rule further down, so the family attribution rests on YARA matches against a (partially) packed image; confirm it against the fully unpacked binary before relying on it for attribution or blocking decisions.
resource yara_rule behavioral2/memory/4368-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1840-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2076-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-1013-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-1119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-1778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list appears to be capped at 64 entries; the process tree below runs to depth 122, so the real count is higher). Each stage drops the next one at the root of `C:\` under a short pseudo-random name drawn from a small alphabet (b, d, f, h, j, l, n, p, r, t, v, x plus a leading digit) and executes it, forming a strictly linear parent→child chain. The file names are therefore not useful as stable indicators; the drop location (`c:\*.exe` written and launched from a user-temp process) and the hashes in the General section above are.
pid Process 1444 hhthnh.exe 2940 hntbhn.exe 1244 7xrfxll.exe 4932 fxlxrlf.exe 4080 hnthbt.exe 4748 dvddj.exe 4476 xfrlxlr.exe 984 xrrlfff.exe 3884 tbhbtn.exe 832 dvvjd.exe 3060 dvvpj.exe 1920 7htnnh.exe 4844 jvpjv.exe 416 tbhtnh.exe 4540 pjvdd.exe 3740 3rxrfrl.exe 4984 thhhtn.exe 3248 9dvdp.exe 4032 nbbnht.exe 1084 djpdj.exe 2520 rfrlfxr.exe 776 hthtbt.exe 4968 tbnhtn.exe 5072 dpppp.exe 1460 lffflrf.exe 3820 lrxlrfl.exe 4744 vdpdv.exe 228 lxxlfxr.exe 2852 nhhbtn.exe 3540 9hbtnh.exe 4672 7jdpj.exe 964 xlrxrrl.exe 3576 3tbtnn.exe 4808 nhtnnb.exe 1076 dpppj.exe 3784 lrrffrr.exe 392 btbnhb.exe 3056 djpdd.exe 1840 lfxrllf.exe 1988 rrlxrlf.exe 3536 9tnbtt.exe 4552 pdjdv.exe 4880 1rrlffx.exe 408 hnhnbn.exe 1228 bnttht.exe 1312 pjpjp.exe 3104 lxlfrll.exe 1760 ttnhtt.exe 4336 3bbthb.exe 4340 1jdvp.exe 3948 pdpdd.exe 4064 fflfxxr.exe 1684 tnnhnb.exe 1584 btbttb.exe 2268 djpjv.exe 2240 3dvpd.exe 4460 rlrllff.exe 4868 dpdvj.exe 1900 1jjdp.exe 1268 tnnhbt.exe 548 9ffffxr.exe 3048 tbbtnh.exe 4944 9hnhnn.exe 2944 jppdp.exe -
resource yara_rule behavioral2/memory/4368-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-214-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3536-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-341-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3248-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-904-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-1013-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). Caveat for triage: the only evidence here is a read of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`, a key that many benign runtimes and installers also read during locale initialisation, so on its own this is a low-confidence indicator; it gains weight only if the sample is also shown to branch on the result (not demonstrated on this page). Entries attributed to "Process not Found" are reads the sandbox could not map back to a live process, most likely chain members that had already exited by the time the event was resolved.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (again apparently capped at 64). Each parent writes exactly three times to the child it has just spawned, and every writer→target pair matches a parent→child edge in the process tree below; no process writes into an unrelated or pre-existing process. That pattern is consistent with ordinary child-process start-up by the parent rather than with remote injection into a foreign process, so this signature should not by itself be read as evidence of process injection here.
