Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:09
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Note: the task header above describes the windows7-x64 run (behavioral1), but every signature hit and the process tree reproduced below are labelled behavioral2, i.e. the win10v2004-20241007-en image listed under Analysis. Results for the windows7-x64 run are not shown on this page.
General
-
Target
3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe
-
Size
456KB
-
MD5
ec932e8e3ef108163b764c2b27819930
-
SHA1
d5014c39f319b83c0c00b2377799635c19c5cd1b
-
SHA256
3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854cc
-
SHA512
a29d2f6cca5dc0ec66bef4f5b8f6cec5ddcfd12fc1d5d0a13ea73587bd86d24c139c613ff005c8eea92b5bfe1abbfba902b7e762b57584a7ade62096090ca6c7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRj:q7Tc2NYHUrAwfMp3CDRj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (the family_blackmoon YARA rule matched on per-process memory dumps, not on the submitted file; every hit covers the same 0x400000-0x42A000 range of the mapped image, and the same regions also match the upx rule further down, which is consistent with a packed image that unpacks in memory — confirm against the on-disk sample's section headers before relying on the family label)
resource yara_rule behavioral2/memory/2584-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2856-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2540-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-1043-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-1254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-1321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list stops at 64 entries while the process tree below shows the drop-and-execute chain continuing to depth 122; one intermediate stage, 7rlxrxr.exe at level 50 / PID 4440, is absent from this list even though its neighbours are present)
pid Process 1752 nbtnnb.exe 4820 1jppj.exe 4828 hhttnb.exe 4144 7lrlxxx.exe 404 vpdpj.exe 4356 jjjjj.exe 2692 rxxxrrx.exe 2908 tntbtb.exe 2248 lxfffff.exe 2440 htnnhb.exe 4500 bntntt.exe 3668 7ddvp.exe 3904 7bbthb.exe 1056 flrrlfx.exe 1728 ntbnhn.exe 4348 rffxffr.exe 3500 tnbtbb.exe 4708 xrxrffr.exe 3828 vpvpp.exe 4696 fxxllfx.exe 1712 5dvvj.exe 3216 lffxrlf.exe 3152 ddjvj.exe 1596 nhnhtt.exe 3584 jjvpj.exe 2856 dpvjd.exe 3952 frrlxxl.exe 4412 jvvpj.exe 4772 rxxxxll.exe 892 bttnhb.exe 4204 bhtnhb.exe 1936 rffrfxr.exe 1340 dvvpp.exe 2848 ffrlxrr.exe 3932 3hbnhh.exe 2600 dvddv.exe 2220 7ffxllx.exe 4132 tntttt.exe 4052 dvjvv.exe 4076 lflffff.exe 3476 3ttnbt.exe 2052 3vpjv.exe 1324 5xrfxxr.exe 4084 bttntn.exe 4252 vvvpj.exe 4924 rrrlllf.exe 2420 bthhbb.exe 1396 3pjdd.exe 3492 5btnhh.exe 884 nbhnhn.exe 3404 vvjjj.exe 1764 lrlfllf.exe 3848 bnnhbb.exe 4612 pjpjp.exe 4436 rfrrxxl.exe 3612 bbnhtn.exe 1256 vdddd.exe 2012 lflffll.exe 2840 9fllrrf.exe 1176 1nhbnn.exe 2424 vvjdv.exe 548 3xlfffl.exe 868 thbbtn.exe 4704 vppdj.exe -
resource yara_rule behavioral2/memory/2584-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3952-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-395-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3732-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The evidence is each stage opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language; benign runtime code also reads this key, so treat it as a weak indicator that is meaningful only together with the drop-and-execute chain below. Entries shown as "Process not Found" are opens whose owning process could not be attributed to an image name (presumably it had already exited by the time the event was resolved — verify against the sandbox's raw event log).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (the list stops at 64 entries. Every entry shown is a parent writing into the child it has just spawned — the target PID is the next link of the process tree, three writes per pair — and no writes into pre-existing or unrelated processes appear, which is consistent with setting up the next stage rather than injecting into a foreign process; do not read this signature as code injection on its own)
