Analysis
-
max time kernel
150s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11/09/2024, 23:44
Behavioral task
behavioral1
Sample
90037aa475fe9247c5d8b963358c03bb66ed74810225efb8c3a51e4d573383f4.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
90037aa475fe9247c5d8b963358c03bb66ed74810225efb8c3a51e4d573383f4.exe
-
Size
68KB
-
MD5
653ea5ab175c0912701b5298f03e30fe
-
SHA1
52980fecf643c11010d555716ba3d234d39e7b2c
-
SHA256
90037aa475fe9247c5d8b963358c03bb66ed74810225efb8c3a51e4d573383f4
-
SHA512
8fb951b39f1efb572364650a571e99915df8652146764dc7e759c8fa7926336a76d26894a0938fbe260d917b03b524fe0712467e93af3fee7813345ac0cc28b8
-
SSDEEP
1536:vvQBeOGtrYS3srx93UBWfwC6Ggnouy8rrUxAqQDrzIkss+8D:vhOmTsF93UYfwC6GIoutrAxAqU6s+4
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/828-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/920-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3292-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3160-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4124-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1696-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4764-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3752-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2240-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1444-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/436-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/456-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1904-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3912-434-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-441-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/432-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-483-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1380-493-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-639-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4392-715-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-743-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-756-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-784-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-1116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-1213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2956-1553-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 412 bntbht.exe 920 djpjd.exe 3592 pvjvp.exe 3292 xlfxrrr.exe 4020 bnnbnn.exe 4612 vjvpj.exe 5072 lrrllfx.exe 1840 ntbthb.exe 2964 djjdv.exe 3160 jddvp.exe 4124 xxfrlff.exe 3112 nhtnhb.exe 1696 jpvjv.exe 3120 rlxlfxr.exe 4456 llrrxfl.exe 2480 tbhbtn.exe 2180 dddvj.exe 4712 vpvpp.exe 2924 5ffxfxx.exe 1596 nbbtnn.exe 1736 vjddv.exe 1524 lrxlfxr.exe 544 5tnnhb.exe 4544 jdjdv.exe 552 3frlxxl.exe 2300 xlfxllx.exe 4764 hntnhb.exe 1228 5ntnbh.exe 4416 dpdpj.exe 1692 llxxfff.exe 2316 bhtnhh.exe 2464 xxxrrrr.exe 1324 nbbtnn.exe 1964 3jpjj.exe 744 lrxrlll.exe 3652 lflrfrf.exe 1480 htnbbb.exe 1644 hhbthn.exe 516 vdvpp.exe 4860 rxllfxr.exe 2880 llfrfxr.exe 4444 hbhbtt.exe 2436 5vvdj.exe 2544 jddvv.exe 3752 lflffxf.exe 2240 xrxlfxr.exe 4460 nttnbb.exe 2224 jdpdj.exe 4848 dvvjv.exe 1216 rfrfxlx.exe 4140 ffrlrrr.exe 1656 tntnhh.exe 2540 nnnhtn.exe 2972 ppjdv.exe 2964 pjpdv.exe 264 rlfrllf.exe 4964 5hbbnh.exe 3632 bthhnn.exe 1612 ppvpp.exe 4940 fllfrrx.exe 856 frrlfxr.exe 4464 tttnhn.exe 1364 nnnbbb.exe 2340 pjpdd.exe -
