Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 05:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e24b075a5b7bebfb4c57cca053a67987e7adcf15b77d528310c48b5769adf47a.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
e24b075a5b7bebfb4c57cca053a67987e7adcf15b77d528310c48b5769adf47a.exe
-
Size
455KB
-
MD5
0aeffe07199f294834e42244c32f75e4
-
SHA1
aed594d1350867a5f01868ec75a0842d7b28e613
-
SHA256
e24b075a5b7bebfb4c57cca053a67987e7adcf15b77d528310c48b5769adf47a
-
SHA512
5cbca73e396e54940cd6f0773756e09f5fc3e1e1857ce41a8181e91284441fa1c0f246d5ffc37070c453cefea6ccd9151ffbdc4ac2b10845f033b938cbb08235
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4476-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3136-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2824-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-1144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2460-1450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 404 nbhnnh.exe 3044 llffxff.exe 3184 3hbbtb.exe 1264 tnnnhh.exe 1912 fxrlllf.exe 1416 tntbbb.exe 4012 pjjpp.exe 2452 nhbtnh.exe 2288 vvppj.exe 4964 nnhbnn.exe 4688 vpvpv.exe 2328 tbbtnh.exe 944 jjjdd.exe 1272 nthbnn.exe 2540 hbbtnn.exe 2704 jjdvp.exe 4540 vvdvp.exe 4280 9rxxxlx.exe 3668 hbhhnn.exe 3048 pjpdd.exe 4460 btttnn.exe 1996 7vvpv.exe 1780 jddvj.exe 212 1rrlfxr.exe 3136 bntnhh.exe 824 lflrllr.exe 2128 jppvv.exe 4984 frrlfxx.exe 3696 vjjjd.exe 3420 rllffff.exe 4420 5ttnhb.exe 1752 llrlrxf.exe 1420 3tnhbb.exe 2612 pdjdd.exe 1496 rrffxlf.exe 1256 bhhbtt.exe 2164 jppjv.exe 5020 bhnnhh.exe 3032 pddpd.exe 4880 fxxrlff.exe 4288 5xxrlrr.exe 4276 ntthbt.exe 3564 1dddv.exe 388 9xfrrrx.exe 3968 hhthnb.exe 4776 bhthbh.exe 448 dpdpv.exe 1200 llrlxxr.exe 1136 lflxxrl.exe 1228 bnhtnb.exe 4056 frxlxxr.exe 2460 nbbtnn.exe 2396 nnhnbt.exe 5044 vpvpj.exe 4584 xlxrlll.exe 2288 7bbnhb.exe 692 ddvdj.exe 3260 1lffffr.exe 4036 tnhbtn.exe 1652 ppdvp.exe 2328 vpvjd.exe 3144 fxxrxrf.exe 4448 htbtnn.exe 1272 jjjdj.exe -
resource yara_rule behavioral2/memory/4476-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2128-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-384-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3968-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-716-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrlflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrfff.