Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 13:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe
-
Size
455KB
-
MD5
19858e53bb2f67a4326ddea5a5ae03c0
-
SHA1
45874ac39197b976e92803477f2954665bf4c6d1
-
SHA256
ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652
-
SHA512
253c0fd98ffcdc5dcb9ad5bdc797d03fb96a631fd6a95a32a54fbb8a88b609b3256c9e33440490d5be5c97a02d8e07bb275145409d2fae89245c9e63412b3177
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRl:q7Tc2NYHUrAwfMp3CDRl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4892-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3124-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2904-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-875-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-1302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-1315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-1539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-1590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5032 nbnhtt.exe 1028 xfrllll.exe 4060 pjpjp.exe 4436 lffxrrf.exe 4488 nhnhbb.exe 1356 5bhtnh.exe 3864 lrlfxll.exe 3984 vjppj.exe 1556 bbbbtt.exe 3420 vpvvd.exe 644 9rxrrrl.exe 1996 lfflfxx.exe 4780 dpjjd.exe 2044 7lrllll.exe 1076 9hnhbt.exe 348 djppv.exe 1136 frxlfxl.exe 1500 lfrxlxf.exe 8 hbhbnn.exe 4812 jdjdd.exe 4572 nhbhbn.exe 2192 9rlffxx.exe 3304 tbhtnh.exe 2408 xxfxllx.exe 3124 5xfrlrl.exe 1492 pdpjp.exe 4800 tbnhtt.exe 4712 ddpvp.exe 976 rxrfxrf.exe 2352 9vpjd.exe 1100 llrfrlx.exe 2712 tthbbt.exe 412 jvjvd.exe 1132 frrfxxr.exe 4316 7vpjv.exe 3412 rffrfxr.exe 4392 bttnhb.exe 4940 ddpjv.exe 840 bnnhtn.exe 4592 thnbtt.exe 4372 1pjdv.exe 1276 ffllfxr.exe 372 llfxlfx.exe 1644 hhtthh.exe 1336 vjjdv.exe 184 pvdpd.exe 2524 flllxxl.exe 4424 7nthhb.exe 4272 pdddd.exe 4260 xflxllf.exe 4892 ttttnn.exe 2172 nhnhtn.exe 2028 5pjvj.exe 4216 jdpvj.exe 4752 1rlxlfx.exe 3936 thnbbt.exe 3084 tthtnb.exe 4836 7dvpd.exe 1008 xxfrfxr.exe 5036 fxfrftn.exe 1448 tbtbnh.exe 3424 vjjpp.exe 1280 rrrlfxr.exe 2904 1ffxrlf.exe -
resource yara_rule behavioral2/memory/4892-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1492-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-314-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1992-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-875-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-1021-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-1033-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4892 wrote to memory of 5032 4892 ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe 83 PID 4892 wrote to memory of 5032 4892 ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe 83 PID 4892 wrote to memory of 5032 4892 ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe 83 PID 5032 wrote to memory of 1028 5032 nbnhtt.exe 84 PID 5032 wrote to memory of 1028 5032 nbnhtt.exe 84 PID 5032 wrote to memory of 1028 5032 nbnhtt.exe 84 PID 1028 wrote to memory of 4060 1028 xfrllll.exe 85 PID 1028 wrote to memory of 4060 1028 xfrllll.exe 85 PID 1028 wrote to memory of 4060 1028 xfrllll.exe 85 PID 4060 wrote to memory of 4436 4060 pjpjp.exe 86 PID 4060 wrote to memory of 4436 4060 pjpjp.exe 86 PID 4060 wrote to memory of 4436 4060 pjpjp.exe 86 PID 4436 wrote to memory of 4488 4436 lffxrrf.exe 87 PID 4436 