Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
59f7a068912b45eb056b828a106c31be1521aa29367d04f9bdb1a1e9c8fdf92d.exe
Resource
win7-20240903-en
windows7-x64 (note: this behavioral1 task lists a Windows 7 image, but the Analysis header above reports platform windows10-2004_x64 / resource win10v2004-20241007-en, and every memory IoC and process below is tagged behavioral2 — the results shown on this page are from the Windows 10 run, not from this Windows 7 task)
7 signatures
120 seconds
General
-
Target
59f7a068912b45eb056b828a106c31be1521aa29367d04f9bdb1a1e9c8fdf92d.exe
-
Size
453KB
-
MD5
faeca8cf1629d601c820f5f9da92491c
-
SHA1
9e988276fbe6c84d75df2a020346d61074ed4239
-
SHA256
59f7a068912b45eb056b828a106c31be1521aa29367d04f9bdb1a1e9c8fdf92d
-
SHA512
57e76fc02490f51f7fd24bb6bf94df96f9e1866cbebfac9bf3982fed23a2e93045ac3add5363ed5095f00742592981e08118796f1dec68b247e1aea9f93f3374
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs — every hit is a memory dump of the 0x00400000–0x0042A000 image region of a dropped process, and the same regions are also flagged by the upx rule further down; the family match is therefore made on the in-memory (unpacked) image, so a YARA scan of the on-disk, still-packed file will likely not fire — hunt in memory or after unpacking.
resource yara_rule behavioral2/memory/4624-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2792-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1320-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-980-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-1095-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-1247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-1272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-1522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64; PIDs are reused within the 120 s run — e.g. 2824 appears for both pppvv.exe and pvdvp.exe — so correlate by position in the process chain rather than by PID alone)
pid Process 2636 9bhbnn.exe 3532 dvdjj.exe 1988 xxlrxff.exe 3344 xflffff.exe 1884 ddppp.exe 2824 pppvv.exe 3228 frffxfx.exe 1164 hnbtnt.exe 4308 bnttbb.exe 4280 jjjdv.exe 4024 rflrffr.exe 4052 ddvpp.exe 1452 bnnnth.exe 3744 rffxfxx.exe 32 dddjj.exe 3520 lrlrrlx.exe 4188 nnnhtn.exe 1120 rlrlfxr.exe 1832 htnnhh.exe 5056 pjdvd.exe 3060 lflfrlf.exe 3736 bhnhbb.exe 4840 5flffff.exe 4836 nhhhbt.exe 2284 xrrlfff.exe 1960 7ddvv.exe 404 xrrllff.exe 2400 rffrxrr.exe 2792 lxfrlff.exe 4460 vjdvp.exe 4448 flllxrf.exe 1464 bhnhtt.exe 1264 jvjdd.exe 5096 nbtnbt.exe 708 jpvdp.exe 4268 jjjvv.exe 2444 frxrlfx.exe 3824 nnnbnh.exe 4224 fxlflfl.exe 1736 nbtnhb.exe 2800 jjjvp.exe 2272 dppjd.exe 4408 frfxxlf.exe 3964 hbtnhb.exe 1276 jjjpp.exe 2700 rxlfxxr.exe 1968 nnhhbt.exe 3096 bbhhbh.exe 2920 vjdvp.exe 4476 3rrrlrl.exe 4760 nbnnbh.exe 4388 1vvpj.exe 4316 rxfrllx.exe 4240 rfffxxf.exe 4792 nbbtnn.exe 2060 dvjpd.exe 2372 fffxrrl.exe 4764 bnnnht.exe 1336 pvppd.exe 2452 lfrflfr.exe 1084 bbbtnn.exe 2412 hhbbbt.exe 2824 pvdvp.exe 2896 rllxrlf.exe -
