Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
25-12-2024 15:22
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
67fe89c7434a6f7b307a106b319ab27d5d7b35d88a306248f19dc6d049e892b4N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
67fe89c7434a6f7b307a106b319ab27d5d7b35d88a306248f19dc6d049e892b4N.exe
-
Size
454KB
-
MD5
d38c400eb5d526124627d1cf3f926ca0
-
SHA1
9ca172c71b903bf8611a5f4816efadeb42924d30
-
SHA256
67fe89c7434a6f7b307a106b319ab27d5d7b35d88a306248f19dc6d049e892b4
-
SHA512
c5adbd51511683c98049f16a78784ed28a5fd77212a63a3c13305477dd272c33e1041c10c7046e7236107a3770c4daed7bdd92e63a88f7b70906732da3a97065
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload — 62 IoCs. Every match below is the same `0x00400000–0x0042A000` image region, once per process in the chain (the initial process, PID 432, included), so this is one unpacked payload re-executed many times rather than 62 distinct artefacts. The `upx` YARA hits further down land on exactly the same region, which is consistent with a UPX-packed sample whose family match is made on the unpacked image in memory, not on the file on disk.
resource yara_rule behavioral2/memory/432-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3492-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4768-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-1201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing is capped at 64; the process tree below shows the chain continuing well past that). Each stage launches the next as a freshly dropped executable at the root of `c:\` whose name is a short pseudo-random string over a small letter set (`b d f h j l n p r t v x`, sometimes with a leading digit), so the file names themselves are not usable as IoCs. Hunt instead on the pattern — executables launched from the `c:\` root in a deep parent→child chain — and on the identical in-memory image region flagged by the family rule.
pid Process 3996 5rllrxf.exe 4324 bthnnt.exe 2876 hbbttt.exe 936 nhttnn.exe 4628 7vvvv.exe 4920 lfflrxf.exe 4848 rfrrflx.exe 3812 btbbbb.exe 1916 ppjpp.exe 2924 vdvvp.exe 812 rfffllr.exe 2988 ddjjj.exe 4600 xrxrrxx.exe 5092 nnbbhh.exe 2004 jvjjj.exe 2944 tnnnhh.exe 1688 xlfrflx.exe 3768 tbbnnn.exe 4736 dvjjp.exe 2828 7bhnnt.exe 4552 jjjdp.exe 5052 5fxrxfx.exe 744 lllxflf.exe 3492 dvjjp.exe 4276 hbhhnh.exe 4576 hthbbh.exe 2100 vvddd.exe 3672 ntnnhn.exe 4892 xxfxrrf.exe 4448 hbnnnn.exe 1504 jpvpp.exe 1920 vjvpv.exe 1256 llrrxff.exe 460 bnhhnn.exe 4072 5djpj.exe 1972 fffxrll.exe 3308 3ntnnh.exe 4760 bbttbh.exe 1724 ppvvd.exe 864 lfxflrl.exe 1620 bttnhb.exe 4440 1pvvd.exe 4840 fxxrxrf.exe 3604 hthbbb.exe 4120 jvjdv.exe 2324 xlrlfrr.exe 2728 ntnthn.exe 2912 nbnbtn.exe 4648 vvjvp.exe 2404 xlxfrll.exe 3728 5bhnnh.exe 1160 jdvpj.exe 4848 ffxxxrr.exe 2268 bbnhhh.exe 4980 ddjdd.exe 2212 xxllffl.exe 3584 lrrrlxr.exe 3648 tnnntt.exe 2360 vvddd.exe 2540 7rffxxr.exe 780 bhnnnn.exe 4484 ppvvp.exe 3164 pdpdj.exe 3180 rlxxxxr.exe -
resource yara_rule behavioral2/memory/432-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4576-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5084-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-688-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP (MITRE ATT&CK T1614.001), 64 IoCs (listing capped at 64)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Review note: every hit below is a read of `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language`, a key that ordinary locale-aware runtimes also open, so on its own this is a low-confidence indicator. The many `Process not Found` attributions suggest the short-lived stage processes had already exited by the time the event was resolved; pair this signature with the dropped-EXE chain rather than treating it as standalone evidence.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (listing capped at 64). Every entry is a parent writing three times into the child it has just spawned in the chain below; that looks like the writes the sandbox records during ordinary child-process start-up rather than injection into an unrelated process. Treat it as corroboration of the process chain, not as evidence of process injection on its own.
