Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96e20f0268a351477f7c3cc07b945a2d54aad06f3fdf7207eca22ab88d2b27ac.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
96e20f0268a351477f7c3cc07b945a2d54aad06f3fdf7207eca22ab88d2b27ac.exe
-
Size
455KB
-
MD5
9d75713c8d40be85f1f8cc12c6b78f65
-
SHA1
d98f072887518672676202a40293fabd29c095c1
-
SHA256
96e20f0268a351477f7c3cc07b945a2d54aad06f3fdf7207eca22ab88d2b27ac
-
SHA512
58a4b20db43cfabfa96bb651130d81edf9fe9375622fd920d2ec1e5dbfcb55c767bedc886bafa239490f2a41484d8ab2e5ca59c46d1f932d384fde2378136459
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2588-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3612-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1716-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-915-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-1834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3836 nhbbtb.exe 3164 hbthtt.exe 1400 pjvpj.exe 4140 ppvdj.exe 1612 7hhbhb.exe 3908 vjdvp.exe 3968 ttnbtn.exe 5084 ddvjd.exe 628 5llffff.exe 1968 djpdv.exe 2512 tnhhbb.exe 2376 5pjvj.exe 4872 lfrlfxl.exe 3216 jpvdj.exe 4588 lfxrffx.exe 3120 bntnhn.exe 3672 jdvpd.exe 1808 xlfxlfr.exe 2924 nbbbnn.exe 732 dpvdv.exe 896 9llxlfx.exe 1596 xfrfrlf.exe 860 bhbnbt.exe 1236 pjddp.exe 3612 fxlfrlx.exe 4420 tbbthb.exe 1388 vvvpd.exe 3356 7xxrlrl.exe 4584 bbbtnh.exe 4224 3ffrfff.exe 1960 jvvpd.exe 4156 bbnbtn.exe 3812 5thbtt.exe 4676 fxxrrrl.exe 3864 rlxlxrl.exe 4528 vjjvj.exe 1712 jjjvp.exe 3084 fxxrrrr.exe 700 nbtnbt.exe 4964 hbnbht.exe 3824 jdpjj.exe 3964 3xxrfxf.exe 3720 ttbtnh.exe 432 dpvdp.exe 1900 fflfxxr.exe 2384 5hbnhb.exe 4324 jvdvj.exe 4696 ddjdv.exe 5064 7xxlxrl.exe 2956 nbnbtn.exe 2360 dvvpj.exe 3980 rfrrxxr.exe 2980 frxrrrl.exe 4140 tbhbtt.exe 4312 djppv.exe 2640 3frrxfr.exe 3156 rrxxffl.exe 3908 7ntnhn.exe 2044 dddvp.exe 1976 lfffxxx.exe 4892 xrrrlff.exe 628 bttbbt.exe 2816 ppvvv.exe 876 7lrlxfl.exe -
resource yara_rule behavioral2/memory/2588-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4420-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/524-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-915-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2588 wrote to memory of 3836 2588 96e20f0268a351477f7c3cc07b945a2d54aad06f3fdf7207eca22ab88d2b27ac.exe 82 PID 2588 wrote to memory of 3836 2588 96e20f0268a351477f7c3cc07b945a2d54aad06f3fdf7207eca22ab88d2b27ac.exe 82 PID 2588 wrote to memory of 3836 2588 96e20f0268a351477f7c3cc07b945a2d54aad06f3fdf7207eca22ab88d2b27ac.exe 82 PID 3836 wrote to memory of 3164 3836 nhbbtb.exe 83 PID 3836 wrote to memory