Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a20459008ab964b1b5a16dad282387d20e1c8cb503b18056e9a0610d15a7eeb1.exe
Resource
win7-20241010-en (this is the listed task; the signatures, memory IoCs and process tree reproduced below come from behavioral2 — every memory IoC is prefixed behavioral2/ and the platform/resource fields above name win10v2004-20241007-en — so do not read the Win7 task's "7 signatures" as describing the output below)
7 signatures
150 seconds
General
-
Target
a20459008ab964b1b5a16dad282387d20e1c8cb503b18056e9a0610d15a7eeb1.exe
-
Size
453KB
-
MD5
bd0a5f7caeeb32ce42cdd5414b2b1a8a
-
SHA1
1725c336f24d7408ad7d7b2907fb998fcbd76ee2
-
SHA256
a20459008ab964b1b5a16dad282387d20e1c8cb503b18056e9a0610d15a7eeb1
-
SHA512
4f57fce8b268e082ab63a7f38b45f39b341e273a715edf442b7383b3cc01bd660469bf75ff118e7bc884aa108c33f29836c13446623bc42d25710fad312447cf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs — every hit is on a process memory dump (…-memory.dmp) covering the same image range 0x00400000–0x0042A000 in each spawned process, so the family match is made on the unpacked code in memory rather than on the file as it sits on disk; the UPX rule below fires on the same regions, consistent with each dropped executable being the same packed binary.
resource yara_rule behavioral2/memory/4504-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3968-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1496-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — each dropped binary is written to the root of C:\ (the process tree shows \??\c:\<name>.exe) and is launched by the previously dropped one, forming a single linear chain more than 120 levels deep. Names are short strings drawn from a small alphabet (b d f h j l n p r t v x), sometimes prefixed with a digit, which is a usable hunting pattern for files in the drive root. Note that PIDs are reused within this run (840 appears as 7pddv.exe and later as rxlfxxr.exe; 4300 as lrrlflf.exe and later dvpjj.exe), so correlate on image path and parent rather than on PID alone.
pid Process 4488 dppjd.exe 3532 nhbbhb.exe 916 dpppp.exe 4596 nhnhhb.exe 840 7pddv.exe 1896 hhhtbb.exe 3228 vjdpv.exe 3264 3lfxllx.exe 456 hbbtnn.exe 3316 1djdd.exe 2996 bttnbt.exe 1004 dpvpv.exe 3936 ffxxxff.exe 1632 xrrrrfr.exe 4444 5hhbtn.exe 5104 ppjjp.exe 3648 rlrlllf.exe 2676 tnbtbh.exe 2536 jjvpj.exe 4300 lrrlflf.exe 2820 ttbbnt.exe 2808 jdjdd.exe 2936 rrrllll.exe 412 tnnhbb.exe 4836 pjddj.exe 2284 jvjdd.exe 1960 thhttb.exe 1496 vpppj.exe 2400 rflfxfx.exe 1668 fffxrrl.exe 3968 ntbtnn.exe 400 ddjdv.exe 3776 fflxrlx.exe 2324 hbbbtt.exe 1192 pjjdv.exe 4072 lfxrffr.exe 3076 hntnnn.exe 2444 djpjj.exe 4184 vjpjd.exe 3600 rllxrrl.exe 1684 bbbbtt.exe 1184 htbhht.exe 1956 dvvvp.exe 3056 1xfxrrr.exe 3124 tbtnhh.exe 3636 dpvjd.exe 1372 rxxxrrl.exe 1064 9xxrlll.exe 460 htbttn.exe 2176 1bbttt.exe 3668 1djdj.exe 2860 5llxxxf.exe 3384 rlxfllr.exe 4400 hbnntt.exe 372 nhhbtn.exe 2636 vdppj.exe 648 lxlfxrl.exe 3696 lxxxrrf.exe 4804 nbbthh.exe 628 jpjdd.exe 4492 vdvjv.exe 840 rxlfxxr.exe 3064 hbtnhh.exe 2580 dppjv.exe -
resource yara_rule behavioral2/memory/4504-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-196-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3124-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-81-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/860-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-646-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by plenty of legitimate software and runtime locale initialisation, so on its own this is a weak indicator and should be weighed together with the drop-and-spawn chain above. Many entries below are attributed to "Process not Found", meaning the sandbox could not map the access to a tracked process — likely because the short-lived dropped executable had already exited by the time the event was resolved.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrrxr.exe -
Suspicious use of WriteProcessMemory 64 IoCs — every entry is a parent writing into the child it has just spawned (each "wrote to memory of" pairs a process with the next executable in the chain), i.e. the writes accompany process creation rather than injection into an unrelated, pre-existing process; treat this as supporting evidence for the chain, not as a standalone injection finding. The procid_target values 143 (for PID 840) and 164 (for PID 4300) break the otherwise sequential numbering, which appears to be because those PIDs were later reused by other dropped executables (see the process tree).
