Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 21:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe
-
Size
453KB
-
MD5
30af677f840dab1de3a5aa63e3f959e1
-
SHA1
70ee9544183d8c91d638921b675318c39f17d9e7
-
SHA256
5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707
-
SHA512
d0b66a7c0cad8e46f6d2d0f8d9e1db532ad6a3e58a87a8421952c422f62054773ab383b7984ef8147d1a397e98d271240ea87b339986436f34c15108a5fd47a6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2228-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2344-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3036-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-838-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-1041-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-1048-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-1814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3060 7llxxrr.exe 4340 ntnbht.exe 264 3pjvj.exe 3940 vvvjv.exe 3896 hnhbnn.exe 2372 rlfrfxr.exe 1652 hbbnnh.exe 4848 xlffrxl.exe 4980 jjdpj.exe 1376 rxrfrlx.exe 2940 ppvjv.exe 2140 5thbnb.exe 2528 pjvjv.exe 1088 lxrxfxl.exe 3852 7tthnb.exe 2416 9ddjp.exe 8 rlrfrfx.exe 884 lfrlfll.exe 2796 7rrllfr.exe 1436 dvdvv.exe 4832 nbtnbh.exe 1760 ttbtbb.exe 2344 pddvj.exe 2060 nhnhbt.exe 1464 vjpdd.exe 4284 9ffxllf.exe 3324 dvpjv.exe 4520 hbthbb.exe 1500 dvdjd.exe 4572 hnnbhb.exe 1988 pdpvj.exe 3352 bbtnnn.exe 4540 dpdpv.exe 1864 xxxlfrl.exe 5008 bhbhtt.exe 4740 vvpdp.exe 676 jppvv.exe 4592 xrrlffx.exe 3980 tntbnh.exe 2868 jjjdp.exe 3812 lxflrlx.exe 4956 7xrfrrf.exe 2400 bhhbnb.exe 1380 pdjdv.exe 3240 fffrflx.exe 696 nnbtnh.exe 2676 dvdvv.exe 4128 xrllllf.exe 1480 5nnnhh.exe 4616 7bthtn.exe 4500 rrxrfxf.exe 4068 lffrrfl.exe 1700 bnbtnh.exe 5004 9pdjv.exe 4052 lfllxrl.exe 1736 flxrlfx.exe 1076 5hbntn.exe 4848 9vpdj.exe 3464 xflfxfx.exe 4672 lfrlxrx.exe 2740 5ntnhh.exe 3036 flrlfxr.exe 2140 httnbb.exe 4800 nbtnbt.exe -
resource yara_rule behavioral2/memory/2228-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4284-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3064-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-838-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-941-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2228 wrote to memory of 3060 2228 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 82 PID 2228 wrote to memory of 3060 2228 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 82 PID 2228 wrote to memory of 3060 2228 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 82 PID 3060 wrote to memory of 4340 3060 7llxxrr.exe 83 PID 3060 wrote to memory of 4340 3060 7llxxrr.exe 83 PID 3060 wrote to memory of 4340 3060 7llxxrr.exe 83 PID 4340 wrote to memory of 264 4340 ntnbht.exe 84 PID 4340 wrote to memory of 264 4340 ntnbht.exe 84 PID 4340 wrote to memory of 264 4340 ntnbht.exe 84 PID 264 wrote to memory of 3940 264 3pjvj.exe 85 PID 264 wrote to memory of 3940 264 3pjvj.exe 85 PID 264 wrote to memory of 3940 264 3pjvj.exe 85 PID 3940 wrote to memory of 3896 3940 vvvjv.exe 86 PID 3940 wrote to memory of 3896 3940 vvvjv.exe 86 PID 3940 wrote to memory of 3896 3940 vvvjv.exe 86 PID 3896 wrote to memory of 2372 3896 hnhbnn.exe 87 PID 3896 wrote to memory