Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
45329048c83aaabf853c8536315f5f77f84e419f6d70387e926a7440def8baebN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
45329048c83aaabf853c8536315f5f77f84e419f6d70387e926a7440def8baebN.exe
-
Size
453KB
-
MD5
559114a8d7608c85d756a0fd74a03300
-
SHA1
d5f65f8285b083aeaf48eda36a14f8c399a029b4
-
SHA256
45329048c83aaabf853c8536315f5f77f84e419f6d70387e926a7440def8baeb
-
SHA512
3260359e28badee6ee74ecb111cd69307912051e6ae4359fdd43632ed9a6c81cd4af2fc1a00512b2560748855108fb09e45557d6da9d5e388602a79dca804e2e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1060-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4440-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2252-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-864-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2536-1525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1056 jjpjd.exe 1168 nnnhtb.exe 392 ffrxfxl.exe 4784 dpvvv.exe 4964 jpvpp.exe 1408 nbbnhh.exe 2484 bnbttt.exe 4876 lllxrxr.exe 3592 ppppj.exe 964 bbnhhb.exe 1568 3vppj.exe 4976 5frlrrx.exe 4008 htthnh.exe 3324 hhhnnn.exe 4760 lxxrllf.exe 3604 bhnhbb.exe 2184 xrllffx.exe 3428 hhnhtt.exe 4872 xffxrrr.exe 4300 bbnnnt.exe 3896 dvdvv.exe 2256 1dddv.exe 3468 3flfxxr.exe 2536 tntnnh.exe 5092 pddvv.exe 3736 nbttnn.exe 376 rrlfrrr.exe 3076 hbttnt.exe 4440 bthhbb.exe 1404 jppjd.exe 4680 frfxrlr.exe 2756 ppdvj.exe 4272 bthbtb.exe 3960 pddpj.exe 3912 thnnnn.exe 2800 dppdv.exe 3900 lfrlllr.exe 3412 nbthbt.exe 4548 ddjjd.exe 4040 frfxxff.exe 1540 xllfrrl.exe 3924 1hbtnn.exe 4332 pjjjj.exe 616 xrffxrx.exe 2412 1nnnhh.exe 4916 5vpjd.exe 548 dvdpv.exe 3464 xfffxxr.exe 4312 bhnhtn.exe 3920 hnnhhb.exe 3872 jpjvp.exe 3612 rfrfxrr.exe 824 bbhbnh.exe 1768 djppd.exe 1748 pddvp.exe 4144 fxfxrlf.exe 4304 5bbnht.exe 2676 pjjpj.exe 4700 rrxrfxl.exe 3624 rlrrrrf.exe 4956 bnnhtn.exe 5112 vpjpv.exe 1560 vdjvp.exe 4836 flxrxff.exe -
resource yara_rule behavioral2/memory/1060-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4440-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4208-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-791-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1060 wrote to memory of 1056 1060 45329048c83aaabf853c8536315f5f77f84e419f6d70387e926a7440def8baebN.exe 83 PID 1060 wrote to memory of 1056 1060 45329048c83aaabf853c8536315f5f77f84e419f6d70387e926a7440def8baebN.exe 83 PID 1060 wrote to memory of 1056 1060 45329048c83aaabf853c8536315f5f77f84e419f6d70387e926a7440def8baebN.exe 83 PID 1056 wrote to memory of 1168 1056 jjpjd.exe 84 PID 1056 