Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 00:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
880d3da2436d556704633c68487ed9432712a51cdfca6f93021c9b829e0331f9N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
880d3da2436d556704633c68487ed9432712a51cdfca6f93021c9b829e0331f9N.exe
-
Size
456KB
-
MD5
3b3a8cb0393e0bbb49f75058007b4bd0
-
SHA1
901f768409e841a41b1a32a6bf7796b0fb4d7cb7
-
SHA256
880d3da2436d556704633c68487ed9432712a51cdfca6f93021c9b829e0331f9
-
SHA512
1829740b2eb8afbe249c8d39156c570b1865904720a8b3c7165587567a84155641bfcbd0369fcce9bc327fd068ff1f74acb9eec66298f34e05fcff6d55da6a40
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1520-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1544-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3076-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-963-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-1297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-1587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-1636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-1890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4404 ddjdj.exe 1588 nnbtbb.exe 392 bbtntt.exe 2948 9hbthh.exe 1048 llfxrxr.exe 1656 5pvpp.exe 4616 lflfxrr.exe 1852 dppjd.exe 440 nhtbnn.exe 3456 3jjdv.exe 3624 5hhbbb.exe 4436 bhtnhh.exe 2252 9xllflr.exe 2524 9bhbtt.exe 4928 jpdvp.exe 4008 xfrlffx.exe 1988 dvvvp.exe 3076 5nhhbb.exe 868 vpppj.exe 4972 dddvj.exe 4624 bnbbbt.exe 4044 vvpdj.exe 4752 1ffxrll.exe 2824 vvvvp.exe 1648 xrrlllx.exe 1544 tnnnhn.exe 2632 rflfxxx.exe 448 nttnhb.exe 816 vvjjp.exe 1016 jdjdp.exe 2144 7rrxxrx.exe 1604 htbbtt.exe 2708 flxfrll.exe 3140 hhhbtt.exe 5024 djppd.exe 632 lxfrfrf.exe 1500 htthnb.exe 3252 3dpjp.exe 4612 pjpjd.exe 1148 1rxxxxf.exe 4484 thnhbb.exe 2352 vvvvv.exe 1180 vppjd.exe 4376 rfrlxxx.exe 4836 9tnhht.exe 1520 7jpjv.exe 4404 7rxrllf.exe 4152 hbbtnn.exe 1580 nthbtn.exe 392 5xfrffl.exe 4476 3hnhbt.exe 4760 jjpdv.exe 5016 jddvp.exe 1156 9xfxlrr.exe 1120 bthhht.exe 4488 vvvdv.exe 4744 vpdjj.exe 2512 rxrxrfx.exe 3004 nhttnn.exe 440 7pvpj.exe 3456 jdjdp.exe 4068 rllxxrl.exe 3496 nbhhtt.exe 2196 1djjd.exe -
resource yara_rule behavioral2/memory/1520-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/448-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-389-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3200-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-1297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-1587-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 4404 1520 880d3da2436d556704633c68487ed9432712a51cdfca6f93021c9b829e0331f9N.exe 82 PID 1520 wrote to memory of 4404 1520 