Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:53
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe
-
Size
454KB
-
MD5
dd01bd2cf8321bc3b9a64e64aa39d800
-
SHA1
ff9e60333ab733ca1aeca39b9b0cb230c555a813
-
SHA256
cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9c
-
SHA512
9fde2a0741c4c0918ae454d0eeeadbc87669310d9edd66a76aae020d6fb30809982b603b9c2fdcd9a5790cfd5910ea6cb5cf0348039e8008efad4eab6d9cb054
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeK:q7Tc2NYHUrAwfMp3CDK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3604-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2616-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1624-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-894-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-1025-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-1717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3604 djdvp.exe 2408 lxfxllf.exe 3140 lflrlrl.exe 4920 9bbbtt.exe 444 jvvpj.exe 1244 lfrrllf.exe 4816 ffxxrxx.exe 2924 hbtttb.exe 4712 bbhnth.exe 1212 bbbbbh.exe 5012 9hhbbh.exe 3300 vpddd.exe 980 bbhbhn.exe 4732 jdddd.exe 536 9vdjd.exe 3268 lrlffff.exe 2296 thhnhb.exe 440 pvvpp.exe 3548 tttbbt.exe 4480 frlfflf.exe 760 fllfxlf.exe 2960 nnbbbb.exe 912 9xlfflx.exe 2616 jdvvp.exe 3720 pvpjj.exe 1416 tnhhbt.exe 1852 pjdpj.exe 4084 llrlxxf.exe 2092 nnbbtt.exe 2692 jpppp.exe 936 pvvpp.exe 4872 9lffxff.exe 412 lrrrlll.exe 1812 hhnntt.exe 548 ffxxxff.exe 1912 httnnn.exe 1776 5tnhbh.exe 4176 lrrlfff.exe 4248 5rlffff.exe 1756 pjppj.exe 1744 rlrrrlf.exe 3620 bbbbbb.exe 4824 9dddd.exe 1600 7lxxffr.exe 4748 btnttt.exe 3032 vpvjd.exe 4272 xrllllr.exe 4720 ddddd.exe 4392 lrffxxx.exe 2128 5thbtb.exe 452 1jjjd.exe 4260 flllfxx.exe 1204 xlrrffr.exe 1760 nnnnhh.exe 4132 djvpj.exe 3260 xrrfflf.exe 2440 fffffff.exe 2860 5jjdv.exe 3016 pdvpj.exe 4816 lxfffff.exe 1624 hhnnhn.exe 1656 9ddvp.exe 2344 llrrlxr.exe 4052 bnnhbh.exe -
resource yara_rule behavioral2/memory/3604-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-137-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2092-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-314-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/916-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-894-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-1025-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbnh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 3604 2972 cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe 83 PID 2972 wrote to memory of 3604 2972 cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe 83 PID 2972 wrote to memory of 3604 2972 cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe 83 PID 3604 wrote to memory of 2408 3604 djdvp.exe 84 PID 3604 wrote to memory of 2408 3604 djdvp.exe 84 PID 3604 wrote to memory of 2408 3604 djdvp.exe 84 PID 2408 wrote to memory of 3140 2408 lxfxllf.exe 85 PID 2408 wrote to memory of 3140 2408 lxfxllf.exe 85 PID 2408 wrote to memory of 3140 2408 lxfxllf.exe 85 PID 3140 wrote to memory of 4920 3140 lflrlrl.exe 86 PID 3140 wrote to memory of 4920 3140 lflrlrl.exe 86 PID 3140 wrote to memory of 4920 3140 lflrlrl.exe 86 PID 4920 wrote to memory of 444 4920 9bbbtt.exe 87 PID 4920 wrote to memory of 444 4920 