Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 03:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0071fcd5afac4444f0dbe66af9f94cb22dc73fc83c088329b21977b45bd50dbN.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e0071fcd5afac4444f0dbe66af9f94cb22dc73fc83c088329b21977b45bd50dbN.exe
-
Size
456KB
-
MD5
4c5dd5d66536fb0e7bc0f6a8a3022790
-
SHA1
de8879c0367290c6f8718eaba6bc144643e33c70
-
SHA256
e0071fcd5afac4444f0dbe66af9f94cb22dc73fc83c088329b21977b45bd50db
-
SHA512
566765a545d7284475c3ed261c0ff76b319be8d7d1b506a7cf1af8d6e5cab486b722d9971df0863956883ad98a850ac5bbf6909f47a96600d06c4eaac8ef8267
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRS:q7Tc2NYHUrAwfMp3CDRS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4644-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3868-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1684-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-1314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2984 3tnhbt.exe 3136 1jjdv.exe 2036 jdvdd.exe 4472 nntbbn.exe 1288 xrllfff.exe 2312 tnnhhh.exe 952 pjpjd.exe 4160 bnbbnn.exe 4552 1ttnbb.exe 3068 vppjj.exe 1196 1lflffx.exe 4316 thtbth.exe 4112 7ppdv.exe 2672 lrrlfff.exe 4340 hbbnhb.exe 4212 tthbnn.exe 4492 xllxrrl.exe 4312 btbbhb.exe 3360 dvpjj.exe 3460 rrrrllf.exe 4848 htnntn.exe 4612 vvpjp.exe 712 rlflffx.exe 2412 htbbtt.exe 3868 hbbtnn.exe 3536 jdvvj.exe 2300 9rxfxll.exe 2960 thhhbh.exe 2136 lllfxfx.exe 1352 3flllrl.exe 4104 3llffxr.exe 2060 lfxrllf.exe 3864 vjjjj.exe 2428 pdpjd.exe 4100 rxflllf.exe 3416 hbbnhh.exe 3668 ddjjv.exe 1672 tnhhbb.exe 4080 llxrxrx.exe 1540 dpvpd.exe 1224 nthbnn.exe 2592 vjpjj.exe 2304 frrxxff.exe 4872 bbbttn.exe 4676 jvjdd.exe 1768 3ffxlrl.exe 4420 5dpjd.exe 4008 lxxrlrl.exe 4568 hhhbbb.exe 552 ddddv.exe 1888 dpvpp.exe 444 lxffffx.exe 2312 hhhnhn.exe 5028 nhhbtt.exe 4268 djjdp.exe 3388 fxfrlll.exe 1596 btbttt.exe 4696 3jpjp.exe 4108 jddvp.exe 1196 flllfff.exe 3248 xrfxllf.exe 1416 nthhbb.exe 400 vjpjd.exe 2080 9ffflfl.exe -
resource yara_rule behavioral2/memory/4644-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3868-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-324-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1496-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-882-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrlrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdpp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4644 wrote to memory of 2984 4644 e0071fcd5afac4444f0dbe66af9f94cb22dc73fc83c088329b21977b45bd50dbN.exe 82 PID 4644 wrote to memory of 2984 4644 e0071fcd5afac4444f0dbe66af9f94cb22dc73fc83c088329b21977b45bd50dbN.exe 