of 3164 3836 nhbbtb.exe 83 PID 3836 wrote to memory of 3164 3836 nhbbtb.exe 83 PID 3164 wrote to memory of 1400 3164 hbthtt.exe 84 PID 3164 wrote to memory of 1400 3164 hbthtt.exe 84 PID 3164 wrote to memory of 1400 3164 hbthtt.exe 84 PID 1400 wrote to memory of 4140 1400 pjvpj.exe 85 PID 1400 wrote to memory of 4140 1400 pjvpj.exe 85 PID 1400 wrote to memory of 4140 1400 pjvpj.exe 85 PID 4140 wrote to memory of 1612 4140 ppvdj.exe 86 PID 4140 wrote to memory of 1612 4140 ppvdj.exe 86 PID 4140 wrote to memory of 1612 4140 ppvdj.exe 86 PID 1612 wrote to memory of 3908 1612 7hhbhb.exe 87 PID 1612 wrote to memory of 3908 1612 7hhbhb.exe 87 PID 1612 wrote to memory of 3908 1612 7hhbhb.exe 87 PID 3908 wrote to memory of 3968 3908 vjdvp.exe 88 PID 3908 wrote to memory of 3968 3908 vjdvp.exe 88 PID 3908 wrote to memory of 3968 3908 vjdvp.exe 88 PID 3968 wrote to memory of 5084 3968 ttnbtn.exe 89 PID 3968 wrote to memory of 5084 3968 ttnbtn.exe 89 PID 3968 wrote to memory of 5084 3968 ttnbtn.exe 89 PID 5084 wrote to memory of 628 5084 ddvjd.exe 90 PID 5084 wrote to memory of 628 5084 ddvjd.exe 90 PID 5084 wrote to memory of 628 5084 ddvjd.exe 90 PID 628 wrote to memory of 1968 628 5llffff.exe 91 PID 628 wrote to memory of 1968 628 5llffff.exe 91 PID 628 wrote to memory of 1968 628 5llffff.exe 91 PID 1968 wrote to memory of 2512 1968 djpdv.exe 92 PID 1968 wrote to memory of 2512 1968 djpdv.exe 92 PID 1968 wrote to memory of 2512 1968 djpdv.exe 92 PID 2512 wrote to memory of 2376 2512 tnhhbb.exe 93 PID 2512 wrote to memory of 2376 2512 
tnhhbb.exe 93 PID 2512 wrote to memory of 2376 2512 tnhhbb.exe 93 PID 2376 wrote to memory of 4872 2376 5pjvj.exe 94 PID 2376 wrote to memory of 4872 2376 5pjvj.exe 94 PID 2376 wrote to memory of 4872 2376 5pjvj.exe 94 PID 4872 wrote to memory of 3216 4872 lfrlfxl.exe 95 PID 4872 wrote to memory of 3216 4872 lfrlfxl.exe 95 PID 4872 wrote to memory of 3216 4872 lfrlfxl.exe 95 PID 3216 wrote to memory of 4588 3216 jpvdj.exe 96 PID 3216 wrote to memory of 4588 3216 jpvdj.exe 96 PID 3216 wrote to memory of 4588 3216 jpvdj.exe 96 PID 4588 wrote to memory of 3120 4588 lfxrffx.exe 97 PID 4588 wrote to memory of 3120 4588 lfxrffx.exe 97 PID 4588 wrote to memory of 3120 4588 lfxrffx.exe 97 PID 3120 wrote to memory of 3672 3120 bntnhn.exe 98 PID 3120 wrote to memory of 3672 3120 bntnhn.exe 98 PID 3120 wrote to memory of 3672 3120 bntnhn.exe 98 PID 3672 wrote to memory of 1808 3672 jdvpd.exe 99 PID 3672 wrote to memory of 1808 3672 jdvpd.exe 99 PID 3672 wrote to memory of 1808 3672 jdvpd.exe 99 PID 1808 wrote to memory of 2924 