wrote to memory of 4488 4436 lffxrrf.exe 87 PID 4436 wrote to memory of 4488 4436 lffxrrf.exe 87 PID 4488 wrote to memory of 1356 4488 nhnhbb.exe 88 PID 4488 wrote to memory of 1356 4488 nhnhbb.exe 88 PID 4488 wrote to memory of 1356 4488 nhnhbb.exe 88 PID 1356 wrote to memory of 3864 1356 5bhtnh.exe 89 PID 1356 wrote to memory of 3864 1356 5bhtnh.exe 89 PID 1356 wrote to memory of 3864 1356 5bhtnh.exe 89 PID 3864 wrote to memory of 3984 3864 lrlfxll.exe 90 PID 3864 wrote to memory of 3984 3864 lrlfxll.exe 90 PID 3864 wrote to memory of 3984 3864 lrlfxll.exe 90 PID 3984 wrote to memory of 1556 3984 vjppj.exe 91 PID 3984 wrote to memory of 1556 3984 vjppj.exe 91 PID 3984 wrote to memory of 1556 3984 vjppj.exe 91 PID 1556 wrote to memory of 3420 1556 bbbbtt.exe 92 PID 1556 wrote to memory of 3420 1556 bbbbtt.exe 92 PID 1556 wrote to memory of 3420 1556 bbbbtt.exe 92 PID 3420 wrote to memory of 644 3420 vpvvd.exe 93 PID 3420 wrote to memory of 644 3420 vpvvd.exe 93 PID 3420 wrote to memory of 644 3420 vpvvd.exe 93 PID 644 wrote to memory of 1996 644 9rxrrrl.exe 94 PID 644 wrote to 
memory of 1996 644 9rxrrrl.exe 94 PID 644 wrote to memory of 1996 644 9rxrrrl.exe 94 PID 1996 wrote to memory of 4780 1996 lfflfxx.exe 95 PID 1996 wrote to memory of 4780 1996 lfflfxx.exe 95 PID 1996 wrote to memory of 4780 1996 lfflfxx.exe 95 PID 4780 wrote to memory of 2044 4780 dpjjd.exe 96 PID 4780 wrote to memory of 2044 4780 dpjjd.exe 96 PID 4780 wrote to memory of 2044 4780 dpjjd.exe 96 PID 2044 wrote to memory of 1076 2044 7lrllll.exe 97 PID 2044 wrote to memory of 1076 2044 7lrllll.exe 97 PID 2044 wrote to memory of 1076 2044 7lrllll.exe 97 PID 1076 wrote to memory of 348 1076 9hnhbt.exe 98 PID 1076 wrote to memory of 348 1076 9hnhbt.exe 98 PID 1076 wrote to memory of 348 1076 9hnhbt.exe 98 PID 348 wrote to memory of 1136 348 djppv.exe 99 PID 348 wrote to memory of 1136 348 djppv.exe 99 PID 348 wrote to memory of 1136 348 djppv.exe 99 PID 1136 wrote to memory of 1500 1136 frxlfxl.exe 100 PID 1136 wrote to memory of 1500 1136 frxlfxl.exe 100 PID 1136 wrote to memory of 1500 1136 frxlfxl.exe 100 PID 1500 wrote to memory of 8 1500 lfrxlxf.exe 101 PID 1500 wrote to memory of 8 1500 lfrxlxf.exe 101 PID 1500 wrote to memory of 8 1500 lfrxlxf.exe 101 PID 8 wrote to memory of 4812 8 hbhbnn.exe 102 PID 8 wrote to memory of 4812 8 hbhbnn.exe 102 PID 8 wrote to memory of 4812 8 hbhbnn.exe 102 PID 4812 wrote to memory of 4572 4812 jdjdd.exe 103 PID 4812 wrote to memory of 4572 4812 jdjdd.exe 103 PID 4812 wrote to memory of 4572 4812 jdjdd.exe 103 PID 4572 wrote to memory of 2192 4572 nhbhbn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe"C:\Users\Admin\AppData\Local\Temp\ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\nbnhtt.exec:\nbnhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\xfrllll.exec:\xfrllll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\pjpjp.exec:\pjpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\lffxrrf.exec:\lffxrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\nhnhbb.exec:\nhnhbb.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\5bhtnh.exec:\5bhtnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\lrlfxll.exec:\lrlfxll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\vjppj.exec:\vjppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\bbbbtt.exec:\bbbbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\vpvvd.exec:\vpvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\9rxrrrl.exec:\9rxrrrl.