description pid Process procid_target PID 432 wrote to memory of 3996 432 67fe89c7434a6f7b307a106b319ab27d5d7b35d88a306248f19dc6d049e892b4N.exe 82 PID 432 wrote to memory of 3996 432 67fe89c7434a6f7b307a106b319ab27d5d7b35d88a306248f19dc6d049e892b4N.exe 82 PID 432 wrote to memory of 3996 432 67fe89c7434a6f7b307a106b319ab27d5d7b35d88a306248f19dc6d049e892b4N.exe 82 PID 3996 wrote to memory of 4324 3996 5rllrxf.exe 83 PID 3996 wrote to memory of 4324 3996 5rllrxf.exe 83 PID 3996 wrote to memory of 4324 3996 5rllrxf.exe 83 PID 4324 wrote to memory of 2876 4324 bthnnt.exe 84 PID 4324 wrote to memory of 2876 4324 bthnnt.exe 84 PID 4324 wrote to memory of 2876 4324 bthnnt.exe 84 PID 2876 wrote to memory of 936 2876 hbbttt.exe 85 PID 2876 wrote to memory of 936 2876 hbbttt.exe 85 PID 2876 wrote to memory of 936 2876 hbbttt.exe 85 PID 936 wrote to memory of 4628 936 nhttnn.exe 86 PID 936 wrote to memory of 4628 936 nhttnn.exe 86 PID 936 wrote to memory of 4628 936 nhttnn.exe 86 PID 4628 wrote to memory of 4920 4628 7vvvv.exe 87 PID 4628 wrote to memory of 4920 4628 7vvvv.exe 87 PID 4628 wrote to memory of 4920 4628 7vvvv.exe 87 PID 4920 wrote to memory of 4848 4920 lfflrxf.exe 88 PID 4920 wrote to memory of 4848 4920 lfflrxf.exe 88 PID 4920 wrote to memory of 4848 4920 lfflrxf.exe 88 PID 4848 wrote to memory of 3812 4848 rfrrflx.exe 89 PID 4848 wrote to memory of 3812 4848 rfrrflx.exe 89 PID 4848 wrote to memory of 3812 4848 rfrrflx.exe 89 PID 3812 wrote to memory of 1916 3812 btbbbb.exe 90 PID 3812 wrote to memory of 1916 3812 btbbbb.exe 90 PID 3812 wrote to memory of 1916 3812 btbbbb.exe 90 PID 1916 wrote to memory of 2924 1916 ppjpp.exe 91 PID 1916 wrote to memory of 2924 1916 ppjpp.exe 91 PID 1916 wrote to memory of 2924 1916 ppjpp.exe 91 PID 2924 wrote to memory of 812 2924 vdvvp.exe 92 PID 2924 wrote to memory of 812 2924 vdvvp.exe 92 PID 2924 wrote to memory of 812 2924 vdvvp.exe 92 PID 812 wrote to memory of 2988 812 rfffllr.exe 93 PID 812 wrote to memory of 2988 812 
rfffllr.exe 93 PID 812 wrote to memory of 2988 812 rfffllr.exe 93 PID 2988 wrote to memory of 4600 2988 ddjjj.exe 94 PID 2988 wrote to memory of 4600 2988 ddjjj.exe 94 PID 2988 wrote to memory of 4600 2988 ddjjj.exe 94 PID 4600 wrote to memory of 5092 4600 xrxrrxx.exe 95 PID 4600 wrote to memory of 5092 4600 xrxrrxx.exe 95 PID 4600 wrote to memory of 5092 4600 xrxrrxx.exe 95 PID 5092 wrote to memory of 2004 5092 nnbbhh.exe 96 PID 5092 wrote to memory of 2004 5092 nnbbhh.exe 96 PID 5092 wrote to memory of 2004 5092 nnbbhh.exe 96 PID 2004 wrote to memory of 2944 2004 jvjjj.exe 97 PID 2004 wrote to memory of 2944 2004 jvjjj.exe 97 PID 2004 wrote to memory of 2944 2004 jvjjj.exe 97 PID 2944 