Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 01:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
576139be88c0450a55b37949f5035df870d92257db590c303df412704850bb5cN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
576139be88c0450a55b37949f5035df870d92257db590c303df412704850bb5cN.exe
-
Size
454KB
-
MD5
70ef8a47e7055120eaad1a7f8213a5b0
-
SHA1
6fad084e1b7a254158f8d50f973523be7b89ab7b
-
SHA256
576139be88c0450a55b37949f5035df870d92257db590c303df412704850bb5c
-
SHA512
17dd008dfd64b9a2defa04c1da7ad095d8ccc59ecb0c75ff73eee9f705a8c9d35a9b7a0152594e500b492732cd2c796496f38aed0f3c8b999442019108e2db51
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4700-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2136-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1424-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-1045-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-1219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-1581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4700 xfrxrxf.exe 4836 nbnntn.exe 4012 5xxlxrf.exe 4160 3xrfrlf.exe 4460 bbhtnh.exe 3528 jjjjd.exe 5004 xrxlfrr.exe 1004 3hhbtn.exe 2376 jvdpd.exe 4788 1bbtnn.exe 4120 vdjvv.exe 3532 hhnntn.exe 2060 jdjvp.exe 2216 tnbhth.exe 4432 dpvjd.exe 440 nhnhbb.exe 3248 fflxxrl.exe 412 5tthtn.exe 2512 hnbtbb.exe 1132 9xrlllr.exe 2392 bbnhhh.exe 688 lrfxxxr.exe 5112 httbbt.exe 3792 dvpjd.exe 4272 xrxrxrx.exe 736 hhhbtt.exe 2136 tnnbnh.exe 2672 lxlfrrl.exe 3036 7hbtnn.exe 4740 dvdjv.exe 3308 nntnbb.exe 5056 vdjdp.exe 3172 9frfxxr.exe 2004 3thhbb.exe 2312 3rxrffx.exe 3924 ttbbtn.exe 1604 ddvpj.exe 1724 rxfrllf.exe 1108 5rlfxxl.exe 3296 hbtbhh.exe 1076 bntnbb.exe 4560 pddvv.exe 1252 thhbtt.exe 1380 9pvpd.exe 3148 3frllff.exe 1328 3xffxfx.exe 3808 httnnn.exe 4712 vpppd.exe 4256 fxlrfxl.exe 4524 btttnh.exe 4836 pvppd.exe 3944 rrlxxlf.exe 2772 5nhtbt.exe 4976 1jdvd.exe 1408 vdjjv.exe 3684 rxxxrll.exe 1284 hbbhtn.exe 2696 lxlfrrl.exe 4900 llrlllf.exe 4728 xrlfxxf.exe 1156 nhthbb.exe 2248 7vpjd.exe 3252 lrxrllf.exe 2332 hntthh.exe -
resource yara_rule behavioral2/memory/4700-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3036-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4940-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-674-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1348 wrote to memory of 4700 1348 576139be88c0450a55b37949f5035df870d92257db590c303df412704850bb5cN.exe 83 PID 1348 wrote to memory of 4700 1348 576139be88c0450a55b37949f5035df870d92257db590c303df412704850bb5cN.exe 83 PID 1348 wrote to memory of 4700 1348 576139be88c0450a55b37949f5035df870d92257db590c303df412704850bb5cN.exe 83 PID 4700 wrote