description pid Process procid_target PID 4368 wrote to memory of 1444 4368 99d333732becfbb7c15bad43fcc9867d053ac39dce639cf966a72850a4e86d46N.exe 82 PID 4368 wrote to memory of 1444 4368 99d333732becfbb7c15bad43fcc9867d053ac39dce639cf966a72850a4e86d46N.exe 82 PID 4368 wrote to memory of 1444 4368 99d333732becfbb7c15bad43fcc9867d053ac39dce639cf966a72850a4e86d46N.exe 82 PID 1444 wrote to memory of 2940 1444 hhthnh.exe 83 PID 1444 wrote to memory of 2940 1444 hhthnh.exe 83 PID 1444 wrote to memory of 2940 1444 hhthnh.exe 83 PID 2940 wrote to memory of 1244 2940 hntbhn.exe 84 PID 2940 wrote to memory of 1244 2940 hntbhn.exe 84 PID 2940 wrote to memory of 1244 2940 hntbhn.exe 84 PID 1244 wrote to memory of 4932 1244 7xrfxll.exe 85 PID 1244 wrote to memory of 4932 1244 7xrfxll.exe 85 PID 1244 wrote to memory of 4932 1244 7xrfxll.exe 85 PID 4932 wrote to memory of 4080 4932 fxlxrlf.exe 86 PID 4932 wrote to memory of 4080 4932 fxlxrlf.exe 86 PID 4932 wrote to memory of 4080 4932 fxlxrlf.exe 86 PID 4080 wrote to memory of 4748 4080 hnthbt.exe 87 PID 4080 wrote to memory of 4748 4080 hnthbt.exe 87 PID 4080 wrote to memory of 4748 4080 hnthbt.exe 87 PID 4748 wrote to memory of 4476 4748 dvddj.exe 88 PID 4748 wrote to memory of 4476 4748 dvddj.exe 88 PID 4748 wrote to memory of 4476 4748 dvddj.exe 88 PID 4476 wrote to memory of 984 4476 xfrlxlr.exe 89 PID 4476 wrote to memory of 984 4476 xfrlxlr.exe 89 PID 4476 wrote to memory of 984 4476 xfrlxlr.exe 89 PID 984 wrote to memory of 3884 984 xrrlfff.exe 90 PID 984 wrote to memory of 3884 984 xrrlfff.exe 90 PID 984 wrote to memory of 3884 984 xrrlfff.exe 90 PID 3884 wrote to memory of 832 3884 tbhbtn.exe 91 PID 3884 wrote to memory of 832 3884 tbhbtn.exe 91 PID 3884 wrote to memory of 832 3884 tbhbtn.exe 91 PID 832 wrote to memory of 3060 832 dvvjd.exe 92 PID 832 wrote to memory of 3060 832 dvvjd.exe 92 PID 832 wrote to memory of 3060 832 dvvjd.exe 92 PID 3060 wrote to memory of 1920 3060 dvvpj.exe 93 PID 3060 wrote to memory of 
1920 3060 dvvpj.exe 93 PID 3060 wrote to memory of 1920 3060 dvvpj.exe 93 PID 1920 wrote to memory of 4844 1920 7htnnh.exe 94 PID 1920 wrote to memory of 4844 1920 7htnnh.exe 94 PID 1920 wrote to memory of 4844 1920 7htnnh.exe 94 PID 4844 wrote to memory of 416 4844 jvpjv.exe 95 PID 4844 wrote to memory of 416 4844 jvpjv.exe 95 PID 4844 wrote to memory of 416 4844 jvpjv.exe 95 PID 416 wrote to memory of 4540 416 tbhtnh.exe 96 PID 416 wrote to memory of 4540 416 tbhtnh.exe 96 PID 416 wrote to memory of 4540 416 tbhtnh.exe 96 PID 4540 wrote to memory of 3740 4540 pjvdd.exe 97 PID 4540 wrote to memory of 3740 4540 pjvdd.exe 97 PID 4540 wrote to memory of 3740 4540 pjvdd.exe 97 PID 3740 wrote to memory of 4984 3740 3rxrfrl.exe 