Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 18:25
Behavioral task
behavioral1
Sample
09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe
-
Size
382KB
-
MD5
41b41bb39cc14987e25f883578701fdb
-
SHA1
080f53e8ec01524becdbbb4302f170289726bf8f
-
SHA256
09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3
-
SHA512
e19426bf673f900a0a7102bd742200481bc627de5e0b4ba499005096ab5a7c37ba1bb4779f07dcc52a3dd7d5502b8a6ccfb6a2f0fd87facf755a54dabb9de96e
-
SSDEEP
6144:9cm4FmowdHoS4WEkMawdHoSbdwqGw+tw+ttidCy13:/4wFHoS4WEkMTHoSbG++tw+tYYy9
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1068-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1664-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1020-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1600-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/864-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/824-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2108-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4996-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/508-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1084-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/864-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3452-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2592-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3912-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-485-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1664-492-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3148-505-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3148-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-525-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2980-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-539-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-597-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-640-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-785-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-855-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-919-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-1323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2364-1827-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1664 pjjdp.exe 3620 bhhbnh.exe 324 rxrlfxr.exe 5068 lfxrlff.exe 4292 pvvpj.exe 764 fxfxlfx.exe 1532 vjdvp.exe 2068 xrlrflf.exe 1020 ttnhbt.exe 1600 vpjdp.exe 2516 vppdp.exe 4704 lxrlrxf.exe 3516 jpppp.exe 864 fllrrlr.exe 400 bntthh.exe 4820 jvjdp.exe 1284 llxlllf.exe 3668 nhhbhb.exe 4848 hnntnn.exe 3036 vjjjj.exe 3252 nttbbn.exe 3472 jvjdd.exe 3736 rlxxxfl.exe 3580 vddpd.exe 824 rfflxxl.exe 1336 vvdpj.exe 2108 vddpj.exe 3424 bttnnh.exe 5092 pjvpj.exe 4996 nhtntt.exe 2296 jjppj.exe 2376 5btnbt.exe 4928 pppdv.exe 2788 xxrlffx.exe 2576 hbhbhh.exe 4196 hnhtnh.exe 2908 djjvj.exe 5068 frrllll.exe 2020 tbtnhb.exe 3388 vdjdv.exe 1512 xrfxlrl.exe 508 xrrllfx.exe 4452 jddpj.exe 3636 vvdvj.exe 2832 1lfxllf.exe 4876 bhbtnn.exe 3164 djddv.exe 1540 rfxlfxr.exe 4516 1tbtnn.exe 1084 ppjjd.exe 2804 xxxxrrr.exe 5052 xfffrlr.exe 864 ttnhbb.exe 4980 jpjpj.exe 4028 lrrfxrr.exe 2672 bhhbbh.exe 4708 pvdpj.exe 2828 lffrlfx.exe 3816 lfrlxxl.exe 1436 1btthh.exe 2932 pdvjp.exe 316 rxfxlfx.exe 3652 bthhhh.exe 4488 jjdvp.exe -
