Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 12:34
Static task
static1
Behavioral task
behavioral1
Sample
f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe
Resource
win7-20240903-en (note: the platform header above and every signature hit below are tagged win10v2004 / behavioral2, so this task entry appears to describe a sibling Windows 7 run rather than the results shown on this page)
General
-
Target
f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe
-
Size
333KB
-
MD5
6f15a34ff2f291fbdbb06cda86083060
-
SHA1
1b9e7e4b967d1791dd54b7b983f9c29b1c30933b
-
SHA256
f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fc
-
SHA512
341ba223867983230a2809cbead9fe7406bd2d6e8c83d228ef565b088f0d0ef3f39adc2c797994929348162ef348f84d904af8ae0b3e0efad2e6fc1249dfed2b
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhq:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTa
Malware Config
Signatures
-
Detect Blackmoon payload 62 IoCs — YARA rule family_blackmoon matched in process memory. Every hit covers the same 0x00400000–0x0042A000 image range in a different PID, consistent with each dropped executable being a copy of the same payload.
resource yara_rule behavioral2/memory/2828-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3564-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2220-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-1193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the report appears to cap each signature at 64 entries; the process tree below goes far deeper). Several PIDs recur with different image names (e.g. 3964 for xffxlxr.exe and later bnhthb.exe), so earlier links in the chain had exited and Windows reused their PIDs — correlate on image name and hash rather than on PID alone.
pid Process 3652 tnhbht.exe 468 1pvjd.exe 2636 hbbhnn.exe 2684 vjjvj.exe 2444 xllrrll.exe 4792 ntnbht.exe 3964 xffxlxr.exe 4804 bhhtht.exe 3100 5vpdp.exe 3488 ffxlxrf.exe 4884 nnnbhn.exe 4052 pdvdj.exe 3192 rlrfrxl.exe 368 htnhtn.exe 3096 pvjvj.exe 2632 jdpjv.exe 2160 xlxflrr.exe 1244 vppdp.exe 1640 djjdv.exe 4208 nnhnth.exe 2476 ppdpd.exe 1936 xrfrxrl.exe 1388 bnhhtt.exe 2240 nbthtb.exe 3292 pppdd.exe 3780 3lfrfxl.exe 3564 bhnhbt.exe 2372 pvvjp.exe 4508 xllfrrl.exe 3084 fllxlrl.exe 752 vjjdp.exe 4440 xxxllxr.exe 3504 fxrfxrl.exe 3368 pvvdp.exe 4352 lfrxrxf.exe 3700 nbtnbt.exe 2364 bnthhb.exe 2548 frrflfx.exe 4872 3nnbnh.exe 4892 hbnnhb.exe 396 jdvjd.exe 1336 pdppj.exe 3852 5rrxrfx.exe 912 btthtt.exe 3964 bnhthb.exe 2028 vddvj.exe 1988 xffrfrf.exe 2648 9lrfrfr.exe 4956 bbbnbt.exe 3672 3jdvj.exe 2188 ppdvj.exe 1512 xxfrfrf.exe 4960 5htthb.exe 1580 bbthbb.exe 1316 jdpdv.exe 4516 pjvpj.exe 3184 flrlxrf.exe 3064 5hnbth.exe 3060 5vjdj.exe 1928 dvdvd.exe 4092 frxllff.exe 1056 1tnnhb.exe 932 7vpjp.exe 3676 rxxrxrl.exe -
UPX packer signature (YARA rule tag upx) — matched in the mapped image of each process over the same 0x00400000–0x0042A000 range as the Blackmoon hits. resource yara_rule behavioral2/memory/2828-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4508-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2756-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-1026-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also common in benign software and runtime libraries, so on its own this is a low-fidelity indicator. The "Process not Found" entries appear to be hits whose process had already exited before the sandbox could attribute them to an image name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (display cap). Each entry is a parent writing into the child it has just spawned, three times per child, in a strictly linear chain (2828 → 3652 → 468 → 2636 → …) that mirrors the process tree below — consistent with a self-replicating dropper handing off to the next copy rather than injection into an unrelated host process.