wrote to memory of 1168 1056 jjpjd.exe 84 PID 1056 wrote to memory of 1168 1056 jjpjd.exe 84 PID 1168 wrote to memory of 392 1168 nnnhtb.exe 85 PID 1168 wrote to memory of 392 1168 nnnhtb.exe 85 PID 1168 wrote to memory of 392 1168 nnnhtb.exe 85 PID 392 wrote to memory of 4784 392 ffrxfxl.exe 86 PID 392 wrote to memory of 4784 392 ffrxfxl.exe 86 PID 392 wrote to memory of 4784 392 ffrxfxl.exe 86 PID 4784 wrote to memory of 4964 4784 dpvvv.exe 87 PID 4784 wrote to memory of 4964 4784 dpvvv.exe 87 PID 4784 wrote to memory of 4964 4784 dpvvv.exe 87 PID 4964 wrote to memory of 1408 4964 jpvpp.exe 88 PID 4964 wrote to memory of 1408 4964 jpvpp.exe 88 PID 4964 wrote to memory of 1408 4964 jpvpp.exe 88 PID 1408 wrote to memory of 2484 1408 nbbnhh.exe 89 PID 1408 wrote to memory of 2484 1408 nbbnhh.exe 89 PID 1408 wrote to memory of 2484 1408 nbbnhh.exe 89 PID 2484 wrote to memory of 4876 2484 bnbttt.exe 90 PID 2484 wrote to memory of 4876 2484 bnbttt.exe 90 PID 2484 wrote to memory of 4876 2484 bnbttt.exe 90 PID 4876 wrote to memory of 3592 4876 lllxrxr.exe 91 PID 4876 wrote to memory of 3592 4876 lllxrxr.exe 91 PID 4876 wrote to memory of 3592 4876 lllxrxr.exe 91 PID 3592 wrote to memory of 964 3592 ppppj.exe 92 PID 3592 wrote to memory of 964 3592 ppppj.exe 92 PID 3592 wrote to memory of 964 3592 ppppj.exe 92 PID 964 wrote to memory of 1568 964 bbnhhb.exe 93 PID 964 wrote to memory of 1568 964 bbnhhb.exe 93 PID 964 wrote to memory of 1568 964 bbnhhb.exe 93 PID 1568 wrote to memory of 4976 1568 3vppj.exe 94 PID 1568 wrote to memory of 4976 1568 
3vppj.exe 94 PID 1568 wrote to memory of 4976 1568 3vppj.exe 94 PID 4976 wrote to memory of 4008 4976 5frlrrx.exe 95 PID 4976 wrote to memory of 4008 4976 5frlrrx.exe 95 PID 4976 wrote to memory of 4008 4976 5frlrrx.exe 95 PID 4008 wrote to memory of 3324 4008 htthnh.exe 96 PID 4008 wrote to memory of 3324 4008 htthnh.exe 96 PID 4008 wrote to memory of 3324 4008 htthnh.exe 96 PID 3324 wrote to memory of 4760 3324 hhhnnn.exe 97 PID 3324 wrote to memory of 4760 3324 hhhnnn.exe 97 PID 3324 wrote to memory of 4760 3324 hhhnnn.exe 97 PID 4760 wrote to memory of 3604 4760 lxxrllf.exe 98 PID 4760 wrote to memory of 3604 4760 lxxrllf.exe 98 PID 4760 wrote to memory of 3604 4760 lxxrllf.exe 98 PID 3604 wrote to memory of 2184 3604 bhnhbb.exe 99 PID 3604 wrote to memory of 2184 3604 bhnhbb.exe 99 PID 3604 wrote to memory of 2184 3604 bhnhbb.exe 99 PID 2184 wrote to memory of 3428 2184 xrllffx.exe 100 PID 2184 wrote to memory of 3428 2184 xrllffx.exe 100 PID 2184 wrote to memory of 3428 2184 xrllffx.exe 