Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
20-12-2024 04:47
Static task
static1
1 signature
Behavioral task (the task listed here is behavioral1 on Windows 7, but the signature evidence below is labelled behavioral2 and the page header names a Windows 10 resource, so the IoCs shown appear to come from the Windows 10 run — confirm against the task tabs before citing the platform)
behavioral1
Sample
b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe
-
Size
453KB
-
MD5
7c7243f1cd951620cf2b5616abf235a0
-
SHA1
1e4c886c293c7ae342f7208394da69ae36fee06e
-
SHA256
b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5
-
SHA512
cc47d0d6321af8bd88707db03125e4c07d8bb4627741198d5e7aa4b1bf0fc4502b50f379e9bbaedc6aee67435749394f4ee7016529d87b43a90fbc6dac8c6467
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeu:q7Tc2NYHUrAwfMp3CDu
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs — the family_blackmoon YARA rule matched the in-memory image (0x400000–0x42A000) of the sample and of each dropped child; the same regions also match the generic upx rule below, so the on-disk file is likely UPX-packed and static signature matching should be done against the unpacked image rather than the packed file.
resource yara_rule behavioral2/memory/2720-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4484-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4788-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-1224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-1379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-1704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2720 tnbnhb.exe 1480 pppjd.exe 4032 jdpjd.exe 1060 3pppj.exe 4536 djjdd.exe 1476 rrlffff.exe 764 pdjdv.exe 1448 bthbnn.exe 4824 3flfrrl.exe 2796 pjvpj.exe 964 jjvdp.exe 1484 1xflflf.exe 3616 nhhhbb.exe 4480 vdvpj.exe 848 xflfxxx.exe 3120 djvvv.exe 3100 fxrlrrx.exe 4504 5jjpj.exe 4816 rxrrlff.exe 3704 9bhttt.exe 4680 jvdvp.exe 5072 3ttnhb.exe 3372 pvjdv.exe 2212 ntbttn.exe 808 dvdvj.exe 2452 xlfrrrr.exe 4484 djjvp.exe 4812 xxlffff.exe 1348 vdpdd.exe 4724 rrxrfxr.exe 2948 5ntnbb.exe 3524 dvvpd.exe 2856 thnhhb.exe 3408 pjppp.exe 3992 lrxrffx.exe 4456 3tnnhh.exe 4584 pvdvp.exe 4804 vpvpj.exe 1564 lflfxxr.exe 4356 1bnhtb.exe 3640 jpvdp.exe 4940 fxllrlr.exe 868 lrfrrll.exe 528 hbnhnn.exe 4768 pdppd.exe 2920 7vjvj.exe 4232 xxffffx.exe 3268 lxlfxxx.exe 3092 bhtnhb.exe 4832 dvpjj.exe 2244 1lfxxfx.exe 2724 hhnhhb.exe 1680 dpppj.exe 1132 pvjdv.exe 4964 frxrlll.exe 316 1nnhbn.exe 1216 pjpjd.exe 5036 ffrlflf.exe 928 tntnhh.exe 3084 bhnbth.exe 4036 3ddvj.exe 4672 xxlxxxf.exe 896 ntnnhb.exe 2580 bbnhtt.exe -
resource yara_rule behavioral2/memory/2720-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1348-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4572-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-1224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-1379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-1590-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Here the IoC is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables; many entries are attributed to "Process not Found", most likely because the short-lived child had already exited when the event was recorded, so treat the per-process attribution in this list as incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnht.exe -
Suspicious use of WriteProcessMemory 64 IoCs — every entry below is a parent writing into the child it has just spawned (three events per child), which is consistent with ordinary process creation rather than injection into an unrelated process; on its own this is weak evidence. The stronger indicator is the chain itself: the sample spawns a dropped EXE, which drops and spawns the next, and so on for over a hundred generations.
