Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe
-
Size
453KB
-
MD5
483c5dbbd2ad5cfedd2e7e1c0ed6b6ac
-
SHA1
21778785e8b4e0875817b1e07f059c2e95f18be5
-
SHA256
3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4
-
SHA512
c479e66f7b441e96c897913a1e6ffa20a88ab194ef4e771a31359a2c6ab165a7057fdb43ea84859f37b475b57a29210650d20c0df81ebcf12d9c116a846b4a94
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/396-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4104-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4504-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-838-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-1036-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-1175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3528-1438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3620 nntntn.exe 1332 bbnhnn.exe 4348 tnttth.exe 4312 7dppp.exe 1916 hbhbtb.exe 2936 xllffxx.exe 3628 hntnhb.exe 4220 flrrrrl.exe 1988 jvjdv.exe 208 tnnhbt.exe 3948 ddpdj.exe 1004 frxrllf.exe 5060 nbbbnn.exe 2408 9pvjj.exe 4976 dvvpj.exe 3036 5fxxrxr.exe 2116 bbbttn.exe 1196 hthbbh.exe 4816 hbbbth.exe 5044 bbnhnt.exe 4472 1fllrrx.exe 4836 nhnhht.exe 3152 vpppp.exe 4104 bthbbt.exe 4504 djjdv.exe 1152 tbbthh.exe 744 llfrfrr.exe 2324 thnhbb.exe 2692 vdpdj.exe 1044 rxxrllf.exe 3540 nhnhth.exe 3836 rfxlxlr.exe 2688 xflfrlr.exe 116 9ttnhh.exe 2888 pdpdd.exe 4652 ntbtnn.exe 1812 thnnbb.exe 2512 1djjd.exe 3624 xfxrrxr.exe 4292 bntnhb.exe 4860 ddvpd.exe 396 xffxlff.exe 3620 1xrllll.exe 816 3hnhbb.exe 1332 5vvvp.exe 540 xllxrlf.exe 4820 5rfxrrr.exe 1508 nhbhth.exe 2352 jdpjp.exe 1992 rllxfxx.exe 2404 hhnhnh.exe 2936 pdpjd.exe 5076 jdvpp.exe 4468 lrlrxrx.exe 4360 tnnnnh.exe 2932 hhhnbn.exe 1632 jpddv.exe 5116 rllfrrl.exe 1088 bbhbbb.exe 208 bttttb.exe 3632 jppjv.exe 1980 xrrlxxr.exe 2276 rllfrlf.exe 2080 hbhbhb.exe -
resource yara_rule behavioral2/memory/396-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1152-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-398-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1812-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-838-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 396 wrote to memory of 3620 396 3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe 83 PID 396 wrote to memory of 3620 396 3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe 83 PID 396 wrote to memory of 3620 396 3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe 83 PID 3620 wrote to memory of 1332 3620 nntntn.exe 84 PID 3620 wrote to memory of 1332 3620 nntntn.exe 84 PID 3620 wrote to memory of 1332 3620 nntntn.exe 84 PID 1332 wrote to memory of 4348 1332 bbnhnn.exe 85 PID 1332 wrote to memory of 4348 1332 bbnhnn.exe 85 PID 1332 wrote to memory of 4348 1332 bbnhnn.exe 85 PID 4348 wrote to memory of 4312 4348 tnttth.exe 86 PID 4348 wrote to memory of 4312 4348 tnttth.exe 86 PID 4348 wrote to memory of 4312 4348 tnttth.exe 86 PID 4312 wrote to memory of 1916 4312 7dppp.exe 87 PID 4312 wrote to memory of 1916 4312 7dppp.exe 87 PID 4312 wrote to memory of 1916 4312 7dppp.exe 87 PID 1916 wrote to memory of 2936 1916 hbhbtb.exe 88 PID 1916 wrote to memory of 2936 1916 hbhbtb.exe 88 PID 1916 wrote to memory of 2936 1916 