880d3da2436d556704633c68487ed9432712a51cdfca6f93021c9b829e0331f9N.exe 82 PID 1520 wrote to memory of 4404 1520 880d3da2436d556704633c68487ed9432712a51cdfca6f93021c9b829e0331f9N.exe 82 PID 4404 wrote to memory of 1588 4404 ddjdj.exe 83 PID 4404 wrote to memory of 1588 4404 ddjdj.exe 83 PID 4404 wrote to memory of 1588 4404 ddjdj.exe 83 PID 1588 wrote to memory of 392 1588 nnbtbb.exe 84 PID 1588 wrote to memory of 392 1588 nnbtbb.exe 84 PID 1588 wrote to memory of 392 1588 nnbtbb.exe 84 PID 392 wrote to memory of 2948 392 bbtntt.exe 85 PID 392 wrote to memory of 2948 392 bbtntt.exe 85 PID 392 wrote to memory of 2948 392 bbtntt.exe 85 PID 2948 wrote to memory of 1048 2948 9hbthh.exe 86 PID 2948 wrote to memory of 1048 2948 9hbthh.exe 86 PID 2948 wrote to memory of 1048 2948 9hbthh.exe 86 PID 1048 wrote to memory of 1656 1048 llfxrxr.exe 87 PID 1048 wrote to memory of 1656 1048 llfxrxr.exe 87 PID 1048 wrote to memory of 1656 1048 llfxrxr.exe 87 PID 1656 wrote to memory of 4616 1656 5pvpp.exe 88 PID 1656 wrote to memory of 4616 1656 5pvpp.exe 88 PID 1656 wrote to memory of 4616 1656 5pvpp.exe 88 PID 4616 wrote to memory of 1852 4616 lflfxrr.exe 89 PID 4616 wrote to memory of 1852 4616 lflfxrr.exe 89 PID 4616 wrote to memory of 1852 4616 lflfxrr.exe 89 PID 1852 wrote to memory of 440 1852 dppjd.exe 90 PID 1852 wrote to memory of 440 1852 dppjd.exe 90 PID 1852 wrote to memory of 440 1852 dppjd.exe 90 PID 440 wrote to memory of 3456 440 nhtbnn.exe 91 PID 440 wrote to memory of 3456 440 nhtbnn.exe 91 PID 440 wrote to memory of 3456 440 nhtbnn.exe 91 PID 3456 wrote to memory of 3624 3456 3jjdv.exe 92 PID 3456 wrote to memory of 3624 3456 3jjdv.exe 92 PID 3456 wrote to memory of 3624 3456 3jjdv.exe 92 PID 3624 wrote to memory of 4436 3624 5hhbbb.exe 93 PID 3624 wrote to memory of 4436 3624 
5hhbbb.exe 93 PID 3624 wrote to memory of 4436 3624 5hhbbb.exe 93 PID 4436 wrote to memory of 2252 4436 bhtnhh.exe 94 PID 4436 wrote to memory of 2252 4436 bhtnhh.exe 94 PID 4436 wrote to memory of 2252 4436 bhtnhh.exe 94 PID 2252 wrote to memory of 2524 2252 9xllflr.exe 95 PID 2252 wrote to memory of 2524 2252 9xllflr.exe 95 PID 2252 wrote to memory of 2524 2252 9xllflr.exe 95 PID 2524 wrote to memory of 4928 2524 9bhbtt.exe 96 PID 2524 wrote to memory of 4928 2524 9bhbtt.exe 96 PID 2524 wrote to memory of 4928 2524 9bhbtt.exe 96 PID 4928 wrote to memory of 4008 4928 jpdvp.exe 97 PID 4928 wrote to memory of 4008 4928 jpdvp.exe 97 PID 4928 wrote to memory of 4008 4928 jpdvp.exe 97 PID 4008 wrote to memory of 1988 4008 xfrlffx.exe 98 PID 4008 wrote to memory of 1988 4008 xfrlffx.exe 98 PID 4008 wrote to memory of 1988 4008 xfrlffx.exe 98 