to memory of 4836 4700 xfrxrxf.exe 84 PID 4700 wrote to memory of 4836 4700 xfrxrxf.exe 84 PID 4700 wrote to memory of 4836 4700 xfrxrxf.exe 84 PID 4836 wrote to memory of 4012 4836 nbnntn.exe 85 PID 4836 wrote to memory of 4012 4836 nbnntn.exe 85 PID 4836 wrote to memory of 4012 4836 nbnntn.exe 85 PID 4012 wrote to memory of 4160 4012 5xxlxrf.exe 86 PID 4012 wrote to memory of 4160 4012 5xxlxrf.exe 86 PID 4012 wrote to memory of 4160 4012 5xxlxrf.exe 86 PID 4160 wrote to memory of 4460 4160 3xrfrlf.exe 87 PID 4160 wrote to memory of 4460 4160 3xrfrlf.exe 87 PID 4160 wrote to memory of 4460 4160 3xrfrlf.exe 87 PID 4460 wrote to memory of 3528 4460 bbhtnh.exe 88 PID 4460 wrote to memory of 3528 4460 bbhtnh.exe 88 PID 4460 wrote to memory of 3528 4460 bbhtnh.exe 88 PID 3528 wrote to memory of 5004 3528 jjjjd.exe 89 PID 3528 wrote to memory of 5004 3528 jjjjd.exe 89 PID 3528 wrote to memory of 5004 3528 jjjjd.exe 89 PID 5004 wrote to memory of 1004 5004 xrxlfrr.exe 90 PID 5004 wrote to memory of 1004 5004 xrxlfrr.exe 90 PID 5004 wrote to memory of 1004 5004 xrxlfrr.exe 90 PID 1004 wrote to memory of 2376 1004 3hhbtn.exe 91 PID 1004 wrote to memory of 2376 1004 3hhbtn.exe 91 PID 1004 wrote to memory of 2376 1004 3hhbtn.exe 91 PID 2376 wrote to memory of 4788 2376 jvdpd.exe 92 PID 2376 wrote to memory of 4788 2376 jvdpd.exe 92 PID 2376 wrote to memory of 4788 2376 jvdpd.exe 92 PID 4788 wrote to memory of 4120 4788 1bbtnn.exe 93 PID 4788 wrote to memory of 4120 4788 1bbtnn.exe 93 PID 4788 wrote to memory of 4120 4788 1bbtnn.exe 93 PID 4120 wrote to memory of 3532 4120 vdjvv.exe 94 PID 4120 
wrote to memory of 3532 4120 vdjvv.exe 94 PID 4120 wrote to memory of 3532 4120 vdjvv.exe 94 PID 3532 wrote to memory of 2060 3532 hhnntn.exe 95 PID 3532 wrote to memory of 2060 3532 hhnntn.exe 95 PID 3532 wrote to memory of 2060 3532 hhnntn.exe 95 PID 2060 wrote to memory of 2216 2060 jdjvp.exe 96 PID 2060 wrote to memory of 2216 2060 jdjvp.exe 96 PID 2060 wrote to memory of 2216 2060 jdjvp.exe 96 PID 2216 wrote to memory of 4432 2216 tnbhth.exe 97 PID 2216 wrote to memory of 4432 2216 tnbhth.exe 97 PID 2216 wrote to memory of 4432 2216 tnbhth.exe 97 PID 4432 wrote to memory of 440 4432 dpvjd.exe 98 PID 4432 wrote to memory of 440 4432 dpvjd.exe 98 PID 4432 wrote to memory of 440 4432 dpvjd.exe 98 PID 440 wrote to memory of 3248 440 nhnhbb.exe 99 PID 440 wrote to memory of 3248 440 nhnhbb.exe 99 PID 440 wrote to memory of 3248 440 nhnhbb.exe 99 PID 3248 wrote to memory of 412 3248 fflxxrl.exe 100 PID 3248 wrote to memory of 412 3248 fflxxrl.exe 100 PID 3248 wrote to memory of 412 3248 fflxxrl.exe 100 PID 412 wrote to memory of 