hbhbtb.exe 88 PID 2936 wrote to memory of 3628 2936 xllffxx.exe 89 PID 2936 wrote to memory of 3628 2936 xllffxx.exe 89 PID 2936 wrote to memory of 3628 2936 xllffxx.exe 89 PID 3628 wrote to memory of 4220 3628 hntnhb.exe 90 PID 3628 wrote to memory of 4220 3628 hntnhb.exe 90 PID 3628 wrote to memory of 4220 3628 hntnhb.exe 90 PID 4220 wrote to memory of 1988 4220 flrrrrl.exe 91 PID 4220 wrote to memory of 1988 4220 flrrrrl.exe 91 PID 4220 wrote to memory of 1988 4220 flrrrrl.exe 91 PID 1988 wrote to memory of 208 1988 jvjdv.exe 92 PID 1988 wrote to memory of 208 1988 jvjdv.exe 92 PID 1988 wrote to memory of 208 1988 jvjdv.exe 92 PID 208 wrote to memory of 3948 208 tnnhbt.exe 93 PID 208 wrote to memory of 3948 208 tnnhbt.exe 93 PID 208 wrote to memory of 3948 208 tnnhbt.exe 93 PID 3948 wrote to memory of 1004 3948 ddpdj.exe 94 PID 3948 wrote to memory of 1004 
3948 ddpdj.exe 94 PID 3948 wrote to memory of 1004 3948 ddpdj.exe 94 PID 1004 wrote to memory of 5060 1004 frxrllf.exe 95 PID 1004 wrote to memory of 5060 1004 frxrllf.exe 95 PID 1004 wrote to memory of 5060 1004 frxrllf.exe 95 PID 5060 wrote to memory of 2408 5060 nbbbnn.exe 96 PID 5060 wrote to memory of 2408 5060 nbbbnn.exe 96 PID 5060 wrote to memory of 2408 5060 nbbbnn.exe 96 PID 2408 wrote to memory of 4976 2408 9pvjj.exe 97 PID 2408 wrote to memory of 4976 2408 9pvjj.exe 97 PID 2408 wrote to memory of 4976 2408 9pvjj.exe 97 PID 4976 wrote to memory of 3036 4976 dvvpj.exe 98 PID 4976 wrote to memory of 3036 4976 dvvpj.exe 98 PID 4976 wrote to memory of 3036 4976 dvvpj.exe 98 PID 3036 wrote to memory of 2116 3036 5fxxrxr.exe 99 PID 3036 wrote to memory of 2116 3036 5fxxrxr.exe 99 PID 3036 wrote to memory of 2116 3036 5fxxrxr.exe 99 PID 2116 wrote to memory of 1196 2116 bbbttn.exe 100 PID 2116 wrote to memory of 1196 2116 bbbttn.exe 100 PID 2116 wrote to memory of 1196 2116 bbbttn.exe 100 PID 1196 wrote to memory of 4816 1196 hthbbh.exe 101 PID 1196 wrote to memory of 4816 1196 hthbbh.exe 101 PID 1196 wrote to memory of 4816 1196 hthbbh.exe 101 PID 4816 wrote to memory of 5044 4816 hbbbth.exe 102 PID 4816 wrote to memory of 5044 4816 hbbbth.exe 102 PID 4816 wrote to memory of 5044 4816 hbbbth.exe 102 PID 5044 wrote to memory of 4472 5044 bbnhnt.exe 103 PID 5044 wrote to memory of 4472 5044 bbnhnt.exe 103 PID 5044 wrote to memory of 4472 5044 bbnhnt.exe 103 PID 4472 wrote to memory of 4836 4472 1fllrrx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe"C:\Users\Admin\AppData\Local\Temp\3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\nntntn.exec:\nntntn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\bbnhnn.exec:\bbnhnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\tnttth.exec:\tnttth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\7dppp.exec:\7dppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\hbhbtb.exec:\hbhbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\xllffxx.exec:\xllffxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\hntnhb.exec:\hntnhb.