Analysis
-
max time kernel
111s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 02:09
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe
-
Size
454KB
-
MD5
3d79e772da9b32b4905bc7ac91f3f730
-
SHA1
574d87655f5f926fd39d260121afda8718ef8cdf
-
SHA256
8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348a
-
SHA512
5f0b50a1665ec1c5d7fd380163e3b8132616ea316d9ad7841a855430eed12b3f2f2e3cc7185f531cd67dd1db39e9ea79538860d9a7c72fa56532b98e5c78b63c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4400-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4780-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1504-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-979-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2112-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3156 9nbbtt.exe 628 dpjdd.exe 4232 vjjdp.exe 4904 3xfxllf.exe 2596 hthtbb.exe 2660 ttbttt.exe 4068 rrrrrrr.exe 3136 xffrlfx.exe 1392 nhtbtt.exe 3408 pdvpp.exe 1228 5hbtht.exe 3292 ppdvj.exe 944 5vvpp.exe 2360 lrxrrfr.exe 3592 9xffllr.exe 4124 bhtbtn.exe 64 jppdp.exe 4044 1rlfxxl.exe 1380 xlrlffx.exe 4848 bnnnhh.exe 3612 dddvp.exe 3748 vpvdv.exe 3620 3flfffx.exe 4780 hbbbth.exe 2276 jjjjd.exe 3664 vpddv.exe 1504 lllllll.exe 804 7dddv.exe 1688 9ffrlfx.exe 3740 xrxrrrf.exe 3344 9nhbnn.exe 2888 djjjj.exe 4244 5xrlffx.exe 744 hnbtnn.exe 1068 3ppjv.exe 3832 xrrfrlx.exe 4272 7lrfxxl.exe 3400 9vpjd.exe 4936 fxfxrxx.exe 3776 rfxlfxr.exe 2852 thhtnb.exe 864 vjpdv.exe 208 rrlxlxl.exe 4836 lxffxxx.exe 4300 nbthtn.exe 3064 dpddp.exe 4340 3flxxrr.exe 2720 3xxrllf.exe 4944 btbtnh.exe 3188 ddpdp.exe 4040 3flfrxf.exe 1100 xffxlxr.exe 1232 hbbnhb.exe 4540 jvddv.exe 4920 lrxrfxl.exe 3008 7rxfffx.exe 4552 5bnhnn.exe 4812 1hbnbt.exe 2336 jvpjj.exe 2548 9lfllfl.exe 4116 7llxlfr.exe 4820 nththt.exe 5096 tnnhnh.exe 2264 jddpj.exe -
resource yara_rule behavioral2/memory/4400-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-424-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/512-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-110-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3592-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-979-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-918-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxfrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbtb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4400 wrote to memory of 3156 4400 8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe 82 PID 4400 wrote to memory of 3156 4400 8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe 82 PID 4400 wrote to memory of 3156 4400 8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe 82 PID 3156 wrote to memory of 628 3156 9nbbtt.exe 83 PID 3156 wrote to memory of 628 3156 9nbbtt.exe 83 PID 3156 wrote to memory of 628 3156 9nbbtt.exe 83 PID 628 wrote to memory of 4232 628 dpjdd.exe 84 PID 628 wrote to memory of 4232 628 dpjdd.exe 84 PID 628 wrote to memory of 4232 628 dpjdd.exe 84 PID 4232 wrote to memory of 4904 4232 vjjdp.exe 85 PID 4232 wrote to memory of 4904 4232 vjjdp.exe 85 PID 4232 wrote to memory of 4904 4232 vjjdp.exe 85 PID 4904 wrote to memory of 2596 4904 3xfxllf.exe 86 PID 4904 wrote to memory of 2596 4904 3xfxllf.exe 86 PID 4904 wrote to memory of 2596 4904 