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4476 wrote to memory of 404 4476 e24b075a5b7bebfb4c57cca053a67987e7adcf15b77d528310c48b5769adf47a.exe 83 PID 4476 wrote to memory of 404 4476 e24b075a5b7bebfb4c57cca053a67987e7adcf15b77d528310c48b5769adf47a.exe 83 PID 4476 wrote to memory of 404 4476 e24b075a5b7bebfb4c57cca053a67987e7adcf15b77d528310c48b5769adf47a.exe 83 PID 404 wrote to memory of 3044 404 nbhnnh.exe 84 PID 404 wrote to memory of 3044 404 nbhnnh.exe 84 PID 404 wrote to memory of 3044 404 nbhnnh.exe 84 PID 3044 wrote to memory of 3184 3044 llffxff.exe 85 PID 3044 wrote to memory of 3184 3044 llffxff.exe 85 PID 3044 wrote to memory of 3184 3044 llffxff.exe 85 PID 3184 wrote to memory of 1264 3184 3hbbtb.exe 86 PID 3184 wrote to memory of 1264 3184 3hbbtb.exe 86 PID 3184 wrote to memory of 1264 3184 3hbbtb.exe 86 PID 1264 wrote to memory of 1912 1264 tnnnhh.exe 87 PID 1264 wrote to memory of 1912 1264 tnnnhh.exe 87 PID 1264 wrote to memory of 1912 1264 tnnnhh.exe 87 PID 1912 wrote to memory of 1416 1912 fxrlllf.exe 88 PID 1912 wrote to memory of 1416 1912 fxrlllf.exe 88 PID 1912 wrote to memory of 1416 1912 fxrlllf.exe 88 PID 1416 wrote to memory of 4012 1416 tntbbb.exe 89 PID 1416 wrote to memory of 4012 1416 tntbbb.exe 89 PID 1416 wrote to memory of 4012 1416 tntbbb.exe 89 PID 4012 wrote to memory of 2452 4012 pjjpp.exe 90 PID 4012 wrote to memory of 2452 4012 pjjpp.exe 90 PID 4012 wrote to memory of 2452 4012 pjjpp.exe 90 PID 2452 wrote to memory of 2288 2452 nhbtnh.exe 91 PID 2452 wrote to memory of 2288 2452 nhbtnh.exe 91 PID 2452 wrote to memory of 2288 2452 nhbtnh.exe 91 PID 2288 wrote to memory of 4964 2288 vvppj.exe 92 PID 2288 wrote to memory of 4964 2288 vvppj.exe 92 PID 2288 wrote to memory of 4964 2288 vvppj.exe 92 PID 4964 wrote to memory of 4688 4964 nnhbnn.exe 93 PID 4964 wrote to memory of 4688 4964 nnhbnn.exe 93 PID 4964 wrote to memory of 4688 4964 nnhbnn.exe 93 PID 4688 wrote to memory of 2328 4688 vpvpv.exe 94 PID 4688 wrote to memory of 
2328 4688 vpvpv.exe 94 PID 4688 wrote to memory of 2328 4688 vpvpv.exe 94 PID 2328 wrote to memory of 944 2328 tbbtnh.exe 95 PID 2328 wrote to memory of 944 2328 tbbtnh.exe 95 PID 2328 wrote to memory of 944 2328 tbbtnh.exe 95 PID 944 wrote to memory of 1272 944 jjjdd.exe 96 PID 944 wrote to memory of 1272 944 jjjdd.exe 96 PID 944 wrote to memory of 1272 944 jjjdd.exe 96 PID 1272 wrote to memory of 2540 1272 nthbnn.exe 97 PID 1272 wrote to memory of 2540 1272 nthbnn.exe 97 PID 1272 wrote to memory of 2540 1272 nthbnn.exe 97 PID 2540 wrote to memory of 2704 2540 hbbtnn.exe 98 PID 2540 wrote to memory of 2704 2540 hbbtnn.exe 98 PID 2540 wrote to memory of 2704 2540 hbbtnn.exe 98 PID 2704 wrote to memory of 4540 2704 jjdvp.exe 99 PID 2704 wrote to memory of 4540 2704 jjdvp.exe 99 PID 2704 wrote to memory of 4540 2704 jjdvp.exe 99 PID 4540 wrote to memory of 4280 4540 vvdvp.exe 100 PID 4540 wrote to memory of 4280 4540 vvdvp.exe 100 PID 4540 wrote