Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe
-
Size
454KB
-
MD5
e7f447eac120811f0a2b4539dccc0771
-
SHA1
66a2f961fbfb85e3f56acf8ab9232af03f714d7f
-
SHA256
18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7
-
SHA512
82a118ed96d2bfc17b6da3dd944a87bc5a8309c690da3713b0ac963190355402979f0cf11c6213780a4c8a3542eab3c6587942648ab903d70c483fc5ed7ecbd5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4236-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3644-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1416-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-934-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-974-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-1029-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-1039-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4056 hhhhnn.exe 2420 nbtnhb.exe 4084 bnnhbt.exe 2260 pjpjj.exe 1932 rfrrxxf.exe 5044 ffrllll.exe 3008 vpjvp.exe 780 ffxrrll.exe 2620 5bhbtt.exe 5100 fxrrlll.exe 5040 jjppj.exe 2484 rlrlflf.exe 4480 9llfxff.exe 2936 pjppd.exe 3968 tnnbbt.exe 3468 pvvpj.exe 2376 xrfxllf.exe 3888 5xfxxxf.exe 212 3vvpj.exe 4680 xflrlfx.exe 2204 9lfxxxx.exe 3204 bnbttn.exe 1108 dpvpj.exe 3644 rffxrlf.exe 4384 xxxrlfx.exe 4508 hntnhb.exe 4784 bnhhbb.exe 4092 7djjp.exe 4332 rlxrxrx.exe 2312 9tbtnn.exe 2288 jpjdd.exe 2200 hhbtnn.exe 4408 jvjvp.exe 2416 5fxxrxx.exe 3096 vpvpj.exe 4816 7flflll.exe 3180 bbtnhb.exe 3332 pddvp.exe 1396 9pjdp.exe 2432 xlrxrrr.exe 3100 3hnbtt.exe 208 pdvjp.exe 4612 ffllllf.exe 1216 thtnhb.exe 1644 ppjjp.exe 2600 vppjd.exe 3816 rflffxx.exe 1376 xrfxrrx.exe 4624 1tbnnh.exe 5072 dpdvp.exe 4284 lxllrlr.exe 1724 bnnbht.exe 3308 dppjj.exe 2300 3xxlrrf.exe 2308 rrxrlfx.exe 3912 1ntnhh.exe 2420 pjjdd.exe 3132 3xxlfff.exe 3156 bhthbb.exe 2260 tbbtnh.exe 1616 vpppj.exe 2832 fxfflfr.exe 4968 nnnhhh.exe 1436 pdvpp.exe -
resource yara_rule behavioral2/memory/4236-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4784-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-390-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1720-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-934-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4236 wrote to memory of 4056 4236 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 84 PID 4236 wrote to memory of 4056 4236 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 84 PID 4236 wrote to memory of 4056 4236 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 84 PID 4056 wrote to memory of 2420 4056 hhhhnn.exe 85 PID 4056 wrote to memory of 2420 4056 hhhhnn.exe 85 PID 4056 wrote to memory of 2420 4056 hhhhnn.exe 85 PID 2420 wrote to memory of 4084 2420 nbtnhb.exe 86 PID 2420 wrote to memory of 4084 2420 nbtnhb.exe 86 PID 2420 wrote to memory of 4084 2420 nbtnhb.exe 86 PID 4084 wrote to memory of 2260 4084 bnnhbt.exe 87 PID 4084 wrote to memory of 2260 4084 bnnhbt.exe 87 PID 4084 wrote to memory of 2260 4084 bnnhbt.exe 87 PID 2260 wrote to memory of 1932 2260 pjpjj.exe 88 PID 2260 wrote to memory of 1932 2260 pjpjj.exe 88 PID 2260 wrote to memory of 1932 2260 pjpjj.exe 88 PID 1932 wrote to memory of 5044 1932 rfrrxxf.exe 89 PID 1932 wrote to memory of 5044 1932 rfrrxxf.exe 89 PID 1932 wrote to memory