Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20-12-2024 01:18
Static task
static1
1 signatures
Behavioral task
behavioral1 (note: the signature hits and process tree below are all labelled behavioral2, which corresponds to the windows10-2004_x64 platform in the Analysis header rather than the windows7-x64 resource listed for this task)
Sample
1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe
-
Size
454KB
-
MD5
d6c7ca8f661870d68cfb895a1e895ad0
-
SHA1
909823040f9dc0eb0aa77877590b9d5ba37f59b8
-
SHA256
1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0
-
SHA512
3369effbbce41d1ce773a98614094fda057d74bb2e9e061c1d2af51b4cc353f3ebdf3b5d0727f361c9588e0325cb844309f5e6f08f30ac48b2db8a7c584b35a8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (all hits are on in-memory dumps of the 0x400000-0x42A000 image region of each process; the same regions also match the `upx` rule below, so the family rule appears to fire on the unpacked image at runtime, and the 454KB on-disk sample should not be expected to match this memory-oriented rule — hunt on the dropped-file hashes and memory, not on the packed file alone)
resource yara_rule behavioral2/memory/4804-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2464-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4072-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-1061-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-1291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-1357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note that PIDs recur in this list, e.g. 2020, 1492 and 2868 each appear for two different dropped binaries, which indicates earlier members of the chain have exited and the OS recycled their PIDs; this is also why many registry entries below read "Process not Found")
pid Process 32 pdjdp.exe 4688 nbbtnh.exe 3036 3ddpd.exe 2020 lfrrfxx.exe 1492 vpdjv.exe 3576 bhnbtn.exe 876 frlfxxr.exe 3616 dvvjd.exe 4828 rxxrfxr.exe 4240 1ddvp.exe 624 frrfxlx.exe 2836 vvvpd.exe 224 3nhtnh.exe 3260 3fxlllx.exe 4500 nntnbb.exe 4624 pjvdd.exe 4316 hbhbnh.exe 2816 dpvpj.exe 4040 7ffrffr.exe 3288 djppj.exe 4068 5nnhtt.exe 8 jvdvp.exe 544 pjjvj.exe 2464 fffxlrl.exe 1560 5hbtnh.exe 1824 3jdvp.exe 1448 lxlfxrr.exe 4176 tbbtnh.exe 4444 ntbtnh.exe 4864 djjvj.exe 4548 ffffffx.exe 1400 httnbt.exe 1716 vvvvv.exe 1340 1ppjd.exe 2972 5xfrllf.exe 2060 vpvvv.exe 1040 jpvjd.exe 4904 frrrffr.exe 3640 tthbtn.exe 2756 vpdvp.exe 4380 rrfrlfx.exe 3236 bhtnbt.exe 3972 jvddd.exe 2868 lrxlfxr.exe 3836 xllxlfx.exe 4232 pdpjd.exe 1676 7rlfxxl.exe 4588 pppjd.exe 4300 ppvjj.exe 2604 hbtbnb.exe 2176 dpvpj.exe 1640 rfxrllf.exe 3252 5bbtbb.exe 1568 vjjvp.exe 1224 lxrlxrl.exe 2020 ntnnhh.exe 1492 pjddj.exe 3916 lxxxrrr.exe 1496 frxrfxl.exe 2984 bhhbbb.exe 3736 vvvjv.exe 1752 frflrfr.exe 4072 9nttnt.exe 4568 7dvpj.exe -