resource yara_rule behavioral2/memory/1068-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1068-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b9c-5.dat upx behavioral2/files/0x0008000000023c82-9.dat upx behavioral2/memory/1664-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c86-13.dat upx behavioral2/memory/3620-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c87-21.dat upx behavioral2/files/0x0007000000023c88-26.dat upx behavioral2/memory/5068-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c89-32.dat upx behavioral2/memory/4292-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-38.dat upx behavioral2/memory/1532-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8c-43.dat upx behavioral2/files/0x0007000000023c8d-49.dat upx behavioral2/memory/2068-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-55.dat upx behavioral2/memory/1020-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8f-63.dat upx behavioral2/memory/1600-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-67.dat upx behavioral2/memory/2516-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-73.dat upx behavioral2/memory/4704-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-82.dat upx behavioral2/memory/3516-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-85.dat upx behavioral2/files/0x0008000000023c83-91.dat upx behavioral2/memory/400-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/864-87-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c94-97.dat upx behavioral2/memory/4820-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-103.dat upx behavioral2/memory/3668-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-109.dat upx behavioral2/files/0x0007000000023c97-115.dat upx behavioral2/files/0x0007000000023c99-120.dat upx behavioral2/memory/3252-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-126.dat upx behavioral2/files/0x0007000000023c9b-130.dat upx behavioral2/memory/3736-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3472-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-137.dat upx behavioral2/files/0x0007000000023c9d-143.dat upx behavioral2/memory/824-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-148.dat upx behavioral2/memory/2108-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-155.dat upx behavioral2/memory/2108-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-159.dat upx behavioral2/files/0x0007000000023ca1-166.dat upx behavioral2/memory/5092-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-170.dat upx behavioral2/files/0x0007000000023ca3-176.dat upx behavioral2/memory/4996-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca4-182.dat upx behavioral2/memory/2576-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5068-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2020-211-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/508-221-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4452-224-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3636-228-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1084-247-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1068 wrote to memory of 1664 1068 09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe 84 PID 1068 wrote to memory of 1664 1068 09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe 84 PID 1068 wrote to memory of 1664 1068 09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe 84 PID 1664 wrote to memory of 3620 1664 pjjdp.exe 85 PID 1664 wrote to memory of 3620 1664 pjjdp.exe 85 PID 1664 wrote to memory of 3620 1664 pjjdp.exe 85 PID 3620 wrote to memory