Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 19:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe
-
Size
456KB
-
MD5
c69e85961f6e2e796f842233210e437e
-
SHA1
34b164147a6e029de204ec0c1dc2dfd9ca5b9f87
-
SHA256
643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4
-
SHA512
814021b46f56ac366498583938420806651dbf8c28b33f6c7a919d3c51e0c0025919d855ed393342ff2acd47d645bd7fe2aa33fbb1b7048eec6459df6d09ad6f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRu:q7Tc2NYHUrAwfMp3CDRu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4120-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2912-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2372-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-1137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4120 ttnhbt.exe 3192 lxfxllf.exe 2208 842206.exe 1988 86644.exe 1688 nhbnhb.exe 3708 ttbnht.exe 4860 nnhbhh.exe 1644 vjdvp.exe 4416 fflfrlf.exe 1712 rlxxxrl.exe 2288 5lfxxxf.exe 1244 lrfxrfx.exe 4584 u408264.exe 1408 hhnbnh.exe 3640 22260.exe 2780 bnbtnh.exe 4832 6820448.exe 3824 htbttt.exe 1420 82862.exe 5000 nhbttt.exe 1384 q22604.exe 1464 200426.exe 3220 1vpdv.exe 4084 pvvdp.exe 4432 42286.exe 3604 88442.exe 1820 08282.exe 212 422042.exe 2912 lxrrllx.exe 3592 22860.exe 4816 nhbthb.exe 4388 0880224.exe 1592 64266.exe 1512 jdvpj.exe 3620 xllxrxl.exe 1880 jvpdv.exe 2684 22608.exe 1784 nnthth.exe 1588 rxflrlx.exe 3948 rrfxxxr.exe 4604 dddvp.exe 3464 3bhbbb.exe 4708 22044.exe 796 fxxrrll.exe 2332 00048.exe 2580 204488.exe 4332 6088660.exe 1004 280044.exe 4228 bttnhh.exe 1908 28260.exe 2456 5pvvd.exe 4864 xxxrrrr.exe 1452 llxxrrl.exe 3872 rflfxrf.exe 3764 flrxfxr.exe 2184 0268264.exe 2260 40004.exe 628 hbnnhb.exe 960 244888.exe 4820 606666.exe 4128 m2826.exe 4872 bbhhbb.exe 2796 pjddv.exe 2212 lxlfllr.exe -
resource yara_rule behavioral2/memory/4120-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2912-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3220-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-602-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6208640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2282266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6222660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0440404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c442604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8244884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8008646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4024 wrote to memory of 4120 4024 643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe 83 PID 4024 wrote to memory of 4120 4024 643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe 83 PID 4024 wrote to memory of 4120 4024 643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe 83 PID 4120 wrote to memory of 3192 4120 ttnhbt.exe 84 PID 4120 wrote to memory of 3192 4120 ttnhbt.exe 84 PID 4120 wrote to memory of 3192 4120 ttnhbt.exe 84 PID 3192 wrote to memory of 2208 3192 lxfxllf.exe 85 PID 3192 wrote to memory of 2208 3192 lxfxllf.exe 85 PID 3192 wrote to memory of 2208 3192 lxfxllf.exe 85 PID 2208 wrote to memory of 1988 2208 842206.exe 86 PID 2208 wrote to memory of 1988 2208 842206.exe 86 PID 2208 wrote to memory of 1988 2208 842206.exe 86 PID 1988 wrote to memory of 1688 1988 86644.exe 87 PID 1988 