resource yara_rule behavioral2/memory/4804-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4176-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3308-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-777-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Practitioner caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by many benign binaries during locale initialisation, so this signature is weak on its own and should be weighed together with the Blackmoon and UPX memory hits above. Entries attributed to "Process not Found" are key opens whose originating process could not be resolved by the sandbox, presumably because it had already exited by the time the event was attributed — see the PID reuse in the dropped-EXE list.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxlllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs (the writes form a strictly linear parent→child chain — 4804 → 32 → 4688 → 3036 → … — with each pair logged three times; every target is the process's own freshly spawned child rather than an unrelated running process, so this looks like a self-replicating dropper chain and not injection into third-party processes)
description pid Process procid_target PID 4804 wrote to memory of 32 4804 1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe 83 PID 4804 wrote to memory of 32 4804 1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe 83 PID 4804 wrote to memory of 32 4804 1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe 83 PID 32 wrote to memory of 4688 32 pdjdp.exe 84 PID 32 wrote to memory of 4688 32 pdjdp.exe 84 PID 32 wrote to memory of 4688 32 pdjdp.exe 84 PID 4688 wrote to memory of 3036 4688 nbbtnh.exe 85 PID 4688 wrote to memory of 3036 4688 nbbtnh.exe 85 PID 4688 wrote to memory of 3036 4688 nbbtnh.exe 85 PID 3036 wrote to memory of 2020 3036 3ddpd.exe 86 PID 3036 wrote to memory of 2020 3036 3ddpd.exe 86 PID 3036 wrote to memory of 2020 3036 3ddpd.exe 86 PID 2020 wrote to memory of 1492 2020 lfrrfxx.exe 87 PID 2020 wrote to memory of 1492 2020 lfrrfxx.exe 87 PID 2020 wrote to memory of 1492 2020 lfrrfxx.exe 87 PID 1492 wrote to memory of 3576 1492 vpdjv.exe 88 PID 1492 wrote to memory of 3576 1492 vpdjv.exe 88 PID 1492 wrote to memory of 3576 1492 vpdjv.exe 88 PID 3576 wrote to memory of 876 3576 bhnbtn.exe 89 PID 3576 wrote to memory of 876 3576 bhnbtn.exe 89 PID 3576 wrote to memory of 876 3576 bhnbtn.exe 89 PID 876 wrote to memory of 3616 876 frlfxxr.exe 90 PID 876 wrote to memory of 3616 876 frlfxxr.exe 90 PID 876 wrote to memory of 3616 876 frlfxxr.exe 90 PID 3616 wrote to memory of 4828 3616 dvvjd.exe 91 PID 3616 wrote to memory of 4828 3616 dvvjd.exe 91 PID 3616 wrote to memory of 4828 3616 dvvjd.exe 91 PID 4828 wrote to memory of 4240 4828 rxxrfxr.exe 92 PID 4828 wrote to memory of 4240 4828 rxxrfxr.exe 92 PID 4828 wrote to memory of 4240 4828 rxxrfxr.exe 92 PID 4240 wrote to memory of 624 4240 1ddvp.exe 93 PID 4240 wrote to memory of 624 4240 1ddvp.exe 93 PID 4240 wrote to memory of 624 4240 1ddvp.exe 93 PID 624 wrote to memory of 2836 624 frrfxlx.exe 94 PID 624 wrote to memory of 2836 624 frrfxlx.exe 94 