description pid Process procid_target PID 4504 wrote to memory of 4488 4504 a20459008ab964b1b5a16dad282387d20e1c8cb503b18056e9a0610d15a7eeb1.exe 82 PID 4504 wrote to memory of 4488 4504 a20459008ab964b1b5a16dad282387d20e1c8cb503b18056e9a0610d15a7eeb1.exe 82 PID 4504 wrote to memory of 4488 4504 a20459008ab964b1b5a16dad282387d20e1c8cb503b18056e9a0610d15a7eeb1.exe 82 PID 4488 wrote to memory of 3532 4488 dppjd.exe 83 PID 4488 wrote to memory of 3532 4488 dppjd.exe 83 PID 4488 wrote to memory of 3532 4488 dppjd.exe 83 PID 3532 wrote to memory of 916 3532 nhbbhb.exe 84 PID 3532 wrote to memory of 916 3532 nhbbhb.exe 84 PID 3532 wrote to memory of 916 3532 nhbbhb.exe 84 PID 916 wrote to memory of 4596 916 dpppp.exe 85 PID 916 wrote to memory of 4596 916 dpppp.exe 85 PID 916 wrote to memory of 4596 916 dpppp.exe 85 PID 4596 wrote to memory of 840 4596 nhnhhb.exe 143 PID 4596 wrote to memory of 840 4596 nhnhhb.exe 143 PID 4596 wrote to memory of 840 4596 nhnhhb.exe 143 PID 840 wrote to memory of 1896 840 7pddv.exe 87 PID 840 wrote to memory of 1896 840 7pddv.exe 87 PID 840 wrote to memory of 1896 840 7pddv.exe 87 PID 1896 wrote to memory of 3228 1896 hhhtbb.exe 88 PID 1896 wrote to memory of 3228 1896 hhhtbb.exe 88 PID 1896 wrote to memory of 3228 1896 hhhtbb.exe 88 PID 3228 wrote to memory of 3264 3228 vjdpv.exe 89 PID 3228 wrote to memory of 3264 3228 vjdpv.exe 89 PID 3228 wrote to memory of 3264 3228 vjdpv.exe 89 PID 3264 wrote to memory of 456 3264 3lfxllx.exe 90 PID 3264 wrote to memory of 456 3264 3lfxllx.exe 90 PID 3264 wrote to memory of 456 3264 3lfxllx.exe 90 PID 456 wrote to memory of 3316 456 hbbtnn.exe 91 PID 456 wrote to memory of 3316 456 hbbtnn.exe 91 PID 456 wrote to memory of 3316 456 hbbtnn.exe 91 PID 3316 wrote to memory of 2996 3316 1djdd.exe 92 PID 3316 wrote to memory of 2996 3316 1djdd.exe 92 PID 3316 wrote to memory of 2996 3316 1djdd.exe 92 PID 2996 wrote to memory of 1004 2996 bttnbt.exe 93 PID 2996 wrote to memory of 1004 2996 bttnbt.exe 93 PID 
2996 wrote to memory of 1004 2996 bttnbt.exe 93 PID 1004 wrote to memory of 3936 1004 dpvpv.exe 94 PID 1004 wrote to memory of 3936 1004 dpvpv.exe 94 PID 1004 wrote to memory of 3936 1004 dpvpv.exe 94 PID 3936 wrote to memory of 1632 3936 ffxxxff.exe 95 PID 3936 wrote to memory of 1632 3936 ffxxxff.exe 95 PID 3936 wrote to memory of 1632 3936 ffxxxff.exe 95 PID 1632 wrote to memory of 4444 1632 xrrrrfr.exe 96 PID 1632 wrote to memory of 4444 1632 xrrrrfr.exe 96 PID 1632 wrote to memory of 4444 1632 xrrrrfr.exe 96 PID 4444 wrote to memory of 5104 4444 5hhbtn.exe 97 PID 4444 wrote to memory of 5104 4444 5hhbtn.exe 97 PID 4444 wrote to memory of 5104 4444 5hhbtn.exe 97 PID 5104 wrote to memory of 3648 5104 ppjjp.exe 