to memory of 4280 4540 vvdvp.exe 100 PID 4280 wrote to memory of 3668 4280 9rxxxlx.exe 101 PID 4280 wrote to memory of 3668 4280 9rxxxlx.exe 101 PID 4280 wrote to memory of 3668 4280 9rxxxlx.exe 101 PID 3668 wrote to memory of 3048 3668 hbhhnn.exe 102 PID 3668 wrote to memory of 3048 3668 hbhhnn.exe 102 PID 3668 wrote to memory of 3048 3668 hbhhnn.exe 102 PID 3048 wrote to memory of 4460 3048 pjpdd.exe 103 PID 3048 wrote to memory of 4460 3048 pjpdd.exe 103 PID 3048 wrote to memory of 4460 3048 pjpdd.exe 103 PID 4460 wrote to memory of 1996 4460 btttnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e24b075a5b7bebfb4c57cca053a67987e7adcf15b77d528310c48b5769adf47a.exe"C:\Users\Admin\AppData\Local\Temp\e24b075a5b7bebfb4c57cca053a67987e7adcf15b77d528310c48b5769adf47a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\nbhnnh.exec:\nbhnnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\llffxff.exec:\llffxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\3hbbtb.exec:\3hbbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\tnnnhh.exec:\tnnnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\fxrlllf.exec:\fxrlllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\tntbbb.exec:\tntbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\pjjpp.exec:\pjjpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\nhbtnh.exec:\nhbtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\vvppj.exec:\vvppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\nnhbnn.exec:\nnhbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\vpvpv.exec:\vpvpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\tbbtnh.exec:\tbbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\jjjdd.exec:\jjjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\nthbnn.exec:\nthbnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\hbbtnn.exec:\hbbtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\jjdvp.exec:\jjdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\vvdvp.exec:\vvdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\9rxxxlx.exec:\9rxxxlx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\hbhhnn.exec:\hbhhnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\pjpdd.exec:\pjpdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\btttnn.exec:\btttnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\7vvpv.exec:\7vvpv.exe23⤵
- Executes dropped EXE
PID:1996 -
\??\c:\jddvj.exec:\jddvj.exe24⤵
- Executes dropped EXE
PID:1780 -
\??\c:\1rrlfxr.exec:\1rrlfxr.exe25⤵
- Executes dropped EXE
PID:212 -
\??\c:\bntnhh.exec:\bntnhh.exe26⤵
- Executes dropped EXE
PID:3136 -
\??\c:\lflrllr.exec:\lflrllr.exe27⤵
- Executes dropped EXE
PID:824 -
