Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-12-2024 22:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5d205650edfd504b73dc63661a74fc622102a0f20086324d9bca20406be7d124.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
5d205650edfd504b73dc63661a74fc622102a0f20086324d9bca20406be7d124.exe
-
Size
454KB
-
MD5
5d80e0916250699c9572dc276cadb2dc
-
SHA1
5e499c67c80b7081ff719d4cb18c19ad1bf20107
-
SHA256
5d205650edfd504b73dc63661a74fc622102a0f20086324d9bca20406be7d124
-
SHA512
b35714c6a00da3ee68028e112c964468ac2cf5e8b7ef16ee9239f61af266dc17e1c987d17fea223712456ee10f091509cf5de53d72feb45141b035181f50d297
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4164-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4660-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3392-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-990-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/556-1220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4164 lffxrrl.exe 5112 1nbttt.exe 1940 nbttnh.exe 1580 5ffxrfx.exe 1516 tntnhh.exe 980 djpdp.exe 3460 fxrlfll.exe 2188 vpjdj.exe 4824 llrlxxf.exe 3864 hbbtht.exe 1872 9tnhbh.exe 3624 rffxrrl.exe 2764 htttnh.exe 4768 llfrxxl.exe 3080 vjdvp.exe 2356 dddpp.exe 4836 fffxxff.exe 3708 hbbtnn.exe 436 rllfrrl.exe 4848 5jdvj.exe 3628 pppvp.exe 4468 ntbbtt.exe 468 jjvdd.exe 4888 btnhtt.exe 3820 rxffxfx.exe 4660 nntttb.exe 2960 lfxxrxr.exe 1456 btbtnh.exe 4384 dpdvv.exe 1676 lrxrlll.exe 2548 djdjp.exe 3956 xrxllrr.exe 696 7hnntt.exe 1892 1lrfrrx.exe 4904 5bhnnn.exe 1680 vpjdd.exe 3496 pppjd.exe 3744 tntbbh.exe 3100 dvpjd.exe 3424 pjjdp.exe 312 xxrrrfl.exe 4412 tttnhb.exe 1356 jvddv.exe 736 rffxrrl.exe 1648 rlrrxxf.exe 3128 nhhbnn.exe 1732 5djdd.exe 1144 dpvvd.exe 1856 rrxlxxr.exe 4636 bnnhbt.exe 2068 nhhbnn.exe 4832 pdpjd.exe 944 llxrrrr.exe 748 thhbtn.exe 656 vjjdv.exe 3448 xxfrllf.exe 2128 bnhbtt.exe 3556 hhbbtt.exe 3624 vddvv.exe 2208 dvvpp.exe 3164 9flfrrf.exe 4768 nbtnnt.exe 4440 jppjj.exe 2320 fxrlxxr.exe -
resource yara_rule behavioral2/memory/4164-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4660-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-341-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/700-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-696-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjp.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2184 wrote to memory of 4164 2184 5d205650edfd504b73dc63661a74fc622102a0f20086324d9bca20406be7d124.exe 83 PID 2184 wrote to memory of 4164 2184 5d205650edfd504b73dc63661a74fc622102a0f20086324d9bca20406be7d124.exe 83 PID 2184 wrote to memory of 4164 2184 5d205650edfd504b73dc63661a74fc622102a0f20086324d9bca20406be7d124.exe 83 PID 4164 wrote to memory of 5112 4164 lffxrrl.exe 84 PID 4164 wrote to memory of 5112 4164 lffxrrl.exe 84 PID 4164 wrote to memory of 5112 4164 lffxrrl.exe 84 PID 5112 wrote to memory of 1940 5112 1nbttt.exe 85 PID 5112 wrote to memory of 1940 5112 1nbttt.exe 85 PID 5112 wrote to memory of 1940 5112 1nbttt.exe 85 PID 1940 wrote to memory of 1580 1940 nbttnh.exe 86 PID 1940 wrote to memory of 1580 1940 nbttnh.exe 86 PID 1940 wrote to memory of 1580 1940 nbttnh.exe 86 PID 1580 wrote to memory of 1516 1580 5ffxrfx.exe 87 PID 1580 wrote to memory of 1516 1580 5ffxrfx.exe 87 PID 1580 wrote to memory of 1516 1580 5ffxrfx.exe 87 PID 1516 wrote to memory of 980 1516 tntnhh.exe 88 PID 1516 wrote to memory of 980 1516 tntnhh.exe 88 PID 1516 wrote to memory of 980 1516 tntnhh.exe 88 PID 980 wrote to memory of 3460 980 djpdp.exe 89 PID 980 wrote to memory of 3460 980 djpdp.exe 89 PID 980 wrote to memory of 3460 980 djpdp.exe 89 PID 3460 wrote to memory of 2188 3460 fxrlfll.exe 90 PID 3460 wrote to memory of 2188 3460 fxrlfll.exe 90 PID 3460 wrote to memory of 2188 3460 fxrlfll.exe 90 PID 2188 wrote to memory of 4824 2188 vpjdj.exe 91 PID 2188 wrote to memory of 4824 2188 vpjdj.exe 91 PID 2188 wrote to memory of 4824 2188 vpjdj.exe 91 PID 4824 wrote to memory of 3864 4824 llrlxxf.exe 92 PID 4824 wrote to memory of 3864 4824 llrlxxf.exe 92 PID 4824 wrote to memory of 3864 4824 llrlxxf.exe 92 PID 3864 wrote to memory of 1872 3864 hbbtht.exe 93 PID 3864 wrote to memory of 1872 3864 hbbtht.exe 93 PID 3864 wrote to memory of 1872 3864 hbbtht.exe 93 PID 1872 wrote to memory of 3624 1872 9tnhbh.exe 94 PID 1872 wrote to 
memory of 3624 1872 9tnhbh.exe 94 PID 1872 wrote to memory of 3624 1872 9tnhbh.exe 94 PID 3624 wrote to memory of 2764 3624 rffxrrl.exe 95 PID 3624 wrote to memory of 2764 3624 rffxrrl.exe 95 PID 3624 wrote to memory of 2764 3624 rffxrrl.exe 95 PID 2764 wrote to memory of 4768 2764 htttnh.exe 96 PID 2764 wrote to memory of 4768 2764 htttnh.exe 96 PID 2764 wrote to memory of 4768 2764 htttnh.exe 96 PID 4768 wrote to memory of 3080 4768 llfrxxl.exe 97 PID 4768 wrote to memory of 3080 4768 llfrxxl.exe 97 PID 4768 wrote to memory of 3080 4768 llfrxxl.exe 97 PID 3080 wrote to memory of 2356 3080 vjdvp.exe 98 PID 3080 wrote to memory of 2356 3080 vjdvp.exe 98 PID 3080 wrote to memory of 2356 3080 vjdvp.exe 98 PID 2356 wrote to memory of 4836 2356 dddpp.exe 99 PID 2356 wrote to memory of 4836 2356 dddpp.exe 99 PID 2356 wrote to memory of 4836 2356 dddpp.exe 99 PID 4836 wrote to memory of 3708 4836 fffxxff.exe 100 PID 