Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02/11/2024, 22:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe
-
Size
454KB
-
MD5
6c9da21d88244cb781408df9098bb230
-
SHA1
d531aacd9800e304df526c8e8dcad56f18acc9a1
-
SHA256
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3
-
SHA512
167c74891a181137f60fd1ddc9e459fa9618baf7fb01f4cda50a5c727daf9c18325cdb1a6d1c64c42c88485ac1b74dffebde40653b203ab95f6e2ec1685655bf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRa:q7Tc2NYHUrAwfMp3CDRa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/220-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4496-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1548-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-870-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-1124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-1188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1880 nhbnbt.exe 748 pvjjd.exe 3552 pvdpv.exe 2352 tttttt.exe 2276 xxxllrl.exe 2104 nnhbtn.exe 2100 nnbtbh.exe 616 3rxxxfl.exe 1964 bhtbtn.exe 3904 lffxxxx.exe 1944 nnnnnn.exe 2324 bhhbth.exe 1220 3llxlfr.exe 1480 ntnhbt.exe 1368 ddpjp.exe 2340 xrrfxfr.exe 4432 ddppj.exe 3700 rlfrfxr.exe 1300 dddpp.exe 2680 lrxrrrx.exe 3480 bttnhb.exe 1752 bnbbtt.exe 3012 htbttt.exe 2124 3xrrrxx.exe 4496 5tthhn.exe 4460 flxrrrr.exe 2836 hbhbbb.exe 1208 nhbbhb.exe 3064 xfxlfrl.exe 2456 btttbb.exe 2044 vvvvv.exe 4380 pjddv.exe 4288 7tbtnn.exe 2308 dddjd.exe 4728 xxrfrfr.exe 748 xxfxrrl.exe 232 nbnhtt.exe 2976 9pjdj.exe 5024 xfllrrl.exe 4352 tntthh.exe 3248 nbnnnt.exe 1304 rrlllll.exe 3368 rrrrrll.exe 3336 btbbtb.exe 1952 5lxrllx.exe 3320 1vjjd.exe 452 rxlffxf.exe 2332 hhhbht.exe 4056 djdjv.exe 2592 rxxfxfr.exe 1684 hhbnbt.exe 5084 jppdv.exe 2224 3frrxrx.exe 2508 bhhhhn.exe 2200 9pdvv.exe 4232 rlxxxxx.exe 4484 bnbtbb.exe 3280 7dddd.exe 1240 fxfxxrr.exe 3108 tbnthh.exe 5000 pvddd.exe 1068 xxffxfx.exe 1548 bnnhnh.exe 4816 pdddp.exe -
resource yara_rule behavioral2/memory/220-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2836-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-334-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2936-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-931-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 220 wrote to memory of 1880 220 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 84 PID 220 wrote to memory of 1880 220 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 84 PID 220 wrote to memory of 1880 220 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 84 PID 1880 wrote to memory of 748 1880 nhbnbt.exe 85 PID 1880 wrote to memory of 748 1880 nhbnbt.exe 85 PID 1880 wrote to memory of 748 1880 nhbnbt.exe 85 PID 748 wrote to memory of 3552 748 pvjjd.exe 86 PID 748 wrote to memory of 3552 748 pvjjd.exe 86 PID 748 wrote to memory of 3552 748 pvjjd.exe 86 PID 3552 wrote to memory of 2352 3552 pvdpv.exe 87 PID 3552 wrote to memory of 2352 3552 pvdpv.exe 87 PID 3552 wrote to memory of 2352 3552 pvdpv.exe 87 PID 2352 wrote to memory of 2276 2352 tttttt.exe 88 PID 2352 wrote to memory of 2276 2352 tttttt.exe 88 PID 2352 wrote to memory of 2276 2352 tttttt.exe 88 PID 2276 wrote to memory of 2104 2276 xxxllrl.exe 89 PID 2276 wrote to memory of 2104 2276 xxxllrl.exe 