description pid Process procid_target PID 2828 wrote to memory of 3652 2828 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 84 PID 2828 wrote to memory of 3652 2828 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 84 PID 2828 wrote to memory of 3652 2828 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 84 PID 3652 wrote to memory of 468 3652 tnhbht.exe 85 PID 3652 wrote to memory of 468 3652 tnhbht.exe 85 PID 3652 wrote to memory of 468 3652 tnhbht.exe 85 PID 468 wrote to memory of 2636 468 1pvjd.exe 86 PID 468 wrote to memory of 2636 468 1pvjd.exe 86 PID 468 wrote to memory of 2636 468 1pvjd.exe 86 PID 2636 wrote to memory of 2684 2636 hbbhnn.exe 87 PID 2636 wrote to memory of 2684 2636 hbbhnn.exe 87 PID 2636 wrote to memory of 2684 2636 hbbhnn.exe 87 PID 2684 wrote to memory of 2444 2684 vjjvj.exe 88 PID 2684 wrote to memory of 2444 2684 vjjvj.exe 88 PID 2684 wrote to memory of 2444 2684 vjjvj.exe 88 PID 2444 wrote to memory of 4792 2444 xllrrll.exe 89 PID 2444 wrote to memory of 4792 2444 xllrrll.exe 89 PID 2444 wrote to memory of 4792 2444 xllrrll.exe 89 PID 4792 wrote to memory of 3964 4792 ntnbht.exe 90 PID 4792 wrote to memory of 3964 4792 ntnbht.exe 90 PID 4792 wrote to memory of 3964 4792 ntnbht.exe 90 PID 3964 wrote to memory of 4804 3964 xffxlxr.exe 91 PID 3964 wrote to memory of 4804 3964 xffxlxr.exe 91 PID 3964 wrote to memory of 4804 3964 xffxlxr.exe 91 PID 4804 wrote to memory of 3100 4804 bhhtht.exe 92 PID 4804 wrote to memory of 3100 4804 bhhtht.exe 92 PID 4804 wrote to memory of 3100 4804 bhhtht.exe 92 PID 3100 wrote to memory of 3488 3100 5vpdp.exe 93 PID 3100 wrote to memory of 3488 3100 5vpdp.exe 93 PID 3100 wrote to memory of 3488 3100 5vpdp.exe 93 PID 3488 wrote to memory of 4884 3488 ffxlxrf.exe 94 PID 3488 wrote to memory of 4884 3488 ffxlxrf.exe 94 PID 3488 wrote to memory of 4884 3488 ffxlxrf.exe 94 PID 4884 wrote to memory of 4052 4884 nnnbhn.exe 96 PID 4884 wrote to memory 
of 4052 4884 nnnbhn.exe 96 PID 4884 wrote to memory of 4052 4884 nnnbhn.exe 96 PID 4052 wrote to memory of 3192 4052 pdvdj.exe 97 PID 4052 wrote to memory of 3192 4052 pdvdj.exe 97 PID 4052 wrote to memory of 3192 4052 pdvdj.exe 97 PID 3192 wrote to memory of 368 3192 rlrfrxl.exe 98 PID 3192 wrote to memory of 368 3192 rlrfrxl.exe 98 PID 3192 wrote to memory of 368 3192 rlrfrxl.exe 98 PID 368 wrote to memory of 3096 368 htnhtn.exe 99 PID 368 wrote to memory of 3096 368 htnhtn.exe 99 PID 368 wrote to memory of 3096 368 htnhtn.exe 99 PID 3096 wrote to memory of 2632 3096 pvjvj.exe 100 PID 3096 wrote to memory of 2632 3096 pvjvj.exe 100 PID 3096 wrote to memory of 2632 3096 pvjvj.exe 100 PID 2632 wrote to memory of 2160 2632 jdpjv.exe 101 PID 2632 wrote to memory of 2160 2632 jdpjv.exe 101 PID 2632 wrote to memory of 2160 2632 jdpjv.exe 101 PID 2160 wrote to memory of 1244 2160 xlxflrr.exe 103 PID 2160 wrote to memory of 1244 2160 xlxflrr.exe 103 PID 2160 wrote to memory of 1244 2160 xlxflrr.exe 103 PID 1244 wrote to memory of 1640 1244 vppdp.exe 104 PID 1244 wrote to memory of 1640 1244 vppdp.exe 104 PID 1244 wrote to memory of 1640 1244 vppdp.exe 104 PID 1640 wrote to memory of 4208 1640 djjdv.exe 105 PID 1640 wrote to memory of 4208 1640 djjdv.exe 105 PID 1640 wrote to memory of 4208 1640 djjdv.exe 105 PID 4208 wrote to memory of 2476 4208 nnhnth.exe 107 PID 4208 wrote to memory of 2476 4208 nnhnth.exe 107 PID 4208 wrote to memory of 2476 4208 nnhnth.exe 107 PID 2476 wrote to memory of 1936 2476 ppdpd.exe 108
Processes (each entry shows the image path and the command line run together, then the process depth in the tree, the signatures it triggered and its PID). In this run every dropped copy is written to the root of C:\ with a short name composed only of the letters b d f h j l n p r t v x, optionally prefixed by a digit — a naming pattern worth hunting for in related artifacts.