resource yara_rule behavioral2/memory/828-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/828-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023496-6.dat upx behavioral2/files/0x00080000000234f3-10.dat upx behavioral2/memory/412-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f7-13.dat upx behavioral2/memory/920-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f8-21.dat upx behavioral2/memory/3592-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f9-27.dat upx behavioral2/memory/3292-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234fb-34.dat upx behavioral2/memory/4020-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234fc-39.dat upx behavioral2/files/0x00070000000234fd-44.dat upx behavioral2/memory/5072-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234fe-50.dat upx behavioral2/memory/1840-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ff-55.dat upx behavioral2/memory/2964-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3160-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4124-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023500-63.dat upx behavioral2/files/0x0007000000023501-68.dat upx behavioral2/memory/4124-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023502-74.dat upx behavioral2/memory/3112-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023503-80.dat upx behavioral2/memory/1696-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023504-86.dat upx 
behavioral2/memory/3120-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023505-92.dat upx behavioral2/memory/4456-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023506-100.dat upx behavioral2/memory/2480-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023507-104.dat upx behavioral2/memory/2180-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023508-111.dat upx behavioral2/files/0x0007000000023509-115.dat upx behavioral2/memory/1596-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002350a-122.dat upx behavioral2/files/0x000700000002350b-125.dat upx behavioral2/memory/1736-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002350c-131.dat upx behavioral2/files/0x000700000002350e-136.dat upx behavioral2/memory/4544-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002350f-141.dat upx behavioral2/files/0x0007000000023510-148.dat upx behavioral2/memory/2300-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000234f4-154.dat upx behavioral2/files/0x0007000000023511-157.dat upx behavioral2/memory/4764-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1228-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4416-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023513-172.dat upx behavioral2/files/0x0007000000023512-165.dat upx behavioral2/files/0x0007000000023514-177.dat upx behavioral2/files/0x0007000000023515-181.dat upx behavioral2/memory/2316-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3652-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1480-203-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1644-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4860-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4444-221-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 828 wrote to memory of 412 828 90037aa475fe9247c5d8b963358c03bb66ed74810225efb8c3a51e4d573383f4.exe 83 PID 828 wrote to memory of 412 828 90037aa475fe9247c5d8b963358c03bb66ed74810225efb8c3a51e4d573383f4.exe 83 PID 828 wrote to memory of 412 828 90037aa475fe9247c5d8b963358c03bb66ed74810225efb8c3a51e4d573383f4.exe 83 PID 412 wrote to memory of 920 412 bntbht.exe 84 PID 