1808 xlfxlfr.exe 100 PID 1808 wrote to memory of 2924 1808 xlfxlfr.exe 100 PID 1808 wrote to memory of 2924 1808 xlfxlfr.exe 100 PID 2924 wrote to memory of 732 2924 nbbbnn.exe 101 PID 2924 wrote to memory of 732 2924 nbbbnn.exe 101 PID 2924 wrote to memory of 732 2924 nbbbnn.exe 101 PID 732 wrote to memory of 896 732 dpvdv.exe 102 PID 732 wrote to memory of 896 732 dpvdv.exe 102 PID 732 wrote to memory of 896 732 dpvdv.exe 102 PID 896 wrote to memory of 1596 896 9llxlfx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\96e20f0268a351477f7c3cc07b945a2d54aad06f3fdf7207eca22ab88d2b27ac.exe"C:\Users\Admin\AppData\Local\Temp\96e20f0268a351477f7c3cc07b945a2d54aad06f3fdf7207eca22ab88d2b27ac.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\nhbbtb.exec:\nhbbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\hbthtt.exec:\hbthtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\pjvpj.exec:\pjvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\ppvdj.exec:\ppvdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\7hhbhb.exec:\7hhbhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\vjdvp.exec:\vjdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\ttnbtn.exec:\ttnbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\ddvjd.exec:\ddvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\5llffff.exec:\5llffff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\djpdv.exec:\djpdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\tnhhbb.exec:\tnhhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\5pjvj.exec:\5pjvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\lfrlfxl.exec:\lfrlfxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\jpvdj.exec:\jpvdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\lfxrffx.exec:\lfxrffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\bntnhn.exec:\bntnhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\jdvpd.exec:\jdvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\nbbbnn.exec:\nbbbnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\dpvdv.exec:\dpvdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\9llxlfx.exec:\9llxlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\xfrfrlf.exec:\xfrfrlf.exe23⤵
- Executes dropped EXE
PID:1596 -
\??\c:\bhbnbt.exec:\bhbnbt.exe24⤵
- Executes dropped EXE
PID:860 -
\??\c:\pjddp.exec:\pjddp.exe25⤵
- Executes dropped EXE
PID:1236 -
\??\c:\fxlfrlx.exec:\fxlfrlx.exe26⤵
- Executes dropped EXE
PID:3612 -
\??\c:\tbbthb.exec:\tbbthb.exe27⤵
- Executes dropped EXE
PID:4420 -
\??\c:\vvvpd.exec:\vvvpd.exe28⤵
- Executes dropped EXE
PID:1388 -
