Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:13
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe
-
Size
457KB
-
MD5
06a37ece0983d5e900630eeb162c84a6
-
SHA1
e465f6783bdd06cda089e710a9750bf6494e3822
-
SHA256
bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b
-
SHA512
63a80fccfe70a95259ba9911ec88169fc7b31646280b7184c2a4bcec68b1fee4ea9201eebff6d7b0eda636267acac4f9fac65b60d3267fb2fa9a2bbf31c98978
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRPK:q7Tc2NYHUrAwfMp3CDRy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs — YARA match on the 0x0000000000400000–0x000000000042A000 image region of the original process (PID 1472) and of each dropped child, consistent with every member of the spawn chain carrying the same payload. Some PIDs (e.g. 3796, 1060, 4296) appear twice with different dump sequence numbers because earlier chain members had exited and the sandbox reused the PID; correlate on PID plus sequence number, not on PID alone.
resource yara_rule behavioral2/memory/1472-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4796-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1996-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/496-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-1178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — every dropped binary is written to and launched from the root of the C: drive under a short pseudo-random consonant-cluster name (e.g. c:\9nhnbt.exe), and each one spawns the next; process creation from the volume root with names of this shape is a useful hunting pivot.
pid Process 4868 9nhnbt.exe 4952 3ppvp.exe 1788 9ntnhb.exe 3416 xfxlxrf.exe 3796 ddjpd.exe 4136 7tthhh.exe 1060 lffxxrl.exe 1220 1nntht.exe 3704 3rfxlxx.exe 1684 nbthth.exe 3528 ntnhtn.exe 1508 3lxxrxl.exe 2824 pdvjv.exe 1200 lrrfxrf.exe 4508 bhhthb.exe 4728 jvddj.exe 2548 nhbhht.exe 4296 pvjvj.exe 3512 ntbtnn.exe 4220 ppjvj.exe 4576 vddvp.exe 4796 xrfrflx.exe 1924 5pjdv.exe 5116 ffxrrlf.exe 1616 lfxrllf.exe 2820 tnhbnh.exe 1028 5hnbhb.exe 4412 pvdpd.exe 3640 3hthtn.exe 3900 pddpv.exe 2424 llrfxrf.exe 2016 nhthtn.exe 3060 pddpd.exe 1948 1lxlrlf.exe 740 bhhthb.exe 4512 vvvvp.exe 2508 fxffrfr.exe 1084 7bhtnh.exe 4708 3nbnbt.exe 3572 jjdvp.exe 2356 1llfxrl.exe 3480 5nthbt.exe 3288 vvvdp.exe 408 1fxrffx.exe 5036 rrfxlxx.exe 1928 9nnbnh.exe 4548 pdddv.exe 4972 vvvjv.exe 3936 7fxlrll.exe 2724 nbbtnh.exe 4348 jpdvj.exe 3796 5hhttt.exe 1364 tnnhtn.exe 4284 1jjpd.exe 744 frlxxrf.exe 1060 5tthtb.exe 2856 nhhnbt.exe 4932 jddvv.exe 1528 xffxlfx.exe 1664 9nnbtn.exe 3228 httbbt.exe 560 pdvpd.exe 2800 fxrflff.exe 2344 thhtht.exe -
resource yara_rule behavioral2/memory/1472-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1616-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/496-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-341-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1628-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-768-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: the NLS\Language key is also read by many legitimate applications and runtimes, so this signature is a weak indicator on its own. Many entries below are attributed to "Process not Found", presumably because the short-lived chain members had already exited before the registry event could be attributed to them.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhb.exe -
Suspicious use of WriteProcessMemory 64 IoCs — every entry is a parent writing into the child it has just spawned (three writes per child, with the target index advancing by one each time), a pattern commonly seen with plain process creation rather than injection into an unrelated process; here the signature mainly documents the spawn chain.