2512 412 5tthtn.exe 101 PID 412 wrote to memory of 2512 412 5tthtn.exe 101 PID 412 wrote to memory of 2512 412 5tthtn.exe 101 PID 2512 wrote to memory of 1132 2512 hnbtbb.exe 102 PID 2512 wrote to memory of 1132 2512 hnbtbb.exe 102 PID 2512 wrote to memory of 1132 2512 hnbtbb.exe 102 PID 1132 wrote to memory of 2392 1132 9xrlllr.exe 103 PID 1132 wrote to memory of 2392 1132 9xrlllr.exe 103 PID 1132 wrote to memory of 2392 1132 9xrlllr.exe 103 PID 2392 wrote to memory of 688 2392 bbnhhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\576139be88c0450a55b37949f5035df870d92257db590c303df412704850bb5cN.exe"C:\Users\Admin\AppData\Local\Temp\576139be88c0450a55b37949f5035df870d92257db590c303df412704850bb5cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\xfrxrxf.exec:\xfrxrxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\nbnntn.exec:\nbnntn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\5xxlxrf.exec:\5xxlxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\3xrfrlf.exec:\3xrfrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\bbhtnh.exec:\bbhtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\jjjjd.exec:\jjjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\xrxlfrr.exec:\xrxlfrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\3hhbtn.exec:\3hhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\jvdpd.exec:\jvdpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\1bbtnn.exec:\1bbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\vdjvv.exec:\vdjvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\hhnntn.exec:\hhnntn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\jdjvp.exec:\jdjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\tnbhth.exec:\tnbhth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\dpvjd.exec:\dpvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\nhnhbb.exec:\nhnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\fflxxrl.exec:\fflxxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\5tthtn.exec:\5tthtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\hnbtbb.exec:\hnbtbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\9xrlllr.exec:\9xrlllr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\bbnhhh.exec:\bbnhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\lrfxxxr.exec:\lrfxxxr.exe23⤵
- Executes dropped EXE
PID:688 -
\??\c:\httbbt.exec:\httbbt.exe24⤵
- Executes dropped EXE
PID:5112 -
\??\c:\dvpjd.exec:\dvpjd.exe25⤵
- Executes dropped EXE
PID:3792 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe26⤵
- Executes dropped EXE
PID:4272 -
\??\c:\hhhbtt.exec:\hhhbtt.exe27⤵
- Executes dropped EXE
PID:736 -
\??\c:\tnnbnh.exec:\tnnbnh.exe28⤵