82 PID 4644 wrote to memory of 2984 4644 e0071fcd5afac4444f0dbe66af9f94cb22dc73fc83c088329b21977b45bd50dbN.exe 82 PID 2984 wrote to memory of 3136 2984 3tnhbt.exe 83 PID 2984 wrote to memory of 3136 2984 3tnhbt.exe 83 PID 2984 wrote to memory of 3136 2984 3tnhbt.exe 83 PID 3136 wrote to memory of 2036 3136 1jjdv.exe 84 PID 3136 wrote to memory of 2036 3136 1jjdv.exe 84 PID 3136 wrote to memory of 2036 3136 1jjdv.exe 84 PID 2036 wrote to memory of 4472 2036 jdvdd.exe 85 PID 2036 wrote to memory of 4472 2036 jdvdd.exe 85 PID 2036 wrote to memory of 4472 2036 jdvdd.exe 85 PID 4472 wrote to memory of 1288 4472 nntbbn.exe 86 PID 4472 wrote to memory of 1288 4472 nntbbn.exe 86 PID 4472 wrote to memory of 1288 4472 nntbbn.exe 86 PID 1288 wrote to memory of 2312 1288 xrllfff.exe 87 PID 1288 wrote to memory of 2312 1288 xrllfff.exe 87 PID 1288 wrote to memory of 2312 1288 xrllfff.exe 87 PID 2312 wrote to memory of 952 2312 tnnhhh.exe 88 PID 2312 wrote to memory of 952 2312 tnnhhh.exe 88 PID 2312 wrote to memory of 952 2312 tnnhhh.exe 88 PID 952 wrote to memory of 4160 952 pjpjd.exe 89 PID 952 wrote to memory of 4160 952 pjpjd.exe 89 PID 952 wrote to memory of 4160 952 pjpjd.exe 89 PID 4160 wrote to memory of 4552 4160 bnbbnn.exe 90 PID 4160 wrote to memory of 4552 4160 bnbbnn.exe 90 PID 4160 wrote to memory of 4552 4160 bnbbnn.exe 90 PID 4552 wrote to memory of 3068 4552 1ttnbb.exe 91 PID 4552 wrote to memory of 3068 4552 1ttnbb.exe 91 PID 4552 wrote to memory of 3068 4552 1ttnbb.exe 91 PID 3068 wrote to memory of 1196 3068 vppjj.exe 92 PID 3068 wrote to memory of 1196 3068 vppjj.exe 92 PID 3068 wrote to memory of 1196 3068 vppjj.exe 92 PID 1196 wrote to memory of 4316 1196 1lflffx.exe 93 PID 1196 wrote to memory of 4316 
1196 1lflffx.exe 93 PID 1196 wrote to memory of 4316 1196 1lflffx.exe 93 PID 4316 wrote to memory of 4112 4316 thtbth.exe 94 PID 4316 wrote to memory of 4112 4316 thtbth.exe 94 PID 4316 wrote to memory of 4112 4316 thtbth.exe 94 PID 4112 wrote to memory of 2672 4112 7ppdv.exe 95 PID 4112 wrote to memory of 2672 4112 7ppdv.exe 95 PID 4112 wrote to memory of 2672 4112 7ppdv.exe 95 PID 2672 wrote to memory of 4340 2672 lrrlfff.exe 96 PID 2672 wrote to memory of 4340 2672 lrrlfff.exe 96 PID 2672 wrote to memory of 4340 2672 lrrlfff.exe 96 PID 4340 wrote to memory of 4212 4340 hbbnhb.exe 97 PID 4340 wrote to memory of 4212 4340 hbbnhb.exe 97 PID 4340 wrote to memory of 4212 4340 hbbnhb.exe 97 PID 4212 wrote to memory of 4492 4212 tthbnn.exe 98 PID 4212 wrote to memory of 4492 4212 tthbnn.exe 98 PID 4212 wrote to memory of 4492 4212 tthbnn.exe 98 PID 4492 wrote to memory of 4312 