100 PID 3428 wrote to memory of 4872 3428 hhnhtt.exe 101 PID 3428 wrote to memory of 4872 3428 hhnhtt.exe 101 PID 3428 wrote to memory of 4872 3428 hhnhtt.exe 101 PID 4872 wrote to memory of 4300 4872 xffxrrr.exe 102 PID 4872 wrote to memory of 4300 4872 xffxrrr.exe 102 PID 4872 wrote to memory of 4300 4872 xffxrrr.exe 102 PID 4300 wrote to memory of 3896 4300 bbnnnt.exe 103 PID 4300 wrote to memory of 3896 4300 bbnnnt.exe 103 PID 4300 wrote to memory of 3896 4300 bbnnnt.exe 103 PID 3896 wrote to memory of 2256 3896 dvdvv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\45329048c83aaabf853c8536315f5f77f84e419f6d70387e926a7440def8baebN.exe"C:\Users\Admin\AppData\Local\Temp\45329048c83aaabf853c8536315f5f77f84e419f6d70387e926a7440def8baebN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\jjpjd.exec:\jjpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\nnnhtb.exec:\nnnhtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\ffrxfxl.exec:\ffrxfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\dpvvv.exec:\dpvvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\jpvpp.exec:\jpvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\nbbnhh.exec:\nbbnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\bnbttt.exec:\bnbttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\lllxrxr.exec:\lllxrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\ppppj.exec:\ppppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\bbnhhb.exec:\bbnhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\3vppj.exec:\3vppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\5frlrrx.exec:\5frlrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\htthnh.exec:\htthnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\hhhnnn.exec:\hhhnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\lxxrllf.exec:\lxxrllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\bhnhbb.exec:\bhnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\xrllffx.exec:\xrllffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\hhnhtt.exec:\hhnhtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\xffxrrr.exec:\xffxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\bbnnnt.exec:\bbnnnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\dvdvv.exec:\dvdvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\1dddv.exec:\1dddv.exe23⤵
- Executes dropped EXE
PID:2256 -
\??\c:\3flfxxr.exec:\3flfxxr.exe24⤵
- Executes dropped EXE
PID:3468 -
\??\c:\tntnnh.exec:\tntnnh.exe25⤵
- Executes dropped EXE
PID:2536 -
\??\c:\pddvv.exec:\pddvv.exe26⤵
- Executes dropped EXE
PID:5092 -