9bbbtt.exe 87 PID 4920 wrote to memory of 444 4920 9bbbtt.exe 87 PID 444 wrote to memory of 1244 444 jvvpj.exe 88 PID 444 wrote to memory of 1244 444 jvvpj.exe 88 PID 444 wrote to memory of 1244 444 jvvpj.exe 88 PID 1244 wrote to memory of 4816 1244 lfrrllf.exe 89 PID 1244 wrote to memory of 4816 1244 lfrrllf.exe 89 PID 1244 wrote to memory of 4816 1244 lfrrllf.exe 89 PID 4816 wrote to memory of 2924 4816 ffxxrxx.exe 90 PID 4816 wrote to memory of 2924 4816 ffxxrxx.exe 90 PID 4816 wrote to memory of 2924 4816 ffxxrxx.exe 90 PID 2924 wrote to memory of 4712 2924 hbtttb.exe 91 PID 2924 wrote to memory of 4712 2924 hbtttb.exe 91 PID 2924 wrote to memory of 4712 2924 hbtttb.exe 91 PID 4712 wrote to memory of 1212 4712 bbhnth.exe 92 PID 4712 wrote to memory of 1212 4712 bbhnth.exe 92 PID 4712 wrote to memory of 1212 4712 bbhnth.exe 92 PID 1212 wrote to memory of 5012 1212 bbbbbh.exe 93 PID 1212 wrote to memory of 5012 1212 bbbbbh.exe 93 PID 1212 wrote to memory of 5012 1212 bbbbbh.exe 93 PID 5012 wrote to memory of 3300 5012 9hhbbh.exe 94 PID 5012 wrote to 
memory of 3300 5012 9hhbbh.exe 94 PID 5012 wrote to memory of 3300 5012 9hhbbh.exe 94 PID 3300 wrote to memory of 980 3300 vpddd.exe 95 PID 3300 wrote to memory of 980 3300 vpddd.exe 95 PID 3300 wrote to memory of 980 3300 vpddd.exe 95 PID 980 wrote to memory of 4732 980 bbhbhn.exe 96 PID 980 wrote to memory of 4732 980 bbhbhn.exe 96 PID 980 wrote to memory of 4732 980 bbhbhn.exe 96 PID 4732 wrote to memory of 536 4732 jdddd.exe 97 PID 4732 wrote to memory of 536 4732 jdddd.exe 97 PID 4732 wrote to memory of 536 4732 jdddd.exe 97 PID 536 wrote to memory of 3268 536 9vdjd.exe 98 PID 536 wrote to memory of 3268 536 9vdjd.exe 98 PID 536 wrote to memory of 3268 536 9vdjd.exe 98 PID 3268 wrote to memory of 2296 3268 lrlffff.exe 99 PID 3268 wrote to memory of 2296 3268 lrlffff.exe 99 PID 3268 wrote to memory of 2296 3268 lrlffff.exe 99 PID 2296 wrote to memory of 440 2296 thhnhb.exe 100 PID 2296 wrote to memory of 440 2296 thhnhb.exe 100 PID 2296 wrote to memory of 440 2296 thhnhb.exe 100 PID 440 wrote to memory of 3548 440 pvvpp.exe 101 PID 440 wrote to memory of 3548 440 pvvpp.exe 101 PID 440 wrote to memory of 3548 440 pvvpp.exe 101 PID 3548 wrote to memory of 4480 3548 tttbbt.exe 102 PID 3548 wrote to memory of 4480 3548 tttbbt.exe 102 PID 3548 wrote to memory of 4480 3548 tttbbt.exe 102 PID 4480 wrote to memory of 760 4480 frlfflf.exe 103 PID 4480 wrote to memory of 760 4480 frlfflf.exe 103 PID 4480 wrote to memory of 760 4480 frlfflf.exe 103 PID 760 wrote to memory of 2960 760 fllfxlf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe"C:\Users\Admin\AppData\Local\Temp\cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\djdvp.exec:\djdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\lxfxllf.exec:\lxfxllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\lflrlrl.exec:\lflrlrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\9bbbtt.exec:\9bbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\jvvpj.exec:\jvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\lfrrllf.exec:\lfrrllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\ffxxrxx.exec:\ffxxrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\hbtttb.exec:\hbtttb