description pid Process procid_target PID 2584 wrote to memory of 1752 2584 3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe 83 PID 2584 wrote to memory of 1752 2584 3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe 83 PID 2584 wrote to memory of 1752 2584 3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe 83 PID 1752 wrote to memory of 4820 1752 nbtnnb.exe 84 PID 1752 wrote to memory of 4820 1752 nbtnnb.exe 84 PID 1752 wrote to memory of 4820 1752 nbtnnb.exe 84 PID 4820 wrote to memory of 4828 4820 1jppj.exe 85 PID 4820 wrote to memory of 4828 4820 1jppj.exe 85 PID 4820 wrote to memory of 4828 4820 1jppj.exe 85 PID 4828 wrote to memory of 4144 4828 hhttnb.exe 86 PID 4828 wrote to memory of 4144 4828 hhttnb.exe 86 PID 4828 wrote to memory of 4144 4828 hhttnb.exe 86 PID 4144 wrote to memory of 404 4144 7lrlxxx.exe 87 PID 4144 wrote to memory of 404 4144 7lrlxxx.exe 87 PID 4144 wrote to memory of 404 4144 7lrlxxx.exe 87 PID 404 wrote to memory of 4356 404 vpdpj.exe 88 PID 404 wrote to memory of 4356 404 vpdpj.exe 88 PID 404 wrote to memory of 4356 404 vpdpj.exe 88 PID 4356 wrote to memory of 2692 4356 jjjjj.exe 89 PID 4356 wrote to memory of 2692 4356 jjjjj.exe 89 PID 4356 wrote to memory of 2692 4356 jjjjj.exe 89 PID 2692 wrote to memory of 2908 2692 rxxxrrx.exe 90 PID 2692 wrote to memory of 2908 2692 rxxxrrx.exe 90 PID 2692 wrote to memory of 2908 2692 rxxxrrx.exe 90 PID 2908 wrote to memory of 2248 2908 tntbtb.exe 91 PID 2908 wrote to memory of 2248 2908 tntbtb.exe 91 PID 2908 wrote to memory of 2248 2908 tntbtb.exe 91 PID 2248 wrote to memory of 2440 2248 lxfffff.exe 92 PID 2248 wrote to memory of 2440 2248 lxfffff.exe 92 PID 2248 wrote to memory of 2440 2248 lxfffff.exe 92 PID 2440 wrote to memory of 4500 2440 htnnhb.exe 93 PID 2440 wrote to memory of 4500 2440 htnnhb.exe 93 PID 2440 wrote to memory of 4500 2440 htnnhb.exe 93 PID 4500 wrote to memory of 3668 4500 bntntt.exe 94 PID 4500 wrote to memory 
of 3668 4500 bntntt.exe 94 PID 4500 wrote to memory of 3668 4500 bntntt.exe 94 PID 3668 wrote to memory of 3904 3668 7ddvp.exe 95 PID 3668 wrote to memory of 3904 3668 7ddvp.exe 95 PID 3668 wrote to memory of 3904 3668 7ddvp.exe 95 PID 3904 wrote to memory of 1056 3904 7bbthb.exe 96 PID 3904 wrote to memory of 1056 3904 7bbthb.exe 96 PID 3904 wrote to memory of 1056 3904 7bbthb.exe 96 PID 1056 wrote to memory of 1728 1056 flrrlfx.exe 97 PID 1056 wrote to memory of 1728 1056 flrrlfx.exe 97 PID 1056 wrote to memory of 1728 1056 flrrlfx.exe 97 PID 1728 wrote to memory of 4348 1728 ntbnhn.exe 98 PID 1728 wrote to memory of 4348 1728 ntbnhn.exe 98 PID 1728 wrote to memory of 4348 1728 ntbnhn.exe 98 PID 4348 wrote to memory of 3500 4348 rffxffr.exe 99 PID 4348 wrote to memory of 3500 4348 rffxffr.exe 99 PID 4348 wrote to memory of 3500 4348 rffxffr.exe 99 PID 3500 wrote to memory of 4708 3500 tnbtbb.exe 100 PID 3500 wrote to memory of 4708 3500 tnbtbb.exe 100 PID 3500 wrote to memory of 4708 3500 tnbtbb.exe 100 PID 4708 wrote to memory of 3828 4708 xrxrffr.exe 101 PID 4708 wrote to memory of 3828 4708 xrxrffr.exe 101 PID 4708 wrote to memory of 3828 4708 xrxrffr.exe 101 PID 3828 wrote to memory of 4696 3828 vpvpp.exe 102 PID 3828 wrote to memory of 4696 3828 vpvpp.exe 102 PID 3828 wrote to memory of 4696 3828 vpvpp.exe 102 PID 4696 wrote to memory of 1712 4696 fxxllfx.exe 103 PID 4696 wrote to memory of 1712 4696 fxxllfx.exe 103 PID 4696 wrote to memory of 1712 4696 fxxllfx.exe 103 PID 1712 wrote to memory of 3216 1712 5dvvj.exe 104
Processes
(Process tree. The submitted binary runs from C:\Users\Admin\AppData\Local\Temp; every descendant is written to and launched from the root of C:\ under a short random name built from a small set of consonants and digits, and each stage launches exactly one child, 122 levels deep within the 120 s run. PIDs are reused during the run — 2584 is both the initial sample at level 1 and hntnhb.exe at level 113, and 4708, 4828, 2856 and 892 each appear for two different images — so correlate events by PID plus image name or timestamp, never by PID alone. Executables created and executed from the drive root with such names are a usable hunting criterion for this chain.)
