Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/12/2024, 21:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe
-
Size
456KB
-
MD5
54228cbbc3980dffb6e84088304dcb71
-
SHA1
a685aee5b17f9b104ce5ae05e7ce48e919ae7c0e
-
SHA256
324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7
-
SHA512
dc2180444b8f0bbe729439294a544b26845c40727785c8bf32e03b114396fdaacbc737062dc98230c0b531832cfe8236100f8aff1cfc33a0e31a7314248add77
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4712-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1648-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4480-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-1094-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-1113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4780-1881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1436 nnnnbb.exe 4640 bthnnb.exe 1228 btbtnn.exe 3596 bbhhbn.exe 2244 9rlfflr.exe 4776 pjjvv.exe 3740 1bbtnn.exe 2908 xxrlxrr.exe 1272 vvddj.exe 2920 jdjdv.exe 1424 vpdpp.exe 2548 lxfxrxr.exe 1044 nbbtnh.exe 2148 djvpj.exe 3028 3bbtnn.exe 3420 jjvpd.exe 2792 rllfxxr.exe 3224 9xxrlrr.exe 2936 nhbtnn.exe 4108 pjvpj.exe 5000 xlrllff.exe 3532 httnhh.exe 1284 5ttnhh.exe 4148 xxrrlll.exe 3492 ffxxrff.exe 1492 vdvpj.exe 3228 9lxxrrl.exe 3768 5pvpj.exe 1648 hbbttt.exe 3608 fflfxxr.exe 2416 jppjj.exe 4968 9rxrlxf.exe 3856 7jdvv.exe 3992 rllfxrr.exe 2740 bhhbtn.exe 4120 nthhtt.exe 416 3dvpd.exe 2880 flrlxxr.exe 1928 nbhbhb.exe 1656 dppjj.exe 1244 frrrllf.exe 3588 nhhbtt.exe 3976 jdpjd.exe 4128 rxfxrlf.exe 1084 rlfxlff.exe 1040 htbtnh.exe 4832 dvppv.exe 4848 pppjv.exe 3384 5xxlfrr.exe 2260 3nhbbn.exe 2924 jvddv.exe 3808 fxfxrlf.exe 4232 1bbtnh.exe 1436 vpppj.exe 4952 1rrlrlr.exe 1528 1pdvv.exe 3892 ddjdd.exe 4536 7frrlfl.exe 4080 nbhbbt.exe 1732 5pdvv.exe 3596 9lflrrx.exe 4400 xflllfx.exe 3732 bntnth.exe 1764 9ddvj.exe -
resource yara_rule behavioral2/memory/4712-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2416-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3068-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-867-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-904-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-1094-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbbn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxflxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4712 wrote to memory of 1436 4712 324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe 82 PID 4712 wrote to memory of 1436 4712 324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe 82 PID 4712 wrote to memory of 1436 4712 324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe 82 PID 1436 wrote to memory of 4640 1436 nnnnbb.exe 83 PID 1436 wrote to memory of 4640 1436 nnnnbb.exe 83 PID 1436 wrote to memory of 4640 1436 nnnnbb.exe 83 PID 4640 wrote to memory of 1228 4640 bthnnb.exe 84 PID 4640 wrote to memory of 1228 4640 bthnnb.exe 84 PID 4640 wrote to memory of 1228 4640 bthnnb.exe 84 PID 1228 wrote to memory of 3596 1228 btbtnn.exe 85 PID 1228 wrote to memory of 3596 1228 btbtnn.exe 85 PID 1228 wrote to memory of 3596 1228 btbtnn.exe 85 PID 3596 wrote to memory of 2244 3596 bbhhbn.exe 86 PID 3596 wrote to memory of 2244 3596 bbhhbn.exe 86 PID 3596 wrote to