Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 03:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b7ba64765e4e93c038188318bdc237d8c295d387aa9ca53fb7b4b5d32420a8b6.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
b7ba64765e4e93c038188318bdc237d8c295d387aa9ca53fb7b4b5d32420a8b6.exe
-
Size
454KB
-
MD5
95a1174ec655742760a9b4992be52a49
-
SHA1
024b85fa9692161143561b8503f84e466c8656f9
-
SHA256
b7ba64765e4e93c038188318bdc237d8c295d387aa9ca53fb7b4b5d32420a8b6
-
SHA512
af9ba99f18596608d98f9a4f344d9163a9e1ad46eca23f6a24b3e85615a68a01cbe7c6c0b6a2b3ac3db63e75618f26aa316d7686d215dee5f5c11016c0ac3b63
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/688-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/848-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2224-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1040-1370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4728 nnnbtn.exe 1368 pjdvp.exe 4008 btbtnn.exe 408 tbhhbn.exe 3452 xxfffff.exe 4544 7bbtnb.exe 4436 5nhtnn.exe 3684 1jpjp.exe 936 vjpvd.exe 1576 fxxfxxx.exe 3940 hntnhh.exe 1952 hbhbtn.exe 5016 dvddv.exe 4044 xrxrllf.exe 2388 3ttnnn.exe 3952 bhnhhh.exe 5100 rrrllrr.exe 4316 llrfffx.exe 4116 vjpdv.exe 4476 rxxxrrx.exe 3088 hbbtnn.exe 2900 1ppjd.exe 4652 fxxrxxx.exe 1500 nhtnhh.exe 4896 vpjdv.exe 848 jpvpj.exe 3316 rxrlrlx.exe 4448 nbnbtn.exe 2376 httnhb.exe 368 jpdvj.exe 4924 frrllff.exe 2228 5hhttn.exe 536 nttnbn.exe 2040 lxxlxlf.exe 1672 lxxlfxr.exe 3112 tbhhtn.exe 1812 vjjvj.exe 1892 lxrfrlx.exe 3276 pvjvj.exe 4152 bnnbbt.exe 3040 jpvpj.exe 1204 vvjdd.exe 5096 7flxrlx.exe 4204 7bbtbb.exe 708 7jdpj.exe 4656 llxxrfx.exe 1056 bbnbtb.exe 672 vpdpj.exe 3080 xflflfr.exe 4368 7rxrxrx.exe 1596 bbbhhh.exe 4456 pddjj.exe 1624 xffrfxr.exe 2296 3bbnbb.exe 1544 1tnbtn.exe 1376 vjjdp.exe 2908 xrlxrfr.exe 2808 hnbtnh.exe 2932 jvpjj.exe 2372 lfrxxlf.exe 4252 flrxxlf.exe 800 hbbbhh.exe 4892 dvpvj.exe 5064 3frlflx.exe -
resource yara_rule behavioral2/memory/688-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3316-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5064-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-668-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
5xlffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 688 wrote to memory of 4728 688 b7ba64765e4e93c038188318bdc237d8c295d387aa9ca53fb7b4b5d32420a8b6.exe 82 PID 688 wrote to memory of 4728 688 b7ba64765e4e93c038188318bdc237d8c295d387aa9ca53fb7b4b5d32420a8b6.exe 82 PID 688 wrote to memory of 4728 688 b7ba64765e4e93c038188318bdc237d8c295d387aa9ca53fb7b4b5d32420a8b6.exe 82 PID 4728 wrote to memory of 1368 4728 