wrote to memory of 1688 2944 tnnnhh.exe 98 PID 2944 wrote to memory of 1688 2944 tnnnhh.exe 98 PID 2944 wrote to memory of 1688 2944 tnnnhh.exe 98 PID 1688 wrote to memory of 3768 1688 xlfrflx.exe 99 PID 1688 wrote to memory of 3768 1688 xlfrflx.exe 99 PID 1688 wrote to memory of 3768 1688 xlfrflx.exe 99 PID 3768 wrote to memory of 4736 3768 tbbnnn.exe 100 PID 3768 wrote to memory of 4736 3768 tbbnnn.exe 100 PID 3768 wrote to memory of 4736 3768 tbbnnn.exe 100 PID 4736 wrote to memory of 2828 4736 dvjjp.exe 101 PID 4736 wrote to memory of 2828 4736 dvjjp.exe 101 PID 4736 wrote to memory of 2828 4736 dvjjp.exe 101 PID 2828 wrote to memory of 4552 2828 7bhnnt.exe 102 PID 2828 wrote to memory of 4552 2828 7bhnnt.exe 102 PID 2828 wrote to memory of 4552 2828 7bhnnt.exe 102 PID 4552 wrote to memory of 5052 4552 jjjdp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\67fe89c7434a6f7b307a106b319ab27d5d7b35d88a306248f19dc6d049e892b4N.exe"C:\Users\Admin\AppData\Local\Temp\67fe89c7434a6f7b307a106b319ab27d5d7b35d88a306248f19dc6d049e892b4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\5rllrxf.exec:\5rllrxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\bthnnt.exec:\bthnnt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\hbbttt.exec:\hbbttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\nhttnn.exec:\nhttnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\7vvvv.exec:\7vvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\lfflrxf.exec:\lfflrxf.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\rfrrflx.exec:\rfrrflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\btbbbb.exec:\btbbbb.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\ppjpp.exec:\ppjpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\vdvvp.exec:\vdvvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\rfffllr.exec:\rfffllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\ddjjj.exec:\ddjjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\xrxrrxx.exec:\xrxrrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\nnbbhh.exec:\nnbbhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\jvjjj.exec:\jvjjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\tnnnhh.exec:\tnnnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\xlfrflx.exec:\xlfrflx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\tbbnnn.exec:\tbbnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\dvjjp.exec:\dvjjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\7bhnnt.exec:\7bhnnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\jjjdp.exec:\jjjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\5fxrxfx.exec:\5fxrxfx.exe23⤵
- Executes dropped EXE
PID:5052 -
\??\c:\lllxflf.exec:\lllxflf.exe24⤵