description pid Process procid_target PID 4764 wrote to memory of 2720 4764 b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe 82 PID 4764 wrote to memory of 2720 4764 b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe 82 PID 4764 wrote to memory of 2720 4764 b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe 82 PID 2720 wrote to memory of 1480 2720 tnbnhb.exe 83 PID 2720 wrote to memory of 1480 2720 tnbnhb.exe 83 PID 2720 wrote to memory of 1480 2720 tnbnhb.exe 83 PID 1480 wrote to memory of 4032 1480 pppjd.exe 84 PID 1480 wrote to memory of 4032 1480 pppjd.exe 84 PID 1480 wrote to memory of 4032 1480 pppjd.exe 84 PID 4032 wrote to memory of 1060 4032 jdpjd.exe 85 PID 4032 wrote to memory of 1060 4032 jdpjd.exe 85 PID 4032 wrote to memory of 1060 4032 jdpjd.exe 85 PID 1060 wrote to memory of 4536 1060 3pppj.exe 86 PID 1060 wrote to memory of 4536 1060 3pppj.exe 86 PID 1060 wrote to memory of 4536 1060 3pppj.exe 86 PID 4536 wrote to memory of 1476 4536 djjdd.exe 87 PID 4536 wrote to memory of 1476 4536 djjdd.exe 87 PID 4536 wrote to memory of 1476 4536 djjdd.exe 87 PID 1476 wrote to memory of 764 1476 rrlffff.exe 88 PID 1476 wrote to memory of 764 1476 rrlffff.exe 88 PID 1476 wrote to memory of 764 1476 rrlffff.exe 88 PID 764 wrote to memory of 1448 764 pdjdv.exe 89 PID 764 wrote to memory of 1448 764 pdjdv.exe 89 PID 764 wrote to memory of 1448 764 pdjdv.exe 89 PID 1448 wrote to memory of 4824 1448 bthbnn.exe 90 PID 1448 wrote to memory of 4824 1448 bthbnn.exe 90 PID 1448 wrote to memory of 4824 1448 bthbnn.exe 90 PID 4824 wrote to memory of 2796 4824 3flfrrl.exe 91 PID 4824 wrote to memory of 2796 4824 3flfrrl.exe 91 PID 4824 wrote to memory of 2796 4824 3flfrrl.exe 91 PID 2796 wrote to memory of 964 2796 pjvpj.exe 92 PID 2796 wrote to memory of 964 2796 pjvpj.exe 92 PID 2796 wrote to memory of 964 2796 pjvpj.exe 92 PID 964 wrote to memory of 1484 964 jjvdp.exe 93 PID 964 wrote to memory of 1484 964 
jjvdp.exe 93 PID 964 wrote to memory of 1484 964 jjvdp.exe 93 PID 1484 wrote to memory of 3616 1484 1xflflf.exe 94 PID 1484 wrote to memory of 3616 1484 1xflflf.exe 94 PID 1484 wrote to memory of 3616 1484 1xflflf.exe 94 PID 3616 wrote to memory of 4480 3616 nhhhbb.exe 95 PID 3616 wrote to memory of 4480 3616 nhhhbb.exe 95 PID 3616 wrote to memory of 4480 3616 nhhhbb.exe 95 PID 4480 wrote to memory of 848 4480 vdvpj.exe 96 PID 4480 wrote to memory of 848 4480 vdvpj.exe 96 PID 4480 wrote to memory of 848 4480 vdvpj.exe 96 PID 848 wrote to memory of 3120 848 xflfxxx.exe 97 PID 848 wrote to memory of 3120 848 xflfxxx.exe 97 PID 848 wrote to memory of 3120 848 xflfxxx.exe 97 PID 3120 wrote to memory of 3100 3120 djvvv.exe 98 PID 3120 wrote to memory of 3100 3120 djvvv.exe 98 PID 3120 wrote to memory of 3100 3120 djvvv.exe 98 PID 3100 wrote to memory of 4504 3100 fxrlrrx.exe 99 PID 3100 wrote to memory of 4504 3100 fxrlrrx.exe 99 PID 3100 wrote to memory of 4504 3100 fxrlrrx.exe 99 PID 4504 wrote to memory of 4816 4504 5jjpj.exe 100 PID 4504 wrote to memory of 4816 4504 5jjpj.exe 100 PID 4504 wrote to memory of 4816 4504 5jjpj.exe 100 PID 4816 wrote to memory of 3704 4816 rxrrlff.exe 101 PID 4816 wrote to memory of 3704 4816 rxrrlff.exe 101 PID 4816 wrote to memory of 3704 4816 rxrrlff.exe 101 PID 3704 wrote to memory of 4680 3704 9bhttt.exe 102 PID 3704 wrote to memory of 4680 3704 9bhttt.exe 102 PID 3704 wrote to memory of 4680 3704 9bhttt.exe 102 PID 4680 wrote to memory of 5072 4680 jvdvp.exe 103
Processes (each entry is the image path followed by its command line and its depth in the tree; the dropped executables are written to and run from the root of C:\ under pseudo-random names built from a small letter set, which is a usable detection point. Note that several PIDs — e.g. 4480, 5072, 1564, 3640, 2920, 316, 1448, 4036 — are reused by later children after earlier ones exit, so key detections on the dropped-file names and the spawn chain, not on PIDs.)