89 PID 2276 wrote to memory of 2104 2276 xxxllrl.exe 89 PID 2104 wrote to memory of 2100 2104 nnhbtn.exe 91 PID 2104 wrote to memory of 2100 2104 nnhbtn.exe 91 PID 2104 wrote to memory of 2100 2104 nnhbtn.exe 91 PID 2100 wrote to memory of 616 2100 nnbtbh.exe 92 PID 2100 wrote to memory of 616 2100 nnbtbh.exe 92 PID 2100 wrote to memory of 616 2100 nnbtbh.exe 92 PID 616 wrote to memory of 1964 616 3rxxxfl.exe 93 PID 616 wrote to memory of 1964 616 3rxxxfl.exe 93 PID 616 wrote to memory of 1964 616 3rxxxfl.exe 93 PID 1964 wrote to memory of 3904 1964 bhtbtn.exe 94 PID 1964 wrote to memory of 3904 1964 bhtbtn.exe 94 PID 1964 wrote to memory of 3904 1964 bhtbtn.exe 94 PID 3904 wrote to memory of 1944 3904 lffxxxx.exe 95 PID 3904 wrote to memory of 1944 3904 lffxxxx.exe 95 PID 3904 wrote to memory of 1944 3904 lffxxxx.exe 95 PID 1944 wrote to memory of 2324 1944 nnnnnn.exe 96 PID 1944 wrote to memory of 2324 1944 
nnnnnn.exe 96 PID 1944 wrote to memory of 2324 1944 nnnnnn.exe 96 PID 2324 wrote to memory of 1220 2324 bhhbth.exe 97 PID 2324 wrote to memory of 1220 2324 bhhbth.exe 97 PID 2324 wrote to memory of 1220 2324 bhhbth.exe 97 PID 1220 wrote to memory of 1480 1220 3llxlfr.exe 98 PID 1220 wrote to memory of 1480 1220 3llxlfr.exe 98 PID 1220 wrote to memory of 1480 1220 3llxlfr.exe 98 PID 1480 wrote to memory of 1368 1480 ntnhbt.exe 99 PID 1480 wrote to memory of 1368 1480 ntnhbt.exe 99 PID 1480 wrote to memory of 1368 1480 ntnhbt.exe 99 PID 1368 wrote to memory of 2340 1368 ddpjp.exe 100 PID 1368 wrote to memory of 2340 1368 ddpjp.exe 100 PID 1368 wrote to memory of 2340 1368 ddpjp.exe 100 PID 2340 wrote to memory of 4432 2340 xrrfxfr.exe 101 PID 2340 wrote to memory of 4432 2340 xrrfxfr.exe 101 PID 2340 wrote to memory of 4432 2340 xrrfxfr.exe 101 PID 4432 wrote to memory of 3700 4432 ddppj.exe 102 PID 4432 wrote to memory of 3700 4432 ddppj.exe 102 PID 4432 wrote to memory of 3700 4432 ddppj.exe 102 PID 3700 wrote to memory of 1300 3700 rlfrfxr.exe 103 PID 3700 wrote to memory of 1300 3700 rlfrfxr.exe 103 PID 3700 wrote to memory of 1300 3700 rlfrfxr.exe 103 PID 1300 wrote to memory of 2680 1300 dddpp.exe 104 PID 1300 wrote to memory of 2680 1300 dddpp.exe 104 PID 1300 wrote to memory of 2680 1300 dddpp.exe 104 PID 2680 wrote to memory of 3480 2680 lrxrrrx.exe 105 PID 2680 wrote to memory of 3480 2680 lrxrrrx.exe 105 PID 2680 wrote to memory of 3480 2680 lrxrrrx.exe 105 PID 3480 wrote to memory of 1752 3480 bttnhb.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe"C:\Users\Admin\AppData\Local\Temp\4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\nhbnbt.exec:\nhbnbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\pvjjd.exec:\pvjjd.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\pvdpv.exec:\pvdpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\tttttt.exec:\tttttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\xxxllrl.exec:\xxxllrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\nnhbtn.exec:\nnhbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\nnbtbh.exec:\nnbtbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\3rxxxfl.exec:\3rxxxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\bhtbtn.exec:\bhtbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