Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 20:31
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
1f3c4228387f3d8178ecd6d445beacca3eae14fac3643043bdef9078b55379a6.exe
Resource
win7-20240903-en
7 signatures (note: every memory-dump IoC listed under Signatures below is attributed to a behavioral2 run, not to this behavioral1/win7 task — presumably the win10v2004-20241007-en resource named in the header; the behavioral1 results themselves are not shown on this page)
150 seconds
General
-
Target
1f3c4228387f3d8178ecd6d445beacca3eae14fac3643043bdef9078b55379a6.exe
-
Size
455KB
-
MD5
e473345fe6cf235d992c74a1164347cf
-
SHA1
05776a56c9b21a6d91ac09791bd859a21462a5da
-
SHA256
1f3c4228387f3d8178ecd6d445beacca3eae14fac3643043bdef9078b55379a6
-
SHA512
ced253f630035fdbc286762993972cb3b6acd9cb97fb69040e22028479925e768a5a3e10dcd98823e716f152770cb6d078a172106bc16c6f411ce0453062a466
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRa:q7Tc2NYHUrAwfMp3CDRa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1384-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/916-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4812-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-1178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-1401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-1527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3984-1842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4156 vvvvv.exe 3016 btbbnn.exe 2644 pvjdp.exe 4664 5jpjd.exe 1924 tbtbbb.exe 1928 pvdvj.exe 4380 208262.exe 2344 ppdpp.exe 3560 dvpjd.exe 1880 nbhbnn.exe 4548 00042.exe 4404 lllxrlf.exe 4784 pdpdd.exe 2240 884488.exe 4276 9xxrfxr.exe 2412 246026.exe 2096 264082.exe 4300 htbnhb.exe 1028 frrxfll.exe 4392 64826.exe 4748 7rrfrlf.exe 3548 tnnnnn.exe 916 nbbtnn.exe 4724 s0080.exe 5008 288204.exe 1688 9ddpj.exe 4536 rllxlll.exe 2248 vpjdv.exe 4836 8020448.exe 1876 xfrlfxr.exe 3164 46266.exe 3472 hnnhtn.exe 4904 28804.exe 2416 2008664.exe 3736 7ntnhh.exe 4428 u404604.exe 1592 w84282.exe 3104 dvdvv.exe 4584 vjpdv.exe 60 rxfrlff.exe 2224 08484.exe 4376 6686486.exe 4600 jvvvj.exe 1648 8400004.exe 516 g0260.exe 2628 rxfxffr.exe 3192 006460.exe 2644 8026226.exe 1148 7ttnnn.exe 4040 ttbnnt.exe 680 jjvdj.exe 3700 nbbtnb.exe 4732 000888.exe 2344 o048226.exe 4936 068262.exe 3768 fxlfllr.exe 3844 rfrrlrl.exe 768 260600.exe 4264 9xxfxfl.exe 3616 bhhbtt.exe 3004 fxrlfxx.exe 4404 604826.exe 1764 2626662.exe 2240 lffxfff.exe -
resource yara_rule behavioral2/memory/1384-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4536-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4648-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-1196-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by opening the NLS\Language registry key) in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i622000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6660482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6000444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e46082.