-
C:\Users\Admin\AppData\Local\Temp\b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe"C:\Users\Admin\AppData\Local\Temp\b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\tnbnhb.exec:\tnbnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\pppjd.exec:\pppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\jdpjd.exec:\jdpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\3pppj.exec:\3pppj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\djjdd.exec:\djjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\rrlffff.exec:\rrlffff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\pdjdv.exec:\pdjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\bthbnn.exec:\bthbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\3flfrrl.exec:\3flfrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\pjvpj.exec:\pjvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\jjvdp.exec:\jjvdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\1xflflf.exec:\1xflflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\nhhhbb.exec:\nhhhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\vdvpj.exec:\vdvpj.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\xflfxxx.exec:\xflfxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
\??\c:\djvvv.exec:\djvvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\fxrlrrx.exec:\fxrlrrx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\5jjpj.exec:\5jjpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\rxrrlff.exec:\rxrrlff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\9bhttt.exec:\9bhttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\jvdvp.exec:\jvdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\3ttnhb.exec:\3ttnhb.exe23⤵
- Executes dropped EXE
PID:5072 -
\??\c:\pvjdv.exec:\pvjdv.exe24⤵
- Executes dropped EXE
PID:3372 -
\??\c:\ntbttn.exec:\ntbttn.exe25⤵
- Executes dropped EXE
PID:2212 -
\??\c:\dvdvj.exec:\dvdvj.exe26⤵
- Executes dropped EXE
PID:808 -
\??\c:\xlfrrrr.exec:\xlfrrrr.exe27⤵
- Executes dropped EXE
PID:2452 -
\??\c:\djjvp.exec:\djjvp.exe28⤵
- Executes dropped EXE
PID:4484 -
\??\c:\xxlffff.exec:\xxlffff.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4812 -
\??\c:\vdpdd.exec:\vdpdd.exe30⤵
- Executes dropped EXE
PID:1348 -
\??\c:\rrxrfxr.exec:\rrxrfxr.exe31⤵
- Executes dropped EXE
PID:4724 -
\??\c:\5ntnbb.exec:\5ntnbb.exe32⤵
- Executes dropped EXE
PID:2948 -