description pid Process procid_target PID 1472 wrote to memory of 4868 1472 bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe 82 PID 1472 wrote to memory of 4868 1472 bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe 82 PID 1472 wrote to memory of 4868 1472 bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe 82 PID 4868 wrote to memory of 4952 4868 9nhnbt.exe 83 PID 4868 wrote to memory of 4952 4868 9nhnbt.exe 83 PID 4868 wrote to memory of 4952 4868 9nhnbt.exe 83 PID 4952 wrote to memory of 1788 4952 3ppvp.exe 84 PID 4952 wrote to memory of 1788 4952 3ppvp.exe 84 PID 4952 wrote to memory of 1788 4952 3ppvp.exe 84 PID 1788 wrote to memory of 3416 1788 9ntnhb.exe 85 PID 1788 wrote to memory of 3416 1788 9ntnhb.exe 85 PID 1788 wrote to memory of 3416 1788 9ntnhb.exe 85 PID 3416 wrote to memory of 3796 3416 xfxlxrf.exe 86 PID 3416 wrote to memory of 3796 3416 xfxlxrf.exe 86 PID 3416 wrote to memory of 3796 3416 xfxlxrf.exe 86 PID 3796 wrote to memory of 4136 3796 ddjpd.exe 87 PID 3796 wrote to memory of 4136 3796 ddjpd.exe 87 PID 3796 wrote to memory of 4136 3796 ddjpd.exe 87 PID 4136 wrote to memory of 1060 4136 7tthhh.exe 88 PID 4136 wrote to memory of 1060 4136 7tthhh.exe 88 PID 4136 wrote to memory of 1060 4136 7tthhh.exe 88 PID 1060 wrote to memory of 1220 1060 lffxxrl.exe 89 PID 1060 wrote to memory of 1220 1060 lffxxrl.exe 89 PID 1060 wrote to memory of 1220 1060 lffxxrl.exe 89 PID 1220 wrote to memory of 3704 1220 1nntht.exe 90 PID 1220 wrote to memory of 3704 1220 1nntht.exe 90 PID 1220 wrote to memory of 3704 1220 1nntht.exe 90 PID 3704 wrote to memory of 1684 3704 3rfxlxx.exe 91 PID 3704 wrote to memory of 1684 3704 3rfxlxx.exe 91 PID 3704 wrote to memory of 1684 3704 3rfxlxx.exe 91 PID 1684 wrote to memory of 3528 1684 nbthth.exe 92 PID 1684 wrote to memory of 3528 1684 nbthth.exe 92 PID 1684 wrote to memory of 3528 1684 nbthth.exe 92 PID 3528 wrote to memory of 1508 3528 ntnhtn.exe 93 PID 3528 wrote 
to memory of 1508 3528 ntnhtn.exe 93 PID 3528 wrote to memory of 1508 3528 ntnhtn.exe 93 PID 1508 wrote to memory of 2824 1508 3lxxrxl.exe 94 PID 1508 wrote to memory of 2824 1508 3lxxrxl.exe 94 PID 1508 wrote to memory of 2824 1508 3lxxrxl.exe 94 PID 2824 wrote to memory of 1200 2824 pdvjv.exe 95 PID 2824 wrote to memory of 1200 2824 pdvjv.exe 95 PID 2824 wrote to memory of 1200 2824 pdvjv.exe 95 PID 1200 wrote to memory of 4508 1200 lrrfxrf.exe 96 PID 1200 wrote to memory of 4508 1200 lrrfxrf.exe 96 PID 1200 wrote to memory of 4508 1200 lrrfxrf.exe 96 PID 4508 wrote to memory of 4728 4508 bhhthb.exe 97 PID 4508 wrote to memory of 4728 4508 bhhthb.exe 97 PID 4508 wrote to memory of 4728 4508 bhhthb.exe 