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\bbhnth.exec:\bbhnth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\bbbbbh.exec:\bbbbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\9hhbbh.exec:\9hhbbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\vpddd.exec:\vpddd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\bbhbhn.exec:\bbhbhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\jdddd.exec:\jdddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\9vdjd.exec:\9vdjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\lrlffff.exec:\lrlffff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\thhnhb.exec:\thhnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\pvvpp.exec:\pvvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\tttbbt.exec:\tttbbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\frlfflf.exec:\frlfflf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\fllfxlf.exec:\fllfxlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\nnbbbb.exec:\nnbbbb.exe23⤵
- Executes dropped EXE
PID:2960 -
\??\c:\9xlfflx.exec:\9xlfflx.exe24⤵
- Executes dropped EXE
PID:912 -
\??\c:\jdvvp.exec:\jdvvp.exe25⤵
- Executes dropped EXE
PID:2616 -
\??\c:\pvpjj.exec:\pvpjj.exe26⤵
- Executes dropped EXE
PID:3720 -
\??\c:\tnhhbt.exec:\tnhhbt.exe27⤵
- Executes dropped EXE
PID:1416 -
\??\c:\pjdpj.exec:\pjdpj.exe28⤵
- Executes dropped EXE
PID:1852 -
\??\c:\llrlxxf.exec:\llrlxxf.exe29⤵
- Executes dropped EXE
PID:4084 -
\??\c:\nnbbtt.exec:\nnbbtt.exe30⤵
- Executes dropped EXE
PID:2092 -
\??\c:\jpppp.exec:\jpppp.exe31⤵
- Executes dropped EXE
PID:2692 -
\??\c:\pvvpp.exec:\pvvpp.exe32⤵
- Executes dropped EXE
PID:936 -
\??\c:\9lffxff.exec:\9lffxff.exe33⤵
- Executes dropped EXE
PID:4872 -
\??\c:\lrrrlll.exec:\lrrrlll.exe34⤵
- Executes dropped EXE
PID:412 -
\??\c:\hhnntt.exec:\hhnntt.exe35⤵
- Executes dropped EXE
PID:1812 -
\??\c:\ffxxxff.exec:\ffxxxff.exe36⤵
- Executes dropped EXE
PID:548 -
\??\c:\httnnn.exec:\httnnn.exe37⤵
- Executes dropped EXE
PID:1912 -
\??\c:\5tnhbh.exec:\5tnhbh.exe38⤵
- Executes dropped EXE
PID:1776 -
\??\c:\lrrlfff.exec:\lrrlfff.exe39⤵
- Executes dropped EXE
PID:4176 -
\??\c:\5rlffff.exec:\5rlffff.exe40⤵
- Executes dropped EXE
PID:4248 -
\??\c:\pjppj.exec:\pjppj.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756 -
\??\c:\rlrrrlf.exec:\rlrrrlf.exe42⤵
- Executes dropped EXE
PID:1744 -
\??\c:\bbbbbb.exec:\bbbbbb.exe43⤵
- Executes dropped EXE
PID:3620 -
\??\c:\9dddd.exec:\9dddd.exe44⤵
- Executes dropped EXE
PID:4824 -
\??\c:\7lxxffr.exec:\7lxxffr.exe45⤵
- Executes dropped EXE
PID:1600 -
\??\c:\btnttt.exec:\btnttt.exe46⤵
- Executes dropped EXE
PID:4748 -
\??\c:\vpvjd.exec:\vpvjd.exe47⤵
- Executes dropped EXE
PID:3032 -
\??\c:\xrllllr.exec:\xrllllr.exe48⤵
- Executes dropped EXE
PID:4272 -
\??\c:\ddddd.exec:\ddddd.exe49⤵
- Executes dropped EXE
PID:4720 -
\??\c:\lrffxxx.exec:\lrffxxx.exe50⤵
- Executes dropped EXE
PID:4392 -
\??\c:\5thbtb.exec:\5thbtb.exe51⤵
- Executes dropped EXE
PID:2128 -
\??\c:\1jjjd.exec:\1jjjd.exe52⤵
- Executes dropped EXE
PID:452 -
\??\c:\flllfxx.exec:\flllfxx.exe53⤵
- Executes dropped EXE
PID:4260 -
\??\c:\xlrrffr.exec:\xlrrffr.exe54⤵
- Executes dropped EXE
PID:1204 -
\??\c:\nnnnhh.exec:\nnnnhh.exe55⤵
- Executes dropped EXE
PID:1760 -
