Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 00:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe
-
Size
453KB
-
MD5
14c4bd223137e543ac8225897d2cdf2e
-
SHA1
4c63173acc329cab56355f18bcf172ab529e1367
-
SHA256
9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482
-
SHA512
aa79e0f27e99a3347a163499814908cb23b6dba214b78856300ba6ffaab3bcf5f315634897dce448a2651f1cc812c02a8db38fa69bdb2fe2d7ec0f5337ef0ca2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1716-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/824-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2800-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-1121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-1296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-1357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-1361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2024 jdjvp.exe 4800 8226604.exe 3876 262204.exe 1572 266666.exe 2040 64228.exe 3708 bbnbnt.exe 4572 djjpp.exe 1644 e62824.exe 2816 bnttnt.exe 4872 tnbbnn.exe 5052 00880.exe 2308 882684.exe 2400 flxlrfl.exe 3516 xrrrxff.exe 3640 8484464.exe 2780 228888.exe 4832 llflxxl.exe 3244 jpppp.exe 760 flrllff.exe 4716 246006.exe 1464 462862.exe 3220 rrxllrr.exe 4004 2402488.exe 4232 vpvpp.exe 3964 240222.exe 5032 624880.exe 1876 dvdpd.exe 3976 66088.exe 4052 ntnhhh.exe 1304 frrflfx.exe 1772 rlxxlrr.exe 1664 dvjjj.exe 3568 jpppj.exe 3040 8008400.exe 1568 bhtttt.exe 3164 68884.exe 2888 bbbtbb.exe 4292 vppjv.exe 4796 thnhhh.exe 1468 lrrfxff.exe 4604 4206060.exe 4700 vdjpj.exe 8 thhbtn.exe 3268 64484.exe 2792 k88402.exe 3264 bnthnh.exe 1344 42888.exe 3612 486248.exe 1424 06240.exe 3780 664446.exe 2120 04606.exe 3872 rlxlrxx.exe 3740 xrxrrll.exe 824 nhbtnh.exe 3704 6846224.exe 1892 280440.exe 3748 nhhbtt.exe 4296 6248882.exe 4248 20804.exe 3828 vjpjd.exe 5092 jdvpv.exe 2880 pjjdj.exe 3536 1ppjv.exe 5052 nhbbth.exe -
resource yara_rule behavioral2/memory/1716-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-261-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/824-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-539-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3796-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-31-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q24800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2060404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4820004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k80044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxr.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
7nhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1716 wrote to memory of 2024 1716 9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe 315 PID 1716 wrote to memory of 2024 1716 9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe 315 PID 1716 wrote to memory of 2024 1716 9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe 315 PID 2024 wrote to memory of 4800 2024 jdjvp.exe 84 PID 2024 wrote to memory of 4800 2024 jdjvp.exe 84 PID 2024 wrote to memory of 4800 2024 jdjvp.exe 84 PID 4800 wrote to memory of 3876 4800 8226604.exe 255 PID 4800 wrote to memory of 3876 4800 8226604.exe 255 PID 4800 wrote to memory of 3876 4800 8226604.exe 255 PID 3876 wrote to memory of 1572 3876 262204.exe 379 PID 3876 wrote to memory of 1572 3876 