Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
11-09-2024 03:57
Behavioral task
behavioral1
Sample
580c880a21fb211dddcd67f398ba2b60N.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
120 seconds
General
-
Target
580c880a21fb211dddcd67f398ba2b60N.exe
-
Size
76KB
-
MD5
580c880a21fb211dddcd67f398ba2b60
-
SHA1
6feb94444fa88adf51f319fcb933015d1b59a9f9
-
SHA256
3903e4a2e8a02350381667a11863f2c554f261f0a1ed72aa25fac58630f939ee
-
SHA512
ff889ef344535a5395d5018ca561942bd7458803285253eb7220fecff877f644b5a414793fff79fc7785d3674de463b91d28698c0ac8b83e4d91078d6acde6a6
-
SSDEEP
1536:NvQBeOGtrYS3srx93UBWfwC6Ggnouy8KlAXmAXIBG/+WIFuTKLXvCB5yAXNlIQk0:NhOmTsF93UYfwC6GIoutOP/WWGKL/SYu
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3460-6-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3940-12-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3896-19-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4704-25-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1508-30-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/640-36-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1604-43-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4920-49-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2668-55-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4856-60-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/5040-70-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2276-69-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2976-80-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2428-86-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2644-92-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/400-97-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1964-103-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4676-114-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1772-121-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2748-131-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1820-147-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon 
behavioral2/memory/4960-157-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2908-169-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3108-188-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1920-192-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1332-196-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4420-200-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3400-204-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4264-208-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4060-215-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4704-228-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3448-232-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3988-236-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2612-240-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3868-244-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4908-274-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2972-278-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2972-281-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3388-291-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3864-307-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3912-314-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3768-330-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon 
behavioral2/memory/4012-346-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4264-380-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/640-405-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2788-421-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3140-434-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4768-454-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4676-460-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1612-479-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/3912-483-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2360-487-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1268-