\lffxxxx.exec:\lffxxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\nnnnnn.exec:\nnnnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\bhhbth.exec:\bhhbth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\3llxlfr.exec:\3llxlfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\ntnhbt.exec:\ntnhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\ddpjp.exec:\ddpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\xrrfxfr.exec:\xrrfxfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\ddppj.exec:\ddppj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\rlfrfxr.exec:\rlfrfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\dddpp.exec:\dddpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\lrxrrrx.exec:\lrxrrrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\bttnhb.exec:\bttnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\bnbbtt.exec:\bnbbtt.exe23⤵
- Executes dropped EXE
PID:1752 -
\??\c:\htbttt.exec:\htbttt.exe24⤵
- Executes dropped EXE
PID:3012 -
\??\c:\3xrrrxx.exec:\3xrrrxx.exe25⤵
- Executes dropped EXE
PID:2124 -
\??\c:\5tthhn.exec:\5tthhn.exe26⤵
- Executes dropped EXE
PID:4496 -
\??\c:\flxrrrr.exec:\flxrrrr.exe27⤵
- Executes dropped EXE
PID:4460 -
\??\c:\hbhbbb.exec:\hbhbbb.exe28⤵
- Executes dropped EXE
PID:2836 -
\??\c:\nhbbhb.exec:\nhbbhb.exe29⤵
- Executes dropped EXE
PID:1208 -
\??\c:\xfxlfrl.exec:\xfxlfrl.exe30⤵
- Executes dropped EXE
PID:3064 -
\??\c:\btttbb.exec:\btttbb.exe31⤵
- Executes dropped EXE
PID:2456 -
\??\c:\vvvvv.exec:\vvvvv.exe32⤵
- Executes dropped EXE
PID:2044 -
\??\c:\pjddv.exec:\pjddv.exe33⤵
- Executes dropped EXE
PID:4380 -
\??\c:\7tbtnn.exec:\7tbtnn.exe34⤵
- Executes dropped EXE
PID:4288 -
\??\c:\dddjd.exec:\dddjd.exe35⤵
- Executes dropped EXE
PID:2308 -
\??\c:\xxrfrfr.exec:\xxrfrfr.exe36⤵
- Executes dropped EXE
PID:4728 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe37⤵
- Executes dropped EXE
PID:748 -
\??\c:\nbnhtt.exec:\nbnhtt.exe38⤵
- Executes dropped EXE
PID:232 -
\??\c:\9pjdj.exec:\9pjdj.exe39⤵
- Executes dropped EXE
PID:2976 -
\??\c:\xfllrrl.exec:\xfllrrl.exe40⤵
- Executes dropped EXE
PID:5024 -
\??\c:\tntthh.exec:\tntthh.exe41⤵
- Executes dropped EXE
PID:4352 -
\??\c:\nbnnnt.exec:\nbnnnt.exe42⤵
- Executes dropped EXE
PID:3248 -
\??\c:\rrlllll.exec:\rrlllll.exe43⤵
- Executes dropped EXE
PID:1304 -
\??\c:\rrrrrll.exec:\rrrrrll.exe44⤵
- Executes dropped EXE
PID:3368 -
\??\c:\btbbtb.exec:\btbbtb.exe45⤵
- Executes dropped EXE
PID:3336 -
\??\c:\5lxrllx.exec:\5lxrllx.exe46⤵
- Executes dropped EXE
PID:1952 -
\??\c:\1vjjd.exec:\1vjjd.exe47⤵
- Executes dropped EXE
PID:3320 -
\??\c:\rxlffxf.exec:\rxlffxf.exe48⤵
- Executes dropped EXE
PID:452 -
\??\c:\hhhbht.exec:\hhhbht.exe49⤵
- Executes dropped EXE
PID:2332 -
\??\c:\djdjv.exec:\djdjv.exe50⤵
- Executes dropped EXE
PID:4056 -
\??\c:\rxxfxfr.exec:\rxxfxfr.exe51⤵
- Executes dropped EXE
PID:2592 -
\??\c:\hhbnbt.exec:\hhbnbt.exe52⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jppdv.exec:\jppdv.exe53⤵
- Executes dropped EXE
PID:5084 -
\??\c:\3frrxrx.exec:\3frrxrx.exe54⤵
- Executes dropped EXE
PID:2224 -
\??\c:\bhhhhn.exec:\bhhhhn.exe55⤵
- Executes dropped EXE
PID:2508 -
\??\c:\9pdvv.exec:\9pdvv.exe56⤵
- Executes dropped EXE
PID:2200 -
\??\c:\rlxxxxx.exec:\rlxxxxx.exe57⤵
