Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 04:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe
-
Size
455KB
-
MD5
18ea8309a3cc695ac88b5b916e556070
-
SHA1
31ee1084ac6d99eeb7ed0dd989448422c684278d
-
SHA256
cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9
-
SHA512
5d1d98b9583720d025af06fe4be97e39537575e7a48c01bb49407ec9e2fbf0f77b65d2cecc67b3eb72c87d48ee4e14fc47d2e0e059dd5389cd21ea2f04979be1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4300-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2572-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/212-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-995-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-1508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3972-1631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3588 nbtbbn.exe 2840 vjjvp.exe 4868 9flxlxl.exe 1164 rfxlxlx.exe 4808 vvvvv.exe 2308 1xrfrlx.exe 4788 nnnhtn.exe 820 bttnbb.exe 232 7lxrfxl.exe 3456 btnhbt.exe 2328 dvvjd.exe 2212 fxfxlrf.exe 3784 pddvp.exe 968 nbbhhb.exe 5088 dpdpd.exe 3000 fxxlrlx.exe 4652 hnnhbt.exe 4020 pdjvv.exe 536 fxfxrrl.exe 3088 fxxrllf.exe 2556 bthbtt.exe 628 xrfxlfx.exe 1504 hnbntt.exe 3536 dvpjd.exe 5020 rllfxxl.exe 1300 btnhth.exe 4960 vdppv.exe 1080 djjdp.exe 2572 lrfrfrr.exe 1552 tttnbt.exe 2396 jddpd.exe 3532 vvdvj.exe 2764 bbnbbt.exe 1412 vvdpj.exe 4496 9tbtnn.exe 4472 3rxlfxx.exe 796 btttnb.exe 4256 jvpdp.exe 4628 nhbnhh.exe 4560 vpvjd.exe 5016 lffxrlf.exe 3832 hhhhbb.exe 2992 vvjjp.exe 4416 lxxrlrl.exe 2844 3tbtnh.exe 428 dvjvp.exe 2432 tntttt.exe 4128 ntbtnn.exe 4904 vpdpp.exe 4420 5fllrrx.exe 1164 tbhbht.exe 4808 ppdjj.exe 2732 rllxxrl.exe 4728 5nhbtt.exe 3552 jvvvj.exe 2624 xllxrfx.exe 1320 5frllff.exe 4464 tnnnhn.exe 2788 7ddvp.exe 2104 frrfxrf.exe 2328 nhnbhb.exe 3376 dvvpd.exe 4348 5xfxxxx.exe 3784 nhhbnn.exe -
resource yara_rule behavioral2/memory/4300-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1412-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-412-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4424-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-948-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbtnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4300 wrote to memory of 3588 4300 cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe 82 PID 4300 wrote to memory of 3588 4300 cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe 82 PID 4300 wrote to memory of 3588 4300 cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe 82 PID 3588 wrote to memory of 2840 3588 nbtbbn.exe 83 PID 3588 wrote to memory of 2840 3588 nbtbbn.exe 83 PID 3588 wrote to memory of 2840 3588 nbtbbn.exe 83 PID 2840 wrote to memory of 4868 2840 vjjvp.exe 84 PID 2840 wrote to memory of 4868 2840 vjjvp.exe 84 PID 2840 wrote to memory of 4868 2840 vjjvp.exe 84 PID 4868 wrote to memory of 1164 4868 9flxlxl.exe 85 PID 4868 wrote to memory of 1164 4868 9flxlxl.exe 85 PID 4868 wrote to memory of 1164 4868 9flxlxl.exe 85 PID 1164 wrote to memory of 4808 1164 rfxlxlx.exe 86 PID 1164 wrote to memory of 4808 1164 rfxlxlx.exe 86 PID 1164 wrote to memory of 4808 1164 rfxlxlx.exe 86 PID 4808 wrote to memory of 2308 4808 vvvvv.exe 87 