of 324 3620 bhhbnh.exe 86 PID 3620 wrote to memory of 324 3620 bhhbnh.exe 86 PID 3620 wrote to memory of 324 3620 bhhbnh.exe 86 PID 324 wrote to memory of 5068 324 rxrlfxr.exe 87 PID 324 wrote to memory of 5068 324 rxrlfxr.exe 87 PID 324 wrote to memory of 5068 324 rxrlfxr.exe 87 PID 5068 wrote to memory of 4292 5068 lfxrlff.exe 88 PID 5068 wrote to memory of 4292 5068 lfxrlff.exe 88 PID 5068 wrote to memory of 4292 5068 lfxrlff.exe 88 PID 4292 wrote to memory of 764 4292 pvvpj.exe 89 PID 4292 wrote to memory of 764 4292 pvvpj.exe 89 PID 4292 wrote to memory of 764 4292 pvvpj.exe 89 PID 764 wrote to memory of 1532 764 fxfxlfx.exe 90 PID 764 wrote to memory of 1532 764 fxfxlfx.exe 90 PID 764 wrote to memory of 1532 764 fxfxlfx.exe 90 PID 1532 wrote to memory of 2068 1532 vjdvp.exe 91 PID 1532 wrote to memory of 2068 1532 vjdvp.exe 91 PID 1532 wrote to memory of 2068 1532 vjdvp.exe 91 PID 2068 wrote to memory of 1020 2068 xrlrflf.exe 92 PID 2068 wrote to memory of 1020 2068 xrlrflf.exe 92 PID 2068 wrote to memory of 1020 2068 xrlrflf.exe 92 PID 1020 wrote to memory of 1600 1020 ttnhbt.exe 93 PID 1020 wrote to memory of 1600 1020 ttnhbt.exe 93 PID 1020 wrote to memory of 1600 1020 ttnhbt.exe 93 PID 1600 wrote to memory of 2516 1600 vpjdp.exe 95 PID 1600 wrote to memory of 2516 1600 vpjdp.exe 95 PID 1600 wrote to memory of 2516 1600 vpjdp.exe 95 PID 2516 wrote to memory of 4704 2516 vppdp.exe 97 PID 2516 wrote to memory of 4704 2516 
vppdp.exe 97 PID 2516 wrote to memory of 4704 2516 vppdp.exe 97 PID 4704 wrote to memory of 3516 4704 lxrlrxf.exe 98 PID 4704 wrote to memory of 3516 4704 lxrlrxf.exe 98 PID 4704 wrote to memory of 3516 4704 lxrlrxf.exe 98 PID 3516 wrote to memory of 864 3516 jpppp.exe 100 PID 3516 wrote to memory of 864 3516 jpppp.exe 100 PID 3516 wrote to memory of 864 3516 jpppp.exe 100 PID 864 wrote to memory of 400 864 fllrrlr.exe 101 PID 864 wrote to memory of 400 864 fllrrlr.exe 101 PID 864 wrote to memory of 400 864 fllrrlr.exe 101 PID 400 wrote to memory of 4820 400 bntthh.exe 102 PID 400 wrote to memory of 4820 400 bntthh.exe 102 PID 400 wrote to memory of 4820 400 bntthh.exe 102 PID 4820 wrote to memory of 1284 4820 jvjdp.exe 103 PID 4820 wrote to memory of 1284 4820 jvjdp.exe 103 PID 4820 wrote to memory of 1284 4820 jvjdp.exe 103 PID 1284 wrote to memory of 3668 1284 llxlllf.exe 104 PID 1284 wrote to memory of 3668 1284 llxlllf.exe 104 PID 1284 wrote to memory of 3668 1284 llxlllf.exe 104 PID 3668 wrote to memory of 4848 3668 nhhbhb.exe 105 PID 3668 wrote to memory of 4848 3668 nhhbhb.exe 105 PID 3668 wrote to memory of 4848 3668 nhhbhb.exe 105 PID 4848 wrote to memory of 3036 4848 hnntnn.exe 106 PID 4848 wrote to memory of 3036 4848 hnntnn.exe 106 PID 4848 wrote to memory of 3036 4848 hnntnn.exe 106 PID 3036 wrote to memory of 3252 3036 vjjjj.exe 107 PID 3036 wrote to memory of 3252 3036 vjjjj.exe 107 PID 3036 wrote to memory of 3252 3036 vjjjj.exe 107 PID 3252 wrote to memory of 3472 3252 nttbbn.