3xfxllf.exe 86 PID 2596 wrote to memory of 2660 2596 hthtbb.exe 87 PID 2596 wrote to memory of 2660 2596 hthtbb.exe 87 PID 2596 wrote to memory of 2660 2596 hthtbb.exe 87 PID 2660 wrote to memory of 4068 2660 ttbttt.exe 88 PID 2660 wrote to memory of 4068 2660 ttbttt.exe 88 PID 2660 wrote to memory of 4068 2660 ttbttt.exe 88 PID 4068 wrote to memory of 3136 4068 rrrrrrr.exe 89 PID 4068 wrote to memory of 3136 4068 rrrrrrr.exe 89 PID 4068 wrote to memory of 3136 4068 rrrrrrr.exe 89 PID 3136 wrote to memory of 1392 3136 xffrlfx.exe 90 PID 3136 wrote to memory of 1392 3136 xffrlfx.exe 90 PID 3136 wrote to memory of 1392 3136 xffrlfx.exe 90 PID 1392 wrote to memory of 3408 1392 nhtbtt.exe 91 PID 1392 wrote to memory of 3408 1392 nhtbtt.exe 91 PID 1392 wrote to memory of 3408 1392 nhtbtt.exe 91 PID 3408 wrote to memory of 1228 3408 pdvpp.exe 92 PID 3408 wrote to memory of 1228 3408 pdvpp.exe 92 PID 3408 wrote to memory of 1228 3408 pdvpp.exe 92 PID 1228 wrote to memory of 3292 1228 5hbtht.exe 93 PID 1228 wrote to memory 
of 3292 1228 5hbtht.exe 93 PID 1228 wrote to memory of 3292 1228 5hbtht.exe 93 PID 3292 wrote to memory of 944 3292 ppdvj.exe 94 PID 3292 wrote to memory of 944 3292 ppdvj.exe 94 PID 3292 wrote to memory of 944 3292 ppdvj.exe 94 PID 944 wrote to memory of 2360 944 5vvpp.exe 95 PID 944 wrote to memory of 2360 944 5vvpp.exe 95 PID 944 wrote to memory of 2360 944 5vvpp.exe 95 PID 2360 wrote to memory of 3592 2360 lrxrrfr.exe 96 PID 2360 wrote to memory of 3592 2360 lrxrrfr.exe 96 PID 2360 wrote to memory of 3592 2360 lrxrrfr.exe 96 PID 3592 wrote to memory of 4124 3592 9xffllr.exe 97 PID 3592 wrote to memory of 4124 3592 9xffllr.exe 97 PID 3592 wrote to memory of 4124 3592 9xffllr.exe 97 PID 4124 wrote to memory of 64 4124 bhtbtn.exe 98 PID 4124 wrote to memory of 64 4124 bhtbtn.exe 98 PID 4124 wrote to memory of 64 4124 bhtbtn.exe 98 PID 64 wrote to memory of 4044 64 jppdp.exe 99 PID 64 wrote to memory of 4044 64 jppdp.exe 99 PID 64 wrote to memory of 4044 64 jppdp.exe 99 PID 4044 wrote to memory of 1380 4044 1rlfxxl.exe 100 PID 4044 wrote to memory of 1380 4044 1rlfxxl.exe 100 PID 4044 wrote to memory of 1380 4044 1rlfxxl.exe 100 PID 1380 wrote to memory of 4848 1380 xlrlffx.exe 101 PID 1380 wrote to memory of 4848 1380 xlrlffx.exe 101 PID 1380 wrote to memory of 4848 1380 xlrlffx.exe 101 PID 4848 wrote to memory of 3612 4848 bnnnhh.exe 102 PID 4848 wrote to memory of 3612 4848 bnnnhh.exe 102 PID 4848 wrote to memory of 3612 4848 bnnnhh.exe 102 PID 3612 wrote to memory of 3748 3612 dddvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe"C:\Users\Admin\AppData\Local\Temp\8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\9nbbtt.exec:\9nbbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\dpjdd.exec:\dpjdd.