97 PID 4728 wrote to memory of 2548 4728 jvddj.exe 98 PID 4728 wrote to memory of 2548 4728 jvddj.exe 98 PID 4728 wrote to memory of 2548 4728 jvddj.exe 98 PID 2548 wrote to memory of 4296 2548 nhbhht.exe 99 PID 2548 wrote to memory of 4296 2548 nhbhht.exe 99 PID 2548 wrote to memory of 4296 2548 nhbhht.exe 99 PID 4296 wrote to memory of 3512 4296 pvjvj.exe 100 PID 4296 wrote to memory of 3512 4296 pvjvj.exe 100 PID 4296 wrote to memory of 3512 4296 pvjvj.exe 100 PID 3512 wrote to memory of 4220 3512 ntbtnn.exe 101 PID 3512 wrote to memory of 4220 3512 ntbtnn.exe 101 PID 3512 wrote to memory of 4220 3512 ntbtnn.exe 101 PID 4220 wrote to memory of 4576 4220 ppjvj.exe 102 PID 4220 wrote to memory of 4576 4220 ppjvj.exe 102 PID 4220 wrote to memory of 4576 4220 ppjvj.exe 102 PID 4576 wrote to memory of 4796 4576 vddvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe"C:\Users\Admin\AppData\Local\Temp\bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\9nhnbt.exec:\9nhnbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\3ppvp.exec:\3ppvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\9ntnhb.exec:\9ntnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\xfxlxrf.exec:\xfxlxrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\ddjpd.exec:\ddjpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\7tthhh.exec:\7tthhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\lffxxrl.exec:\lffxxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\1nntht.exec:\1nntht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\3rfxlxx.exec:\3rfxlxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\nbthth.exec:\nbthth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\ntnhtn.exec:\ntnhtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\3lxxrxl.exec:\3lxxrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\pdvjv.exec:\pdvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\lrrfxrf.exec:\lrrfxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\bhhthb.exec:\bhhthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\jvddj.exec:\jvddj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\nhbhht.exec:\nhbhht.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\pvjvj.exec:\pvjvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\ntbtnn.exec:\ntbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\ppjvj.exec:\ppjvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\vddvp.exec:\vddvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\xrfrflx.exec:\xrfrflx.exe23⤵
- Executes dropped EXE
PID:4796 -
\??\c:\5pjdv.exec:\5pjdv.exe24⤵
- Executes dropped EXE
PID:1924 -
\??\c:\ffxrrlf.exec:\ffxrrlf.exe25⤵
- Executes dropped EXE