262204.exe 379 PID 3876 wrote to memory of 1572 3876 262204.exe 379 PID 1572 wrote to memory of 2040 1572 266666.exe 87 PID 1572 wrote to memory of 2040 1572 266666.exe 87 PID 1572 wrote to memory of 2040 1572 266666.exe 87 PID 2040 wrote to memory of 3708 2040 64228.exe 88 PID 2040 wrote to memory of 3708 2040 64228.exe 88 PID 2040 wrote to memory of 3708 2040 64228.exe 88 PID 3708 wrote to memory of 4572 3708 bbnbnt.exe 89 PID 3708 wrote to memory of 4572 3708 bbnbnt.exe 89 PID 3708 wrote to memory of 4572 3708 bbnbnt.exe 89 PID 4572 wrote to memory of 1644 4572 djjpp.exe 90 PID 4572 wrote to memory of 1644 4572 djjpp.exe 90 PID 4572 wrote to memory of 1644 4572 djjpp.exe 90 PID 1644 wrote to memory of 2816 1644 e62824.exe 264 PID 1644 wrote to memory of 2816 1644 e62824.exe 264 PID 1644 wrote to memory of 2816 1644 e62824.exe 264 PID 2816 wrote to memory of 4872 2816 bnttnt.exe 327 PID 2816 wrote to memory of 4872 2816 bnttnt.exe 327 PID 2816 wrote to memory of 4872 2816 bnttnt.exe 327 PID 4872 wrote to memory of 5052 4872 tnbbnn.exe 334 PID 4872 wrote to memory of 5052 4872 tnbbnn.exe 334 PID 4872 wrote to memory of 5052 4872 tnbbnn.exe 334 PID 5052 wrote to memory of 2308 5052 00880.exe 94 PID 5052 
wrote to memory of 2308 5052 00880.exe 94 PID 5052 wrote to memory of 2308 5052 00880.exe 94 PID 2308 wrote to memory of 2400 2308 882684.exe 95 PID 2308 wrote to memory of 2400 2308 882684.exe 95 PID 2308 wrote to memory of 2400 2308 882684.exe 95 PID 2400 wrote to memory of 3516 2400 flxlrfl.exe 96 PID 2400 wrote to memory of 3516 2400 flxlrfl.exe 96 PID 2400 wrote to memory of 3516 2400 flxlrfl.exe 96 PID 3516 wrote to memory of 3640 3516 xrrrxff.exe 97 PID 3516 wrote to memory of 3640 3516 xrrrxff.exe 97 PID 3516 wrote to memory of 3640 3516 xrrrxff.exe 97 PID 3640 wrote to memory of 2780 3640 8484464.exe 98 PID 3640 wrote to memory of 2780 3640 8484464.exe 98 PID 3640 wrote to memory of 2780 3640 8484464.exe 98 PID 2780 wrote to memory of 4832 2780 228888.exe 278 PID 2780 wrote to memory of 4832 2780 228888.exe 278 PID 2780 wrote to memory of 4832 2780 228888.exe 278 PID 4832 wrote to memory of 3244 4832 llflxxl.exe 343 PID 4832 wrote to memory of 3244 4832 llflxxl.exe 343 PID 4832 wrote to memory of 3244 4832 llflxxl.exe 343 PID 3244 wrote to memory of 760 3244 jpppp.exe 101 PID 3244 wrote to memory of 760 3244 jpppp.exe 101 PID 3244 wrote to memory of 760 3244 jpppp.exe 101 PID 760 wrote to memory of 4716 760 flrllff.exe 345 PID 760 wrote to memory of 4716 760 flrllff.exe 345 PID 760 wrote to memory of 4716 760 flrllff.exe 345 PID 4716 wrote to memory of 1464 4716 246006.exe 226 PID 4716 wrote to memory of 1464 4716 246006.exe 226 PID 4716 wrote to memory of 1464 4716 246006.exe 226 PID 1464 wrote to memory of 3220 1464 462862.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe"C:\Users\Admin\AppData\Local\Temp\9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\jdjvp.exec:\jdjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\8226604.exec:\8226604.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\262204.exec:\262204.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\266666.exec:\266666.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\64228.exec:\64228.