Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/10/2024, 18:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe
-
Size
453KB
-
MD5
a91b92359fd518957432a6c721c0c6e9
-
SHA1
1dc08c771b2f34287ff035903c9a45c6c0fe49d3
-
SHA256
124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724
-
SHA512
cda5e453c799d4e76477c2813a82384d10e7d45fabd39bf1a95edfe72ecda81f4329c23f1d8b0321c7fbf922ecf79fb4c0e5ef9f402ea20d05e9c55f9df4fc83
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1836-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1756-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2684-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-893-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-955-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-1153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2936-1421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1836 rrfllrr.exe 1156 nbbtnt.exe 1492 ddjdv.exe 1184 vpvpp.exe 4416 nbhbbb.exe 2872 3pjjj.exe 5116 rffxxxr.exe 3940 bhthhh.exe 2040 xxlrlxr.exe 4976 pjjjj.exe 1172 nbnhbh.exe 1136 ppjdv.exe 4252 fxllflf.exe 2828 rrrlffx.exe 2912 tbhhhn.exe 3432 pppjd.exe 3908 fxlxflx.exe 1784 ddjjj.exe 5024 lxxxllf.exe 3404 jvvpj.exe 2728 nhbnbh.exe 2300 frfrlll.exe 4396 bbtnhh.exe 2320 vpjpp.exe 4168 rlrrllf.exe 3828 9djjp.exe 3216 nntnbh.exe 1636 jdvvv.exe 4624 fxfxxxf.exe 1756 vvdjp.exe 552 dpvvj.exe 1860 ttbbbb.exe 1124 flxxxff.exe 4972 xfxrrxx.exe 3736 tnnhnt.exe 5012 xrxrlfx.exe 4740 jdvjp.exe 4860 rrxrrrl.exe 1364 bthbhb.exe 440 ddvpj.exe 3496 rlxfxlf.exe 856 xrlfxrl.exe 1156 tnbhnb.exe 2636 flrlfxr.exe 2164 tnttth.exe 3212 bbhhbh.exe 1564 pvdvj.exe 1576 fxxrrlr.exe 5088 nnnhbb.exe 3476 dvvvp.exe 4244 rxflxlf.exe 1988 1bnhtt.exe 4032 bbhntb.exe 3616 vvpvj.exe 1456 lxxxrrx.exe 2604 hhthbh.exe 1844 7hnntt.exe 4628 jddvv.exe 2120 frrlffx.exe 2912 1htnhh.exe 2516 3vvdv.exe 2800 jpvvp.exe 3660 3lrlffx.exe 2708 bnbtnn.exe -
resource yara_rule behavioral2/memory/1156-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1124-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-378-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4416-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-736-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 1836 2108 124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe 86 PID 2108 wrote to memory of 1836 2108 124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe 86 PID 2108 wrote to memory of 1836 2108 124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe 86 PID 1836 wrote to memory of 1156 1836 rrfllrr.exe 87 PID 1836 wrote to memory of 1156 1836 rrfllrr.exe 87 PID 1836 wrote to memory of 1156 1836 rrfllrr.exe 87 PID 1156 wrote to memory of 1492 1156 nbbtnt.exe 88 PID 1156 wrote to memory of 1492 1156 nbbtnt.exe 88 PID 1156 wrote to memory of 1492 1156 nbbtnt.exe 88 PID 1492 wrote to memory of 1184 1492 ddjdv.exe 89 PID 1492 wrote to memory of 1184 1492 ddjdv.exe 89 PID 1492 wrote to memory of 1184 1492 ddjdv.exe 89 PID 1184 wrote to memory of 4416 1184 vpvpp.exe 90 PID 1184 wrote to memory of 4416 1184 vpvpp.exe 90 PID 1184 wrote to memory of 4416 1184 vpvpp.exe 90 PID 4416 wrote to memory of 2872 4416 nbhbbb.exe 91 PID 4416 wrote to memory of 2872 4416 nbhbbb.exe 