4836 wrote to memory of 3708 4836 fffxxff.exe 100 PID 4836 wrote to memory of 3708 4836 fffxxff.exe 100 PID 3708 wrote to memory of 436 3708 hbbtnn.exe 101 PID 3708 wrote to memory of 436 3708 hbbtnn.exe 101 PID 3708 wrote to memory of 436 3708 hbbtnn.exe 101 PID 436 wrote to memory of 4848 436 rllfrrl.exe 102 PID 436 wrote to memory of 4848 436 rllfrrl.exe 102 PID 436 wrote to memory of 4848 436 rllfrrl.exe 102 PID 4848 wrote to memory of 3628 4848 5jdvj.exe 103 PID 4848 wrote to memory of 3628 4848 5jdvj.exe 103 PID 4848 wrote to memory of 3628 4848 5jdvj.exe 103 PID 3628 wrote to memory of 4468 3628 pppvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d205650edfd504b73dc63661a74fc622102a0f20086324d9bca20406be7d124.exe"C:\Users\Admin\AppData\Local\Temp\5d205650edfd504b73dc63661a74fc622102a0f20086324d9bca20406be7d124.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\lffxrrl.exec:\lffxrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\1nbttt.exec:\1nbttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\nbttnh.exec:\nbttnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\5ffxrfx.exec:\5ffxrfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\tntnhh.exec:\tntnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\djpdp.exec:\djpdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\fxrlfll.exec:\fxrlfll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\vpjdj.exec:\vpjdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\llrlxxf.exec:\llrlxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\hbbtht.exec:\hbbtht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\9tnhbh.exec:\9tnhbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\rffxrrl.exec:\rffxrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\htttnh.exec:\htttnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\llfrxxl.exec:\llfrxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\vjdvp.exec:\vjdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\dddpp.exec:\dddpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\fffxxff.exec:\fffxxff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\hbbtnn.exec:\hbbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\rllfrrl.exec:\rllfrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\5jdvj.exec:\5jdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\pppvp.exec:\pppvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\ntbbtt.exec:\ntbbtt.exe23⤵
- Executes dropped EXE
PID:4468 -
\??\c:\jjvdd.exec:\jjvdd.exe24⤵
- Executes dropped EXE
PID:468 -
\??\c:\btnhtt.exec:\btnhtt.exe25⤵
- Executes dropped EXE
PID:4888 -
\??\c:\rxffxfx.exec:\rxffxfx.exe26⤵