nnnbtn.exe 83 PID 4728 wrote to memory of 1368 4728 nnnbtn.exe 83 PID 4728 wrote to memory of 1368 4728 nnnbtn.exe 83 PID 1368 wrote to memory of 4008 1368 pjdvp.exe 84 PID 1368 wrote to memory of 4008 1368 pjdvp.exe 84 PID 1368 wrote to memory of 4008 1368 pjdvp.exe 84 PID 4008 wrote to memory of 408 4008 btbtnn.exe 85 PID 4008 wrote to memory of 408 4008 btbtnn.exe 85 PID 4008 wrote to memory of 408 4008 btbtnn.exe 85 PID 408 wrote to memory of 3452 408 tbhhbn.exe 86 PID 408 wrote to memory of 3452 408 tbhhbn.exe 86 PID 408 wrote to memory of 3452 408 tbhhbn.exe 86 PID 3452 wrote to memory of 4544 3452 xxfffff.exe 87 PID 3452 wrote to memory of 4544 3452 xxfffff.exe 87 PID 3452 wrote to memory of 4544 3452 xxfffff.exe 87 PID 4544 wrote to memory of 4436 4544 7bbtnb.exe 88 PID 4544 wrote to memory of 4436 4544 7bbtnb.exe 88 PID 4544 wrote to memory of 4436 4544 7bbtnb.exe 88 PID 4436 wrote to memory of 3684 4436 5nhtnn.exe 89 PID 4436 wrote to memory of 3684 4436 5nhtnn.exe 89 PID 4436 wrote to memory of 3684 4436 5nhtnn.exe 89 PID 3684 wrote to memory of 936 3684 1jpjp.exe 90 PID 3684 wrote to memory of 936 3684 1jpjp.exe 90 PID 3684 wrote to memory of 936 3684 1jpjp.exe 90 PID 936 wrote to memory of 1576 936 vjpvd.exe 91 PID 936 wrote to memory of 1576 936 vjpvd.exe 91 PID 936 wrote to memory of 1576 936 vjpvd.exe 91 PID 1576 wrote to memory of 3940 1576 fxxfxxx.exe 92 PID 1576 wrote to memory of 3940 1576 fxxfxxx.exe 92 PID 1576 wrote to memory of 3940 1576 fxxfxxx.exe 92 PID 3940 wrote to memory of 1952 3940 hntnhh.exe 93 PID 3940 wrote to memory of 1952 3940 
hntnhh.exe 93 PID 3940 wrote to memory of 1952 3940 hntnhh.exe 93 PID 1952 wrote to memory of 5016 1952 hbhbtn.exe 94 PID 1952 wrote to memory of 5016 1952 hbhbtn.exe 94 PID 1952 wrote to memory of 5016 1952 hbhbtn.exe 94 PID 5016 wrote to memory of 4044 5016 dvddv.exe 95 PID 5016 wrote to memory of 4044 5016 dvddv.exe 95 PID 5016 wrote to memory of 4044 5016 dvddv.exe 95 PID 4044 wrote to memory of 2388 4044 xrxrllf.exe 96 PID 4044 wrote to memory of 2388 4044 xrxrllf.exe 96 PID 4044 wrote to memory of 2388 4044 xrxrllf.exe 96 PID 2388 wrote to memory of 3952 2388 3ttnnn.exe 97 PID 2388 wrote to memory of 3952 2388 3ttnnn.exe 97 PID 2388 wrote to memory of 3952 2388 3ttnnn.exe 97 PID 3952 wrote to memory of 5100 3952 bhnhhh.exe 98 PID 3952 wrote to memory of 5100 3952 bhnhhh.exe 98 PID 3952 wrote to memory of 5100 3952 bhnhhh.exe 98 PID 5100 wrote to memory of 4316 5100 rrrllrr.exe 99 PID 5100 wrote to memory of 4316 5100 rrrllrr.exe 99 PID 5100 wrote to memory of 4316 5100 rrrllrr.exe 99 PID 