\??\c:\nbttnn.exec:\nbttnn.exe27⤵
- Executes dropped EXE
PID:3736 -
\??\c:\rrlfrrr.exec:\rrlfrrr.exe28⤵
- Executes dropped EXE
PID:376 -
\??\c:\hbttnt.exec:\hbttnt.exe29⤵
- Executes dropped EXE
PID:3076 -
\??\c:\bthhbb.exec:\bthhbb.exe30⤵
- Executes dropped EXE
PID:4440 -
\??\c:\jppjd.exec:\jppjd.exe31⤵
- Executes dropped EXE
PID:1404 -
\??\c:\frfxrlr.exec:\frfxrlr.exe32⤵
- Executes dropped EXE
PID:4680 -
\??\c:\ppdvj.exec:\ppdvj.exe33⤵
- Executes dropped EXE
PID:2756 -
\??\c:\bthbtb.exec:\bthbtb.exe34⤵
- Executes dropped EXE
PID:4272 -
\??\c:\pddpj.exec:\pddpj.exe35⤵
- Executes dropped EXE
PID:3960 -
\??\c:\thnnnn.exec:\thnnnn.exe36⤵
- Executes dropped EXE
PID:3912 -
\??\c:\dppdv.exec:\dppdv.exe37⤵
- Executes dropped EXE
PID:2800 -
\??\c:\lfrlllr.exec:\lfrlllr.exe38⤵
- Executes dropped EXE
PID:3900 -
\??\c:\nbthbt.exec:\nbthbt.exe39⤵
- Executes dropped EXE
PID:3412 -
\??\c:\ddjjd.exec:\ddjjd.exe40⤵
- Executes dropped EXE
PID:4548 -
\??\c:\frfxxff.exec:\frfxxff.exe41⤵
- Executes dropped EXE
PID:4040 -
\??\c:\xllfrrl.exec:\xllfrrl.exe42⤵
- Executes dropped EXE
PID:1540 -
\??\c:\1hbtnn.exec:\1hbtnn.exe43⤵
- Executes dropped EXE
PID:3924 -
\??\c:\pjjjj.exec:\pjjjj.exe44⤵
- Executes dropped EXE
PID:4332 -
\??\c:\xrffxrx.exec:\xrffxrx.exe45⤵
- Executes dropped EXE
PID:616 -
\??\c:\1nnnhh.exec:\1nnnhh.exe46⤵
- Executes dropped EXE
PID:2412 -
\??\c:\5vpjd.exec:\5vpjd.exe47⤵
- Executes dropped EXE
PID:4916 -
\??\c:\dvdpv.exec:\dvdpv.exe48⤵
- Executes dropped EXE
PID:548 -
\??\c:\xfffxxr.exec:\xfffxxr.exe49⤵
- Executes dropped EXE
PID:3464 -
\??\c:\bhnhtn.exec:\bhnhtn.exe50⤵
- Executes dropped EXE
PID:4312 -
\??\c:\hnnhhb.exec:\hnnhhb.exe51⤵
- Executes dropped EXE
PID:3920 -
\??\c:\jpjvp.exec:\jpjvp.exe52⤵
- Executes dropped EXE
PID:3872 -
\??\c:\rfrfxrr.exec:\rfrfxrr.exe53⤵
- Executes dropped EXE
PID:3612 -
\??\c:\bbhbnh.exec:\bbhbnh.exe54⤵
- Executes dropped EXE
PID:824 -
\??\c:\djppd.exec:\djppd.exe55⤵
- Executes dropped EXE
PID:1768 -
\??\c:\pddvp.exec:\pddvp.exe56⤵
- Executes dropped EXE
PID:1748 -
\??\c:\fxfxrlf.exec:\fxfxrlf.exe57⤵
- Executes dropped EXE
PID:4144 -
\??\c:\5bbnht.exec:\5bbnht.exe58⤵
- Executes dropped EXE
PID:4304 -
\??\c:\pjjpj.exec:\pjjpj.exe59⤵
- Executes dropped EXE
PID:2676 -
\??\c:\rrxrfxl.exec:\rrxrfxl.exe60⤵
- Executes dropped EXE
PID:4700 -
\??\c:\rlrrrrf.exec:\rlrrrrf.exe61⤵
- Executes dropped EXE
PID:3624 -
\??\c:\bnnhtn.exec:\bnnhtn.exe62⤵
- Executes dropped EXE
PID:4956 -
\??\c:\vpjpv.exec:\vpjpv.exe63⤵
- Executes dropped EXE
PID:5112 -
\??\c:\vdjvp.exec:\vdjvp.exe64⤵
- Executes dropped EXE
PID:1560 -