resource yara_rule behavioral2/memory/4624-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-178-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4448-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4464-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-980-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-1095-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-1247-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Many rows below list the process as "Process not Found": the registry key open was recorded, but the sandbox could not attribute it to a live process — typically because the short-lived stage had already exited by the time the event was resolved.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlfrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflxxr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4624 wrote to memory of 2636 4624 59f7a068912b45eb056b828a106c31be1521aa29367d04f9bdb1a1e9c8fdf92d.exe 82 PID 4624 wrote to memory of 2636 4624 59f7a068912b45eb056b828a106c31be1521aa29367d04f9bdb1a1e9c8fdf92d.exe 82 PID 4624 wrote to memory of 2636 4624 59f7a068912b45eb056b828a106c31be1521aa29367d04f9bdb1a1e9c8fdf92d.exe 82 PID 2636 wrote to memory of 3532 2636 9bhbnn.exe 83 PID 2636 wrote to memory of 3532 2636 9bhbnn.exe 83 PID 2636 wrote to memory of 3532 2636 9bhbnn.exe 83 PID 3532 wrote to memory of 1988 3532 dvdjj.exe 84 PID 3532 wrote to memory of 1988 3532 dvdjj.exe 84 PID 3532 wrote to memory of 1988 3532 dvdjj.exe 84 PID 1988 wrote to memory of 3344 1988 xxlrxff.exe 85 PID 1988 wrote to memory of 3344 1988 xxlrxff.exe 85 PID 1988 wrote to memory of 3344 1988 xxlrxff.exe 85 PID 3344 wrote to memory of 1884 3344 xflffff.exe 86 PID 3344 wrote to memory of 1884 3344 xflffff.exe 86 PID 3344 wrote to memory of 1884 3344 xflffff.exe 86 PID 1884 wrote to memory of 2824 1884 ddppp.exe 87 PID 1884 wrote to memory of 2824 1884 ddppp.exe 87 PID 1884 wrote to memory of 2824 1884 ddppp.exe 87 PID 2824 wrote to memory of 3228 2824 pppvv.exe 88 PID 2824 wrote to memory of 3228 2824 pppvv.exe 88 PID 2824 wrote to memory of 3228 2824 pppvv.exe 88 PID 3228 wrote to memory of 1164 3228 frffxfx.exe 89 PID 3228 wrote to memory of 1164 3228 frffxfx.exe 89 PID 3228 wrote to memory of 1164 3228 frffxfx.exe 89 PID 1164 wrote to memory of 4308 1164 hnbtnt.exe 90 PID 1164 wrote to memory of 4308 1164 hnbtnt.exe 90 PID 1164 wrote to memory of 4308 1164 hnbtnt.exe 90 PID 4308 wrote to memory of 4280 4308 bnttbb.exe 91 PID 4308 wrote to memory of 4280 4308 bnttbb.exe 91 PID 4308 wrote to memory of 4280 4308 bnttbb.exe 91 PID 4280 wrote to memory of 4024 4280 jjjdv.exe 92 PID 4280 wrote to memory of 4024 4280 jjjdv.exe 92 PID 4280 wrote to memory of 4024 4280 jjjdv.exe 92 PID 4024 wrote to memory of 4052 4024 rflrffr.exe 93 PID 4024 wrote to 