4316 wrote to memory of 4116 4316 llrfffx.exe 100 PID 4316 wrote to memory of 4116 4316 llrfffx.exe 100 PID 4316 wrote to memory of 4116 4316 llrfffx.exe 100 PID 4116 wrote to memory of 4476 4116 vjpdv.exe 101 PID 4116 wrote to memory of 4476 4116 vjpdv.exe 101 PID 4116 wrote to memory of 4476 4116 vjpdv.exe 101 PID 4476 wrote to memory of 3088 4476 rxxxrrx.exe 102 PID 4476 wrote to memory of 3088 4476 rxxxrrx.exe 102 PID 4476 wrote to memory of 3088 4476 rxxxrrx.exe 102 PID 3088 wrote to memory of 2900 3088 hbbtnn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7ba64765e4e93c038188318bdc237d8c295d387aa9ca53fb7b4b5d32420a8b6.exe"C:\Users\Admin\AppData\Local\Temp\b7ba64765e4e93c038188318bdc237d8c295d387aa9ca53fb7b4b5d32420a8b6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\nnnbtn.exec:\nnnbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\pjdvp.exec:\pjdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\btbtnn.exec:\btbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\tbhhbn.exec:\tbhhbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\xxfffff.exec:\xxfffff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\7bbtnb.exec:\7bbtnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\5nhtnn.exec:\5nhtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\1jpjp.exec:\1jpjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\vjpvd.exec:\vjpvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\fxxfxxx.exec:\fxxfxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\hntnhh.exec:\hntnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\hbhbtn.exec:\hbhbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\dvddv.exec:\dvddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\xrxrllf.exec:\xrxrllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\3ttnnn.exec:\3ttnnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\bhnhhh.exec:\bhnhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\rrrllrr.exec:\rrrllrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\llrfffx.exec:\llrfffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\vjpdv.exec:\vjpdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\rxxxrrx.exec:\rxxxrrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\hbbtnn.exec:\hbbtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\1ppjd.exec:\1ppjd.exe23⤵
- Executes dropped EXE
PID:2900 -
\??\c:\fxxrxxx.exec:\fxxrxxx.exe24⤵
- Executes dropped EXE
PID:4652 -
\??\c:\nhtnhh.exec:\nhtnhh.exe25⤵
- Executes dropped EXE
PID:1500 -
\??\c:\vpjdv.exec:\vpjdv.exe26⤵
- Executes dropped EXE
PID:4896 -
\??\c:\jpvpj.exec:\jpvpj.exe27⤵
- Executes dropped EXE
