Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 20:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
13deab242096f3c84a87add89e062ffd44e2a07076b38b4efcd3ce8b51b0fa30N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
13deab242096f3c84a87add89e062ffd44e2a07076b38b4efcd3ce8b51b0fa30N.exe
-
Size
453KB
-
MD5
a059592eb9eb934bbab27d28b0c27340
-
SHA1
b0eb78387e42db6c998c38ce1198546d4069fede
-
SHA256
13deab242096f3c84a87add89e062ffd44e2a07076b38b4efcd3ce8b51b0fa30
-
SHA512
52873f0398fbbc5fc8f6c273191f922fed4cedfe4df2bc4b4d880a90cde77360a069e429e9b60aecabb61098e86a877b3033367bdd2530495b0a154a252be4e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1680-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3080-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/892-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-876-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1972-1284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4436 nntbbh.exe 4980 lffxxxx.exe 2036 5hhbtn.exe 1664 pvpjp.exe 216 pvjjj.exe 536 frfxrrr.exe 4644 pjppv.exe 1196 frfxxxx.exe 3004 nbttnh.exe 4808 vpvvj.exe 2752 3dvjd.exe 3228 hbbttn.exe 4468 jjvvp.exe 1816 rlrlfxx.exe 5064 1btnbb.exe 4532 llffxff.exe 3464 nhhhbb.exe 4448 9ddjv.exe 1040 xxxrlll.exe 2276 vpvpp.exe 2336 jjvvd.exe 3944 fxrllff.exe 2384 ffxrlll.exe 4884 htttnn.exe 1700 hbnntt.exe 3080 rxxrrrr.exe 2284 9ddvp.exe 4068 djpjj.exe 1416 jpvvp.exe 724 hbhhbb.exe 1676 lrrffxl.exe 3700 ffrlfxr.exe 1872 jddvp.exe 4764 ntbnnn.exe 4196 jvvjj.exe 1500 rlrlfff.exe 1368 5bhbbb.exe 4272 pjppp.exe 3564 rfrlfxr.exe 4624 hhhbbb.exe 3576 tbhtnh.exe 2344 pjpjj.exe 4936 fxxrlfx.exe 324 bhnhhh.exe 4280 jvdjd.exe 464 7rrlfrx.exe 864 xfxrrlf.exe 908 bbhthb.exe 3848 jjjjd.exe 408 rffxrlx.exe 4392 htbnhh.exe 3316 1tntnn.exe 5024 jvvvp.exe 1096 frfxrll.exe 3488 7bnhhh.exe 2036 pjvjd.exe 1664 5llfrrx.exe 972 1flffxr.exe 5016 1nnhbb.exe 1112 3ppjd.exe 528 xffrllf.exe 1800 hbhhbt.exe 4916 tthhbb.exe 1200 vpvpj.exe -
resource yara_rule behavioral2/memory/1680-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3080-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-412-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4680-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-686-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1680 wrote to memory of 4436 1680 13deab242096f3c84a87add89e062ffd44e2a07076b38b4efcd3ce8b51b0fa30N.exe 82 PID 1680 wrote to memory of 4436 1680 13deab242096f3c84a87add89e062ffd44e2a07076b38b4efcd3ce8b51b0fa30N.exe 82 PID 1680 wrote to memory of 4436 1680 13deab242096f3c84a87add89e062ffd44e2a07076b38b4efcd3ce8b51b0fa30N.exe 82 PID 