PID 624 wrote to memory of 2836 624 frrfxlx.exe 94 PID 2836 wrote to memory of 224 2836 vvvpd.exe 95 PID 2836 wrote to memory of 224 2836 vvvpd.exe 95 PID 2836 wrote to memory of 224 2836 vvvpd.exe 95 PID 224 wrote to memory of 3260 224 3nhtnh.exe 96 PID 224 wrote to memory of 3260 224 3nhtnh.exe 96 PID 224 wrote to memory of 3260 224 3nhtnh.exe 96 PID 3260 wrote to memory of 4500 3260 3fxlllx.exe 97 PID 3260 wrote to memory of 4500 3260 3fxlllx.exe 97 PID 3260 wrote to memory of 4500 3260 3fxlllx.exe 97 PID 4500 wrote to memory of 4624 4500 nntnbb.exe 98 PID 4500 wrote to memory of 4624 4500 nntnbb.exe 98 PID 4500 wrote to memory of 4624 4500 nntnbb.exe 98 PID 4624 wrote to memory of 4316 4624 pjvdd.exe 99 PID 4624 wrote to memory of 4316 4624 pjvdd.exe 99 PID 4624 wrote to memory of 4316 4624 pjvdd.exe 99 PID 4316 wrote to memory of 2816 4316 hbhbnh.exe 100 PID 4316 wrote to memory of 2816 4316 hbhbnh.exe 100 PID 4316 wrote to memory of 2816 4316 hbhbnh.exe 100 PID 2816 wrote to memory of 4040 2816 dpvpj.exe 101 PID 2816 wrote to memory of 4040 2816 dpvpj.exe 101 PID 2816 wrote to memory of 4040 2816 dpvpj.exe 101 PID 4040 wrote to memory of 3288 4040 7ffrffr.exe 102 PID 4040 wrote to memory of 3288 4040 7ffrffr.exe 102 PID 4040 wrote to memory of 3288 4040 7ffrffr.exe 102 PID 3288 wrote to memory of 4068 3288 djppj.exe 103 PID 3288 wrote to memory of 4068 3288 djppj.exe 103 PID 3288 wrote to memory of 4068 3288 djppj.exe 103 PID 4068 wrote to memory of 8 4068 5nnhtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe"C:\Users\Admin\AppData\Local\Temp\1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\pdjdp.exec:\pdjdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\nbbtnh.exec:\nbbtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\3ddpd.exec:\3ddpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\lfrrfxx.exec:\lfrrfxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\vpdjv.exec:\vpdjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\bhnbtn.exec:\bhnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\frlfxxr.exec:\frlfxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\dvvjd.exec:\dvvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\rxxrfxr.exec:\rxxrfxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\1ddvp.exec:\1ddvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\frrfxlx.exec:\frrfxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\vvvpd.exec:\vvvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\3nhtnh.exec:\3nhtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\3fxlllx.exec:\3fxlllx.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\nntnbb.exec:\nntnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\pjvdd.exec:\pjvdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\hbhbnh.exec:\hbhbnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\dpvpj.exec:\dpvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\7ffrffr.exec:\7ffrffr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\djppj.exec:\djppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\5nnhtt.exec:\5nnhtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\jvdvp.exec:\jvdvp.exe23⤵