of 2372 3896 hnhbnn.exe 87 PID 3896 wrote to memory of 2372 3896 hnhbnn.exe 87 PID 2372 wrote to memory of 1652 2372 rlfrfxr.exe 88 PID 2372 wrote to memory of 1652 2372 rlfrfxr.exe 88 PID 2372 wrote to memory of 1652 2372 rlfrfxr.exe 88 PID 1652 wrote to memory of 4848 1652 hbbnnh.exe 89 PID 1652 wrote to memory of 4848 1652 hbbnnh.exe 89 PID 1652 wrote to memory of 4848 1652 hbbnnh.exe 89 PID 4848 wrote to memory of 4980 4848 xlffrxl.exe 90 PID 4848 wrote to memory of 4980 4848 xlffrxl.exe 90 PID 4848 wrote to memory of 4980 4848 xlffrxl.exe 90 PID 4980 wrote to memory of 1376 4980 jjdpj.exe 91 PID 4980 wrote to memory of 1376 4980 jjdpj.exe 91 PID 4980 wrote to memory of 1376 4980 jjdpj.exe 91 PID 1376 wrote to memory of 2940 1376 rxrfrlx.exe 92 PID 1376 wrote to memory of 2940 1376 rxrfrlx.exe 92 PID 1376 wrote to memory of 2940 1376 rxrfrlx.exe 92 PID 2940 wrote to memory of 2140 2940 ppvjv.exe 93 PID 2940 wrote to memory 
of 2140 2940 ppvjv.exe 93 PID 2940 wrote to memory of 2140 2940 ppvjv.exe 93 PID 2140 wrote to memory of 2528 2140 5thbnb.exe 94 PID 2140 wrote to memory of 2528 2140 5thbnb.exe 94 PID 2140 wrote to memory of 2528 2140 5thbnb.exe 94 PID 2528 wrote to memory of 1088 2528 pjvjv.exe 95 PID 2528 wrote to memory of 1088 2528 pjvjv.exe 95 PID 2528 wrote to memory of 1088 2528 pjvjv.exe 95 PID 1088 wrote to memory of 3852 1088 lxrxfxl.exe 96 PID 1088 wrote to memory of 3852 1088 lxrxfxl.exe 96 PID 1088 wrote to memory of 3852 1088 lxrxfxl.exe 96 PID 3852 wrote to memory of 2416 3852 7tthnb.exe 97 PID 3852 wrote to memory of 2416 3852 7tthnb.exe 97 PID 3852 wrote to memory of 2416 3852 7tthnb.exe 97 PID 2416 wrote to memory of 8 2416 9ddjp.exe 98 PID 2416 wrote to memory of 8 2416 9ddjp.exe 98 PID 2416 wrote to memory of 8 2416 9ddjp.exe 98 PID 8 wrote to memory of 884 8 rlrfrfx.exe 99 PID 8 wrote to memory of 884 8 rlrfrfx.exe 99 PID 8 wrote to memory of 884 8 rlrfrfx.exe 99 PID 884 wrote to memory of 2796 884 lfrlfll.exe 100 PID 884 wrote to memory of 2796 884 lfrlfll.exe 100 PID 884 wrote to memory of 2796 884 lfrlfll.exe 100 PID 2796 wrote to memory of 1436 2796 7rrllfr.exe 101 PID 2796 wrote to memory of 1436 2796 7rrllfr.exe 101 PID 2796 wrote to memory of 1436 2796 7rrllfr.exe 101 PID 1436 wrote to memory of 4832 1436 dvdvv.exe 102 PID 1436 wrote to memory of 4832 1436 dvdvv.exe 102 PID 1436 wrote to memory of 4832 1436 dvdvv.exe 102 PID 4832 wrote to memory of 1760 4832 nbtnbh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe"C:\Users\Admin\AppData\Local\Temp\5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\7llxxrr.exec:\7llxxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\ntnbht.exec:\ntnbht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\3pjvj.exec:\3pjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\vvvjv.exec:\vvvjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\hnhbnn.exec:\hnhbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\rlfrfxr.exec:\rlfrfxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\hbbnnh.exec:\hbbnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\xlffrxl.exec:\xlffrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\jjdpj.exec:\jjdpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\rxrfrlx.exec:\rxrfrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\ppvjv.exec:\ppvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\5thbnb.exec:\5thbnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\pjvjv.exec:\pjvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\lxrxfxl.exec:\lxrxfxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\7tthnb.exec:\7tthnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\9ddjp.exec:\9ddjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\rlrfrfx.exec:\rlrfrfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\lfrlfll.exec:\lfrlfll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\7rrllfr.exec:\7rrllfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\dvdvv.exec:\dvdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\nbtnbh.exec:\nbtnbh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\ttbtbb.exec:\ttbtbb.exe23⤵
- Executes dropped EXE
PID:1760 -
\??\c:\pddvj.exec:\pddvj.exe24⤵
- Executes dropped EXE
PID:2344 -
\??\c:\nhnhbt.exec:\nhnhbt.exe25⤵
- Executes dropped EXE
PID:2060 -
\??\c:\vjpdd.exec:\vjpdd.exe26⤵
- Executes dropped EXE
PID:1464 -
\??\c:\9ffxllf.exec:\9ffxllf.exe27⤵
- Executes dropped EXE
PID:4284 -
\??\c:\dvpjv.exec:\dvpjv.exe28⤵
- Executes dropped EXE
PID:3324 -
\??\c:\hbthbb.exec:\hbthbb.exe29⤵
- Executes dropped EXE
PID:4520 -
\??\c:\dvdjd.exec:\dvdjd.exe30⤵
- Executes dropped EXE
PID:1500 -
\??\c:\hnnbhb.exec:\hnnbhb.exe31⤵
- Executes dropped EXE
PID:4572 -
\??\c:\pdpvj.exec:\pdpvj.exe32⤵
- Executes dropped EXE
PID:1988 -
\??\c:\bbtnnn.exec:\bbtnnn.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3352 -
\??\c:\dpdpv.exec:\dpdpv.exe34⤵
- Executes dropped EXE
PID:4540 -
\??\c:\xxxlfrl.exec:\xxxlfrl.exe35⤵
- Executes dropped EXE
PID:1864 -
\??\c:\bhbhtt.exec:\bhbhtt.exe36⤵
- Executes dropped EXE
PID:5008 -
\??\c:\vvpdp.exec:\vvpdp.exe37⤵
- Executes dropped EXE
PID:4740 -
\??\c:\jppvv.exec:\jppvv.exe38⤵
- Executes dropped EXE
PID:676 -
\??\c:\xrrlffx.exec:\xrrlffx.exe39⤵
- Executes dropped EXE
PID:4592 -
\??\c:\tntbnh.exec:\tntbnh.exe40⤵
- Executes dropped EXE
PID:3980 -
\??\c:\jjjdp.exec:\jjjdp.exe41⤵
- Executes dropped EXE
PID:2868 -
\??\c:\lxflrlx.exec:\lxflrlx.exe42⤵
- Executes dropped EXE
PID:3812 -
\??\c:\7xrfrrf.exec:\7xrfrrf.exe43⤵
- Executes dropped EXE
PID:4956 -
\??\c:\bhhbnb.exec:\bhhbnb.exe44⤵
- Executes dropped EXE
PID:2400 -
\??\c:\pdjdv.exec:\pdjdv.exe45⤵
- Executes dropped EXE
PID:1380 -
\??\c:\fffrflx.exec:\fffrflx.exe46⤵
- Executes dropped EXE
PID:3240 -
\??\c:\nnbtnh.exec:\nnbtnh.exe47⤵
- Executes dropped EXE
PID:696 -
\??\c:\dvdvv.exec:\dvdvv.exe48⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xrllllf.exec:\xrllllf.exe49⤵
- Executes dropped EXE
PID:4128 -
\??\c:\5nnnhh.exec:\5nnnhh.exe50⤵
- Executes dropped EXE
PID:1480 -
\??\c:\7bthtn.exec:\7bthtn.exe51⤵
- Executes dropped EXE
PID:4616 -
\??\c:\rrxrfxf.exec:\rrxrfxf.exe52⤵
- Executes dropped EXE
PID:4500 -
\??\c:\lffrrfl.exec:\lffrrfl.exe53⤵
- Executes dropped EXE
PID:4068 -
\??\c:\bnbtnh.exec:\bnbtnh.exe54⤵
- Executes dropped EXE
PID:1700 -
\??\c:\9pdjv.exec:\9pdjv.exe55⤵
- Executes dropped EXE
PID:5004 -
\??\c:\lfllxrl.exec:\lfllxrl.exe56⤵