91 PID 4416 wrote to memory of 2872 4416 nbhbbb.exe 91 PID 2872 wrote to memory of 5116 2872 3pjjj.exe 92 PID 2872 wrote to memory of 5116 2872 3pjjj.exe 92 PID 2872 wrote to memory of 5116 2872 3pjjj.exe 92 PID 5116 wrote to memory of 3940 5116 rffxxxr.exe 93 PID 5116 wrote to memory of 3940 5116 rffxxxr.exe 93 PID 5116 wrote to memory of 3940 5116 rffxxxr.exe 93 PID 3940 wrote to memory of 2040 3940 bhthhh.exe 94 PID 3940 wrote to memory of 2040 3940 bhthhh.exe 94 PID 3940 wrote to memory of 2040 3940 bhthhh.exe 94 PID 2040 wrote to memory of 4976 2040 xxlrlxr.exe 95 PID 2040 wrote to memory of 4976 2040 xxlrlxr.exe 95 PID 2040 wrote to memory of 4976 2040 xxlrlxr.exe 95 PID 4976 wrote to memory of 1172 4976 pjjjj.exe 96 PID 4976 wrote to memory of 1172 4976 pjjjj.exe 96 PID 4976 wrote to memory of 1172 4976 pjjjj.exe 96 PID 1172 wrote to memory of 1136 1172 nbnhbh.exe 98 PID 1172 wrote to 
memory of 1136 1172 nbnhbh.exe 98 PID 1172 wrote to memory of 1136 1172 nbnhbh.exe 98 PID 1136 wrote to memory of 4252 1136 ppjdv.exe 99 PID 1136 wrote to memory of 4252 1136 ppjdv.exe 99 PID 1136 wrote to memory of 4252 1136 ppjdv.exe 99 PID 4252 wrote to memory of 2828 4252 fxllflf.exe 100 PID 4252 wrote to memory of 2828 4252 fxllflf.exe 100 PID 4252 wrote to memory of 2828 4252 fxllflf.exe 100 PID 2828 wrote to memory of 2912 2828 rrrlffx.exe 102 PID 2828 wrote to memory of 2912 2828 rrrlffx.exe 102 PID 2828 wrote to memory of 2912 2828 rrrlffx.exe 102 PID 2912 wrote to memory of 3432 2912 tbhhhn.exe 103 PID 2912 wrote to memory of 3432 2912 tbhhhn.exe 103 PID 2912 wrote to memory of 3432 2912 tbhhhn.exe 103 PID 3432 wrote to memory of 3908 3432 pppjd.exe 104 PID 3432 wrote to memory of 3908 3432 pppjd.exe 104 PID 3432 wrote to memory of 3908 3432 pppjd.exe 104 PID 3908 wrote to memory of 1784 3908 fxlxflx.exe 105 PID 3908 wrote to memory of 1784 3908 fxlxflx.exe 105 PID 3908 wrote to memory of 1784 3908 fxlxflx.exe 105 PID 1784 wrote to memory of 5024 1784 ddjjj.exe 106 PID 1784 wrote to memory of 5024 1784 ddjjj.exe 106 PID 1784 wrote to memory of 5024 1784 ddjjj.exe 106 PID 5024 wrote to memory of 3404 5024 lxxxllf.exe 107 PID 5024 wrote to memory of 3404 5024 lxxxllf.exe 107 PID 5024 wrote to memory of 3404 5024 lxxxllf.exe 107 PID 3404 wrote to memory of 2728 3404 jvvpj.exe 109 PID 3404 wrote to memory of 2728 3404 jvvpj.exe 109 PID 3404 wrote to memory of 2728 3404 jvvpj.exe 109 PID 2728 wrote to memory of 2300 2728 nhbnbh.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe"C:\Users\Admin\AppData\Local\Temp\124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\rrfllrr.exec:\rrfllrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\nbbtnt.exec:\nbbtnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\ddjdv.exec:\ddjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\vpvpp.exec:\vpvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\nbhbbb.exec:\nbhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\3pjjj.exec:\3pjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\rffxxxr.exec:\rffxxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\bhthhh.exec:\bhthhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\xxlrlxr.exec:\xxlrlxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