Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 03:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bf48182886880d99b762e2924433f0a5196f32c4214b574ada2e21d7ecdc4948.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bf48182886880d99b762e2924433f0a5196f32c4214b574ada2e21d7ecdc4948.exe
-
Size
456KB
-
MD5
9a0bedff174307b141898bd170b2cda4
-
SHA1
0d27a3d246ce88b9f71853a301fb7aaaaf2c4940
-
SHA256
bf48182886880d99b762e2924433f0a5196f32c4214b574ada2e21d7ecdc4948
-
SHA512
b0cf96d4af5a00dc9a002e1a9e2a7b3c856a731ed7ff9fbcfd02c8177f37e5442dc11955ee7365df72091809a2e47dca93b737757277ca836d67b2f6838e849a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRF:q7Tc2NYHUrAwfMp3CDRF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2404-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-126-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1952-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/540-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-178-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2172-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/548-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2404-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-305-0x00000000773D0000-0x00000000774EF000-memory.dmp family_blackmoon behavioral1/memory/2796-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-327-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1956-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1200-631-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2284-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-749-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2392-774-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1952-966-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/876-1365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2632 9tnnbh.exe 2760 llflxfx.exe 2776 nhbntb.exe 2560 1jjvd.exe 2772 5lxffxl.exe 2520 llflrlf.exe 2940 hhbhbt.exe 2208 llflflx.exe 776 bbthbh.exe 756 9rrxlfl.exe 2512 llfrrff.exe 2840 rlxfxfx.exe 2280 3ntbnt.exe 1952 lfxlxfr.exe 1568 5nhtbh.exe 1804 rrlfxff.exe 540 bttbtb.exe 1636 lfxfrfx.exe 2892 hbbhtb.exe 2172 lfrxlxr.exe 2184 hhbhtt.exe 2240 pjjvj.exe 1832 9lflxlr.exe 1780 9lxxlrx.exe 1384 lxrxflr.exe 1028 jvpdj.exe 1992 rlxfflr.exe 548 nhtttn.exe 2252 5djvj.exe 2228 hbntbh.exe 1736 vpjdp.exe 2404 1nbtbh.exe 1732 1thnbh.exe 1564 1lxlfrx.exe 2796 5dvpv.exe 2684 rrrxlrl.exe 2388 3btbbh.exe 2580 vjpdv.exe 2544 9frlrfl.exe 2984 rlflrxf.exe 2952 nbnthh.exe 580 pjjvv.exe 1064 lfrxflf.exe 572 xlllxfl.exe 1956 nhtthh.exe 2816 ppdpp.exe 2384 xfxxffl.exe 2620 btnntb.exe 1624 pdddj.exe 496 jddpd.exe 800 llxlxxl.exe 2360 bntbhb.exe 1804 vdvvd.exe 1944 xxrflxl.exe 1076 9frrflx.exe 2176 nhbhbh.exe 2164 vjvdp.exe 3020 7pjjj.exe 3068 rlxxffr.exe 2332 1nthnn.exe 1344 vjdjp.exe 844 dvjpd.exe 824 lfllrfr.exe 1612 nhbhtb.exe -