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c282288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1384 wrote to memory of 4156 1384 1f3c4228387f3d8178ecd6d445beacca3eae14fac3643043bdef9078b55379a6.exe 83 PID 1384 wrote to memory of 4156 1384 1f3c4228387f3d8178ecd6d445beacca3eae14fac3643043bdef9078b55379a6.exe 83 PID 1384 wrote to memory of 4156 1384 1f3c4228387f3d8178ecd6d445beacca3eae14fac3643043bdef9078b55379a6.exe 83 PID 4156 wrote to memory of 3016 4156 vvvvv.exe 84 PID 4156 wrote to memory of 3016 4156 vvvvv.exe 84 PID 4156 wrote to memory of 3016 4156 vvvvv.exe 84 PID 3016 wrote to memory of 2644 3016 btbbnn.exe 85 PID 3016 wrote to memory of 2644 3016 btbbnn.exe 85 PID 3016 wrote to memory of 2644 3016 btbbnn.exe 85 PID 2644 wrote to memory of 4664 2644 pvjdp.exe 86 PID 2644 wrote to memory of 4664 2644 pvjdp.exe 86 PID 2644 wrote to memory of 4664 2644 pvjdp.exe 86 PID 4664 wrote to memory of 1924 4664 5jpjd.exe 87 PID 4664 wrote to memory of 1924 4664 5jpjd.exe 87 PID 4664 wrote to memory of 1924 4664 5jpjd.exe 87 PID 1924 wrote to memory of 1928 1924 tbtbbb.exe 88 PID 1924 wrote to memory of 1928 1924 tbtbbb.exe 88 PID 1924 wrote to memory of 1928 1924 tbtbbb.exe 88 PID 1928 wrote to memory of 4380 1928 pvdvj.exe 89 PID 1928 wrote to memory of 4380 1928 pvdvj.exe 89 PID 1928 wrote to memory of 4380 1928 pvdvj.exe 89 PID 4380 wrote to memory of 2344 4380 208262.exe 90 PID 4380 wrote to memory of 2344 4380 208262.exe 90 PID 4380 wrote to memory of 2344 4380 208262.exe 90 PID 2344 wrote to memory of 3560 2344 ppdpp.exe 91 PID 2344 wrote to memory of 3560 2344 ppdpp.exe 91 PID 2344 wrote to memory of 3560 2344 ppdpp.exe 91 PID 3560 wrote to memory of 1880 3560 dvpjd.exe 92 PID 3560 wrote to memory of 1880 3560 dvpjd.exe 92 PID 3560 wrote to memory of 1880 3560 dvpjd.exe 92 PID 1880 wrote to memory of 4548 1880 nbhbnn.exe 93 PID 1880 wrote to memory of 4548 1880 nbhbnn.exe 93 PID 1880 wrote to memory of 4548 1880 nbhbnn.exe 93 PID 4548 wrote to memory of 4404 4548 00042.exe 94 PID 4548 wrote to memory of 4404 4548 
00042.exe 94 PID 4548 wrote to memory of 4404 4548 00042.exe 94 PID 4404 wrote to memory of 4784 4404 lllxrlf.exe 95 PID 4404 wrote to memory of 4784 4404 lllxrlf.exe 95 PID 4404 wrote to memory of 4784 4404 lllxrlf.exe 95 PID 4784 wrote to memory of 2240 4784 pdpdd.exe 96 PID 4784 wrote to memory of 2240 4784 pdpdd.exe 96 PID 4784 wrote to memory of 2240 4784 pdpdd.exe 96 PID 2240 wrote to memory of 4276 2240 884488.exe 97 PID 2240 wrote to memory of 4276 2240 884488.exe 97 PID 2240 wrote to memory of 4276 2240 884488.exe 97 PID 4276 wrote to memory of 2412 4276 9xxrfxr.exe 98 PID 4276 wrote to memory of 2412 4276 9xxrfxr.exe 98 PID 4276 wrote to memory of 2412 4276 9xxrfxr.exe 98 PID 2412 wrote to memory of 2096 2412 246026.exe 99 PID 2412 wrote to memory of 2096 2412 246026.exe 99 PID 2412 wrote to memory of 2096 2412 246026.exe 99 PID 2096 wrote to memory of 4300 2096 264082.exe 100 PID 2096 wrote to memory of 4300 2096 264082.exe 100 PID 2096 wrote to memory of 4300 2096 264082.exe 100 PID 4300 wrote to memory of 1028 4300 htbnhb.exe 101 PID 4300 wrote to memory of 1028 4300 htbnhb.exe 101 PID 4300 wrote to memory of 1028 4300 htbnhb.exe 101 PID 1028 wrote to memory of 4392 1028 frrxfll.exe 102 PID 1028 wrote to memory of 4392 1028 frrxfll.exe 102 PID 1028 wrote to memory of 4392 1028 frrxfll.exe 102 PID 4392 wrote to memory of 4748 4392 64826.exe 103 PID 4392 wrote to memory of 4748 4392 64826.exe 103 PID 4392 wrote to memory of 4748 4392 64826.exe 103 PID 4748 wrote to memory of 3548 4748 7rrfrlf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f3c4228387f3d8178ecd6d445beacca3eae14fac3643043bdef9078b55379a6.exe"C:\Users\Admin\AppData\Local\Temp\1f3c4228387f3d8178ecd6d445beacca3eae14fac3643043bdef9078b55379a6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\vvvvv.exec:\vvvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\btbbnn.exec:\btbbnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\pvjdp.exec:\pvjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\5jpjd.exec:\5jpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\tbtbbb.exec:\tbtbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\pvdvj.exec:\pvdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\208262.exec:\208262.