- Executes dropped EXE
PID:3820 -
\??\c:\nntttb.exec:\nntttb.exe27⤵
- Executes dropped EXE
PID:4660 -
\??\c:\lfxxrxr.exec:\lfxxrxr.exe28⤵
- Executes dropped EXE
PID:2960 -
\??\c:\btbtnh.exec:\btbtnh.exe29⤵
- Executes dropped EXE
PID:1456 -
\??\c:\dpdvv.exec:\dpdvv.exe30⤵
- Executes dropped EXE
PID:4384 -
\??\c:\lrxrlll.exec:\lrxrlll.exe31⤵
- Executes dropped EXE
PID:1676 -
\??\c:\djdjp.exec:\djdjp.exe32⤵
- Executes dropped EXE
PID:2548 -
\??\c:\xrxllrr.exec:\xrxllrr.exe33⤵
- Executes dropped EXE
PID:3956 -
\??\c:\7hnntt.exec:\7hnntt.exe34⤵
- Executes dropped EXE
PID:696 -
\??\c:\1lrfrrx.exec:\1lrfrrx.exe35⤵
- Executes dropped EXE
PID:1892 -
\??\c:\5bhnnn.exec:\5bhnnn.exe36⤵
- Executes dropped EXE
PID:4904 -
\??\c:\vpjdd.exec:\vpjdd.exe37⤵
- Executes dropped EXE
PID:1680 -
\??\c:\pppjd.exec:\pppjd.exe38⤵
- Executes dropped EXE
PID:3496 -
\??\c:\tntbbh.exec:\tntbbh.exe39⤵
- Executes dropped EXE
PID:3744 -
\??\c:\dvpjd.exec:\dvpjd.exe40⤵
- Executes dropped EXE
PID:3100 -
\??\c:\pjjdp.exec:\pjjdp.exe41⤵
- Executes dropped EXE
PID:3424 -
\??\c:\xxrrrfl.exec:\xxrrrfl.exe42⤵
- Executes dropped EXE
PID:312 -
\??\c:\tttnhb.exec:\tttnhb.exe43⤵
- Executes dropped EXE
PID:4412 -
\??\c:\jvddv.exec:\jvddv.exe44⤵
- Executes dropped EXE
PID:1356 -
\??\c:\rffxrrl.exec:\rffxrrl.exe45⤵
- Executes dropped EXE
PID:736 -
\??\c:\rlrrxxf.exec:\rlrrxxf.exe46⤵
- Executes dropped EXE
PID:1648 -
\??\c:\nhhbnn.exec:\nhhbnn.exe47⤵
- Executes dropped EXE
PID:3128 -
\??\c:\5djdd.exec:\5djdd.exe48⤵
- Executes dropped EXE
PID:1732 -
\??\c:\dpvvd.exec:\dpvvd.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1144 -
\??\c:\rrxlxxr.exec:\rrxlxxr.exe50⤵
- Executes dropped EXE
PID:1856 -
\??\c:\bnnhbt.exec:\bnnhbt.exe51⤵
- Executes dropped EXE
PID:4636 -
\??\c:\nhhbnn.exec:\nhhbnn.exe52⤵
- Executes dropped EXE
PID:2068 -
\??\c:\pdpjd.exec:\pdpjd.exe53⤵
- Executes dropped EXE
PID:4832 -
\??\c:\llxrrrr.exec:\llxrrrr.exe54⤵
- Executes dropped EXE
PID:944 -
\??\c:\thhbtn.exec:\thhbtn.exe55⤵
- Executes dropped EXE
PID:748 -
\??\c:\vjjdv.exec:\vjjdv.exe56⤵
- Executes dropped EXE
PID:656 -
\??\c:\xxfrllf.exec:\xxfrllf.exe57⤵
- Executes dropped EXE
PID:3448 -
\??\c:\bnhbtt.exec:\bnhbtt.exe58⤵
- Executes dropped EXE
PID:2128 -
\??\c:\hhbbtt.exec:\hhbbtt.exe59⤵
- Executes dropped EXE
PID:3556 -
\??\c:\vddvv.exec:\vddvv.exe60⤵
- Executes dropped EXE
PID:3624 -
\??\c:\dvvpp.exec:\dvvpp.exe61⤵
- Executes dropped EXE
PID:2208 -
\??\c:\9flfrrf.exec:\9flfrrf.exe62⤵
- Executes dropped EXE
PID:3164 -
\??\c:\nbtnnt.exec:\nbtnnt.exe63⤵
- Executes dropped EXE
PID:4768 -
\??\c:\jppjj.exec:\jppjj.exe64⤵
- Executes dropped EXE