- Executes dropped EXE
PID:2136 -
\??\c:\lxlfrrl.exec:\lxlfrrl.exe29⤵
- Executes dropped EXE
PID:2672 -
\??\c:\7hbtnn.exec:\7hbtnn.exe30⤵
- Executes dropped EXE
PID:3036 -
\??\c:\dvdjv.exec:\dvdjv.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4740 -
\??\c:\nntnbb.exec:\nntnbb.exe32⤵
- Executes dropped EXE
PID:3308 -
\??\c:\vdjdp.exec:\vdjdp.exe33⤵
- Executes dropped EXE
PID:5056 -
\??\c:\9frfxxr.exec:\9frfxxr.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3172 -
\??\c:\3thhbb.exec:\3thhbb.exe35⤵
- Executes dropped EXE
PID:2004 -
\??\c:\3rxrffx.exec:\3rxrffx.exe36⤵
- Executes dropped EXE
PID:2312 -
\??\c:\ttbbtn.exec:\ttbbtn.exe37⤵
- Executes dropped EXE
PID:3924 -
\??\c:\ddvpj.exec:\ddvpj.exe38⤵
- Executes dropped EXE
PID:1604 -
\??\c:\rxfrllf.exec:\rxfrllf.exe39⤵
- Executes dropped EXE
PID:1724 -
\??\c:\5rlfxxl.exec:\5rlfxxl.exe40⤵
- Executes dropped EXE
PID:1108 -
\??\c:\hbtbhh.exec:\hbtbhh.exe41⤵
- Executes dropped EXE
PID:3296 -
\??\c:\bntnbb.exec:\bntnbb.exe42⤵
- Executes dropped EXE
PID:1076 -
\??\c:\pddvv.exec:\pddvv.exe43⤵
- Executes dropped EXE
PID:4560 -
\??\c:\thhbtt.exec:\thhbtt.exe44⤵
- Executes dropped EXE
PID:1252 -
\??\c:\9pvpd.exec:\9pvpd.exe45⤵
- Executes dropped EXE
PID:1380 -
\??\c:\3frllff.exec:\3frllff.exe46⤵
- Executes dropped EXE
PID:3148 -
\??\c:\3xffxfx.exec:\3xffxfx.exe47⤵
- Executes dropped EXE
PID:1328 -
\??\c:\httnnn.exec:\httnnn.exe48⤵
- Executes dropped EXE
PID:3808 -
\??\c:\vpppd.exec:\vpppd.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4712 -
\??\c:\fxlrfxl.exec:\fxlrfxl.exe50⤵
- Executes dropped EXE
PID:4256 -
\??\c:\btttnh.exec:\btttnh.exe51⤵
- Executes dropped EXE
PID:4524 -
\??\c:\pvppd.exec:\pvppd.exe52⤵
- Executes dropped EXE
PID:4836 -
\??\c:\rrlxxlf.exec:\rrlxxlf.exe53⤵
- Executes dropped EXE
PID:3944 -
\??\c:\5nhtbt.exec:\5nhtbt.exe54⤵
- Executes dropped EXE
PID:2772 -
\??\c:\1jdvd.exec:\1jdvd.exe55⤵
- Executes dropped EXE
PID:4976 -
\??\c:\vdjjv.exec:\vdjjv.exe56⤵
- Executes dropped EXE
PID:1408 -
\??\c:\rxxxrll.exec:\rxxxrll.exe57⤵
- Executes dropped EXE
PID:3684 -
\??\c:\hbbhtn.exec:\hbbhtn.exe58⤵
- Executes dropped EXE
PID:1284 -
\??\c:\lxlfrrl.exec:\lxlfrrl.exe59⤵
- Executes dropped EXE
PID:2696 -
\??\c:\llrlllf.exec:\llrlllf.exe60⤵
- Executes dropped EXE
PID:4900 -
\??\c:\xrlfxxf.exec:\xrlfxxf.exe61⤵
- Executes dropped EXE
PID:4728 -
\??\c:\nhthbb.exec:\nhthbb.exe62⤵
- Executes dropped EXE
PID:1156 -
\??\c:\7vpjd.exec:\7vpjd.exe63⤵
- Executes dropped EXE
PID:2248 -
\??\c:\lrxrllf.exec:\lrxrllf.exe64⤵
- Executes dropped EXE
PID:3252 -
\??\c:\hntthh.exec:\hntthh.exe65⤵
- Executes dropped EXE
PID:2332 -
\??\c:\bnbtnn.exec:\bnbtnn.exe66⤵PID:3756
-
