Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 03:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe
-
Size
454KB
-
MD5
fe44e91b80a4d7160a68a8620e1ffc0e
-
SHA1
fc90233e18451e40f10de7f0a2503aa56d307031
-
SHA256
3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994
-
SHA512
819087618b66be5831ab5bc6bc927d72649f8ba951b26e07ac0d4ee16f1d7062531b5c8a746447cc09691ae5f3b34eb2c9bfce973a1fd78e0c0f5d85581ec426
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4496-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4592-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/520-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2284-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-1050-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-1099-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-1130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-1267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-1623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1768-1726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4496 nbtnbt.exe 4464 nbbnbt.exe 4524 nbhtth.exe 264 rrrlfxl.exe 1136 ttbbnn.exe 1852 hnnhtn.exe 4980 xflxrlx.exe 2536 jppjv.exe 1772 rfxrlfx.exe 984 jjvjd.exe 4544 1frffxl.exe 676 nnnbtt.exe 2020 rrxxrxx.exe 1916 5tnbnn.exe 2524 ppjdp.exe 3000 rlrrlfl.exe 2232 1bhtbt.exe 3368 vjjdp.exe 4696 xllfrlf.exe 2308 jvdvv.exe 2940 flllxrl.exe 3836 3tnbnh.exe 1676 pjpjp.exe 1488 9tthbt.exe 4592 xllflff.exe 2264 fxxrfxr.exe 1556 bnhtht.exe 1240 fllflll.exe 4916 nhhttn.exe 3312 dvpdp.exe 2116 nnbnhb.exe 764 rrrllfx.exe 2504 bbbtnh.exe 4476 rfxlfxx.exe 4660 bthbtn.exe 3096 hnnnth.exe 1688 pvpdp.exe 5000 fxfxxrl.exe 1032 rxrlxrl.exe 3500 9ttnbt.exe 4232 pjvjj.exe 3144 5rfrfxl.exe 3936 nbthtn.exe 4672 jpvjd.exe 452 9lrfxrx.exe 1496 nntntn.exe 4572 vjpjd.exe 4540 pvjdp.exe 4848 frxfrrf.exe 4652 thnbhb.exe 520 hbtnbt.exe 4852 vjdvd.exe 3744 rlrlrll.exe 1832 btbnhb.exe 4924 jjjvj.exe 3476 rxlxlxr.exe 2568 fflfrlf.exe 1540 1nnntn.exe 3232 jppjv.exe 4844 rlrflfr.exe 1920 llrlfrl.exe 4384 btbbnh.exe 976 pvjvd.exe 3876 5fffllx.exe -
resource yara_rule behavioral2/memory/4496-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/592-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4592-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/520-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1964-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-1050-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-1099-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-1130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-1267-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xffrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 592 wrote to memory of 4496 592 3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe 82 PID 592 wrote to memory of 4496 592 3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe 82 PID 592 wrote to memory of 4496 592 3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe 82 PID 4496 wrote to memory of 4464 4496 nbtnbt.exe 83 PID 4496 wrote to memory of 4464 4496 nbtnbt.exe 83 PID 4496 wrote to memory of 4464 4496 nbtnbt.exe 83 PID 4464 wrote to memory of 4524 4464 nbbnbt.exe 84 PID 4464 wrote to memory of 4524 4464 nbbnbt.exe 84 PID 4464 wrote to memory of 4524 4464 nbbnbt.exe 