Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 08:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3663da7e504bac28777148f4860398b60f9e611de3b9ac3cf2d439965b93207fN.exe
Resource
win7-20240903-en (note: the signature hits and process tree below are tagged behavioral2 and the page header lists win10v2004-20241007-en, so this win7 entry appears to be a sibling task rather than the run whose results are reported here)
7 signatures
120 seconds
General
-
Target
3663da7e504bac28777148f4860398b60f9e611de3b9ac3cf2d439965b93207fN.exe
-
Size
453KB
-
MD5
b3209a2956e4bd51fe08791046723bd0
-
SHA1
aa10546ca93c7b83d32d7c250a15482a9bbbad03
-
SHA256
3663da7e504bac28777148f4860398b60f9e611de3b9ac3cf2d439965b93207f
-
SHA512
119a5a51bcb031fd77f0bf0bc4b1f3733443a974fd56dbb706659d92bc53f79670b6e966a9d6902c7d06cb3fe9400234053502c12190b674d7c817e92fe8d5c4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config (empty — no configuration was extracted for this sample in this run)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs — every hit is a memory dump of the same 0x0000000000400000–0x000000000042A000 image range, one per process in the chain, and the same dumps also match the headerless `upx` yara table further down; the family detection therefore fires on the in-memory image, presumably after the UPX stub has unpacked it, rather than on the packed file as dropped to disk
resource yara_rule behavioral2/memory/1940-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1620-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1140-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-991-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4576 ntbtnh.exe 3692 llrrlrr.exe 3560 bnnhbt.exe 2356 thhnhh.exe 2392 vvjdp.exe 4164 rxlxfxl.exe 1264 ttnbhn.exe 372 xxfxrlf.exe 2064 vdppd.exe 3476 1xlxllx.exe 2264 jdpdj.exe 4776 bhnbnh.exe 1436 jjpjj.exe 1020 ddvjj.exe 3912 rrrlfxr.exe 5000 htbthh.exe 2680 vddvv.exe 620 bnhbbt.exe 2260 thnbnh.exe 228 5vpjp.exe 1736 rrrlrrf.exe 1620 tbbnht.exe 4948 vvpjj.exe 3592 lxxlxrf.exe 744 nbtnbt.exe 1676 3ththt.exe 3464 jjjvp.exe 1552 hhnbnh.exe 4180 dvpjv.exe 4592 xlfrfxr.exe 464 ttbnht.exe 5044 rrlxrlx.exe 1688 jjjvv.exe 1064 llfrfxl.exe 2192 hnbthb.exe 4960 djjdp.exe 2564 1llfrrf.exe 3372 htbthb.exe 2152 7pjdp.exe 2504 jjpdp.exe 4648 lrfrfrl.exe 4264 5ttnbb.exe 3684 jpvpd.exe 4920 dvppj.exe 3440 rffrrlr.exe 3080 1tthtn.exe 1128 frrlxfr.exe 3128 bbhbnt.exe 4828 bnnhnh.exe 116 1ppjp.exe 4164 5rlxlfx.exe 3120 xffxlfr.exe 1144 3bnbtn.exe 1600 dppvp.exe 4684 pvvjd.exe 3728 flffrlf.exe 2168 9frfrlx.exe 1156 nnntbt.exe 4272 1jpdp.exe 1996 rfxrfxr.exe 4776 ffxlffr.exe 1436 jjjdp.exe 3556 vjdvj.exe 1992 flffxrf.exe -
resource yara_rule behavioral2/memory/1940-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3464-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4344-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-814-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. In this run every IoC is an open of the `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` key; most entries are attributed to "Process not Found", presumably because the short-lived stage had already exited when the sandbox resolved its PID, so correlate these opens by time rather than by PID. Legitimate runtimes also read this key, so on its own the signature is weak evidence of geo-targeting — it is the combination with the Blackmoon family hit that matters.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each entry is a parent in the chain writing into the child it has just spawned (e.g. PID 1940 → 4576, then 4576 → 3692), and every parent→child pair is logged three times, so the capped list of 64 entries corresponds to 22 parent→child edges rather than 64 distinct injections. The pattern is consistent with each stage writing into its freshly created child before that child runs, but the page does not show the write target address or size, so the exact injection technique cannot be determined from this report.