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\ppdpp.exec:\ppdpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\dvpjd.exec:\dvpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\nbhbnn.exec:\nbhbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\00042.exec:\00042.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\lllxrlf.exec:\lllxrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\pdpdd.exec:\pdpdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\884488.exec:\884488.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\9xxrfxr.exec:\9xxrfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\246026.exec:\246026.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\264082.exec:\264082.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\htbnhb.exec:\htbnhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\frrxfll.exec:\frrxfll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\64826.exec:\64826.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\7rrfrlf.exec:\7rrfrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\tnnnnn.exec:\tnnnnn.exe23⤵
- Executes dropped EXE
PID:3548 -
\??\c:\nbbtnn.exec:\nbbtnn.exe24⤵
- Executes dropped EXE
PID:916 -
\??\c:\s0080.exec:\s0080.exe25⤵
- Executes dropped EXE
PID:4724 -
\??\c:\288204.exec:\288204.exe26⤵
- Executes dropped EXE
PID:5008 -
\??\c:\9ddpj.exec:\9ddpj.exe27⤵
- Executes dropped EXE
PID:1688 -
\??\c:\rllxlll.exec:\rllxlll.exe28⤵
- Executes dropped EXE
PID:4536 -
\??\c:\vpjdv.exec:\vpjdv.exe29⤵
- Executes dropped EXE
PID:2248 -
\??\c:\8020448.exec:\8020448.exe30⤵
- Executes dropped EXE
PID:4836 -
\??\c:\xfrlfxr.exec:\xfrlfxr.exe31⤵
- Executes dropped EXE
PID:1876 -
\??\c:\46266.exec:\46266.exe32⤵
- Executes dropped EXE
PID:3164 -
\??\c:\hnnhtn.exec:\hnnhtn.exe33⤵
- Executes dropped EXE
PID:3472 -
\??\c:\28804.exec:\28804.exe34⤵
- Executes dropped EXE
PID:4904 -
\??\c:\2008664.exec:\2008664.exe35⤵
- Executes dropped EXE
PID:2416 -
\??\c:\7ntnhh.exec:\7ntnhh.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3736 -
\??\c:\u404604.exec:\u404604.exe37⤵
- Executes dropped EXE
PID:4428 -
\??\c:\w84282.exec:\w84282.exe38⤵
- Executes dropped EXE
PID:1592 -
\??\c:\dvdvv.exec:\dvdvv.exe39⤵
- Executes dropped EXE
PID:3104 -
\??\c:\vjpdv.exec:\vjpdv.exe40⤵
- Executes dropped EXE
PID:4584 -
\??\c:\rxfrlff.exec:\rxfrlff.exe41⤵
- Executes dropped EXE
PID:60 -
\??\c:\08484.exec:\08484.exe42⤵
- Executes dropped EXE
PID:2224 -
\??\c:\6686486.exec:\6686486.exe43⤵
- Executes dropped EXE
PID:4376 -
\??\c:\jvvvj.exec:\jvvvj.exe44⤵
- Executes dropped EXE
PID:4600 -
\??\c:\8400004.exec:\8400004.exe45⤵
- Executes dropped EXE
PID:1648 -
\??\c:\g0260.exec:\g0260.exe46⤵
- Executes dropped EXE
PID:516 -
\??\c:\rxfxffr.exec:\rxfxffr.exe47⤵
- Executes dropped EXE
PID:2628 -
\??\c:\006460.exec:\006460.exe48⤵
- Executes dropped EXE
PID:3192 -
\??\c:\8026226.exec:\8026226.exe49⤵
- Executes dropped EXE
PID:2644 -
\??\c:\7ttnnn.exec:\7ttnnn.exe50⤵
- Executes dropped EXE
PID:1148 -
\??\c:\ttbnnt.exec:\ttbnnt.exe51⤵
- Executes dropped EXE
PID:4040 -
\??\c:\jjvdj.exec:\jjvdj.exe52⤵