4492 xllxrrl.exe 99 PID 4492 wrote to memory of 4312 4492 xllxrrl.exe 99 PID 4492 wrote to memory of 4312 4492 xllxrrl.exe 99 PID 4312 wrote to memory of 3360 4312 btbbhb.exe 100 PID 4312 wrote to memory of 3360 4312 btbbhb.exe 100 PID 4312 wrote to memory of 3360 4312 btbbhb.exe 100 PID 3360 wrote to memory of 3460 3360 dvpjj.exe 101 PID 3360 wrote to memory of 3460 3360 dvpjj.exe 101 PID 3360 wrote to memory of 3460 3360 dvpjj.exe 101 PID 3460 wrote to memory of 4848 3460 rrrrllf.exe 102 PID 3460 wrote to memory of 4848 3460 rrrrllf.exe 102 PID 3460 wrote to memory of 4848 3460 rrrrllf.exe 102 PID 4848 wrote to memory of 4612 4848 htnntn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0071fcd5afac4444f0dbe66af9f94cb22dc73fc83c088329b21977b45bd50dbN.exe"C:\Users\Admin\AppData\Local\Temp\e0071fcd5afac4444f0dbe66af9f94cb22dc73fc83c088329b21977b45bd50dbN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\3tnhbt.exec:\3tnhbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\1jjdv.exec:\1jjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\jdvdd.exec:\jdvdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\nntbbn.exec:\nntbbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\xrllfff.exec:\xrllfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\tnnhhh.exec:\tnnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\pjpjd.exec:\pjpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\bnbbnn.exec:\bnbbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\1ttnbb.exec:\1ttnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\vppjj.exec:\vppjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\1lflffx.exec:\1lflffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\thtbth.exec:\thtbth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\7ppdv.exec:\7ppdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\lrrlfff.exec:\lrrlfff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\hbbnhb.exec:\hbbnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\tthbnn.exec:\tthbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\xllxrrl.exec:\xllxrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\btbbhb.exec:\btbbhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\dvpjj.exec:\dvpjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\rrrrllf.exec:\rrrrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\htnntn.exec:\htnntn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\vvpjp.exec:\vvpjp.exe23⤵
- Executes dropped EXE
PID:4612 -
\??\c:\rlflffx.exec:\rlflffx.exe24⤵
- Executes dropped EXE
PID:712 -
\??\c:\htbbtt.exec:\htbbtt.exe25⤵
- Executes dropped EXE
PID:2412 -