-
C:\Users\Admin\AppData\Local\Temp\f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe"C:\Users\Admin\AppData\Local\Temp\f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\tnhbht.exec:\tnhbht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\1pvjd.exec:\1pvjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\hbbhnn.exec:\hbbhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\vjjvj.exec:\vjjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\xllrrll.exec:\xllrrll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\ntnbht.exec:\ntnbht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\xffxlxr.exec:\xffxlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\bhhtht.exec:\bhhtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\5vpdp.exec:\5vpdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\ffxlxrf.exec:\ffxlxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\nnnbhn.exec:\nnnbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\pdvdj.exec:\pdvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\rlrfrxl.exec:\rlrfrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\htnhtn.exec:\htnhtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\pvjvj.exec:\pvjvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\jdpjv.exec:\jdpjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\xlxflrr.exec:\xlxflrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\vppdp.exec:\vppdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\djjdv.exec:\djjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\nnhnth.exec:\nnhnth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\ppdpd.exec:\ppdpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\xrfrxrl.exec:\xrfrxrl.exe23⤵
- Executes dropped EXE
PID:1936 -
\??\c:\bnhhtt.exec:\bnhhtt.exe24⤵
- Executes dropped EXE
PID:1388 -
\??\c:\nbthtb.exec:\nbthtb.exe25⤵
- Executes dropped EXE
PID:2240 -
\??\c:\pppdd.exec:\pppdd.exe26⤵
- Executes dropped EXE
PID:3292 -
\??\c:\3lfrfxl.exec:\3lfrfxl.exe27⤵
- Executes dropped EXE
PID:3780 -
\??\c:\bhnhbt.exec:\bhnhbt.exe28⤵
- Executes dropped EXE
PID:3564 -
\??\c:\pvvjp.exec:\pvvjp.exe29⤵
- Executes dropped EXE
PID:2372 -
\??\c:\xllfrrl.exec:\xllfrrl.exe30⤵
- Executes dropped EXE
PID:4508 -
\??\c:\fllxlrl.exec:\fllxlrl.exe31⤵
- Executes dropped EXE
PID:3084 -
\??\c:\vjjdp.exec:\vjjdp.exe32⤵
- Executes dropped EXE
PID:752 -
\??\c:\xxxllxr.exec:\xxxllxr.exe33⤵
