Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/01/2025, 20:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe
-
Size
454KB
-
MD5
5e9f8627fa3247bac4b5baf04abc1a15
-
SHA1
4aba5c64b3bcb437ad6247980568a588374910ae
-
SHA256
24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9
-
SHA512
3371dbf0a77aabd8808df57dfac37afd95cf362c7cc0843c84f127859e0cdf0234ef3512c0aa5dfedeba5b528522803dd1f322f3770c8d45b7c52b95c392302a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4272-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3168-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3804-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-1108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-1178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4612 vddvp.exe 4088 nnnnhh.exe 712 bnthbh.exe 1160 dvdpj.exe 2796 nbhbbt.exe 1284 vpvpj.exe 1364 ppddj.exe 4748 vvdvv.exe 3600 pdpjd.exe 2704 ppjvp.exe 2148 jjdpv.exe 1664 jvdvp.exe 232 1ddvp.exe 3236 nbhnhh.exe 4336 nhbnhb.exe 4764 nhbtnn.exe 220 rxxrlfx.exe 4228 ntnnnh.exe 2776 xfxrffr.exe 2840 hntnhh.exe 1560 nhbbtn.exe 1672 djjjd.exe 1432 rflxlll.exe 3168 hhhbbb.exe 3036 nntntt.exe 3128 vjvpv.exe 4044 ntbbhh.exe 2396 lllxrlx.exe 2784 ddvpj.exe 4544 xrxrxxx.exe 1372 pdjvv.exe 4396 jppvd.exe 1004 ntttnt.exe 1228 ppdpj.exe 1968 rffxlfr.exe 3376 1bhtnh.exe 3368 3djdv.exe 552 rrlffxx.exe 1216 tttnhh.exe 2496 vdjdv.exe 1376 xffrlxr.exe 3440 3nntnt.exe 1632 1ppjd.exe 1056 jvddv.exe 2788 xrrxxxf.exe 4828 hbtbtb.exe 228 pddpj.exe 3660 bhhtnh.exe 4272 xrxrxxf.exe 2268 lxxxllf.exe 4088 9tthbb.exe 712 jddvp.exe 4028 xffxrfx.exe 4416 httnhb.exe 4844 tnnnnn.exe 2796 pvdpj.exe 1772 7lrlffx.exe 2448 htnnhh.exe 3768 nnttbn.exe 3648 7vjdj.exe 4912 rlrlxxr.exe 4740 5tnhbt.exe 4572 5nnbtt.exe 4212 5ddvp.exe -
resource yara_rule behavioral2/memory/4272-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-132-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3168-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3024-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-635-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4272 wrote to memory of 4612 4272 24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe 83 PID 4272 wrote to memory of 4612 4272 24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe 83 PID 4272 wrote to memory of 4612 4272 24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe 83 PID 4612 wrote to memory of 4088 4612 vddvp.exe 84 PID 4612 wrote to memory of 4088 4612 vddvp.exe 84 PID 4612 wrote to memory of 4088 4612 vddvp.exe 84 PID 4088 wrote to memory of 712 4088 nnnnhh.exe 85 PID 4088 wrote to memory of 712 4088 nnnnhh.exe 85 PID 4088 wrote to memory of 712 4088 nnnnhh.exe 85 PID 712 wrote to memory of 1160 712 bnthbh.exe 86 PID 712 wrote to memory of 1160 712 bnthbh.exe 86 PID 712 wrote to memory of 1160 712 bnthbh.exe 86 PID 1160 wrote to memory of 2796 1160 dvdpj.exe 87 PID 1160 wrote to memory of 2796 1160 dvdpj.exe 87 PID 1160 wrote to memory of 2796 1160 dvdpj.exe 87 PID 2796 wrote to memory of 1284 2796 nbhbbt.exe 88 PID 2796 wrote to memory of 1284 2796 nbhbbt.exe 88 PID 2796 wrote to memory of 1284 