4436 wrote to memory of 4980 4436 nntbbh.exe 83 PID 4436 wrote to memory of 4980 4436 nntbbh.exe 83 PID 4436 wrote to memory of 4980 4436 nntbbh.exe 83 PID 4980 wrote to memory of 2036 4980 lffxxxx.exe 84 PID 4980 wrote to memory of 2036 4980 lffxxxx.exe 84 PID 4980 wrote to memory of 2036 4980 lffxxxx.exe 84 PID 2036 wrote to memory of 1664 2036 5hhbtn.exe 85 PID 2036 wrote to memory of 1664 2036 5hhbtn.exe 85 PID 2036 wrote to memory of 1664 2036 5hhbtn.exe 85 PID 1664 wrote to memory of 216 1664 pvpjp.exe 86 PID 1664 wrote to memory of 216 1664 pvpjp.exe 86 PID 1664 wrote to memory of 216 1664 pvpjp.exe 86 PID 216 wrote to memory of 536 216 pvjjj.exe 87 PID 216 wrote to memory of 536 216 pvjjj.exe 87 PID 216 wrote to memory of 536 216 pvjjj.exe 87 PID 536 wrote to memory of 4644 536 frfxrrr.exe 88 PID 536 wrote to memory of 4644 536 frfxrrr.exe 88 PID 536 wrote to memory of 4644 536 frfxrrr.exe 88 PID 4644 wrote to memory of 1196 4644 pjppv.exe 89 PID 4644 wrote to memory of 1196 4644 pjppv.exe 89 PID 4644 wrote to memory of 1196 4644 pjppv.exe 89 PID 1196 wrote to memory of 3004 1196 frfxxxx.exe 90 PID 1196 wrote to memory of 3004 1196 frfxxxx.exe 90 PID 1196 wrote to memory of 3004 1196 frfxxxx.exe 90 PID 3004 wrote to memory of 4808 3004 nbttnh.exe 91 PID 3004 wrote to memory of 4808 3004 nbttnh.exe 91 PID 3004 wrote to memory of 4808 3004 nbttnh.exe 91 PID 4808 wrote to memory of 2752 4808 vpvvj.exe 92 PID 4808 wrote to memory of 2752 4808 vpvvj.exe 92 PID 4808 wrote to memory of 2752 4808 vpvvj.exe 92 PID 2752 wrote to memory of 3228 2752 3dvjd.exe 93 PID 2752 wrote to memory of 3228 2752 
3dvjd.exe 93 PID 2752 wrote to memory of 3228 2752 3dvjd.exe 93 PID 3228 wrote to memory of 4468 3228 hbbttn.exe 94 PID 3228 wrote to memory of 4468 3228 hbbttn.exe 94 PID 3228 wrote to memory of 4468 3228 hbbttn.exe 94 PID 4468 wrote to memory of 1816 4468 jjvvp.exe 95 PID 4468 wrote to memory of 1816 4468 jjvvp.exe 95 PID 4468 wrote to memory of 1816 4468 jjvvp.exe 95 PID 1816 wrote to memory of 5064 1816 rlrlfxx.exe 96 PID 1816 wrote to memory of 5064 1816 rlrlfxx.exe 96 PID 1816 wrote to memory of 5064 1816 rlrlfxx.exe 96 PID 5064 wrote to memory of 4532 5064 1btnbb.exe 97 PID 5064 wrote to memory of 4532 5064 1btnbb.exe 97 PID 5064 wrote to memory of 4532 5064 1btnbb.exe 97 PID 4532 wrote to memory of 3464 4532 llffxff.exe 98 PID 4532 wrote to memory of 3464 4532 llffxff.exe 98 PID 4532 wrote to memory of 3464 4532 llffxff.exe 98 PID 3464 wrote to memory of 4448 3464 nhhhbb.exe 99 PID 3464 wrote to memory of 4448 3464 nhhhbb.exe 99 PID 3464 wrote to memory of 4448 3464 nhhhbb.exe 99 PID 