412 wrote to memory of 920 412 bntbht.exe 84 PID 412 wrote to memory of 920 412 bntbht.exe 84 PID 920 wrote to memory of 3592 920 djpjd.exe 85 PID 920 wrote to memory of 3592 920 djpjd.exe 85 PID 920 wrote to memory of 3592 920 djpjd.exe 85 PID 3592 wrote to memory of 3292 3592 pvjvp.exe 86 PID 3592 wrote to memory of 3292 3592 pvjvp.exe 86 PID 3592 wrote to memory of 3292 3592 pvjvp.exe 86 PID 3292 wrote to memory of 4020 3292 xlfxrrr.exe 87 PID 3292 wrote to memory of 4020 3292 xlfxrrr.exe 87 PID 3292 wrote to memory of 4020 3292 xlfxrrr.exe 87 PID 4020 wrote to memory of 4612 4020 bnnbnn.exe 88 PID 4020 wrote to memory of 4612 4020 bnnbnn.exe 88 PID 4020 wrote to memory of 4612 4020 bnnbnn.exe 88 PID 4612 wrote to memory of 5072 4612 vjvpj.exe 89 PID 4612 wrote to memory of 5072 4612 vjvpj.exe 89 PID 4612 wrote to memory of 5072 4612 vjvpj.exe 89 PID 5072 wrote to memory of 1840 5072 lrrllfx.exe 91 PID 5072 wrote to memory of 1840 5072 lrrllfx.exe 91 PID 5072 wrote to memory of 1840 5072 lrrllfx.exe 91 PID 1840 wrote to memory of 2964 1840 ntbthb.exe 92 PID 1840 wrote to memory of 2964 1840 ntbthb.exe 92 PID 1840 wrote to memory of 2964 1840 ntbthb.exe 92 PID 2964 wrote to memory of 3160 2964 djjdv.exe 93 PID 2964 wrote to memory of 3160 2964 djjdv.exe 93 PID 2964 wrote to memory of 3160 2964 djjdv.exe 93 PID 3160 wrote to memory of 4124 3160 jddvp.exe 94 PID 3160 wrote to memory of 4124 3160 jddvp.exe 94 PID 3160 wrote to memory of 4124 3160 jddvp.exe 94 PID 4124 wrote to memory of 3112 4124 xxfrlff.exe 95 PID 4124 wrote to memory of 3112 4124 xxfrlff.exe 
95 PID 4124 wrote to memory of 3112 4124 xxfrlff.exe 95 PID 3112 wrote to memory of 1696 3112 nhtnhb.exe 96 PID 3112 wrote to memory of 1696 3112 nhtnhb.exe 96 PID 3112 wrote to memory of 1696 3112 nhtnhb.exe 96 PID 1696 wrote to memory of 3120 1696 jpvjv.exe 98 PID 1696 wrote to memory of 3120 1696 jpvjv.exe 98 PID 1696 wrote to memory of 3120 1696 jpvjv.exe 98 PID 3120 wrote to memory of 4456 3120 rlxlfxr.exe 99 PID 3120 wrote to memory of 4456 3120 rlxlfxr.exe 99 PID 3120 wrote to memory of 4456 3120 rlxlfxr.exe 99 PID 4456 wrote to memory of 2480 4456 llrrxfl.exe 100 PID 4456 wrote to memory of 2480 4456 llrrxfl.exe 100 PID 4456 wrote to memory of 2480 4456 llrrxfl.exe 100 PID 2480 wrote to memory of 2180 2480 tbhbtn.exe 101 PID 2480 wrote to memory of 2180 2480 tbhbtn.exe 101 PID 2480 wrote to memory of 2180 2480 tbhbtn.exe 101 PID 2180 wrote to memory of 4712 2180 dddvj.exe 102 PID 2180 wrote to memory of 4712 2180 dddvj.exe 102 PID 2180 wrote to memory of 4712 2180 dddvj.exe 102 PID 4712 wrote to memory of 2924 4712 vpvpp.exe 103 PID 4712 wrote to memory of 2924 4712 vpvpp.exe 103 PID 4712 wrote to memory of 2924 4712 vpvpp.exe 103 PID 2924 wrote to memory of 1596 2924 5ffxfxx.exe 104 PID 2924 wrote to memory of 1596 2924 5ffxfxx.exe 104 PID 2924 wrote to memory of 1596 2924 5ffxfxx.exe 104 PID 1596 wrote to memory of 1736 1596 nbbtnn.exe 105 PID 1596 wrote to memory of 1736 1596 nbbtnn.exe 105 PID 1596 wrote to memory of 1736 1596 nbbtnn.exe 105 PID 1736 wrote to memory of 1524 1736 vjddv.