resource yara_rule behavioral1/memory/2404-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/756-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-260-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2252-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-928-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-980-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-1190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-1241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-1248-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2396-1279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-1287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-1333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-1365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-1366-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjdj.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2404 wrote to memory of 2632 2404 bf48182886880d99b762e2924433f0a5196f32c4214b574ada2e21d7ecdc4948.exe 30 PID 2404 wrote to memory of 2632 2404 bf48182886880d99b762e2924433f0a5196f32c4214b574ada2e21d7ecdc4948.exe 30 PID 2404 wrote to memory of 2632 2404 bf48182886880d99b762e2924433f0a5196f32c4214b574ada2e21d7ecdc4948.exe 30 PID 2404 wrote to memory of 2632 2404 bf48182886880d99b762e2924433f0a5196f32c4214b574ada2e21d7ecdc4948.exe 30 PID 2632 wrote to memory of 2760 2632 9tnnbh.exe 31 PID 2632 wrote to memory of 2760 2632 9tnnbh.exe 31 PID 2632 wrote to memory of 2760 2632 9tnnbh.exe 31 PID 2632 wrote to memory of 2760 2632 9tnnbh.exe 31 PID 2760 wrote to memory of 2776 2760 llflxfx.exe 32 PID 2760 wrote to memory of 2776 2760 llflxfx.exe 32 PID 2760 wrote to memory of 2776 2760 llflxfx.exe 32 PID 2760 wrote to memory of 2776 2760 llflxfx.exe 32 PID 2776 wrote to memory of 2560 2776 nhbntb.exe 33 PID 2776 wrote to memory of 2560 2776 nhbntb.exe 33 PID 2776 wrote to memory of 2560 2776 nhbntb.exe 33 PID 2776 wrote to memory of 2560 2776 nhbntb.exe 33 PID 2560 wrote to memory of 2772 2560 1jjvd.exe 34 PID 2560 wrote to memory of 2772 2560 1jjvd.exe 34 PID 2560 wrote to memory of 2772 2560 1jjvd.exe 34 PID 2560 wrote to memory of 2772 2560 1jjvd.exe 34 PID 2772 wrote to memory of 2520 2772 5lxffxl.exe 35 PID 2772 wrote to memory of 2520 2772 5lxffxl.exe 35 PID 2772 wrote to memory of 2520 2772 5lxffxl.exe 35 PID 2772 wrote to memory of 2520 2772 5lxffxl.exe 35 PID 2520 wrote to memory of 2940 2520 llflrlf.exe 36 PID 2520 wrote to memory of 2940 2520 llflrlf.exe 36 PID 2520 wrote to memory of 2940 2520 llflrlf.exe 36 PID 2520 wrote to memory of 2940 2520 llflrlf.exe 36 PID 2940 wrote to memory of 2208 2940 hhbhbt.exe 37 PID 2940 wrote to memory of 2208 2940 hhbhbt.exe 37 PID 2940 wrote to memory of 2208 2940 hhbhbt.exe 37 PID 2940 wrote to memory of 2208 2940 hhbhbt.exe 37 PID 2208 wrote to memory of 776 2208 llflflx.exe 38 PID 