description pid Process procid_target PID 1940 wrote to memory of 4576 1940 3663da7e504bac28777148f4860398b60f9e611de3b9ac3cf2d439965b93207fN.exe 83 PID 1940 wrote to memory of 4576 1940 3663da7e504bac28777148f4860398b60f9e611de3b9ac3cf2d439965b93207fN.exe 83 PID 1940 wrote to memory of 4576 1940 3663da7e504bac28777148f4860398b60f9e611de3b9ac3cf2d439965b93207fN.exe 83 PID 4576 wrote to memory of 3692 4576 ntbtnh.exe 84 PID 4576 wrote to memory of 3692 4576 ntbtnh.exe 84 PID 4576 wrote to memory of 3692 4576 ntbtnh.exe 84 PID 3692 wrote to memory of 3560 3692 llrrlrr.exe 85 PID 3692 wrote to memory of 3560 3692 llrrlrr.exe 85 PID 3692 wrote to memory of 3560 3692 llrrlrr.exe 85 PID 3560 wrote to memory of 2356 3560 bnnhbt.exe 86 PID 3560 wrote to memory of 2356 3560 bnnhbt.exe 86 PID 3560 wrote to memory of 2356 3560 bnnhbt.exe 86 PID 2356 wrote to memory of 2392 2356 thhnhh.exe 87 PID 2356 wrote to memory of 2392 2356 thhnhh.exe 87 PID 2356 wrote to memory of 2392 2356 thhnhh.exe 87 PID 2392 wrote to memory of 4164 2392 vvjdp.exe 88 PID 2392 wrote to memory of 4164 2392 vvjdp.exe 88 PID 2392 wrote to memory of 4164 2392 vvjdp.exe 88 PID 4164 wrote to memory of 1264 4164 rxlxfxl.exe 89 PID 4164 wrote to memory of 1264 4164 rxlxfxl.exe 89 PID 4164 wrote to memory of 1264 4164 rxlxfxl.exe 89 PID 1264 wrote to memory of 372 1264 ttnbhn.exe 90 PID 1264 wrote to memory of 372 1264 ttnbhn.exe 90 PID 1264 wrote to memory of 372 1264 ttnbhn.exe 90 PID 372 wrote to memory of 2064 372 xxfxrlf.exe 91 PID 372 wrote to memory of 2064 372 xxfxrlf.exe 91 PID 372 wrote to memory of 2064 372 xxfxrlf.exe 91 PID 2064 wrote to memory of 3476 2064 vdppd.exe 92 PID 2064 wrote to memory of 3476 2064 vdppd.exe 92 PID 2064 wrote to memory of 3476 2064 vdppd.exe 92 PID 3476 wrote to memory of 2264 3476 1xlxllx.exe 93 PID 3476 wrote to memory of 2264 3476 1xlxllx.exe 93 PID 3476 wrote to memory of 2264 3476 1xlxllx.exe 93 PID 2264 wrote to memory of 4776 2264 jdpdj.exe 94 PID 2264 wrote to 
memory of 4776 2264 jdpdj.exe 94 PID 2264 wrote to memory of 4776 2264 jdpdj.exe 94 PID 4776 wrote to memory of 1436 4776 bhnbnh.exe 95 PID 4776 wrote to memory of 1436 4776 bhnbnh.exe 95 PID 4776 wrote to memory of 1436 4776 bhnbnh.exe 95 PID 1436 wrote to memory of 1020 1436 jjpjj.exe 96 PID 1436 wrote to memory of 1020 1436 jjpjj.exe 96 PID 1436 wrote to memory of 1020 1436 jjpjj.exe 96 PID 1020 wrote to memory of 3912 1020 ddvjj.exe 97 PID 1020 wrote to memory of 3912 1020 ddvjj.exe 97 PID 1020 wrote to memory of 3912 1020 ddvjj.exe 97 PID 3912 wrote to memory of 5000 3912 rrrlfxr.exe 98 PID 3912 wrote to memory of 5000 3912 rrrlfxr.exe 98 PID 3912 wrote to memory of 5000 3912 rrrlfxr.exe 98 PID 5000 wrote to memory of 2680 5000 htbthh.exe 99 PID 5000 wrote to memory of 2680 5000 htbthh.exe 99 PID 5000 wrote to