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\90037aa475fe9247c5d8b963358c03bb66ed74810225efb8c3a51e4d573383f4.exe"C:\Users\Admin\AppData\Local\Temp\90037aa475fe9247c5d8b963358c03bb66ed74810225efb8c3a51e4d573383f4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\bntbht.exec:\bntbht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\djpjd.exec:\djpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\pvjvp.exec:\pvjvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\xlfxrrr.exec:\xlfxrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\bnnbnn.exec:\bnnbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\vjvpj.exec:\vjvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\lrrllfx.exec:\lrrllfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\ntbthb.exec:\ntbthb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\djjdv.exec:\djjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\jddvp.exec:\jddvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\xxfrlff.exec:\xxfrlff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\nhtnhb.exec:\nhtnhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\jpvjv.exec:\jpvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\rlxlfxr.exec:\rlxlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\llrrxfl.exec:\llrrxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\tbhbtn.exec:\tbhbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\dddvj.exec:\dddvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\vpvpp.exec:\vpvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\5ffxfxx.exec:\5ffxfxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\nbbtnn.exec:\nbbtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\vjddv.exec:\vjddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe23⤵
- Executes dropped EXE
PID:1524 -
\??\c:\5tnnhb.exec:\5tnnhb.exe24⤵
- Executes dropped EXE
PID:544 -
\??\c:\jdjdv.exec:\jdjdv.exe25⤵
- Executes dropped EXE
PID:4544 -
\??\c:\3frlxxl.exec:\3frlxxl.exe26⤵
- Executes dropped EXE
PID:552 -
\??\c:\xlfxllx.exec:\xlfxllx.exe27⤵
- Executes dropped EXE
PID:2300 -
\??\c:\hntnhb.exec:\hntnhb.exe28⤵
- Executes dropped EXE
PID:4764 -
\??\c:\5ntnbh.exec:\5ntnbh.exe29⤵
- Executes dropped EXE
PID:1228 -
\??\c:\dpdpj.exec:\dpdpj.exe30⤵
- Executes dropped EXE
PID:4416 -
\??\c:\llxxfff.exec:\llxxfff.exe31⤵
- Executes dropped EXE
PID:1692 -
\??\c:\bhtnhh.exec:\bhtnhh.exe32⤵
- Executes dropped EXE
PID:2316 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe33⤵
- Executes dropped EXE
PID:2464 -
\??\c:\nbbtnn.exec:\nbbtnn.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1324 -
\??\c:\3jpjj.exec:\3jpjj.exe35⤵
- Executes dropped EXE
PID:1964 -
\??\c:\lrxrlll.exec:\lrxrlll.exe36⤵
- Executes dropped EXE
PID:744 -
\??\c:\lflrfrf.exec:\lflrfrf.exe37⤵
- Executes dropped EXE
PID:3652 -
\??\c:\htnbbb.exec:\htnbbb.exe38⤵
- Executes dropped EXE
PID:1480 -
\??\c:\hhbthn.exec:\hhbthn.exe39⤵
- Executes dropped EXE
PID:1644 -
\??\c:\vdvpp.exec:\vdvpp.exe40⤵
- Executes dropped EXE
PID:516 -
\??\c:\rxllfxr.exec:\rxllfxr.exe41⤵
- Executes dropped EXE
PID:4860 -
\??\c:\llfrfxr.exec:\llfrfxr.exe42⤵
- Executes dropped EXE
PID:2880 -
\??\c:\hbhbtt.exec:\hbhbtt.exe43⤵
- Executes dropped EXE
PID:4444 -
\??\c:\5vvdj.exec:\5vvdj.exe44⤵
- Executes dropped EXE
PID:2436 -
\??\c:\jddvv.exec:\jddvv.exe45⤵
- Executes dropped EXE
PID:2544 -
\??\c:\lflffxf.exec:\lflffxf.exe46⤵
- Executes dropped EXE
PID:3752 -
\??\c:\xrxlfxr.exec:\xrxlfxr.exe47⤵
- Executes dropped EXE
PID:2240 -
\??\c:\nttnbb.exec:\nttnbb.exe48⤵
- Executes dropped EXE
PID:4460 -
\??\c:\jdpdj.exec:\jdpdj.exe49⤵
- Executes dropped EXE
PID:2224 -
\??\c:\dvvjv.exec:\dvvjv.exe50⤵
- Executes dropped EXE
PID:4848 -
\??\c:\rfrfxlx.exec:\rfrfxlx.exe51⤵
- Executes dropped EXE
PID:1216 -
\??\c:\ffrlrrr.exec:\ffrlrrr.exe52⤵