wrote to memory of 1688 1988 86644.exe 87 PID 1988 wrote to memory of 1688 1988 86644.exe 87 PID 1688 wrote to memory of 3708 1688 nhbnhb.exe 88 PID 1688 wrote to memory of 3708 1688 nhbnhb.exe 88 PID 1688 wrote to memory of 3708 1688 nhbnhb.exe 88 PID 3708 wrote to memory of 4860 3708 ttbnht.exe 89 PID 3708 wrote to memory of 4860 3708 ttbnht.exe 89 PID 3708 wrote to memory of 4860 3708 ttbnht.exe 89 PID 4860 wrote to memory of 1644 4860 nnhbhh.exe 90 PID 4860 wrote to memory of 1644 4860 nnhbhh.exe 90 PID 4860 wrote to memory of 1644 4860 nnhbhh.exe 90 PID 1644 wrote to memory of 4416 1644 vjdvp.exe 91 PID 1644 wrote to memory of 4416 1644 vjdvp.exe 91 PID 1644 wrote to memory of 4416 1644 vjdvp.exe 91 PID 4416 wrote to memory of 1712 4416 fflfrlf.exe 92 PID 4416 wrote to memory of 1712 4416 fflfrlf.exe 92 PID 4416 wrote to memory of 1712 4416 fflfrlf.exe 92 PID 1712 wrote to memory of 2288 1712 rlxxxrl.exe 93 PID 1712 wrote to memory of 2288 1712 rlxxxrl.exe 93 PID 1712 wrote to memory of 2288 1712 rlxxxrl.exe 93 PID 2288 wrote to memory of 1244 2288 5lfxxxf.exe 94 PID 2288 wrote 
to memory of 1244 2288 5lfxxxf.exe 94 PID 2288 wrote to memory of 1244 2288 5lfxxxf.exe 94 PID 1244 wrote to memory of 4584 1244 lrfxrfx.exe 95 PID 1244 wrote to memory of 4584 1244 lrfxrfx.exe 95 PID 1244 wrote to memory of 4584 1244 lrfxrfx.exe 95 PID 4584 wrote to memory of 1408 4584 u408264.exe 96 PID 4584 wrote to memory of 1408 4584 u408264.exe 96 PID 4584 wrote to memory of 1408 4584 u408264.exe 96 PID 1408 wrote to memory of 3640 1408 hhnbnh.exe 97 PID 1408 wrote to memory of 3640 1408 hhnbnh.exe 97 PID 1408 wrote to memory of 3640 1408 hhnbnh.exe 97 PID 3640 wrote to memory of 2780 3640 22260.exe 98 PID 3640 wrote to memory of 2780 3640 22260.exe 98 PID 3640 wrote to memory of 2780 3640 22260.exe 98 PID 2780 wrote to memory of 4832 2780 bnbtnh.exe 99 PID 2780 wrote to memory of 4832 2780 bnbtnh.exe 99 PID 2780 wrote to memory of 4832 2780 bnbtnh.exe 99 PID 4832 wrote to memory of 3824 4832 6820448.exe 100 PID 4832 wrote to memory of 3824 4832 6820448.exe 100 PID 4832 wrote to memory of 3824 4832 6820448.exe 100 PID 3824 wrote to memory of 1420 3824 htbttt.exe 101 PID 3824 wrote to memory of 1420 3824 htbttt.exe 101 PID 3824 wrote to memory of 1420 3824 htbttt.exe 101 PID 1420 wrote to memory of 5000 1420 82862.exe 102 PID 1420 wrote to memory of 5000 1420 82862.exe 102 PID 1420 wrote to memory of 5000 1420 82862.exe 102 PID 5000 wrote to memory of 1384 5000 nhbttt.exe 103 PID 5000 wrote to memory of 1384 5000 nhbttt.exe 103 PID 5000 wrote to memory of 1384 5000 nhbttt.exe 103 PID 1384 wrote to memory of 1464 1384 q22604.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe"C:\Users\Admin\AppData\Local\Temp\643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\ttnhbt.exec:\ttnhbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\lxfxllf.exec:\lxfxllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\842206.exec:\842206.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\86644.exec:\86644.