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\flrrrrl.exec:\flrrrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\jvjdv.exec:\jvjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\tnnhbt.exec:\tnnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\ddpdj.exec:\ddpdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\frxrllf.exec:\frxrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\nbbbnn.exec:\nbbbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\9pvjj.exec:\9pvjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\dvvpj.exec:\dvvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\5fxxrxr.exec:\5fxxrxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\bbbttn.exec:\bbbttn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\hthbbh.exec:\hthbbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\hbbbth.exec:\hbbbth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\bbnhnt.exec:\bbnhnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\1fllrrx.exec:\1fllrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\nhnhht.exec:\nhnhht.exe23⤵
- Executes dropped EXE
PID:4836 -
\??\c:\vpppp.exec:\vpppp.exe24⤵
- Executes dropped EXE
PID:3152 -
\??\c:\bthbbt.exec:\bthbbt.exe25⤵
- Executes dropped EXE
PID:4104 -
\??\c:\djjdv.exec:\djjdv.exe26⤵
- Executes dropped EXE
PID:4504 -
\??\c:\tbbthh.exec:\tbbthh.exe27⤵
- Executes dropped EXE
PID:1152 -
\??\c:\llfrfrr.exec:\llfrfrr.exe28⤵
- Executes dropped EXE
PID:744 -
\??\c:\thnhbb.exec:\thnhbb.exe29⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vdpdj.exec:\vdpdj.exe30⤵
- Executes dropped EXE
PID:2692 -
\??\c:\rxxrllf.exec:\rxxrllf.exe31⤵
- Executes dropped EXE
PID:1044 -
\??\c:\nhnhth.exec:\nhnhth.exe32⤵
- Executes dropped EXE
PID:3540 -
\??\c:\rfxlxlr.exec:\rfxlxlr.exe33⤵
- Executes dropped EXE
PID:3836 -
\??\c:\xflfrlr.exec:\xflfrlr.exe34⤵
- Executes dropped EXE
PID:2688 -
\??\c:\9ttnhh.exec:\9ttnhh.exe35⤵
- Executes dropped EXE
PID:116 -
\??\c:\pdpdd.exec:\pdpdd.exe36⤵
- Executes dropped EXE
PID:2888 -
\??\c:\ntbtnn.exec:\ntbtnn.exe37⤵
- Executes dropped EXE
PID:4652 -
\??\c:\thnnbb.exec:\thnnbb.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812 -
\??\c:\1djjd.exec:\1djjd.exe39⤵
- Executes dropped EXE
PID:2512 -
\??\c:\xfxrrxr.exec:\xfxrrxr.exe40⤵
- Executes dropped EXE
PID:3624 -
\??\c:\bntnhb.exec:\bntnhb.exe41⤵
- Executes dropped EXE
PID:4292 -
\??\c:\ddvpd.exec:\ddvpd.exe42⤵
- Executes dropped EXE
PID:4860 -
\??\c:\xffxlff.exec:\xffxlff.exe43⤵
- Executes dropped EXE
PID:396 -
\??\c:\1xrllll.exec:\1xrllll.exe44⤵
- Executes dropped EXE
PID:3620 -
\??\c:\3hnhbb.exec:\3hnhbb.exe45⤵
- Executes dropped EXE
PID:816 -
\??\c:\5vvvp.exec:\5vvvp.exe46⤵
- Executes dropped EXE
PID:1332 -
\??\c:\xllxrlf.exec:\xllxrlf.exe47⤵
- Executes dropped EXE
PID:540 -
\??\c:\5rfxrrr.exec:\5rfxrrr.exe48⤵
- Executes dropped EXE
PID:4820 -
\??\c:\nhbhth.exec:\nhbhth.exe49⤵
- Executes dropped EXE
PID:1508 -
\??\c:\jdpjp.exec:\jdpjp.exe50⤵
- Executes dropped EXE
PID:2352 -
\??\c:\rllxfxx.exec:\rllxfxx.exe51⤵
- Executes dropped EXE
PID:1992 -
\??\c:\hhnhnh.exec:\hhnhnh.exe52⤵
- Executes dropped EXE
PID:2404 -
\??\c:\pdpjd.exec:\pdpjd.exe53⤵
- Executes dropped EXE
PID:2936 -
\??\c:\jdvpp.exec:\jdvpp.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5076 -
\??\c:\lrlrxrx.exec:\lrlrxrx.exe55⤵
- Executes dropped EXE
PID:4468 -
\??\c:\tnnnnh.exec:\tnnnnh.exe56⤵
- Executes dropped EXE
PID:4360 -