497-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4900-505-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4892-565-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/2392-587-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4212-603-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/1464-631-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4956-653-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4140-693-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/5088-724-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/784-764-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral2/memory/4892-1003-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon 
behavioral2/memory/1052-1343-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3940 nnhbtn.exe 3896 tbtbnt.exe 4704 3jppp.exe 1508 htnnhh.exe 640 1vpjd.exe 1604 jdpdd.exe 4920 lrfrfrf.exe 2668 tnbnnh.exe 4856 9jjvj.exe 5040 jvjvj.exe 2276 xxfxrlr.exe 2976 bbbtnh.exe 2428 nbnbth.exe 2644 vvpdj.exe 400 xlrflfx.exe 1964 5lxrlff.exe 784 9djvj.exe 4676 vjjvj.exe 1772 1lxlxrf.exe 1020 bhnhtt.exe 2748 ppppd.exe 3648 5lfxrlf.exe 2200 rxrrllf.exe 1820 7htnnn.exe 1716 pjdvp.exe 4960 rfrfrlr.exe 2908 hthbtb.exe 1540 5tbtbb.exe 3180 dpppd.exe 5012 5vvpd.exe 3108 7llrfxl.exe 1920 3lxrffx.exe 1332 7bhtth.exe 4420 pvvpd.exe 3400 7vdpd.exe 4264 flxrfxx.exe 4384 rrllfxr.exe 4060 nnnnnt.exe 3268 pjjdv.exe 5000 dvvpv.exe 2764 fxfrlxf.exe 4704 nnbtbt.exe 3448 tttttt.exe 3988 jvvjd.exe 2612 xfrrrxx.exe 3868 1fllrrx.exe 4040 nhtntn.exe 4816 dvvvp.exe 4848 lxlxxrl.exe 3668 htntht.exe 4984 btnnnh.exe 3960 7dvvp.exe 3356 jjvdj.exe 5076 lxxlffx.exe 4908 bttbbb.exe 2460 5ddvj.exe 2972 jjvpd.exe 3484 xrxrfrl.exe 436 ttbnbn.exe 3388 jvvjd.exe 784 pjpjv.exe 5104 xffxrrx.exe 4620 llffflr.exe 432 nhnnhh.exe -
resource yara_rule behavioral2/memory/3460-0-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x00090000000233c2-2.dat upx behavioral2/memory/3460-6-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/3940-12-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/3896-13-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0009000000023422-10.dat upx behavioral2/files/0x0007000000023426-16.dat upx behavioral2/memory/3896-19-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023427-22.dat upx behavioral2/memory/4704-25-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023428-28.dat upx behavioral2/memory/1508-30-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023429-34.dat upx behavioral2/memory/640-36-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x000700000002342a-40.dat upx behavioral2/memory/1604-43-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x000700000002342b-46.dat upx behavioral2/memory/4920-49-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x000700000002342c-52.dat upx behavioral2/memory/4856-56-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/2668-55-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x000700000002342d-61.dat upx behavioral2/memory/4856-60-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x000700000002342e-65.dat upx behavioral2/memory/5040-70-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/2276-69-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x000700000002342f-74.dat upx behavioral2/files/0x0007000000023430-78.dat upx behavioral2/memory/2976-80-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023431-83.dat upx 