PID 4808 wrote to memory of 2308 4808 vvvvv.exe 87 PID 4808 wrote to memory of 2308 4808 vvvvv.exe 87 PID 2308 wrote to memory of 4788 2308 1xrfrlx.exe 88 PID 2308 wrote to memory of 4788 2308 1xrfrlx.exe 88 PID 2308 wrote to memory of 4788 2308 1xrfrlx.exe 88 PID 4788 wrote to memory of 820 4788 nnnhtn.exe 89 PID 4788 wrote to memory of 820 4788 nnnhtn.exe 89 PID 4788 wrote to memory of 820 4788 nnnhtn.exe 89 PID 820 wrote to memory of 232 820 bttnbb.exe 90 PID 820 wrote to memory of 232 820 bttnbb.exe 90 PID 820 wrote to memory of 232 820 bttnbb.exe 90 PID 232 wrote to memory of 3456 232 7lxrfxl.exe 91 PID 232 wrote to memory of 3456 232 7lxrfxl.exe 91 PID 232 wrote to memory of 3456 232 7lxrfxl.exe 91 PID 3456 wrote to memory of 2328 3456 btnhbt.exe 92 PID 3456 wrote to memory of 2328 3456 btnhbt.exe 92 PID 3456 wrote to memory of 2328 3456 btnhbt.exe 92 PID 2328 wrote to memory of 2212 2328 dvvjd.exe 93 PID 2328 wrote to memory of 2212 
2328 dvvjd.exe 93 PID 2328 wrote to memory of 2212 2328 dvvjd.exe 93 PID 2212 wrote to memory of 3784 2212 fxfxlrf.exe 94 PID 2212 wrote to memory of 3784 2212 fxfxlrf.exe 94 PID 2212 wrote to memory of 3784 2212 fxfxlrf.exe 94 PID 3784 wrote to memory of 968 3784 pddvp.exe 95 PID 3784 wrote to memory of 968 3784 pddvp.exe 95 PID 3784 wrote to memory of 968 3784 pddvp.exe 95 PID 968 wrote to memory of 5088 968 nbbhhb.exe 96 PID 968 wrote to memory of 5088 968 nbbhhb.exe 96 PID 968 wrote to memory of 5088 968 nbbhhb.exe 96 PID 5088 wrote to memory of 3000 5088 dpdpd.exe 97 PID 5088 wrote to memory of 3000 5088 dpdpd.exe 97 PID 5088 wrote to memory of 3000 5088 dpdpd.exe 97 PID 3000 wrote to memory of 4652 3000 fxxlrlx.exe 98 PID 3000 wrote to memory of 4652 3000 fxxlrlx.exe 98 PID 3000 wrote to memory of 4652 3000 fxxlrlx.exe 98 PID 4652 wrote to memory of 4020 4652 hnnhbt.exe 99 PID 4652 wrote to memory of 4020 4652 hnnhbt.exe 99 PID 4652 wrote to memory of 4020 4652 hnnhbt.exe 99 PID 4020 wrote to memory of 536 4020 pdjvv.exe 100 PID 4020 wrote to memory of 536 4020 pdjvv.exe 100 PID 4020 wrote to memory of 536 4020 pdjvv.exe 100 PID 536 wrote to memory of 3088 536 fxfxrrl.exe 101 PID 536 wrote to memory of 3088 536 fxfxrrl.exe 101 PID 536 wrote to memory of 3088 536 fxfxrrl.exe 101 PID 3088 wrote to memory of 2556 3088 fxxrllf.exe 102 PID 3088 wrote to memory of 2556 3088 fxxrllf.exe 102 PID 3088 wrote to memory of 2556 3088 fxxrllf.exe 102 PID 2556 wrote to memory of 628 2556 bthbtt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe"C:\Users\Admin\AppData\Local\Temp\cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\nbtbbn.exec:\nbtbbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\vjjvp.exec:\vjjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\9flxlxl.exec:\9flxlxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\rfxlxlx.exec:\rfxlxlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\vvvvv.exec:\vvvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\1xrfrlx.exec:\1xrfrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\nnnhtn.exec:\nnnhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\bttnbb.exec:\bttnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\7lxrfxl.exec:\7lxrfxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\btnhbt.exec:\btnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\dvvjd.exec:\dvvjd.