memory of 2244 3596 bbhhbn.exe 86 PID 2244 wrote to memory of 4776 2244 9rlfflr.exe 87 PID 2244 wrote to memory of 4776 2244 9rlfflr.exe 87 PID 2244 wrote to memory of 4776 2244 9rlfflr.exe 87 PID 4776 wrote to memory of 3740 4776 pjjvv.exe 88 PID 4776 wrote to memory of 3740 4776 pjjvv.exe 88 PID 4776 wrote to memory of 3740 4776 pjjvv.exe 88 PID 3740 wrote to memory of 2908 3740 1bbtnn.exe 89 PID 3740 wrote to memory of 2908 3740 1bbtnn.exe 89 PID 3740 wrote to memory of 2908 3740 1bbtnn.exe 89 PID 2908 wrote to memory of 1272 2908 xxrlxrr.exe 90 PID 2908 wrote to memory of 1272 2908 xxrlxrr.exe 90 PID 2908 wrote to memory of 1272 2908 xxrlxrr.exe 90 PID 1272 wrote to memory of 2920 1272 vvddj.exe 91 PID 1272 wrote to memory of 2920 1272 vvddj.exe 91 PID 1272 wrote to memory of 2920 1272 vvddj.exe 91 PID 2920 wrote to memory of 1424 2920 jdjdv.exe 92 PID 2920 wrote to memory of 1424 2920 jdjdv.exe 92 PID 2920 wrote to memory of 1424 2920 jdjdv.exe 92 PID 1424 wrote to memory of 2548 1424 vpdpp.exe 93 PID 1424 wrote to 
memory of 2548 1424 vpdpp.exe 93 PID 1424 wrote to memory of 2548 1424 vpdpp.exe 93 PID 2548 wrote to memory of 1044 2548 lxfxrxr.exe 94 PID 2548 wrote to memory of 1044 2548 lxfxrxr.exe 94 PID 2548 wrote to memory of 1044 2548 lxfxrxr.exe 94 PID 1044 wrote to memory of 2148 1044 nbbtnh.exe 95 PID 1044 wrote to memory of 2148 1044 nbbtnh.exe 95 PID 1044 wrote to memory of 2148 1044 nbbtnh.exe 95 PID 2148 wrote to memory of 3028 2148 djvpj.exe 96 PID 2148 wrote to memory of 3028 2148 djvpj.exe 96 PID 2148 wrote to memory of 3028 2148 djvpj.exe 96 PID 3028 wrote to memory of 3420 3028 3bbtnn.exe 97 PID 3028 wrote to memory of 3420 3028 3bbtnn.exe 97 PID 3028 wrote to memory of 3420 3028 3bbtnn.exe 97 PID 3420 wrote to memory of 2792 3420 jjvpd.exe 98 PID 3420 wrote to memory of 2792 3420 jjvpd.exe 98 PID 3420 wrote to memory of 2792 3420 jjvpd.exe 98 PID 2792 wrote to memory of 3224 2792 rllfxxr.exe 99 PID 2792 wrote to memory of 3224 2792 rllfxxr.exe 99 PID 2792 wrote to memory of 3224 2792 rllfxxr.exe 99 PID 3224 wrote to memory of 2936 3224 9xxrlrr.exe 100 PID 3224 wrote to memory of 2936 3224 9xxrlrr.exe 100 PID 3224 wrote to memory of 2936 3224 9xxrlrr.exe 100 PID 2936 wrote to memory of 4108 2936 nhbtnn.exe 101 PID 2936 wrote to memory of 4108 2936 nhbtnn.exe 101 PID 2936 wrote to memory of 4108 2936 nhbtnn.exe 101 PID 4108 wrote to memory of 5000 4108 pjvpj.exe 102 PID 4108 wrote to memory of 5000 4108 pjvpj.exe 102 PID 4108 wrote to memory of 5000 4108 pjvpj.exe 102 PID 5000 wrote to memory of 3532 5000 xlrllff.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe"C:\Users\Admin\AppData\Local\Temp\324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\nnnnbb.exec:\nnnnbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\bthnnb.exec:\bthnnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\btbtnn.exec:\btbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\bbhhbn.exec:\bbhhbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\9rlfflr.exec:\9rlfflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\pjjvv.exec:\pjjvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\1bbtnn.exec:\1bbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\xxrlxrr.exec:\xxrlxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\vvddj.exec:\vvddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\jdjdv.exec:\jdjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\vpdpp.exec:\vpdpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\lxfxrxr.exec:\lxfxrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\nbbtnh.exec:\nbbtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\djvpj.exec:\djvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\3bbtnn.exec:\3bbtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\jjvpd.exec:\jjvpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\rllfxxr.exec:\rllfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\9xxrlrr.exec:\9xxrlrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\nhbtnn.exec:\nhbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\pjvpj.exec:\pjvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\xlrllff.exec:\xlrllff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\httnhh.exec:\httnhh.exe23⤵
- Executes dropped EXE
PID:3532 -
\??\c:\5ttnhh.exec:\5ttnhh.exe24⤵
- Executes dropped EXE
PID:1284 -
\??\c:\xxrrlll.exec:\xxrrlll.exe25⤵
- Executes dropped EXE
PID:4148 -
\??\c:\ffxxrff.exec:\ffxxrff.exe26⤵
- Executes dropped EXE
PID:3492 -
\??\c:\vdvpj.exec:\vdvpj.exe27⤵
- Executes dropped EXE
PID:1492 -
\??\c:\9lxxrrl.exec:\9lxxrrl.exe28⤵
- Executes dropped EXE
PID:3228 -
\??\c:\5pvpj.exec:\5pvpj.exe29⤵
- Executes dropped EXE
PID:3768 -
\??\c:\hbbttt.exec:\hbbttt.exe30⤵
- Executes dropped EXE
PID:1648 -
\??\c:\fflfxxr.exec:\fflfxxr.exe31⤵
- Executes dropped EXE
PID:3608 -
\??\c:\jppjj.exec:\jppjj.exe32⤵
- Executes dropped EXE
PID:2416 -
\??\c:\9rxrlxf.exec:\9rxrlxf.exe33⤵
- Executes dropped EXE
PID:4968 -
\??\c:\7jdvv.exec:\7jdvv.exe34⤵
- Executes dropped EXE
PID:3856 -
\??\c:\rllfxrr.exec:\rllfxrr.exe35⤵
- Executes dropped EXE
PID:3992 -
\??\c:\bhhbtn.exec:\bhhbtn.exe36⤵
- Executes dropped EXE
PID:2740 -
\??\c:\nthhtt.exec:\nthhtt.exe37⤵
- Executes dropped EXE
PID:4120 -
\??\c:\3dvpd.exec:\3dvpd.exe38⤵
- Executes dropped EXE
PID:416 -
\??\c:\flrlxxr.exec:\flrlxxr.exe39⤵
- Executes dropped EXE
PID:2880 -
\??\c:\nbhbhb.exec:\nbhbhb.exe40⤵
- Executes dropped EXE
PID:1928 -
\??\c:\dppjj.exec:\dppjj.exe41⤵
- Executes dropped EXE
PID:1656 -
\??\c:\frrrllf.exec:\frrrllf.exe42⤵
- Executes dropped EXE
PID:1244 -
\??\c:\nhhbtt.exec:\nhhbtt.exe43⤵
- Executes dropped EXE
PID:3588 -
\??\c:\jdpjd.exec:\jdpjd.exe44⤵
- Executes dropped EXE
PID:3976 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe45⤵
- Executes dropped EXE
PID:4128 -
\??\c:\rlfxlff.exec:\rlfxlff.exe46⤵
- Executes dropped EXE
PID:1084 -
\??\c:\htbtnh.exec:\htbtnh.exe47⤵
- Executes dropped EXE
PID:1040 -
\??\c:\dvppv.exec:\dvppv.exe48⤵
- Executes dropped EXE
PID:4832 -
\??\c:\pppjv.exec:\pppjv.exe49⤵
- Executes dropped EXE
PID:4848 -
\??\c:\5xxlfrr.exec:\5xxlfrr.exe50⤵
- Executes dropped EXE
PID:3384 -
\??\c:\3nhbbn.exec:\3nhbbn.exe51⤵
- Executes dropped EXE
PID:2260 -
\??\c:\jvddv.exec:\jvddv.exe52⤵
- Executes dropped EXE
PID:2924 -
\??\c:\fxfxrlf.exec:\fxfxrlf.exe53⤵
- Executes dropped EXE
PID:3808 -
\??\c:\lrxxrlx.exec:\lrxxrlx.exe54⤵PID:4444
-
\??\c:\1bbtnh.exec:\1bbtnh.exe55⤵
- Executes dropped EXE
PID:4232 -
\??\c:\vpppj.exec:\vpppj.exe56⤵