\??\c:\dvvpd.exec:\dvvpd.exe33⤵
- Executes dropped EXE
PID:3524 -
\??\c:\thnhhb.exec:\thnhhb.exe34⤵
- Executes dropped EXE
PID:2856 -
\??\c:\pjppp.exec:\pjppp.exe35⤵
- Executes dropped EXE
PID:3408 -
\??\c:\lrxrffx.exec:\lrxrffx.exe36⤵
- Executes dropped EXE
PID:3992 -
\??\c:\3tnnhh.exec:\3tnnhh.exe37⤵
- Executes dropped EXE
PID:4456 -
\??\c:\pvdvp.exec:\pvdvp.exe38⤵
- Executes dropped EXE
PID:4584 -
\??\c:\vpvpj.exec:\vpvpj.exe39⤵
- Executes dropped EXE
PID:4804 -
\??\c:\lflfxxr.exec:\lflfxxr.exe40⤵
- Executes dropped EXE
PID:1564 -
\??\c:\1bnhtb.exec:\1bnhtb.exe41⤵
- Executes dropped EXE
PID:4356 -
\??\c:\jpvdp.exec:\jpvdp.exe42⤵
- Executes dropped EXE
PID:3640 -
\??\c:\fxllrlr.exec:\fxllrlr.exe43⤵
- Executes dropped EXE
PID:4940 -
\??\c:\lrfrrll.exec:\lrfrrll.exe44⤵
- Executes dropped EXE
PID:868 -
\??\c:\hbnhnn.exec:\hbnhnn.exe45⤵
- Executes dropped EXE
PID:528 -
\??\c:\pdppd.exec:\pdppd.exe46⤵
- Executes dropped EXE
PID:4768 -
\??\c:\7vjvj.exec:\7vjvj.exe47⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xxffffx.exec:\xxffffx.exe48⤵
- Executes dropped EXE
PID:4232 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe49⤵
- Executes dropped EXE
PID:3268 -
\??\c:\bhtnhb.exec:\bhtnhb.exe50⤵
- Executes dropped EXE
PID:3092 -
\??\c:\dvpjj.exec:\dvpjj.exe51⤵
- Executes dropped EXE
PID:4832 -
\??\c:\1lfxxfx.exec:\1lfxxfx.exe52⤵
- Executes dropped EXE
PID:2244 -
\??\c:\hhnhhb.exec:\hhnhhb.exe53⤵
- Executes dropped EXE
PID:2724 -
\??\c:\dpppj.exec:\dpppj.exe54⤵
- Executes dropped EXE
PID:1680 -
\??\c:\pvjdv.exec:\pvjdv.exe55⤵
- Executes dropped EXE
PID:1132 -
\??\c:\frxrlll.exec:\frxrlll.exe56⤵
- Executes dropped EXE
PID:4964 -
\??\c:\1nnhbn.exec:\1nnhbn.exe57⤵
- Executes dropped EXE
PID:316 -
\??\c:\pjpjd.exec:\pjpjd.exe58⤵
- Executes dropped EXE
PID:1216 -
\??\c:\ffrlflf.exec:\ffrlflf.exe59⤵
- Executes dropped EXE
PID:5036 -
\??\c:\tntnhh.exec:\tntnhh.exe60⤵
- Executes dropped EXE
PID:928 -
\??\c:\bhnbth.exec:\bhnbth.exe61⤵
- Executes dropped EXE
PID:3084 -
\??\c:\3ddvj.exec:\3ddvj.exe62⤵
- Executes dropped EXE
PID:4036 -
\??\c:\xxlxxxf.exec:\xxlxxxf.exe63⤵
- Executes dropped EXE
PID:4672 -
\??\c:\ntnnhb.exec:\ntnnhb.exe64⤵
- Executes dropped EXE
PID:896 -
\??\c:\bbnhtt.exec:\bbnhtt.exe65⤵
- Executes dropped EXE
PID:2580 -
\??\c:\3djjj.exec:\3djjj.exe66⤵PID:3836
-
\??\c:\5xfxrrl.exec:\5xfxrrl.exe67⤵PID:1872
-
\??\c:\nbhbth.exec:\nbhbth.exe68⤵PID:3136