98 PID 3740 wrote to memory of 4984 3740 3rxrfrl.exe 98 PID 3740 wrote to memory of 4984 3740 3rxrfrl.exe 98 PID 4984 wrote to memory of 3248 4984 thhhtn.exe 99 PID 4984 wrote to memory of 3248 4984 thhhtn.exe 99 PID 4984 wrote to memory of 3248 4984 thhhtn.exe 99 PID 3248 wrote to memory of 4032 3248 9dvdp.exe 100 PID 3248 wrote to memory of 4032 3248 9dvdp.exe 100 PID 3248 wrote to memory of 4032 3248 9dvdp.exe 100 PID 4032 wrote to memory of 1084 4032 nbbnht.exe 101 PID 4032 wrote to memory of 1084 4032 nbbnht.exe 101 PID 4032 wrote to memory of 1084 4032 nbbnht.exe 101 PID 1084 wrote to memory of 2520 1084 djpdj.exe 102 PID 1084 wrote to memory of 2520 1084 djpdj.exe 102 PID 1084 wrote to memory of 2520 1084 djpdj.exe 102 PID 2520 wrote to memory of 776 2520 rfrlfxr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\99d333732becfbb7c15bad43fcc9867d053ac39dce639cf966a72850a4e86d46N.exe"C:\Users\Admin\AppData\Local\Temp\99d333732becfbb7c15bad43fcc9867d053ac39dce639cf966a72850a4e86d46N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\hhthnh.exec:\hhthnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\hntbhn.exec:\hntbhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\7xrfxll.exec:\7xrfxll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\fxlxrlf.exec:\fxlxrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\hnthbt.exec:\hnthbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\dvddj.exec:\dvddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\xfrlxlr.exec:\xfrlxlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\xrrlfff.exec:\xrrlfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\tbhbtn.exec:\tbhbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\dvvjd.exec:\dvvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\dvvpj.exec:\dvvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\7htnnh.exec:\7htnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\jvpjv.exec:\jvpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\tbhtnh.exec:\tbhtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
\??\c:\pjvdd.exec:\pjvdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\3rxrfrl.exec:\3rxrfrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\thhhtn.exec:\thhhtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\9dvdp.exec:\9dvdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\nbbnht.exec:\nbbnht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\djpdj.exec:\djpdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\rfrlfxr.exec:\rfrlfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\hthtbt.exec:\hthtbt.exe23⤵
- Executes dropped EXE
PID:776 -
\??\c:\tbnhtn.exec:\tbnhtn.exe24⤵
- Executes dropped EXE
PID:4968 -
\??\c:\dpppp.exec:\dpppp.exe25⤵