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe"C:\Users\Admin\AppData\Local\Temp\09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\pjjdp.exec:\pjjdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\bhhbnh.exec:\bhhbnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\rxrlfxr.exec:\rxrlfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\lfxrlff.exec:\lfxrlff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\pvvpj.exec:\pvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\fxfxlfx.exec:\fxfxlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\vjdvp.exec:\vjdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\xrlrflf.exec:\xrlrflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\ttnhbt.exec:\ttnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\vpjdp.exec:\vpjdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\vppdp.exec:\vppdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\lxrlrxf.exec:\lxrlrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\jpppp.exec:\jpppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\fllrrlr.exec:\fllrrlr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\bntthh.exec:\bntthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\jvjdp.exec:\jvjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\llxlllf.exec:\llxlllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\nhhbhb.exec:\nhhbhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\hnntnn.exec:\hnntnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\vjjjj.exec:\vjjjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\nttbbn.exec:\nttbbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\jvjdd.exec:\jvjdd.exe23⤵
- Executes dropped EXE
PID:3472 -
\??\c:\rlxxxfl.exec:\rlxxxfl.exe24⤵
- Executes dropped EXE
PID:3736 -
\??\c:\vddpd.exec:\vddpd.exe25⤵
- Executes dropped EXE
PID:3580 -
\??\c:\rfflxxl.exec:\rfflxxl.exe26⤵
- Executes dropped EXE
PID:824 -
\??\c:\vvdpj.exec:\vvdpj.exe27⤵
- Executes dropped EXE
PID:1336 -
\??\c:\vddpj.exec:\vddpj.exe28⤵
- Executes dropped EXE
PID:2108 -
\??\c:\bttnnh.exec:\bttnnh.exe29⤵
- Executes dropped EXE
PID:3424 -
\??\c:\pjvpj.exec:\pjvpj.exe30⤵
- Executes dropped EXE
PID:5092 -
\??\c:\nhtntt.exec:\nhtntt.exe31⤵
- Executes dropped EXE
PID:4996 -
\??\c:\jjppj.exec:\jjppj.exe32⤵
- Executes dropped EXE
PID:2296 -
\??\c:\5btnbt.exec:\5btnbt.exe33⤵
- Executes dropped EXE
PID:2376 -
\??\c:\pppdv.exec:\pppdv.exe34⤵
- Executes dropped EXE
PID:4928 -
\??\c:\xxrlffx.exec:\xxrlffx.exe35⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hbhbhh.exec:\hbhbhh.exe36⤵
- Executes dropped EXE
PID:2576 -
\??\c:\hnhtnh.exec:\hnhtnh.exe37⤵
- Executes dropped EXE
PID:4196 -
\??\c:\djjvj.exec:\djjvj.exe38⤵
- Executes dropped EXE
PID:2908 -
\??\c:\frrllll.exec:\frrllll.exe39⤵
- Executes dropped EXE
PID:5068 -
\??\c:\tbtnhb.exec:\tbtnhb.exe40⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vdjdv.exec:\vdjdv.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3388 -
\??\c:\xrfxlrl.exec:\xrfxlrl.exe42⤵
- Executes dropped EXE
PID:1512 -
\??\c:\xrrllfx.exec:\xrrllfx.exe43⤵
- Executes dropped EXE
PID:508 -
\??\c:\jddpj.exec:\jddpj.exe44⤵
- Executes dropped EXE
PID:4452 -
\??\c:\vvdvj.exec:\vvdvj.exe45⤵
- Executes dropped EXE
PID:3636 -
\??\c:\1lfxllf.exec:\1lfxllf.exe46⤵
- Executes dropped EXE
PID:2832 -
\??\c:\bhbtnn.exec:\bhbtnn.exe47⤵
- Executes dropped EXE
PID:4876 -
\??\c:\djddv.exec:\djddv.exe48⤵
- Executes dropped EXE
PID:3164 -
\??\c:\rfxlfxr.exec:\rfxlfxr.exe49⤵
- Executes dropped EXE
PID:1540 -
\??\c:\1tbtnn.exec:\1tbtnn.exe50⤵
- Executes dropped EXE
PID:4516 -
\??\c:\ppjjd.exec:\ppjjd.exe51⤵
- Executes dropped EXE
PID:1084 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe52⤵
- Executes dropped EXE
PID:2804 -
\??\c:\xfffrlr.exec:\xfffrlr.exe53⤵
- Executes dropped EXE
PID:5052 -
\??\c:\ttnhbb.exec:\ttnhbb.exe54⤵
- Executes dropped EXE