-
\??\c:\vjpjv.exec:\vjpjv.exe69⤵PID:4480
-
\??\c:\pddvp.exec:\pddvp.exe70⤵PID:2004
-
\??\c:\lfffxxx.exec:\lfffxxx.exe71⤵PID:5008
-
\??\c:\hhbtnn.exec:\hhbtnn.exe72⤵PID:1496
-
\??\c:\pjpjd.exec:\pjpjd.exe73⤵PID:1028
-
\??\c:\jdjvd.exec:\jdjvd.exe74⤵PID:4788
-
\??\c:\rxxlxlf.exec:\rxxlxlf.exe75⤵PID:4040
-
\??\c:\tnbtbt.exec:\tnbtbt.exe76⤵PID:2496
-
\??\c:\pppvd.exec:\pppvd.exe77⤵PID:4476
-
\??\c:\rfrlffr.exec:\rfrlffr.exe78⤵PID:1688
-
\??\c:\lrxrrxl.exec:\lrxrrxl.exe79⤵PID:5072
-
\??\c:\1hnhbb.exec:\1hnhbb.exe80⤵PID:4552
-
\??\c:\jdvpd.exec:\jdvpd.exe81⤵PID:3328
-
\??\c:\dppdp.exec:\dppdp.exe82⤵PID:1984
-
\??\c:\xlrlffx.exec:\xlrlffx.exe83⤵PID:3644
-
\??\c:\bhhthb.exec:\bhhthb.exe84⤵PID:4572
-
\??\c:\1dvjd.exec:\1dvjd.exe85⤵PID:2820
-
\??\c:\3frxfxl.exec:\3frxfxl.exe86⤵PID:4564
-
\??\c:\lflflll.exec:\lflflll.exe87⤵PID:1796
-
\??\c:\hbnbtt.exec:\hbnbtt.exe88⤵PID:1276
-
\??\c:\vjdpd.exec:\vjdpd.exe89⤵PID:2160
-
\??\c:\ppvvd.exec:\ppvvd.exe90⤵PID:2344
-
\??\c:\lxxlxxl.exec:\lxxlxxl.exe91⤵PID:1904
-
\??\c:\bnbhbb.exec:\bnbhbb.exe92⤵PID:3624
-
\??\c:\jpvvj.exec:\jpvvj.exe93⤵PID:1044
-
\??\c:\jvpdp.exec:\jvpdp.exe94⤵PID:2648
-
\??\c:\rlxflfr.exec:\rlxflfr.exe95⤵PID:400
-
\??\c:\nnnhbt.exec:\nnnhbt.exe96⤵PID:1508
-
\??\c:\btnhtn.exec:\btnhtn.exe97⤵PID:3108
-
\??\c:\jvdvp.exec:\jvdvp.exe98⤵PID:776
-
\??\c:\rllfrfx.exec:\rllfrfx.exe99⤵PID:1564
-
\??\c:\hhnnhh.exec:\hhnnhh.exe100⤵PID:3964
-
\??\c:\jjvjd.exec:\jjvjd.exe101⤵PID:3640
-
\??\c:\jjpdv.exec:\jjpdv.exe102⤵PID:4908
-
\??\c:\lrxlrlf.exec:\lrxlrlf.exe103⤵PID:4252
-
\??\c:\thbthb.exec:\thbthb.exe104⤵PID:912
-
\??\c:\vjvpd.exec:\vjvpd.exe105⤵PID:2752
-
\??\c:\lfffxxx.exec:\lfffxxx.exe106⤵PID:2920
-
\??\c:\xrxxrrl.exec:\xrxxrrl.exe107⤵PID:916
-
\??\c:\ntbbtt.exec:\ntbbtt.exe108⤵PID:1428
-
\??\c:\7vjdv.exec:\7vjdv.exe109⤵PID:1924
-
\??\c:\1frxxlr.exec:\1frxxlr.exe110⤵PID:3904
-
\??\c:\7tbntn.exec:\7tbntn.exe111⤵PID:2772
-
\??\c:\dpdvp.exec:\dpdvp.exe112⤵PID:1612
-
\??\c:\vdjdv.exec:\vdjdv.exe113⤵PID:456
-
\??\c:\xfxrxrf.exec:\xfxrxrf.exe114⤵PID:920
-
\??\c:\tnbtbb.exec:\tnbtbb.exe115⤵PID:3140
-
\??\c:\pvvpd.exec:\pvvpd.exe116⤵PID:3056
-
\??\c:\ddjdv.exec:\ddjdv.exe117⤵PID:316
-
\??\c:\xxxfxll.exec:\xxxfxll.exe118⤵PID:2792
-
\??\c:\3htntt.exec:\3htntt.exe119⤵PID:1448
-
\??\c:\1djdv.exec:\1djdv.exe120⤵PID:2732
-
\??\c:\lxlxrll.exec:\lxlxrll.exe121⤵PID:4336
-
\??\c:\5frflll.exec:\5frflll.exe122⤵PID:4036