\pjjjj.exec:\pjjjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\nbnhbh.exec:\nbnhbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\ppjdv.exec:\ppjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\fxllflf.exec:\fxllflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\rrrlffx.exec:\rrrlffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\tbhhhn.exec:\tbhhhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\pppjd.exec:\pppjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\fxlxflx.exec:\fxlxflx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\ddjjj.exec:\ddjjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\lxxxllf.exec:\lxxxllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\jvvpj.exec:\jvvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\nhbnbh.exec:\nhbnbh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\frfrlll.exec:\frfrlll.exe23⤵
- Executes dropped EXE
PID:2300 -
\??\c:\bbtnhh.exec:\bbtnhh.exe24⤵
- Executes dropped EXE
PID:4396 -
\??\c:\vpjpp.exec:\vpjpp.exe25⤵
- Executes dropped EXE
PID:2320 -
\??\c:\rlrrllf.exec:\rlrrllf.exe26⤵
- Executes dropped EXE
PID:4168 -
\??\c:\9djjp.exec:\9djjp.exe27⤵
- Executes dropped EXE
PID:3828 -
\??\c:\nntnbh.exec:\nntnbh.exe28⤵
- Executes dropped EXE
PID:3216 -
\??\c:\jdvvv.exec:\jdvvv.exe29⤵
- Executes dropped EXE
PID:1636 -
\??\c:\fxfxxxf.exec:\fxfxxxf.exe30⤵
- Executes dropped EXE
PID:4624 -
\??\c:\vvdjp.exec:\vvdjp.exe31⤵
- Executes dropped EXE
PID:1756 -
\??\c:\dpvvj.exec:\dpvvj.exe32⤵
- Executes dropped EXE
PID:552 -
\??\c:\ttbbbb.exec:\ttbbbb.exe33⤵
- Executes dropped EXE
PID:1860 -
\??\c:\flxxxff.exec:\flxxxff.exe34⤵
- Executes dropped EXE
PID:1124 -
\??\c:\xfxrrxx.exec:\xfxrrxx.exe35⤵
- Executes dropped EXE
PID:4972 -
\??\c:\tnnhnt.exec:\tnnhnt.exe36⤵
- Executes dropped EXE
PID:3736 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe37⤵
- Executes dropped EXE
PID:5012 -
\??\c:\jdvjp.exec:\jdvjp.exe38⤵
- Executes dropped EXE
PID:4740 -
\??\c:\rrxrrrl.exec:\rrxrrrl.exe39⤵
- Executes dropped EXE
PID:4860 -
\??\c:\bthbhb.exec:\bthbhb.exe40⤵
- Executes dropped EXE
PID:1364 -
\??\c:\ddvpj.exec:\ddvpj.exe41⤵
- Executes dropped EXE
PID:440 -
\??\c:\rlxfxlf.exec:\rlxfxlf.exe42⤵
- Executes dropped EXE
PID:3496 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe43⤵
- Executes dropped EXE
PID:856 -
\??\c:\tnbhnb.exec:\tnbhnb.exe44⤵
- Executes dropped EXE
PID:1156 -
\??\c:\flrlfxr.exec:\flrlfxr.exe45⤵
- Executes dropped EXE
PID:2636 -
\??\c:\tnttth.exec:\tnttth.exe46⤵
- Executes dropped EXE
PID:2164 -
\??\c:\bbhhbh.exec:\bbhhbh.exe47⤵
- Executes dropped EXE
PID:3212 -
\??\c:\pvdvj.exec:\pvdvj.exe48⤵
- Executes dropped EXE
PID:1564 -
\??\c:\fxxrrlr.exec:\fxxrrlr.exe49⤵
- Executes dropped EXE
PID:1576 -
\??\c:\nnnhbb.exec:\nnnhbb.exe50⤵
- Executes dropped EXE
PID:5088 -
\??\c:\dvvvp.exec:\dvvvp.exe51⤵
- Executes dropped EXE
PID:3476 -
\??\c:\rxflxlf.exec:\rxflxlf.exe52⤵
- Executes dropped EXE
PID:4244 -
\??\c:\1bnhtt.exec:\1bnhtt.exe53⤵
- Executes dropped EXE
PID:1988 -
\??\c:\bbhntb.exec:\bbhntb.exe54⤵
- Executes dropped EXE
PID:4032 -
\??\c:\vvpvj.exec:\vvpvj.exe55⤵
- Executes dropped EXE
PID:3616 -
\??\c:\lxxxrrx.exec:\lxxxrrx.exe56⤵
- Executes dropped EXE
PID:1456 -