- Executes dropped EXE
PID:744 -
\??\c:\dvjjp.exec:\dvjjp.exe25⤵
- Executes dropped EXE
PID:3492 -
\??\c:\hbhhnh.exec:\hbhhnh.exe26⤵
- Executes dropped EXE
PID:4276 -
\??\c:\hthbbh.exec:\hthbbh.exe27⤵
- Executes dropped EXE
PID:4576 -
\??\c:\vvddd.exec:\vvddd.exe28⤵
- Executes dropped EXE
PID:2100 -
\??\c:\ntnnhn.exec:\ntnnhn.exe29⤵
- Executes dropped EXE
PID:3672 -
\??\c:\xxfxrrf.exec:\xxfxrrf.exe30⤵
- Executes dropped EXE
PID:4892 -
\??\c:\hbnnnn.exec:\hbnnnn.exe31⤵
- Executes dropped EXE
PID:4448 -
\??\c:\jpvpp.exec:\jpvpp.exe32⤵
- Executes dropped EXE
PID:1504 -
\??\c:\vjvpv.exec:\vjvpv.exe33⤵
- Executes dropped EXE
PID:1920 -
\??\c:\llrrxff.exec:\llrrxff.exe34⤵
- Executes dropped EXE
PID:1256 -
\??\c:\bnhhnn.exec:\bnhhnn.exe35⤵
- Executes dropped EXE
PID:460 -
\??\c:\5djpj.exec:\5djpj.exe36⤵
- Executes dropped EXE
PID:4072 -
\??\c:\fffxrll.exec:\fffxrll.exe37⤵
- Executes dropped EXE
PID:1972 -
\??\c:\3ntnnh.exec:\3ntnnh.exe38⤵
- Executes dropped EXE
PID:3308 -
\??\c:\bbttbh.exec:\bbttbh.exe39⤵
- Executes dropped EXE
PID:4760 -
\??\c:\ppvvd.exec:\ppvvd.exe40⤵
- Executes dropped EXE
PID:1724 -
\??\c:\lfxflrl.exec:\lfxflrl.exe41⤵
- Executes dropped EXE
PID:864 -
\??\c:\bttnhb.exec:\bttnhb.exe42⤵
- Executes dropped EXE
PID:1620 -
\??\c:\1pvvd.exec:\1pvvd.exe43⤵
- Executes dropped EXE
PID:4440 -
\??\c:\fxxrxrf.exec:\fxxrxrf.exe44⤵
- Executes dropped EXE
PID:4840 -
\??\c:\hthbbb.exec:\hthbbb.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604 -
\??\c:\jvjdv.exec:\jvjdv.exe46⤵
- Executes dropped EXE
PID:4120 -
\??\c:\xlrlfrr.exec:\xlrlfrr.exe47⤵
- Executes dropped EXE
PID:2324 -
\??\c:\ntnthn.exec:\ntnthn.exe48⤵
- Executes dropped EXE
PID:2728 -
\??\c:\nbnbtn.exec:\nbnbtn.exe49⤵
- Executes dropped EXE
PID:2912 -
\??\c:\vvjvp.exec:\vvjvp.exe50⤵
- Executes dropped EXE
PID:4648 -
\??\c:\xlxfrll.exec:\xlxfrll.exe51⤵
- Executes dropped EXE
PID:2404 -
\??\c:\5bhnnh.exec:\5bhnnh.exe52⤵
- Executes dropped EXE
PID:3728 -
\??\c:\jdvpj.exec:\jdvpj.exe53⤵
- Executes dropped EXE
PID:1160 -
\??\c:\ffxxxrr.exec:\ffxxxrr.exe54⤵
- Executes dropped EXE
PID:4848 -
\??\c:\bbnhhh.exec:\bbnhhh.exe55⤵
- Executes dropped EXE
PID:2268 -
\??\c:\ddjdd.exec:\ddjdd.exe56⤵
- Executes dropped EXE
PID:4980 -
\??\c:\xxllffl.exec:\xxllffl.exe57⤵
- Executes dropped EXE
PID:2212 -
\??\c:\lrrrlxr.exec:\lrrrlxr.exe58⤵
- Executes dropped EXE
PID:3584 -
\??\c:\tnnntt.exec:\tnnntt.exe59⤵
- Executes dropped EXE
PID:3648 -
\??\c:\vvddd.exec:\vvddd.exe60⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7rffxxr.exec:\7rffxxr.exe61⤵
- Executes dropped EXE
PID:2540 -
\??\c:\bhnnnn.exec:\bhnnnn.exe62⤵
- Executes dropped EXE
PID:780 -
\??\c:\ppvvp.exec:\ppvvp.exe63⤵
- Executes dropped EXE