\??\c:\7xxrlrl.exec:\7xxrlrl.exe29⤵
- Executes dropped EXE
PID:3356 -
\??\c:\bbbtnh.exec:\bbbtnh.exe30⤵
- Executes dropped EXE
PID:4584 -
\??\c:\3ffrfff.exec:\3ffrfff.exe31⤵
- Executes dropped EXE
PID:4224 -
\??\c:\jvvpd.exec:\jvvpd.exe32⤵
- Executes dropped EXE
PID:1960 -
\??\c:\bbnbtn.exec:\bbnbtn.exe33⤵
- Executes dropped EXE
PID:4156 -
\??\c:\5thbtt.exec:\5thbtt.exe34⤵
- Executes dropped EXE
PID:3812 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe35⤵
- Executes dropped EXE
PID:4676 -
\??\c:\rlxlxrl.exec:\rlxlxrl.exe36⤵
- Executes dropped EXE
PID:3864 -
\??\c:\vjjvj.exec:\vjjvj.exe37⤵
- Executes dropped EXE
PID:4528 -
\??\c:\jjjvp.exec:\jjjvp.exe38⤵
- Executes dropped EXE
PID:1712 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe39⤵
- Executes dropped EXE
PID:3084 -
\??\c:\nbtnbt.exec:\nbtnbt.exe40⤵
- Executes dropped EXE
PID:700 -
\??\c:\hbnbht.exec:\hbnbht.exe41⤵
- Executes dropped EXE
PID:4964 -
\??\c:\jdpjj.exec:\jdpjj.exe42⤵
- Executes dropped EXE
PID:3824 -
\??\c:\3xxrfxf.exec:\3xxrfxf.exe43⤵
- Executes dropped EXE
PID:3964 -
\??\c:\ttbtnh.exec:\ttbtnh.exe44⤵
- Executes dropped EXE
PID:3720 -
\??\c:\dpvdp.exec:\dpvdp.exe45⤵
- Executes dropped EXE
PID:432 -
\??\c:\fflfxxr.exec:\fflfxxr.exe46⤵
- Executes dropped EXE
PID:1900 -
\??\c:\5hbnhb.exec:\5hbnhb.exe47⤵
- Executes dropped EXE
PID:2384 -
\??\c:\jvdvj.exec:\jvdvj.exe48⤵
- Executes dropped EXE
PID:4324 -
\??\c:\ddjdv.exec:\ddjdv.exe49⤵
- Executes dropped EXE
PID:4696 -
\??\c:\7xxlxrl.exec:\7xxlxrl.exe50⤵
- Executes dropped EXE
PID:5064 -
\??\c:\nbnbtn.exec:\nbnbtn.exe51⤵
- Executes dropped EXE
PID:2956 -
\??\c:\dvvpj.exec:\dvvpj.exe52⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rfrrxxr.exec:\rfrrxxr.exe53⤵
- Executes dropped EXE
PID:3980 -
\??\c:\frxrrrl.exec:\frxrrrl.exe54⤵
- Executes dropped EXE
PID:2980 -
\??\c:\tbhbtt.exec:\tbhbtt.exe55⤵
- Executes dropped EXE
PID:4140 -
\??\c:\djppv.exec:\djppv.exe56⤵
- Executes dropped EXE
PID:4312 -
\??\c:\3frrxfr.exec:\3frrxfr.exe57⤵
- Executes dropped EXE
PID:2640 -
\??\c:\rrxxffl.exec:\rrxxffl.exe58⤵
- Executes dropped EXE
PID:3156 -
\??\c:\7ntnhn.exec:\7ntnhn.exe59⤵
- Executes dropped EXE
PID:3908 -
\??\c:\dddvp.exec:\dddvp.exe60⤵
- Executes dropped EXE
PID:2044 -
\??\c:\lfffxxx.exec:\lfffxxx.exe61⤵
- Executes dropped EXE
PID:1976 -
\??\c:\xrrrlff.exec:\xrrrlff.exe62⤵
- Executes dropped EXE
PID:4892 -
\??\c:\bttbbt.exec:\bttbbt.exe63⤵
- Executes dropped EXE
PID:628 -
\??\c:\ppvvv.exec:\ppvvv.exe64⤵
- Executes dropped EXE
PID:2816 -
\??\c:\7lrlxfl.exec:\7lrlxfl.exe65⤵
- Executes dropped EXE
PID:876 -
\??\c:\3lffxxr.exec:\3lffxxr.exe66⤵PID:2512
