Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:09
Behavioral task
behavioral1
Sample
b8ebfcb5da2e0ffda3415962afeb29bc82aacfe7540f9a2200d2f94b16c30b4dN.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b8ebfcb5da2e0ffda3415962afeb29bc82aacfe7540f9a2200d2f94b16c30b4dN.exe
-
Size
334KB
-
MD5
a1a7e98274c192ac1581f83ff6967310
-
SHA1
04e1c0c89b9fc6b06039a515ee83117c38b7a10f
-
SHA256
b8ebfcb5da2e0ffda3415962afeb29bc82aacfe7540f9a2200d2f94b16c30b4d
-
SHA512
e794773bb23071ea7e808faa6573a4d63b0a20343e6257d4537cd35e7c1e0195328c65e18fe73588ae1f243eb514ff4102da4c3f85b0e37c7b40ca36932ab518
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeR:R4wFHoSHYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2868-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/944-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1396-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1136-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4236-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3084-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4064-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3792-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2924-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/904-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/556-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4780-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4392-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4164-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2944-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2076-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4780-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2496-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1488-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2832-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-540-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-552-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-581-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4164-584-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/8-932-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 944 htnbtn.exe 1720 ffxrxrf.exe 3124 ddddp.exe 5064 7tntht.exe 1396 djvjp.exe 4556 rlrfrlx.exe 3700 ntnbtn.exe 744 vppjv.exe 4272 lrlfxrr.exe 4548 9vpjd.exe 1136 dvpdp.exe 1992 bhhtnb.exe 2144 5vpvj.exe 3364 rrlrlfr.exe 2944 hnnbbt.exe 4236 rlrfffl.exe 3088 rffrfxr.exe 5016 nnnbbt.exe 3084 5vdpv.exe 4444 lxrflfx.exe 4064 nnthtn.exe 2116 vpdvp.exe 3332 7bhthb.exe 2644 nnntbb.exe 3792 pddpd.exe 412 bthtbt.exe 2924 9dpdp.exe 3512 lxfrxrx.exe 904 3dpdp.exe 832 bhnbth.exe 4908 djjvp.exe 3196 frrlxrl.exe 316 1hhhtt.exe 4688 btbnhh.exe 1820 vddvp.exe 3952 rffxxxr.exe 3596 btnhbt.exe 556 bbhhnn.exe 4780 vvjvd.exe 3456 rlxxllr.exe 740 hbbbbh.exe 4684 vpjdp.exe 2420 fllfxxr.exe 208 rxlrrlr.exe 3464 bbhnbt.exe 5080 dppdv.exe 3216 1dvpp.exe 4344 5xlflll.exe 4220 hhnhtn.exe 4392 vpvpp.exe 4436 fxlxlll.exe 2868 tbnbnh.exe 4196 bntnbt.exe 4868 lrlfxxr.exe 4060 ttnbnh.exe 2436 nbtnhb.exe 2412 pvvpd.exe 2340 rxfxffx.exe 312 frfxrlf.exe 976 ntthtn.exe 3368 hbnhbt.exe 4856 7vpjd.exe 3648 1vjdv.exe 392 1rrlxxr.exe -