PID:4440 -
\??\c:\fxrlxxr.exec:\fxrlxxr.exe65⤵
- Executes dropped EXE
PID:2320 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe66⤵PID:4760
-
\??\c:\bnbthh.exec:\bnbthh.exe67⤵PID:4684
-
\??\c:\1pvjd.exec:\1pvjd.exe68⤵PID:2828
-
\??\c:\frlxxxx.exec:\frlxxxx.exe69⤵PID:3552
-
\??\c:\7xxrffr.exec:\7xxrffr.exe70⤵PID:2212
-
\??\c:\bnnhbt.exec:\bnnhbt.exe71⤵PID:3152
-
\??\c:\5jdvp.exec:\5jdvp.exe72⤵PID:1176
-
\??\c:\rlrxxfx.exec:\rlrxxfx.exe73⤵PID:3516
-
\??\c:\rffrlfx.exec:\rffrlfx.exe74⤵PID:4676
-
\??\c:\3htnbb.exec:\3htnbb.exe75⤵PID:3392
-
\??\c:\vvdjd.exec:\vvdjd.exe76⤵PID:4012
-
\??\c:\xlxlffr.exec:\xlxlffr.exe77⤵PID:4544
-
\??\c:\lffxrrr.exec:\lffxrrr.exe78⤵PID:708
-
\??\c:\hbthbb.exec:\hbthbb.exe79⤵PID:1064
-
\??\c:\dppvv.exec:\dppvv.exe80⤵PID:3252
-
\??\c:\frxrxlf.exec:\frxrxlf.exe81⤵PID:3928
-
\??\c:\hbbtnh.exec:\hbbtnh.exe82⤵PID:4700
-
\??\c:\hhbtnh.exec:\hhbtnh.exe83⤵PID:700
-
\??\c:\jdjjj.exec:\jdjjj.exe84⤵PID:1328
-
\??\c:\fxrllll.exec:\fxrllll.exe85⤵PID:3996
-
\??\c:\5hbthb.exec:\5hbthb.exe86⤵PID:3956
-
\??\c:\nbbthh.exec:\nbbthh.exe87⤵PID:696
-
\??\c:\vjvpp.exec:\vjvpp.exe88⤵PID:4472
-
\??\c:\rffxrlr.exec:\rffxrlr.exe89⤵PID:3312
-
\??\c:\thhbtn.exec:\thhbtn.exe90⤵PID:3596
-
\??\c:\bnnbnb.exec:\bnnbnb.exe91⤵PID:4356
-
\??\c:\pddvj.exec:\pddvj.exe92⤵PID:3320
-
\??\c:\1xrfrrl.exec:\1xrfrrl.exe93⤵PID:608
-
\??\c:\hhnhhb.exec:\hhnhhb.exe94⤵PID:4000
-
\??\c:\vvdvj.exec:\vvdvj.exe95⤵PID:312
-
\??\c:\vppjd.exec:\vppjd.exe96⤵PID:776
-
\??\c:\lfrfrlf.exec:\lfrfrlf.exe97⤵PID:2184
-
\??\c:\hbbhtb.exec:\hbbhtb.exe98⤵PID:3504
-
\??\c:\1pjvj.exec:\1pjvj.exe99⤵PID:2368
-
\??\c:\rfrfrlf.exec:\rfrfrlf.exe100⤵PID:3616
-
\??\c:\9frfrlr.exec:\9frfrlr.exe101⤵PID:2824
-
\??\c:\bbbbbb.exec:\bbbbbb.exe102⤵PID:2704
-
\??\c:\vjddv.exec:\vjddv.exe103⤵PID:1516
-
\??\c:\xrxrlfl.exec:\xrxrlfl.exe104⤵PID:2864
-
\??\c:\7lrrllf.exec:\7lrrllf.exe105⤵PID:5080
-
\??\c:\ntbbtt.exec:\ntbbtt.exe106⤵PID:408
-
\??\c:\hthhnt.exec:\hthhnt.exe107⤵PID:4908
-
\??\c:\pppjv.exec:\pppjv.exe108⤵PID:760
-
\??\c:\frxrlxf.exec:\frxrlxf.exe109⤵PID:944
-
\??\c:\bntnnh.exec:\bntnnh.exe110⤵PID:748
-
\??\c:\3vpdp.exec:\3vpdp.exe111⤵PID:816
-
\??\c:\pjjvd.exec:\pjjvd.exe112⤵PID:3448
-
\??\c:\ffrlxxl.exec:\ffrlxxl.exe113⤵PID:844
-
\??\c:\thnhhn.exec:\thnhhn.exe114⤵PID:2652
-
\??\c:\jpppd.exec:\jpppd.exe115⤵PID:4624
-
\??\c:\7fxrxrf.exec:\7fxrxrf.exe116⤵PID:3624
-
\??\c:\fllfxfx.exec:\fllfxfx.exe117⤵PID:3764
-
\??\c:\thnnhn.exec:\thnnhn.exe118⤵PID:2208
-
\??\c:\vjdpd.exec:\vjdpd.exe119⤵PID:3524
-
\??\c:\xrxlfrl.exec:\xrxlfrl.exe120⤵PID:4280
-
\??\c:\tttbnh.exec:\tttbnh.exe121⤵PID:2216
-
\??\c:\dpppd.exec:\dpppd.exe122⤵PID:3356