- Executes dropped EXE
PID:4052 -
\??\c:\flxrlfx.exec:\flxrlfx.exe57⤵
- Executes dropped EXE
PID:1736 -
\??\c:\5hbntn.exec:\5hbntn.exe58⤵
- Executes dropped EXE
PID:1076 -
\??\c:\9vpdj.exec:\9vpdj.exe59⤵
- Executes dropped EXE
PID:4848 -
\??\c:\xflfxfx.exec:\xflfxfx.exe60⤵
- Executes dropped EXE
PID:3464 -
\??\c:\lfrlxrx.exec:\lfrlxrx.exe61⤵
- Executes dropped EXE
PID:4672 -
\??\c:\5ntnhh.exec:\5ntnhh.exe62⤵
- Executes dropped EXE
PID:2740 -
\??\c:\flrlfxr.exec:\flrlfxr.exe63⤵
- Executes dropped EXE
PID:3036 -
\??\c:\httnbb.exec:\httnbb.exe64⤵
- Executes dropped EXE
PID:2140 -
\??\c:\nbtnbt.exec:\nbtnbt.exe65⤵
- Executes dropped EXE
PID:4800 -
\??\c:\9pvpv.exec:\9pvpv.exe66⤵PID:4452
-
\??\c:\rrxfrlx.exec:\rrxfrlx.exe67⤵PID:1196
-
\??\c:\nhbnbt.exec:\nhbnbt.exe68⤵PID:2036
-
\??\c:\jdvpj.exec:\jdvpj.exe69⤵PID:4356
-
\??\c:\flxlfxl.exec:\flxlfxl.exe70⤵PID:1980
-
\??\c:\xxfrlll.exec:\xxfrlll.exe71⤵PID:3928
-
\??\c:\nbbnnh.exec:\nbbnnh.exe72⤵PID:916
-
\??\c:\dddjd.exec:\dddjd.exe73⤵PID:4212
-
\??\c:\xxfrfxl.exec:\xxfrfxl.exe74⤵PID:2796
-
\??\c:\9tthhh.exec:\9tthhh.exe75⤵PID:3592
-
\??\c:\thnbtn.exec:\thnbtn.exe76⤵PID:3064
-
\??\c:\dvjdj.exec:\dvjdj.exe77⤵PID:5056
-
\??\c:\fxrfrlx.exec:\fxrfrlx.exe78⤵PID:1760
-
\??\c:\5thbnh.exec:\5thbnh.exe79⤵PID:4996
-
\??\c:\pjpdp.exec:\pjpdp.exe80⤵PID:2060
-
\??\c:\dpjdp.exec:\dpjdp.exe81⤵PID:2292
-
\??\c:\5xxlfxr.exec:\5xxlfxr.exe82⤵PID:2144
-
\??\c:\bnnhnt.exec:\bnnhnt.exe83⤵PID:4284
-
\??\c:\jdvpd.exec:\jdvpd.exe84⤵PID:4072
-
\??\c:\jvvpd.exec:\jvvpd.exe85⤵PID:2320
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe86⤵PID:4520
-
\??\c:\5htnbt.exec:\5htnbt.exe87⤵PID:2560
-
\??\c:\vjdpd.exec:\vjdpd.exe88⤵PID:2468
-
\??\c:\pjpdj.exec:\pjpdj.exe89⤵PID:448
-
\??\c:\xrxlxrl.exec:\xrxlxrl.exe90⤵PID:512
-
\??\c:\7nnbtn.exec:\7nnbtn.exe91⤵PID:1084
-
\??\c:\ddjvp.exec:\ddjvp.exe92⤵PID:3264
-
\??\c:\lxrlfxx.exec:\lxrlfxx.exe93⤵PID:4568
-
\??\c:\7fxrxxf.exec:\7fxrxxf.exe94⤵PID:1864
-
\??\c:\ntnbnn.exec:\ntnbnn.exe95⤵PID:4760
-
\??\c:\hnnnbt.exec:\hnnnbt.exe96⤵PID:4740
-
\??\c:\pddpd.exec:\pddpd.exe97⤵PID:1132
-
\??\c:\lxrflrf.exec:\lxrflrf.exe98⤵PID:3644
-
\??\c:\frxlfxr.exec:\frxlfxr.exe99⤵PID:3980
-
\??\c:\ntbthh.exec:\ntbthh.exe100⤵PID:2868
-
\??\c:\3vvjv.exec:\3vvjv.exe101⤵PID:1912
-
\??\c:\1frxlrf.exec:\1frxlrf.exe102⤵PID:2164
-
\??\c:\7xxxlfx.exec:\7xxxlfx.exe103⤵PID:2400
-
\??\c:\5ttthb.exec:\5ttthb.exe104⤵PID:456
-
\??\c:\ttnbnh.exec:\ttnbnh.exe105⤵PID:1984
-
\??\c:\1jvjv.exec:\1jvjv.exe106⤵PID:3552
-
\??\c:\fffxfxf.exec:\fffxfxf.exe107⤵PID:4132
-
\??\c:\1ffrrlf.exec:\1ffrrlf.exe108⤵PID:1256
-
\??\c:\bhnhtt.exec:\bhnhtt.exe109⤵PID:2692
-
\??\c:\9jdvd.exec:\9jdvd.exe110⤵PID:4484
-
\??\c:\5xrflrf.exec:\5xrflrf.exe111⤵PID:4552
-
\??\c:\3frrfxl.exec:\3frrfxl.exe112⤵PID:864
-
\??\c:\hbnhhb.exec:\hbnhhb.exe113⤵PID:2348
-
\??\c:\pdvdv.exec:\pdvdv.exe114⤵PID:4528
-
\??\c:\5jdpd.exec:\5jdpd.exe115⤵PID:4912
-
\??\c:\lfllrlr.exec:\lfllrlr.exe116⤵PID:1652
-
\??\c:\hnnhtn.exec:\hnnhtn.exe117⤵PID:560
-
\??\c:\1ppdp.exec:\1ppdp.exe118⤵PID:3512
-
\??\c:\lfxffxx.exec:\lfxffxx.exe119⤵PID:3728
-
\??\c:\xflxfrr.exec:\xflxfrr.exe120⤵PID:1244
-
\??\c:\nhtbnt.exec:\nhtbnt.exe121⤵PID:2160
-
\??\c:\vjjdp.exec:\vjjdp.exe122⤵PID:868
-