-
C:\Users\Admin\AppData\Local\Temp\3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe"C:\Users\Admin\AppData\Local\Temp\3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\nbtnnb.exec:\nbtnnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\1jppj.exec:\1jppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\hhttnb.exec:\hhttnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\7lrlxxx.exec:\7lrlxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\vpdpj.exec:\vpdpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\jjjjj.exec:\jjjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\rxxxrrx.exec:\rxxxrrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\tntbtb.exec:\tntbtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\lxfffff.exec:\lxfffff.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\htnnhb.exec:\htnnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\bntntt.exec:\bntntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\7ddvp.exec:\7ddvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\7bbthb.exec:\7bbthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\flrrlfx.exec:\flrrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\ntbnhn.exec:\ntbnhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\rffxffr.exec:\rffxffr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\tnbtbb.exec:\tnbtbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\xrxrffr.exec:\xrxrffr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\vpvpp.exec:\vpvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\fxxllfx.exec:\fxxllfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\5dvvj.exec:\5dvvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\lffxrlf.exec:\lffxrlf.exe23⤵
- Executes dropped EXE
PID:3216 -
\??\c:\ddjvj.exec:\ddjvj.exe24⤵
- Executes dropped EXE
PID:3152 -
\??\c:\nhnhtt.exec:\nhnhtt.exe25⤵
- Executes dropped EXE
PID:1596 -
\??\c:\jjvpj.exec:\jjvpj.exe26⤵
- Executes dropped EXE
PID:3584 -
\??\c:\dpvjd.exec:\dpvjd.exe27⤵
- Executes dropped EXE
PID:2856 -
\??\c:\frrlxxl.exec:\frrlxxl.exe28⤵
- Executes dropped EXE
PID:3952 -
\??\c:\jvvpj.exec:\jvvpj.exe29⤵
- Executes dropped EXE
PID:4412 -
\??\c:\rxxxxll.exec:\rxxxxll.exe30⤵
- Executes dropped EXE
PID:4772 -
\??\c:\bttnhb.exec:\bttnhb.exe31⤵
- Executes dropped EXE
PID:892 -
\??\c:\bhtnhb.exec:\bhtnhb.exe32⤵
- Executes dropped EXE
PID:4204 -
\??\c:\rffrfxr.exec:\rffrfxr.exe33⤵
- Executes dropped EXE