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\fxfxlrf.exec:\fxfxlrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\pddvp.exec:\pddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\nbbhhb.exec:\nbbhhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\dpdpd.exec:\dpdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\fxxlrlx.exec:\fxxlrlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\hnnhbt.exec:\hnnhbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\pdjvv.exec:\pdjvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\fxxrllf.exec:\fxxrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\bthbtt.exec:\bthbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\xrfxlfx.exec:\xrfxlfx.exe23⤵
- Executes dropped EXE
PID:628 -
\??\c:\hnbntt.exec:\hnbntt.exe24⤵
- Executes dropped EXE
PID:1504 -
\??\c:\dvpjd.exec:\dvpjd.exe25⤵
- Executes dropped EXE
PID:3536 -
\??\c:\rllfxxl.exec:\rllfxxl.exe26⤵
- Executes dropped EXE
PID:5020 -
\??\c:\btnhth.exec:\btnhth.exe27⤵
- Executes dropped EXE
PID:1300 -
\??\c:\vdppv.exec:\vdppv.exe28⤵
- Executes dropped EXE
PID:4960 -
\??\c:\djjdp.exec:\djjdp.exe29⤵
- Executes dropped EXE
PID:1080 -
\??\c:\lrfrfrr.exec:\lrfrfrr.exe30⤵
- Executes dropped EXE
PID:2572 -
\??\c:\tttnbt.exec:\tttnbt.exe31⤵
- Executes dropped EXE
PID:1552 -
\??\c:\jddpd.exec:\jddpd.exe32⤵
- Executes dropped EXE
PID:2396 -
\??\c:\vvdvj.exec:\vvdvj.exe33⤵
- Executes dropped EXE
PID:3532 -
\??\c:\bbnbbt.exec:\bbnbbt.exe34⤵
- Executes dropped EXE
PID:2764 -
\??\c:\vvdpj.exec:\vvdpj.exe35⤵
- Executes dropped EXE
PID:1412 -
\??\c:\9tbtnn.exec:\9tbtnn.exe36⤵
- Executes dropped EXE
PID:4496 -
\??\c:\3rxlfxx.exec:\3rxlfxx.exe37⤵
- Executes dropped EXE
PID:4472 -
\??\c:\btttnb.exec:\btttnb.exe38⤵
- Executes dropped EXE
PID:796 -
\??\c:\jvpdp.exec:\jvpdp.exe39⤵
- Executes dropped EXE
PID:4256 -
\??\c:\nhbnhh.exec:\nhbnhh.exe40⤵
- Executes dropped EXE
PID:4628 -
\??\c:\vpvjd.exec:\vpvjd.exe41⤵
- Executes dropped EXE
PID:4560 -
\??\c:\lffxrlf.exec:\lffxrlf.exe42⤵
- Executes dropped EXE
PID:5016 -
\??\c:\hhhhbb.exec:\hhhhbb.exe43⤵
- Executes dropped EXE
PID:3832 -
\??\c:\vvjjp.exec:\vvjjp.exe44⤵
- Executes dropped EXE
PID:2992 -
\??\c:\lxxrlrl.exec:\lxxrlrl.exe45⤵
- Executes dropped EXE
PID:4416 -
\??\c:\3tbtnh.exec:\3tbtnh.exe46⤵
- Executes dropped EXE
PID:2844 -
\??\c:\dvjvp.exec:\dvjvp.exe47⤵
- Executes dropped EXE
PID:428 -
\??\c:\tntttt.exec:\tntttt.exe48⤵
- Executes dropped EXE
PID:2432 -
\??\c:\ntbtnn.exec:\ntbtnn.exe49⤵
- Executes dropped EXE
PID:4128 -
\??\c:\vpdpp.exec:\vpdpp.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4904 -
\??\c:\5fllrrx.exec:\5fllrrx.exe51⤵
- Executes dropped EXE
PID:4420 -
\??\c:\tbhbht.exec:\tbhbht.exe52⤵
- Executes dropped EXE
PID:1164 -
\??\c:\ppdjj.exec:\ppdjj.exe53⤵
- Executes dropped EXE
PID:4808 -
\??\c:\rllxxrl.exec:\rllxxrl.exe54⤵
- Executes dropped EXE
PID:2732 -
\??\c:\5nhbtt.exec:\5nhbtt.exe55⤵
- Executes dropped EXE
PID:4728 -
\??\c:\jvvvj.exec:\jvvvj.exe56⤵
- Executes dropped EXE
PID:3552 -