memory of 4052 4024 rflrffr.exe 93 PID 4024 wrote to memory of 4052 4024 rflrffr.exe 93 PID 4052 wrote to memory of 1452 4052 ddvpp.exe 94 PID 4052 wrote to memory of 1452 4052 ddvpp.exe 94 PID 4052 wrote to memory of 1452 4052 ddvpp.exe 94 PID 1452 wrote to memory of 3744 1452 bnnnth.exe 95 PID 1452 wrote to memory of 3744 1452 bnnnth.exe 95 PID 1452 wrote to memory of 3744 1452 bnnnth.exe 95 PID 3744 wrote to memory of 32 3744 rffxfxx.exe 96 PID 3744 wrote to memory of 32 3744 rffxfxx.exe 96 PID 3744 wrote to memory of 32 3744 rffxfxx.exe 96 PID 32 wrote to memory of 3520 32 dddjj.exe 97 PID 32 wrote to memory of 3520 32 dddjj.exe 97 PID 32 wrote to memory of 3520 32 dddjj.exe 97 PID 3520 wrote to memory of 4188 3520 lrlrrlx.exe 98 PID 3520 wrote to memory of 4188 3520 lrlrrlx.exe 98 PID 3520 wrote to memory of 4188 3520 lrlrrlx.exe 98 PID 4188 wrote to memory of 1120 4188 nnnhtn.exe 99 PID 4188 wrote to memory of 1120 4188 nnnhtn.exe 99 PID 4188 wrote to memory of 1120 4188 nnnhtn.exe 99 PID 1120 wrote to memory of 1832 1120 rlrlfxr.exe 100 PID 1120 wrote to memory of 1832 1120 rlrlfxr.exe 100 PID 1120 wrote to memory of 1832 1120 rlrlfxr.exe 100 PID 1832 wrote to memory of 5056 1832 htnnhh.exe 101 PID 1832 wrote to memory of 5056 1832 htnnhh.exe 101 PID 1832 wrote to memory of 5056 1832 htnnhh.exe 101 PID 5056 wrote to memory of 3060 5056 pjdvd.exe 102 PID 5056 wrote to memory of 3060 5056 pjdvd.exe 102 PID 5056 wrote to memory of 3060 5056 pjdvd.exe 102 PID 3060 wrote to memory of 3736 3060 lflfrlf.exe 103
Processes (process tree: the original sample runs from the user's AppData\Local\Temp directory, and every subsequent stage is written to and executed from the drive root, c:\, under a short random consonant-only name, each stage spawning the next — a simple hunting pivot: executables created and launched from the drive root by a non-installer parent)
-
C:\Users\Admin\AppData\Local\Temp\59f7a068912b45eb056b828a106c31be1521aa29367d04f9bdb1a1e9c8fdf92d.exe"C:\Users\Admin\AppData\Local\Temp\59f7a068912b45eb056b828a106c31be1521aa29367d04f9bdb1a1e9c8fdf92d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\9bhbnn.exec:\9bhbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\dvdjj.exec:\dvdjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\xxlrxff.exec:\xxlrxff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\xflffff.exec:\xflffff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\ddppp.exec:\ddppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\pppvv.exec:\pppvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\frffxfx.exec:\frffxfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\hnbtnt.exec:\hnbtnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\bnttbb.exec:\bnttbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\jjjdv.exec:\jjjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\rflrffr.exec:\rflrffr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\ddvpp.exec:\ddvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\bnnnth.exec:\bnnnth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\rffxfxx.exec:\rffxfxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\dddjj.exec:\dddjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\lrlrrlx.exec:\lrlrrlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\nnnhtn.exec:\nnnhtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\rlrlfxr.exec:\rlrlfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\htnnhh.exec:\htnnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\pjdvd.exec:\pjdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\lflfrlf.exec:\lflfrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\bhnhbb.exec:\bhnhbb.exe23⤵