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\vjjdp.exec:\vjjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\3xfxllf.exec:\3xfxllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\hthtbb.exec:\hthtbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\ttbttt.exec:\ttbttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\xffrlfx.exec:\xffrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\nhtbtt.exec:\nhtbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\pdvpp.exec:\pdvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\5hbtht.exec:\5hbtht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\ppdvj.exec:\ppdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\5vvpp.exec:\5vvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\lrxrrfr.exec:\lrxrrfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\9xffllr.exec:\9xffllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\bhtbtn.exec:\bhtbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\jppdp.exec:\jppdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\1rlfxxl.exec:\1rlfxxl.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\xlrlffx.exec:\xlrlffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\bnnnhh.exec:\bnnnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\dddvp.exec:\dddvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\vpvdv.exec:\vpvdv.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3748 -
\??\c:\3flfffx.exec:\3flfffx.exe24⤵
- Executes dropped EXE
PID:3620 -
\??\c:\hbbbth.exec:\hbbbth.exe25⤵
- Executes dropped EXE
PID:4780 -
\??\c:\jjjjd.exec:\jjjjd.exe26⤵
- Executes dropped EXE
PID:2276 -
\??\c:\vpddv.exec:\vpddv.exe27⤵
- Executes dropped EXE
PID:3664 -
\??\c:\lllllll.exec:\lllllll.exe28⤵
- Executes dropped EXE
PID:1504 -
\??\c:\7dddv.exec:\7dddv.exe29⤵
- Executes dropped EXE
PID:804 -
\??\c:\9ffrlfx.exec:\9ffrlfx.exe30⤵
- Executes dropped EXE
PID:1688 -
\??\c:\xrxrrrf.exec:\xrxrrrf.exe31⤵
- Executes dropped EXE
PID:3740 -
\??\c:\9nhbnn.exec:\9nhbnn.exe32⤵
- Executes dropped EXE
PID:3344 -
\??\c:\djjjj.exec:\djjjj.exe33⤵
- Executes dropped EXE
PID:2888 -
\??\c:\5xrlffx.exec:\5xrlffx.exe34⤵
- Executes dropped EXE
PID:4244 -
\??\c:\hnbtnn.exec:\hnbtnn.exe35⤵
- Executes dropped EXE
PID:744 -
\??\c:\3ppjv.exec:\3ppjv.exe36⤵
- Executes dropped EXE
PID:1068 -
\??\c:\xrrfrlx.exec:\xrrfrlx.exe37⤵
- Executes dropped EXE
PID:3832 -
\??\c:\7lrfxxl.exec:\7lrfxxl.exe38⤵
- Executes dropped EXE
PID:4272 -
\??\c:\9vpjd.exec:\9vpjd.exe39⤵
- Executes dropped EXE
PID:3400 -
\??\c:\fxfxrxx.exec:\fxfxrxx.exe40⤵
- Executes dropped EXE
PID:4936 -
\??\c:\rfxlfxr.exec:\rfxlfxr.exe41⤵
- Executes dropped EXE
PID:3776 -
\??\c:\thhtnb.exec:\thhtnb.exe42⤵
- Executes dropped EXE
PID:2852 -
\??\c:\vjpdv.exec:\vjpdv.exe43⤵
- Executes dropped EXE
PID:864 -
\??\c:\rrlxlxl.exec:\rrlxlxl.exe44⤵
- Executes dropped EXE
PID:208 -
\??\c:\lxffxxx.exec:\lxffxxx.exe45⤵
- Executes dropped EXE
PID:4836 -
\??\c:\nbthtn.exec:\nbthtn.exe46⤵
- Executes dropped EXE
PID:4300 -
\??\c:\dpddp.exec:\dpddp.exe47⤵
- Executes dropped EXE
PID:3064 -
\??\c:\3flxxrr.exec:\3flxxrr.exe48⤵
- Executes dropped EXE
PID:4340 -
\??\c:\3xxrllf.exec:\3xxrllf.exe49⤵
- Executes dropped EXE
PID:2720 -
\??\c:\btbtnh.exec:\btbtnh.exe50⤵
- Executes dropped EXE
PID:4944 -
\??\c:\ddpdp.exec:\ddpdp.exe51⤵
- Executes dropped EXE
PID:3188 -
\??\c:\3flfrxf.exec:\3flfrxf.exe52⤵
- Executes dropped EXE
PID:4040 -
\??\c:\xffxlxr.exec:\xffxlxr.exe53⤵
- Executes dropped EXE
PID:1100 -
\??\c:\hbbnhb.exec:\hbbnhb.exe54⤵
- Executes dropped EXE
PID:1232 -
\??\c:\jvddv.exec:\jvddv.exe55⤵
- Executes dropped EXE
PID:4540 -
\??\c:\lrxrfxl.exec:\lrxrfxl.exe56⤵
- Executes dropped EXE
PID:4920 -
\??\c:\7rxfffx.exec:\7rxfffx.exe57⤵
- Executes dropped EXE