behavioral2/memory/2428-86-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023433-89.dat upx behavioral2/memory/2644-92-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/400-97-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023434-95.dat upx behavioral2/files/0x0007000000023435-104.dat upx behavioral2/memory/1964-103-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023436-107.dat upx behavioral2/files/0x0007000000023437-112.dat upx behavioral2/memory/4676-114-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023438-117.dat upx behavioral2/memory/1772-121-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023439-125.dat upx behavioral2/memory/2748-131-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x000700000002343a-129.dat upx behavioral2/files/0x000700000002343b-135.dat upx behavioral2/files/0x000700000002343c-141.dat upx behavioral2/files/0x000700000002343d-145.dat upx behavioral2/memory/1820-147-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x000700000002343e-151.dat upx behavioral2/memory/4960-157-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0008000000023423-158.dat upx behavioral2/files/0x000700000002343f-163.dat upx behavioral2/memory/2908-169-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023440-170.dat upx behavioral2/files/0x0007000000023441-173.dat upx behavioral2/memory/5012-175-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023442-179.dat upx behavioral2/memory/3108-182-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/3108-188-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/files/0x0007000000023443-187.dat upx 
behavioral2/memory/1920-192-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/1332-196-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/4420-200-0x0000000000400000-0x0000000000433000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 580c880a21fb211dddcd67f398ba2b60N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfrlf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3460 wrote to memory of 3940 3460 580c880a21fb211dddcd67f398ba2b60N.exe 83 PID 3460 wrote to memory of 3940 3460 580c880a21fb211dddcd67f398ba2b60N.exe 83 PID 3460 wrote to memory of 3940 3460 580c880a21fb211dddcd67f398ba2b60N.exe 83 PID 3940 wrote to memory of 3896 3940 nnhbtn.exe 84 PID 3940 wrote to memory of 3896 3940 nnhbtn.exe 84 PID 3940 wrote to memory of 3896 3940 nnhbtn.exe 84 PID 3896 wrote to memory of 4704 3896 tbtbnt.exe 85 PID 3896 wrote to memory of 4704 3896 tbtbnt.exe 85 PID 3896 wrote to memory of 4704 3896 tbtbnt.exe 85 PID 4704 wrote to memory of 1508 4704 3jppp.exe 86 PID 4704 wrote to memory of 1508 4704 3jppp.exe 86 PID 4704 wrote to memory of 1508 4704 3jppp.exe 86 PID 1508 wrote to memory of 640 1508 htnnhh.exe 87 PID 1508 wrote to memory of 640 1508 htnnhh.exe 87 PID 1508 wrote to memory of 640 1508 htnnhh.exe 87 PID 640 wrote to memory of 1604 640 1vpjd.exe 88 PID 640 wrote to memory of 1604 640 1vpjd.exe 88 PID 640 wrote to memory of 1604 640 1vpjd.exe 88 PID 1604 wrote to memory of 4920 1604 jdpdd.exe 90 PID 1604 wrote to memory of 4920 1604 jdpdd.exe 90 PID 1604 wrote to memory of 4920 1604 jdpdd.exe 90 PID 4920 wrote to memory of 2668 4920 lrfrfrf.exe 91 PID 4920 wrote to memory of 2668 4920 lrfrfrf.exe 91 PID 4920 wrote to memory of 2668 4920 lrfrfrf.exe 91 PID 2668 wrote to memory of 4856 2668 tnbnnh.exe 92 PID 2668 wrote to memory of 4856 2668 tnbnnh.exe 92 PID 2668 wrote to memory of 4856 2668 tnbnnh.exe 92 PID 4856 wrote to memory of 5040 4856 9jjvj.exe 93 PID 4856 wrote to memory of 5040 4856 9jjvj.exe 93 PID 4856 wrote to memory of 5040 4856 9jjvj.exe 93 PID 5040 wrote to memory of 2276 5040 jvjvj.exe 94 PID 5040 wrote to memory of 2276 5040 jvjvj.exe 94 PID 5040 wrote to memory of 2276 5040 jvjvj.exe 94 PID 2276 wrote to memory of 2976 2276 xxfxrlr.exe 95 PID 2276 wrote to memory of 2976 2276 xxfxrlr.exe 95 PID 2276 wrote to memory of 2976 2276 xxfxrlr.exe 95 PID 2976 wrote to memory 
of 2428 2976 bbbtnh.exe 96 PID 2976 wrote to memory of 2428 2976 bbbtnh.exe 96 PID 2976 wrote to memory of 2428 2976 bbbtnh.exe 96 PID 2428 wrote to memory of 2644 2428 nbnbth.exe 97 PID 2428 wrote to memory of 2644 2428 nbnbth.exe 97 PID 2428 wrote to memory of 2644 2428 nbnbth.exe 97 PID 2644 wrote to memory of 400 2644 vvpdj.exe 98 PID 2644 wrote to memory of 400 2644 vvpdj.exe 98 PID 2644 wrote to memory of 400 2644 vvpdj.exe 98 PID 400 wrote to memory of 1964 400 xlrflfx.exe 99 PID 400 wrote to memory of 1964 400 xlrflfx.exe 99 PID 400 wrote to memory of 1964 400 xlrflfx.exe 99 PID 1964 wrote to memory