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\bbnbnt.exec:\bbnbnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\djjpp.exec:\djjpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\e62824.exec:\e62824.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\bnttnt.exec:\bnttnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\tnbbnn.exec:\tnbbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\00880.exec:\00880.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\882684.exec:\882684.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\flxlrfl.exec:\flxlrfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\xrrrxff.exec:\xrrrxff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\8484464.exec:\8484464.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\228888.exec:\228888.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\llflxxl.exec:\llflxxl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\jpppp.exec:\jpppp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\flrllff.exec:\flrllff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\246006.exec:\246006.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\462862.exec:\462862.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\rrxllrr.exec:\rrxllrr.exe23⤵
- Executes dropped EXE
PID:3220 -
\??\c:\2402488.exec:\2402488.exe24⤵
- Executes dropped EXE
PID:4004 -
\??\c:\vpvpp.exec:\vpvpp.exe25⤵
- Executes dropped EXE
PID:4232 -
\??\c:\240222.exec:\240222.exe26⤵
- Executes dropped EXE
PID:3964 -
\??\c:\624880.exec:\624880.exe27⤵
- Executes dropped EXE
PID:5032 -
\??\c:\dvdpd.exec:\dvdpd.exe28⤵
- Executes dropped EXE
PID:1876 -
\??\c:\66088.exec:\66088.exe29⤵
- Executes dropped EXE
PID:3976 -
\??\c:\ntnhhh.exec:\ntnhhh.exe30⤵
- Executes dropped EXE
PID:4052 -
\??\c:\frrflfx.exec:\frrflfx.exe31⤵
- Executes dropped EXE
PID:1304 -
\??\c:\rlxxlrr.exec:\rlxxlrr.exe32⤵
- Executes dropped EXE
PID:1772 -
\??\c:\dvjjj.exec:\dvjjj.exe33⤵
- Executes dropped EXE
PID:1664 -
\??\c:\jpppj.exec:\jpppj.exe34⤵
- Executes dropped EXE
PID:3568 -
\??\c:\8008400.exec:\8008400.exe35⤵
- Executes dropped EXE
PID:3040 -
\??\c:\bhtttt.exec:\bhtttt.exe36⤵
- Executes dropped EXE
PID:1568 -
\??\c:\68884.exec:\68884.exe37⤵
- Executes dropped EXE
PID:3164 -
\??\c:\bbbtbb.exec:\bbbtbb.exe38⤵
- Executes dropped EXE
PID:2888 -
\??\c:\vppjv.exec:\vppjv.exe39⤵
- Executes dropped EXE
PID:4292 -
\??\c:\thnhhh.exec:\thnhhh.exe40⤵
- Executes dropped EXE
PID:4796 -
\??\c:\lrrfxff.exec:\lrrfxff.exe41⤵
- Executes dropped EXE
PID:1468 -
\??\c:\4206060.exec:\4206060.exe42⤵
- Executes dropped EXE
PID:4604 -
\??\c:\vdjpj.exec:\vdjpj.exe43⤵
- Executes dropped EXE
PID:4700 -
\??\c:\thhbtn.exec:\thhbtn.exe44⤵
- Executes dropped EXE
PID:8 -
\??\c:\64484.exec:\64484.exe45⤵
- Executes dropped EXE
PID:3268 -
\??\c:\k88402.exec:\k88402.exe46⤵
- Executes dropped EXE
PID:2792 -
\??\c:\bnthnh.exec:\bnthnh.exe47⤵
- Executes dropped EXE
PID:3264 -
\??\c:\fffffrl.exec:\fffffrl.exe48⤵PID:3584
-
\??\c:\42888.exec:\42888.exe49⤵
- Executes dropped EXE
PID:1344 -
\??\c:\486248.exec:\486248.exe50⤵
- Executes dropped EXE
PID:3612 -
\??\c:\06240.exec:\06240.exe51⤵
- Executes dropped EXE
PID:1424 -
\??\c:\664446.exec:\664446.exe52⤵
- Executes dropped EXE
PID:3780 -
\??\c:\04606.exec:\04606.exe53⤵
- Executes dropped EXE
PID:2120 -
\??\c:\rlxlrxx.exec:\rlxlrxx.exe54⤵
- Executes dropped EXE
PID:3872 -
\??\c:\xrxrrll.exec:\xrxrrll.exe55⤵
- Executes dropped EXE