- Executes dropped EXE
PID:4440 -
\??\c:\fxrfxrl.exec:\fxrfxrl.exe34⤵
- Executes dropped EXE
PID:3504 -
\??\c:\pvvdp.exec:\pvvdp.exe35⤵
- Executes dropped EXE
PID:3368 -
\??\c:\lfrxrxf.exec:\lfrxrxf.exe36⤵
- Executes dropped EXE
PID:4352 -
\??\c:\nbtnbt.exec:\nbtnbt.exe37⤵
- Executes dropped EXE
PID:3700 -
\??\c:\bnthhb.exec:\bnthhb.exe38⤵
- Executes dropped EXE
PID:2364 -
\??\c:\frrflfx.exec:\frrflfx.exe39⤵
- Executes dropped EXE
PID:2548 -
\??\c:\3nnbnh.exec:\3nnbnh.exe40⤵
- Executes dropped EXE
PID:4872 -
\??\c:\hbnnhb.exec:\hbnnhb.exe41⤵
- Executes dropped EXE
PID:4892 -
\??\c:\jdvjd.exec:\jdvjd.exe42⤵
- Executes dropped EXE
PID:396 -
\??\c:\pdppj.exec:\pdppj.exe43⤵
- Executes dropped EXE
PID:1336 -
\??\c:\5rrxrfx.exec:\5rrxrfx.exe44⤵
- Executes dropped EXE
PID:3852 -
\??\c:\btthtt.exec:\btthtt.exe45⤵
- Executes dropped EXE
PID:912 -
\??\c:\bnhthb.exec:\bnhthb.exe46⤵
- Executes dropped EXE
PID:3964 -
\??\c:\vddvj.exec:\vddvj.exe47⤵
- Executes dropped EXE
PID:2028 -
\??\c:\xffrfrf.exec:\xffrfrf.exe48⤵
- Executes dropped EXE
PID:1988 -
\??\c:\9lrfrfr.exec:\9lrfrfr.exe49⤵
- Executes dropped EXE
PID:2648 -
\??\c:\bbbnbt.exec:\bbbnbt.exe50⤵
- Executes dropped EXE
PID:4956 -
\??\c:\3jdvj.exec:\3jdvj.exe51⤵
- Executes dropped EXE
PID:3672 -
\??\c:\ppdvj.exec:\ppdvj.exe52⤵
- Executes dropped EXE
PID:2188 -
\??\c:\xxfrfrf.exec:\xxfrfrf.exe53⤵
- Executes dropped EXE
PID:1512 -
\??\c:\5htthb.exec:\5htthb.exe54⤵
- Executes dropped EXE
PID:4960 -
\??\c:\bbthbb.exec:\bbthbb.exe55⤵
- Executes dropped EXE
PID:1580 -
\??\c:\jdpdv.exec:\jdpdv.exe56⤵
- Executes dropped EXE
PID:1316 -
\??\c:\pjvpj.exec:\pjvpj.exe57⤵
- Executes dropped EXE
PID:4516 -
\??\c:\flrlxrf.exec:\flrlxrf.exe58⤵
- Executes dropped EXE
PID:3184 -
\??\c:\5hnbth.exec:\5hnbth.exe59⤵
- Executes dropped EXE
PID:3064 -
\??\c:\5vjdj.exec:\5vjdj.exe60⤵
- Executes dropped EXE
PID:3060 -
\??\c:\dvdvd.exec:\dvdvd.exe61⤵
- Executes dropped EXE
PID:1928 -
\??\c:\frxllff.exec:\frxllff.exe62⤵
- Executes dropped EXE
PID:4092 -
\??\c:\1tnnhb.exec:\1tnnhb.exe63⤵
- Executes dropped EXE
PID:1056 -
\??\c:\7vpjp.exec:\7vpjp.exe64⤵
- Executes dropped EXE
PID:932 -
\??\c:\rxxrxrl.exec:\rxxrxrl.exe65⤵
- Executes dropped EXE
PID:3676 -
\??\c:\tnnhbb.exec:\tnnhbb.exe66⤵PID:532
-
\??\c:\dppdp.exec:\dppdp.exe67⤵PID:4196
-
\??\c:\lxrlxrr.exec:\lxrlxrr.exe68⤵PID:2576
-