- Executes dropped EXE
PID:8 -
\??\c:\pjjvj.exec:\pjjvj.exe24⤵
- Executes dropped EXE
PID:544 -
\??\c:\fffxlrl.exec:\fffxlrl.exe25⤵
- Executes dropped EXE
PID:2464 -
\??\c:\5hbtnh.exec:\5hbtnh.exe26⤵
- Executes dropped EXE
PID:1560 -
\??\c:\3jdvp.exec:\3jdvp.exe27⤵
- Executes dropped EXE
PID:1824 -
\??\c:\lxlfxrr.exec:\lxlfxrr.exe28⤵
- Executes dropped EXE
PID:1448 -
\??\c:\tbbtnh.exec:\tbbtnh.exe29⤵
- Executes dropped EXE
PID:4176 -
\??\c:\ntbtnh.exec:\ntbtnh.exe30⤵
- Executes dropped EXE
PID:4444 -
\??\c:\djjvj.exec:\djjvj.exe31⤵
- Executes dropped EXE
PID:4864 -
\??\c:\ffffffx.exec:\ffffffx.exe32⤵
- Executes dropped EXE
PID:4548 -
\??\c:\httnbt.exec:\httnbt.exe33⤵
- Executes dropped EXE
PID:1400 -
\??\c:\vvvvv.exec:\vvvvv.exe34⤵
- Executes dropped EXE
PID:1716 -
\??\c:\1ppjd.exec:\1ppjd.exe35⤵
- Executes dropped EXE
PID:1340 -
\??\c:\5xfrllf.exec:\5xfrllf.exe36⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vpvvv.exec:\vpvvv.exe37⤵
- Executes dropped EXE
PID:2060 -
\??\c:\jpvjd.exec:\jpvjd.exe38⤵
- Executes dropped EXE
PID:1040 -
\??\c:\frrrffr.exec:\frrrffr.exe39⤵
- Executes dropped EXE
PID:4904 -
\??\c:\tthbtn.exec:\tthbtn.exe40⤵
- Executes dropped EXE
PID:3640 -
\??\c:\vpdvp.exec:\vpdvp.exe41⤵
- Executes dropped EXE
PID:2756 -
\??\c:\rrfrlfx.exec:\rrfrlfx.exe42⤵
- Executes dropped EXE
PID:4380 -
\??\c:\bhtnbt.exec:\bhtnbt.exe43⤵
- Executes dropped EXE
PID:3236 -
\??\c:\jvddd.exec:\jvddd.exe44⤵
- Executes dropped EXE
PID:3972 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe45⤵
- Executes dropped EXE
PID:2868 -
\??\c:\xllxlfx.exec:\xllxlfx.exe46⤵
- Executes dropped EXE
PID:3836 -
\??\c:\pdpjd.exec:\pdpjd.exe47⤵
- Executes dropped EXE
PID:4232 -
\??\c:\7rlfxxl.exec:\7rlfxxl.exe48⤵
- Executes dropped EXE
PID:1676 -
\??\c:\pppjd.exec:\pppjd.exe49⤵
- Executes dropped EXE
PID:4588 -
\??\c:\ppvjj.exec:\ppvjj.exe50⤵
- Executes dropped EXE
PID:4300 -
\??\c:\hbtbnb.exec:\hbtbnb.exe51⤵
- Executes dropped EXE
PID:2604 -
\??\c:\dpvpj.exec:\dpvpj.exe52⤵
- Executes dropped EXE
PID:2176 -
\??\c:\rfxrllf.exec:\rfxrllf.exe53⤵
- Executes dropped EXE
PID:1640 -
\??\c:\5bbtbb.exec:\5bbtbb.exe54⤵
- Executes dropped EXE
PID:3252 -
\??\c:\vjjvp.exec:\vjjvp.exe55⤵
- Executes dropped EXE
PID:1568 -
\??\c:\lxrlxrl.exec:\lxrlxrl.exe56⤵
- Executes dropped EXE
PID:1224 -
\??\c:\ntnnhh.exec:\ntnnhh.exe57⤵
- Executes dropped EXE
PID:2020 -
\??\c:\pjddj.exec:\pjddj.exe58⤵
- Executes dropped EXE
PID:1492 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe59⤵
- Executes dropped EXE
PID:3916 -
\??\c:\frxrfxl.exec:\frxrfxl.exe60⤵
- Executes dropped EXE
PID:1496 -
\??\c:\bhhbbb.exec:\bhhbbb.exe61⤵
- Executes dropped EXE