PID:1936 -
\??\c:\dvvpp.exec:\dvvpp.exe34⤵
- Executes dropped EXE
PID:1340 -
\??\c:\ffrlxrr.exec:\ffrlxrr.exe35⤵
- Executes dropped EXE
PID:2848 -
\??\c:\3hbnhh.exec:\3hbnhh.exe36⤵
- Executes dropped EXE
PID:3932 -
\??\c:\dvddv.exec:\dvddv.exe37⤵
- Executes dropped EXE
PID:2600 -
\??\c:\7ffxllx.exec:\7ffxllx.exe38⤵
- Executes dropped EXE
PID:2220 -
\??\c:\tntttt.exec:\tntttt.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4132 -
\??\c:\dvjvv.exec:\dvjvv.exe40⤵
- Executes dropped EXE
PID:4052 -
\??\c:\lflffff.exec:\lflffff.exe41⤵
- Executes dropped EXE
PID:4076 -
\??\c:\3ttnbt.exec:\3ttnbt.exe42⤵
- Executes dropped EXE
PID:3476 -
\??\c:\3vpjv.exec:\3vpjv.exe43⤵
- Executes dropped EXE
PID:2052 -
\??\c:\5xrfxxr.exec:\5xrfxxr.exe44⤵
- Executes dropped EXE
PID:1324 -
\??\c:\bttntn.exec:\bttntn.exe45⤵
- Executes dropped EXE
PID:4084 -
\??\c:\vvvpj.exec:\vvvpj.exe46⤵
- Executes dropped EXE
PID:4252 -
\??\c:\rrrlllf.exec:\rrrlllf.exe47⤵
- Executes dropped EXE
PID:4924 -
\??\c:\bthhbb.exec:\bthhbb.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2420 -
\??\c:\3pjdd.exec:\3pjdd.exe49⤵
- Executes dropped EXE
PID:1396 -
\??\c:\7rlxrxr.exec:\7rlxrxr.exe50⤵PID:4440
-
\??\c:\5btnhh.exec:\5btnhh.exe51⤵
- Executes dropped EXE
PID:3492 -
\??\c:\nbhnhn.exec:\nbhnhn.exe52⤵
- Executes dropped EXE
PID:884 -
\??\c:\vvjjj.exec:\vvjjj.exe53⤵
- Executes dropped EXE
PID:3404 -
\??\c:\lrlfllf.exec:\lrlfllf.exe54⤵
- Executes dropped EXE
PID:1764 -
\??\c:\bnnhbb.exec:\bnnhbb.exe55⤵
- Executes dropped EXE
PID:3848 -
\??\c:\pjpjp.exec:\pjpjp.exe56⤵
- Executes dropped EXE
PID:4612 -
\??\c:\rfrrxxl.exec:\rfrrxxl.exe57⤵
- Executes dropped EXE
PID:4436 -
\??\c:\bbnhtn.exec:\bbnhtn.exe58⤵
- Executes dropped EXE
PID:3612 -
\??\c:\vdddd.exec:\vdddd.exe59⤵
- Executes dropped EXE
PID:1256 -
\??\c:\lflffll.exec:\lflffll.exe60⤵
- Executes dropped EXE
PID:2012 -
\??\c:\9fllrrf.exec:\9fllrrf.exe61⤵
- Executes dropped EXE
PID:2840 -
\??\c:\1nhbnn.exec:\1nhbnn.exe62⤵
- Executes dropped EXE
PID:1176 -
\??\c:\vvjdv.exec:\vvjdv.exe63⤵
- Executes dropped EXE
PID:2424 -
\??\c:\3xlfffl.exec:\3xlfffl.exe64⤵
- Executes dropped EXE
PID:548 -
\??\c:\thbbtn.exec:\thbbtn.exe65⤵
- Executes dropped EXE
PID:868 -
\??\c:\vppdj.exec:\vppdj.exe66⤵
- Executes dropped EXE
PID:4704 -
\??\c:\vdpjv.exec:\vdpjv.exe67⤵PID:3960
-
\??\c:\rxfxllf.exec:\rxfxllf.exe68⤵PID:4384
-
\??\c:\hntnnn.exec:\hntnnn.exe69⤵PID:1624
-