- Executes dropped EXE
PID:1436 -
\??\c:\1rrlrlr.exec:\1rrlrlr.exe57⤵
- Executes dropped EXE
PID:4952 -
\??\c:\1pdvv.exec:\1pdvv.exe58⤵
- Executes dropped EXE
PID:1528 -
\??\c:\ddjdd.exec:\ddjdd.exe59⤵
- Executes dropped EXE
PID:3892 -
\??\c:\7frrlfl.exec:\7frrlfl.exe60⤵
- Executes dropped EXE
PID:4536 -
\??\c:\nbhbbt.exec:\nbhbbt.exe61⤵
- Executes dropped EXE
PID:4080 -
\??\c:\5pdvv.exec:\5pdvv.exe62⤵
- Executes dropped EXE
PID:1732 -
\??\c:\9lflrrx.exec:\9lflrrx.exe63⤵
- Executes dropped EXE
PID:3596 -
\??\c:\xflllfx.exec:\xflllfx.exe64⤵
- Executes dropped EXE
PID:4400 -
\??\c:\bntnth.exec:\bntnth.exe65⤵
- Executes dropped EXE
PID:3732 -
\??\c:\9ddvj.exec:\9ddvj.exe66⤵
- Executes dropped EXE
PID:1764 -
\??\c:\fffrxrl.exec:\fffrxrl.exe67⤵PID:1092
-
\??\c:\nnnnhn.exec:\nnnnhn.exe68⤵PID:1212
-
\??\c:\bntnnn.exec:\bntnnn.exe69⤵PID:4112
-
\??\c:\5ddvp.exec:\5ddvp.exe70⤵PID:2664
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe71⤵PID:4480
-
\??\c:\thnhhb.exec:\thnhhb.exe72⤵PID:4516
-
\??\c:\5ddvp.exec:\5ddvp.exe73⤵PID:3672
-
\??\c:\1lfxllf.exec:\1lfxllf.exe74⤵PID:1516
-
\??\c:\9bbtnn.exec:\9bbtnn.exe75⤵PID:228
-
\??\c:\dvjdp.exec:\dvjdp.exe76⤵PID:116
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe77⤵PID:2996
-
\??\c:\rrxrrrl.exec:\rrxrrrl.exe78⤵PID:2660
-
\??\c:\bbhnth.exec:\bbhnth.exe79⤵PID:2208
-
\??\c:\5pdpv.exec:\5pdpv.exe80⤵PID:3772
-
\??\c:\flrlxlf.exec:\flrlxlf.exe81⤵PID:3000
-
\??\c:\hhbthb.exec:\hhbthb.exe82⤵PID:2160
-
\??\c:\7ntnhn.exec:\7ntnhn.exe83⤵PID:4208
-
\??\c:\jdjdv.exec:\jdjdv.exe84⤵PID:4300
-
\??\c:\lffxrlf.exec:\lffxrlf.exe85⤵PID:2240
-
\??\c:\nttnhb.exec:\nttnhb.exe86⤵PID:2824
-
\??\c:\1djvp.exec:\1djvp.exe87⤵PID:1868
-
\??\c:\frrlllf.exec:\frrlllf.exe88⤵PID:3068
-
\??\c:\bhnhbb.exec:\bhnhbb.exe89⤵PID:872
-
\??\c:\vddjj.exec:\vddjj.exe90⤵PID:2124
-
\??\c:\dddvv.exec:\dddvv.exe91⤵PID:2980
-
\??\c:\9fxrllf.exec:\9fxrllf.exe92⤵PID:3492
-
\??\c:\9bbtnh.exec:\9bbtnh.exe93⤵PID:4372
-
\??\c:\hhhhbt.exec:\hhhhbt.exe94⤵PID:2628
-
\??\c:\jdjdp.exec:\jdjdp.exe95⤵PID:3776
-
\??\c:\lxlrrff.exec:\lxlrrff.exe96⤵PID:4196
-
\??\c:\rflfxxl.exec:\rflfxxl.exe97⤵PID:4940
-
\??\c:\5thbbb.exec:\5thbbb.exe98⤵PID:2372
-
\??\c:\pvjdv.exec:\pvjdv.exe99⤵PID:1056
-
\??\c:\ffrllrl.exec:\ffrllrl.exe100⤵PID:1924
-
\??\c:\nbbttn.exec:\nbbttn.exe101⤵PID:2700
-
\??\c:\5djdd.exec:\5djdd.exe102⤵PID:2560
-
\??\c:\xrfxrrx.exec:\xrfxrrx.exe103⤵PID:4968
-
\??\c:\htnhhh.exec:\htnhhh.exe104⤵PID:1204
-
\??\c:\jjpdv.exec:\jjpdv.exe105⤵PID:3624
-
\??\c:\fflfxrl.exec:\fflfxrl.exe106⤵PID:3824
-
\??\c:\5nhhbh.exec:\5nhhbh.exe107⤵PID:4364
-
\??\c:\hhnhbb.exec:\hhnhbb.exe108⤵PID:740
-
\??\c:\ppvpj.exec:\ppvpj.exe109⤵PID:2880
-
\??\c:\xllfxxr.exec:\xllfxxr.exe110⤵PID:1280
-
\??\c:\5hnhbb.exec:\5hnhbb.exe111⤵PID:1656
-
\??\c:\1dvpj.exec:\1dvpj.exe112⤵PID:2552
-
\??\c:\3dddv.exec:\3dddv.exe113⤵PID:3724
-
\??\c:\3frlflf.exec:\3frlflf.exe114⤵PID:4488
-
\??\c:\tntnhh.exec:\tntnhh.exe115⤵PID:4924
-
\??\c:\dvvpj.exec:\dvvpj.exe116⤵PID:2132
-
\??\c:\lfxrllf.exec:\lfxrllf.exe117⤵PID:2040
-
\??\c:\bnhnbb.exec:\bnhnbb.exe118⤵PID:4348
-
\??\c:\hhhbbt.exec:\hhhbbt.exe119⤵PID:4688
-
\??\c:\9djjd.exec:\9djjd.exe120⤵PID:1188
-
\??\c:\3rrrfff.exec:\3rrrfff.exe121⤵PID:2340
-
\??\c:\bbbttt.exec:\bbbttt.exe122⤵PID:3336