of 5044 1932 rfrrxxf.exe 89 PID 5044 wrote to memory of 3008 5044 ffrllll.exe 90 PID 5044 wrote to memory of 3008 5044 ffrllll.exe 90 PID 5044 wrote to memory of 3008 5044 ffrllll.exe 90 PID 3008 wrote to memory of 780 3008 vpjvp.exe 91 PID 3008 wrote to memory of 780 3008 vpjvp.exe 91 PID 3008 wrote to memory of 780 3008 vpjvp.exe 91 PID 780 wrote to memory of 2620 780 ffxrrll.exe 92 PID 780 wrote to memory of 2620 780 ffxrrll.exe 92 PID 780 wrote to memory of 2620 780 ffxrrll.exe 92 PID 2620 wrote to memory of 5100 2620 5bhbtt.exe 93 PID 2620 wrote to memory of 5100 2620 5bhbtt.exe 93 PID 2620 wrote to memory of 5100 2620 5bhbtt.exe 93 PID 5100 wrote to memory of 5040 5100 fxrrlll.exe 94 PID 5100 wrote to memory of 5040 5100 fxrrlll.exe 94 PID 5100 wrote to memory of 5040 5100 fxrrlll.exe 94 PID 5040 wrote to memory of 2484 5040 jjppj.exe 95 PID 5040 wrote to 
memory of 2484 5040 jjppj.exe 95 PID 5040 wrote to memory of 2484 5040 jjppj.exe 95 PID 2484 wrote to memory of 4480 2484 rlrlflf.exe 96 PID 2484 wrote to memory of 4480 2484 rlrlflf.exe 96 PID 2484 wrote to memory of 4480 2484 rlrlflf.exe 96 PID 4480 wrote to memory of 2936 4480 9llfxff.exe 97 PID 4480 wrote to memory of 2936 4480 9llfxff.exe 97 PID 4480 wrote to memory of 2936 4480 9llfxff.exe 97 PID 2936 wrote to memory of 3968 2936 pjppd.exe 98 PID 2936 wrote to memory of 3968 2936 pjppd.exe 98 PID 2936 wrote to memory of 3968 2936 pjppd.exe 98 PID 3968 wrote to memory of 3468 3968 tnnbbt.exe 99 PID 3968 wrote to memory of 3468 3968 tnnbbt.exe 99 PID 3968 wrote to memory of 3468 3968 tnnbbt.exe 99 PID 3468 wrote to memory of 2376 3468 pvvpj.exe 100 PID 3468 wrote to memory of 2376 3468 pvvpj.exe 100 PID 3468 wrote to memory of 2376 3468 pvvpj.exe 100 PID 2376 wrote to memory of 3888 2376 xrfxllf.exe 101 PID 2376 wrote to memory of 3888 2376 xrfxllf.exe 101 PID 2376 wrote to memory of 3888 2376 xrfxllf.exe 101 PID 3888 wrote to memory of 212 3888 5xfxxxf.exe 102 PID 3888 wrote to memory of 212 3888 5xfxxxf.exe 102 PID 3888 wrote to memory of 212 3888 5xfxxxf.exe 102 PID 212 wrote to memory of 4680 212 3vvpj.exe 103 PID 212 wrote to memory of 4680 212 3vvpj.exe 103 PID 212 wrote to memory of 4680 212 3vvpj.exe 103 PID 4680 wrote to memory of 2204 4680 xflrlfx.exe 104 PID 4680 wrote to memory of 2204 4680 xflrlfx.exe 104 PID 4680 wrote to memory of 2204 4680 xflrlfx.exe 104 PID 2204 wrote to memory of 3204 2204 9lfxxxx.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe"C:\Users\Admin\AppData\Local\Temp\18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\hhhhnn.exec:\hhhhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\nbtnhb.exec:\nbtnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\bnnhbt.exec:\bnnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\pjpjj.exec:\pjpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\rfrrxxf.exec:\rfrrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\ffrllll.exec:\ffrllll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\vpjvp.exec:\vpjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\ffxrrll.exec:\ffxrrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\5bhbtt.exec:\5bhbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