2208 wrote to memory of 776 2208 llflflx.exe 38 PID 2208 wrote to memory of 776 2208 llflflx.exe 38 PID 2208 wrote to memory of 776 2208 llflflx.exe 38 PID 776 wrote to memory of 756 776 bbthbh.exe 39 PID 776 wrote to memory of 756 776 bbthbh.exe 39 PID 776 wrote to memory of 756 776 bbthbh.exe 39 PID 776 wrote to memory of 756 776 bbthbh.exe 39 PID 756 wrote to memory of 2512 756 9rrxlfl.exe 40 PID 756 wrote to memory of 2512 756 9rrxlfl.exe 40 PID 756 wrote to memory of 2512 756 9rrxlfl.exe 40 PID 756 wrote to memory of 2512 756 9rrxlfl.exe 40 PID 2512 wrote to memory of 2840 2512 llfrrff.exe 41 PID 2512 wrote to memory of 2840 2512 llfrrff.exe 41 PID 2512 wrote to memory of 2840 2512 llfrrff.exe 41 PID 2512 wrote to memory of 2840 2512 llfrrff.exe 41 PID 2840 wrote to memory of 2280 2840 rlxfxfx.exe 42 PID 2840 wrote to memory of 2280 2840 rlxfxfx.exe 42 PID 2840 wrote to memory of 2280 2840 rlxfxfx.exe 42 PID 2840 wrote to memory of 2280 2840 rlxfxfx.exe 42 PID 2280 wrote to memory of 1952 2280 3ntbnt.exe 43 PID 2280 wrote to memory of 1952 2280 3ntbnt.exe 43 PID 2280 wrote to memory of 1952 2280 3ntbnt.exe 43 PID 2280 wrote to memory of 1952 2280 3ntbnt.exe 43 PID 1952 wrote to memory of 1568 1952 lfxlxfr.exe 44 PID 1952 wrote to memory of 1568 1952 lfxlxfr.exe 44 PID 1952 wrote to memory of 1568 1952 lfxlxfr.exe 44 PID 1952 wrote to memory of 1568 1952 lfxlxfr.exe 44 PID 1568 wrote to memory of 1804 1568 5nhtbh.exe 45 PID 1568 wrote to memory of 1804 1568 5nhtbh.exe 45 PID 1568 wrote to memory of 1804 1568 5nhtbh.exe 45 PID 1568 wrote to memory of 1804 1568 5nhtbh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf48182886880d99b762e2924433f0a5196f32c4214b574ada2e21d7ecdc4948.exe"C:\Users\Admin\AppData\Local\Temp\bf48182886880d99b762e2924433f0a5196f32c4214b574ada2e21d7ecdc4948.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\9tnnbh.exec:\9tnnbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\llflxfx.exec:\llflxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\nhbntb.exec:\nhbntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\1jjvd.exec:\1jjvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\5lxffxl.exec:\5lxffxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\llflrlf.exec:\llflrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\hhbhbt.exec:\hhbhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\llflflx.exec:\llflflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\bbthbh.exec:\bbthbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\9rrxlfl.exec:\9rrxlfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\llfrrff.exec:\llfrrff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\rlxfxfx.exec:\rlxfxfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\3ntbnt.exec:\3ntbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\lfxlxfr.exec:\lfxlxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\5nhtbh.exec:\5nhtbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\rrlfxff.exec:\rrlfxff.exe17⤵
- Executes dropped EXE