84 PID 4524 wrote to memory of 264 4524 nbhtth.exe 85 PID 4524 wrote to memory of 264 4524 nbhtth.exe 85 PID 4524 wrote to memory of 264 4524 nbhtth.exe 85 PID 264 wrote to memory of 1136 264 rrrlfxl.exe 86 PID 264 wrote to memory of 1136 264 rrrlfxl.exe 86 PID 264 wrote to memory of 1136 264 rrrlfxl.exe 86 PID 1136 wrote to memory of 1852 1136 ttbbnn.exe 87 PID 1136 wrote to memory of 1852 1136 ttbbnn.exe 87 PID 1136 wrote to memory of 1852 1136 ttbbnn.exe 87 PID 1852 wrote to memory of 4980 1852 hnnhtn.exe 88 PID 1852 wrote to memory of 4980 1852 hnnhtn.exe 88 PID 1852 wrote to memory of 4980 1852 hnnhtn.exe 88 PID 4980 wrote to memory of 2536 4980 xflxrlx.exe 89 PID 4980 wrote to memory of 2536 4980 xflxrlx.exe 89 PID 4980 wrote to memory of 2536 4980 xflxrlx.exe 89 PID 2536 wrote to memory of 1772 2536 jppjv.exe 90 PID 2536 wrote to memory of 1772 2536 jppjv.exe 90 PID 2536 wrote to memory of 1772 2536 jppjv.exe 90 PID 1772 wrote to memory of 984 1772 rfxrlfx.exe 91 PID 1772 wrote to memory of 984 1772 rfxrlfx.exe 91 PID 1772 wrote to memory of 984 1772 rfxrlfx.exe 91 PID 984 wrote to memory of 4544 984 jjvjd.exe 92 PID 984 wrote to memory of 4544 984 jjvjd.exe 92 PID 984 wrote to memory of 4544 984 jjvjd.exe 92 PID 4544 wrote to memory of 676 4544 1frffxl.exe 93 PID 4544 wrote to memory of 676 4544 
1frffxl.exe 93 PID 4544 wrote to memory of 676 4544 1frffxl.exe 93 PID 676 wrote to memory of 2020 676 nnnbtt.exe 94 PID 676 wrote to memory of 2020 676 nnnbtt.exe 94 PID 676 wrote to memory of 2020 676 nnnbtt.exe 94 PID 2020 wrote to memory of 1916 2020 rrxxrxx.exe 95 PID 2020 wrote to memory of 1916 2020 rrxxrxx.exe 95 PID 2020 wrote to memory of 1916 2020 rrxxrxx.exe 95 PID 1916 wrote to memory of 2524 1916 5tnbnn.exe 96 PID 1916 wrote to memory of 2524 1916 5tnbnn.exe 96 PID 1916 wrote to memory of 2524 1916 5tnbnn.exe 96 PID 2524 wrote to memory of 3000 2524 ppjdp.exe 97 PID 2524 wrote to memory of 3000 2524 ppjdp.exe 97 PID 2524 wrote to memory of 3000 2524 ppjdp.exe 97 PID 3000 wrote to memory of 2232 3000 rlrrlfl.exe 98 PID 3000 wrote to memory of 2232 3000 rlrrlfl.exe 98 PID 3000 wrote to memory of 2232 3000 rlrrlfl.exe 98 PID 2232 wrote to memory of 3368 2232 1bhtbt.exe 99 PID 2232 wrote to memory of 3368 2232 1bhtbt.exe 99 PID 2232 wrote to memory of 3368 2232 1bhtbt.exe 99 PID 3368 wrote to memory of 4696 3368 vjjdp.exe 100 PID 3368 wrote to memory of 4696 3368 vjjdp.exe 100 PID 3368 wrote to memory of 4696 3368 vjjdp.exe 100 PID 4696 wrote to memory of 2308 4696 xllfrlf.exe 101 PID 4696 wrote to memory of 2308 4696 xllfrlf.exe 101 PID 4696 wrote to memory of 2308 4696 xllfrlf.exe 101 PID 2308 wrote to memory of 2940 2308 jvdvv.exe 102 PID 2308 wrote to memory of 2940 2308 jvdvv.exe 102 PID 2308 wrote to memory of 2940 2308 jvdvv.exe 102 PID 2940 wrote to memory of 3836 2940 flllxrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe"C:\Users\Admin\AppData\Local\Temp\3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:592 -