\??\c:\pjjvv.exec:\pjjvv.exe67⤵PID:3812
-
\??\c:\frxrrrx.exec:\frxrrrx.exe68⤵PID:2280
-
\??\c:\7rxlfrf.exec:\7rxlfrf.exe69⤵PID:1344
-
\??\c:\9tbthh.exec:\9tbthh.exe70⤵PID:4036
-
\??\c:\vpddd.exec:\vpddd.exe71⤵
- System Location Discovery: System Language Discovery
PID:4756 -
\??\c:\lrllxxr.exec:\lrllxxr.exe72⤵PID:2360
-
\??\c:\flrllff.exec:\flrllff.exe73⤵PID:1796
-
\??\c:\bnnbhb.exec:\bnnbhb.exe74⤵PID:3660
-
\??\c:\vppjv.exec:\vppjv.exe75⤵PID:4844
-
\??\c:\xfrlfff.exec:\xfrlfff.exe76⤵PID:2512
-
\??\c:\btbnhh.exec:\btbnhh.exe77⤵PID:1936
-
\??\c:\vdvpv.exec:\vdvpv.exe78⤵PID:1424
-
\??\c:\7jdpd.exec:\7jdpd.exe79⤵PID:980
-
\??\c:\xxrllff.exec:\xxrllff.exe80⤵PID:1860
-
\??\c:\hnbbnt.exec:\hnbbnt.exe81⤵PID:3340
-
\??\c:\vdppj.exec:\vdppj.exe82⤵PID:4132
-
\??\c:\5rlfrlf.exec:\5rlfrlf.exe83⤵PID:3632
-
\??\c:\1hhbhb.exec:\1hhbhb.exe84⤵PID:3440
-
\??\c:\9vdvd.exec:\9vdvd.exe85⤵PID:4940
-
\??\c:\5rffxxr.exec:\5rffxxr.exe86⤵PID:428
-
\??\c:\nbbtbh.exec:\nbbtbh.exe87⤵PID:1628
-
\??\c:\ddjvp.exec:\ddjvp.exe88⤵PID:4616
-
\??\c:\5vddv.exec:\5vddv.exe89⤵PID:3688
-
\??\c:\bbnbbn.exec:\bbnbbn.exe90⤵PID:2916
-
\??\c:\hhbbtt.exec:\hhbbtt.exe91⤵PID:984
-
\??\c:\vvjvp.exec:\vvjvp.exe92⤵PID:1720
-
\??\c:\3xllfxr.exec:\3xllfxr.exe93⤵PID:3424
-
\??\c:\nbnnnt.exec:\nbnnnt.exe94⤵PID:3896
-
\??\c:\hthbtt.exec:\hthbtt.exe95⤵PID:1988
-
\??\c:\vjvdd.exec:\vjvdd.exe96⤵PID:1728
-
\??\c:\rxxrffx.exec:\rxxrffx.exe97⤵PID:2312
-
\??\c:\5btnbb.exec:\5btnbb.exe98⤵PID:1992
-
\??\c:\jvdjv.exec:\jvdjv.exe99⤵PID:3612
-
\??\c:\rxrxfrf.exec:\rxrxfrf.exe100⤵PID:3620
-
\??\c:\3tnbtn.exec:\3tnbtn.exe101⤵PID:1208
-
\??\c:\vdvjv.exec:\vdvjv.exe102⤵PID:4200
-
\??\c:\ppvvp.exec:\ppvvp.exe103⤵PID:840
-
\??\c:\xffxlll.exec:\xffxlll.exe104⤵
- System Location Discovery: System Language Discovery
PID:4560 -
\??\c:\bbtntt.exec:\bbtntt.exe105⤵PID:1376
-
\??\c:\ddjvp.exec:\ddjvp.exe106⤵PID:1380
-
\??\c:\pppjd.exec:\pppjd.exe107⤵PID:2256
-
\??\c:\1xrrfxr.exec:\1xrrfxr.exe108⤵PID:4368
-
\??\c:\tthhbn.exec:\tthhbn.exe109⤵PID:1416
-
\??\c:\vppjj.exec:\vppjj.exe110⤵PID:2096
-
\??\c:\djjdv.exec:\djjdv.exe111⤵PID:4232
-
\??\c:\lrrlllr.exec:\lrrlllr.exe112⤵PID:3748
-
\??\c:\5ntnhh.exec:\5ntnhh.exe113⤵PID:228
-
\??\c:\jvdvj.exec:\jvdvj.exe114⤵PID:1692
-
\??\c:\lffxxxx.exec:\lffxxxx.exe115⤵
- System Location Discovery: System Language Discovery
PID:3796 -
\??\c:\tbhbhh.exec:\tbhbhh.exe116⤵PID:4460
-
\??\c:\hbhntn.exec:\hbhntn.exe117⤵PID:4376
-
\??\c:\jdvvj.exec:\jdvvj.exe118⤵PID:1816
-
\??\c:\lfflfxx.exec:\lfflfxx.exe119⤵PID:5004
-
\??\c:\httnnn.exec:\httnnn.exe120⤵PID:4880
-
\??\c:\5vjpd.exec:\5vjpd.exe121⤵PID:456
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe122⤵PID:4140