\??\c:\9lxrrlr.exec:\9lxrrlr.exe69⤵PID:456
-
\??\c:\nnnbtt.exec:\nnnbtt.exe70⤵PID:2460
-
\??\c:\rlxrrxx.exec:\rlxrrxx.exe71⤵PID:4172
-
\??\c:\bhbnth.exec:\bhbnth.exe72⤵PID:4860
-
\??\c:\bnbnhb.exec:\bnbnhb.exe73⤵PID:3872
-
\??\c:\ddvdp.exec:\ddvdp.exe74⤵PID:4508
-
\??\c:\vdjvp.exec:\vdjvp.exe75⤵PID:4504
-
\??\c:\xlfxfxr.exec:\xlfxfxr.exe76⤵PID:2220
-
\??\c:\tntnnh.exec:\tntnnh.exe77⤵PID:4948
-
\??\c:\dvdvp.exec:\dvdvp.exe78⤵PID:2252
-
\??\c:\rlrxfrf.exec:\rlrxfrf.exe79⤵PID:4344
-
\??\c:\nhhbnh.exec:\nhhbnh.exe80⤵PID:4724
-
\??\c:\nhtnbt.exec:\nhtnbt.exe81⤵PID:3800
-
\??\c:\vjjpj.exec:\vjjpj.exe82⤵PID:3500
-
\??\c:\rlfxlff.exec:\rlfxlff.exe83⤵PID:452
-
\??\c:\9xfxlrf.exec:\9xfxlrf.exe84⤵PID:2636
-
\??\c:\3nttbt.exec:\3nttbt.exe85⤵PID:2756
-
\??\c:\nbbtnh.exec:\nbbtnh.exe86⤵PID:2444
-
\??\c:\dvjvv.exec:\dvjvv.exe87⤵PID:5116
-
\??\c:\9lfxrlf.exec:\9lfxrlf.exe88⤵PID:1420
-
\??\c:\hnbtbb.exec:\hnbtbb.exe89⤵PID:3764
-
\??\c:\jdjvj.exec:\jdjvj.exe90⤵PID:3628
-
\??\c:\3vvdv.exec:\3vvdv.exe91⤵PID:4960
-
\??\c:\9lrlfxx.exec:\9lrlfxx.exe92⤵PID:956
-
\??\c:\bthbhh.exec:\bthbhh.exe93⤵PID:1904
-
\??\c:\pvdpd.exec:\pvdpd.exe94⤵PID:5008
-
\??\c:\3jdvp.exec:\3jdvp.exe95⤵PID:1232
-
\??\c:\fxlfffl.exec:\fxlfffl.exe96⤵PID:3064
-
\??\c:\9nnhth.exec:\9nnhth.exe97⤵PID:3060
-
\??\c:\jvpdj.exec:\jvpdj.exe98⤵PID:1928
-
\??\c:\vjjvv.exec:\vjjvv.exe99⤵PID:2184
-
\??\c:\rflxrxr.exec:\rflxrxr.exe100⤵PID:808
-
\??\c:\1ntnhn.exec:\1ntnhn.exe101⤵PID:1576
-
\??\c:\vvdvj.exec:\vvdvj.exe102⤵PID:4576
-
\??\c:\lrxlfrl.exec:\lrxlfrl.exe103⤵PID:3740
-
\??\c:\llrfrlx.exec:\llrfrlx.exe104⤵PID:1768
-
\??\c:\nnhtht.exec:\nnhtht.exe105⤵PID:1668
-
\??\c:\dpdvv.exec:\dpdvv.exe106⤵PID:2164
-
\??\c:\vpdvj.exec:\vpdvj.exe107⤵PID:1456
-
\??\c:\xxfrrfr.exec:\xxfrrfr.exe108⤵PID:3600
-
\??\c:\tntbhb.exec:\tntbhb.exe109⤵PID:3768
-
\??\c:\nhnbhb.exec:\nhnbhb.exe110⤵PID:4432
-
\??\c:\ppjdp.exec:\ppjdp.exe111⤵PID:1084
-
\??\c:\xlrlrlr.exec:\xlrlrlr.exe112⤵PID:752
-
\??\c:\rxfrlll.exec:\rxfrlll.exe113⤵PID:1788
-
\??\c:\htnbtn.exec:\htnbtn.exe114⤵PID:3784
-
\??\c:\vpjpv.exec:\vpjpv.exe115⤵PID:1960
-
\??\c:\dddpd.exec:\dddpd.exe116⤵PID:3164
-
\??\c:\xlfrfxl.exec:\xlfrfxl.exe117⤵PID:3392
-
\??\c:\lxrxfll.exec:\lxrxfll.exe118⤵PID:2136
-
\??\c:\nhbntn.exec:\nhbntn.exe119⤵PID:4420
-
\??\c:\hbbnbt.exec:\hbbnbt.exe120⤵PID:2060
-
\??\c:\7vvpj.exec:\7vvpj.exe121⤵PID:4940
-
\??\c:\xlxlxrx.exec:\xlxlxrx.exe122⤵PID:2608