Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe
-
Size
454KB
-
MD5
9266bf7a5d8e0c018e0f74c79b4baa89
-
SHA1
0a21af8b6c9c1eff5e5470c961e0c6f17c02ec79
-
SHA256
cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef
-
SHA512
bca019be20f8afcb8ff846bd6892f82773adc5f1c16911b428eb86c32daac14259addb2a38e8a4548f4ea85a36825ee541962edc115fdea3503b55c5f65d07f5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2228-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2308-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3628-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-1081-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-1363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4772-1544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3060 7bbntn.exe 2816 hbtbhh.exe 4968 tnbhhn.exe 4048 xlrrrrr.exe 3896 nnbhnt.exe 3640 pjpjd.exe 1652 htbtnn.exe 4848 7rfxxrr.exe 4980 djjjd.exe 2660 9hhbtb.exe 4992 lxlrfrl.exe 2064 tnbthb.exe 1000 1jjdv.exe 3204 lfrffxx.exe 216 jvvjp.exe 2956 nbtbth.exe 2004 dvdjj.exe 1980 frxlfxr.exe 2148 3nbthh.exe 4432 ffxrllf.exe 2800 tbhhbt.exe 1844 bnbttn.exe 3604 7llfxxr.exe 412 3tbtnn.exe 2844 dpvvj.exe 3836 nthnnt.exe 2292 pvvpj.exe 808 hbttnn.exe 2308 dpvpj.exe 4144 flxxrxr.exe 4572 bnnnnb.exe 1988 3ddjv.exe 3352 3bttnn.exe 4972 djvpj.exe 3960 5ffrxrf.exe 1876 5bhhbh.exe 4740 vvvvp.exe 676 7llfxfx.exe 4592 1bttnn.exe 3980 3ttnbh.exe 1164 pdvpj.exe 5112 lfffxxx.exe 1636 xxxrlfx.exe 912 ntthth.exe 4364 1jjjv.exe 3504 1lrrllf.exe 5024 hhnnbb.exe 4340 vjdpd.exe 4864 7rlfrrl.exe 4416 xxxrlll.exe 4048 ttnbth.exe 3744 pjjjd.exe 3780 3pvpj.exe 3740 1frflfr.exe 5028 nnhbtn.exe 876 1dvvj.exe 1896 djjdp.exe 3700 lxllffl.exe 1704 htthth.exe 2192 vppdj.exe 1668 5ffxllf.exe 732 nnntnn.exe 2160 htthth.exe 888 jdvpp.exe -
resource yara_rule behavioral2/memory/2228-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-179-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3352-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2792-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-1081-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xllrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhtbn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2228 wrote to memory of 3060 2228 cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe 82 PID 2228 wrote to memory of 3060 2228 cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe 82 PID 2228 wrote to memory of 3060 2228 cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe 82 PID 3060 wrote to memory of 2816 3060 7bbntn.exe 83 PID 3060 wrote to memory of 2816 3060 7bbntn.exe 83 PID 3060 wrote to memory of 2816 3060 7bbntn.exe 83 PID 2816 wrote to memory of 4968 2816 hbtbhh.exe 84 PID 2816 wrote to memory of 4968 2816 hbtbhh.exe 84 PID 2816 wrote to memory of 4968 2816 hbtbhh.exe 84 PID 4968 wrote to memory of 4048 4968 tnbhhn.exe 85 PID 4968 wrote to memory of 4048 4968 tnbhhn.exe 85 PID 4968 wrote to memory of 4048 4968 tnbhhn.exe 85 PID 4048 wrote to memory of 3896 4048 xlrrrrr.exe 86 PID 4048 wrote to memory of 3896 4048 xlrrrrr.exe 86 PID 4048 wrote to memory of 3896 4048 xlrrrrr.exe 86 PID 3896 wrote to memory of 3640 3896 nnbhnt.exe 87 PID 3896 wrote to memory