4448 wrote to memory of 1040 4448 9ddjv.exe 100 PID 4448 wrote to memory of 1040 4448 9ddjv.exe 100 PID 4448 wrote to memory of 1040 4448 9ddjv.exe 100 PID 1040 wrote to memory of 2276 1040 xxxrlll.exe 101 PID 1040 wrote to memory of 2276 1040 xxxrlll.exe 101 PID 1040 wrote to memory of 2276 1040 xxxrlll.exe 101 PID 2276 wrote to memory of 2336 2276 vpvpp.exe 102 PID 2276 wrote to memory of 2336 2276 vpvpp.exe 102 PID 2276 wrote to memory of 2336 2276 vpvpp.exe 102 PID 2336 wrote to memory of 3944 2336 jjvvd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\13deab242096f3c84a87add89e062ffd44e2a07076b38b4efcd3ce8b51b0fa30N.exe"C:\Users\Admin\AppData\Local\Temp\13deab242096f3c84a87add89e062ffd44e2a07076b38b4efcd3ce8b51b0fa30N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\nntbbh.exec:\nntbbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\lffxxxx.exec:\lffxxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\5hhbtn.exec:\5hhbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\pvpjp.exec:\pvpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\pvjjj.exec:\pvjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\frfxrrr.exec:\frfxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\pjppv.exec:\pjppv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\frfxxxx.exec:\frfxxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\nbttnh.exec:\nbttnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\vpvvj.exec:\vpvvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\3dvjd.exec:\3dvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\hbbttn.exec:\hbbttn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\jjvvp.exec:\jjvvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\rlrlfxx.exec:\rlrlfxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\1btnbb.exec:\1btnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\llffxff.exec:\llffxff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\nhhhbb.exec:\nhhhbb.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\9ddjv.exec:\9ddjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\xxxrlll.exec:\xxxrlll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\vpvpp.exec:\vpvpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\jjvvd.exec:\jjvvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\fxrllff.exec:\fxrllff.exe23⤵
- Executes dropped EXE
PID:3944 -
\??\c:\ffxrlll.exec:\ffxrlll.exe24⤵
- Executes dropped EXE
PID:2384 -
\??\c:\htttnn.exec:\htttnn.exe25⤵
- Executes dropped EXE
PID:4884 -
\??\c:\hbnntt.exec:\hbnntt.exe26⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rxxrrrr.exec:\rxxrrrr.exe27⤵
- Executes dropped EXE