\??\c:\hbbtnn.exec:\hbbtnn.exe26⤵
- Executes dropped EXE
PID:3868 -
\??\c:\jdvvj.exec:\jdvvj.exe27⤵
- Executes dropped EXE
PID:3536 -
\??\c:\9rxfxll.exec:\9rxfxll.exe28⤵
- Executes dropped EXE
PID:2300 -
\??\c:\thhhbh.exec:\thhhbh.exe29⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lllfxfx.exec:\lllfxfx.exe30⤵
- Executes dropped EXE
PID:2136 -
\??\c:\3flllrl.exec:\3flllrl.exe31⤵
- Executes dropped EXE
PID:1352 -
\??\c:\3llffxr.exec:\3llffxr.exe32⤵
- Executes dropped EXE
PID:4104 -
\??\c:\lfxrllf.exec:\lfxrllf.exe33⤵
- Executes dropped EXE
PID:2060 -
\??\c:\vjjjj.exec:\vjjjj.exe34⤵
- Executes dropped EXE
PID:3864 -
\??\c:\pdpjd.exec:\pdpjd.exe35⤵
- Executes dropped EXE
PID:2428 -
\??\c:\rxflllf.exec:\rxflllf.exe36⤵
- Executes dropped EXE
PID:4100 -
\??\c:\hbbnhh.exec:\hbbnhh.exe37⤵
- Executes dropped EXE
PID:3416 -
\??\c:\ddjjv.exec:\ddjjv.exe38⤵
- Executes dropped EXE
PID:3668 -
\??\c:\tnhhbb.exec:\tnhhbb.exe39⤵
- Executes dropped EXE
PID:1672 -
\??\c:\llxrxrx.exec:\llxrxrx.exe40⤵
- Executes dropped EXE
PID:4080 -
\??\c:\dpvpd.exec:\dpvpd.exe41⤵
- Executes dropped EXE
PID:1540 -
\??\c:\nthbnn.exec:\nthbnn.exe42⤵
- Executes dropped EXE
PID:1224 -
\??\c:\vjpjj.exec:\vjpjj.exe43⤵
- Executes dropped EXE
PID:2592 -
\??\c:\frrxxff.exec:\frrxxff.exe44⤵
- Executes dropped EXE
PID:2304 -
\??\c:\bbbttn.exec:\bbbttn.exe45⤵
- Executes dropped EXE
PID:4872 -
\??\c:\jvjdd.exec:\jvjdd.exe46⤵
- Executes dropped EXE
PID:4676 -
\??\c:\3ffxlrl.exec:\3ffxlrl.exe47⤵
- Executes dropped EXE
PID:1768 -
\??\c:\5dpjd.exec:\5dpjd.exe48⤵
- Executes dropped EXE
PID:4420 -
\??\c:\lxxrlrl.exec:\lxxrlrl.exe49⤵
- Executes dropped EXE
PID:4008 -
\??\c:\hhhbbb.exec:\hhhbbb.exe50⤵
- Executes dropped EXE
PID:4568 -
\??\c:\ddddv.exec:\ddddv.exe51⤵
- Executes dropped EXE
PID:552 -
\??\c:\dpvpp.exec:\dpvpp.exe52⤵
- Executes dropped EXE
PID:1888 -
\??\c:\lxffffx.exec:\lxffffx.exe53⤵
- Executes dropped EXE
PID:444 -
\??\c:\hhhnhn.exec:\hhhnhn.exe54⤵
- Executes dropped EXE
PID:2312 -
\??\c:\nhhbtt.exec:\nhhbtt.exe55⤵
- Executes dropped EXE
PID:5028 -
\??\c:\djjdp.exec:\djjdp.exe56⤵
- Executes dropped EXE
PID:4268 -
\??\c:\fxfrlll.exec:\fxfrlll.exe57⤵
- Executes dropped EXE
PID:3388 -
\??\c:\btbttt.exec:\btbttt.exe58⤵
- Executes dropped EXE
PID:1596 -
\??\c:\3jpjp.exec:\3jpjp.exe59⤵
- Executes dropped EXE
PID:4696 -
\??\c:\jddvp.exec:\jddvp.exe60⤵
- Executes dropped EXE
PID:4108 -
\??\c:\flllfff.exec:\flllfff.exe61⤵
- Executes dropped EXE
PID:1196 -
\??\c:\xrfxllf.exec:\xrfxllf.exe62⤵
- Executes dropped EXE
PID:3248 -
\??\c:\nthhbb.exec:\nthhbb.exe63⤵
- Executes dropped EXE
PID:1416 -
\??\c:\vjpjd.exec:\vjpjd.exe64⤵
- Executes dropped EXE