PID:3740 -
\??\c:\nhbtnh.exec:\nhbtnh.exe56⤵
- Executes dropped EXE
PID:824 -
\??\c:\6846224.exec:\6846224.exe57⤵
- Executes dropped EXE
PID:3704 -
\??\c:\280440.exec:\280440.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1892 -
\??\c:\nhhbtt.exec:\nhhbtt.exe59⤵
- Executes dropped EXE
PID:3748 -
\??\c:\6248882.exec:\6248882.exe60⤵
- Executes dropped EXE
PID:4296 -
\??\c:\20804.exec:\20804.exe61⤵
- Executes dropped EXE
PID:4248 -
\??\c:\vjpjd.exec:\vjpjd.exe62⤵
- Executes dropped EXE
PID:3828 -
\??\c:\jdvpv.exec:\jdvpv.exe63⤵
- Executes dropped EXE
PID:5092 -
\??\c:\pjjdj.exec:\pjjdj.exe64⤵
- Executes dropped EXE
PID:2880 -
\??\c:\1ppjv.exec:\1ppjv.exe65⤵
- Executes dropped EXE
PID:3536 -
\??\c:\nhbbth.exec:\nhbbth.exe66⤵
- Executes dropped EXE
PID:5052 -
\??\c:\0460662.exec:\0460662.exe67⤵PID:3184
-
\??\c:\rxflxxr.exec:\rxflxxr.exe68⤵PID:5076
-
\??\c:\lllllll.exec:\lllllll.exe69⤵PID:3640
-
\??\c:\nhhtnn.exec:\nhhtnn.exe70⤵PID:112
-
\??\c:\xrrrllf.exec:\xrrrllf.exe71⤵PID:4832
-
\??\c:\jvddd.exec:\jvddd.exe72⤵PID:3244
-
\??\c:\844260.exec:\844260.exe73⤵PID:4584
-
\??\c:\8264280.exec:\8264280.exe74⤵PID:1296
-
\??\c:\0864442.exec:\0864442.exe75⤵PID:4716
-
\??\c:\6804444.exec:\6804444.exe76⤵PID:224
-
\??\c:\682000.exec:\682000.exe77⤵PID:4464
-
\??\c:\40260.exec:\40260.exe78⤵PID:3716
-
\??\c:\tnnhbt.exec:\tnnhbt.exe79⤵PID:4432
-
\??\c:\2848228.exec:\2848228.exe80⤵PID:2076
-
\??\c:\046000.exec:\046000.exe81⤵PID:3768
-
\??\c:\tnnhbh.exec:\tnnhbh.exe82⤵PID:4560
-
\??\c:\hbbtnh.exec:\hbbtnh.exe83⤵PID:4648
-
\??\c:\68220.exec:\68220.exe84⤵PID:2348
-
\??\c:\nhhbtt.exec:\nhhbtt.exe85⤵PID:232
-
\??\c:\nnnhbb.exec:\nnnhbb.exe86⤵PID:3976
-
\??\c:\lrrfxxr.exec:\lrrfxxr.exe87⤵PID:3712
-
\??\c:\ddddd.exec:\ddddd.exe88⤵PID:1280
-
\??\c:\4848286.exec:\4848286.exe89⤵PID:372
-
\??\c:\4660848.exec:\4660848.exe90⤵PID:1772
-
\??\c:\262802.exec:\262802.exe91⤵PID:1752
-
\??\c:\vddvd.exec:\vddvd.exe92⤵PID:640
-
\??\c:\vdvvp.exec:\vdvvp.exe93⤵PID:5080
-
\??\c:\xxlflfl.exec:\xxlflfl.exe94⤵PID:3728
-
\??\c:\djpjd.exec:\djpjd.exe95⤵
- System Location Discovery: System Language Discovery
PID:3432 -
\??\c:\40048.exec:\40048.exe96⤵PID:1428
-
\??\c:\02084.exec:\02084.exe97⤵PID:2828
-
\??\c:\c828282.exec:\c828282.exe98⤵PID:4496
-
\??\c:\22624.exec:\22624.exe99⤵PID:4796
-
\??\c:\20648.exec:\20648.exe100⤵PID:1468
-
\??\c:\2626048.exec:\2626048.exe101⤵PID:4644
-
\??\c:\2642666.exec:\2642666.exe102⤵PID:4700
-
\??\c:\nnbhbb.exec:\nnbhbb.exe103⤵PID:1008
-
\??\c:\btbhnt.exec:\btbhnt.exe104⤵PID:3268
-
\??\c:\tbhbtt.exec:\tbhbtt.exe105⤵PID:2792
-
\??\c:\8220482.exec:\8220482.exe106⤵PID:4352
-
\??\c:\484880.exec:\484880.exe107⤵PID:1716
-
\??\c:\2668860.exec:\2668860.exe108⤵PID:1344
-
\??\c:\6826260.exec:\6826260.exe109⤵PID:3876
-
\??\c:\60482.exec:\60482.exe110⤵PID:1424
-
\??\c:\068042.exec:\068042.exe111⤵PID:1968
-
\??\c:\684444.exec:\684444.exe112⤵PID:3052
-
\??\c:\824486.exec:\824486.exe113⤵PID:2460
-
\??\c:\frxlfxr.exec:\frxlfxr.exe114⤵PID:592
-
\??\c:\9dvpp.exec:\9dvpp.exe115⤵PID:2184
-
\??\c:\vppjj.exec:\vppjj.exe116⤵PID:2144
-
\??\c:\5jdvp.exec:\5jdvp.exe117⤵PID:4528
-
\??\c:\xxxrlll.exec:\xxxrlll.exe118⤵PID:3972
-
\??\c:\xrxxrll.exec:\xrxxrll.exe119⤵PID:3492
-
\??\c:\xrrlrfl.exec:\xrrlrfl.exe120⤵PID:3520
-
\??\c:\lflrxlr.exec:\lflrxlr.exe121⤵PID:3788
-
\??\c:\6062808.exec:\6062808.exe122⤵PID:5020