2796 nbhbbt.exe 88 PID 1284 wrote to memory of 1364 1284 vpvpj.exe 89 PID 1284 wrote to memory of 1364 1284 vpvpj.exe 89 PID 1284 wrote to memory of 1364 1284 vpvpj.exe 89 PID 1364 wrote to memory of 4748 1364 ppddj.exe 90 PID 1364 wrote to memory of 4748 1364 ppddj.exe 90 PID 1364 wrote to memory of 4748 1364 ppddj.exe 90 PID 4748 wrote to memory of 3600 4748 vvdvv.exe 91 PID 4748 wrote to memory of 3600 4748 vvdvv.exe 91 PID 4748 wrote to memory of 3600 4748 vvdvv.exe 91 PID 3600 wrote to memory of 2704 3600 pdpjd.exe 92 PID 3600 wrote to memory of 2704 3600 pdpjd.exe 92 PID 3600 wrote to memory of 2704 3600 pdpjd.exe 92 PID 2704 wrote to memory of 2148 2704 ppjvp.exe 93 PID 2704 wrote to memory of 2148 2704 ppjvp.exe 93 PID 2704 wrote to memory of 2148 2704 ppjvp.exe 93 PID 2148 wrote to memory of 1664 2148 jjdpv.exe 94 PID 2148 wrote to memory of 1664 2148 jjdpv.exe 94 
PID 2148 wrote to memory of 1664 2148 jjdpv.exe 94 PID 1664 wrote to memory of 232 1664 jvdvp.exe 95 PID 1664 wrote to memory of 232 1664 jvdvp.exe 95 PID 1664 wrote to memory of 232 1664 jvdvp.exe 95 PID 232 wrote to memory of 3236 232 1ddvp.exe 96 PID 232 wrote to memory of 3236 232 1ddvp.exe 96 PID 232 wrote to memory of 3236 232 1ddvp.exe 96 PID 3236 wrote to memory of 4336 3236 nbhnhh.exe 97 PID 3236 wrote to memory of 4336 3236 nbhnhh.exe 97 PID 3236 wrote to memory of 4336 3236 nbhnhh.exe 97 PID 4336 wrote to memory of 4764 4336 nhbnhb.exe 98 PID 4336 wrote to memory of 4764 4336 nhbnhb.exe 98 PID 4336 wrote to memory of 4764 4336 nhbnhb.exe 98 PID 4764 wrote to memory of 220 4764 nhbtnn.exe 99 PID 4764 wrote to memory of 220 4764 nhbtnn.exe 99 PID 4764 wrote to memory of 220 4764 nhbtnn.exe 99 PID 220 wrote to memory of 4228 220 rxxrlfx.exe 100 PID 220 wrote to memory of 4228 220 rxxrlfx.exe 100 PID 220 wrote to memory of 4228 220 rxxrlfx.exe 100 PID 4228 wrote to memory of 2776 4228 ntnnnh.exe 101 PID 4228 wrote to memory of 2776 4228 ntnnnh.exe 101 PID 4228 wrote to memory of 2776 4228 ntnnnh.exe 101 PID 2776 wrote to memory of 2840 2776 xfxrffr.exe 102 PID 2776 wrote to memory of 2840 2776 xfxrffr.exe 102 PID 2776 wrote to memory of 2840 2776 xfxrffr.exe 102 PID 2840 wrote to memory of 1560 2840 hntnhh.exe 103 PID 2840 wrote to memory of 1560 2840 hntnhh.exe 103 PID 2840 wrote to memory of 1560 2840 hntnhh.exe 103 PID 1560 wrote to memory of 1672 1560 nhbbtn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe"C:\Users\Admin\AppData\Local\Temp\24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\vddvp.exec:\vddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\nnnnhh.exec:\nnnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\bnthbh.exec:\bnthbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\dvdpj.exec:\dvdpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\nbhbbt.exec:\nbhbbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\vpvpj.exec:\vpvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\ppddj.exec:\ppddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\vvdvv.exec:\vvdvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\pdpjd.exec:\pdpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