PID:3080 -
\??\c:\9ddvp.exec:\9ddvp.exe28⤵
- Executes dropped EXE
PID:2284 -
\??\c:\djpjj.exec:\djpjj.exe29⤵
- Executes dropped EXE
PID:4068 -
\??\c:\jpvvp.exec:\jpvvp.exe30⤵
- Executes dropped EXE
PID:1416 -
\??\c:\hbhhbb.exec:\hbhhbb.exe31⤵
- Executes dropped EXE
PID:724 -
\??\c:\lrrffxl.exec:\lrrffxl.exe32⤵
- Executes dropped EXE
PID:1676 -
\??\c:\ffrlfxr.exec:\ffrlfxr.exe33⤵
- Executes dropped EXE
PID:3700 -
\??\c:\jddvp.exec:\jddvp.exe34⤵
- Executes dropped EXE
PID:1872 -
\??\c:\ntbnnn.exec:\ntbnnn.exe35⤵
- Executes dropped EXE
PID:4764 -
\??\c:\jvvjj.exec:\jvvjj.exe36⤵
- Executes dropped EXE
PID:4196 -
\??\c:\rlrlfff.exec:\rlrlfff.exe37⤵
- Executes dropped EXE
PID:1500 -
\??\c:\5bhbbb.exec:\5bhbbb.exe38⤵
- Executes dropped EXE
PID:1368 -
\??\c:\pjppp.exec:\pjppp.exe39⤵
- Executes dropped EXE
PID:4272 -
\??\c:\rfrlfxr.exec:\rfrlfxr.exe40⤵
- Executes dropped EXE
PID:3564 -
\??\c:\hhhbbb.exec:\hhhbbb.exe41⤵
- Executes dropped EXE
PID:4624 -
\??\c:\tbhtnh.exec:\tbhtnh.exe42⤵
- Executes dropped EXE
PID:3576 -
\??\c:\pjpjj.exec:\pjpjj.exe43⤵
- Executes dropped EXE
PID:2344 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe44⤵
- Executes dropped EXE
PID:4936 -
\??\c:\bhnhhh.exec:\bhnhhh.exe45⤵
- Executes dropped EXE
PID:324 -
\??\c:\jvdjd.exec:\jvdjd.exe46⤵
- Executes dropped EXE
PID:4280 -
\??\c:\7rrlfrx.exec:\7rrlfrx.exe47⤵
- Executes dropped EXE
PID:464 -
\??\c:\xfxrrlf.exec:\xfxrrlf.exe48⤵
- Executes dropped EXE
PID:864 -
\??\c:\bbhthb.exec:\bbhthb.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:908 -
\??\c:\jjjjd.exec:\jjjjd.exe50⤵
- Executes dropped EXE
PID:3848 -
\??\c:\rffxrlx.exec:\rffxrlx.exe51⤵
- Executes dropped EXE
PID:408 -
\??\c:\htbnhh.exec:\htbnhh.exe52⤵
- Executes dropped EXE
PID:4392 -
\??\c:\1tntnn.exec:\1tntnn.exe53⤵
- Executes dropped EXE
PID:3316 -
\??\c:\jvvvp.exec:\jvvvp.exe54⤵
- Executes dropped EXE
PID:5024 -
\??\c:\frfxrll.exec:\frfxrll.exe55⤵
- Executes dropped EXE
PID:1096 -
\??\c:\7bnhhh.exec:\7bnhhh.exe56⤵
- Executes dropped EXE
PID:3488 -
\??\c:\pjvjd.exec:\pjvjd.exe57⤵
- Executes dropped EXE
PID:2036 -
\??\c:\5llfrrx.exec:\5llfrrx.exe58⤵
- Executes dropped EXE
PID:1664 -
\??\c:\1flffxr.exec:\1flffxr.exe59⤵
- Executes dropped EXE
PID:972 -
\??\c:\1nnhbb.exec:\1nnhbb.exe60⤵
- Executes dropped EXE
PID:5016 -
\??\c:\3ppjd.exec:\3ppjd.exe61⤵
- Executes dropped EXE
PID:1112 -
\??\c:\xffrllf.exec:\xffrllf.exe62⤵
- Executes dropped EXE
PID:528 -
\??\c:\hbhhbt.exec:\hbhhbt.exe63⤵
- Executes dropped EXE
PID:1800 -
\??\c:\tthhbb.exec:\tthhbb.exe64⤵
- Executes dropped EXE
PID:4916 -
\??\c:\vpvpj.exec:\vpvpj.exe65⤵
- Executes dropped EXE