PID:400 -
\??\c:\9ffflfl.exec:\9ffflfl.exe65⤵
- Executes dropped EXE
PID:2080 -
\??\c:\thtnbn.exec:\thtnbn.exe66⤵PID:1356
-
\??\c:\hbnttt.exec:\hbnttt.exe67⤵PID:1060
-
\??\c:\pdjdp.exec:\pdjdp.exe68⤵PID:1604
-
\??\c:\9flflfl.exec:\9flflfl.exe69⤵PID:4836
-
\??\c:\hbbthb.exec:\hbbthb.exe70⤵PID:1684
-
\??\c:\bbtnhb.exec:\bbtnhb.exe71⤵PID:4312
-
\??\c:\ddddv.exec:\ddddv.exe72⤵PID:3408
-
\??\c:\frrxflx.exec:\frrxflx.exe73⤵PID:5084
-
\??\c:\hbthbt.exec:\hbthbt.exe74⤵PID:4848
-
\??\c:\jppjd.exec:\jppjd.exe75⤵PID:1496
-
\??\c:\lrrrxlr.exec:\lrrrxlr.exe76⤵PID:4816
-
\??\c:\rlfxllf.exec:\rlfxllf.exe77⤵PID:2548
-
\??\c:\htbnnb.exec:\htbnnb.exe78⤵PID:5004
-
\??\c:\vpjvv.exec:\vpjvv.exe79⤵PID:4788
-
\??\c:\7jvpd.exec:\7jvpd.exe80⤵PID:1348
-
\??\c:\flrfrlr.exec:\flrfrlr.exe81⤵PID:2608
-
\??\c:\htnhtn.exec:\htnhtn.exe82⤵PID:640
-
\??\c:\pvdvp.exec:\pvdvp.exe83⤵PID:4800
-
\??\c:\jvjvv.exec:\jvjvv.exe84⤵PID:2000
-
\??\c:\frrlfff.exec:\frrlfff.exe85⤵PID:4740
-
\??\c:\ntnhhb.exec:\ntnhhb.exe86⤵PID:4056
-
\??\c:\9vdvv.exec:\9vdvv.exe87⤵PID:4732
-
\??\c:\lffxrlf.exec:\lffxrlf.exe88⤵PID:3572
-
\??\c:\bttnhh.exec:\bttnhh.exe89⤵PID:2792
-
\??\c:\jvvpp.exec:\jvvpp.exe90⤵PID:4572
-
\??\c:\dppjd.exec:\dppjd.exe91⤵PID:3864
-
\??\c:\lrrlxxr.exec:\lrrlxxr.exe92⤵PID:528
-
\??\c:\1tbtbt.exec:\1tbtbt.exe93⤵PID:4100
-
\??\c:\hhbtnn.exec:\hhbtnn.exe94⤵PID:3628
-
\??\c:\7vpvj.exec:\7vpvj.exe95⤵PID:4324
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe96⤵PID:2320
-
\??\c:\bttntn.exec:\bttntn.exe97⤵PID:548
-
\??\c:\9dpjj.exec:\9dpjj.exe98⤵PID:3356
-
\??\c:\jvvdv.exec:\jvvdv.exe99⤵PID:1376
-
\??\c:\flllffx.exec:\flllffx.exe100⤵PID:320
-
\??\c:\thttnn.exec:\thttnn.exe101⤵PID:3024
-
\??\c:\5bttnn.exec:\5bttnn.exe102⤵PID:2592
-
\??\c:\jjpjj.exec:\jjpjj.exe103⤵PID:2304
-
\??\c:\fxfxfxf.exec:\fxfxfxf.exe104⤵PID:2912
-
\??\c:\hnnhbt.exec:\hnnhbt.exe105⤵PID:1436
-
\??\c:\tttnnh.exec:\tttnnh.exe106⤵PID:4648
-
\??\c:\pdvpv.exec:\pdvpv.exe107⤵PID:4156
-
\??\c:\llxlrfr.exec:\llxlrfr.exe108⤵PID:3520
-
\??\c:\xfllffl.exec:\xfllffl.exe109⤵PID:4420
-
\??\c:\tnnhhb.exec:\tnnhhb.exe110⤵PID:4008
-
\??\c:\jjjjd.exec:\jjjjd.exe111⤵PID:2748
-
\??\c:\vddvp.exec:\vddvp.exe112⤵PID:3432
-
\??\c:\5lrlfxr.exec:\5lrlfxr.exe113⤵PID:552
-
\??\c:\ttbhtt.exec:\ttbhtt.exe114⤵PID:3112
-
\??\c:\tnhtnt.exec:\tnhtnt.exe115⤵PID:1200
-
\??\c:\jddvj.exec:\jddvj.exe116⤵PID:4032
-
\??\c:\fxrlxrf.exec:\fxrlxrf.exe117⤵PID:4160
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe118⤵PID:3940
-
\??\c:\hnbthb.exec:\hnbthb.exe119⤵PID:4384
-
\??\c:\pvvjd.exec:\pvvjd.exe120⤵PID:3680
-
\??\c:\xxxrlrl.exec:\xxxrlrl.exe121⤵PID:1028
-
\??\c:\nbhhbt.exec:\nbhhbt.exe122⤵PID:3936
-