memory of 2680 5000 htbthh.exe 99 PID 2680 wrote to memory of 620 2680 vddvv.exe 100 PID 2680 wrote to memory of 620 2680 vddvv.exe 100 PID 2680 wrote to memory of 620 2680 vddvv.exe 100 PID 620 wrote to memory of 2260 620 bnhbbt.exe 101 PID 620 wrote to memory of 2260 620 bnhbbt.exe 101 PID 620 wrote to memory of 2260 620 bnhbbt.exe 101 PID 2260 wrote to memory of 228 2260 thnbnh.exe 102 PID 2260 wrote to memory of 228 2260 thnbnh.exe 102 PID 2260 wrote to memory of 228 2260 thnbnh.exe 102 PID 228 wrote to memory of 1736 228 5vpjp.exe 103 PID 228 wrote to memory of 1736 228 5vpjp.exe 103 PID 228 wrote to memory of 1736 228 5vpjp.exe 103 PID 1736 wrote to memory of 1620 1736 rrrlrrf.exe 104
Processes — the sample in %TEMP% starts a chain in which each dropped EXE is written to the root of C:\ (e.g. \??\c:\ntbtnh.exe) and launches the next; the filenames are short pseudo-random strings drawn from a handful of letters, so hunt on the root-of-drive drop-and-execute chain rather than on filenames. PIDs such as 4164, 1436 and 4776 recur later in the tree (rxlxfxl.exe and 5rlxlfx.exe both show PID 4164), indicating earlier links exit and their PIDs are recycled, so any PID-based correlation across this tree must be time-bounded.
-
C:\Users\Admin\AppData\Local\Temp\3663da7e504bac28777148f4860398b60f9e611de3b9ac3cf2d439965b93207fN.exe"C:\Users\Admin\AppData\Local\Temp\3663da7e504bac28777148f4860398b60f9e611de3b9ac3cf2d439965b93207fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\ntbtnh.exec:\ntbtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\llrrlrr.exec:\llrrlrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\bnnhbt.exec:\bnnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\thhnhh.exec:\thhnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\vvjdp.exec:\vvjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\rxlxfxl.exec:\rxlxfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\ttnbhn.exec:\ttnbhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\vdppd.exec:\vdppd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\1xlxllx.exec:\1xlxllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\jdpdj.exec:\jdpdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\bhnbnh.exec:\bhnbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\jjpjj.exec:\jjpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\ddvjj.exec:\ddvjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\htbthh.exec:\htbthh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\vddvv.exec:\vddvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\bnhbbt.exec:\bnhbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\thnbnh.exec:\thnbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\5vpjp.exec:\5vpjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\rrrlrrf.exec:\rrrlrrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\tbbnht.exec:\tbbnht.exe23⤵