\fxrrlll.exec:\fxrrlll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\jjppj.exec:\jjppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\rlrlflf.exec:\rlrlflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\9llfxff.exec:\9llfxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\pjppd.exec:\pjppd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\tnnbbt.exec:\tnnbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\pvvpj.exec:\pvvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\xrfxllf.exec:\xrfxllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\5xfxxxf.exec:\5xfxxxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\3vvpj.exec:\3vvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\xflrlfx.exec:\xflrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\9lfxxxx.exec:\9lfxxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\bnbttn.exec:\bnbttn.exe23⤵
- Executes dropped EXE
PID:3204 -
\??\c:\dpvpj.exec:\dpvpj.exe24⤵
- Executes dropped EXE
PID:1108 -
\??\c:\rffxrlf.exec:\rffxrlf.exe25⤵
- Executes dropped EXE
PID:3644 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe26⤵
- Executes dropped EXE
PID:4384 -
\??\c:\hntnhb.exec:\hntnhb.exe27⤵
- Executes dropped EXE
PID:4508 -
\??\c:\bnhhbb.exec:\bnhhbb.exe28⤵
- Executes dropped EXE
PID:4784 -
\??\c:\7djjp.exec:\7djjp.exe29⤵
- Executes dropped EXE
PID:4092 -
\??\c:\rlxrxrx.exec:\rlxrxrx.exe30⤵
- Executes dropped EXE
PID:4332 -
\??\c:\9tbtnn.exec:\9tbtnn.exe31⤵
- Executes dropped EXE
PID:2312 -
\??\c:\jpjdd.exec:\jpjdd.exe32⤵
- Executes dropped EXE
PID:2288 -
\??\c:\hhbtnn.exec:\hhbtnn.exe33⤵
- Executes dropped EXE
PID:2200 -
\??\c:\jvjvp.exec:\jvjvp.exe34⤵
- Executes dropped EXE
PID:4408 -
\??\c:\5fxxrxx.exec:\5fxxrxx.exe35⤵
- Executes dropped EXE
PID:2416 -
\??\c:\vpvpj.exec:\vpvpj.exe36⤵
- Executes dropped EXE
PID:3096 -
\??\c:\7flflll.exec:\7flflll.exe37⤵
- Executes dropped EXE
PID:4816 -
\??\c:\bbtnhb.exec:\bbtnhb.exe38⤵
- Executes dropped EXE
PID:3180 -
\??\c:\pddvp.exec:\pddvp.exe39⤵
- Executes dropped EXE
PID:3332 -
\??\c:\9pjdp.exec:\9pjdp.exe40⤵
- Executes dropped EXE
PID:1396 -
\??\c:\xlrxrrr.exec:\xlrxrrr.exe41⤵
- Executes dropped EXE
PID:2432 -
\??\c:\3hnbtt.exec:\3hnbtt.exe42⤵
- Executes dropped EXE
PID:3100 -
\??\c:\pdvjp.exec:\pdvjp.exe43⤵
- Executes dropped EXE
PID:208 -
\??\c:\ffllllf.exec:\ffllllf.exe44⤵
- Executes dropped EXE
PID:4612 -
\??\c:\thtnhb.exec:\thtnhb.exe45⤵
- Executes dropped EXE
PID:1216 -
\??\c:\ppjjp.exec:\ppjjp.exe46⤵
- Executes dropped EXE
PID:1644 -
\??\c:\vppjd.exec:\vppjd.exe47⤵
- Executes dropped EXE
PID:2600 -
\??\c:\rflffxx.exec:\rflffxx.exe48⤵
- Executes dropped EXE
PID:3816 -
\??\c:\xrfxrrx.exec:\xrfxrrx.exe49⤵
- Executes dropped EXE
PID:1376 -
\??\c:\1tbnnh.exec:\1tbnnh.exe50⤵
- Executes dropped EXE
PID:4624 -
\??\c:\dpdvp.exec:\dpdvp.exe51⤵
- Executes dropped EXE
PID:5072 -
\??\c:\lxllrlr.exec:\lxllrlr.exe52⤵
- Executes dropped EXE
PID:4284 -
\??\c:\bnnbht.exec:\bnnbht.exe53⤵
- Executes dropped EXE
PID:1724 -
\??\c:\dppjj.exec:\dppjj.exe54⤵
- Executes dropped EXE
PID:3308 -
\??\c:\3xxlrrf.exec:\3xxlrrf.exe55⤵
- Executes dropped EXE
PID:2300 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe56⤵
- Executes dropped EXE