PID:1804 -
\??\c:\bttbtb.exec:\bttbtb.exe18⤵
- Executes dropped EXE
PID:540 -
\??\c:\lfxfrfx.exec:\lfxfrfx.exe19⤵
- Executes dropped EXE
PID:1636 -
\??\c:\hbbhtb.exec:\hbbhtb.exe20⤵
- Executes dropped EXE
PID:2892 -
\??\c:\lfrxlxr.exec:\lfrxlxr.exe21⤵
- Executes dropped EXE
PID:2172 -
\??\c:\hhbhtt.exec:\hhbhtt.exe22⤵
- Executes dropped EXE
PID:2184 -
\??\c:\pjjvj.exec:\pjjvj.exe23⤵
- Executes dropped EXE
PID:2240 -
\??\c:\9lflxlr.exec:\9lflxlr.exe24⤵
- Executes dropped EXE
PID:1832 -
\??\c:\9lxxlrx.exec:\9lxxlrx.exe25⤵
- Executes dropped EXE
PID:1780 -
\??\c:\lxrxflr.exec:\lxrxflr.exe26⤵
- Executes dropped EXE
PID:1384 -
\??\c:\jvpdj.exec:\jvpdj.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\rlxfflr.exec:\rlxfflr.exe28⤵
- Executes dropped EXE
PID:1992 -
\??\c:\nhtttn.exec:\nhtttn.exe29⤵
- Executes dropped EXE
PID:548 -
\??\c:\5djvj.exec:\5djvj.exe30⤵
- Executes dropped EXE
PID:2252 -
\??\c:\hbntbh.exec:\hbntbh.exe31⤵
- Executes dropped EXE
PID:2228 -
\??\c:\vpjdp.exec:\vpjdp.exe32⤵
- Executes dropped EXE
PID:1736 -
\??\c:\1nbtbh.exec:\1nbtbh.exe33⤵
- Executes dropped EXE
PID:2404 -
\??\c:\1thnbh.exec:\1thnbh.exe34⤵
- Executes dropped EXE
PID:1732 -
\??\c:\1lxlfrx.exec:\1lxlfrx.exe35⤵
- Executes dropped EXE
PID:1564 -
\??\c:\9lffflr.exec:\9lffflr.exe36⤵PID:1696
-
\??\c:\5dvpv.exec:\5dvpv.exe37⤵
- Executes dropped EXE
PID:2796 -
\??\c:\rrrxlrl.exec:\rrrxlrl.exe38⤵
- Executes dropped EXE
PID:2684 -
\??\c:\3btbbh.exec:\3btbbh.exe39⤵
- Executes dropped EXE
PID:2388 -
\??\c:\vjpdv.exec:\vjpdv.exe40⤵
- Executes dropped EXE
PID:2580 -
\??\c:\9frlrfl.exec:\9frlrfl.exe41⤵
- Executes dropped EXE
PID:2544 -
\??\c:\rlflrxf.exec:\rlflrxf.exe42⤵
- Executes dropped EXE
PID:2984 -
\??\c:\nbnthh.exec:\nbnthh.exe43⤵
- Executes dropped EXE
PID:2952 -
\??\c:\pjjvv.exec:\pjjvv.exe44⤵
- Executes dropped EXE
PID:580 -
\??\c:\lfrxflf.exec:\lfrxflf.exe45⤵
- Executes dropped EXE
PID:1064 -
\??\c:\xlllxfl.exec:\xlllxfl.exe46⤵
- Executes dropped EXE
PID:572 -
\??\c:\nhtthh.exec:\nhtthh.exe47⤵
- Executes dropped EXE
PID:1956 -
\??\c:\ppdpp.exec:\ppdpp.exe48⤵
- Executes dropped EXE
PID:2816 -
\??\c:\xfxxffl.exec:\xfxxffl.exe49⤵
- Executes dropped EXE
PID:2384 -
\??\c:\btnntb.exec:\btnntb.exe50⤵
- Executes dropped EXE
PID:2620 -
\??\c:\pdddj.exec:\pdddj.exe51⤵
- Executes dropped EXE
PID:1624 -
\??\c:\jddpd.exec:\jddpd.exe52⤵
- Executes dropped EXE
PID:496 -
\??\c:\llxlxxl.exec:\llxlxxl.exe53⤵
- Executes dropped EXE
PID:800 -
\??\c:\bntbhb.exec:\bntbhb.exe54⤵
- Executes dropped EXE
PID:2360 -
\??\c:\vdvvd.exec:\vdvvd.exe55⤵
- Executes dropped EXE
PID:1804 -
\??\c:\xxrflxl.exec:\xxrflxl.exe56⤵
- Executes dropped EXE
PID:1944 -
\??\c:\9frrflx.exec:\9frrflx.exe57⤵
- Executes dropped EXE
PID:1076 -
\??\c:\nhbhbh.exec:\nhbhbh.exe58⤵
- Executes dropped EXE
PID:2176 -
\??\c:\vjvdp.exec:\vjvdp.exe59⤵
- Executes dropped EXE
PID:2164 -
\??\c:\7pjjj.exec:\7pjjj.exe60⤵
- Executes dropped EXE