PID:4484 -
\??\c:\pdpdj.exec:\pdpdj.exe64⤵
- Executes dropped EXE
PID:3164 -
\??\c:\rlxxxxr.exec:\rlxxxxr.exe65⤵
- Executes dropped EXE
PID:3180 -
\??\c:\7tnhhh.exec:\7tnhhh.exe66⤵PID:5020
-
\??\c:\vpvvv.exec:\vpvvv.exe67⤵PID:4080
-
\??\c:\ffrrlll.exec:\ffrrlll.exe68⤵PID:3008
-
\??\c:\nbnnnb.exec:\nbnnnb.exe69⤵PID:2668
-
\??\c:\thtnnn.exec:\thtnnn.exe70⤵PID:1928
-
\??\c:\djjjj.exec:\djjjj.exe71⤵PID:2120
-
\??\c:\3rfxxxx.exec:\3rfxxxx.exe72⤵PID:4888
-
\??\c:\thttnn.exec:\thttnn.exe73⤵PID:4768
-
\??\c:\vpjjj.exec:\vpjjj.exe74⤵PID:1948
-
\??\c:\dvdvp.exec:\dvdvp.exe75⤵PID:3284
-
\??\c:\rfrfxlx.exec:\rfrfxlx.exe76⤵PID:5084
-
\??\c:\nthnth.exec:\nthnth.exe77⤵PID:2500
-
\??\c:\vpjjd.exec:\vpjjd.exe78⤵PID:4008
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe79⤵PID:3492
-
\??\c:\bhhbtt.exec:\bhhbtt.exe80⤵PID:964
-
\??\c:\vjvvp.exec:\vjvvp.exe81⤵PID:1188
-
\??\c:\xlllfll.exec:\xlllfll.exe82⤵PID:1216
-
\??\c:\7ntnht.exec:\7ntnht.exe83⤵PID:4640
-
\??\c:\ttbtbb.exec:\ttbtbb.exe84⤵PID:2100
-
\??\c:\dpddd.exec:\dpddd.exe85⤵PID:4152
-
\??\c:\frrlffx.exec:\frrlffx.exe86⤵PID:3428
-
\??\c:\bbnntb.exec:\bbnntb.exe87⤵PID:776
-
\??\c:\vpvvv.exec:\vpvvv.exe88⤵PID:2784
-
\??\c:\3jpdv.exec:\3jpdv.exe89⤵PID:3368
-
\??\c:\rlxrrrr.exec:\rlxrrrr.exe90⤵PID:3356
-
\??\c:\1tthbb.exec:\1tthbb.exe91⤵PID:4996
-
\??\c:\dpjjj.exec:\dpjjj.exe92⤵PID:2704
-
\??\c:\rflfffx.exec:\rflfffx.exe93⤵PID:3660
-
\??\c:\htbbnt.exec:\htbbnt.exe94⤵PID:4348
-
\??\c:\thttbn.exec:\thttbn.exe95⤵PID:3424
-
\??\c:\jddvp.exec:\jddvp.exe96⤵PID:1832
-
\??\c:\rfrlxrl.exec:\rfrlxrl.exe97⤵PID:3904
-
\??\c:\fxfxxrl.exec:\fxfxxrl.exe98⤵PID:4968
-
\??\c:\hhnnnn.exec:\hhnnnn.exe99⤵PID:876
-
\??\c:\dpjjj.exec:\dpjjj.exe100⤵PID:3824
-
\??\c:\vvjjd.exec:\vvjjd.exe101⤵PID:4992
-
\??\c:\xffxrrf.exec:\xffxrrf.exe102⤵PID:4584
-
\??\c:\nhhbhb.exec:\nhhbhb.exe103⤵PID:4900
-
\??\c:\hnbhtb.exec:\hnbhtb.exe104⤵PID:4316
-
\??\c:\jddvp.exec:\jddvp.exe105⤵PID:3096
-
\??\c:\9lxrrrf.exec:\9lxrrrf.exe106⤵PID:3816
-
\??\c:\bhnhbb.exec:\bhnhbb.exe107⤵PID:3420
-
\??\c:\vjvjj.exec:\vjvjj.exe108⤵PID:4340
-
\??\c:\jjjjv.exec:\jjjjv.exe109⤵PID:3840
-
\??\c:\rllffff.exec:\rllffff.exe110⤵PID:2488
-
\??\c:\tnnhbb.exec:\tnnhbb.exe111⤵PID:1580
-
\??\c:\bbbbtt.exec:\bbbbtt.exe112⤵PID:1532
-
\??\c:\pjppd.exec:\pjppd.exe113⤵PID:1528
-
\??\c:\7llfrll.exec:\7llfrll.exe114⤵PID:3804
-
\??\c:\xrrrlrl.exec:\xrrrlrl.exe115⤵PID:5032
-
\??\c:\hhtnhh.exec:\hhtnhh.exe116⤵PID:3140
-
\??\c:\pjpdv.exec:\pjpdv.exe117⤵PID:3500
-
\??\c:\xrxrffx.exec:\xrxrffx.exe118⤵PID:3060
-
\??\c:\1btnnt.exec:\1btnnt.exe119⤵PID:4532
-
\??\c:\pvjdd.exec:\pvjdd.exe120⤵PID:1672
-
\??\c:\frxlfxx.exec:\frxlfxx.exe121⤵PID:2212
-
\??\c:\lflrrxx.exec:\lflrrxx.exe122⤵PID:968