PID:848 -
\??\c:\rxrlrlx.exec:\rxrlrlx.exe28⤵
- Executes dropped EXE
PID:3316 -
\??\c:\nbnbtn.exec:\nbnbtn.exe29⤵
- Executes dropped EXE
PID:4448 -
\??\c:\httnhb.exec:\httnhb.exe30⤵
- Executes dropped EXE
PID:2376 -
\??\c:\jpdvj.exec:\jpdvj.exe31⤵
- Executes dropped EXE
PID:368 -
\??\c:\frrllff.exec:\frrllff.exe32⤵
- Executes dropped EXE
PID:4924 -
\??\c:\5hhttn.exec:\5hhttn.exe33⤵
- Executes dropped EXE
PID:2228 -
\??\c:\nttnbn.exec:\nttnbn.exe34⤵
- Executes dropped EXE
PID:536 -
\??\c:\lxxlxlf.exec:\lxxlxlf.exe35⤵
- Executes dropped EXE
PID:2040 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe36⤵
- Executes dropped EXE
PID:1672 -
\??\c:\tbhhtn.exec:\tbhhtn.exe37⤵
- Executes dropped EXE
PID:3112 -
\??\c:\vjjvj.exec:\vjjvj.exe38⤵
- Executes dropped EXE
PID:1812 -
\??\c:\lxrfrlx.exec:\lxrfrlx.exe39⤵
- Executes dropped EXE
PID:1892 -
\??\c:\pvjvj.exec:\pvjvj.exe40⤵
- Executes dropped EXE
PID:3276 -
\??\c:\bnnbbt.exec:\bnnbbt.exe41⤵
- Executes dropped EXE
PID:4152 -
\??\c:\jpvpj.exec:\jpvpj.exe42⤵
- Executes dropped EXE
PID:3040 -
\??\c:\vvjdd.exec:\vvjdd.exe43⤵
- Executes dropped EXE
PID:1204 -
\??\c:\7flxrlx.exec:\7flxrlx.exe44⤵
- Executes dropped EXE
PID:5096 -
\??\c:\7bbtbb.exec:\7bbtbb.exe45⤵
- Executes dropped EXE
PID:4204 -
\??\c:\7jdpj.exec:\7jdpj.exe46⤵
- Executes dropped EXE
PID:708 -
\??\c:\llxxrfx.exec:\llxxrfx.exe47⤵
- Executes dropped EXE
PID:4656 -
\??\c:\bbnbtb.exec:\bbnbtb.exe48⤵
- Executes dropped EXE
PID:1056 -
\??\c:\vpdpj.exec:\vpdpj.exe49⤵
- Executes dropped EXE
PID:672 -
\??\c:\xflflfr.exec:\xflflfr.exe50⤵
- Executes dropped EXE
PID:3080 -
\??\c:\7rxrxrx.exec:\7rxrxrx.exe51⤵
- Executes dropped EXE
PID:4368 -
\??\c:\bbbhhh.exec:\bbbhhh.exe52⤵
- Executes dropped EXE
PID:1596 -
\??\c:\pddjj.exec:\pddjj.exe53⤵
- Executes dropped EXE
PID:4456 -
\??\c:\xffrfxr.exec:\xffrfxr.exe54⤵
- Executes dropped EXE
PID:1624 -
\??\c:\3bbnbb.exec:\3bbnbb.exe55⤵
- Executes dropped EXE
PID:2296 -
\??\c:\1tnbtn.exec:\1tnbtn.exe56⤵
- Executes dropped EXE
PID:1544 -
\??\c:\vjjdp.exec:\vjjdp.exe57⤵
- Executes dropped EXE
PID:1376 -
\??\c:\xrlxrfr.exec:\xrlxrfr.exe58⤵
- Executes dropped EXE
PID:2908 -
\??\c:\hnbtnh.exec:\hnbtnh.exe59⤵
- Executes dropped EXE
PID:2808 -
\??\c:\jvpjj.exec:\jvpjj.exe60⤵
- Executes dropped EXE
PID:2932 -
\??\c:\lfrxxlf.exec:\lfrxxlf.exe61⤵
- Executes dropped EXE
PID:2372 -
\??\c:\flrxxlf.exec:\flrxxlf.exe62⤵
- Executes dropped EXE
PID:4252 -
\??\c:\hbbbhh.exec:\hbbbhh.exe63⤵
- Executes dropped EXE
PID:800 -
\??\c:\dvpvj.exec:\dvpvj.exe64⤵
- Executes dropped EXE
PID:4892 -
\??\c:\3frlflx.exec:\3frlflx.exe65⤵
- Executes dropped EXE