- Executes dropped EXE
PID:1620 -
\??\c:\vvpjj.exec:\vvpjj.exe24⤵
- Executes dropped EXE
PID:4948 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe25⤵
- Executes dropped EXE
PID:3592 -
\??\c:\nbtnbt.exec:\nbtnbt.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:744 -
\??\c:\3ththt.exec:\3ththt.exe27⤵
- Executes dropped EXE
PID:1676 -
\??\c:\jjjvp.exec:\jjjvp.exe28⤵
- Executes dropped EXE
PID:3464 -
\??\c:\hhnbnh.exec:\hhnbnh.exe29⤵
- Executes dropped EXE
PID:1552 -
\??\c:\dvpjv.exec:\dvpjv.exe30⤵
- Executes dropped EXE
PID:4180 -
\??\c:\xlfrfxr.exec:\xlfrfxr.exe31⤵
- Executes dropped EXE
PID:4592 -
\??\c:\ttbnht.exec:\ttbnht.exe32⤵
- Executes dropped EXE
PID:464 -
\??\c:\rrlxrlx.exec:\rrlxrlx.exe33⤵
- Executes dropped EXE
PID:5044 -
\??\c:\jjjvv.exec:\jjjvv.exe34⤵
- Executes dropped EXE
PID:1688 -
\??\c:\llfrfxl.exec:\llfrfxl.exe35⤵
- Executes dropped EXE
PID:1064 -
\??\c:\hnbthb.exec:\hnbthb.exe36⤵
- Executes dropped EXE
PID:2192 -
\??\c:\djjdp.exec:\djjdp.exe37⤵
- Executes dropped EXE
PID:4960 -
\??\c:\1llfrrf.exec:\1llfrrf.exe38⤵
- Executes dropped EXE
PID:2564 -
\??\c:\htbthb.exec:\htbthb.exe39⤵
- Executes dropped EXE
PID:3372 -
\??\c:\7pjdp.exec:\7pjdp.exe40⤵
- Executes dropped EXE
PID:2152 -
\??\c:\jjpdp.exec:\jjpdp.exe41⤵
- Executes dropped EXE
PID:2504 -
\??\c:\lrfrfrl.exec:\lrfrfrl.exe42⤵
- Executes dropped EXE
PID:4648 -
\??\c:\5ttnbb.exec:\5ttnbb.exe43⤵
- Executes dropped EXE
PID:4264 -
\??\c:\jpvpd.exec:\jpvpd.exe44⤵
- Executes dropped EXE
PID:3684 -
\??\c:\dvppj.exec:\dvppj.exe45⤵
- Executes dropped EXE
PID:4920 -
\??\c:\rffrrlr.exec:\rffrrlr.exe46⤵
- Executes dropped EXE
PID:3440 -
\??\c:\1tthtn.exec:\1tthtn.exe47⤵
- Executes dropped EXE
PID:3080 -
\??\c:\frrlxfr.exec:\frrlxfr.exe48⤵
- Executes dropped EXE
PID:1128 -
\??\c:\bbhbnt.exec:\bbhbnt.exe49⤵
- Executes dropped EXE
PID:3128 -
\??\c:\bnnhnh.exec:\bnnhnh.exe50⤵
- Executes dropped EXE
PID:4828 -
\??\c:\1ppjp.exec:\1ppjp.exe51⤵
- Executes dropped EXE
PID:116 -
\??\c:\5rlxlfx.exec:\5rlxlfx.exe52⤵
- Executes dropped EXE
PID:4164 -
\??\c:\xffxlfr.exec:\xffxlfr.exe53⤵
- Executes dropped EXE
PID:3120 -
\??\c:\3bnbtn.exec:\3bnbtn.exe54⤵
- Executes dropped EXE
PID:1144 -
\??\c:\dppvp.exec:\dppvp.exe55⤵
- Executes dropped EXE
PID:1600 -
\??\c:\pvvjd.exec:\pvvjd.exe56⤵
- Executes dropped EXE
PID:4684 -
\??\c:\flffrlf.exec:\flffrlf.exe57⤵
- Executes dropped EXE
PID:3728 -
\??\c:\9frfrlx.exec:\9frfrlx.exe58⤵
- Executes dropped EXE
PID:2168 -
\??\c:\nnntbt.exec:\nnntbt.exe59⤵
- Executes dropped EXE
PID:1156 -
\??\c:\1jpdp.exec:\1jpdp.exe60⤵
- Executes dropped EXE
PID:4272 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe61⤵
- Executes dropped EXE
PID:1996 -
\??\c:\ffxlffr.exec:\ffxlffr.exe62⤵
- Executes dropped EXE
PID:4776 -
\??\c:\jjjdp.exec:\jjjdp.exe63⤵