PID:2984 -
\??\c:\vvvjv.exec:\vvvjv.exe62⤵
- Executes dropped EXE
PID:3736 -
\??\c:\frflrfr.exec:\frflrfr.exe63⤵
- Executes dropped EXE
PID:1752 -
\??\c:\9nttnt.exec:\9nttnt.exe64⤵
- Executes dropped EXE
PID:4072 -
\??\c:\7dvpj.exec:\7dvpj.exe65⤵
- Executes dropped EXE
PID:4568 -
\??\c:\rfxrlfr.exec:\rfxrlfr.exe66⤵PID:312
-
\??\c:\nbbttt.exec:\nbbttt.exe67⤵PID:4288
-
\??\c:\nbbtnn.exec:\nbbtnn.exe68⤵PID:4220
-
\??\c:\ddddv.exec:\ddddv.exe69⤵PID:3684
-
\??\c:\lxfxflf.exec:\lxfxflf.exe70⤵PID:1580
-
\??\c:\ttthtn.exec:\ttthtn.exe71⤵PID:1336
-
\??\c:\nhbbtn.exec:\nhbbtn.exe72⤵PID:764
-
\??\c:\pdpdp.exec:\pdpdp.exe73⤵PID:4500
-
\??\c:\xflxllx.exec:\xflxllx.exe74⤵PID:440
-
\??\c:\nhttnh.exec:\nhttnh.exe75⤵PID:4876
-
\??\c:\hnthbb.exec:\hnthbb.exe76⤵PID:384
-
\??\c:\9jjvp.exec:\9jjvp.exe77⤵PID:3348
-
\??\c:\rxlxlfr.exec:\rxlxlfr.exe78⤵PID:2172
-
\??\c:\nbbnhb.exec:\nbbnhb.exe79⤵PID:5036
-
\??\c:\nhtnhb.exec:\nhtnhb.exe80⤵PID:3404
-
\??\c:\jvvpj.exec:\jvvpj.exe81⤵PID:3600
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe82⤵PID:3388
-
\??\c:\bhnbtn.exec:\bhnbtn.exe83⤵PID:3520
-
\??\c:\hnhtnn.exec:\hnhtnn.exe84⤵PID:812
-
\??\c:\dppjd.exec:\dppjd.exe85⤵PID:3308
-
\??\c:\5tnhbb.exec:\5tnhbb.exe86⤵PID:3384
-
\??\c:\pjpdv.exec:\pjpdv.exe87⤵PID:2032
-
\??\c:\3lrlxxx.exec:\3lrlxxx.exe88⤵PID:564
-
\??\c:\7btnhb.exec:\7btnhb.exe89⤵PID:4324
-
\??\c:\btthtb.exec:\btthtb.exe90⤵PID:4808
-
\??\c:\dpdpp.exec:\dpdpp.exe91⤵PID:4988
-
\??\c:\lrxlrrf.exec:\lrxlrrf.exe92⤵PID:1928
-
\??\c:\bnnhtt.exec:\bnnhtt.exe93⤵PID:3356
-
\??\c:\nhtnnh.exec:\nhtnnh.exe94⤵PID:3700
-
\??\c:\jvjdv.exec:\jvjdv.exe95⤵PID:4824
-
\??\c:\xxrfrlf.exec:\xxrfrlf.exe96⤵PID:4868
-
\??\c:\lxxrxrl.exec:\lxxrxrl.exe97⤵PID:3292
-
\??\c:\nhnhhn.exec:\nhnhhn.exe98⤵PID:3808
-
\??\c:\9jpdp.exec:\9jpdp.exe99⤵PID:2608
-
\??\c:\9fxrffx.exec:\9fxrffx.exe100⤵PID:3408
-
\??\c:\fffrxxr.exec:\fffrxxr.exe101⤵PID:4408
-
\??\c:\bhbnbt.exec:\bhbnbt.exe102⤵PID:4180
-
\??\c:\pdvvd.exec:\pdvvd.exe103⤵PID:4112
-
\??\c:\xxlxlff.exec:\xxlxlff.exe104⤵PID:4084
-
\??\c:\rllfxrl.exec:\rllfxrl.exe105⤵PID:3724
-
\??\c:\thnnnh.exec:\thnnnh.exe106⤵PID:3628
-
\??\c:\ntbtbb.exec:\ntbtbb.exe107⤵PID:3528
-
\??\c:\7jjdj.exec:\7jjdj.exe108⤵PID:2868
-
\??\c:\xfrlllf.exec:\xfrlllf.exe109⤵PID:2340
-
\??\c:\xrrxfrx.exec:\xrrxfrx.exe110⤵PID:2728
-
\??\c:\thhtbt.exec:\thhtbt.exe111⤵PID:4228
-
\??\c:\pdjvj.exec:\pdjvj.exe112⤵PID:4592
-
\??\c:\7lfrlfr.exec:\7lfrlfr.exe113⤵PID:4296
-
\??\c:\nhnbbt.exec:\nhnbbt.exe114⤵
- System Location Discovery: System Language Discovery
PID:3200 -
\??\c:\vjpjv.exec:\vjpjv.exe115⤵PID:3400
-
\??\c:\1ppdv.exec:\1ppdv.exe116⤵PID:1216
-
\??\c:\lffxrll.exec:\lffxrll.exe117⤵PID:1460
-
\??\c:\bbhtnh.exec:\bbhtnh.exe118⤵PID:4772
-
\??\c:\7vpvp.exec:\7vpvp.exe119⤵PID:4724
-
\??\c:\rlrxrlf.exec:\rlrxrlf.exe120⤵PID:2216
-
\??\c:\nnthbt.exec:\nnthbt.exe121⤵PID:3028
-
\??\c:\bthbhb.exec:\bthbhb.exe122⤵
- System Location Discovery: System Language Discovery
PID:4044