- Executes dropped EXE
PID:3736 -
\??\c:\5flffff.exec:\5flffff.exe24⤵
- Executes dropped EXE
PID:4840 -
\??\c:\nhhhbt.exec:\nhhhbt.exe25⤵
- Executes dropped EXE
PID:4836 -
\??\c:\xrrlfff.exec:\xrrlfff.exe26⤵
- Executes dropped EXE
PID:2284 -
\??\c:\7ddvv.exec:\7ddvv.exe27⤵
- Executes dropped EXE
PID:1960 -
\??\c:\xrrllff.exec:\xrrllff.exe28⤵
- Executes dropped EXE
PID:404 -
\??\c:\rffrxrr.exec:\rffrxrr.exe29⤵
- Executes dropped EXE
PID:2400 -
\??\c:\lxfrlff.exec:\lxfrlff.exe30⤵
- Executes dropped EXE
PID:2792 -
\??\c:\vjdvp.exec:\vjdvp.exe31⤵
- Executes dropped EXE
PID:4460 -
\??\c:\flllxrf.exec:\flllxrf.exe32⤵
- Executes dropped EXE
PID:4448 -
\??\c:\bhnhtt.exec:\bhnhtt.exe33⤵
- Executes dropped EXE
PID:1464 -
\??\c:\jvjdd.exec:\jvjdd.exe34⤵
- Executes dropped EXE
PID:1264 -
\??\c:\nbtnbt.exec:\nbtnbt.exe35⤵
- Executes dropped EXE
PID:5096 -
\??\c:\jpvdp.exec:\jpvdp.exe36⤵
- Executes dropped EXE
PID:708 -
\??\c:\jjjvv.exec:\jjjvv.exe37⤵
- Executes dropped EXE
PID:4268 -
\??\c:\frxrlfx.exec:\frxrlfx.exe38⤵
- Executes dropped EXE
PID:2444 -
\??\c:\nnnbnh.exec:\nnnbnh.exe39⤵
- Executes dropped EXE
PID:3824 -
\??\c:\fxlflfl.exec:\fxlflfl.exe40⤵
- Executes dropped EXE
PID:4224 -
\??\c:\nbtnhb.exec:\nbtnhb.exe41⤵
- Executes dropped EXE
PID:1736 -
\??\c:\jjjvp.exec:\jjjvp.exe42⤵
- Executes dropped EXE
PID:2800 -
\??\c:\dppjd.exec:\dppjd.exe43⤵
- Executes dropped EXE
PID:2272 -
\??\c:\frfxxlf.exec:\frfxxlf.exe44⤵
- Executes dropped EXE
PID:4408 -
\??\c:\hbtnhb.exec:\hbtnhb.exe45⤵
- Executes dropped EXE
PID:3964 -
\??\c:\jjjpp.exec:\jjjpp.exe46⤵
- Executes dropped EXE
PID:1276 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe47⤵
- Executes dropped EXE
PID:2700 -
\??\c:\nnhhbt.exec:\nnhhbt.exe48⤵
- Executes dropped EXE
PID:1968 -
\??\c:\bbhhbh.exec:\bbhhbh.exe49⤵
- Executes dropped EXE
PID:3096 -
\??\c:\vjdvp.exec:\vjdvp.exe50⤵
- Executes dropped EXE
PID:2920 -
\??\c:\3rrrlrl.exec:\3rrrlrl.exe51⤵
- Executes dropped EXE
PID:4476 -
\??\c:\nbnnbh.exec:\nbnnbh.exe52⤵
- Executes dropped EXE
PID:4760 -
\??\c:\1vvpj.exec:\1vvpj.exe53⤵
- Executes dropped EXE
PID:4388 -
\??\c:\rxfrllx.exec:\rxfrllx.exe54⤵
- Executes dropped EXE
PID:4316 -
\??\c:\rfffxxf.exec:\rfffxxf.exe55⤵
- Executes dropped EXE
PID:4240 -
\??\c:\nbbtnn.exec:\nbbtnn.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4792 -
\??\c:\dvjpd.exec:\dvjpd.exe57⤵
- Executes dropped EXE
PID:2060 -
\??\c:\fffxrrl.exec:\fffxrrl.exe58⤵
- Executes dropped EXE
PID:2372 -
\??\c:\bnnnht.exec:\bnnnht.exe59⤵
- Executes dropped EXE
PID:4764 -
\??\c:\pvppd.exec:\pvppd.exe60⤵
- Executes dropped EXE
PID:1336 -