- Executes dropped EXE
PID:1436 -
\??\c:\vjdvj.exec:\vjdvj.exe64⤵
- Executes dropped EXE
PID:3556 -
\??\c:\flffxrf.exec:\flffxrf.exe65⤵
- Executes dropped EXE
PID:1992 -
\??\c:\ttthtt.exec:\ttthtt.exe66⤵PID:3164
-
\??\c:\ttbntt.exec:\ttbntt.exe67⤵PID:3740
-
\??\c:\vppjd.exec:\vppjd.exe68⤵PID:5080
-
\??\c:\3xrrfxl.exec:\3xrrfxl.exe69⤵PID:4376
-
\??\c:\bnnbnh.exec:\bnnbnh.exe70⤵PID:2816
-
\??\c:\ttbnhh.exec:\ttbnhh.exe71⤵PID:3584
-
\??\c:\dppdp.exec:\dppdp.exe72⤵PID:876
-
\??\c:\pvdpd.exec:\pvdpd.exe73⤵PID:3168
-
\??\c:\frrfxrl.exec:\frrfxrl.exe74⤵PID:1844
-
\??\c:\nhhbnb.exec:\nhhbnb.exe75⤵PID:3212
-
\??\c:\pjjvj.exec:\pjjvj.exe76⤵PID:1900
-
\??\c:\lfrflrf.exec:\lfrflrf.exe77⤵PID:4080
-
\??\c:\lfrlxrf.exec:\lfrlxrf.exe78⤵PID:2072
-
\??\c:\thbthb.exec:\thbthb.exe79⤵PID:1772
-
\??\c:\pppjd.exec:\pppjd.exe80⤵PID:5092
-
\??\c:\lrrrfrr.exec:\lrrrfrr.exe81⤵PID:64
-
\??\c:\tbtnnn.exec:\tbtnnn.exe82⤵PID:1192
-
\??\c:\jjpjd.exec:\jjpjd.exe83⤵PID:4372
-
\??\c:\vpjdj.exec:\vpjdj.exe84⤵
- System Location Discovery: System Language Discovery
PID:5016 -
\??\c:\ffxlrxf.exec:\ffxlrxf.exe85⤵PID:1140
-
\??\c:\3ntnhb.exec:\3ntnhb.exe86⤵PID:4812
-
\??\c:\jvvjv.exec:\jvvjv.exe87⤵PID:4020
-
\??\c:\xllxlfx.exec:\xllxlfx.exe88⤵PID:2188
-
\??\c:\tnnhtn.exec:\tnnhtn.exe89⤵PID:4320
-
\??\c:\nhbthh.exec:\nhbthh.exe90⤵PID:1064
-
\??\c:\pjpjp.exec:\pjpjp.exe91⤵PID:2192
-
\??\c:\xllxlfr.exec:\xllxlfr.exe92⤵PID:1976
-
\??\c:\ttnnhh.exec:\ttnnhh.exe93⤵PID:2564
-
\??\c:\vpjvj.exec:\vpjvj.exe94⤵PID:224
-
\??\c:\jddpd.exec:\jddpd.exe95⤵PID:4632
-
\??\c:\rffxffr.exec:\rffxffr.exe96⤵PID:2068
-
\??\c:\ttnnnh.exec:\ttnnnh.exe97⤵PID:4344
-
\??\c:\btnbnh.exec:\btnbnh.exe98⤵PID:4252
-
\??\c:\dpjvj.exec:\dpjvj.exe99⤵PID:1616
-
\??\c:\fflfrlf.exec:\fflfrlf.exe100⤵PID:1372
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe101⤵PID:3560
-
\??\c:\7bhbnh.exec:\7bhbnh.exe102⤵PID:5032
-
\??\c:\vppjv.exec:\vppjv.exe103⤵PID:4284
-
\??\c:\rllxxrf.exec:\rllxxrf.exe104⤵PID:1128
-
\??\c:\nthhtb.exec:\nthhtb.exe105⤵PID:3724
-
\??\c:\tbhhbb.exec:\tbhhbb.exe106⤵PID:4884
-
\??\c:\1dvjv.exec:\1dvjv.exe107⤵PID:1596
-
\??\c:\xrxlxrr.exec:\xrxlxrr.exe108⤵PID:2144
-
\??\c:\thnntn.exec:\thnntn.exe109⤵PID:3120
-
\??\c:\vvvpj.exec:\vvvpj.exe110⤵PID:1144
-
\??\c:\xflfrlf.exec:\xflfrlf.exe111⤵PID:4188
-
\??\c:\hhnbbt.exec:\hhnbbt.exe112⤵PID:4684
-
\??\c:\9tttnn.exec:\9tttnn.exe113⤵PID:3744
-
\??\c:\vpdvp.exec:\vpdvp.exe114⤵PID:1728
-
\??\c:\rxfrffx.exec:\rxfrffx.exe115⤵
- System Location Discovery: System Language Discovery
PID:2028 -
\??\c:\3thtnh.exec:\3thtnh.exe116⤵PID:3552
-
\??\c:\pddpd.exec:\pddpd.exe117⤵PID:5068
-
\??\c:\7pjvj.exec:\7pjvj.exe118⤵PID:4044
-
\??\c:\9xxrffx.exec:\9xxrffx.exe119⤵PID:3272
-
\??\c:\hbtnhb.exec:\hbtnhb.exe120⤵PID:3912
-
\??\c:\dppdj.exec:\dppdj.exe121⤵PID:5000
-
\??\c:\lfxrfxf.exec:\lfxrfxf.exe122⤵PID:2680