PID:864 -
\??\c:\jpjpj.exec:\jpjpj.exe55⤵
- Executes dropped EXE
PID:4980 -
\??\c:\lrrfxrr.exec:\lrrfxrr.exe56⤵
- Executes dropped EXE
PID:4028 -
\??\c:\bhhbbh.exec:\bhhbbh.exe57⤵
- Executes dropped EXE
PID:2672 -
\??\c:\pvdpj.exec:\pvdpj.exe58⤵
- Executes dropped EXE
PID:4708 -
\??\c:\lffrlfx.exec:\lffrlfx.exe59⤵
- Executes dropped EXE
PID:2828 -
\??\c:\lfrlxxl.exec:\lfrlxxl.exe60⤵
- Executes dropped EXE
PID:3816 -
\??\c:\1btthh.exec:\1btthh.exe61⤵
- Executes dropped EXE
PID:1436 -
\??\c:\pdvjp.exec:\pdvjp.exe62⤵
- Executes dropped EXE
PID:2932 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe63⤵
- Executes dropped EXE
PID:316 -
\??\c:\bthhhh.exec:\bthhhh.exe64⤵
- Executes dropped EXE
PID:3652 -
\??\c:\jjdvp.exec:\jjdvp.exe65⤵
- Executes dropped EXE
PID:4488 -
\??\c:\jdddp.exec:\jdddp.exe66⤵PID:3252
-
\??\c:\fxrllff.exec:\fxrllff.exe67⤵PID:2328
-
\??\c:\ntttbt.exec:\ntttbt.exe68⤵PID:2300
-
\??\c:\djpdv.exec:\djpdv.exe69⤵PID:4464
-
\??\c:\jdjvd.exec:\jdjvd.exe70⤵PID:3132
-
\??\c:\frrfxrf.exec:\frrfxrf.exe71⤵PID:3052
-
\??\c:\nbbbnh.exec:\nbbbnh.exe72⤵PID:4496
-
\??\c:\3jdvp.exec:\3jdvp.exe73⤵PID:4432
-
\??\c:\jvdpj.exec:\jvdpj.exe74⤵PID:4684
-
\??\c:\lflfffx.exec:\lflfffx.exe75⤵PID:5008
-
\??\c:\btnhtn.exec:\btnhtn.exe76⤵PID:4784
-
\??\c:\nttntt.exec:\nttntt.exe77⤵PID:4080
-
\??\c:\jjpjj.exec:\jjpjj.exe78⤵PID:4380
-
\??\c:\rflxlfr.exec:\rflxlfr.exe79⤵PID:2592
-
\??\c:\nttnbb.exec:\nttnbb.exe80⤵PID:5012
-
\??\c:\frllfrf.exec:\frllfrf.exe81⤵PID:1996
-
\??\c:\llrflfl.exec:\llrflfl.exe82⤵PID:4928
-
\??\c:\hbthbn.exec:\hbthbn.exe83⤵PID:2224
-
\??\c:\vddpj.exec:\vddpj.exe84⤵PID:4936
-
\??\c:\jdppj.exec:\jdppj.exe85⤵PID:216
-
\??\c:\rrfffff.exec:\rrfffff.exe86⤵PID:3452
-
\??\c:\bntnnn.exec:\bntnnn.exe87⤵PID:5068
-
\??\c:\3dvdv.exec:\3dvdv.exe88⤵PID:1116
-
\??\c:\lflfxrl.exec:\lflfxrl.exe89⤵PID:2176
-
\??\c:\htbttt.exec:\htbttt.exe90⤵PID:1532
-
\??\c:\jppjv.exec:\jppjv.exe91⤵PID:508
-
\??\c:\5lxlfxf.exec:\5lxlfxf.exe92⤵PID:4172
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe93⤵PID:3112
-
\??\c:\nttbhh.exec:\nttbhh.exe94⤵PID:536
-
\??\c:\1jdvj.exec:\1jdvj.exe95⤵PID:4808
-
\??\c:\7llfllf.exec:\7llfllf.exe96⤵PID:2516
-
\??\c:\hthnnn.exec:\hthnnn.exe97⤵PID:1540
-
\??\c:\pjpjv.exec:\pjpjv.exe98⤵PID:4304
-
\??\c:\dvdpj.exec:\dvdpj.exe99⤵PID:2416
-
\??\c:\rlfxlxr.exec:\rlfxlxr.exe100⤵PID:2804
-
\??\c:\tnnhtt.exec:\tnnhtt.exe101⤵PID:4864
-
\??\c:\pppjd.exec:\pppjd.exe102⤵PID:4076
-
\??\c:\lfllfll.exec:\lfllfll.exe103⤵PID:5076
-
\??\c:\lxfxxxr.exec:\lxfxxxr.exe104⤵PID:2928
-
\??\c:\tbhnnn.exec:\tbhnnn.exe105⤵PID:648
-
\??\c:\rrxxlfx.exec:\rrxxlfx.exe106⤵PID:3920
-
\??\c:\lxlffxr.exec:\lxlffxr.exe107⤵PID:2452
-
\??\c:\tthbtn.exec:\tthbtn.exe108⤵PID:4848
-
\??\c:\dppjd.exec:\dppjd.exe109⤵PID:3652
-
\??\c:\rlxfxff.exec:\rlxfxff.exe110⤵PID:3488
-
\??\c:\ffxrlfl.exec:\ffxrlfl.exe111⤵PID:3396
-
\??\c:\httnbt.exec:\httnbt.exe112⤵
- System Location Discovery: System Language Discovery
PID:3912 -
\??\c:\dvpjd.exec:\dvpjd.exe113⤵PID:2368
-
\??\c:\1llfxxr.exec:\1llfxxr.exe114⤵PID:824
-
\??\c:\ntbtnn.exec:\ntbtnn.exe115⤵PID:3144
-
\??\c:\bhbthb.exec:\bhbthb.exe116⤵PID:5088
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe117⤵PID:2284
-
\??\c:\hbhbtt.exec:\hbhbtt.exe118⤵PID:540
-
\??\c:\tbhbbb.exec:\tbhbbb.exe119⤵PID:2108
-
\??\c:\vdpjd.exec:\vdpjd.exe120⤵PID:448
-
\??\c:\rfrlfff.exec:\rfrlfff.exe121⤵PID:5092
-
\??\c:\tthtnh.exec:\tthtnh.exe122⤵PID:1344