resource yara_rule behavioral2/memory/2868-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b21-3.dat upx behavioral2/memory/2868-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b7d-8.dat upx behavioral2/memory/944-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-11.dat upx behavioral2/memory/1720-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-18.dat upx behavioral2/files/0x000a000000023b85-22.dat upx behavioral2/files/0x000a000000023b86-26.dat upx behavioral2/memory/1396-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4556-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-32.dat upx behavioral2/memory/4556-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-37.dat upx behavioral2/files/0x000a000000023b89-41.dat upx behavioral2/memory/744-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-45.dat upx behavioral2/memory/4272-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-51.dat upx behavioral2/memory/4548-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-56.dat upx behavioral2/memory/1136-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-63.dat upx behavioral2/memory/1992-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-66.dat upx behavioral2/memory/2144-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-72.dat upx behavioral2/files/0x000a000000023b91-76.dat upx behavioral2/memory/4236-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-80.dat upx 
behavioral2/memory/3088-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-86.dat upx behavioral2/memory/5016-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3084-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-96.dat upx behavioral2/files/0x000b000000023b7f-91.dat upx behavioral2/files/0x000a000000023b96-104.dat upx behavioral2/memory/4064-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2116-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-100.dat upx behavioral2/files/0x000a000000023b97-109.dat upx behavioral2/files/0x000a000000023b98-114.dat upx behavioral2/memory/3332-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-118.dat upx behavioral2/memory/3792-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2644-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-125.dat upx behavioral2/memory/412-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-129.dat upx behavioral2/memory/2924-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9c-133.dat upx behavioral2/files/0x000b000000023b9d-137.dat upx behavioral2/memory/3512-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9e-143.dat upx behavioral2/memory/904-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9f-148.dat upx behavioral2/files/0x000a000000023ba7-152.dat upx behavioral2/memory/4688-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3596-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/556-170-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4780-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3456-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/208-185-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbthb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2868 wrote to memory of 944 2868 b8ebfcb5da2e0ffda3415962afeb29bc82aacfe7540f9a2200d2f94b16c30b4dN.exe 82 PID 2868 wrote to memory of 944 2868 b8ebfcb5da2e0ffda3415962afeb29bc82aacfe7540f9a2200d2f94b16c30b4dN.exe 82 PID 2868 wrote to memory of 944 2868 b8ebfcb5da2e0ffda3415962afeb29bc82aacfe7540f9a2200d2f94b16c30b4dN.exe 82 PID 944 wrote to memory of 1720 944 htnbtn.exe 83 PID 944 wrote to memory of 1720 944 htnbtn.exe 83 PID 944 wrote to memory of 1720 944 htnbtn.exe 83 PID 1720 wrote to memory of 3124 1720 