PID:1200 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe66⤵PID:3004
-
\??\c:\ttbnbt.exec:\ttbnbt.exe67⤵PID:928
-
\??\c:\hbtnbt.exec:\hbtnbt.exe68⤵PID:3032
-
\??\c:\dvjvp.exec:\dvjvp.exe69⤵PID:4536
-
\??\c:\xxxrrlf.exec:\xxxrrlf.exe70⤵PID:3912
-
\??\c:\nhhbtn.exec:\nhhbtn.exe71⤵PID:1712
-
\??\c:\ddvpj.exec:\ddvpj.exe72⤵PID:2100
-
\??\c:\xfrlffx.exec:\xfrlffx.exe73⤵PID:220
-
\??\c:\bnnhbn.exec:\bnnhbn.exe74⤵PID:2664
-
\??\c:\tnnbnh.exec:\tnnbnh.exe75⤵PID:4472
-
\??\c:\ddjdd.exec:\ddjdd.exe76⤵PID:4596
-
\??\c:\fllxrlf.exec:\fllxrlf.exe77⤵PID:892
-
\??\c:\tntnhh.exec:\tntnhh.exe78⤵PID:4348
-
\??\c:\pjpjv.exec:\pjpjv.exe79⤵PID:2824
-
\??\c:\fxxlrlr.exec:\fxxlrlr.exe80⤵PID:752
-
\??\c:\lffxxrf.exec:\lffxxrf.exe81⤵PID:4252
-
\??\c:\bhnthh.exec:\bhnthh.exe82⤵PID:1972
-
\??\c:\1jdvp.exec:\1jdvp.exe83⤵
- System Location Discovery: System Language Discovery
PID:396 -
\??\c:\ppvjv.exec:\ppvjv.exe84⤵PID:3556
-
\??\c:\3lrlfff.exec:\3lrlfff.exe85⤵PID:2760
-
\??\c:\hbbhhn.exec:\hbbhhn.exe86⤵PID:1584
-
\??\c:\vpvvp.exec:\vpvvp.exe87⤵PID:4908
-
\??\c:\xxxfrlf.exec:\xxxfrlf.exe88⤵PID:2504
-
\??\c:\hbbthn.exec:\hbbthn.exe89⤵PID:2756
-
\??\c:\htbhbt.exec:\htbhbt.exe90⤵PID:868
-
\??\c:\9djdj.exec:\9djdj.exe91⤵PID:3880
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe92⤵PID:4296
-
\??\c:\rllfrlf.exec:\rllfrlf.exe93⤵PID:4692
-
\??\c:\bthhtt.exec:\bthhtt.exe94⤵PID:4168
-
\??\c:\dddvp.exec:\dddvp.exe95⤵PID:3376
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe96⤵PID:2700
-
\??\c:\hhnhbb.exec:\hhnhbb.exe97⤵PID:1128
-
\??\c:\jvdpj.exec:\jvdpj.exe98⤵PID:3504
-
\??\c:\jvjjd.exec:\jvjjd.exe99⤵PID:3996
-
\??\c:\xrlxrlx.exec:\xrlxrlx.exe100⤵PID:876
-
\??\c:\tthntt.exec:\tthntt.exe101⤵PID:5028
-
\??\c:\1jddv.exec:\1jddv.exe102⤵PID:4880
-
\??\c:\xfffxrx.exec:\xfffxrx.exe103⤵PID:4324
-
\??\c:\btbtbt.exec:\btbtbt.exe104⤵PID:1032
-
\??\c:\btnhbt.exec:\btnhbt.exe105⤵PID:4680
-
\??\c:\vpddd.exec:\vpddd.exe106⤵PID:3108
-
\??\c:\llxxxxl.exec:\llxxxxl.exe107⤵PID:2492
-
\??\c:\3hbnhb.exec:\3hbnhb.exe108⤵PID:3624
-
\??\c:\hnhbtn.exec:\hnhbtn.exe109⤵PID:1168
-
\??\c:\ddvvj.exec:\ddvvj.exe110⤵PID:4336
-
\??\c:\xfxrxrf.exec:\xfxrxrf.exe111⤵PID:2884
-
\??\c:\hntnbt.exec:\hntnbt.exe112⤵PID:4968
-
\??\c:\tbhbtt.exec:\tbhbtt.exe113⤵PID:1844
-
\??\c:\jjpjd.exec:\jjpjd.exe114⤵PID:1652
-
\??\c:\xrfxxrr.exec:\xrfxxrr.exe115⤵PID:3048
-
\??\c:\nbthbt.exec:\nbthbt.exe116⤵PID:908
-
\??\c:\jpppp.exec:\jpppp.exe117⤵PID:3848
-
\??\c:\ffffflf.exec:\ffffflf.exe118⤵PID:4388
-
\??\c:\7ttnhn.exec:\7ttnhn.exe119⤵PID:2020
-
\??\c:\dvdjj.exec:\dvdjj.exe120⤵PID:2936
-
\??\c:\lrxxxxx.exec:\lrxxxxx.exe121⤵PID:3560
-
\??\c:\frxrrfx.exec:\frxrrfx.exe122⤵PID:5096