98 PID 5104 wrote to memory of 3648 5104 ppjjp.exe 98 PID 5104 wrote to memory of 3648 5104 ppjjp.exe 98 PID 3648 wrote to memory of 2676 3648 rlrlllf.exe 99 PID 3648 wrote to memory of 2676 3648 rlrlllf.exe 99 PID 3648 wrote to memory of 2676 3648 rlrlllf.exe 99 PID 2676 wrote to memory of 2536 2676 tnbtbh.exe 100 PID 2676 wrote to memory of 2536 2676 tnbtbh.exe 100 PID 2676 wrote to memory of 2536 2676 tnbtbh.exe 100 PID 2536 wrote to memory of 4300 2536 jjvpj.exe 164 PID 2536 wrote to memory of 4300 2536 jjvpj.exe 164 PID 2536 wrote to memory of 4300 2536 jjvpj.exe 164 PID 4300 wrote to memory of 2820 4300 lrrlflf.exe 102 PID 4300 wrote to memory of 2820 4300 lrrlflf.exe 102 PID 4300 wrote to memory of 2820 4300 lrrlflf.exe 102 PID 2820 wrote to memory of 2808 2820 ttbbnt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a20459008ab964b1b5a16dad282387d20e1c8cb503b18056e9a0610d15a7eeb1.exe"C:\Users\Admin\AppData\Local\Temp\a20459008ab964b1b5a16dad282387d20e1c8cb503b18056e9a0610d15a7eeb1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\dppjd.exec:\dppjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\nhbbhb.exec:\nhbbhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\dpppp.exec:\dpppp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\nhnhhb.exec:\nhnhhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\7pddv.exec:\7pddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\hhhtbb.exec:\hhhtbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\vjdpv.exec:\vjdpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\3lfxllx.exec:\3lfxllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\hbbtnn.exec:\hbbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\1djdd.exec:\1djdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\bttnbt.exec:\bttnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\dpvpv.exec:\dpvpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\ffxxxff.exec:\ffxxxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\xrrrrfr.exec:\xrrrrfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\5hhbtn.exec:\5hhbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\ppjjp.exec:\ppjjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\rlrlllf.exec:\rlrlllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\tnbtbh.exec:\tnbtbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\jjvpj.exec:\jjvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\lrrlflf.exec:\lrrlflf.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\ttbbnt.exec:\ttbbnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\jdjdd.exec:\jdjdd.exe23⤵
- Executes dropped EXE
PID:2808 -
\??\c:\rrrllll.exec:\rrrllll.exe24⤵
- Executes dropped EXE
PID:2936 -
\??\c:\tnnhbb.exec:\tnnhbb.exe25⤵