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\lfflfxx.exec:\lfflfxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\dpjjd.exec:\dpjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\7lrllll.exec:\7lrllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\9hnhbt.exec:\9hnhbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\djppv.exec:\djppv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\frxlfxl.exec:\frxlfxl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\lfrxlxf.exec:\lfrxlxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\hbhbnn.exec:\hbhbnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\jdjdd.exec:\jdjdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\nhbhbn.exec:\nhbhbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\9rlffxx.exec:\9rlffxx.exe23⤵
- Executes dropped EXE
PID:2192 -
\??\c:\tbhtnh.exec:\tbhtnh.exe24⤵
- Executes dropped EXE
PID:3304 -
\??\c:\xxfxllx.exec:\xxfxllx.exe25⤵
- Executes dropped EXE
PID:2408 -
\??\c:\5xfrlrl.exec:\5xfrlrl.exe26⤵
- Executes dropped EXE
PID:3124 -
\??\c:\pdpjp.exec:\pdpjp.exe27⤵
- Executes dropped EXE
PID:1492 -
\??\c:\tbnhtt.exec:\tbnhtt.exe28⤵
- Executes dropped EXE
PID:4800 -
\??\c:\ddpvp.exec:\ddpvp.exe29⤵
- Executes dropped EXE
PID:4712 -
\??\c:\rxrfxrf.exec:\rxrfxrf.exe30⤵
- Executes dropped EXE
PID:976 -
\??\c:\9vpjd.exec:\9vpjd.exe31⤵
- Executes dropped EXE
PID:2352 -
\??\c:\llrfrlx.exec:\llrfrlx.exe32⤵
- Executes dropped EXE
PID:1100 -
\??\c:\tthbbt.exec:\tthbbt.exe33⤵
- Executes dropped EXE
PID:2712 -
\??\c:\jvjvd.exec:\jvjvd.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:412 -
\??\c:\frrfxxr.exec:\frrfxxr.exe35⤵
- Executes dropped EXE
PID:1132 -
\??\c:\7vpjv.exec:\7vpjv.exe36⤵
- Executes dropped EXE
PID:4316 -
\??\c:\rffrfxr.exec:\rffrfxr.exe37⤵
- Executes dropped EXE
PID:3412 -
\??\c:\bttnhb.exec:\bttnhb.exe38⤵
- Executes dropped EXE
PID:4392 -
\??\c:\ddpjv.exec:\ddpjv.exe39⤵
- Executes dropped EXE
PID:4940 -
\??\c:\bnnhtn.exec:\bnnhtn.exe40⤵
- Executes dropped EXE
PID:840 -
\??\c:\thnbtt.exec:\thnbtt.exe41⤵
- Executes dropped EXE
PID:4592 -
\??\c:\1pjdv.exec:\1pjdv.exe42⤵
- Executes dropped EXE
PID:4372 -
\??\c:\ffllfxr.exec:\ffllfxr.exe43⤵
- Executes dropped EXE
PID:1276 -
\??\c:\llfxlfx.exec:\llfxlfx.exe44⤵
- Executes dropped EXE
PID:372 -
\??\c:\hhtthh.exec:\hhtthh.exe45⤵
- Executes dropped EXE
PID:1644 -
\??\c:\vjjdv.exec:\vjjdv.exe46⤵
- Executes dropped EXE
PID:1336 -
\??\c:\pvdpd.exec:\pvdpd.exe47⤵
- Executes dropped EXE
PID:184 -
\??\c:\flllxxl.exec:\flllxxl.exe48⤵
- Executes dropped EXE
PID:2524 -
\??\c:\7nthhb.exec:\7nthhb.exe49⤵
- Executes dropped EXE
PID:4424 -
\??\c:\pdddd.exec:\pdddd.exe50⤵
- Executes dropped EXE
PID:4272 -
\??\c:\xflxllf.exec:\xflxllf.exe51⤵
- Executes dropped EXE
PID:4260 -
\??\c:\ttttnn.exec:\ttttnn.exe52⤵
- Executes dropped EXE
PID:4892 -
\??\c:\nhnhtn.exec:\nhnhtn.exe53⤵
- Executes dropped EXE
PID:2172 -
\??\c:\5pjvj.exec:\5pjvj.exe54⤵
- Executes dropped EXE
PID:2028 -
\??\c:\jdpvj.exec:\jdpvj.exe55⤵
- Executes dropped EXE
PID:4216 -
\??\c:\1rlxlfx.exec:\1rlxlfx.exe56⤵
- Executes dropped EXE