of 784 1964 5lxrlff.exe 100 PID 1964 wrote to memory of 784 1964 5lxrlff.exe 100 PID 1964 wrote to memory of 784 1964 5lxrlff.exe 100 PID 784 wrote to memory of 4676 784 9djvj.exe 101 PID 784 wrote to memory of 4676 784 9djvj.exe 101 PID 784 wrote to memory of 4676 784 9djvj.exe 101 PID 4676 wrote to memory of 1772 4676 vjjvj.exe 103 PID 4676 wrote to memory of 1772 4676 vjjvj.exe 103 PID 4676 wrote to memory of 1772 4676 vjjvj.exe 103 PID 1772 wrote to memory of 1020 1772 1lxlxrf.exe 104 PID 1772 wrote to memory of 1020 1772 1lxlxrf.exe 104 PID 1772 wrote to memory of 1020 1772 1lxlxrf.exe 104 PID 1020 wrote to memory of 2748 1020 bhnhtt.exe 105 PID 1020 wrote to memory of 2748 1020 bhnhtt.exe 105 PID 1020 wrote to memory of 2748 1020 bhnhtt.exe 105 PID 2748 wrote to memory of 3648 2748 ppppd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\580c880a21fb211dddcd67f398ba2b60N.exe"C:\Users\Admin\AppData\Local\Temp\580c880a21fb211dddcd67f398ba2b60N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\nnhbtn.exec:\nnhbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\tbtbnt.exec:\tbtbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\3jppp.exec:\3jppp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\htnnhh.exec:\htnnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\1vpjd.exec:\1vpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\jdpdd.exec:\jdpdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\lrfrfrf.exec:\lrfrfrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\tnbnnh.exec:\tnbnnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\9jjvj.exec:\9jjvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\jvjvj.exec:\jvjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\xxfxrlr.exec:\xxfxrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\bbbtnh.exec:\bbbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\nbnbth.exec:\nbnbth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\vvpdj.exec:\vvpdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\xlrflfx.exec:\xlrflfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\5lxrlff.exec:\5lxrlff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\9djvj.exec:\9djvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\vjjvj.exec:\vjjvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\1lxlxrf.exec:\1lxlxrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\bhnhtt.exec:\bhnhtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\ppppd.exec:\ppppd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\5lfxrlf.exec:\5lfxrlf.exe23⤵
- Executes dropped EXE
PID:3648 -
\??\c:\rxrrllf.exec:\rxrrllf.exe24⤵
- Executes dropped EXE
PID:2200 -
\??\c:\7htnnn.exec:\7htnnn.exe25⤵
- Executes dropped EXE
PID:1820 -
\??\c:\pjdvp.exec:\pjdvp.exe26⤵
- Executes dropped EXE
PID:1716 -
\??\c:\rfrfrlr.exec:\rfrfrlr.exe27⤵
- Executes dropped EXE
PID:4960 -
\??\c:\hthbtb.exec:\hthbtb.exe28⤵
- Executes dropped EXE
PID:2908 -
\??\c:\5tbtbb.exec:\5tbtbb.exe29⤵
- Executes dropped EXE
PID:1540 -
\??\c:\dpppd.exec:\dpppd.exe30⤵
- Executes dropped EXE
PID:3180 -
\??\c:\5vvpd.exec:\5vvpd.exe31⤵
- Executes dropped EXE
PID:5012 -
\??\c:\7llrfxl.exec:\7llrfxl.exe32⤵
- Executes dropped EXE
PID:3108 -
\??\c:\3lxrffx.exec:\3lxrffx.exe33⤵
- Executes dropped EXE
PID:1920 -
\??\c:\7bhtth.exec:\7bhtth.exe34⤵
- Executes dropped EXE
PID:1332 -
\??\c:\pvvpd.exec:\pvvpd.exe35⤵
- Executes dropped EXE
PID:4420 -
\??\c:\7vdpd.exec:\7vdpd.exe36⤵
- Executes dropped EXE
PID:3400 -
\??\c:\flxrfxx.exec:\flxrfxx.exe37⤵
- Executes dropped EXE
PID:4264 -
\??\c:\rrllfxr.exec:\rrllfxr.exe38⤵
- Executes dropped EXE
PID:4384 -
\??\c:\nnnnnt.exec:\nnnnnt.exe39⤵
- Executes dropped EXE
PID:4060 -
\??\c:\pjjdv.exec:\pjjdv.exe40⤵
- Executes dropped EXE
PID:3268 -
\??\c:\dvvpv.exec:\dvvpv.exe41⤵
- Executes dropped EXE
PID:5000 -
\??\c:\fxfrlxf.exec:\fxfrlxf.exe42⤵
- Executes dropped EXE
PID:2764 -
\??\c:\nnbtbt.exec:\nnbtbt.exe43⤵
- Executes dropped EXE
PID:4704 -
\??\c:\tttttt.exec:\tttttt.exe44⤵
- Executes dropped EXE