\??\c:\9jjdv.exec:\9jjdv.exe70⤵PID:1684
-
\??\c:\vjvpv.exec:\vjvpv.exe71⤵PID:3496
-
\??\c:\flrlfxl.exec:\flrlfxl.exe72⤵PID:5100
-
\??\c:\btbtbt.exec:\btbtbt.exe73⤵PID:4852
-
\??\c:\pddpj.exec:\pddpj.exe74⤵PID:2212
-
\??\c:\jjpjv.exec:\jjpjv.exe75⤵PID:4176
-
\??\c:\xlxlxlf.exec:\xlxlxlf.exe76⤵PID:2540
-
\??\c:\vvdvp.exec:\vvdvp.exe77⤵PID:4708
-
\??\c:\1xfxrll.exec:\1xfxrll.exe78⤵PID:1736
-
\??\c:\lxxrxrx.exec:\lxxrxrx.exe79⤵PID:1364
-
\??\c:\1thbbb.exec:\1thbbb.exe80⤵PID:3004
-
\??\c:\1jdvp.exec:\1jdvp.exe81⤵PID:944
-
\??\c:\3ffxrrf.exec:\3ffxrrf.exe82⤵PID:2004
-
\??\c:\1xrlffx.exec:\1xrlffx.exe83⤵PID:4844
-
\??\c:\bbthbt.exec:\bbthbt.exe84⤵PID:1808
-
\??\c:\jdjdv.exec:\jdjdv.exe85⤵PID:4492
-
\??\c:\9lrlfxr.exec:\9lrlfxr.exe86⤵PID:2936
-
\??\c:\nhbnhn.exec:\nhbnhn.exe87⤵PID:4124
-
\??\c:\3dvpd.exec:\3dvpd.exe88⤵
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\9djvj.exec:\9djvj.exe89⤵PID:3576
-
\??\c:\frxxrrr.exec:\frxxrrr.exe90⤵PID:924
-
\??\c:\hbtnnh.exec:\hbtnnh.exe91⤵PID:988
-
\??\c:\3dvjd.exec:\3dvjd.exe92⤵PID:5008
-
\??\c:\7dvdp.exec:\7dvdp.exe93⤵PID:1276
-
\??\c:\lxflrff.exec:\lxflrff.exe94⤵PID:892
-
\??\c:\3bnhtb.exec:\3bnhtb.exe95⤵PID:2512
-
\??\c:\jdjjd.exec:\jdjjd.exe96⤵PID:3280
-
\??\c:\fxffrrf.exec:\fxffrrf.exe97⤵PID:3732
-
\??\c:\hbhhhh.exec:\hbhhhh.exe98⤵
- System Location Discovery: System Language Discovery
PID:5020 -
\??\c:\pvjdv.exec:\pvjdv.exe99⤵PID:1204
-
\??\c:\fxxlxxr.exec:\fxxlxxr.exe100⤵PID:5096
-
\??\c:\3rllflf.exec:\3rllflf.exe101⤵PID:1444
-
\??\c:\btbtnb.exec:\btbtnb.exe102⤵PID:3964
-
\??\c:\pdppj.exec:\pdppj.exe103⤵PID:3912
-
\??\c:\lflfxxx.exec:\lflfxxx.exe104⤵PID:2780
-
\??\c:\ntbtht.exec:\ntbtht.exe105⤵PID:3200
-
\??\c:\vvvjd.exec:\vvvjd.exe106⤵PID:5044
-
\??\c:\rxrrllf.exec:\rxrrllf.exe107⤵PID:408
-
\??\c:\9htthh.exec:\9htthh.exe108⤵PID:1564
-
\??\c:\httnbn.exec:\httnbn.exe109⤵PID:2700
-
\??\c:\vjpjd.exec:\vjpjd.exe110⤵PID:872
-
\??\c:\9xxrxxr.exec:\9xxrxxr.exe111⤵PID:2460
-
\??\c:\nhhtnh.exec:\nhhtnh.exe112⤵PID:3164
-
\??\c:\hntnhb.exec:\hntnhb.exe113⤵PID:2584
-
\??\c:\jvvpv.exec:\jvvpv.exe114⤵PID:3928
-
\??\c:\fffxxxr.exec:\fffxxxr.exe115⤵PID:1612
-
\??\c:\7nnhbb.exec:\7nnhbb.exe116⤵PID:3036
-
\??\c:\1dppp.exec:\1dppp.exe117⤵PID:4828
-
\??\c:\3lrflff.exec:\3lrflff.exe118⤵PID:1844
-
\??\c:\5xxrfxr.exec:\5xxrfxr.exe119⤵PID:2008
-
\??\c:\nbbnhb.exec:\nbbnhb.exe120⤵PID:116
-
\??\c:\dpvvd.exec:\dpvvd.exe121⤵PID:1336
-
\??\c:\xrrfffx.exec:\xrrfffx.exe122⤵PID:2968