PID:4752 -
\??\c:\thnbbt.exec:\thnbbt.exe57⤵
- Executes dropped EXE
PID:3936 -
\??\c:\tthtnb.exec:\tthtnb.exe58⤵
- Executes dropped EXE
PID:3084 -
\??\c:\7dvpd.exec:\7dvpd.exe59⤵
- Executes dropped EXE
PID:4836 -
\??\c:\xxfrfxr.exec:\xxfrfxr.exe60⤵
- Executes dropped EXE
PID:1008 -
\??\c:\fxfrftn.exec:\fxfrftn.exe61⤵
- Executes dropped EXE
PID:5036 -
\??\c:\tbtbnh.exec:\tbtbnh.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1448 -
\??\c:\vjjpp.exec:\vjjpp.exe63⤵
- Executes dropped EXE
PID:3424 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe64⤵
- Executes dropped EXE
PID:1280 -
\??\c:\1ffxrlf.exec:\1ffxrlf.exe65⤵
- Executes dropped EXE
PID:2904 -
\??\c:\nhbthh.exec:\nhbthh.exe66⤵PID:3420
-
\??\c:\1jdpd.exec:\1jdpd.exe67⤵PID:3700
-
\??\c:\vvvjv.exec:\vvvjv.exe68⤵PID:1140
-
\??\c:\3rfffll.exec:\3rfffll.exe69⤵PID:1628
-
\??\c:\7nnhtn.exec:\7nnhtn.exe70⤵PID:4116
-
\??\c:\9bnbth.exec:\9bnbth.exe71⤵PID:1992
-
\??\c:\jvvdv.exec:\jvvdv.exe72⤵PID:2628
-
\??\c:\rxxlxrl.exec:\rxxlxrl.exe73⤵PID:5008
-
\??\c:\rrrllff.exec:\rrrllff.exe74⤵PID:4568
-
\??\c:\nbhhbb.exec:\nbhhbb.exe75⤵PID:1792
-
\??\c:\jdjdv.exec:\jdjdv.exe76⤵PID:5080
-
\??\c:\lrrxflr.exec:\lrrxflr.exe77⤵PID:456
-
\??\c:\bnthhb.exec:\bnthhb.exe78⤵PID:1500
-
\??\c:\jjvjd.exec:\jjvjd.exe79⤵PID:8
-
\??\c:\vjjvj.exec:\vjjvj.exe80⤵PID:3092
-
\??\c:\ffllrlr.exec:\ffllrlr.exe81⤵
- System Location Discovery: System Language Discovery
PID:4700 -
\??\c:\lfffrfx.exec:\lfffrfx.exe82⤵PID:2996
-
\??\c:\7ttnhb.exec:\7ttnhb.exe83⤵PID:440
-
\??\c:\jjjpv.exec:\jjjpv.exe84⤵PID:2192
-
\??\c:\lxlffff.exec:\lxlffff.exe85⤵PID:3304
-
\??\c:\xflfxlr.exec:\xflfxlr.exe86⤵PID:2864
-
\??\c:\bhbbtt.exec:\bhbbtt.exe87⤵PID:772
-
\??\c:\vddjj.exec:\vddjj.exe88⤵PID:1868
-
\??\c:\vpjpj.exec:\vpjpj.exe89⤵PID:696
-
\??\c:\lxlrlxf.exec:\lxlrlxf.exe90⤵PID:4776
-
\??\c:\htbttt.exec:\htbttt.exe91⤵PID:2088
-
\??\c:\bnnbnh.exec:\bnnbnh.exe92⤵PID:4712
-
\??\c:\jvjvj.exec:\jvjvj.exe93⤵PID:3384
-
\??\c:\fllxlfr.exec:\fllxlfr.exe94⤵PID:4612
-
\??\c:\9fxlxrl.exec:\9fxlxrl.exe95⤵PID:3616
-
\??\c:\tnntnh.exec:\tnntnh.exe96⤵PID:1100
-
\??\c:\5vvjv.exec:\5vvjv.exe97⤵PID:892
-
\??\c:\7jjdp.exec:\7jjdp.exe98⤵PID:4784
-
\??\c:\3rlrffr.exec:\3rlrffr.exe99⤵PID:5012
-
\??\c:\bhbhbb.exec:\bhbhbb.exe100⤵PID:1132
-
\??\c:\ttthtn.exec:\ttthtn.exe101⤵PID:2092
-
\??\c:\dvvvp.exec:\dvvvp.exe102⤵PID:3412
-
\??\c:\ffrfxrx.exec:\ffrfxrx.exe103⤵PID:4392
-
\??\c:\5flfffl.exec:\5flfffl.exe104⤵PID:4804
-
\??\c:\ntnnhb.exec:\ntnnhb.exe105⤵PID:4980
-
\??\c:\vjjvj.exec:\vjjvj.exe106⤵PID:216
-
\??\c:\pjdpd.exec:\pjdpd.exe107⤵PID:3852
-
\??\c:\rrlflfx.exec:\rrlflfx.exe108⤵PID:756
-
\??\c:\pvvvv.exec:\pvvvv.exe109⤵PID:4556
-
\??\c:\dddpd.exec:\dddpd.exe110⤵PID:228
-
\??\c:\bntnbt.exec:\bntnbt.exe111⤵PID:1516
-
\??\c:\7ddpj.exec:\7ddpj.exe112⤵PID:468
-
\??\c:\1rlfrlr.exec:\1rlfrlr.exe113⤵PID:2892
-
\??\c:\hbtthh.exec:\hbtthh.exe114⤵PID:4344
-
\??\c:\nbnthh.exec:\nbnthh.exe115⤵PID:4308
-
\??\c:\pdjdv.exec:\pdjdv.exe116⤵
- System Location Discovery: System Language Discovery
PID:4544 -
\??\c:\rrxlxrl.exec:\rrxlxrl.exe117⤵PID:2848
-
\??\c:\3bbtnh.exec:\3bbtnh.exe118⤵PID:3948
-
\??\c:\frrfffr.exec:\frrfffr.exe119⤵PID:1028
-
\??\c:\7hthht.exec:\7hthht.exe120⤵PID:2000
-
\??\c:\tttnbb.exec:\tttnbb.exe121⤵PID:1212
-
\??\c:\ddjvd.exec:\ddjvd.exe122⤵PID:3900