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\nhbnhb.exec:\nhbnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\ttbnht.exec:\ttbnht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\nnhbhh.exec:\nnhbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\vjdvp.exec:\vjdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\fflfrlf.exec:\fflfrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\rlxxxrl.exec:\rlxxxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\5lfxxxf.exec:\5lfxxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\lrfxrfx.exec:\lrfxrfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\u408264.exec:\u408264.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\hhnbnh.exec:\hhnbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\22260.exec:\22260.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\bnbtnh.exec:\bnbtnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\6820448.exec:\6820448.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\htbttt.exec:\htbttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\82862.exec:\82862.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\nhbttt.exec:\nhbttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\q22604.exec:\q22604.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\200426.exec:\200426.exe23⤵
- Executes dropped EXE
PID:1464 -
\??\c:\1vpdv.exec:\1vpdv.exe24⤵
- Executes dropped EXE
PID:3220 -
\??\c:\pvvdp.exec:\pvvdp.exe25⤵
- Executes dropped EXE
PID:4084 -
\??\c:\42286.exec:\42286.exe26⤵
- Executes dropped EXE
PID:4432 -
\??\c:\88442.exec:\88442.exe27⤵
- Executes dropped EXE
PID:3604 -
\??\c:\08282.exec:\08282.exe28⤵
- Executes dropped EXE
PID:1820 -
\??\c:\422042.exec:\422042.exe29⤵
- Executes dropped EXE
PID:212 -
\??\c:\lxrrllx.exec:\lxrrllx.exe30⤵
- Executes dropped EXE
PID:2912 -
\??\c:\22860.exec:\22860.exe31⤵
- Executes dropped EXE
PID:3592 -
\??\c:\nhbthb.exec:\nhbthb.exe32⤵
- Executes dropped EXE
PID:4816 -
\??\c:\0880224.exec:\0880224.exe33⤵
- Executes dropped EXE
PID:4388 -
\??\c:\64266.exec:\64266.exe34⤵
- Executes dropped EXE
PID:1592 -
\??\c:\jdvpj.exec:\jdvpj.exe35⤵
- Executes dropped EXE
PID:1512 -
\??\c:\xllxrxl.exec:\xllxrxl.exe36⤵
- Executes dropped EXE
PID:3620 -
\??\c:\jvpdv.exec:\jvpdv.exe37⤵
- Executes dropped EXE
PID:1880 -
\??\c:\22608.exec:\22608.exe38⤵
- Executes dropped EXE
PID:2684 -
\??\c:\nnthth.exec:\nnthth.exe39⤵
- Executes dropped EXE
PID:1784 -
\??\c:\rxflrlx.exec:\rxflrlx.exe40⤵
- Executes dropped EXE
PID:1588 -
\??\c:\rrfxxxr.exec:\rrfxxxr.exe41⤵
- Executes dropped EXE
PID:3948 -
\??\c:\dddvp.exec:\dddvp.exe42⤵
- Executes dropped EXE
PID:4604 -
\??\c:\3bhbbb.exec:\3bhbbb.exe43⤵
- Executes dropped EXE
PID:3464 -
\??\c:\22044.exec:\22044.exe44⤵
- Executes dropped EXE
PID:4708 -
\??\c:\fxxrrll.exec:\fxxrrll.exe45⤵
- Executes dropped EXE
PID:796 -
\??\c:\00048.exec:\00048.exe46⤵
- Executes dropped EXE
PID:2332 -
\??\c:\204488.exec:\204488.exe47⤵
- Executes dropped EXE
PID:2580 -
\??\c:\6088660.exec:\6088660.exe48⤵
- Executes dropped EXE
PID:4332 -
\??\c:\280044.exec:\280044.exe49⤵
- Executes dropped EXE
PID:1004 -
\??\c:\bttnhh.exec:\bttnhh.exe50⤵
- Executes dropped EXE
PID:4228 -
\??\c:\28260.exec:\28260.exe51⤵
- Executes dropped EXE
PID:1908 -
\??\c:\5pvvd.exec:\5pvvd.exe52⤵
- Executes dropped EXE
PID:2456 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe53⤵
- Executes dropped EXE
PID:4864 -
\??\c:\llxxrrl.exec:\llxxrrl.exe54⤵
- Executes dropped EXE
PID:1452 -
\??\c:\rflfxrf.exec:\rflfxrf.exe55⤵
- Executes dropped EXE
PID:3872 -
\??\c:\flrxfxr.exec:\flrxfxr.exe56⤵