PID:3448 -
\??\c:\jvvjd.exec:\jvvjd.exe45⤵
- Executes dropped EXE
PID:3988 -
\??\c:\xfrrrxx.exec:\xfrrrxx.exe46⤵
- Executes dropped EXE
PID:2612 -
\??\c:\1fllrrx.exec:\1fllrrx.exe47⤵
- Executes dropped EXE
PID:3868 -
\??\c:\nhtntn.exec:\nhtntn.exe48⤵
- Executes dropped EXE
PID:4040 -
\??\c:\dvvvp.exec:\dvvvp.exe49⤵
- Executes dropped EXE
PID:4816 -
\??\c:\lxlxxrl.exec:\lxlxxrl.exe50⤵
- Executes dropped EXE
PID:4848 -
\??\c:\htntht.exec:\htntht.exe51⤵
- Executes dropped EXE
PID:3668 -
\??\c:\btnnnh.exec:\btnnnh.exe52⤵
- Executes dropped EXE
PID:4984 -
\??\c:\7dvvp.exec:\7dvvp.exe53⤵
- Executes dropped EXE
PID:3960 -
\??\c:\jjvdj.exec:\jjvdj.exe54⤵
- Executes dropped EXE
PID:3356 -
\??\c:\lxxlffx.exec:\lxxlffx.exe55⤵
- Executes dropped EXE
PID:5076 -
\??\c:\bttbbb.exec:\bttbbb.exe56⤵
- Executes dropped EXE
PID:4908 -
\??\c:\5ddvj.exec:\5ddvj.exe57⤵
- Executes dropped EXE
PID:2460 -
\??\c:\jjvpd.exec:\jjvpd.exe58⤵
- Executes dropped EXE
PID:2972 -
\??\c:\xrxrfrl.exec:\xrxrfrl.exe59⤵
- Executes dropped EXE
PID:3484 -
\??\c:\ttbnbn.exec:\ttbnbn.exe60⤵
- Executes dropped EXE
PID:436 -
\??\c:\jvvjd.exec:\jvvjd.exe61⤵
- Executes dropped EXE
PID:3388 -
\??\c:\pjpjv.exec:\pjpjv.exe62⤵
- Executes dropped EXE
PID:784 -
\??\c:\xffxrrx.exec:\xffxrrx.exe63⤵
- Executes dropped EXE
PID:5104 -
\??\c:\llffflr.exec:\llffflr.exe64⤵
- Executes dropped EXE
PID:4620 -
\??\c:\nhnnhh.exec:\nhnnhh.exe65⤵
- Executes dropped EXE
PID:432 -
\??\c:\bnhnth.exec:\bnhnth.exe66⤵PID:3864
-
\??\c:\vjvjv.exec:\vjvjv.exe67⤵PID:1768
-
\??\c:\9rflxxx.exec:\9rflxxx.exe68⤵PID:3912
-
\??\c:\ffllrlx.exec:\ffllrlx.exe69⤵PID:2360
-
\??\c:\hbbtnn.exec:\hbbtnn.exe70⤵PID:1428
-
\??\c:\3nnntt.exec:\3nnntt.exe71⤵PID:4300
-
\??\c:\vpvpd.exec:\vpvpd.exe72⤵PID:4904
-
\??\c:\vjpjv.exec:\vjpjv.exe73⤵PID:3768
-
\??\c:\lxxlrrx.exec:\lxxlrrx.exe74⤵PID:5064
-
\??\c:\xflrllf.exec:\xflrllf.exe75⤵PID:3928
-
\??\c:\5nbtnn.exec:\5nbtnn.exe76⤵PID:1624
-
\??\c:\jppjv.exec:\jppjv.exe77⤵PID:4460
-
\??\c:\ppvpv.exec:\ppvpv.exe78⤵PID:4012
-
\??\c:\nttnbt.exec:\nttnbt.exe79⤵PID:4388
-
\??\c:\1tnbht.exec:\1tnbht.exe80⤵PID:5016
-
\??\c:\jdvpp.exec:\jdvpp.exe81⤵PID:2828
-
\??\c:\jvvjv.exec:\jvvjv.exe82⤵PID:3792
-
\??\c:\lxrlxrr.exec:\lxrlxrr.exe83⤵PID:1476
-
\??\c:\rxlxlfl.exec:\rxlxlfl.exe84⤵PID:2888
-
\??\c:\nbhnbt.exec:\nbhnbt.exe85⤵PID:2284
-
\??\c:\7nbbnh.exec:\7nbbnh.exe86⤵PID:1648
-
\??\c:\5pdvp.exec:\5pdvp.exe87⤵PID:5048
-
\??\c:\vjjjv.exec:\vjjjv.exe88⤵PID:2720
-
\??\c:\5xxrxrl.exec:\5xxrxrl.exe89⤵PID:4264
-
\??\c:\hnhbnh.exec:\hnhbnh.exe90⤵PID:4988
-
\??\c:\pppdd.exec:\pppdd.exe91⤵PID:3940
-
\??\c:\lxlxlxl.exec:\lxlxlxl.exe92⤵PID:1628
-
\??\c:\fxlrffx.exec:\fxlrffx.exe93⤵PID:5000
-
\??\c:\bthbbn.exec:\bthbbn.exe94⤵PID:4068
-
\??\c:\3vpjp.exec:\3vpjp.exe95⤵PID:4136
-
\??\c:\pppjd.exec:\pppjd.exe96⤵PID:3416
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe97⤵PID:640
-
\??\c:\thnnbt.exec:\thnnbt.exe98⤵PID:3680
-
\??\c:\dvddp.exec:\dvddp.exe99⤵PID:1896
-
\??\c:\9vdvd.exec:\9vdvd.exe100⤵PID:2380
-
\??\c:\1ppjd.exec:\1ppjd.exe101⤵PID:4788
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe102⤵PID:2788
-
\??\c:\hnhnhh.exec:\hnhnhh.exe103⤵PID:4636
-
\??\c:\nnnhtt.exec:\nnnhtt.exe104⤵PID:5040
-
\??\c:\jpdvp.exec:\jpdvp.exe105⤵PID:2276
-
\??\c:\3lrfxrl.exec:\3lrfxrl.exe106⤵PID:3140
-
\??\c:\1llxrrl.exec:\1llxrrl.exe107⤵PID:3964
-
\??\c:\nhtnht.exec:\nhtnht.exe108⤵PID:3596
-
\??\c:\9hnhtn.exec:\9hnhtn.exe109⤵PID:2460
-
\??\c:\vjpjp.exec:\vjpjp.exe110⤵PID:4588
-
\??\c:\5lfrllf.exec:\5lfrllf.exe111⤵PID:4412
-
\??\c:\3fllfxl.exec:\3fllfxl.exe112⤵PID:4768
-
\??\c:\vppdp.exec:\vppdp.exe113⤵PID:4732
-
\??\c:\ppvjd.exec:\ppvjd.exe114⤵PID:4676
-
\??\c:\rlrlrff.exec:\rlrlrff.exe115⤵PID:784
-
\??\c:\rxrlfxr.exec:\rxrlfxr.exe116⤵PID:5104
-
\??\c:\bbnbtn.exec:\bbnbtn.exe117⤵PID:4620
-
\??\c:\3jvpp.exec:\3jvpp.exe118⤵PID:4708
-
\??\c:\7vvvp.exec:\7vvvp.exe119⤵PID:3864
-
\??\c:\5xfrllf.exec:\5xfrllf.exe120⤵PID:1612
-
\??\c:\rxxlfll.exec:\rxxlfll.exe121⤵PID:3912
-
\??\c:\nbnhtn.exec:\nbnhtn.exe122⤵PID:2360
-