PID 1988 wrote to memory of 3076 1988 dvvvp.exe 99 PID 1988 wrote to memory of 3076 1988 dvvvp.exe 99 PID 1988 wrote to memory of 3076 1988 dvvvp.exe 99 PID 3076 wrote to memory of 868 3076 5nhhbb.exe 100 PID 3076 wrote to memory of 868 3076 5nhhbb.exe 100 PID 3076 wrote to memory of 868 3076 5nhhbb.exe 100 PID 868 wrote to memory of 4972 868 vpppj.exe 101 PID 868 wrote to memory of 4972 868 vpppj.exe 101 PID 868 wrote to memory of 4972 868 vpppj.exe 101 PID 4972 wrote to memory of 4624 4972 dddvj.exe 102 PID 4972 wrote to memory of 4624 4972 dddvj.exe 102 PID 4972 wrote to memory of 4624 4972 dddvj.exe 102 PID 4624 wrote to memory of 4044 4624 bnbbbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\880d3da2436d556704633c68487ed9432712a51cdfca6f93021c9b829e0331f9N.exe"C:\Users\Admin\AppData\Local\Temp\880d3da2436d556704633c68487ed9432712a51cdfca6f93021c9b829e0331f9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\ddjdj.exec:\ddjdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\nnbtbb.exec:\nnbtbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\bbtntt.exec:\bbtntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\9hbthh.exec:\9hbthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\llfxrxr.exec:\llfxrxr.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\5pvpp.exec:\5pvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\lflfxrr.exec:\lflfxrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\dppjd.exec:\dppjd.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\nhtbnn.exec:\nhtbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\3jjdv.exec:\3jjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\5hhbbb.exec:\5hhbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\bhtnhh.exec:\bhtnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\9xllflr.exec:\9xllflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\9bhbtt.exec:\9bhbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\jpdvp.exec:\jpdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\xfrlffx.exec:\xfrlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\dvvvp.exec:\dvvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\5nhhbb.exec:\5nhhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\vpppj.exec:\vpppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\dddvj.exec:\dddvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\bnbbbt.exec:\bnbbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\vvpdj.exec:\vvpdj.exe23⤵
- Executes dropped EXE
PID:4044 -
\??\c:\1ffxrll.exec:\1ffxrll.exe24⤵
- Executes dropped EXE
PID:4752 -
\??\c:\vvvvp.exec:\vvvvp.exe25⤵
- Executes dropped EXE
PID:2824 -
\??\c:\xrrlllx.exec:\xrrlllx.exe26⤵