PID:5116 -
\??\c:\lfxrllf.exec:\lfxrllf.exe26⤵
- Executes dropped EXE
PID:1616 -
\??\c:\tnhbnh.exec:\tnhbnh.exe27⤵
- Executes dropped EXE
PID:2820 -
\??\c:\5hnbhb.exec:\5hnbhb.exe28⤵
- Executes dropped EXE
PID:1028 -
\??\c:\pvdpd.exec:\pvdpd.exe29⤵
- Executes dropped EXE
PID:4412 -
\??\c:\3hthtn.exec:\3hthtn.exe30⤵
- Executes dropped EXE
PID:3640 -
\??\c:\pddpv.exec:\pddpv.exe31⤵
- Executes dropped EXE
PID:3900 -
\??\c:\llrfxrf.exec:\llrfxrf.exe32⤵
- Executes dropped EXE
PID:2424 -
\??\c:\nhthtn.exec:\nhthtn.exe33⤵
- Executes dropped EXE
PID:2016 -
\??\c:\pddpd.exec:\pddpd.exe34⤵
- Executes dropped EXE
PID:3060 -
\??\c:\1lxlrlf.exec:\1lxlrlf.exe35⤵
- Executes dropped EXE
PID:1948 -
\??\c:\bhhthb.exec:\bhhthb.exe36⤵
- Executes dropped EXE
PID:740 -
\??\c:\vvvvp.exec:\vvvvp.exe37⤵
- Executes dropped EXE
PID:4512 -
\??\c:\fxffrfr.exec:\fxffrfr.exe38⤵
- Executes dropped EXE
PID:2508 -
\??\c:\7bhtnh.exec:\7bhtnh.exe39⤵
- Executes dropped EXE
PID:1084 -
\??\c:\3nbnbt.exec:\3nbnbt.exe40⤵
- Executes dropped EXE
PID:4708 -
\??\c:\jjdvp.exec:\jjdvp.exe41⤵
- Executes dropped EXE
PID:3572 -
\??\c:\1llfxrl.exec:\1llfxrl.exe42⤵
- Executes dropped EXE
PID:2356 -
\??\c:\5nthbt.exec:\5nthbt.exe43⤵
- Executes dropped EXE
PID:3480 -
\??\c:\vvvdp.exec:\vvvdp.exe44⤵
- Executes dropped EXE
PID:3288 -
\??\c:\1fxrffx.exec:\1fxrffx.exe45⤵
- Executes dropped EXE
PID:408 -
\??\c:\rrfxlxx.exec:\rrfxlxx.exe46⤵
- Executes dropped EXE
PID:5036 -
\??\c:\9nnbnh.exec:\9nnbnh.exe47⤵
- Executes dropped EXE
PID:1928 -
\??\c:\pdddv.exec:\pdddv.exe48⤵
- Executes dropped EXE
PID:4548 -
\??\c:\vvvjv.exec:\vvvjv.exe49⤵
- Executes dropped EXE
PID:4972 -
\??\c:\7fxlrll.exec:\7fxlrll.exe50⤵
- Executes dropped EXE
PID:3936 -
\??\c:\nbbtnh.exec:\nbbtnh.exe51⤵
- Executes dropped EXE
PID:2724 -
\??\c:\jpdvj.exec:\jpdvj.exe52⤵
- Executes dropped EXE
PID:4348 -
\??\c:\5hhttt.exec:\5hhttt.exe53⤵
- Executes dropped EXE
PID:3796 -
\??\c:\tnnhtn.exec:\tnnhtn.exe54⤵
- Executes dropped EXE
PID:1364 -
\??\c:\1jjpd.exec:\1jjpd.exe55⤵
- Executes dropped EXE
PID:4284 -
\??\c:\frlxxrf.exec:\frlxxrf.exe56⤵
- Executes dropped EXE
PID:744 -
\??\c:\5tthtb.exec:\5tthtb.exe57⤵
- Executes dropped EXE
PID:1060 -
\??\c:\nhhnbt.exec:\nhhnbt.exe58⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jddvv.exec:\jddvv.exe59⤵
- Executes dropped EXE
PID:4932 -
\??\c:\xffxlfx.exec:\xffxlfx.exe60⤵
- Executes dropped EXE
PID:1528 -
\??\c:\9nnbtn.exec:\9nnbtn.exe61⤵
- Executes dropped EXE
PID:1664 -
\??\c:\httbbt.exec:\httbbt.exe62⤵
- Executes dropped EXE
PID:3228 -
\??\c:\pdvpd.exec:\pdvpd.exe63⤵
- Executes dropped EXE
PID:560 -
\??\c:\fxrflff.exec:\fxrflff.exe64⤵
- Executes dropped EXE
PID:2800 -