PID:3008 -
\??\c:\5bnhnn.exec:\5bnhnn.exe58⤵
- Executes dropped EXE
PID:4552 -
\??\c:\1hbnbt.exec:\1hbnbt.exe59⤵
- Executes dropped EXE
PID:4812 -
\??\c:\jvpjj.exec:\jvpjj.exe60⤵
- Executes dropped EXE
PID:2336 -
\??\c:\9lfllfl.exec:\9lfllfl.exe61⤵
- Executes dropped EXE
PID:2548 -
\??\c:\7llxlfr.exec:\7llxlfr.exe62⤵
- Executes dropped EXE
PID:4116 -
\??\c:\nththt.exec:\nththt.exe63⤵
- Executes dropped EXE
PID:4820 -
\??\c:\tnnhnh.exec:\tnnhnh.exe64⤵
- Executes dropped EXE
PID:5096 -
\??\c:\jddpj.exec:\jddpj.exe65⤵
- Executes dropped EXE
PID:2264 -
\??\c:\rxxfxfx.exec:\rxxfxfx.exe66⤵PID:808
-
\??\c:\xrlxxrf.exec:\xrlxxrf.exe67⤵PID:3296
-
\??\c:\bnnhbn.exec:\bnnhbn.exe68⤵PID:2004
-
\??\c:\jddjv.exec:\jddjv.exe69⤵PID:1724
-
\??\c:\llrlffx.exec:\llrlffx.exe70⤵PID:2384
-
\??\c:\btttbh.exec:\btttbh.exe71⤵PID:4080
-
\??\c:\dpjvj.exec:\dpjvj.exe72⤵PID:3896
-
\??\c:\vjjvd.exec:\vjjvd.exe73⤵
- System Location Discovery: System Language Discovery
PID:2344 -
\??\c:\fxrxrll.exec:\fxrxrll.exe74⤵PID:212
-
\??\c:\nhbnhh.exec:\nhbnhh.exe75⤵PID:612
-
\??\c:\pjddd.exec:\pjddd.exe76⤵PID:4500
-
\??\c:\jdvdp.exec:\jdvdp.exe77⤵PID:4596
-
\??\c:\xlfxlfr.exec:\xlfxlfr.exe78⤵PID:2860
-
\??\c:\9bbttn.exec:\9bbttn.exe79⤵PID:4448
-
\??\c:\hhhhtn.exec:\hhhhtn.exe80⤵PID:3304
-
\??\c:\5vjvj.exec:\5vjvj.exe81⤵PID:948
-
\??\c:\vvjdj.exec:\vvjdj.exe82⤵PID:4572
-
\??\c:\llxrrll.exec:\llxrrll.exe83⤵PID:3268
-
\??\c:\nbbttb.exec:\nbbttb.exe84⤵PID:3576
-
\??\c:\bbbtnn.exec:\bbbtnn.exe85⤵PID:4780
-
\??\c:\dvvpj.exec:\dvvpj.exe86⤵PID:4824
-
\??\c:\5rxrxxf.exec:\5rxrxxf.exe87⤵PID:2948
-
\??\c:\9xfflrf.exec:\9xfflrf.exe88⤵PID:856
-
\??\c:\7httnn.exec:\7httnn.exe89⤵PID:1760
-
\??\c:\jvpdv.exec:\jvpdv.exe90⤵PID:5012
-
\??\c:\jvdpv.exec:\jvdpv.exe91⤵PID:4968
-
\??\c:\xxffllx.exec:\xxffllx.exe92⤵PID:3384
-
\??\c:\rxrfrfr.exec:\rxrfrfr.exe93⤵PID:3540
-
\??\c:\5htnbb.exec:\5htnbb.exe94⤵PID:3876
-
\??\c:\5vdpj.exec:\5vdpj.exe95⤵PID:1484
-
\??\c:\pjpdd.exec:\pjpdd.exe96⤵
- System Location Discovery: System Language Discovery
PID:3556 -
\??\c:\xxxfxlf.exec:\xxxfxlf.exe97⤵PID:2624
-
\??\c:\hnhtht.exec:\hnhtht.exe98⤵PID:1128
-
\??\c:\nbnbhh.exec:\nbnbhh.exe99⤵PID:336
-
\??\c:\vdvpd.exec:\vdvpd.exe100⤵PID:3368
-
\??\c:\flrffxr.exec:\flrffxr.exe101⤵PID:1948
-
\??\c:\lffrrfl.exec:\lffrrfl.exe102⤵PID:1676
-
\??\c:\htbtnn.exec:\htbtnn.exe103⤵PID:4268
-
\??\c:\bhhhbb.exec:\bhhhbb.exe104⤵PID:1616
-
\??\c:\5vvjd.exec:\5vvjd.exe105⤵PID:1236
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe106⤵PID:512
-
\??\c:\3xxrrlr.exec:\3xxrrlr.exe107⤵PID:1124
-
\??\c:\1nbnnh.exec:\1nbnnh.exe108⤵PID:316
-
\??\c:\pjvjv.exec:\pjvjv.exe109⤵PID:1716
-
\??\c:\jpdvp.exec:\jpdvp.exe110⤵PID:1952
-
\??\c:\1llxlfx.exec:\1llxlfx.exe111⤵PID:3756
-
\??\c:\3xlfxxx.exec:\3xlfxxx.exe112⤵PID:3516
-
\??\c:\3ttnhh.exec:\3ttnhh.exe113⤵PID:2300
-
\??\c:\vvddp.exec:\vvddp.exe114⤵PID:2760
-
\??\c:\9pdpv.exec:\9pdpv.exe115⤵PID:4944
-
\??\c:\rfllfff.exec:\rfllfff.exe116⤵PID:4952
-
\??\c:\9ffrxrr.exec:\9ffrxrr.exe117⤵PID:1828
-
\??\c:\tnhbbb.exec:\tnhbbb.exe118⤵PID:2180
-
\??\c:\dpdvp.exec:\dpdvp.exe119⤵PID:4672
-
\??\c:\1jddp.exec:\1jddp.exe120⤵PID:708
-
\??\c:\fxxfrxf.exec:\fxxfrxf.exe121⤵
- System Location Discovery: System Language Discovery
PID:2904 -
\??\c:\3bhbhh.exec:\3bhbhh.exe122⤵PID:672