PID:3020 -
\??\c:\rlxxffr.exec:\rlxxffr.exe61⤵
- Executes dropped EXE
PID:3068 -
\??\c:\1nthnn.exec:\1nthnn.exe62⤵
- Executes dropped EXE
PID:2332 -
\??\c:\vjdjp.exec:\vjdjp.exe63⤵
- Executes dropped EXE
PID:1344 -
\??\c:\dvjpd.exec:\dvjpd.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844 -
\??\c:\lfllrfr.exec:\lfllrfr.exe65⤵
- Executes dropped EXE
PID:824 -
\??\c:\nhbhtb.exec:\nhbhtb.exe66⤵
- Executes dropped EXE
PID:1612 -
\??\c:\hbnhtb.exec:\hbnhtb.exe67⤵PID:956
-
\??\c:\jpddp.exec:\jpddp.exe68⤵PID:2044
-
\??\c:\rlxrffl.exec:\rlxrffl.exe69⤵PID:1464
-
\??\c:\1thtbh.exec:\1thtbh.exe70⤵PID:344
-
\??\c:\bnttbb.exec:\bnttbb.exe71⤵PID:2496
-
\??\c:\dvjvj.exec:\dvjvj.exe72⤵PID:568
-
\??\c:\rllrxfl.exec:\rllrxfl.exe73⤵PID:1340
-
\??\c:\7lrxxxl.exec:\7lrxxxl.exe74⤵PID:2196
-
\??\c:\9btntb.exec:\9btntb.exe75⤵PID:2236
-
\??\c:\pjvjd.exec:\pjvjd.exe76⤵PID:2732
-
\??\c:\1pdvd.exec:\1pdvd.exe77⤵PID:2724
-
\??\c:\3frxxxf.exec:\3frxxxf.exe78⤵PID:1588
-
\??\c:\nhbhnt.exec:\nhbhnt.exe79⤵PID:1596
-
\??\c:\7jpvj.exec:\7jpvj.exe80⤵PID:1164
-
\??\c:\ppdjv.exec:\ppdjv.exe81⤵PID:2852
-
\??\c:\rlrxrxr.exec:\rlrxrxr.exe82⤵PID:2568
-
\??\c:\nnhntb.exec:\nnhntb.exe83⤵PID:2560
-
\??\c:\1pddd.exec:\1pddd.exe84⤵PID:2572
-
\??\c:\pjvvd.exec:\pjvvd.exe85⤵PID:2336
-
\??\c:\rlxlrrr.exec:\rlxlrrr.exe86⤵PID:1200
-
\??\c:\nnhhnn.exec:\nnhhnn.exe87⤵PID:2952
-
\??\c:\vjdpd.exec:\vjdpd.exe88⤵PID:580
-
\??\c:\ppvvd.exec:\ppvvd.exe89⤵PID:2284
-
\??\c:\ffrxllx.exec:\ffrxllx.exe90⤵PID:1856
-
\??\c:\3htbhn.exec:\3htbhn.exe91⤵PID:2704
-
\??\c:\vpppd.exec:\vpppd.exe92⤵PID:2624
-
\??\c:\vpjpd.exec:\vpjpd.exe93⤵PID:2564
-
\??\c:\xrlfrlx.exec:\xrlfrlx.exe94⤵PID:1712
-
\??\c:\hbnhhn.exec:\hbnhhn.exe95⤵PID:1688
-
\??\c:\hbtttt.exec:\hbtttt.exe96⤵PID:1988
-
\??\c:\vpppv.exec:\vpppv.exe97⤵PID:2000
-
\??\c:\rlffxxl.exec:\rlffxxl.exe98⤵PID:1808
-
\??\c:\3rxxxff.exec:\3rxxxff.exe99⤵PID:2472
-
\??\c:\hhhhtb.exec:\hhhhtb.exe100⤵PID:1628
-
\??\c:\dvvdp.exec:\dvvdp.exe101⤵PID:1088
-
\??\c:\jpdpp.exec:\jpdpp.exe102⤵PID:2832
-
\??\c:\rfxxfxl.exec:\rfxxfxl.exe103⤵PID:2876
-
\??\c:\tbtnhh.exec:\tbtnhh.exe104⤵PID:2172
-
\??\c:\pjvvd.exec:\pjvvd.exe105⤵PID:2392
-
\??\c:\jdvjv.exec:\jdvjv.exe106⤵PID:2184
-
\??\c:\7fxxflx.exec:\7fxxflx.exe107⤵PID:376
-
\??\c:\nhtttt.exec:\nhtttt.exe108⤵PID:1056
-
\??\c:\hnhntt.exec:\hnhntt.exe109⤵PID:2424
-
\??\c:\3vppv.exec:\3vppv.exe110⤵PID:832
-
\??\c:\fxlrxxf.exec:\fxlrxxf.exe111⤵PID:1384
-
\??\c:\nbtttb.exec:\nbtttb.exe112⤵PID:288
-
\??\c:\nnbhhn.exec:\nnbhhn.exe113⤵PID:2448
-
\??\c:\pdvvp.exec:\pdvvp.exe114⤵PID:2480
-
\??\c:\lxfxxfl.exec:\lxfxxfl.exe115⤵PID:1104
-
\??\c:\rllllff.exec:\rllllff.exe116⤵PID:784
-
\??\c:\tnbnhn.exec:\tnbnhn.exe117⤵PID:884
-
\??\c:\dppvd.exec:\dppvd.exe118⤵PID:2604
-
\??\c:\jvppp.exec:\jvppp.exe119⤵PID:3032
-
\??\c:\9nhntt.exec:\9nhntt.exe120⤵PID:2740
-
\??\c:\dvpvj.exec:\dvpvj.exe121⤵PID:2664
-
\??\c:\xlxxfll.exec:\xlxxfll.exe122⤵PID:1560