\??\c:\djvpj.exec:\djvpj.exe56⤵
- Executes dropped EXE
PID:4132 -
\??\c:\xrrfflf.exec:\xrrfflf.exe57⤵
- Executes dropped EXE
PID:3260 -
\??\c:\fffffff.exec:\fffffff.exe58⤵
- Executes dropped EXE
PID:2440 -
\??\c:\5jjdv.exec:\5jjdv.exe59⤵
- Executes dropped EXE
PID:2860 -
\??\c:\pdvpj.exec:\pdvpj.exe60⤵
- Executes dropped EXE
PID:3016 -
\??\c:\lxfffff.exec:\lxfffff.exe61⤵
- Executes dropped EXE
PID:4816 -
\??\c:\hhnnhn.exec:\hhnnhn.exe62⤵
- Executes dropped EXE
PID:1624 -
\??\c:\9ddvp.exec:\9ddvp.exe63⤵
- Executes dropped EXE
PID:1656 -
\??\c:\llrrlxr.exec:\llrrlxr.exe64⤵
- Executes dropped EXE
PID:2344 -
\??\c:\bnnhbh.exec:\bnnhbh.exe65⤵
- Executes dropped EXE
PID:4052 -
\??\c:\pddpp.exec:\pddpp.exe66⤵PID:2588
-
\??\c:\jjpjd.exec:\jjpjd.exe67⤵PID:540
-
\??\c:\7rxrrrr.exec:\7rxrrrr.exe68⤵PID:3096
-
\??\c:\hnhbbb.exec:\hnhbbb.exe69⤵PID:5072
-
\??\c:\pjdvp.exec:\pjdvp.exe70⤵PID:2728
-
\??\c:\3lffxlf.exec:\3lffxlf.exe71⤵PID:3504
-
\??\c:\tntnnn.exec:\tntnnn.exe72⤵PID:1104
-
\??\c:\bttnbb.exec:\bttnbb.exe73⤵PID:536
-
\??\c:\ddppj.exec:\ddppj.exe74⤵PID:3044
-
\??\c:\xllfflf.exec:\xllfflf.exe75⤵PID:340
-
\??\c:\hhbthb.exec:\hhbthb.exe76⤵PID:4492
-
\??\c:\dvvpj.exec:\dvvpj.exe77⤵PID:4468
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe78⤵PID:1036
-
\??\c:\ffrlxrr.exec:\ffrlxrr.exe79⤵PID:628
-
\??\c:\bbbttt.exec:\bbbttt.exe80⤵PID:3600
-
\??\c:\pvddd.exec:\pvddd.exe81⤵PID:2452
-
\??\c:\lrxxlll.exec:\lrxxlll.exe82⤵PID:2960
-
\??\c:\5lxxxlf.exec:\5lxxxlf.exe83⤵PID:4852
-
\??\c:\bnnttt.exec:\bnnttt.exe84⤵PID:2500
-
\??\c:\pjppp.exec:\pjppp.exe85⤵PID:916
-
\??\c:\rrfxxfl.exec:\rrfxxfl.exe86⤵PID:1336
-
\??\c:\bbbttt.exec:\bbbttt.exe87⤵PID:4100
-
\??\c:\nnhhbn.exec:\nnhhbn.exe88⤵PID:1208
-
\??\c:\djvpd.exec:\djvpd.exe89⤵PID:3048
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe90⤵PID:1340
-
\??\c:\htbbbt.exec:\htbbbt.exe91⤵PID:4084
-
\??\c:\nhtnnn.exec:\nhtnnn.exe92⤵PID:1732
-
\??\c:\jjppd.exec:\jjppd.exe93⤵PID:4324
-
\??\c:\xxllfxx.exec:\xxllfxx.exe94⤵PID:2524
-
\??\c:\rlrxxxx.exec:\rlrxxxx.exe95⤵PID:1028
-
\??\c:\nthbhn.exec:\nthbhn.exe96⤵PID:1604
-
\??\c:\dvvvv.exec:\dvvvv.exe97⤵PID:2552
-
\??\c:\5pvvd.exec:\5pvvd.exe98⤵PID:5056
-
\??\c:\fxrrllf.exec:\fxrrllf.exe99⤵PID:3236
-
\??\c:\tntnnn.exec:\tntnnn.exe100⤵PID:2036
-
\??\c:\hnnnhh.exec:\hnnnhh.exe101⤵PID:1684
-
\??\c:\jpdvj.exec:\jpdvj.exe102⤵PID:4176
-
\??\c:\frllxxr.exec:\frllxxr.exe103⤵PID:64
-
\??\c:\hbnhbb.exec:\hbnhbb.exe104⤵PID:1740
-
\??\c:\pvppp.exec:\pvppp.exe105⤵PID:1512
-
\??\c:\jjvvj.exec:\jjvvj.exe106⤵PID:3620
-
\??\c:\rllllll.exec:\rllllll.exe107⤵PID:244
-
\??\c:\nbbhbt.exec:\nbbhbt.exe108⤵PID:5076
-
\??\c:\jjddd.exec:\jjddd.exe109⤵PID:2528
-
\??\c:\fxxxrrl.exec:\fxxxrrl.exe110⤵PID:4740
-
\??\c:\fxffxxx.exec:\fxffxxx.exe111⤵PID:5004
-
\??\c:\9bnnnn.exec:\9bnnnn.exe112⤵PID:4384
-
\??\c:\nhttnn.exec:\nhttnn.exe113⤵PID:4388
-
\??\c:\vvvdv.exec:\vvvdv.exe114⤵PID:4392
-
\??\c:\rlrrrrl.exec:\rlrrrrl.exe115⤵PID:4048
-
\??\c:\7fflfrl.exec:\7fflfrl.exe116⤵PID:4708
-
\??\c:\hbnhbt.exec:\hbnhbt.exe117⤵PID:4260
-
\??\c:\jjddd.exec:\jjddd.exe118⤵PID:1372
-
\??\c:\lrfxrll.exec:\lrfxrll.exe119⤵PID:3264
-
\??\c:\xllllrl.exec:\xllllrl.exe120⤵PID:4552
-
\??\c:\pdvpj.exec:\pdvpj.exe121⤵PID:4856
-
\??\c:\pvjdp.exec:\pvjdp.exe122⤵PID:1148