- Executes dropped EXE
PID:412 -
\??\c:\pjddj.exec:\pjddj.exe26⤵
- Executes dropped EXE
PID:4836 -
\??\c:\jvjdd.exec:\jvjdd.exe27⤵
- Executes dropped EXE
PID:2284 -
\??\c:\thhttb.exec:\thhttb.exe28⤵
- Executes dropped EXE
PID:1960 -
\??\c:\vpppj.exec:\vpppj.exe29⤵
- Executes dropped EXE
PID:1496 -
\??\c:\rflfxfx.exec:\rflfxfx.exe30⤵
- Executes dropped EXE
PID:2400 -
\??\c:\fffxrrl.exec:\fffxrrl.exe31⤵
- Executes dropped EXE
PID:1668 -
\??\c:\ntbtnn.exec:\ntbtnn.exe32⤵
- Executes dropped EXE
PID:3968 -
\??\c:\ddjdv.exec:\ddjdv.exe33⤵
- Executes dropped EXE
PID:400 -
\??\c:\fflxrlx.exec:\fflxrlx.exe34⤵
- Executes dropped EXE
PID:3776 -
\??\c:\hbbbtt.exec:\hbbbtt.exe35⤵
- Executes dropped EXE
PID:2324 -
\??\c:\pjjdv.exec:\pjjdv.exe36⤵
- Executes dropped EXE
PID:1192 -
\??\c:\lfxrffr.exec:\lfxrffr.exe37⤵
- Executes dropped EXE
PID:4072 -
\??\c:\hntnnn.exec:\hntnnn.exe38⤵
- Executes dropped EXE
PID:3076 -
\??\c:\djpjj.exec:\djpjj.exe39⤵
- Executes dropped EXE
PID:2444 -
\??\c:\vjpjd.exec:\vjpjd.exe40⤵
- Executes dropped EXE
PID:4184 -
\??\c:\rllxrrl.exec:\rllxrrl.exe41⤵
- Executes dropped EXE
PID:3600 -
\??\c:\bbbbtt.exec:\bbbbtt.exe42⤵
- Executes dropped EXE
PID:1684 -
\??\c:\htbhht.exec:\htbhht.exe43⤵
- Executes dropped EXE
PID:1184 -
\??\c:\dvvvp.exec:\dvvvp.exe44⤵
- Executes dropped EXE
PID:1956 -
\??\c:\1xfxrrr.exec:\1xfxrrr.exe45⤵
- Executes dropped EXE
PID:3056 -
\??\c:\tbtnhh.exec:\tbtnhh.exe46⤵
- Executes dropped EXE
PID:3124 -
\??\c:\dpvjd.exec:\dpvjd.exe47⤵
- Executes dropped EXE
PID:3636 -
\??\c:\rxxxrrl.exec:\rxxxrrl.exe48⤵
- Executes dropped EXE
PID:1372 -
\??\c:\9xxrlll.exec:\9xxrlll.exe49⤵
- Executes dropped EXE
PID:1064 -
\??\c:\htbttn.exec:\htbttn.exe50⤵
- Executes dropped EXE
PID:460 -
\??\c:\1bbttt.exec:\1bbttt.exe51⤵
- Executes dropped EXE
PID:2176 -
\??\c:\1djdj.exec:\1djdj.exe52⤵
- Executes dropped EXE
PID:3668 -
\??\c:\5llxxxf.exec:\5llxxxf.exe53⤵
- Executes dropped EXE
PID:2860 -
\??\c:\rlxfllr.exec:\rlxfllr.exe54⤵
- Executes dropped EXE
PID:3384 -
\??\c:\hbnntt.exec:\hbnntt.exe55⤵
- Executes dropped EXE
PID:4400 -
\??\c:\nhhbtn.exec:\nhhbtn.exe56⤵
- Executes dropped EXE
PID:372 -
\??\c:\vdppj.exec:\vdppj.exe57⤵
- Executes dropped EXE
PID:2636 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe58⤵
- Executes dropped EXE
PID:648 -
\??\c:\lxxxrrf.exec:\lxxxrrf.exe59⤵
- Executes dropped EXE
PID:3696 -
\??\c:\nbbthh.exec:\nbbthh.exe60⤵
- Executes dropped EXE
PID:4804 -
\??\c:\jpjdd.exec:\jpjdd.exe61⤵
- Executes dropped EXE
PID:628 -
\??\c:\vdvjv.exec:\vdvjv.exe62⤵
- Executes dropped EXE
PID:4492 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe63⤵
- Executes dropped EXE
PID:840 -
\??\c:\hbtnhh.exec:\hbtnhh.exe64⤵
- Executes dropped EXE
PID:3064 -