- Executes dropped EXE
PID:4232 -
\??\c:\bnbtbb.exec:\bnbtbb.exe58⤵
- Executes dropped EXE
PID:4484 -
\??\c:\7dddd.exec:\7dddd.exe59⤵
- Executes dropped EXE
PID:3280 -
\??\c:\fxfxxrr.exec:\fxfxxrr.exe60⤵
- Executes dropped EXE
PID:1240 -
\??\c:\tbnthh.exec:\tbnthh.exe61⤵
- Executes dropped EXE
PID:3108 -
\??\c:\pvddd.exec:\pvddd.exe62⤵
- Executes dropped EXE
PID:5000 -
\??\c:\xxffxfx.exec:\xxffxfx.exe63⤵
- Executes dropped EXE
PID:1068 -
\??\c:\bnnhnh.exec:\bnnhnh.exe64⤵
- Executes dropped EXE
PID:1548 -
\??\c:\pdddp.exec:\pdddp.exe65⤵
- Executes dropped EXE
PID:4816 -
\??\c:\rflffxx.exec:\rflffxx.exe66⤵PID:3260
-
\??\c:\ttbttt.exec:\ttbttt.exe67⤵PID:432
-
\??\c:\ddjdd.exec:\ddjdd.exe68⤵PID:1780
-
\??\c:\lflrlrr.exec:\lflrlrr.exe69⤵PID:4460
-
\??\c:\htthnt.exec:\htthnt.exe70⤵PID:2112
-
\??\c:\vdpjj.exec:\vdpjj.exe71⤵PID:4696
-
\??\c:\jvdjd.exec:\jvdjd.exe72⤵PID:4468
-
\??\c:\flllrxl.exec:\flllrxl.exe73⤵PID:4152
-
\??\c:\3nhbbb.exec:\3nhbbb.exe74⤵
- System Location Discovery: System Language Discovery
PID:2456 -
\??\c:\7vdvv.exec:\7vdvv.exe75⤵PID:4412
-
\??\c:\vvdvp.exec:\vvdvp.exe76⤵PID:2936
-
\??\c:\7lrrxfl.exec:\7lrrxfl.exe77⤵PID:4788
-
\??\c:\hnhhbb.exec:\hnhhbb.exe78⤵PID:3124
-
\??\c:\jvdvp.exec:\jvdvp.exe79⤵PID:3672
-
\??\c:\3rlfxxr.exec:\3rlfxxr.exe80⤵PID:2424
-
\??\c:\nhttnb.exec:\nhttnb.exe81⤵PID:2096
-
\??\c:\jpvvp.exec:\jpvvp.exe82⤵PID:4616
-
\??\c:\ddjdv.exec:\ddjdv.exe83⤵PID:632
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe84⤵PID:4116
-
\??\c:\ppjjj.exec:\ppjjj.exe85⤵PID:1952
-
\??\c:\flrlrrr.exec:\flrlrrr.exe86⤵PID:1944
-
\??\c:\nttnhh.exec:\nttnhh.exe87⤵PID:3576
-
\??\c:\nhbntt.exec:\nhbntt.exe88⤵PID:1096
-
\??\c:\ppvvd.exec:\ppvvd.exe89⤵PID:3492
-
\??\c:\5frlfxr.exec:\5frlfxr.exe90⤵PID:1196
-
\??\c:\tbhbnn.exec:\tbhbnn.exe91⤵PID:2640
-
\??\c:\pjpjj.exec:\pjpjj.exe92⤵PID:4564
-
\??\c:\fxlxlrl.exec:\fxlxlrl.exe93⤵PID:4188
-
\??\c:\xrxrrlf.exec:\xrxrrlf.exe94⤵PID:3952
-
\??\c:\btnnnh.exec:\btnnnh.exe95⤵PID:1256
-
\??\c:\ddvdv.exec:\ddvdv.exe96⤵PID:2376
-
\??\c:\5rrlfxx.exec:\5rrlfxx.exe97⤵PID:2648
-
\??\c:\7bhhnn.exec:\7bhhnn.exe98⤵PID:2964
-
\??\c:\jjjjj.exec:\jjjjj.exe99⤵PID:4872
-
\??\c:\rffffxl.exec:\rffffxl.exe100⤵PID:2084
-
\??\c:\btttnt.exec:\btttnt.exe101⤵PID:2188
-
\??\c:\bhnnnt.exec:\bhnnnt.exe102⤵PID:2036
-
\??\c:\jdppj.exec:\jdppj.exe103⤵PID:2612
-
\??\c:\1rxxrxf.exec:\1rxxrxf.exe104⤵PID:2596
-
\??\c:\tbnhhn.exec:\tbnhhn.exe105⤵PID:4856
-
\??\c:\jjvvp.exec:\jjvvp.exe106⤵PID:4256
-
\??\c:\pdddd.exec:\pdddd.exe107⤵PID:1788
-
\??\c:\frfxfxx.exec:\frfxfxx.exe108⤵PID:2836
-
\??\c:\nhhbtt.exec:\nhhbtt.exe109⤵PID:3696
-
\??\c:\vjjdv.exec:\vjjdv.exe110⤵PID:3064
-
\??\c:\dvdjj.exec:\dvdjj.exe111⤵
- System Location Discovery: System Language Discovery
PID:2992 -
\??\c:\fflfxxl.exec:\fflfxxl.exe112⤵PID:3296
-
\??\c:\bhhnhh.exec:\bhhnhh.exe113⤵PID:4808
-
\??\c:\vvjdv.exec:\vvjdv.exe114⤵PID:3888
-
\??\c:\lflffff.exec:\lflffff.exe115⤵PID:4400
-
\??\c:\ntbttn.exec:\ntbttn.exe116⤵PID:1156
-
\??\c:\bbnhhb.exec:\bbnhhb.exe117⤵PID:748
-
\??\c:\vjvdj.exec:\vjvdj.exe118⤵PID:3204
-
\??\c:\1xrrlxr.exec:\1xrrlxr.exe119⤵PID:2424
-
\??\c:\hhhhhh.exec:\hhhhhh.exe120⤵PID:1184
-
\??\c:\9pjdd.exec:\9pjdd.exe121⤵PID:4616
-
\??\c:\frrrllf.exec:\frrrllf.exe122⤵PID:972