Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/01/2025, 07:23

Behavioral task: behavioral1
- Sample: bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe
- Resource: win7-20240903-en
- 7 signatures
- 150 seconds

General
- Target: bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe
- Size: 333KB
- MD5: fda14bc2c50db6ed23e5edaecdf0ead2
- SHA1: 630d01d7d0a408fa390f0a6402511a30b91b226a
- SHA256: bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6
- SHA512: 6cc9a8173bf5877067259d2e5ef304e5535f641cb307f229ca57147a3f7f2a1d6edf7ad981809f7b4266960fb087c5522da3d3769c5aa161ad289d76e1f60371
- SSDEEP: 6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe2:R4wFHoSHYHUrAwfMp3CD2
Malware Config

Signatures
- Blackmoon family
- Detect Blackmoon payload (37 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(tree depth in brackets; each process is the child of the one above it)
- [1] C:\Users\Admin\AppData\Local\Temp\bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe"), PID 2824: Suspicious use of WriteProcessMemory
- [2] \??\c:\fffllrf.exe (cmd: c:\fffllrf.exe), PID 2596: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [3] \??\c:\btnntb.exe (cmd: c:\btnntb.exe), PID 2856: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [4] \??\c:\ppjpd.exe (cmd: c:\ppjpd.exe), PID 2612: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [5] \??\c:\hbtnbn.exe (cmd: c:\hbtnbn.exe), PID 2836: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [6] \??\c:\9vppv.exe (cmd: c:\9vppv.exe), PID 2636: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [7] \??\c:\5bhbnn.exe (cmd: c:\5bhbnn.exe), PID 2312: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [8] \??\c:\vvjdj.exe (cmd: c:\vvjdj.exe), PID 592: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [9] \??\c:\1rlllrx.exe (cmd: c:\1rlllrx.exe), PID 800: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [10] \??\c:\nbnntn.exe (cmd: c:\nbnntn.exe), PID 1728: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [11] \??\c:\ppdjj.exe (cmd: c:\ppdjj.exe), PID 2080: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [12] \??\c:\lxfxxrx.exe (cmd: c:\lxfxxrx.exe), PID 2532: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [13] \??\c:\ntbhhh.exe (cmd: c:\ntbhhh.exe), PID 1960: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [14] \??\c:\9pdpp.exe (cmd: c:\9pdpp.exe), PID 2956: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [15] \??\c:\1rflrxf.exe (cmd: c:\1rflrxf.exe), PID 2912: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [16] \??\c:\hthhnt.exe (cmd: c:\hthhnt.exe), PID 2944: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [17] \??\c:\jpvjd.exe (cmd: c:\jpvjd.exe), PID 2908: Executes dropped EXE
- [18] \??\c:\nthbht.exe (cmd: c:\nthbht.exe), PID 2260: Executes dropped EXE
- [19] \??\c:\vpvdj.exe (cmd: c:\vpvdj.exe), PID 2780: Executes dropped EXE
- [20] \??\c:\3rxxrrr.exe (cmd: c:\3rxxrrr.exe), PID 1064: Executes dropped EXE
- [21] \??\c:\nbhnbh.exe (cmd: c:\nbhnbh.exe), PID 2136: Executes dropped EXE
- [22] \??\c:\vpvvv.exe (cmd: c:\vpvvv.exe), PID 1500: Executes dropped EXE
- [23] \??\c:\rfxllff.exe (cmd: c:\rfxllff.exe), PID 2032: Executes dropped EXE
- [24] \??\c:\hthhnt.exe (cmd: c:\hthhnt.exe), PID 2124: Executes dropped EXE