\??\c:\nbtnbt.exec:\nbtnbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\nbbnbt.exec:\nbbnbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\nbhtth.exec:\nbhtth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\rrrlfxl.exec:\rrrlfxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\ttbbnn.exec:\ttbbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\hnnhtn.exec:\hnnhtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\xflxrlx.exec:\xflxrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\jppjv.exec:\jppjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\jjvjd.exec:\jjvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\1frffxl.exec:\1frffxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\nnnbtt.exec:\nnnbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\rrxxrxx.exec:\rrxxrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\5tnbnn.exec:\5tnbnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\ppjdp.exec:\ppjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\rlrrlfl.exec:\rlrrlfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\1bhtbt.exec:\1bhtbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\vjjdp.exec:\vjjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\xllfrlf.exec:\xllfrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\jvdvv.exec:\jvdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\flllxrl.exec:\flllxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\3tnbnh.exec:\3tnbnh.exe23⤵
- Executes dropped EXE
PID:3836 -
\??\c:\pjpjp.exec:\pjpjp.exe24⤵
- Executes dropped EXE
PID:1676 -
\??\c:\9tthbt.exec:\9tthbt.exe25⤵
- Executes dropped EXE
PID:1488 -
\??\c:\xllflff.exec:\xllflff.exe26⤵
- Executes dropped EXE
PID:4592 -
\??\c:\fxxrfxr.exec:\fxxrfxr.exe27⤵
- Executes dropped EXE
PID:2264 -
\??\c:\bnhtht.exec:\bnhtht.exe28⤵
- Executes dropped EXE
PID:1556 -
\??\c:\fllflll.exec:\fllflll.exe29⤵
- Executes dropped EXE
PID:1240 -
\??\c:\nhhttn.exec:\nhhttn.exe30⤵
- Executes dropped EXE
PID:4916 -
\??\c:\dvpdp.exec:\dvpdp.exe31⤵
- Executes dropped EXE
PID:3312 -
\??\c:\nnbnhb.exec:\nnbnhb.exe32⤵
- Executes dropped EXE
PID:2116 -
\??\c:\rrrllfx.exec:\rrrllfx.exe33⤵
- Executes dropped EXE
PID:764 -
\??\c:\bbbtnh.exec:\bbbtnh.exe34⤵
- Executes dropped EXE
PID:2504 -
\??\c:\rfxlfxx.exec:\rfxlfxx.exe35⤵
- Executes dropped EXE
PID:4476 -
\??\c:\bthbtn.exec:\bthbtn.exe36⤵
- Executes dropped EXE
PID:4660 -
\??\c:\hnnnth.exec:\hnnnth.exe37⤵
- Executes dropped EXE
PID:3096 -
\??\c:\pvpdp.exec:\pvpdp.exe38⤵
- Executes dropped EXE
PID:1688 -
\??\c:\fxfxxrl.exec:\fxfxxrl.exe39⤵
- Executes dropped EXE
PID:5000 -
\??\c:\rxrlxrl.exec:\rxrlxrl.exe40⤵
- Executes dropped EXE
PID:1032 -
\??\c:\9ttnbt.exec:\9ttnbt.exe41⤵
- Executes dropped EXE
PID:3500 -
\??\c:\pjvjj.exec:\pjvjj.exe42⤵
- Executes dropped EXE
PID:4232 -
\??\c:\5rfrfxl.exec:\5rfrfxl.exe43⤵
- Executes dropped EXE
PID:3144 -
\??\c:\nbthtn.exec:\nbthtn.exe44⤵
- Executes dropped EXE
PID:3936 -
\??\c:\jpvjd.exec:\jpvjd.exe45⤵
- Executes dropped EXE
PID:4672 -
\??\c:\9lrfxrx.exec:\9lrfxrx.exe46⤵
- Executes dropped EXE
PID:452 -
\??\c:\nntntn.exec:\nntntn.exe47⤵
- Executes dropped EXE
PID:1496 -
\??\c:\vjpjd.exec:\vjpjd.exe48⤵
- Executes dropped EXE
PID:4572 -
\??\c:\pvjdp.exec:\pvjdp.exe49⤵
- Executes dropped EXE
PID:4540 -
\??\c:\frxfrrf.exec:\frxfrrf.exe50⤵
- Executes dropped EXE
PID:4848 -
\??\c:\thnbhb.exec:\thnbhb.exe51⤵
- Executes dropped EXE
PID:4652 -
\??\c:\hbtnbt.exec:\hbtnbt.exe52⤵
- Executes dropped EXE
PID:520 -
\??\c:\vjdvd.exec:\vjdvd.exe53⤵
- Executes dropped EXE
PID:4852 -
\??\c:\rlrlrll.exec:\rlrlrll.exe54⤵