\??\c:\hhthbh.exec:\hhthbh.exe57⤵
- Executes dropped EXE
PID:2604 -
\??\c:\7hnntt.exec:\7hnntt.exe58⤵
- Executes dropped EXE
PID:1844 -
\??\c:\jddvv.exec:\jddvv.exe59⤵
- Executes dropped EXE
PID:4628 -
\??\c:\frrlffx.exec:\frrlffx.exe60⤵
- Executes dropped EXE
PID:2120 -
\??\c:\1htnhh.exec:\1htnhh.exe61⤵
- Executes dropped EXE
PID:2912 -
\??\c:\3vvdv.exec:\3vvdv.exe62⤵
- Executes dropped EXE
PID:2516 -
\??\c:\jpvvp.exec:\jpvvp.exe63⤵
- Executes dropped EXE
PID:2800 -
\??\c:\3lrlffx.exec:\3lrlffx.exe64⤵
- Executes dropped EXE
PID:3660 -
\??\c:\bnbtnn.exec:\bnbtnn.exe65⤵
- Executes dropped EXE
PID:2708 -
\??\c:\vpvpv.exec:\vpvpv.exe66⤵PID:1676
-
\??\c:\xxfffff.exec:\xxfffff.exe67⤵PID:3744
-
\??\c:\ntbnht.exec:\ntbnht.exe68⤵PID:3080
-
\??\c:\pdjjv.exec:\pdjjv.exe69⤵PID:2748
-
\??\c:\lfrlffr.exec:\lfrlffr.exe70⤵PID:4116
-
\??\c:\3llllll.exec:\3llllll.exe71⤵PID:3316
-
\??\c:\tbnnnt.exec:\tbnnnt.exe72⤵PID:1936
-
\??\c:\ppjpj.exec:\ppjpj.exe73⤵PID:1580
-
\??\c:\7rrrlrl.exec:\7rrrlrl.exe74⤵PID:2244
-
\??\c:\nhhbtn.exec:\nhhbtn.exe75⤵PID:2176
-
\??\c:\1pppj.exec:\1pppj.exe76⤵PID:3020
-
\??\c:\3lrllll.exec:\3lrllll.exe77⤵PID:3828
-
\??\c:\5lrlfxr.exec:\5lrlfxr.exe78⤵PID:3216
-
\??\c:\httnbb.exec:\httnbb.exe79⤵PID:2684
-
\??\c:\1djdj.exec:\1djdj.exe80⤵PID:3912
-
\??\c:\rfrfxlx.exec:\rfrfxlx.exe81⤵PID:4608
-
\??\c:\5hbbtn.exec:\5hbbtn.exe82⤵PID:4680
-
\??\c:\dvdvp.exec:\dvdvp.exe83⤵PID:3848
-
\??\c:\xxrrrrl.exec:\xxrrrrl.exe84⤵PID:1124
-
\??\c:\flfxrxf.exec:\flfxrxf.exe85⤵PID:4868
-
\??\c:\3ttbtt.exec:\3ttbtt.exe86⤵PID:3736
-
\??\c:\jdvpj.exec:\jdvpj.exe87⤵PID:3632
-
\??\c:\ffllfrr.exec:\ffllfrr.exe88⤵PID:1572
-
\??\c:\thnhhb.exec:\thnhhb.exe89⤵PID:4476
-
\??\c:\pjppp.exec:\pjppp.exe90⤵PID:2456
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe91⤵PID:1924
-
\??\c:\fffxflr.exec:\fffxflr.exe92⤵PID:2680
-
\??\c:\hbnbnh.exec:\hbnbnh.exe93⤵PID:1404
-
\??\c:\vjjdv.exec:\vjjdv.exe94⤵PID:4712
-
\??\c:\rllflll.exec:\rllflll.exe95⤵PID:452
-
\??\c:\7nbbtb.exec:\7nbbtb.exe96⤵PID:2648
-
\??\c:\nhbnbt.exec:\nhbnbt.exe97⤵PID:3612
-
\??\c:\xfrrllr.exec:\xfrrllr.exe98⤵PID:4416
-
\??\c:\tthhhh.exec:\tthhhh.exe99⤵PID:4848
-
\??\c:\ddddd.exec:\ddddd.exe100⤵PID:400
-
\??\c:\1xxrrrl.exec:\1xxrrrl.exe101⤵PID:4768
-
\??\c:\lrlxxlf.exec:\lrlxxlf.exe102⤵PID:2356
-
\??\c:\bbttbh.exec:\bbttbh.exe103⤵PID:3812
-
\??\c:\jvvpj.exec:\jvvpj.exe104⤵PID:1268
-
\??\c:\lxflrfl.exec:\lxflrfl.exe105⤵PID:4164
-
\??\c:\9httbb.exec:\9httbb.exe106⤵PID:3548
-
\??\c:\tbhbbt.exec:\tbhbbt.exe107⤵
- System Location Discovery: System Language Discovery
PID:2028 -
\??\c:\vdjjv.exec:\vdjjv.exe108⤵PID:1844
-
\??\c:\llffflf.exec:\llffflf.exe109⤵PID:2940
-
\??\c:\1nnnnt.exec:\1nnnnt.exe110⤵PID:4092
-
\??\c:\1vjdv.exec:\1vjdv.exe111⤵PID:2936
-
\??\c:\pdppp.exec:\pdppp.exe112⤵PID:832
-
\??\c:\lfrlllx.exec:\lfrlllx.exe113⤵PID:1512
-
\??\c:\ttnnnt.exec:\ttnnnt.exe114⤵PID:3080
-
\??\c:\9vjdv.exec:\9vjdv.exe115⤵PID:4776
-
\??\c:\ffrrlrr.exec:\ffrrlrr.exe116⤵PID:1584
-
\??\c:\btnnhb.exec:\btnnhb.exe117⤵PID:3096
-
\??\c:\hnhhbb.exec:\hnhhbb.exe118⤵PID:3184
-
\??\c:\xrfxxxx.exec:\xrfxxxx.exe119⤵PID:1580
-
\??\c:\lfxxxrr.exec:\lfxxxrr.exe120⤵PID:712
-
\??\c:\nhnnhb.exec:\nhnnhb.exe121⤵PID:3936
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe122⤵PID:3588