-
\??\c:\9btnhn.exec:\9btnhn.exe67⤵PID:540
-
\??\c:\1jdvv.exec:\1jdvv.exe68⤵PID:4548
-
\??\c:\3xlrlll.exec:\3xlrlll.exe69⤵PID:760
-
\??\c:\xrxrrll.exec:\xrxrrll.exe70⤵PID:1716
-
\??\c:\btnnnn.exec:\btnnnn.exe71⤵PID:3024
-
\??\c:\pvppj.exec:\pvppj.exe72⤵PID:2832
-
\??\c:\lxlfffx.exec:\lxlfffx.exe73⤵PID:4368
-
\??\c:\fxffxxx.exec:\fxffxxx.exe74⤵PID:1552
-
\??\c:\tttbtt.exec:\tttbtt.exe75⤵PID:3544
-
\??\c:\3jvpp.exec:\3jvpp.exe76⤵PID:880
-
\??\c:\rffxllf.exec:\rffxllf.exe77⤵PID:732
-
\??\c:\xrxxfxr.exec:\xrxxfxr.exe78⤵PID:3228
-
\??\c:\thhtnn.exec:\thhtnn.exe79⤵PID:2720
-
\??\c:\7vjdj.exec:\7vjdj.exe80⤵PID:524
-
\??\c:\9pjdp.exec:\9pjdp.exe81⤵PID:2976
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe82⤵PID:1952
-
\??\c:\htbttn.exec:\htbttn.exe83⤵PID:2132
-
\??\c:\bntnnn.exec:\bntnnn.exe84⤵PID:4888
-
\??\c:\djjpj.exec:\djjpj.exe85⤵PID:2760
-
\??\c:\ppvpj.exec:\ppvpj.exe86⤵PID:4016
-
\??\c:\7xrrlll.exec:\7xrrlll.exe87⤵PID:1388
-
\??\c:\tnnhhb.exec:\tnnhhb.exe88⤵PID:1436
-
\??\c:\1pdvj.exec:\1pdvj.exe89⤵PID:3356
-
\??\c:\5djdp.exec:\5djdp.exe90⤵PID:1856
-
\??\c:\rllxrlf.exec:\rllxrlf.exe91⤵PID:4800
-
\??\c:\nthbnn.exec:\nthbnn.exe92⤵PID:4160
-
\??\c:\dpvpj.exec:\dpvpj.exe93⤵PID:3648
-
\??\c:\1dpvj.exec:\1dpvj.exe94⤵PID:3656
-
\??\c:\xxfxllx.exec:\xxfxllx.exe95⤵PID:3868
-
\??\c:\7tttnn.exec:\7tttnn.exe96⤵PID:1288
-
\??\c:\djjjd.exec:\djjjd.exe97⤵PID:4692
-
\??\c:\jdvpd.exec:\jdvpd.exe98⤵PID:1480
-
\??\c:\xxfxrxx.exec:\xxfxrxx.exe99⤵PID:4608
-
\??\c:\5thbtb.exec:\5thbtb.exe100⤵PID:3400
-
\??\c:\nnnbtt.exec:\nnnbtt.exe101⤵PID:2420
-
\??\c:\dpvdv.exec:\dpvdv.exe102⤵PID:2452
-
\??\c:\xxxrllf.exec:\xxxrllf.exe103⤵PID:1616
-
\??\c:\htttnn.exec:\htttnn.exe104⤵PID:1128
-
\??\c:\nhtttb.exec:\nhtttb.exe105⤵PID:220
-
\??\c:\pvjdv.exec:\pvjdv.exe106⤵PID:3924
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe107⤵PID:4488
-
\??\c:\5hbttb.exec:\5hbttb.exe108⤵PID:1920
-
\??\c:\7tttnn.exec:\7tttnn.exe109⤵PID:3052
-
\??\c:\vdvvp.exec:\vdvvp.exe110⤵PID:4328
-
\??\c:\rllfrlf.exec:\rllfrlf.exe111⤵PID:1140
-
\??\c:\nhntbt.exec:\nhntbt.exe112⤵PID:924
-
\??\c:\3ddvj.exec:\3ddvj.exe113⤵
- System Location Discovery: System Language Discovery
PID:508 -
\??\c:\rrrlfff.exec:\rrrlfff.exe114⤵PID:3164
-
\??\c:\5fffflf.exec:\5fffflf.exe115⤵PID:4996
-
\??\c:\btbtnn.exec:\btbtnn.exe116⤵PID:2604
-
\??\c:\pjjjj.exec:\pjjjj.exe117⤵PID:2472
-
\??\c:\rffxfrl.exec:\rffxfrl.exe118⤵PID:3740
-
\??\c:\lxlfffr.exec:\lxlfffr.exe119⤵PID:4216
-
\??\c:\xrrlllr.exec:\xrrlllr.exe120⤵PID:3060
-
\??\c:\nbnhhh.exec:\nbnhhh.exe121⤵PID:1600
-
\??\c:\jpdvj.exec:\jpdvj.exe122⤵PID:3968