- Executes dropped EXE
PID:3744 -
\??\c:\ttthth.exec:\ttthth.exe55⤵PID:4504
-
\??\c:\btbnhb.exec:\btbnhb.exe56⤵
- Executes dropped EXE
PID:1832 -
\??\c:\jjjvj.exec:\jjjvj.exe57⤵
- Executes dropped EXE
PID:4924 -
\??\c:\rxlxlxr.exec:\rxlxlxr.exe58⤵
- Executes dropped EXE
PID:3476 -
\??\c:\fflfrlf.exec:\fflfrlf.exe59⤵
- Executes dropped EXE
PID:2568 -
\??\c:\1nnntn.exec:\1nnntn.exe60⤵
- Executes dropped EXE
PID:1540 -
\??\c:\jppjv.exec:\jppjv.exe61⤵
- Executes dropped EXE
PID:3232 -
\??\c:\rlrflfr.exec:\rlrflfr.exe62⤵
- Executes dropped EXE
PID:4844 -
\??\c:\llrlfrl.exec:\llrlfrl.exe63⤵
- Executes dropped EXE
PID:1920 -
\??\c:\btbbnh.exec:\btbbnh.exe64⤵
- Executes dropped EXE
PID:4384 -
\??\c:\pvjvd.exec:\pvjvd.exe65⤵
- Executes dropped EXE
PID:976 -
\??\c:\5fffllx.exec:\5fffllx.exe66⤵
- Executes dropped EXE
PID:3876 -
\??\c:\fffrxrf.exec:\fffrxrf.exe67⤵PID:1684
-
\??\c:\thhhhb.exec:\thhhhb.exe68⤵PID:2728
-
\??\c:\jvpjv.exec:\jvpjv.exe69⤵PID:3580
-
\??\c:\vjjvp.exec:\vjjvp.exe70⤵PID:4188
-
\??\c:\xlfrlrf.exec:\xlfrlrf.exe71⤵PID:1092
-
\??\c:\9bbttt.exec:\9bbttt.exe72⤵PID:320
-
\??\c:\pddpd.exec:\pddpd.exe73⤵PID:116
-
\??\c:\xflxrlf.exec:\xflxrlf.exe74⤵PID:972
-
\??\c:\bnnhbt.exec:\bnnhbt.exe75⤵PID:1956
-
\??\c:\tnhbhb.exec:\tnhbhb.exe76⤵PID:4324
-
\??\c:\djdvp.exec:\djdvp.exe77⤵PID:2788
-
\??\c:\frrfxrl.exec:\frrfxrl.exe78⤵PID:2808
-
\??\c:\nbbtbt.exec:\nbbtbt.exe79⤵PID:3128
-
\??\c:\ttbtnh.exec:\ttbtnh.exe80⤵PID:3916
-
\??\c:\dppdv.exec:\dppdv.exe81⤵PID:3908
-
\??\c:\xllxlfx.exec:\xllxlfx.exe82⤵PID:3984
-
\??\c:\bbtthh.exec:\bbtthh.exe83⤵PID:2284
-
\??\c:\7nhtbn.exec:\7nhtbn.exe84⤵PID:4860
-
\??\c:\9vvjv.exec:\9vvjv.exe85⤵PID:208
-
\??\c:\3lfrlfl.exec:\3lfrlfl.exe86⤵PID:3612
-
\??\c:\nnnhtn.exec:\nnnhtn.exe87⤵PID:4008
-
\??\c:\ntbttn.exec:\ntbttn.exe88⤵PID:3216
-
\??\c:\jdvvp.exec:\jdvvp.exe89⤵PID:4960
-
\??\c:\vpvpp.exec:\vpvpp.exe90⤵PID:4148
-
\??\c:\5flfrlx.exec:\5flfrlx.exe91⤵PID:4448
-
\??\c:\bhhbnt.exec:\bhhbnt.exe92⤵PID:2268
-
\??\c:\dpvjv.exec:\dpvjv.exe93⤵PID:2264
-
\??\c:\dppdv.exec:\dppdv.exe94⤵PID:3628
-
\??\c:\3flxrlx.exec:\3flxrlx.exe95⤵PID:2844
-
\??\c:\bhhtnh.exec:\bhhtnh.exe96⤵PID:3808
-
\??\c:\dpjvp.exec:\dpjvp.exe97⤵PID:3816
-
\??\c:\frrfrfx.exec:\frrfrfx.exe98⤵PID:4864
-
\??\c:\llrlxrl.exec:\llrlxrl.exe99⤵PID:3312
-
\??\c:\hhtnbt.exec:\hhtnbt.exe100⤵PID:2116
-
\??\c:\jdjvp.exec:\jdjvp.exe101⤵PID:1116
-
\??\c:\lxrfxrf.exec:\lxrfxrf.exe102⤵PID:876
-
\??\c:\fxxrlrf.exec:\fxxrlrf.exe103⤵PID:468
-
\??\c:\ntnbtn.exec:\ntnbtn.exe104⤵PID:4440
-
\??\c:\jdvpd.exec:\jdvpd.exe105⤵PID:4172
-
\??\c:\vjjdp.exec:\vjjdp.exe106⤵PID:3636
-
\??\c:\rfxxrff.exec:\rfxxrff.exe107⤵PID:1964
-
\??\c:\5bnbtn.exec:\5bnbtn.exe108⤵PID:4396
-
\??\c:\vpddd.exec:\vpddd.exe109⤵PID:5036
-
\??\c:\jvpjv.exec:\jvpjv.exe110⤵PID:4576
-
\??\c:\lfxrffx.exec:\lfxrffx.exe111⤵PID:244
-
\??\c:\lfrlxrx.exec:\lfrlxrx.exe112⤵PID:4952
-
\??\c:\thhtnh.exec:\thhtnh.exe113⤵PID:3596
-
\??\c:\7dvjv.exec:\7dvjv.exe114⤵PID:2872
-
\??\c:\xxxrfxl.exec:\xxxrfxl.exe115⤵PID:4536
-
\??\c:\lfrllfx.exec:\lfrllfx.exe116⤵PID:4404
-
\??\c:\1hhtbb.exec:\1hhtbb.exe117⤵PID:3448
-
\??\c:\jvvjd.exec:\jvvjd.exe118⤵PID:1656
-
\??\c:\jjdpj.exec:\jjdpj.exe119⤵PID:4652
-
\??\c:\rrrllfl.exec:\rrrllfl.exe120⤵PID:968
-
\??\c:\htbnbh.exec:\htbnbh.exe121⤵PID:4852
-
\??\c:\dvpjp.exec:\dvpjp.exe122⤵PID:3484