\ppjvp.exec:\ppjvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\jjdpv.exec:\jjdpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\jvdvp.exec:\jvdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\1ddvp.exec:\1ddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\nbhnhh.exec:\nbhnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\nhbnhb.exec:\nhbnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\nhbtnn.exec:\nhbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\ntnnnh.exec:\ntnnnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\xfxrffr.exec:\xfxrffr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\hntnhh.exec:\hntnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\nhbbtn.exec:\nhbbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\djjjd.exec:\djjjd.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1672 -
\??\c:\rflxlll.exec:\rflxlll.exe24⤵
- Executes dropped EXE
PID:1432 -
\??\c:\hhhbbb.exec:\hhhbbb.exe25⤵
- Executes dropped EXE
PID:3168 -
\??\c:\nntntt.exec:\nntntt.exe26⤵
- Executes dropped EXE
PID:3036 -
\??\c:\vjvpv.exec:\vjvpv.exe27⤵
- Executes dropped EXE
PID:3128 -
\??\c:\ntbbhh.exec:\ntbbhh.exe28⤵
- Executes dropped EXE
PID:4044 -
\??\c:\lllxrlx.exec:\lllxrlx.exe29⤵
- Executes dropped EXE
PID:2396 -
\??\c:\ddvpj.exec:\ddvpj.exe30⤵
- Executes dropped EXE
PID:2784 -
\??\c:\xrxrxxx.exec:\xrxrxxx.exe31⤵
- Executes dropped EXE
PID:4544 -
\??\c:\pdjvv.exec:\pdjvv.exe32⤵
- Executes dropped EXE
PID:1372 -
\??\c:\jppvd.exec:\jppvd.exe33⤵
- Executes dropped EXE
PID:4396 -
\??\c:\ntttnt.exec:\ntttnt.exe34⤵
- Executes dropped EXE
PID:1004 -
\??\c:\ppdpj.exec:\ppdpj.exe35⤵
- Executes dropped EXE
PID:1228 -
\??\c:\rffxlfr.exec:\rffxlfr.exe36⤵
- Executes dropped EXE
PID:1968 -
\??\c:\1bhtnh.exec:\1bhtnh.exe37⤵
- Executes dropped EXE
PID:3376 -
\??\c:\3djdv.exec:\3djdv.exe38⤵
- Executes dropped EXE
PID:3368 -
\??\c:\rrlffxx.exec:\rrlffxx.exe39⤵
- Executes dropped EXE
PID:552 -
\??\c:\tttnhh.exec:\tttnhh.exe40⤵
- Executes dropped EXE
PID:1216 -
\??\c:\vdjdv.exec:\vdjdv.exe41⤵
- Executes dropped EXE
PID:2496 -
\??\c:\xffrlxr.exec:\xffrlxr.exe42⤵
- Executes dropped EXE
PID:1376 -
\??\c:\3nntnt.exec:\3nntnt.exe43⤵
- Executes dropped EXE
PID:3440 -
\??\c:\1ppjd.exec:\1ppjd.exe44⤵
- Executes dropped EXE
PID:1632 -
\??\c:\jvddv.exec:\jvddv.exe45⤵
- Executes dropped EXE
PID:1056 -
\??\c:\xrrxxxf.exec:\xrrxxxf.exe46⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hbtbtb.exec:\hbtbtb.exe47⤵
- Executes dropped EXE
PID:4828 -
\??\c:\pddpj.exec:\pddpj.exe48⤵
- Executes dropped EXE
PID:228 -
\??\c:\bhhtnh.exec:\bhhtnh.exe49⤵
- Executes dropped EXE
PID:3660 -
\??\c:\ppdvj.exec:\ppdvj.exe50⤵PID:4552
-
\??\c:\xrxrxxf.exec:\xrxrxxf.exe51⤵
- Executes dropped EXE
PID:4272 -
\??\c:\lxxxllf.exec:\lxxxllf.exe52⤵
- Executes dropped EXE
PID:2268 -
\??\c:\9tthbb.exec:\9tthbb.exe53⤵
- Executes dropped EXE
PID:4088 -
\??\c:\jddvp.exec:\jddvp.exe54⤵
- Executes dropped EXE
PID:712 -
\??\c:\xffxrfx.exec:\xffxrfx.exe55⤵
- Executes dropped EXE
PID:4028 -
\??\c:\httnhb.exec:\httnhb.exe56⤵
- Executes dropped EXE
PID:4416 -
\??\c:\tnnnnn.exec:\tnnnnn.exe57⤵