- Executes dropped EXE
PID:3764 -
\??\c:\0268264.exec:\0268264.exe57⤵
- Executes dropped EXE
PID:2184 -
\??\c:\40004.exec:\40004.exe58⤵
- Executes dropped EXE
PID:2260 -
\??\c:\hbnnhb.exec:\hbnnhb.exe59⤵
- Executes dropped EXE
PID:628 -
\??\c:\244888.exec:\244888.exe60⤵
- Executes dropped EXE
PID:960 -
\??\c:\606666.exec:\606666.exe61⤵
- Executes dropped EXE
PID:4820 -
\??\c:\m2826.exec:\m2826.exe62⤵
- Executes dropped EXE
PID:4128 -
\??\c:\bbhhbb.exec:\bbhhbb.exe63⤵
- Executes dropped EXE
PID:4872 -
\??\c:\pjddv.exec:\pjddv.exe64⤵
- Executes dropped EXE
PID:2796 -
\??\c:\lxlfllr.exec:\lxlfllr.exe65⤵
- Executes dropped EXE
PID:2212 -
\??\c:\jpdvv.exec:\jpdvv.exe66⤵PID:4108
-
\??\c:\rfrllxr.exec:\rfrllxr.exe67⤵PID:4484
-
\??\c:\dppjj.exec:\dppjj.exe68⤵PID:4748
-
\??\c:\tbbbtt.exec:\tbbbtt.exe69⤵PID:4684
-
\??\c:\0004264.exec:\0004264.exe70⤵PID:2372
-
\??\c:\vppjd.exec:\vppjd.exe71⤵PID:4712
-
\??\c:\8442608.exec:\8442608.exe72⤵PID:2772
-
\??\c:\06208.exec:\06208.exe73⤵PID:4464
-
\??\c:\nbhbnh.exec:\nbhbnh.exe74⤵PID:3392
-
\??\c:\rfxrxxf.exec:\rfxrxxf.exe75⤵PID:3744
-
\??\c:\llfxlfr.exec:\llfxlfr.exe76⤵PID:1292
-
\??\c:\xlrllff.exec:\xlrllff.exe77⤵PID:1464
-
\??\c:\1lxrlfx.exec:\1lxrlfx.exe78⤵PID:3220
-
\??\c:\04604.exec:\04604.exe79⤵PID:1148
-
\??\c:\nnthbb.exec:\nnthbb.exe80⤵PID:2856
-
\??\c:\66260.exec:\66260.exe81⤵PID:2860
-
\??\c:\bhhbht.exec:\bhhbht.exe82⤵PID:2800
-
\??\c:\4404860.exec:\4404860.exe83⤵PID:4560
-
\??\c:\lxfrfxr.exec:\lxfrfxr.exe84⤵PID:1616
-
\??\c:\666084.exec:\666084.exe85⤵PID:2072
-
\??\c:\4882660.exec:\4882660.exe86⤵PID:184
-
\??\c:\400044.exec:\400044.exe87⤵PID:232
-
\??\c:\c442604.exec:\c442604.exe88⤵
- System Location Discovery: System Language Discovery
PID:2912 -
\??\c:\260466.exec:\260466.exe89⤵PID:3592
-
\??\c:\42426.exec:\42426.exe90⤵PID:3712
-
\??\c:\428226.exec:\428226.exe91⤵PID:1620
-
\??\c:\4688822.exec:\4688822.exe92⤵PID:1664
-
\??\c:\nhtntt.exec:\nhtntt.exe93⤵PID:3984
-
\??\c:\tbnhhh.exec:\tbnhhh.exe94⤵PID:2324
-
\??\c:\8244884.exec:\8244884.exe95⤵
- System Location Discovery: System Language Discovery
PID:3432 -
\??\c:\5hnhhh.exec:\5hnhhh.exe96⤵PID:4524
-
\??\c:\80882.exec:\80882.exe97⤵PID:1428
-
\??\c:\xxxrrll.exec:\xxxrrll.exe98⤵PID:2840
-
\??\c:\0682268.exec:\0682268.exe99⤵PID:3376
-
\??\c:\266602.exec:\266602.exe100⤵PID:4720
-
\??\c:\42266.exec:\42266.exe101⤵PID:2536
-
\??\c:\xrrxrrr.exec:\xrrxrrr.exe102⤵PID:4268
-
\??\c:\rlrrxxr.exec:\rlrrxxr.exe103⤵PID:4644
-
\??\c:\frrlllf.exec:\frrlllf.exe104⤵PID:8
-
\??\c:\9lllfll.exec:\9lllfll.exe105⤵PID:3216
-
\??\c:\lrffxxx.exec:\lrffxxx.exe106⤵PID:4444
-
\??\c:\vdjdj.exec:\vdjdj.exe107⤵PID:1716
-
\??\c:\608622.exec:\608622.exe108⤵PID:4332
-
\??\c:\046202.exec:\046202.exe109⤵PID:4352
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe110⤵PID:2392
-
\??\c:\0644882.exec:\0644882.exe111⤵PID:4772
-
\??\c:\nhhhbb.exec:\nhhhbb.exe112⤵PID:3780
-
\??\c:\bttnhh.exec:\bttnhh.exe113⤵PID:4028
-
\??\c:\lxxlrll.exec:\lxxlrll.exe114⤵PID:2144
-
\??\c:\6666082.exec:\6666082.exe115⤵PID:824
-
\??\c:\22826.exec:\22826.exe116⤵PID:2768
-
\??\c:\424620.exec:\424620.exe117⤵PID:1584
-
\??\c:\a8020.exec:\a8020.exe118⤵PID:2984
-
\??\c:\68820.exec:\68820.exe119⤵PID:2004
-
\??\c:\jpvdp.exec:\jpvdp.exe120⤵PID:4860
-
\??\c:\3flfrrx.exec:\3flfrrx.exe121⤵PID:4880
-
\??\c:\xlrlfxl.exec:\xlrlfxl.exe122⤵PID:5020