\??\c:\xllxrfx.exec:\xllxrfx.exe57⤵
- Executes dropped EXE
PID:2624 -
\??\c:\5frllff.exec:\5frllff.exe58⤵
- Executes dropped EXE
PID:1320 -
\??\c:\tnnnhn.exec:\tnnnhn.exe59⤵
- Executes dropped EXE
PID:4464 -
\??\c:\7ddvp.exec:\7ddvp.exe60⤵
- Executes dropped EXE
PID:2788 -
\??\c:\frrfxrf.exec:\frrfxrf.exe61⤵
- Executes dropped EXE
PID:2104 -
\??\c:\nhnbhb.exec:\nhnbhb.exe62⤵
- Executes dropped EXE
PID:2328 -
\??\c:\dvvpd.exec:\dvvpd.exe63⤵
- Executes dropped EXE
PID:3376 -
\??\c:\5xfxxxx.exec:\5xfxxxx.exe64⤵
- Executes dropped EXE
PID:4348 -
\??\c:\nhhbnn.exec:\nhhbnn.exe65⤵
- Executes dropped EXE
PID:3784 -
\??\c:\jvpdv.exec:\jvpdv.exe66⤵PID:616
-
\??\c:\xllxrfx.exec:\xllxrfx.exe67⤵PID:1696
-
\??\c:\ttbtnn.exec:\ttbtnn.exe68⤵PID:4968
-
\??\c:\bhtbtn.exec:\bhtbtn.exe69⤵PID:3648
-
\??\c:\fxxlffx.exec:\fxxlffx.exe70⤵PID:3288
-
\??\c:\5ffrfxl.exec:\5ffrfxl.exe71⤵PID:1052
-
\??\c:\tthnhh.exec:\tthnhh.exe72⤵PID:512
-
\??\c:\pjdvp.exec:\pjdvp.exe73⤵PID:3568
-
\??\c:\3xxrlfx.exec:\3xxrlfx.exe74⤵
- System Location Discovery: System Language Discovery
PID:2592 -
\??\c:\bnnhbt.exec:\bnnhbt.exe75⤵PID:1368
-
\??\c:\vvvpv.exec:\vvvpv.exe76⤵PID:3656
-
\??\c:\frxxlff.exec:\frxxlff.exe77⤵PID:548
-
\??\c:\5lrrxxl.exec:\5lrrxxl.exe78⤵PID:4232
-
\??\c:\9nbttn.exec:\9nbttn.exe79⤵PID:1576
-
\??\c:\vpjvp.exec:\vpjvp.exe80⤵PID:3668
-
\??\c:\rlfxfxx.exec:\rlfxfxx.exe81⤵PID:1420
-
\??\c:\bnnntb.exec:\bnnntb.exe82⤵PID:4324
-
\??\c:\3jddp.exec:\3jddp.exe83⤵PID:2680
-
\??\c:\fxfxlfx.exec:\fxfxlfx.exe84⤵PID:1256
-
\??\c:\nbtnhb.exec:\nbtnhb.exe85⤵PID:2980
-
\??\c:\9nnbnt.exec:\9nnbnt.exe86⤵PID:2832
-
\??\c:\jdpjd.exec:\jdpjd.exe87⤵PID:2412
-
\??\c:\rlfxlxf.exec:\rlfxlxf.exe88⤵PID:212
-
\??\c:\hntthh.exec:\hntthh.exe89⤵PID:2396
-
\??\c:\djjvj.exec:\djjvj.exe90⤵PID:5112
-
\??\c:\rrfxlll.exec:\rrfxlll.exe91⤵PID:1592
-
\??\c:\httnbb.exec:\httnbb.exe92⤵PID:216
-
\??\c:\jvvjv.exec:\jvvjv.exe93⤵PID:3104
-
\??\c:\dvvjv.exec:\dvvjv.exe94⤵PID:844
-
\??\c:\frxrlff.exec:\frxrlff.exe95⤵PID:2304
-
\??\c:\hbthbt.exec:\hbthbt.exe96⤵PID:2796
-
\??\c:\nbbnnh.exec:\nbbnnh.exe97⤵PID:796
-
\??\c:\pjjdd.exec:\pjjdd.exe98⤵PID:1208
-
\??\c:\rrrfflf.exec:\rrrfflf.exe99⤵PID:640
-
\??\c:\tbbnhb.exec:\tbbnhb.exe100⤵PID:4560
-
\??\c:\djdvj.exec:\djdvj.exe101⤵PID:4604
-
\??\c:\lrrfxlx.exec:\lrrfxlx.exe102⤵PID:4424
-
\??\c:\rrfrlff.exec:\rrfrlff.exe103⤵PID:2992
-
\??\c:\7bhtbh.exec:\7bhtbh.exe104⤵PID:4416
-
\??\c:\jddpj.exec:\jddpj.exe105⤵PID:4572
-
\??\c:\flrlxrx.exec:\flrlxrx.exe106⤵PID:5076
-
\??\c:\tnbthh.exec:\tnbthh.exe107⤵PID:4868
-
\??\c:\9vvjj.exec:\9vvjj.exe108⤵PID:4972
-
\??\c:\dvvvp.exec:\dvvvp.exe109⤵PID:4908
-
\??\c:\rfrrllf.exec:\rfrrllf.exe110⤵PID:1540
-
\??\c:\bthttn.exec:\bthttn.exe111⤵PID:2536
-
\??\c:\1jdvj.exec:\1jdvj.exe112⤵PID:3652
-
\??\c:\rxfxrll.exec:\rxfxrll.exe113⤵PID:2360
-
\??\c:\rffxrlf.exec:\rffxrlf.exe114⤵PID:1228
-
\??\c:\nntntn.exec:\nntntn.exe115⤵PID:5008
-
\??\c:\jppdv.exec:\jppdv.exe116⤵PID:3672
-
\??\c:\xxxrllx.exec:\xxxrllx.exe117⤵PID:232
-
\??\c:\rffxrlf.exec:\rffxrlf.exe118⤵PID:2468
-
\??\c:\hhthbb.exec:\hhthbb.exe119⤵PID:1968
-
\??\c:\1vdvp.exec:\1vdvp.exe120⤵PID:3696
-
\??\c:\ffxlffx.exec:\ffxlffx.exe121⤵PID:1380
-
\??\c:\lfxrfrl.exec:\lfxrfrl.exe122⤵PID:2276