- Executes dropped EXE
PID:4844 -
\??\c:\pvdpj.exec:\pvdpj.exe58⤵
- Executes dropped EXE
PID:2796 -
\??\c:\7lrlffx.exec:\7lrlffx.exe59⤵
- Executes dropped EXE
PID:1772 -
\??\c:\htnnhh.exec:\htnnhh.exe60⤵
- Executes dropped EXE
PID:2448 -
\??\c:\nnttbn.exec:\nnttbn.exe61⤵
- Executes dropped EXE
PID:3768 -
\??\c:\7vjdj.exec:\7vjdj.exe62⤵
- Executes dropped EXE
PID:3648 -
\??\c:\rlrlxxr.exec:\rlrlxxr.exe63⤵
- Executes dropped EXE
PID:4912 -
\??\c:\5tnhbt.exec:\5tnhbt.exe64⤵
- Executes dropped EXE
PID:4740 -
\??\c:\5nnbtt.exec:\5nnbtt.exe65⤵
- Executes dropped EXE
PID:4572 -
\??\c:\5ddvp.exec:\5ddvp.exe66⤵
- Executes dropped EXE
PID:4212 -
\??\c:\lllfrrl.exec:\lllfrrl.exe67⤵PID:4696
-
\??\c:\llrllff.exec:\llrllff.exe68⤵PID:1580
-
\??\c:\thnhbb.exec:\thnhbb.exe69⤵PID:1664
-
\??\c:\5jdvp.exec:\5jdvp.exe70⤵PID:4988
-
\??\c:\xllfffx.exec:\xllfffx.exe71⤵PID:444
-
\??\c:\9nbbbb.exec:\9nbbbb.exe72⤵PID:4676
-
\??\c:\hbnhbb.exec:\hbnhbb.exe73⤵PID:4332
-
\??\c:\jjdvv.exec:\jjdvv.exe74⤵PID:3636
-
\??\c:\btbthh.exec:\btbthh.exe75⤵PID:3852
-
\??\c:\httnhh.exec:\httnhh.exe76⤵PID:2172
-
\??\c:\jppdd.exec:\jppdd.exe77⤵PID:3804
-
\??\c:\jjjdp.exec:\jjjdp.exe78⤵PID:2328
-
\??\c:\rlxrxxr.exec:\rlxrxxr.exe79⤵PID:3464
-
\??\c:\5btttt.exec:\5btttt.exe80⤵PID:1392
-
\??\c:\jjdpd.exec:\jjdpd.exe81⤵PID:3024
-
\??\c:\jvjjd.exec:\jvjjd.exe82⤵PID:4992
-
\??\c:\rlllxlf.exec:\rlllxlf.exe83⤵PID:2316
-
\??\c:\tntnnt.exec:\tntnnt.exe84⤵PID:4720
-
\??\c:\vppjv.exec:\vppjv.exe85⤵PID:2692
-
\??\c:\xfrfrrl.exec:\xfrfrrl.exe86⤵PID:4736
-
\??\c:\nhnhbb.exec:\nhnhbb.exe87⤵PID:4556
-
\??\c:\jddvp.exec:\jddvp.exe88⤵PID:1572
-
\??\c:\1ffxrfx.exec:\1ffxrfx.exe89⤵PID:4628
-
\??\c:\nbbbnn.exec:\nbbbnn.exe90⤵PID:2752
-
\??\c:\bnbnhb.exec:\bnbnhb.exe91⤵PID:2204
-
\??\c:\jjppd.exec:\jjppd.exe92⤵PID:2440
-
\??\c:\7frlffr.exec:\7frlffr.exe93⤵PID:1140
-
\??\c:\9nhnhb.exec:\9nhnhb.exe94⤵PID:4476
-
\??\c:\jpdjd.exec:\jpdjd.exe95⤵PID:4172
-
\??\c:\frxrffx.exec:\frxrffx.exe96⤵PID:2412
-
\??\c:\lfllxxr.exec:\lfllxxr.exe97⤵PID:3112
-
\??\c:\tbnhnn.exec:\tbnhnn.exe98⤵PID:1968
-
\??\c:\7djdj.exec:\7djdj.exe99⤵PID:3376
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe100⤵PID:4152
-
\??\c:\bbhhnn.exec:\bbhhnn.exe101⤵PID:5112
-
\??\c:\tbnbtt.exec:\tbnbtt.exe102⤵PID:1216
-
\??\c:\3dpjd.exec:\3dpjd.exe103⤵PID:2496
-
\??\c:\9lrxrrl.exec:\9lrxrrl.exe104⤵PID:1376
-
\??\c:\thnhbb.exec:\thnhbb.exe105⤵PID:3908
-
\??\c:\djjvv.exec:\djjvv.exe106⤵PID:3296
-
\??\c:\rflxrlf.exec:\rflxrlf.exe107⤵PID:2344
-
\??\c:\rfllfrx.exec:\rfllfrx.exe108⤵PID:724
-
\??\c:\hbbtbb.exec:\hbbtbb.exe109⤵PID:1996
-
\??\c:\pdvpj.exec:\pdvpj.exe110⤵PID:2416
-
\??\c:\vdjdv.exec:\vdjdv.exe111⤵PID:228
-
\??\c:\xrrrffx.exec:\xrrrffx.exe112⤵PID:1464
-
\??\c:\tnhbhh.exec:\tnhbhh.exe113⤵PID:3320
-
\??\c:\vddvp.exec:\vddvp.exe114⤵PID:1708
-
\??\c:\9fxxrll.exec:\9fxxrll.exe115⤵PID:3504
-
\??\c:\hnnttn.exec:\hnnttn.exe116⤵PID:4116
-
\??\c:\btbtnh.exec:\btbtnh.exe117⤵PID:4224
-
\??\c:\9dvpd.exec:\9dvpd.exe118⤵PID:4060
-
\??\c:\fxrlxfx.exec:\fxrlxfx.exe119⤵PID:2120
-
\??\c:\7btbtt.exec:\7btbtt.exe120⤵PID:2984
-
\??\c:\nnnhbb.exec:\nnnhbb.exe121⤵PID:2780
-
\??\c:\jddvj.exec:\jddvj.exe122⤵PID:4564
-