\??\c:\thhtht.exec:\thhtht.exe65⤵
- Executes dropped EXE
PID:2344 -
\??\c:\nhbthb.exec:\nhbthb.exe66⤵PID:1412
-
\??\c:\vjjdv.exec:\vjjdv.exe67⤵PID:3600
-
\??\c:\jjdpd.exec:\jjdpd.exe68⤵PID:1368
-
\??\c:\rxrrrrr.exec:\rxrrrrr.exe69⤵PID:3252
-
\??\c:\bntnnb.exec:\bntnnb.exe70⤵PID:4260
-
\??\c:\pvvjv.exec:\pvvjv.exe71⤵PID:2548
-
\??\c:\xrrfrlf.exec:\xrrfrlf.exe72⤵PID:4296
-
\??\c:\ttthth.exec:\ttthth.exe73⤵PID:3484
-
\??\c:\nbhbnh.exec:\nbhbnh.exe74⤵PID:564
-
\??\c:\3pdpj.exec:\3pdpj.exe75⤵PID:1996
-
\??\c:\xffxlxl.exec:\xffxlxl.exe76⤵PID:496
-
\??\c:\ntbnbn.exec:\ntbnbn.exe77⤵PID:4492
-
\??\c:\nththb.exec:\nththb.exe78⤵PID:3100
-
\??\c:\1djdp.exec:\1djdp.exe79⤵PID:3128
-
\??\c:\xfllxrl.exec:\xfllxrl.exe80⤵PID:4428
-
\??\c:\bhhbnh.exec:\bhhbnh.exe81⤵PID:3884
-
\??\c:\nhbnbt.exec:\nhbnbt.exe82⤵PID:4600
-
\??\c:\vjjpv.exec:\vjjpv.exe83⤵PID:908
-
\??\c:\lxrrxrf.exec:\lxrrxrf.exe84⤵PID:1796
-
\??\c:\tbtntn.exec:\tbtntn.exe85⤵PID:1628
-
\??\c:\nnnnhh.exec:\nnnnhh.exe86⤵PID:3824
-
\??\c:\pvjdv.exec:\pvjdv.exe87⤵PID:224
-
\??\c:\xxrlxll.exec:\xxrlxll.exe88⤵PID:1944
-
\??\c:\nbbhtn.exec:\nbbhtn.exe89⤵PID:700
-
\??\c:\ppvdd.exec:\ppvdd.exe90⤵PID:3024
-
\??\c:\xrxrllf.exec:\xrxrllf.exe91⤵PID:1660
-
\??\c:\nnhttt.exec:\nnhttt.exe92⤵PID:4904
-
\??\c:\jjjjd.exec:\jjjjd.exe93⤵PID:1948
-
\??\c:\llfffxf.exec:\llfffxf.exe94⤵PID:2696
-
\??\c:\9ffrrlf.exec:\9ffrrlf.exe95⤵PID:3272
-
\??\c:\btbbtn.exec:\btbbtn.exe96⤵PID:2412
-
\??\c:\pdvjj.exec:\pdvjj.exe97⤵PID:1084
-
\??\c:\xlrrfxl.exec:\xlrrfxl.exe98⤵PID:3428
-
\??\c:\3fxlxrl.exec:\3fxlxrl.exe99⤵PID:3760
-
\??\c:\bththb.exec:\bththb.exe100⤵PID:1396
-
\??\c:\vjjdp.exec:\vjjdp.exe101⤵PID:2332
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe102⤵PID:4388
-
\??\c:\hthhhn.exec:\hthhhn.exe103⤵PID:3132
-
\??\c:\jjpjd.exec:\jjpjd.exe104⤵PID:4868
-
\??\c:\9rlrfxr.exec:\9rlrfxr.exe105⤵PID:4400
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe106⤵PID:2036
-
\??\c:\nthhbh.exec:\nthhbh.exe107⤵PID:3924
-
\??\c:\jdjdd.exec:\jdjdd.exe108⤵PID:732
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe109⤵PID:3052
-
\??\c:\3nhnbt.exec:\3nhnbt.exe110⤵PID:3188
-
\??\c:\3jjdd.exec:\3jjdd.exe111⤵PID:3980
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe112⤵PID:2352
-
\??\c:\xrfflfr.exec:\xrfflfr.exe113⤵PID:1364
-
\??\c:\bntbtt.exec:\bntbtt.exe114⤵PID:4284
-
\??\c:\7jjvd.exec:\7jjvd.exe115⤵PID:876
-
\??\c:\lrxrflf.exec:\lrxrflf.exe116⤵PID:1468
-
\??\c:\rfxlfxr.exec:\rfxlfxr.exe117⤵PID:980
-
\??\c:\9hbnnn.exec:\9hbnnn.exe118⤵PID:4876
-
\??\c:\pdvvp.exec:\pdvvp.exe119⤵PID:1684
-
\??\c:\lrfxxrr.exec:\lrfxxrr.exe120⤵PID:1900
-
\??\c:\htbnbt.exec:\htbnbt.exe121⤵PID:1496
-
\??\c:\djdvp.exec:\djdvp.exe122⤵PID:4812