- [25] \??\c:\pjpjj.exe (cmd: c:\pjpjj.exe), PID 1476: Executes dropped EXE
- [26] \??\c:\rllrfrr.exe (cmd: c:\rllrfrr.exe), PID 2204: Executes dropped EXE
- [27] \??\c:\bhhbtt.exe (cmd: c:\bhhbtt.exe), PID 1528: Executes dropped EXE
- [28] \??\c:\vdvdd.exe (cmd: c:\vdvdd.exe), PID 1716: Executes dropped EXE
- [29] \??\c:\5lfxxrl.exe (cmd: c:\5lfxxrl.exe), PID 924: Executes dropped EXE
- [30] \??\c:\bnttbb.exe (cmd: c:\bnttbb.exe), PID 2428: Executes dropped EXE
- [31] \??\c:\jvjjd.exe (cmd: c:\jvjjd.exe), PID 1548: Executes dropped EXE
- [32] \??\c:\3frlxfl.exe (cmd: c:\3frlxfl.exe), PID 1864: Executes dropped EXE
- [33] \??\c:\3hnnnh.exe (cmd: c:\3hnnnh.exe), PID 1200: Executes dropped EXE
- [34] \??\c:\ffxlfrf.exe (cmd: c:\ffxlfrf.exe), PID 1752: Executes dropped EXE
- [35] \??\c:\3rffffl.exe (cmd: c:\3rffffl.exe), PID 1428: Executes dropped EXE
- [36] \??\c:\thnhhn.exe (cmd: c:\thnhhn.exe), PID 2744: Executes dropped EXE
- [37] \??\c:\pppdj.exe (cmd: c:\pppdj.exe), PID 2748: Executes dropped EXE
- [38] \??\c:\xrlrffl.exe (cmd: c:\xrlrffl.exe), PID 1700: Executes dropped EXE
- [39] \??\c:\xlflllr.exe (cmd: c:\xlflllr.exe), PID 2336: Executes dropped EXE
- [40] \??\c:\btbbhb.exe (cmd: c:\btbbhb.exe), PID 3020: Executes dropped EXE
- [41] \??\c:\dvpvp.exe (cmd: c:\dvpvp.exe), PID 2700: Executes dropped EXE
- [42] \??\c:\xxlfllx.exe (cmd: c:\xxlfllx.exe), PID 2652: Executes dropped EXE
- [43] \??\c:\bhnttn.exe (cmd: c:\bhnttn.exe), PID 2368: Executes dropped EXE
- [44] \??\c:\bththh.exe (cmd: c:\bththh.exe), PID 2256: Executes dropped EXE
- [45] \??\c:\jdvvj.exe (cmd: c:\jdvvj.exe), PID 2320: Executes dropped EXE
- [46] \??\c:\9xfrfrx.exe (cmd: c:\9xfrfrx.exe), PID 592: Executes dropped EXE
- [47] \??\c:\thbbbb.exe (cmd: c:\thbbbb.exe), PID 1048: Executes dropped EXE
- [48] \??\c:\ddpvp.exe (cmd: c:\ddpvp.exe), PID 800: Executes dropped EXE
- [49] \??\c:\vpvvd.exe (cmd: c:\vpvvd.exe), PID 1728: Executes dropped EXE
- [50] \??\c:\fxxrflf.exe (cmd: c:\fxxrflf.exe), PID 2536: Executes dropped EXE
- [51] \??\c:\nhtthn.exe (cmd: c:\nhtthn.exe), PID 2512: Executes dropped EXE; System Location Discovery: System Language Discovery
- [52] \??\c:\pvjvv.exe (cmd: c:\pvjvv.exe), PID 2628: Executes dropped EXE
- [53] \??\c:\jjpjp.exe (cmd: c:\jjpjp.exe), PID 2968: Executes dropped EXE
- [54] \??\c:\3xlfrrf.exe (cmd: c:\3xlfrrf.exe), PID 2976: Executes dropped EXE
- [55] \??\c:\rfllllr.exe (cmd: c:\rfllllr.exe), PID 2316: Executes dropped EXE
- [56] \??\c:\tnbbhn.exe (cmd: c:\tnbbhn.exe), PID 2912: Executes dropped EXE
- [57] \??\c:\pjvvv.exe (cmd: c:\pjvvv.exe), PID 2340: Executes dropped EXE
- [58] \??\c:\fxlrxrf.exe (cmd: c:\fxlrxrf.exe), PID 2876: Executes dropped EXE; System Location Discovery: System Language Discovery
- [59] \??\c:\xrxxrrx.exe (cmd: c:\xrxxrrx.exe), PID 1424: Executes dropped EXE
- [60] \??\c:\9tntbh.exe (cmd: c:\9tntbh.exe), PID 1612: Executes dropped EXE
- [61] \??\c:\jvddv.exe (cmd: c:\jvddv.exe), PID 2264: Executes dropped EXE
- [62] \??\c:\lxrflfl.exe (cmd: c:\lxrflfl.exe), PID 1756: Executes dropped EXE
- [63] \??\c:\7lfrrxx.exe (cmd: c:\7lfrrxx.exe), PID 1820: Executes dropped EXE
- [64] \??\c:\httnbb.exe (cmd: c:\httnbb.exe), PID 2004: Executes dropped EXE
- [65] \??\c:\vpvvv.exe (cmd: c:\vpvvv.exe), PID 2168: Executes dropped EXE