\??\c:\jppvv.exec:\jppvv.exe28⤵
- Executes dropped EXE
PID:2128 -
\??\c:\frrlfxx.exec:\frrlfxx.exe29⤵
- Executes dropped EXE
PID:4984 -
\??\c:\vjjjd.exec:\vjjjd.exe30⤵
- Executes dropped EXE
PID:3696 -
\??\c:\rllffff.exec:\rllffff.exe31⤵
- Executes dropped EXE
PID:3420 -
\??\c:\5ttnhb.exec:\5ttnhb.exe32⤵
- Executes dropped EXE
PID:4420 -
\??\c:\llrlrxf.exec:\llrlrxf.exe33⤵
- Executes dropped EXE
PID:1752 -
\??\c:\3tnhbb.exec:\3tnhbb.exe34⤵
- Executes dropped EXE
PID:1420 -
\??\c:\pdjdd.exec:\pdjdd.exe35⤵
- Executes dropped EXE
PID:2612 -
\??\c:\rrffxlf.exec:\rrffxlf.exe36⤵
- Executes dropped EXE
PID:1496 -
\??\c:\bhhbtt.exec:\bhhbtt.exe37⤵
- Executes dropped EXE
PID:1256 -
\??\c:\jppjv.exec:\jppjv.exe38⤵
- Executes dropped EXE
PID:2164 -
\??\c:\bhnnhh.exec:\bhnnhh.exe39⤵
- Executes dropped EXE
PID:5020 -
\??\c:\pddpd.exec:\pddpd.exe40⤵
- Executes dropped EXE
PID:3032 -
\??\c:\fxxrlff.exec:\fxxrlff.exe41⤵
- Executes dropped EXE
PID:4880 -
\??\c:\5xxrlrr.exec:\5xxrlrr.exe42⤵
- Executes dropped EXE
PID:4288 -
\??\c:\ntthbt.exec:\ntthbt.exe43⤵
- Executes dropped EXE
PID:4276 -
\??\c:\1dddv.exec:\1dddv.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3564 -
\??\c:\9xfrrrx.exec:\9xfrrrx.exe45⤵
- Executes dropped EXE
PID:388 -
\??\c:\hhthnb.exec:\hhthnb.exe46⤵
- Executes dropped EXE
PID:3968 -
\??\c:\bhthbh.exec:\bhthbh.exe47⤵
- Executes dropped EXE
PID:4776 -
\??\c:\dpdpv.exec:\dpdpv.exe48⤵
- Executes dropped EXE
PID:448 -
\??\c:\llrlxxr.exec:\llrlxxr.exe49⤵
- Executes dropped EXE
PID:1200 -
\??\c:\lflxxrl.exec:\lflxxrl.exe50⤵
- Executes dropped EXE
PID:1136 -
\??\c:\bnhtnb.exec:\bnhtnb.exe51⤵
- Executes dropped EXE
PID:1228 -
\??\c:\frxlxxr.exec:\frxlxxr.exe52⤵
- Executes dropped EXE
PID:4056 -
\??\c:\nbbtnn.exec:\nbbtnn.exe53⤵
- Executes dropped EXE
PID:2460 -
\??\c:\nnhnbt.exec:\nnhnbt.exe54⤵
- Executes dropped EXE
PID:2396 -
\??\c:\vpvpj.exec:\vpvpj.exe55⤵
- Executes dropped EXE
PID:5044 -
\??\c:\xlxrlll.exec:\xlxrlll.exe56⤵
- Executes dropped EXE
PID:4584 -
\??\c:\7bbnhb.exec:\7bbnhb.exe57⤵
- Executes dropped EXE
PID:2288 -
\??\c:\ddvdj.exec:\ddvdj.exe58⤵
- Executes dropped EXE
PID:692 -
\??\c:\1lffffr.exec:\1lffffr.exe59⤵
- Executes dropped EXE
PID:3260 -
\??\c:\tnhbtn.exec:\tnhbtn.exe60⤵
- Executes dropped EXE
PID:4036 -
\??\c:\ppdvp.exec:\ppdvp.exe61⤵
- Executes dropped EXE
PID:1652 -
\??\c:\vpvjd.exec:\vpvjd.exe62⤵
- Executes dropped EXE
PID:2328 -
\??\c:\fxxrxrf.exec:\fxxrxrf.exe63⤵
- Executes dropped EXE
PID:3144 -
\??\c:\htbtnn.exec:\htbtnn.exe64⤵
- Executes dropped EXE
PID:4448 -
\??\c:\jjjdj.exec:\jjjdj.exe65⤵
- Executes dropped EXE
PID:1272 -
\??\c:\9xrxlrf.exec:\9xrxlrf.exe66⤵PID:3248
-
\??\c:\bbnbhb.exec:\bbnbhb.exe67⤵PID:2648