of 3640 3896 nnbhnt.exe 87 PID 3896 wrote to memory of 3640 3896 nnbhnt.exe 87 PID 3640 wrote to memory of 1652 3640 pjpjd.exe 88 PID 3640 wrote to memory of 1652 3640 pjpjd.exe 88 PID 3640 wrote to memory of 1652 3640 pjpjd.exe 88 PID 1652 wrote to memory of 4848 1652 htbtnn.exe 89 PID 1652 wrote to memory of 4848 1652 htbtnn.exe 89 PID 1652 wrote to memory of 4848 1652 htbtnn.exe 89 PID 4848 wrote to memory of 4980 4848 7rfxxrr.exe 90 PID 4848 wrote to memory of 4980 4848 7rfxxrr.exe 90 PID 4848 wrote to memory of 4980 4848 7rfxxrr.exe 90 PID 4980 wrote to memory of 2660 4980 djjjd.exe 91 PID 4980 wrote to memory of 2660 4980 djjjd.exe 91 PID 4980 wrote to memory of 2660 4980 djjjd.exe 91 PID 2660 wrote to memory of 4992 2660 9hhbtb.exe 92 PID 2660 wrote to memory of 4992 2660 9hhbtb.exe 92 PID 2660 wrote to memory of 4992 2660 9hhbtb.exe 92 PID 4992 wrote to memory of 2064 4992 lxlrfrl.exe 93 PID 4992 wrote to 
memory of 2064 4992 lxlrfrl.exe 93 PID 4992 wrote to memory of 2064 4992 lxlrfrl.exe 93 PID 2064 wrote to memory of 1000 2064 tnbthb.exe 94 PID 2064 wrote to memory of 1000 2064 tnbthb.exe 94 PID 2064 wrote to memory of 1000 2064 tnbthb.exe 94 PID 1000 wrote to memory of 3204 1000 1jjdv.exe 95 PID 1000 wrote to memory of 3204 1000 1jjdv.exe 95 PID 1000 wrote to memory of 3204 1000 1jjdv.exe 95 PID 3204 wrote to memory of 216 3204 lfrffxx.exe 96 PID 3204 wrote to memory of 216 3204 lfrffxx.exe 96 PID 3204 wrote to memory of 216 3204 lfrffxx.exe 96 PID 216 wrote to memory of 2956 216 jvvjp.exe 97 PID 216 wrote to memory of 2956 216 jvvjp.exe 97 PID 216 wrote to memory of 2956 216 jvvjp.exe 97 PID 2956 wrote to memory of 2004 2956 nbtbth.exe 98 PID 2956 wrote to memory of 2004 2956 nbtbth.exe 98 PID 2956 wrote to memory of 2004 2956 nbtbth.exe 98 PID 2004 wrote to memory of 1980 2004 dvdjj.exe 99 PID 2004 wrote to memory of 1980 2004 dvdjj.exe 99 PID 2004 wrote to memory of 1980 2004 dvdjj.exe 99 PID 1980 wrote to memory of 2148 1980 frxlfxr.exe 100 PID 1980 wrote to memory of 2148 1980 frxlfxr.exe 100 PID 1980 wrote to memory of 2148 1980 frxlfxr.exe 100 PID 2148 wrote to memory of 4432 2148 3nbthh.exe 101 PID 2148 wrote to memory of 4432 2148 3nbthh.exe 101 PID 2148 wrote to memory of 4432 2148 3nbthh.exe 101 PID 4432 wrote to memory of 2800 4432 ffxrllf.exe 102 PID 4432 wrote to memory of 2800 4432 ffxrllf.exe 102 PID 4432 wrote to memory of 2800 4432 ffxrllf.exe 102 PID 2800 wrote to memory of 1844 2800 tbhhbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe"C:\Users\Admin\AppData\Local\Temp\cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\7bbntn.exec:\7bbntn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\hbtbhh.exec:\hbtbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\tnbhhn.exec:\tnbhhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\nnbhnt.exec:\nnbhnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\pjpjd.exec:\pjpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\htbtnn.exec:\htbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\7rfxxrr.exec:\7rfxxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\djjjd.exec:\djjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\9hhbtb.exec:\9hhbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\lxlrfrl.exec:\lxlrfrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\tnbthb.exec:\tnbthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\1jjdv.exec:\1jjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\lfrffxx.exec:\lfrffxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\jvvjp.exec:\jvvjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\nbtbth.exec:\nbtbth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\dvdjj.exec:\dvdjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\frxlfxr.exec:\frxlfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\3nbthh.exec:\3nbthh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\ffxrllf.exec:\ffxrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\tbhhbt.exec:\tbhhbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\bnbttn.exec:\bnbttn.exe23⤵
- Executes dropped EXE
PID:1844 -
\??\c:\7llfxxr.exec:\7llfxxr.exe24⤵
- Executes dropped EXE
PID:3604 -
\??\c:\3tbtnn.exec:\3tbtnn.exe25⤵
- Executes dropped EXE
PID:412 -
\??\c:\dpvvj.exec:\dpvvj.exe26⤵
- Executes dropped EXE
PID:2844 -
\??\c:\nthnnt.exec:\nthnnt.exe27⤵
- Executes dropped EXE
PID:3836 -
\??\c:\pvvpj.exec:\pvvpj.exe28⤵
- Executes dropped EXE
PID:2292 -
\??\c:\hbttnn.exec:\hbttnn.exe29⤵
- Executes dropped EXE
PID:808 -
\??\c:\dpvpj.exec:\dpvpj.exe30⤵
- Executes dropped EXE
PID:2308 -
\??\c:\flxxrxr.exec:\flxxrxr.exe31⤵
- Executes dropped EXE
PID:4144 -
\??\c:\bnnnnb.exec:\bnnnnb.exe32⤵
- Executes dropped EXE
PID:4572 -
\??\c:\3ddjv.exec:\3ddjv.exe33⤵
- Executes dropped EXE
PID:1988 -
\??\c:\3bttnn.exec:\3bttnn.exe34⤵
- Executes dropped EXE
PID:3352 -
\??\c:\djvpj.exec:\djvpj.exe35⤵
- Executes dropped EXE
PID:4972 -
\??\c:\5ffrxrf.exec:\5ffrxrf.exe36⤵
- Executes dropped EXE
PID:3960 -
\??\c:\5bhhbh.exec:\5bhhbh.exe37⤵
- Executes dropped EXE
PID:1876 -
\??\c:\vvvvp.exec:\vvvvp.exe38⤵
- Executes dropped EXE
PID:4740 -
\??\c:\7llfxfx.exec:\7llfxfx.exe39⤵
- Executes dropped EXE
PID:676 -
\??\c:\1bttnn.exec:\1bttnn.exe40⤵
- Executes dropped EXE
PID:4592 -
\??\c:\3ttnbh.exec:\3ttnbh.exe41⤵
- Executes dropped EXE
PID:3980 -
\??\c:\pdvpj.exec:\pdvpj.exe42⤵
- Executes dropped EXE
PID:1164 -
\??\c:\lfffxxx.exec:\lfffxxx.exe43⤵
- Executes dropped EXE
PID:5112 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe44⤵
- Executes dropped EXE
PID:1636 -
\??\c:\ntthth.exec:\ntthth.exe45⤵
- Executes dropped EXE
PID:912 -
\??\c:\1jjjv.exec:\1jjjv.exe46⤵
- Executes dropped EXE
PID:4364 -
\??\c:\1lrrllf.exec:\1lrrllf.exe47⤵
- Executes dropped EXE
PID:3504 -
\??\c:\hhnnbb.exec:\hhnnbb.exe48⤵
- Executes dropped EXE
PID:5024 -
\??\c:\vjdpd.exec:\vjdpd.exe49⤵
- Executes dropped EXE
PID:4340 -
\??\c:\7rlfrrl.exec:\7rlfrrl.exe50⤵
- Executes dropped EXE
PID:4864 -
\??\c:\xxxrlll.exec:\xxxrlll.exe51⤵
- Executes dropped EXE
PID:4416 -
\??\c:\ttnbth.exec:\ttnbth.exe52⤵
- Executes dropped EXE
PID:4048 -
\??\c:\pjjjd.exec:\pjjjd.exe53⤵
- Executes dropped EXE
PID:3744 -
\??\c:\3pvpj.exec:\3pvpj.exe54⤵
- Executes dropped EXE
PID:3780 -
\??\c:\1frflfr.exec:\1frflfr.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3740 -
\??\c:\nnhbtn.exec:\nnhbtn.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5028 -
\??\c:\1dvvj.exec:\1dvvj.exe57⤵