- Executes dropped EXE
PID:5072 -
\??\c:\lffflrf.exec:\lffflrf.exe26⤵
- Executes dropped EXE
PID:1460 -
\??\c:\lrxlrfl.exec:\lrxlrfl.exe27⤵
- Executes dropped EXE
PID:3820 -
\??\c:\vdpdv.exec:\vdpdv.exe28⤵
- Executes dropped EXE
PID:4744 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe29⤵
- Executes dropped EXE
PID:228 -
\??\c:\nhhbtn.exec:\nhhbtn.exe30⤵
- Executes dropped EXE
PID:2852 -
\??\c:\9hbtnh.exec:\9hbtnh.exe31⤵
- Executes dropped EXE
PID:3540 -
\??\c:\7jdpj.exec:\7jdpj.exe32⤵
- Executes dropped EXE
PID:4672 -
\??\c:\xlrxrrl.exec:\xlrxrrl.exe33⤵
- Executes dropped EXE
PID:964 -
\??\c:\3tbtnn.exec:\3tbtnn.exe34⤵
- Executes dropped EXE
PID:3576 -
\??\c:\nhtnnb.exec:\nhtnnb.exe35⤵
- Executes dropped EXE
PID:4808 -
\??\c:\dpppj.exec:\dpppj.exe36⤵
- Executes dropped EXE
PID:1076 -
\??\c:\lrrffrr.exec:\lrrffrr.exe37⤵
- Executes dropped EXE
PID:3784 -
\??\c:\btbnhb.exec:\btbnhb.exe38⤵
- Executes dropped EXE
PID:392 -
\??\c:\djpdd.exec:\djpdd.exe39⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lfxrllf.exec:\lfxrllf.exe40⤵
- Executes dropped EXE
PID:1840 -
\??\c:\rrlxrlf.exec:\rrlxrlf.exe41⤵
- Executes dropped EXE
PID:1988 -
\??\c:\9tnbtt.exec:\9tnbtt.exe42⤵
- Executes dropped EXE
PID:3536 -
\??\c:\pdjdv.exec:\pdjdv.exe43⤵
- Executes dropped EXE
PID:4552 -
\??\c:\1rrlffx.exec:\1rrlffx.exe44⤵
- Executes dropped EXE
PID:4880 -
\??\c:\hnhnbn.exec:\hnhnbn.exe45⤵
- Executes dropped EXE
PID:408 -
\??\c:\bnttht.exec:\bnttht.exe46⤵
- Executes dropped EXE
PID:1228 -
\??\c:\pjpjp.exec:\pjpjp.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1312 -
\??\c:\lxlfrll.exec:\lxlfrll.exe48⤵
- Executes dropped EXE
PID:3104 -
\??\c:\ttnhtt.exec:\ttnhtt.exe49⤵
- Executes dropped EXE
PID:1760 -
\??\c:\3bbthb.exec:\3bbthb.exe50⤵
- Executes dropped EXE
PID:4336 -
\??\c:\1jdvp.exec:\1jdvp.exe51⤵
- Executes dropped EXE
PID:4340 -
\??\c:\pdpdd.exec:\pdpdd.exe52⤵
- Executes dropped EXE
PID:3948 -
\??\c:\fflfxxr.exec:\fflfxxr.exe53⤵
- Executes dropped EXE
PID:4064 -
\??\c:\tnnhnb.exec:\tnnhnb.exe54⤵
- Executes dropped EXE
PID:1684 -
\??\c:\btbttb.exec:\btbttb.exe55⤵
- Executes dropped EXE
PID:1584 -
\??\c:\djpjv.exec:\djpjv.exe56⤵
- Executes dropped EXE
PID:2268 -
\??\c:\3dvpd.exec:\3dvpd.exe57⤵
- Executes dropped EXE
PID:2240 -
\??\c:\rlrllff.exec:\rlrllff.exe58⤵
- Executes dropped EXE
PID:4460 -
\??\c:\dpdvj.exec:\dpdvj.exe59⤵
- Executes dropped EXE
PID:4868 -
\??\c:\1jjdp.exec:\1jjdp.exe60⤵
- Executes dropped EXE
PID:1900 -
\??\c:\tnnhbt.exec:\tnnhbt.exe61⤵
- Executes dropped EXE
PID:1268 -
\??\c:\9ffffxr.exec:\9ffffxr.exe62⤵
- Executes dropped EXE
PID:548 -
\??\c:\tbbtnh.exec:\tbbtnh.exe63⤵
- Executes dropped EXE
PID:3048 -
\??\c:\9hnhnn.exec:\9hnhnn.exe64⤵
- Executes dropped EXE