- [66] \??\c:\pppvv.exe (cmd: c:\pppvv.exe), PID 3060
- [67] \??\c:\9fffrrx.exe (cmd: c:\9fffrrx.exe), PID 2172
- [68] \??\c:\lfxxfff.exe (cmd: c:\lfxxfff.exe), PID 1608
- [69] \??\c:\hbhnnn.exe (cmd: c:\hbhnnn.exe), PID 1328
- [70] \??\c:\dvjdd.exe (cmd: c:\dvjdd.exe), PID 1808
- [71] \??\c:\5vjvd.exe (cmd: c:\5vjvd.exe), PID 1540
- [72] \??\c:\xrlllff.exe (cmd: c:\xrlllff.exe), PID 852
- [73] \??\c:\frflllr.exe (cmd: c:\frflllr.exe), PID 1312
- [74] \??\c:\nhnthh.exe (cmd: c:\nhnthh.exe), PID 568
- [75] \??\c:\hbnnhh.exe (cmd: c:\hbnnhh.exe), PID 1616
- [76] \??\c:\pdpjp.exe (cmd: c:\pdpjp.exe), PID 2492
- [77] \??\c:\xrrxxll.exe (cmd: c:\xrrxxll.exe), PID 2332
- [78] \??\c:\rlxlllr.exe (cmd: c:\rlxlllr.exe), PID 2696
- [79] \??\c:\tnbbnt.exe (cmd: c:\tnbbnt.exe), PID 1620
- [80] \??\c:\1pppv.exe (cmd: c:\1pppv.exe), PID 1248
- [81] \??\c:\vvvjd.exe (cmd: c:\vvvjd.exe), PID 2112
- [82] \??\c:\5rllffl.exe (cmd: c:\5rllffl.exe), PID 2712
- [83] \??\c:\ntntnt.exe (cmd: c:\ntntnt.exe), PID 1596
- [84] \??\c:\nbnhbh.exe (cmd: c:\nbnhbh.exe), PID 2812
- [85] \??\c:\pdjpv.exe (cmd: c:\pdjpv.exe), PID 1700
- [86] \??\c:\llxfllr.exe (cmd: c:\llxfllr.exe), PID 2236
- [87] \??\c:\tnnbhn.exe (cmd: c:\tnnbhn.exe), PID 3020
- [88] \??\c:\bhntnn.exe (cmd: c:\bhntnn.exe), PID 2836
- [89] \??\c:\7pddj.exe (cmd: c:\7pddj.exe), PID 2652
- [90] \??\c:\llfrrlf.exe (cmd: c:\llfrrlf.exe), PID 1868
- [91] \??\c:\lxrrrll.exe (cmd: c:\lxrrrll.exe), PID 1984
- [92] \??\c:\hntnnh.exe (cmd: c:\hntnnh.exe), PID 560
- [93] \??\c:\jdjjv.exe (cmd: c:\jdjjv.exe), PID 592
- [94] \??\c:\rfflxfr.exe (cmd: c:\rfflxfr.exe), PID 1496
- [95] \??\c:\xlrrxxx.exe (cmd: c:\xlrrxxx.exe), PID 800
- [96] \??\c:\bnhhnn.exe (cmd: c:\bnhhnn.exe), PID 1968
- [97] \??\c:\3nnbbb.exe (cmd: c:\3nnbbb.exe), PID 2532
- [98] \??\c:\ppdpv.exe (cmd: c:\ppdpv.exe), PID 2096
- [99] \??\c:\lfxxrlx.exe (cmd: c:\lfxxrlx.exe), PID 2628
- [100] \??\c:\nbntbb.exe (cmd: c:\nbntbb.exe), PID 2572
- [101] \??\c:\dpdvd.exe (cmd: c:\dpdvd.exe), PID 2976
- [102] \??\c:\vjvvp.exe (cmd: c:\vjvvp.exe), PID 2316
- [103] \??\c:\3xrllll.exe (cmd: c:\3xrllll.exe), PID 2348
- [104] \??\c:\xrlrfxl.exe (cmd: c:\xrlrfxl.exe), PID 2352
- [105] \??\c:\nhnbnn.exe (cmd: c:\nhnbnn.exe), PID 680
- [106] \??\c:\jvvjp.exe (cmd: c:\jvvjp.exe), PID 2768
- [107] \??\c:\3vjjv.exe (cmd: c:\3vjjv.exe), PID 552
- [108] \??\c:\1fxrfxf.exe (cmd: c:\1fxrfxf.exe), PID 1296
- [109] \??\c:\xlfrfrx.exe (cmd: c:\xlfrfrx.exe), PID 1064
- [110] \??\c:\tttbnt.exe (cmd: c:\tttbnt.exe), PID 2496
- [111] \??\c:\jvjdd.exe (cmd: c:\jvjdd.exe), PID 1676
- [112] \??\c:\xfllrrx.exe (cmd: c:\xfllrrx.exe), PID 308: System Location Discovery: System Language Discovery
- [113] \??\c:\rfxrrlf.exe (cmd: c:\rfxrrlf.exe), PID 3060
- [114] \??\c:\hhhbhh.exe (cmd: c:\hhhbhh.exe), PID 2324
- [115] \??\c:\pjppp.exe (cmd: c:\pjppp.exe), PID 1608
- [116] \??\c:\3jdvj.exe (cmd: c:\3jdvj.exe), PID 1076
- [117] \??\c:\rlxxfll.exe (cmd: c:\rlxxfll.exe), PID 1696
- [118] \??\c:\nhthhh.exe (cmd: c:\nhthhh.exe), PID 1540
- [119] \??\c:\djvvp.exe (cmd: c:\djvvp.exe), PID 616
- [120] \??\c:\dppdj.exe (cmd: c:\dppdj.exe), PID 1784
- [121] \??\c:\lfllxrf.exe (cmd: c:\lfllxrf.exe), PID 568
- [122] \??\c:\rlrxxxf.exe (cmd: c:\rlrxxxf.exe), PID 2128