\??\c:\dppjv.exec:\dppjv.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580 -
\??\c:\jdjdv.exec:\jdjdv.exe66⤵PID:5004
-
\??\c:\3rlxrrf.exec:\3rlxrrf.exe67⤵PID:3628
-
\??\c:\9xfxflr.exec:\9xfxflr.exe68⤵
- System Location Discovery: System Language Discovery
PID:636 -
\??\c:\bhnnhh.exec:\bhnnhh.exe69⤵PID:2304
-
\??\c:\1pvpp.exec:\1pvpp.exe70⤵PID:2772
-
\??\c:\pvvpd.exec:\pvvpd.exe71⤵PID:956
-
\??\c:\rlxxlrx.exec:\rlxxlrx.exe72⤵PID:2192
-
\??\c:\nbbtnn.exec:\nbbtnn.exe73⤵PID:3068
-
\??\c:\btbbtt.exec:\btbbtt.exe74⤵PID:1076
-
\??\c:\jpdvv.exec:\jpdvv.exe75⤵PID:4748
-
\??\c:\1rfxffx.exec:\1rfxffx.exe76⤵PID:1028
-
\??\c:\1fxxrrl.exec:\1fxxrrl.exe77⤵PID:5112
-
\??\c:\hhttnh.exec:\hhttnh.exe78⤵PID:3548
-
\??\c:\9nttnn.exec:\9nttnn.exe79⤵PID:1148
-
\??\c:\jdpdv.exec:\jdpdv.exe80⤵PID:2680
-
\??\c:\fffxfff.exec:\fffxfff.exe81⤵PID:4168
-
\??\c:\xrlxlxl.exec:\xrlxlxl.exe82⤵PID:1352
-
\??\c:\bbnhbb.exec:\bbnhbb.exe83⤵
- System Location Discovery: System Language Discovery
PID:1492 -
\??\c:\dvpjj.exec:\dvpjj.exe84⤵PID:4300
-
\??\c:\1jpjp.exec:\1jpjp.exe85⤵PID:32
-
\??\c:\lfxrllf.exec:\lfxrllf.exe86⤵PID:1224
-
\??\c:\3bnhbb.exec:\3bnhbb.exe87⤵PID:860
-
\??\c:\dvpdv.exec:\dvpdv.exe88⤵PID:4844
-
\??\c:\rflfxfl.exec:\rflfxfl.exe89⤵PID:1588
-
\??\c:\5bnntb.exec:\5bnntb.exe90⤵PID:4828
-
\??\c:\vvddv.exec:\vvddv.exe91⤵PID:2268
-
\??\c:\hnbhhh.exec:\hnbhhh.exe92⤵PID:2284
-
\??\c:\jvdvp.exec:\jvdvp.exe93⤵PID:2548
-
\??\c:\btbbtt.exec:\btbbtt.exe94⤵PID:1496
-
\??\c:\jddpj.exec:\jddpj.exe95⤵PID:4088
-
\??\c:\thhbhh.exec:\thhbhh.exe96⤵PID:2352
-
\??\c:\jdvpj.exec:\jdvpj.exe97⤵PID:4460
-
\??\c:\pjjvj.exec:\pjjvj.exe98⤵PID:2652
-
\??\c:\vjpdj.exec:\vjpdj.exe99⤵PID:1480
-
\??\c:\nnnhnb.exec:\nnnhnb.exe100⤵PID:4560
-
\??\c:\jjvpj.exec:\jjvpj.exe101⤵PID:744
-
\??\c:\hbbbhh.exec:\hbbbhh.exe102⤵PID:5092
-
\??\c:\rrfrxxf.exec:\rrfrxxf.exe103⤵PID:5096
-
\??\c:\dddjp.exec:\dddjp.exe104⤵PID:2180
-
\??\c:\3tbthh.exec:\3tbthh.exe105⤵PID:3076
-
\??\c:\vpdpp.exec:\vpdpp.exe106⤵PID:2444
-
\??\c:\3ppjj.exec:\3ppjj.exe107⤵PID:2712
-
\??\c:\fxxfflx.exec:\fxxfflx.exe108⤵PID:2164
-
\??\c:\9btnhh.exec:\9btnhh.exe109⤵PID:1072
-
\??\c:\vjjdd.exec:\vjjdd.exe110⤵PID:2056
-
\??\c:\lxxrrll.exec:\lxxrrll.exe111⤵PID:1956
-
\??\c:\lxfxllx.exec:\lxfxllx.exe112⤵PID:672
-
\??\c:\djdpj.exec:\djdpj.exe113⤵PID:2104
-
\??\c:\rxrxlrx.exec:\rxrxlrx.exe114⤵PID:952
-
\??\c:\bnnhbt.exec:\bnnhbt.exe115⤵PID:3536
-
\??\c:\dvdvp.exec:\dvdvp.exe116⤵PID:1372
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe117⤵PID:3128
-
\??\c:\flrlfff.exec:\flrlfff.exe118⤵PID:4036
-
\??\c:\tnthnh.exec:\tnthnh.exe119⤵PID:1400
-
\??\c:\dpdvd.exec:\dpdvd.exe120⤵PID:1416
-
\??\c:\jvpdv.exec:\jvpdv.exe121⤵PID:4760
-
\??\c:\bnbbbb.exec:\bnbbbb.exe122⤵PID:4412