-
\??\c:\ntbttn.exec:\ntbttn.exe68⤵PID:1656
-
\??\c:\xlrlrlx.exec:\xlrlrlx.exe69⤵PID:3292
-
\??\c:\rlfxrlx.exec:\rlfxrlx.exe70⤵PID:3272
-
\??\c:\nnbtnn.exec:\nnbtnn.exe71⤵PID:2880
-
\??\c:\jvjvp.exec:\jvjvp.exe72⤵PID:1696
-
\??\c:\xlrlxrx.exec:\xlrlxrx.exe73⤵PID:4456
-
\??\c:\xllfflr.exec:\xllfflr.exe74⤵PID:4460
-
\??\c:\bbnnhh.exec:\bbnnhh.exe75⤵PID:4352
-
\??\c:\vjpjv.exec:\vjpjv.exe76⤵PID:1996
-
\??\c:\pvjdp.exec:\pvjdp.exe77⤵PID:4996
-
\??\c:\lxxrllx.exec:\lxxrllx.exe78⤵PID:4040
-
\??\c:\nhhbth.exec:\nhhbth.exe79⤵PID:4884
-
\??\c:\vjdvj.exec:\vjdvj.exe80⤵PID:2316
-
\??\c:\rlfxlxl.exec:\rlfxlxl.exe81⤵PID:2128
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe82⤵PID:1120
-
\??\c:\nbnhbt.exec:\nbnhbt.exe83⤵PID:4032
-
\??\c:\vpjpj.exec:\vpjpj.exe84⤵PID:2824
-
\??\c:\lxrfxrf.exec:\lxrfxrf.exe85⤵PID:3616
-
\??\c:\btttnh.exec:\btttnh.exe86⤵PID:4936
-
\??\c:\thbnnt.exec:\thbnnt.exe87⤵PID:1388
-
\??\c:\vpvjd.exec:\vpvjd.exe88⤵PID:4888
-
\??\c:\rlrxllf.exec:\rlrxllf.exe89⤵PID:508
-
\??\c:\nthbtt.exec:\nthbtt.exe90⤵
- System Location Discovery: System Language Discovery
PID:4700 -
\??\c:\bhhthb.exec:\bhhthb.exe91⤵PID:3512
-
\??\c:\vpvpd.exec:\vpvpd.exe92⤵PID:1864
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe93⤵PID:2300
-
\??\c:\hbtnnn.exec:\hbtnnn.exe94⤵PID:3392
-
\??\c:\pvpjv.exec:\pvpjv.exe95⤵PID:2980
-
\??\c:\pvvjv.exec:\pvvjv.exe96⤵
- System Location Discovery: System Language Discovery
PID:4596 -
\??\c:\rflxfxr.exec:\rflxfxr.exe97⤵PID:4624
-
\??\c:\htbnbt.exec:\htbnbt.exe98⤵PID:4816
-
\??\c:\7pjvj.exec:\7pjvj.exe99⤵PID:4404
-
\??\c:\lrxrxrx.exec:\lrxrxrx.exe100⤵PID:3688
-
\??\c:\3lrlllf.exec:\3lrlllf.exe101⤵PID:3968
-
\??\c:\nhhbbb.exec:\nhhbbb.exe102⤵PID:3672
-
\??\c:\dvvjj.exec:\dvvjj.exe103⤵PID:448
-
\??\c:\flxlfxr.exec:\flxlfxr.exe104⤵PID:1912
-
\??\c:\bnhtnt.exec:\bnhtnt.exe105⤵
- System Location Discovery: System Language Discovery
PID:4316 -
\??\c:\7bbbnb.exec:\7bbbnb.exe106⤵PID:3604
-
\??\c:\1dvpd.exec:\1dvpd.exe107⤵PID:4328
-
\??\c:\3ffxrrl.exec:\3ffxrrl.exe108⤵PID:4872
-
\??\c:\thhbtt.exec:\thhbtt.exe109⤵PID:3276
-
\??\c:\pvppj.exec:\pvppj.exe110⤵PID:3084
-
\??\c:\ddjvd.exec:\ddjvd.exe111⤵PID:1476
-
\??\c:\flrrlll.exec:\flrrlll.exe112⤵PID:3260
-
\??\c:\bhhbtt.exec:\bhhbtt.exe113⤵PID:4112
-
\??\c:\ttbnbt.exec:\ttbnbt.exe114⤵PID:896
-
\??\c:\pjjdv.exec:\pjjdv.exe115⤵PID:1596
-
\??\c:\lxllrrr.exec:\lxllrrr.exe116⤵PID:4780
-
\??\c:\xlllxxr.exec:\xlllxxr.exe117⤵PID:216
-
\??\c:\nbbtbb.exec:\nbbtbb.exe118⤵PID:2804
-
\??\c:\djvvv.exec:\djvvv.exe119⤵PID:3484
-
\??\c:\pjddv.exec:\pjddv.exe120⤵PID:4540
-
\??\c:\rflfffx.exec:\rflfffx.exe121⤵PID:3292
-
\??\c:\ttttnh.exec:\ttttnh.exe122⤵PID:1392