\??\c:\lfrflfr.exec:\lfrflfr.exe61⤵
- Executes dropped EXE
PID:2452 -
\??\c:\bbbtnn.exec:\bbbtnn.exe62⤵
- Executes dropped EXE
PID:1084 -
\??\c:\hhbbbt.exec:\hhbbbt.exe63⤵
- Executes dropped EXE
PID:2412 -
\??\c:\pvdvp.exec:\pvdvp.exe64⤵
- Executes dropped EXE
PID:2824 -
\??\c:\rllxrlf.exec:\rllxrlf.exe65⤵
- Executes dropped EXE
PID:2896 -
\??\c:\frrxrrr.exec:\frrxrrr.exe66⤵PID:456
-
\??\c:\httthh.exec:\httthh.exe67⤵PID:2764
-
\??\c:\3vdpj.exec:\3vdpj.exe68⤵PID:2836
-
\??\c:\xxrfxlr.exec:\xxrfxlr.exe69⤵PID:3316
-
\??\c:\7ttbnn.exec:\7ttbnn.exe70⤵PID:4164
-
\??\c:\1hhhbb.exec:\1hhhbb.exe71⤵PID:1244
-
\??\c:\pvvpv.exec:\pvvpv.exe72⤵PID:832
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe73⤵PID:872
-
\??\c:\5bbttt.exec:\5bbttt.exe74⤵PID:4444
-
\??\c:\3pdpd.exec:\3pdpd.exe75⤵PID:2884
-
\??\c:\fflfxrr.exec:\fflfxrr.exe76⤵PID:2564
-
\??\c:\tnntnn.exec:\tnntnn.exe77⤵PID:1320
-
\??\c:\vvjjd.exec:\vvjjd.exe78⤵PID:2880
-
\??\c:\vpddd.exec:\vpddd.exe79⤵PID:3520
-
\??\c:\lfrrlff.exec:\lfrrlff.exe80⤵PID:220
-
\??\c:\nhnhbb.exec:\nhnhbb.exe81⤵PID:1564
-
\??\c:\nbhbtt.exec:\nbhbtt.exe82⤵PID:4300
-
\??\c:\9ppjd.exec:\9ppjd.exe83⤵PID:1608
-
\??\c:\1lfxffr.exec:\1lfxffr.exe84⤵PID:4828
-
\??\c:\nhnhhh.exec:\nhnhhh.exe85⤵PID:3692
-
\??\c:\5tttnn.exec:\5tttnn.exe86⤵PID:2560
-
\??\c:\5jpjj.exec:\5jpjj.exe87⤵PID:1224
-
\??\c:\xrrlffx.exec:\xrrlffx.exe88⤵PID:3168
-
\??\c:\rxfxrrf.exec:\rxfxrrf.exe89⤵PID:5052
-
\??\c:\3tntnn.exec:\3tntnn.exe90⤵PID:4836
-
\??\c:\vvpjd.exec:\vvpjd.exe91⤵PID:2284
-
\??\c:\xrrxrfx.exec:\xrrxrfx.exe92⤵PID:3732
-
\??\c:\nbbtnn.exec:\nbbtnn.exe93⤵PID:1960
-
\??\c:\tnhbhb.exec:\tnhbhb.exe94⤵PID:4916
-
\??\c:\jppjd.exec:\jppjd.exe95⤵PID:3300
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe96⤵PID:2384
-
\??\c:\bbntnb.exec:\bbntnb.exe97⤵PID:1600
-
\??\c:\5pppj.exec:\5pppj.exe98⤵PID:2024
-
\??\c:\flrrrlr.exec:\flrrrlr.exe99⤵PID:4688
-
\??\c:\btbnhh.exec:\btbnhh.exe100⤵PID:1536
-
\??\c:\jjppv.exec:\jjppv.exe101⤵PID:2324
-
\??\c:\dvddj.exec:\dvddj.exe102⤵
- System Location Discovery: System Language Discovery
PID:1192 -
\??\c:\rlflfxr.exec:\rlflfxr.exe103⤵PID:1672
-
\??\c:\bhtnnh.exec:\bhtnnh.exe104⤵PID:2356
-
\??\c:\pjvpv.exec:\pjvpv.exe105⤵PID:892
-
\??\c:\frfxrll.exec:\frfxrll.exe106⤵PID:3600
-
\??\c:\ttnhbb.exec:\ttnhbb.exe107⤵
- System Location Discovery: System Language Discovery
PID:4320 -
\??\c:\nbhhbt.exec:\nbhhbt.exe108⤵PID:3148
-
\??\c:\jdvvp.exec:\jdvvp.exe109⤵PID:1860
-
\??\c:\nbbbtt.exec:\nbbbtt.exe110⤵PID:4848
-
\??\c:\pjdvp.exec:\pjdvp.exe111⤵PID:4948
-
\??\c:\dpvpp.exec:\dpvpp.exe112⤵PID:2272
-
\??\c:\frflfxx.exec:\frflfxx.exe113⤵PID:3460
-
\??\c:\nthbbb.exec:\nthbbb.exe114⤵PID:2096
-
\??\c:\jdvpd.exec:\jdvpd.exe115⤵PID:4464
-
\??\c:\xxxrffx.exec:\xxxrffx.exe116⤵PID:4812
-
\??\c:\fxlfllr.exec:\fxlfllr.exe117⤵PID:3928
-
\??\c:\nbbbnb.exec:\nbbbnb.exe118⤵PID:2544
-
\??\c:\3vpjv.exec:\3vpjv.exe119⤵PID:4900
-
\??\c:\lflxrrr.exec:\lflxrrr.exe120⤵PID:1476
-
\??\c:\bthntt.exec:\bthntt.exe121⤵PID:4076
-
\??\c:\btbttt.exec:\btbttt.exe122⤵PID:4412