- Executes dropped EXE
PID:1648 -
\??\c:\tnnnhn.exec:\tnnnhn.exe27⤵
- Executes dropped EXE
PID:1544 -
\??\c:\rflfxxx.exec:\rflfxxx.exe28⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nttnhb.exec:\nttnhb.exe29⤵
- Executes dropped EXE
PID:448 -
\??\c:\vvjjp.exec:\vvjjp.exe30⤵
- Executes dropped EXE
PID:816 -
\??\c:\jdjdp.exec:\jdjdp.exe31⤵
- Executes dropped EXE
PID:1016 -
\??\c:\7rrxxrx.exec:\7rrxxrx.exe32⤵
- Executes dropped EXE
PID:2144 -
\??\c:\htbbtt.exec:\htbbtt.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1604 -
\??\c:\flxfrll.exec:\flxfrll.exe34⤵
- Executes dropped EXE
PID:2708 -
\??\c:\hhhbtt.exec:\hhhbtt.exe35⤵
- Executes dropped EXE
PID:3140 -
\??\c:\djppd.exec:\djppd.exe36⤵
- Executes dropped EXE
PID:5024 -
\??\c:\lxfrfrf.exec:\lxfrfrf.exe37⤵
- Executes dropped EXE
PID:632 -
\??\c:\htthnb.exec:\htthnb.exe38⤵
- Executes dropped EXE
PID:1500 -
\??\c:\3dpjp.exec:\3dpjp.exe39⤵
- Executes dropped EXE
PID:3252 -
\??\c:\pjpjd.exec:\pjpjd.exe40⤵
- Executes dropped EXE
PID:4612 -
\??\c:\1rxxxxf.exec:\1rxxxxf.exe41⤵
- Executes dropped EXE
PID:1148 -
\??\c:\thnhbb.exec:\thnhbb.exe42⤵
- Executes dropped EXE
PID:4484 -
\??\c:\vvvvv.exec:\vvvvv.exe43⤵
- Executes dropped EXE
PID:2352 -
\??\c:\vppjd.exec:\vppjd.exe44⤵
- Executes dropped EXE
PID:1180 -
\??\c:\rfrlxxx.exec:\rfrlxxx.exe45⤵
- Executes dropped EXE
PID:4376 -
\??\c:\9tnhht.exec:\9tnhht.exe46⤵
- Executes dropped EXE
PID:4836 -
\??\c:\7jpjv.exec:\7jpjv.exe47⤵
- Executes dropped EXE
PID:1520 -
\??\c:\7rxrllf.exec:\7rxrllf.exe48⤵
- Executes dropped EXE
PID:4404 -
\??\c:\hbbtnn.exec:\hbbtnn.exe49⤵
- Executes dropped EXE
PID:4152 -
\??\c:\nthbtn.exec:\nthbtn.exe50⤵
- Executes dropped EXE
PID:1580 -
\??\c:\5xfrffl.exec:\5xfrffl.exe51⤵
- Executes dropped EXE
PID:392 -
\??\c:\3hnhbt.exec:\3hnhbt.exe52⤵
- Executes dropped EXE
PID:4476 -
\??\c:\jjpdv.exec:\jjpdv.exe53⤵
- Executes dropped EXE
PID:4760 -
\??\c:\jddvp.exec:\jddvp.exe54⤵
- Executes dropped EXE
PID:5016 -
\??\c:\9xfxlrr.exec:\9xfxlrr.exe55⤵
- Executes dropped EXE
PID:1156 -
\??\c:\bthhht.exec:\bthhht.exe56⤵
- Executes dropped EXE
PID:1120 -
\??\c:\vvvdv.exec:\vvvdv.exe57⤵
- Executes dropped EXE
PID:4488 -
\??\c:\vpdjj.exec:\vpdjj.exe58⤵
- Executes dropped EXE
PID:4744 -
\??\c:\rxrxrfx.exec:\rxrxrfx.exe59⤵
- Executes dropped EXE
PID:2512 -
\??\c:\nhttnn.exec:\nhttnn.exe60⤵
- Executes dropped EXE
PID:3004 -
\??\c:\7pvpj.exec:\7pvpj.exe61⤵
- Executes dropped EXE
PID:440 -
\??\c:\jdjdp.exec:\jdjdp.exe62⤵
- Executes dropped EXE
PID:3456 -
\??\c:\rllxxrl.exec:\rllxxrl.exe63⤵
- Executes dropped EXE
PID:4068 -
\??\c:\nbhhtt.exec:\nbhhtt.exe64⤵
- Executes dropped EXE
PID:3496 -