\??\c:\flxrxff.exec:\flxrxff.exe65⤵
- Executes dropped EXE
PID:4836 -
\??\c:\nntnnn.exec:\nntnnn.exe66⤵PID:224
-
\??\c:\vjddj.exec:\vjddj.exe67⤵PID:3560
-
\??\c:\rlrrlrl.exec:\rlrrlrl.exe68⤵PID:116
-
\??\c:\1nnthb.exec:\1nnthb.exe69⤵PID:4060
-
\??\c:\vddjd.exec:\vddjd.exe70⤵PID:4496
-
\??\c:\jvvpp.exec:\jvvpp.exe71⤵PID:384
-
\??\c:\3xffxff.exec:\3xffxff.exe72⤵PID:3324
-
\??\c:\nnhhbt.exec:\nnhhbt.exe73⤵PID:4260
-
\??\c:\vjppj.exec:\vjppj.exe74⤵PID:2332
-
\??\c:\5pvpp.exec:\5pvpp.exe75⤵PID:2252
-
\??\c:\lxlxlfl.exec:\lxlxlfl.exe76⤵PID:5100
-
\??\c:\bttnhb.exec:\bttnhb.exe77⤵PID:3068
-
\??\c:\jdddv.exec:\jdddv.exe78⤵PID:1948
-
\??\c:\lxflxfx.exec:\lxflxfx.exe79⤵PID:3100
-
\??\c:\btnhtt.exec:\btnhtt.exe80⤵PID:1544
-
\??\c:\pvddv.exec:\pvddv.exe81⤵PID:720
-
\??\c:\9ppdv.exec:\9ppdv.exe82⤵PID:4856
-
\??\c:\llrrrff.exec:\llrrrff.exe83⤵PID:1616
-
\??\c:\9ntntb.exec:\9ntntb.exe84⤵PID:4584
-
\??\c:\tbbtnh.exec:\tbbtnh.exe85⤵PID:4580
-
\??\c:\vvddv.exec:\vvddv.exe86⤵PID:1620
-
\??\c:\rllfrfr.exec:\rllfrfr.exe87⤵PID:4172
-
\??\c:\btbnhb.exec:\btbnhb.exe88⤵PID:2300
-
\??\c:\jvvpj.exec:\jvvpj.exe89⤵PID:4208
-
\??\c:\vdjvp.exec:\vdjvp.exe90⤵PID:2044
-
\??\c:\frllfrr.exec:\frllfrr.exe91⤵PID:3000
-
\??\c:\htbbbt.exec:\htbbbt.exe92⤵PID:740
-
\??\c:\5vdvp.exec:\5vdvp.exe93⤵PID:992
-
\??\c:\lxllffx.exec:\lxllffx.exe94⤵PID:2792
-
\??\c:\bnbnhb.exec:\bnbnhb.exe95⤵PID:3356
-
\??\c:\djjdv.exec:\djjdv.exe96⤵PID:728
-
\??\c:\dddvp.exec:\dddvp.exe97⤵PID:2368
-
\??\c:\ffrlfxr.exec:\ffrlfxr.exe98⤵PID:4792
-
\??\c:\hbhnbh.exec:\hbhnbh.exe99⤵PID:5008
-
\??\c:\vpjdd.exec:\vpjdd.exe100⤵PID:3916
-
\??\c:\9fxrrlr.exec:\9fxrrlr.exe101⤵PID:3652
-
\??\c:\7xfxrrl.exec:\7xfxrrl.exe102⤵PID:3412
-
\??\c:\hnhtnt.exec:\hnhtnt.exe103⤵PID:4548
-
\??\c:\vppjd.exec:\vppjd.exe104⤵PID:3360
-
\??\c:\djdpv.exec:\djdpv.exe105⤵PID:2712
-
\??\c:\7rxllll.exec:\7rxllll.exe106⤵PID:3860
-
\??\c:\fllxrlx.exec:\fllxrlx.exe107⤵PID:2480
-
\??\c:\1hhhtt.exec:\1hhhtt.exe108⤵PID:1360
-
\??\c:\pjdpj.exec:\pjdpj.exe109⤵PID:5104
-
\??\c:\flrlfxx.exec:\flrlfxx.exe110⤵PID:396
-
\??\c:\llllfxr.exec:\llllfxr.exe111⤵PID:4596
-
\??\c:\tnbhbb.exec:\tnbhbb.exe112⤵PID:2456
-
\??\c:\5vvvj.exec:\5vvvj.exe113⤵PID:956
-
\??\c:\xxxfxlf.exec:\xxxfxlf.exe114⤵PID:4312
-
\??\c:\lffrlll.exec:\lffrlll.exe115⤵PID:896
-
\??\c:\bthhnn.exec:\bthhnn.exe116⤵PID:1884
-
\??\c:\vpvpj.exec:\vpvpj.exe117⤵PID:2016
-
\??\c:\fxllfff.exec:\fxllfff.exe118⤵PID:3904
-
\??\c:\nnnnnn.exec:\nnnnnn.exe119⤵PID:3120
-
\??\c:\tthntt.exec:\tthntt.exe120⤵PID:1644
-
\??\c:\pppvj.exec:\pppvj.exe121⤵PID:3168
-
\??\c:\rllfxrl.exec:\rllfxrl.exe122⤵PID:1184