PID:2308 -
\??\c:\1ntnhh.exec:\1ntnhh.exe57⤵
- Executes dropped EXE
PID:3912 -
\??\c:\pjjdd.exec:\pjjdd.exe58⤵
- Executes dropped EXE
PID:2420 -
\??\c:\3xxlfff.exec:\3xxlfff.exe59⤵
- Executes dropped EXE
PID:3132 -
\??\c:\bhthbb.exec:\bhthbb.exe60⤵
- Executes dropped EXE
PID:3156 -
\??\c:\tbbtnh.exec:\tbbtnh.exe61⤵
- Executes dropped EXE
PID:2260 -
\??\c:\vpppj.exec:\vpppj.exe62⤵
- Executes dropped EXE
PID:1616 -
\??\c:\fxfflfr.exec:\fxfflfr.exe63⤵
- Executes dropped EXE
PID:2832 -
\??\c:\nnnhhh.exec:\nnnhhh.exe64⤵
- Executes dropped EXE
PID:4968 -
\??\c:\pdvpp.exec:\pdvpp.exe65⤵
- Executes dropped EXE
PID:1436 -
\??\c:\pjjdv.exec:\pjjdv.exe66⤵PID:3464
-
\??\c:\xllfxxr.exec:\xllfxxr.exe67⤵PID:4552
-
\??\c:\bbhbtb.exec:\bbhbtb.exe68⤵PID:2620
-
\??\c:\dvpjd.exec:\dvpjd.exe69⤵PID:4900
-
\??\c:\7lrlllf.exec:\7lrlllf.exe70⤵PID:380
-
\??\c:\btbthh.exec:\btbthh.exe71⤵PID:5040
-
\??\c:\pjdvv.exec:\pjdvv.exe72⤵PID:2220
-
\??\c:\frxxrrr.exec:\frxxrrr.exe73⤵PID:3028
-
\??\c:\5xxrllf.exec:\5xxrllf.exe74⤵PID:4432
-
\??\c:\bbhbhh.exec:\bbhbhh.exe75⤵PID:3216
-
\??\c:\vpdjd.exec:\vpdjd.exe76⤵PID:844
-
\??\c:\jdvpj.exec:\jdvpj.exe77⤵PID:3468
-
\??\c:\9xlrxxx.exec:\9xlrxxx.exe78⤵PID:184
-
\??\c:\bnnnbb.exec:\bnnnbb.exe79⤵PID:1416
-
\??\c:\vdvvd.exec:\vdvvd.exe80⤵PID:3888
-
\??\c:\lllffxr.exec:\lllffxr.exe81⤵PID:3228
-
\??\c:\thhttn.exec:\thhttn.exe82⤵PID:640
-
\??\c:\jdvpj.exec:\jdvpj.exe83⤵
- System Location Discovery: System Language Discovery
PID:4680 -
\??\c:\ddjjp.exec:\ddjjp.exe84⤵PID:2204
-
\??\c:\ffrlllf.exec:\ffrlllf.exe85⤵PID:540
-
\??\c:\ntnnnn.exec:\ntnnnn.exe86⤵PID:2328
-
\??\c:\jvvvd.exec:\jvvvd.exe87⤵PID:1124
-
\??\c:\fxxxrlf.exec:\fxxxrlf.exe88⤵PID:3076
-
\??\c:\bnnbnb.exec:\bnnbnb.exe89⤵PID:2880
-
\??\c:\hbbtnh.exec:\hbbtnh.exe90⤵PID:2912
-
\??\c:\vdddv.exec:\vdddv.exe91⤵PID:4216
-
\??\c:\llxrrll.exec:\llxrrll.exe92⤵PID:4824
-
\??\c:\hnnbtb.exec:\hnnbtb.exe93⤵PID:4668
-
\??\c:\nbnhbt.exec:\nbnhbt.exe94⤵PID:3972
-
\??\c:\1ddpp.exec:\1ddpp.exe95⤵PID:1720
-
\??\c:\xlrlllx.exec:\xlrlllx.exe96⤵PID:1384
-
\??\c:\nhnhhb.exec:\nhnhhb.exe97⤵PID:2332
-
\??\c:\9pjjd.exec:\9pjjd.exe98⤵PID:4368
-
\??\c:\ffffrrr.exec:\ffffrrr.exe99⤵PID:2200
-
\??\c:\bntnnh.exec:\bntnnh.exe100⤵PID:1876
-
\??\c:\dpvdj.exec:\dpvdj.exe101⤵PID:2416
-
\??\c:\rxxrlff.exec:\rxxrlff.exe102⤵PID:3096
-
\??\c:\nhtnnh.exec:\nhtnnh.exe103⤵PID:4816
-
\??\c:\5djjd.exec:\5djjd.exe104⤵PID:4732
-
\??\c:\vppjj.exec:\vppjj.exe105⤵PID:4280
-
\??\c:\1thbtb.exec:\1thbtb.exe106⤵PID:3632
-
\??\c:\3thbtt.exec:\3thbtt.exe107⤵PID:4052
-
\??\c:\pddvp.exec:\pddvp.exe108⤵PID:3100
-
\??\c:\fflfrrl.exec:\fflfrrl.exe109⤵PID:1544
-
\??\c:\ntbtnn.exec:\ntbtnn.exe110⤵PID:4612
-
\??\c:\vdpjd.exec:\vdpjd.exe111⤵PID:1216
-
\??\c:\vdvjd.exec:\vdvjd.exe112⤵PID:940
-
\??\c:\fxfrfxf.exec:\fxfrfxf.exe113⤵PID:2600
-
\??\c:\bbbbbt.exec:\bbbbbt.exe114⤵PID:3816
-
\??\c:\dvjdd.exec:\dvjdd.exe115⤵PID:1376
-
\??\c:\5djdj.exec:\5djdj.exe116⤵PID:1884
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe117⤵PID:4360
-
\??\c:\htbtnh.exec:\htbtnh.exe118⤵PID:4536
-
\??\c:\jddvp.exec:\jddvp.exe119⤵PID:116
-
\??\c:\1lllffx.exec:\1lllffx.exe120⤵PID:1080
-
\??\c:\9thbbb.exec:\9thbbb.exe121⤵PID:5088
-
\??\c:\3pjjd.exec:\3pjjd.exe122⤵PID:2308