\??\c:\1djjd.exec:\1djjd.exe65⤵
- Executes dropped EXE
PID:2196 -
\??\c:\xrlfrrr.exec:\xrlfrrr.exe66⤵PID:2252
-
\??\c:\thnnhb.exec:\thnnhb.exe67⤵PID:1144
-
\??\c:\1jdvv.exec:\1jdvv.exe68⤵PID:4460
-
\??\c:\5rxrxfl.exec:\5rxrxfl.exe69⤵PID:4928
-
\??\c:\httthh.exec:\httthh.exe70⤵PID:4796
-
\??\c:\nbbthh.exec:\nbbthh.exe71⤵PID:4424
-
\??\c:\jddvj.exec:\jddvj.exe72⤵PID:3076
-
\??\c:\fxxrlff.exec:\fxxrlff.exe73⤵PID:2356
-
\??\c:\3hhhtt.exec:\3hhhtt.exe74⤵PID:1592
-
\??\c:\pppdp.exec:\pppdp.exe75⤵PID:4972
-
\??\c:\dddvv.exec:\dddvv.exe76⤵
- System Location Discovery: System Language Discovery
PID:2476 -
\??\c:\5flffxf.exec:\5flffxf.exe77⤵PID:400
-
\??\c:\5thtnn.exec:\5thtnn.exe78⤵PID:3968
-
\??\c:\jvjdv.exec:\jvjdv.exe79⤵PID:3408
-
\??\c:\7rlfrrl.exec:\7rlfrrl.exe80⤵PID:4920
-
\??\c:\rlxxrxr.exec:\rlxxrxr.exe81⤵PID:5116
-
\??\c:\tnnhbt.exec:\tnnhbt.exe82⤵PID:3904
-
\??\c:\vvvdv.exec:\vvvdv.exe83⤵PID:3572
-
\??\c:\1jpvv.exec:\1jpvv.exe84⤵PID:1576
-
\??\c:\1xllrrf.exec:\1xllrrf.exe85⤵PID:1044
-
\??\c:\hnnhbb.exec:\hnnhbb.exe86⤵PID:696
-
\??\c:\vvjvj.exec:\vvjvj.exe87⤵PID:1176
-
\??\c:\jjvpp.exec:\jjvpp.exe88⤵PID:2648
-
\??\c:\xrxrffx.exec:\xrxrffx.exe89⤵PID:1212
-
\??\c:\1nnhbb.exec:\1nnhbb.exe90⤵PID:2144
-
\??\c:\bnthbb.exec:\bnthbb.exe91⤵PID:3560
-
\??\c:\5pjdv.exec:\5pjdv.exe92⤵PID:1068
-
\??\c:\rxlfrff.exec:\rxlfrff.exe93⤵PID:720
-
\??\c:\hbtnhb.exec:\hbtnhb.exe94⤵PID:956
-
\??\c:\1bhbbh.exec:\1bhbbh.exe95⤵PID:4828
-
\??\c:\ppvpd.exec:\ppvpd.exe96⤵PID:2752
-
\??\c:\rrxrlrr.exec:\rrxrlrr.exe97⤵PID:3200
-
\??\c:\fxlflfl.exec:\fxlflfl.exe98⤵PID:3252
-
\??\c:\9bhbtt.exec:\9bhbtt.exe99⤵PID:4004
-
\??\c:\dpvpj.exec:\dpvpj.exe100⤵PID:1148
-
\??\c:\fffxllf.exec:\fffxllf.exe101⤵PID:4628
-
\??\c:\ttbbtb.exec:\ttbbtb.exe102⤵PID:3920
-
\??\c:\vjppj.exec:\vjppj.exe103⤵PID:928
-
\??\c:\7llffxr.exec:\7llffxr.exe104⤵PID:4372
-
\??\c:\5llfxxl.exec:\5llfxxl.exe105⤵PID:3284
-
\??\c:\9nhbtn.exec:\9nhbtn.exe106⤵PID:4204
-
\??\c:\9jpjj.exec:\9jpjj.exe107⤵PID:1520
-
\??\c:\9lrlxfl.exec:\9lrlxfl.exe108⤵PID:2104
-
\??\c:\5htnhb.exec:\5htnhb.exe109⤵PID:436
-
\??\c:\3hbthh.exec:\3hbthh.exe110⤵PID:3688
-
\??\c:\jdpdd.exec:\jdpdd.exe111⤵PID:392
-
\??\c:\xrxrlll.exec:\xrxrlll.exe112⤵PID:1048
-
\??\c:\flrrllf.exec:\flrrllf.exe113⤵PID:4716
-
\??\c:\hthbtt.exec:\hthbtt.exe114⤵PID:4608
-
\??\c:\vjpdp.exec:\vjpdp.exe115⤵PID:1508
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe116⤵PID:4148
-
\??\c:\nbhtnh.exec:\nbhtnh.exe117⤵PID:2436
-
\??\c:\9pjvd.exec:\9pjvd.exe118⤵PID:4744
-
\??\c:\pdjdj.exec:\pdjdj.exe119⤵PID:3008
-
\??\c:\5rrfrfx.exec:\5rrfrfx.exe120⤵PID:3500
-
\??\c:\tbtthb.exec:\tbtthb.exe121⤵PID:3000
-
\??\c:\djjvd.exec:\djjvd.exe122⤵PID:2080
-