- Executes dropped EXE
PID:876 -
\??\c:\djjdp.exec:\djjdp.exe58⤵
- Executes dropped EXE
PID:1896 -
\??\c:\lxllffl.exec:\lxllffl.exe59⤵
- Executes dropped EXE
PID:3700 -
\??\c:\htthth.exec:\htthth.exe60⤵
- Executes dropped EXE
PID:1704 -
\??\c:\vppdj.exec:\vppdj.exe61⤵
- Executes dropped EXE
PID:2192 -
\??\c:\5ffxllf.exec:\5ffxllf.exe62⤵
- Executes dropped EXE
PID:1668 -
\??\c:\nnntnn.exec:\nnntnn.exe63⤵
- Executes dropped EXE
PID:732 -
\??\c:\htthth.exec:\htthth.exe64⤵
- Executes dropped EXE
PID:2160 -
\??\c:\jdvpp.exec:\jdvpp.exe65⤵
- Executes dropped EXE
PID:888 -
\??\c:\xxlxlxr.exec:\xxlxlxr.exe66⤵PID:2272
-
\??\c:\xlxrxrx.exec:\xlxrxrx.exe67⤵PID:388
-
\??\c:\nbhhhh.exec:\nbhhhh.exe68⤵PID:2104
-
\??\c:\jpdvp.exec:\jpdvp.exe69⤵PID:2936
-
\??\c:\7pjvj.exec:\7pjvj.exe70⤵PID:4056
-
\??\c:\lrxrffx.exec:\lrxrffx.exe71⤵PID:4744
-
\??\c:\btbtbb.exec:\btbtbb.exe72⤵PID:916
-
\??\c:\jdjdv.exec:\jdjdv.exe73⤵PID:1156
-
\??\c:\jddpd.exec:\jddpd.exe74⤵PID:2148
-
\??\c:\xffrxrf.exec:\xffrxrf.exe75⤵PID:4432
-
\??\c:\5tttnh.exec:\5tttnh.exe76⤵PID:3628
-
\??\c:\jvvjv.exec:\jvvjv.exe77⤵PID:4768
-
\??\c:\dvjdp.exec:\dvjdp.exe78⤵PID:4960
-
\??\c:\7xxlffx.exec:\7xxlffx.exe79⤵PID:4220
-
\??\c:\nhnhbb.exec:\nhnhbb.exe80⤵PID:212
-
\??\c:\tttnhh.exec:\tttnhh.exe81⤵PID:1488
-
\??\c:\dvpjj.exec:\dvpjj.exe82⤵PID:4156
-
\??\c:\lrrrxrl.exec:\lrrrxrl.exe83⤵PID:2792
-
\??\c:\3lxxrrl.exec:\3lxxrrl.exe84⤵PID:1548
-
\??\c:\tbbtnn.exec:\tbbtnn.exe85⤵PID:2320
-
\??\c:\dpvpd.exec:\dpvpd.exe86⤵PID:512
-
\??\c:\dvpdd.exec:\dvpdd.exe87⤵PID:1720
-
\??\c:\llflxrx.exec:\llflxrx.exe88⤵PID:1080
-
\??\c:\nbthtn.exec:\nbthtn.exe89⤵PID:3344
-
\??\c:\7jpjv.exec:\7jpjv.exe90⤵PID:5080
-
\??\c:\3rrlxlf.exec:\3rrlxlf.exe91⤵PID:3168
-
\??\c:\lfxrlll.exec:\lfxrlll.exe92⤵PID:1084
-
\??\c:\1tnhtn.exec:\1tnhtn.exe93⤵PID:3264
-
\??\c:\ddjvp.exec:\ddjvp.exe94⤵PID:5000
-
\??\c:\dvvjj.exec:\dvvjj.exe95⤵PID:1876
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe96⤵PID:5040
-
\??\c:\btbtnb.exec:\btbtnb.exe97⤵PID:1132
-
\??\c:\dvjdj.exec:\dvjdj.exe98⤵PID:4592
-
\??\c:\vpdpd.exec:\vpdpd.exe99⤵PID:4024
-
\??\c:\5lxlrlr.exec:\5lxlrlr.exe100⤵PID:3812
-
\??\c:\bnhttt.exec:\bnhttt.exe101⤵PID:4240
-
\??\c:\3tthtn.exec:\3tthtn.exe102⤵PID:4332
-
\??\c:\7jvjp.exec:\7jvjp.exe103⤵PID:4376
-
\??\c:\vjvdp.exec:\vjvdp.exe104⤵PID:3240
-
\??\c:\lxrfrlx.exec:\lxrfrlx.exe105⤵
- System Location Discovery: System Language Discovery
PID:3584 -
\??\c:\tnhtht.exec:\tnhtht.exe106⤵PID:3552
-
\??\c:\pvpdj.exec:\pvpdj.exe107⤵PID:2396
-
\??\c:\7dvjp.exec:\7dvjp.exe108⤵PID:696
-
\??\c:\fllxfxl.exec:\fllxfxl.exe109⤵PID:2072
-
\??\c:\bnthht.exec:\bnthht.exe110⤵PID:4416
-
\??\c:\5dvjd.exec:\5dvjd.exe111⤵PID:3896
-
\??\c:\vppdd.exec:\vppdd.exe112⤵PID:1700
-
\??\c:\xxrxflf.exec:\xxrxflf.exe113⤵PID:4196
-
\??\c:\1nnbth.exec:\1nnbth.exe114⤵PID:4908
-
\??\c:\dppdj.exec:\dppdj.exe115⤵PID:1220
-
\??\c:\pvvdp.exec:\pvvdp.exe116⤵PID:1180
-
\??\c:\xrlxfxl.exec:\xrlxfxl.exe117⤵PID:4404
-
\??\c:\7nhnbh.exec:\7nhnbh.exe118⤵PID:2552
-
\??\c:\ddpvp.exec:\ddpvp.exe119⤵PID:4980
-
\??\c:\ddvjp.exec:\ddvjp.exe120⤵
- System Location Discovery: System Language Discovery
PID:1376 -
\??\c:\lxrflxr.exec:\lxrflxr.exe121⤵PID:3624
-
\??\c:\3nthtn.exec:\3nthtn.exe122⤵PID:3792