ffxrxrf.exe 84 PID 1720 wrote to memory of 3124 1720 ffxrxrf.exe 84 PID 1720 wrote to memory of 3124 1720 ffxrxrf.exe 84 PID 3124 wrote to memory of 5064 3124 ddddp.exe 85 PID 3124 wrote to memory of 5064 3124 ddddp.exe 85 PID 3124 wrote to memory of 5064 3124 ddddp.exe 85 PID 5064 wrote to memory of 1396 5064 7tntht.exe 86 PID 5064 wrote to memory of 1396 5064 7tntht.exe 86 PID 5064 wrote to memory of 1396 5064 7tntht.exe 86 PID 1396 wrote to memory of 4556 1396 djvjp.exe 87 PID 1396 wrote to memory of 4556 1396 djvjp.exe 87 PID 1396 wrote to memory of 4556 1396 djvjp.exe 87 PID 4556 wrote to memory of 3700 4556 rlrfrlx.exe 88 PID 4556 wrote to memory of 3700 4556 rlrfrlx.exe 88 PID 4556 wrote to memory of 3700 4556 rlrfrlx.exe 88 PID 3700 wrote to memory of 744 3700 ntnbtn.exe 89 PID 3700 wrote to memory of 744 3700 ntnbtn.exe 89 PID 3700 wrote to memory of 744 3700 ntnbtn.exe 89 PID 744 wrote to memory of 4272 744 vppjv.exe 90 PID 744 wrote to memory of 4272 744 vppjv.exe 90 PID 744 wrote to memory of 4272 744 vppjv.exe 90 PID 4272 wrote to memory of 4548 4272 lrlfxrr.exe 91 PID 4272 wrote to memory of 4548 4272 lrlfxrr.exe 91 PID 4272 wrote to memory of 4548 4272 lrlfxrr.exe 91 PID 4548 wrote to memory of 1136 4548 9vpjd.exe 92 PID 4548 wrote to memory of 1136 4548 9vpjd.exe 92 PID 4548 wrote to memory of 1136 4548 9vpjd.exe 92 PID 1136 wrote to memory of 1992 1136 dvpdp.exe 93 PID 1136 wrote to memory of 1992 1136 
dvpdp.exe 93 PID 1136 wrote to memory of 1992 1136 dvpdp.exe 93 PID 1992 wrote to memory of 2144 1992 bhhtnb.exe 94 PID 1992 wrote to memory of 2144 1992 bhhtnb.exe 94 PID 1992 wrote to memory of 2144 1992 bhhtnb.exe 94 PID 2144 wrote to memory of 3364 2144 5vpvj.exe 95 PID 2144 wrote to memory of 3364 2144 5vpvj.exe 95 PID 2144 wrote to memory of 3364 2144 5vpvj.exe 95 PID 3364 wrote to memory of 2944 3364 rrlrlfr.exe 96 PID 3364 wrote to memory of 2944 3364 rrlrlfr.exe 96 PID 3364 wrote to memory of 2944 3364 rrlrlfr.exe 96 PID 2944 wrote to memory of 4236 2944 hnnbbt.exe 97 PID 2944 wrote to memory of 4236 2944 hnnbbt.exe 97 PID 2944 wrote to memory of 4236 2944 hnnbbt.exe 97 PID 4236 wrote to memory of 3088 4236 rlrfffl.exe 98 PID 4236 wrote to memory of 3088 4236 rlrfffl.exe 98 PID 4236 wrote to memory of 3088 4236 rlrfffl.exe 98 PID 3088 wrote to memory of 5016 3088 rffrfxr.exe 99 PID 3088 wrote to memory of 5016 3088 rffrfxr.exe 99 PID 3088 wrote to memory of 5016 3088 rffrfxr.exe 99 PID 5016 wrote to memory of 3084 5016 nnnbbt.exe 100 PID 5016 wrote to memory of 3084 5016 nnnbbt.exe 100 PID 5016 wrote to memory of 3084 5016 nnnbbt.exe 100 PID 3084 wrote to memory of 4444 3084 5vdpv.exe 101 PID 3084 wrote to memory of 4444 3084 5vdpv.exe 101 PID 3084 wrote to memory of 4444 3084 5vdpv.exe 101 PID 4444 wrote to memory of 4064 4444 lxrflfx.exe 102 PID 4444 wrote to memory of 4064 4444 lxrflfx.exe 102 PID 4444 wrote to memory of 4064 4444 lxrflfx.exe 102 PID 4064 wrote to memory of 2116 4064 nnthtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8ebfcb5da2e0ffda3415962afeb29bc82aacfe7540f9a2200d2f94b16c30b4dN.exe"C:\Users\Admin\AppData\Local\Temp\b8ebfcb5da2e0ffda3415962afeb29bc82aacfe7540f9a2200d2f94b16c30b4dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\htnbtn.exec:\htnbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\ffxrxrf.exec:\ffxrxrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\ddddp.exec:\ddddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\7tntht.exec:\7tntht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\djvjp.exec:\djvjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\rlrfrlx.exec:\rlrfrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\ntnbtn.exec:\ntnbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\vppjv.exec:\vppjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\lrlfxrr.exec:\lrlfxrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\9vpjd.exec:\9vpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\dvpdp.exec:\dvpdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\bhhtnb.exec:\bhhtnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\5vpvj.exec:\5vpvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\rrlrlfr.exec:\rrlrlfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\hnnbbt.exec:\hnnbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\rlrfffl.exec:\rlrfffl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\rffrfxr.exec:\rffrfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\nnnbbt.exec:\nnnbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\5vdpv.exec:\5vdpv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\lxrflfx.exec:\lxrflfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\nnthtn.exec:\nnthtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\vpdvp.exec:\vpdvp.exe23⤵
- Executes dropped EXE
PID:2116 -
\??\c:\7bhthb.exec:\7bhthb.exe24⤵
- Executes dropped EXE
PID:3332 -
\??\c:\nnntbb.exec:\nnntbb.exe25⤵
- Executes dropped EXE
PID:2644 -
\??\c:\pddpd.exec:\pddpd.exe26⤵
- Executes dropped EXE
PID:3792 -
\??\c:\bthtbt.exec:\bthtbt.exe27⤵
- Executes dropped EXE
PID:412 -
\??\c:\9dpdp.exec:\9dpdp.exe28⤵
- Executes dropped EXE
PID:2924 -
\??\c:\lxfrxrx.exec:\lxfrxrx.exe29⤵
- Executes dropped EXE
PID:3512 -
\??\c:\3dpdp.exec:\3dpdp.exe30⤵
- Executes dropped EXE
PID:904 -
\??\c:\bhnbth.exec:\bhnbth.exe31⤵
- Executes dropped EXE
PID:832 -
\??\c:\djjvp.exec:\djjvp.exe32⤵
- Executes dropped EXE
PID:4908 -
\??\c:\frrlxrl.exec:\frrlxrl.exe33⤵
- Executes dropped EXE
PID:3196 -
\??\c:\1hhhtt.exec:\1hhhtt.exe34⤵
- Executes dropped EXE
PID:316 -
\??\c:\btbnhh.exec:\btbnhh.exe35⤵
- Executes dropped EXE
PID:4688 -
\??\c:\vddvp.exec:\vddvp.exe36⤵
- Executes dropped EXE
PID:1820 -
\??\c:\rffxxxr.exec:\rffxxxr.exe37⤵
- Executes dropped EXE
PID:3952 -
\??\c:\btnhbt.exec:\btnhbt.exe38⤵
- Executes dropped EXE
PID:3596 -
\??\c:\bbhhnn.exec:\bbhhnn.exe39⤵
- Executes dropped EXE
PID:556 -
\??\c:\vvjvd.exec:\vvjvd.exe40⤵
- Executes dropped EXE
PID:4780 -
\??\c:\rlxxllr.exec:\rlxxllr.exe41⤵
- Executes dropped EXE
PID:3456 -
\??\c:\hbbbbh.exec:\hbbbbh.exe42⤵
- Executes dropped EXE
PID:740 -
\??\c:\vpjdp.exec:\vpjdp.exe43⤵
- Executes dropped EXE
PID:4684 -
\??\c:\fllfxxr.exec:\fllfxxr.exe44⤵
- Executes dropped EXE
PID:2420 -
\??\c:\rxlrrlr.exec:\rxlrrlr.exe45⤵
- Executes dropped EXE
PID:208 -
\??\c:\bbhnbt.exec:\bbhnbt.exe46⤵
- Executes dropped EXE
PID:3464 -
\??\c:\dppdv.exec:\dppdv.exe47⤵
- Executes dropped EXE
PID:5080 -
\??\c:\1dvpp.exec:\1dvpp.exe48⤵
- Executes dropped EXE
PID:3216 -
\??\c:\5xlflll.exec:\5xlflll.exe49⤵
- Executes dropped EXE
PID:4344 -
\??\c:\hhnhtn.exec:\hhnhtn.exe50⤵
- Executes dropped EXE
PID:4220 -
\??\c:\vpvpp.exec:\vpvpp.exe51⤵
- Executes dropped EXE
PID:4392 -
\??\c:\fxlxlll.exec:\fxlxlll.exe52⤵
- Executes dropped EXE
PID:4436 -
\??\c:\tbnbnh.exec:\tbnbnh.exe53⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bntnbt.exec:\bntnbt.exe54⤵