- Executes dropped EXE
PID:680 -
\??\c:\nbbtnb.exec:\nbbtnb.exe53⤵
- Executes dropped EXE
PID:3700 -
\??\c:\000888.exec:\000888.exe54⤵
- Executes dropped EXE
PID:4732 -
\??\c:\o048226.exec:\o048226.exe55⤵
- Executes dropped EXE
PID:2344 -
\??\c:\068262.exec:\068262.exe56⤵
- Executes dropped EXE
PID:4936 -
\??\c:\fxlfllr.exec:\fxlfllr.exe57⤵
- Executes dropped EXE
PID:3768 -
\??\c:\rfrrlrl.exec:\rfrrlrl.exe58⤵
- Executes dropped EXE
PID:3844 -
\??\c:\260600.exec:\260600.exe59⤵
- Executes dropped EXE
PID:768 -
\??\c:\9xxfxfl.exec:\9xxfxfl.exe60⤵
- Executes dropped EXE
PID:4264 -
\??\c:\bhhbtt.exec:\bhhbtt.exe61⤵
- Executes dropped EXE
PID:3616 -
\??\c:\fxrlfxx.exec:\fxrlfxx.exe62⤵
- Executes dropped EXE
PID:3004 -
\??\c:\604826.exec:\604826.exe63⤵
- Executes dropped EXE
PID:4404 -
\??\c:\2626662.exec:\2626662.exe64⤵
- Executes dropped EXE
PID:1764 -
\??\c:\lffxfff.exec:\lffxfff.exe65⤵
- Executes dropped EXE
PID:2240 -
\??\c:\ntnnhh.exec:\ntnnhh.exe66⤵PID:2272
-
\??\c:\9ffrrrl.exec:\9ffrrrl.exe67⤵PID:2412
-
\??\c:\o280444.exec:\o280444.exe68⤵PID:1532
-
\??\c:\68008.exec:\68008.exe69⤵PID:1312
-
\??\c:\0062622.exec:\0062622.exe70⤵PID:4424
-
\??\c:\q44488.exec:\q44488.exe71⤵PID:4888
-
\??\c:\40820.exec:\40820.exe72⤵PID:2872
-
\??\c:\thhbtb.exec:\thhbtb.exe73⤵PID:536
-
\??\c:\vpvpp.exec:\vpvpp.exe74⤵PID:8
-
\??\c:\dpdvj.exec:\dpdvj.exe75⤵PID:3636
-
\??\c:\3vvdv.exec:\3vvdv.exe76⤵PID:3564
-
\??\c:\7dpjp.exec:\7dpjp.exe77⤵PID:1344
-
\??\c:\4848660.exec:\4848660.exe78⤵PID:3904
-
\??\c:\4446600.exec:\4446600.exe79⤵PID:1672
-
\??\c:\0842406.exec:\0842406.exe80⤵PID:4812
-
\??\c:\jdjjd.exec:\jdjjd.exe81⤵PID:2940
-
\??\c:\lxfrfxf.exec:\lxfrfxf.exe82⤵PID:1588
-
\??\c:\88264.exec:\88264.exe83⤵PID:5040
-
\??\c:\422260.exec:\422260.exe84⤵PID:2548
-
\??\c:\48884.exec:\48884.exe85⤵PID:2248
-
\??\c:\lfrrxrx.exec:\lfrrxrx.exe86⤵PID:4560
-
\??\c:\c208068.exec:\c208068.exe87⤵PID:4648
-
\??\c:\htttnn.exec:\htttnn.exe88⤵PID:2892
-
\??\c:\i626004.exec:\i626004.exe89⤵PID:3960
-
\??\c:\w80444.exec:\w80444.exe90⤵PID:2380
-
\??\c:\k80840.exec:\k80840.exe91⤵PID:3492
-
\??\c:\6222600.exec:\6222600.exe92⤵PID:3576
-
\??\c:\btthbn.exec:\btthbn.exe93⤵PID:4764
-
\??\c:\1tttnn.exec:\1tttnn.exe94⤵PID:3308
-
\??\c:\fxrxxfl.exec:\fxrxxfl.exe95⤵PID:3792
-
\??\c:\nhnhnt.exec:\nhnhnt.exe96⤵PID:2260
-
\??\c:\3xrlfxx.exec:\3xrlfxx.exe97⤵PID:4144
-
\??\c:\7rrllll.exec:\7rrllll.exe98⤵PID:4312
-
\??\c:\02448.exec:\02448.exe99⤵PID:4368
-
\??\c:\jdjdj.exec:\jdjdj.exe100⤵PID:1120
-
\??\c:\020422.exec:\020422.exe101⤵PID:5060
-
\??\c:\lfrxxlr.exec:\lfrxxlr.exe102⤵PID:3452
-
\??\c:\8282484.exec:\8282484.exe103⤵PID:3016
-
\??\c:\q40488.exec:\q40488.exe104⤵PID:3568
-
\??\c:\tnntnt.exec:\tnntnt.exe105⤵PID:3192
-
\??\c:\48000.exec:\48000.exe106⤵PID:2644
-
\??\c:\pdjdd.exec:\pdjdd.exe107⤵PID:2372
-
\??\c:\xxlfxxx.exec:\xxlfxxx.exe108⤵PID:4384
-
\??\c:\48888.exec:\48888.exe109⤵PID:4396
-
\??\c:\lrxrlxr.exec:\lrxrlxr.exe110⤵PID:4996
-
\??\c:\4844602.exec:\4844602.exe111⤵PID:4476
-
\??\c:\rlrlxxx.exec:\rlrlxxx.exe112⤵PID:4568
-
\??\c:\vjppj.exec:\vjppj.exe113⤵PID:2012
-
\??\c:\262824.exec:\262824.exe114⤵PID:316
-
\??\c:\468866.exec:\468866.exe115⤵PID:1884
-
\??\c:\nbbbtt.exec:\nbbbtt.exe116⤵PID:3844
-
\??\c:\6424446.exec:\6424446.exe117⤵PID:1568
-
\??\c:\lxxrxxx.exec:\lxxrxxx.exe118⤵PID:3744
-
\??\c:\fxffxxr.exec:\fxffxxr.exe119⤵PID:3804
-
\??\c:\48826.exec:\48826.exe120⤵PID:3772
-
\??\c:\pjppp.exec:\pjppp.exe121⤵PID:3440
-
\??\c:\tntnhn.exec:\tntnhn.exe122⤵PID:1564