PID:4944 -
\??\c:\jppdp.exec:\jppdp.exe65⤵
- Executes dropped EXE
PID:2944 -
\??\c:\tnnnbb.exec:\tnnnbb.exe66⤵PID:1376
-
\??\c:\1bbnht.exec:\1bbnht.exe67⤵PID:1272
-
\??\c:\1lxrffr.exec:\1lxrffr.exe68⤵PID:1392
-
\??\c:\1hhbnn.exec:\1hhbnn.exe69⤵PID:2076
-
\??\c:\jpppd.exec:\jpppd.exe70⤵PID:2444
-
\??\c:\5djdj.exec:\5djdj.exe71⤵PID:4936
-
\??\c:\flxrxrl.exec:\flxrxrl.exe72⤵PID:2932
-
\??\c:\xxrfrlx.exec:\xxrfrlx.exe73⤵PID:3244
-
\??\c:\nbhbtt.exec:\nbhbtt.exe74⤵PID:4540
-
\??\c:\djjdp.exec:\djjdp.exe75⤵PID:3736
-
\??\c:\pddpj.exec:\pddpj.exe76⤵PID:856
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe77⤵PID:3488
-
\??\c:\tnhtnn.exec:\tnhtnn.exe78⤵PID:3552
-
\??\c:\vdjvj.exec:\vdjvj.exe79⤵PID:3248
-
\??\c:\fllflfx.exec:\fllflfx.exe80⤵PID:2608
-
\??\c:\hnbnhh.exec:\hnbnhh.exe81⤵PID:5116
-
\??\c:\vpvdj.exec:\vpvdj.exe82⤵PID:2840
-
\??\c:\dvvpj.exec:\dvvpj.exe83⤵PID:5004
-
\??\c:\rrxrfxx.exec:\rrxrfxx.exe84⤵PID:2928
-
\??\c:\tnnhbt.exec:\tnnhbt.exe85⤵PID:436
-
\??\c:\bnhbhb.exec:\bnhbhb.exe86⤵PID:4832
-
\??\c:\jvdpp.exec:\jvdpp.exe87⤵PID:2876
-
\??\c:\frrlfxr.exec:\frrlfxr.exe88⤵PID:3032
-
\??\c:\thhbtn.exec:\thhbtn.exe89⤵PID:924
-
\??\c:\5jdpd.exec:\5jdpd.exe90⤵
- System Location Discovery: System Language Discovery
PID:3548 -
\??\c:\5rrfxrf.exec:\5rrfxrf.exe91⤵PID:1504
-
\??\c:\fffxxfx.exec:\fffxxfx.exe92⤵PID:4388
-
\??\c:\tnnhtn.exec:\tnnhtn.exe93⤵PID:3264
-
\??\c:\ppvvj.exec:\ppvvj.exe94⤵PID:1972
-
\??\c:\fxfrllf.exec:\fxfrllf.exe95⤵PID:2860
-
\??\c:\httbbn.exec:\httbbn.exe96⤵PID:4148
-
\??\c:\tnttnh.exec:\tnttnh.exe97⤵PID:964
-
\??\c:\pjvjd.exec:\pjvjd.exe98⤵PID:736
-
\??\c:\pvjvd.exec:\pvjvd.exe99⤵PID:4900
-
\??\c:\xrrlffx.exec:\xrrlffx.exe100⤵PID:4236
-
\??\c:\5hhhnt.exec:\5hhhnt.exe101⤵PID:1076
-
\??\c:\hbntnt.exec:\hbntnt.exe102⤵PID:1120
-
\??\c:\pjvpj.exec:\pjvpj.exe103⤵PID:1416
-
\??\c:\lffxxxf.exec:\lffxxxf.exe104⤵
- System Location Discovery: System Language Discovery
PID:2172 -
\??\c:\1ntnnn.exec:\1ntnnn.exe105⤵PID:1948
-
\??\c:\bhtnnn.exec:\bhtnnn.exe106⤵PID:4392
-
\??\c:\3jjdp.exec:\3jjdp.exe107⤵PID:3340
-
\??\c:\lllfrxr.exec:\lllfrxr.exe108⤵PID:4788
-
\??\c:\rxxffff.exec:\rxxffff.exe109⤵PID:1968
-
\??\c:\nhhnnb.exec:\nhhnnb.exe110⤵PID:4416
-
\??\c:\pdddv.exec:\pdddv.exe111⤵PID:2948
-
\??\c:\5rrlrlf.exec:\5rrlrlf.exe112⤵PID:3336
-
\??\c:\rrfxffl.exec:\rrfxffl.exe113⤵PID:220
-
\??\c:\bhhhbb.exec:\bhhhbb.exe114⤵PID:1664
-
\??\c:\1vpjd.exec:\1vpjd.exe115⤵PID:4772
-
\??\c:\vppjd.exec:\vppjd.exe116⤵PID:4344
-
\??\c:\ffrlrxf.exec:\ffrlrxf.exe117⤵PID:1276
-
\??\c:\btnhth.exec:\btnhth.exe118⤵PID:4592
-
\??\c:\bttthh.exec:\bttthh.exe119⤵PID:4780
-
\??\c:\ppppd.exec:\ppppd.exe120⤵PID:1308
-
\??\c:\rrfxllx.exec:\rrfxllx.exe121⤵PID:5020
-
\??\c:\rlrllll.exec:\rlrllll.exe122⤵PID:2736