- Executes dropped EXE
PID:4196 -
\??\c:\lrlfxxr.exec:\lrlfxxr.exe55⤵
- Executes dropped EXE
PID:4868 -
\??\c:\ttnbnh.exec:\ttnbnh.exe56⤵
- Executes dropped EXE
PID:4060 -
\??\c:\nbtnhb.exec:\nbtnhb.exe57⤵
- Executes dropped EXE
PID:2436 -
\??\c:\pvvpd.exec:\pvvpd.exe58⤵
- Executes dropped EXE
PID:2412 -
\??\c:\rxfxffx.exec:\rxfxffx.exe59⤵
- Executes dropped EXE
PID:2340 -
\??\c:\frfxrlf.exec:\frfxrlf.exe60⤵
- Executes dropped EXE
PID:312 -
\??\c:\ntthtn.exec:\ntthtn.exe61⤵
- Executes dropped EXE
PID:976 -
\??\c:\hbnhbt.exec:\hbnhbt.exe62⤵
- Executes dropped EXE
PID:3368 -
\??\c:\7vpjd.exec:\7vpjd.exe63⤵
- Executes dropped EXE
PID:4856 -
\??\c:\1vjdv.exec:\1vjdv.exe64⤵
- Executes dropped EXE
PID:3648 -
\??\c:\1rrlxxr.exec:\1rrlxxr.exe65⤵
- Executes dropped EXE
PID:392 -
\??\c:\btbnbt.exec:\btbnbt.exe66⤵PID:2308
-
\??\c:\7vvpd.exec:\7vvpd.exe67⤵PID:4164
-
\??\c:\rlfrlxx.exec:\rlfrlxx.exe68⤵PID:112
-
\??\c:\nbhthb.exec:\nbhthb.exe69⤵PID:2788
-
\??\c:\1nnhhb.exec:\1nnhhb.exe70⤵PID:2692
-
\??\c:\jvvdp.exec:\jvvdp.exe71⤵PID:1552
-
\??\c:\dpvpp.exec:\dpvpp.exe72⤵PID:3184
-
\??\c:\lxlxlfx.exec:\lxlxlfx.exe73⤵PID:2948
-
\??\c:\ttnnbn.exec:\ttnnbn.exe74⤵PID:5084
-
\??\c:\dpjvp.exec:\dpjvp.exe75⤵
- System Location Discovery: System Language Discovery
PID:220 -
\??\c:\3llxllr.exec:\3llxllr.exe76⤵PID:3460
-
\??\c:\llxrffl.exec:\llxrffl.exe77⤵PID:2760
-
\??\c:\nhhbbn.exec:\nhhbbn.exe78⤵PID:1924
-
\??\c:\1jdpv.exec:\1jdpv.exe79⤵PID:1688
-
\??\c:\9jvjd.exec:\9jvjd.exe80⤵PID:2944
-
\??\c:\3rrlxfx.exec:\3rrlxfx.exe81⤵PID:2076
-
\??\c:\hbhbtb.exec:\hbhbtb.exe82⤵PID:5060
-
\??\c:\ddvpj.exec:\ddvpj.exe83⤵PID:3416
-
\??\c:\vvjvj.exec:\vvjvj.exe84⤵PID:1468
-
\??\c:\xlrxfxx.exec:\xlrxfxx.exe85⤵PID:2704
-
\??\c:\3hhbtn.exec:\3hhbtn.exe86⤵PID:4444
-
\??\c:\9pvpj.exec:\9pvpj.exe87⤵PID:2352
-
\??\c:\fxlxlxr.exec:\fxlxlxr.exe88⤵PID:4144
-
\??\c:\3llfxxl.exec:\3llfxxl.exe89⤵PID:4328
-
\??\c:\bnbtnn.exec:\bnbtnn.exe90⤵PID:4032
-
\??\c:\tnhnth.exec:\tnhnth.exe91⤵PID:5096
-
\??\c:\dddpp.exec:\dddpp.exe92⤵PID:4168
-
\??\c:\9llfffl.exec:\9llfffl.exe93⤵PID:2532
-
\??\c:\jdjpd.exec:\jdjpd.exe94⤵PID:3168
-
\??\c:\9vjdv.exec:\9vjdv.exe95⤵PID:2168
-
\??\c:\7rxrfxr.exec:\7rxrfxr.exe96⤵PID:4376
-
\??\c:\tbttbt.exec:\tbttbt.exe97⤵PID:4204
-
\??\c:\hthnhh.exec:\hthnhh.exe98⤵PID:4364
-
\??\c:\jvpjv.exec:\jvpjv.exe99⤵PID:2828
-
\??\c:\5fxrxlx.exec:\5fxrxlx.exe100⤵PID:2232
-
\??\c:\tbhbtn.exec:\tbhbtn.exe101⤵PID:2296
-
\??\c:\bnnhht.exec:\bnnhht.exe102⤵PID:700
-
\??\c:\jpjdp.exec:\jpjdp.exe103⤵PID:1108
-
\??\c:\dpvpp.exec:\dpvpp.exe104⤵PID:5004
-
\??\c:\xxrxrlx.exec:\xxrxrlx.exe105⤵PID:5020
-
\??\c:\xflfrlf.exec:\xflfrlf.exe106⤵PID:2320
-
\??\c:\bnnhbb.exec:\bnnhbb.exe107⤵PID:3844
-
\??\c:\vpdvv.exec:\vpdvv.exe108⤵PID:2088
-
\??\c:\rllxxrr.exec:\rllxxrr.exe109⤵PID:3388
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe110⤵PID:3932
-
\??\c:\tbhbtn.exec:\tbhbtn.exe111⤵PID:880
-
\??\c:\5hhthb.exec:\5hhthb.exe112⤵PID:2732
-
\??\c:\vjddd.exec:\vjddd.exe113⤵PID:4544
-
\??\c:\xffxrrr.exec:\xffxrrr.exe114⤵PID:556
-
\??\c:\xfflffx.exec:\xfflffx.exe115⤵PID:4780
-
\??\c:\9htnnn.exec:\9htnnn.exe116⤵PID:2236
-
\??\c:\vpvjd.exec:\vpvjd.exe117⤵PID:2880
-
\??\c:\xxrfrfr.exec:\xxrfrfr.exe118⤵PID:1976
-
\??\c:\rfxllxx.exec:\rfxllxx.exe119⤵PID:772
-
\??\c:\1hhbnh.exec:\1hhbnh.exe120⤵PID:2988
-
\??\c:\pdvpj.exec:\pdvpj.exe121⤵PID:4904
-
\??\c:\vjvpv.exec:\vjvpv.exe122⤵PID:2676