- Executes dropped EXE
PID:4140 -
\??\c:\tntnhh.exec:\tntnhh.exe53⤵
- Executes dropped EXE
PID:1656 -
\??\c:\nnnhtn.exec:\nnnhtn.exe54⤵
- Executes dropped EXE
PID:2540 -
\??\c:\ppjdv.exec:\ppjdv.exe55⤵
- Executes dropped EXE
PID:2972 -
\??\c:\pjpdv.exec:\pjpdv.exe56⤵
- Executes dropped EXE
PID:2964 -
\??\c:\rlfrllf.exec:\rlfrllf.exe57⤵
- Executes dropped EXE
PID:264 -
\??\c:\5hbbnh.exec:\5hbbnh.exe58⤵
- Executes dropped EXE
PID:4964 -
\??\c:\bthhnn.exec:\bthhnn.exe59⤵
- Executes dropped EXE
PID:3632 -
\??\c:\ppvpp.exec:\ppvpp.exe60⤵
- Executes dropped EXE
PID:1612 -
\??\c:\fllfrrx.exec:\fllfrrx.exe61⤵
- Executes dropped EXE
PID:4940 -
\??\c:\frrlfxr.exec:\frrlfxr.exe62⤵
- Executes dropped EXE
PID:856 -
\??\c:\tttnhn.exec:\tttnhn.exe63⤵
- Executes dropped EXE
PID:4464 -
\??\c:\nnnbbb.exec:\nnnbbb.exe64⤵
- Executes dropped EXE
PID:1364 -
\??\c:\pjpdd.exec:\pjpdd.exe65⤵
- Executes dropped EXE
PID:2340 -
\??\c:\fxxrffx.exec:\fxxrffx.exe66⤵PID:832
-
\??\c:\rxffrll.exec:\rxffrll.exe67⤵PID:3400
-
\??\c:\hbhbhb.exec:\hbhbhb.exe68⤵PID:1472
-
\??\c:\bhbbnh.exec:\bhbbnh.exe69⤵PID:4868
-
\??\c:\pvddj.exec:\pvddj.exe70⤵PID:3596
-
\??\c:\vpjjd.exec:\vpjjd.exe71⤵PID:3972
-
\??\c:\5xxlfxr.exec:\5xxlfxr.exe72⤵PID:1596
-
\??\c:\9bnbbn.exec:\9bnbbn.exe73⤵PID:1996
-
\??\c:\vppjj.exec:\vppjj.exe74⤵PID:1444
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe75⤵PID:3272
-
\??\c:\llllxxf.exec:\llllxxf.exe76⤵PID:2640
-
\??\c:\5bbnhb.exec:\5bbnhb.exe77⤵PID:3164
-
\??\c:\pvvpj.exec:\pvvpj.exe78⤵PID:5104
-
\??\c:\fxlxllf.exec:\fxlxllf.exe79⤵PID:436
-
\??\c:\9xxrlll.exec:\9xxrlll.exe80⤵PID:2276
-
\??\c:\5btnhb.exec:\5btnhb.exe81⤵PID:2248
-
\??\c:\vjvpp.exec:\vjvpp.exe82⤵PID:1588
-
\??\c:\xfxrllf.exec:\xfxrllf.exe83⤵PID:1536
-
\??\c:\nhhhbt.exec:\nhhhbt.exe84⤵PID:696
-
\??\c:\5hnhhh.exec:\5hnhhh.exe85⤵PID:4220
-
\??\c:\jvdvp.exec:\jvdvp.exe86⤵PID:2956
-
\??\c:\vjpdp.exec:\vjpdp.exe87⤵PID:3608
-
\??\c:\xflfrlf.exec:\xflfrlf.exe88⤵PID:4976
-
\??\c:\fxrrllf.exec:\fxrrllf.exe89⤵PID:1720
-
\??\c:\tbbbnn.exec:\tbbbnn.exe90⤵PID:1964
-
\??\c:\jdvpd.exec:\jdvpd.exe91⤵PID:4656
-
\??\c:\ddjpj.exec:\ddjpj.exe92⤵PID:4528
-
\??\c:\xfllffx.exec:\xfllffx.exe93⤵PID:1480
-
\??\c:\rlrrfxx.exec:\rlrrfxx.exe94⤵PID:4284
-
\??\c:\hnbbth.exec:\hnbbth.exe95⤵PID:456
-
\??\c:\bnbtnh.exec:\bnbtnh.exe96⤵PID:4336
-
\??\c:\7jjdv.exec:\7jjdv.exe97⤵PID:5076
-
\??\c:\dvpdv.exec:\dvpdv.exe98⤵PID:1904
-
\??\c:\9ffrffx.exec:\9ffrffx.exe99⤵PID:3724
-
\??\c:\7bhbnh.exec:\7bhbnh.exe100⤵PID:2544
-
\??\c:\9hhbtn.exec:\9hhbtn.exe101⤵PID:2960
-
\??\c:\nhbnbb.exec:\nhbnbb.exe102⤵PID:3592
-
\??\c:\jvpjv.exec:\jvpjv.exe103⤵PID:4256
-
\??\c:\rffxrxx.exec:\rffxrxx.exe104⤵PID:2484
-
\??\c:\rxxrlrr.exec:\rxxrlrr.exe105⤵PID:1608
-
\??\c:\bttnhn.exec:\bttnhn.exe106⤵PID:3504
-
\??\c:\ddpjd.exec:\ddpjd.exe107⤵PID:2784
-
\??\c:\3jpjj.exec:\3jpjj.exe108⤵PID:3912
-
\??\c:\lfxfxlf.exec:\lfxfxlf.exe109⤵PID:2284
-
\??\c:\xrfrlfr.exec:\xrfrlfr.exe110⤵PID:4840
-
\??\c:\hbttnt.exec:\hbttnt.exe111⤵PID:432
-
\??\c:\vpdpv.exec:\vpdpv.exe112⤵PID:220
-
\??\c:\jdddv.exec:\jdddv.exe113⤵PID:4828
-
\??\c:\rlfflxl.exec:\rlfflxl.exe114⤵PID:3208
-
\??\c:\nhtnbt.exec:\nhtnbt.exe115⤵PID:3036
-
\??\c:\tbttnh.exec:\tbttnh.exe116⤵PID:4508
-
\??\c:\ddjvp.exec:\ddjvp.exe117⤵PID:2872
-
\??\c:\pjpjd.exec:\pjpjd.exe118⤵PID:4420
-
\??\c:\fllfxxr.exec:\fllfxxr.exe119⤵PID:4464
-
\??\c:\fllllll.exec:\fllllll.exe120⤵PID:4888
-
\??\c:\7hbbtt.exec:\7hbbtt.exe121⤵PID:2340
-
\??\c:\5dpjp.exec:\5dpjp.exe122⤵PID:832