PID:5064 -
\??\c:\llffxxr.exec:\llffxxr.exe66⤵PID:2848
-
\??\c:\hbthbh.exec:\hbthbh.exe67⤵PID:3700
-
\??\c:\1tthnn.exec:\1tthnn.exe68⤵PID:2224
-
\??\c:\vjvjv.exec:\vjvjv.exe69⤵PID:1604
-
\??\c:\frllxlf.exec:\frllxlf.exe70⤵PID:5076
-
\??\c:\bntbht.exec:\bntbht.exe71⤵PID:4640
-
\??\c:\thtbnh.exec:\thtbnh.exe72⤵PID:3132
-
\??\c:\jjppp.exec:\jjppp.exe73⤵PID:3492
-
\??\c:\3xllxrf.exec:\3xllxrf.exe74⤵PID:4428
-
\??\c:\5thnhh.exec:\5thnhh.exe75⤵PID:1772
-
\??\c:\vpppp.exec:\vpppp.exe76⤵PID:4616
-
\??\c:\1lrlxxr.exec:\1lrlxxr.exe77⤵PID:1184
-
\??\c:\bbbttt.exec:\bbbttt.exe78⤵PID:4996
-
\??\c:\bhthtn.exec:\bhthtn.exe79⤵PID:4716
-
\??\c:\dppdp.exec:\dppdp.exe80⤵PID:4064
-
\??\c:\rfxlfxl.exec:\rfxlfxl.exe81⤵PID:180
-
\??\c:\hbhtbn.exec:\hbhtbn.exe82⤵PID:4200
-
\??\c:\vvdvj.exec:\vvdvj.exe83⤵PID:3020
-
\??\c:\jdddp.exec:\jdddp.exe84⤵PID:628
-
\??\c:\fflfxrr.exec:\fflfxrr.exe85⤵PID:2496
-
\??\c:\bbnhtn.exec:\bbnhtn.exe86⤵PID:1740
-
\??\c:\1ddpd.exec:\1ddpd.exe87⤵PID:4560
-
\??\c:\3flxrxx.exec:\3flxrxx.exe88⤵PID:2164
-
\??\c:\xflxlfx.exec:\xflxlfx.exe89⤵PID:3524
-
\??\c:\tnnhbt.exec:\tnnhbt.exe90⤵PID:4792
-
\??\c:\5vppd.exec:\5vppd.exe91⤵PID:3972
-
\??\c:\jdjjv.exec:\jdjjv.exe92⤵PID:4624
-
\??\c:\ffflxrl.exec:\ffflxrl.exe93⤵PID:1848
-
\??\c:\hbthnh.exec:\hbthnh.exe94⤵PID:3156
-
\??\c:\3ppdp.exec:\3ppdp.exe95⤵PID:4836
-
\??\c:\xlffxrf.exec:\xlffxrf.exe96⤵PID:3380
-
\??\c:\bttnhb.exec:\bttnhb.exe97⤵PID:4136
-
\??\c:\nbbtbb.exec:\nbbtbb.exe98⤵PID:3644
-
\??\c:\vjpjd.exec:\vjpjd.exe99⤵PID:2776
-
\??\c:\5llfrlf.exec:\5llfrlf.exe100⤵PID:2768
-
\??\c:\rlfxrll.exec:\rlfxrll.exe101⤵PID:3984
-
\??\c:\3hhbbh.exec:\3hhbbh.exe102⤵PID:2804
-
\??\c:\3dddp.exec:\3dddp.exe103⤵PID:1308
-
\??\c:\xrrllxr.exec:\xrrllxr.exe104⤵PID:2124
-
\??\c:\ffxlfff.exec:\ffxlfff.exe105⤵PID:3096
-
\??\c:\tnhbtn.exec:\tnhbtn.exe106⤵PID:3276
-
\??\c:\djdpp.exec:\djdpp.exe107⤵PID:1564
-
\??\c:\5frlxrl.exec:\5frlxrl.exe108⤵PID:4472
-
\??\c:\hnbbnh.exec:\hnbbnh.exe109⤵PID:1204
-
\??\c:\ddjvj.exec:\ddjvj.exe110⤵PID:5116
-
\??\c:\lffxlff.exec:\lffxlff.exe111⤵
- System Location Discovery: System Language Discovery
PID:1464 -
\??\c:\bhbbbb.exec:\bhbbbb.exe112⤵PID:4332
-
\??\c:\thnhhh.exec:\thnhhh.exe113⤵PID:3656
-
\??\c:\dvjjp.exec:\dvjjp.exe114⤵PID:208
-
\??\c:\5xlxllx.exec:\5xlxllx.exe115⤵PID:1056
-
\??\c:\hbnhbn.exec:\hbnhbn.exe116⤵PID:2832
-
\??\c:\9jpdj.exec:\9jpdj.exe117⤵PID:3080
-
\??\c:\llrlfll.exec:\llrlfll.exe118⤵PID:4300
-
\??\c:\tnnhhb.exec:\tnnhhb.exe119⤵PID:3532
-
\??\c:\bthhbb.exec:\bthhbb.exe120⤵PID:5000
-
\??\c:\vjdvj.exec:\vjdvj.exe121⤵PID:1520
-
\??\c:\ffllrrf.exec:\ffllrrf.exe122⤵PID:704