\??\c:\hhhnbn.exec:\hhhnbn.exe57⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jpddv.exec:\jpddv.exe58⤵
- Executes dropped EXE
PID:1632 -
\??\c:\rllfrrl.exec:\rllfrrl.exe59⤵
- Executes dropped EXE
PID:5116 -
\??\c:\bbhbbb.exec:\bbhbbb.exe60⤵
- Executes dropped EXE
PID:1088 -
\??\c:\bttttb.exec:\bttttb.exe61⤵
- Executes dropped EXE
PID:208 -
\??\c:\jppjv.exec:\jppjv.exe62⤵
- Executes dropped EXE
PID:3632 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe63⤵
- Executes dropped EXE
PID:1980 -
\??\c:\rllfrlf.exec:\rllfrlf.exe64⤵
- Executes dropped EXE
PID:2276 -
\??\c:\hbhbhb.exec:\hbhbhb.exe65⤵
- Executes dropped EXE
PID:2080 -
\??\c:\jpppj.exec:\jpppj.exe66⤵PID:848
-
\??\c:\rflfrrl.exec:\rflfrrl.exe67⤵PID:2660
-
\??\c:\9rfrlfr.exec:\9rfrlfr.exe68⤵PID:4732
-
\??\c:\3nnhbh.exec:\3nnhbh.exe69⤵PID:2024
-
\??\c:\jvvjj.exec:\jvvjj.exe70⤵PID:676
-
\??\c:\rxxxxxr.exec:\rxxxxxr.exe71⤵PID:4432
-
\??\c:\xfflllf.exec:\xfflllf.exe72⤵PID:4984
-
\??\c:\pvvpd.exec:\pvvpd.exe73⤵PID:1196
-
\??\c:\xflfflf.exec:\xflfflf.exe74⤵PID:4160
-
\??\c:\bnbttt.exec:\bnbttt.exe75⤵PID:1456
-
\??\c:\nhtnhh.exec:\nhtnhh.exe76⤵PID:1052
-
\??\c:\pdpjv.exec:\pdpjv.exe77⤵PID:784
-
\??\c:\rrrlrxf.exec:\rrrlrxf.exe78⤵PID:4836
-
\??\c:\3bhtht.exec:\3bhtht.exe79⤵PID:2876
-
\??\c:\jdjdv.exec:\jdjdv.exe80⤵PID:4872
-
\??\c:\xrlrlrl.exec:\xrlrlrl.exe81⤵PID:4460
-
\??\c:\rrlfxxr.exec:\rrlfxxr.exe82⤵PID:4716
-
\??\c:\tbhhhn.exec:\tbhhhn.exe83⤵PID:4504
-
\??\c:\9ppvj.exec:\9ppvj.exe84⤵PID:4184
-
\??\c:\dpjdp.exec:\dpjdp.exe85⤵PID:1280
-
\??\c:\rxlfrrl.exec:\rxlfrrl.exe86⤵PID:996
-
\??\c:\bbbbtn.exec:\bbbbtn.exe87⤵PID:1900
-
\??\c:\9djdv.exec:\9djdv.exe88⤵PID:2692
-
\??\c:\7vpvv.exec:\7vpvv.exe89⤵PID:1044
-
\??\c:\xrfllfl.exec:\xrfllfl.exe90⤵PID:3488
-
\??\c:\3ttnhh.exec:\3ttnhh.exe91⤵PID:4888
-
\??\c:\jddvp.exec:\jddvp.exe92⤵PID:3836
-
\??\c:\3vvpj.exec:\3vvpj.exe93⤵PID:4480
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe94⤵PID:2688
-
\??\c:\tbhthh.exec:\tbhthh.exe95⤵PID:116
-
\??\c:\hbbbnn.exec:\hbbbnn.exe96⤵PID:2888
-
\??\c:\ddvvv.exec:\ddvvv.exe97⤵PID:4652
-
\??\c:\lfffxxx.exec:\lfffxxx.exe98⤵PID:1812
-
\??\c:\nbhbtt.exec:\nbhbtt.exe99⤵PID:3636
-
\??\c:\thhnbt.exec:\thhnbt.exe100⤵PID:1436
-
\??\c:\jpdpd.exec:\jpdpd.exe101⤵PID:4292
-
\??\c:\rflxrlf.exec:\rflxrlf.exe102⤵PID:4860
-
\??\c:\hbnhbt.exec:\hbnhbt.exe103⤵PID:436
-
\??\c:\ddvvv.exec:\ddvvv.exe104⤵PID:3620
-
\??\c:\ppvvp.exec:\ppvvp.exe105⤵PID:4656
-
\??\c:\rflfrrl.exec:\rflfrrl.exe106⤵PID:4728
-
\??\c:\hhnhbb.exec:\hhnhbb.exe107⤵PID:2900
-
\??\c:\pjpjd.exec:\pjpjd.exe108⤵PID:4820
-
\??\c:\jpvpj.exec:\jpvpj.exe109⤵PID:392
-
\??\c:\7xfrllf.exec:\7xfrllf.exe110⤵PID:1904
-
\??\c:\bbbtnb.exec:\bbbtnb.exe111⤵PID:4856
-
\??\c:\nhnhhn.exec:\nhnhhn.exe112⤵PID:4620
-
\??\c:\7pdvv.exec:\7pdvv.exe113⤵PID:1568
-
\??\c:\lfxxxxl.exec:\lfxxxxl.exe114⤵PID:4236
-
\??\c:\fxfxfff.exec:\fxfxfff.exe115⤵PID:1048
-
\??\c:\nbbtnh.exec:\nbbtnh.exe116⤵
- System Location Discovery: System Language Discovery
PID:552 -
\??\c:\dvpdv.exec:\dvpdv.exe117⤵PID:1852
-
\??\c:\jjjvp.exec:\jjjvp.exe118⤵PID:2428
-
\??\c:\rrlfrrr.exec:\rrlfrrr.exe119⤵PID:3928
-
\??\c:\thhhnh.exec:\thhhnh.exe120⤵PID:1236
-
\??\c:\thnhtt.exec:\thnhtt.exe121⤵PID:2476
-
\??\c:\ddjvj.exec:\ddjvj.exe122⤵PID:1888