Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe
-
Size
456KB
-
MD5
ee7a2f594504816ca51605addc6b0080
-
SHA1
fe06dcaabebc2905a9344a2805c33157f2e42e7f
-
SHA256
c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1c
-
SHA512
246895cb2a293c567a3e134f213847be7b9d2e22073578cf2ac752024fd88fab3da70394a79a407e269a2ed3fdea81bba2d6e1d25f92c0371f4505aa23e1c59b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeLu:q7Tc2NYHUrAwfMp3CDLu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4560-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1996-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2780-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3388 bntnhh.exe 2152 dpjjd.exe 1396 pdjjj.exe 752 pdvpd.exe 3124 btnbtn.exe 2712 jpvpj.exe 3292 rfllrlr.exe 4292 7llfxrx.exe 376 lxxrllf.exe 1784 frxfxxr.exe 1380 vddvp.exe 2312 vjdvp.exe 4648 7xrlffx.exe 116 hbbtnn.exe 3064 vpjjd.exe 2744 htbnhb.exe 768 ddjvj.exe 3740 btbbbt.exe 4260 vpdvv.exe 4276 frfxxrx.exe 2420 frrlxxr.exe 1628 httnhb.exe 2524 pjjjv.exe 1996 rfrlllr.exe 1604 lxxfxfx.exe 1752 nthbnn.exe 1368 jppdd.exe 920 lxxrrxr.exe 4384 jvdvd.exe 4000 fxxrrrr.exe 4256 hbbhtb.exe 1712 vdjvp.exe 3168 btbtnn.exe 5004 jvddd.exe 1976 dpvpd.exe 1608 xrrfxrr.exe 3320 9pjjv.exe 2484 nnnnbb.exe 1372 bntnbb.exe 1888 hhhbbt.exe 4928 bbhbnh.exe 2808 ppvjd.exe 5068 lrxrrll.exe 2256 llrlfxl.exe 5096 tnhtbt.exe 832 pjpjv.exe 2340 lxxlrlf.exe 2452 rlllllf.exe 744 httthn.exe 3848 dvvjv.exe 3340 pjjdp.exe 4532 lxxlfxr.exe 964 frxlfrl.exe 4700 thhbtt.exe 1576 1vjvj.exe 2400 lxrlrrf.exe 1856 tbhbtn.exe 4812 7jdvj.exe 2388 dvvpj.exe 4476 rffxrlf.exe 456 hhnbbt.exe 3656 nhtntt.exe 5088 jjjvp.exe 3292 rflxrlf.exe -
resource yara_rule behavioral2/memory/4560-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-110-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2524-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-318-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2780-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-567-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4560 wrote to memory of 3388 4560 c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe 82 PID 4560 wrote to memory of 3388 4560 c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe 82 PID 4560 wrote to memory of 3388 4560 c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe 82 PID 3388 wrote to memory of 2152 3388 bntnhh.exe 83 PID 3388 wrote to memory of 2152 3388 bntnhh.exe 83 PID 3388 wrote to memory of 2152 3388 bntnhh.exe 83 PID 2152 wrote to memory of 1396 2152 dpjjd.exe 84 PID 2152 wrote to memory of 1396 2152 dpjjd.exe 84 PID 2152 wrote to memory of 1396 2152 dpjjd.exe 84 PID 1396 wrote to memory of 752 1396 pdjjj.exe 85 PID 1396 wrote to memory of 752 1396 pdjjj.exe 85 PID 1396 wrote to memory of 752 1396 pdjjj.exe 85 PID 752 wrote to memory of 3124 752 pdvpd.exe 86 PID 752 wrote to memory of 3124 752 pdvpd.exe 86 PID 752 wrote to memory of 3124 752 pdvpd.exe 86 PID 3124 wrote to memory of 2712 3124 btnbtn.exe 87 PID 3124 wrote to memory of 2712 3124 btnbtn.exe 87 PID 3124 wrote to memory of 2712 3124 btnbtn.exe 87 PID 2712 wrote to memory of 3292 2712 jpvpj.exe 88 PID 2712 wrote to memory of 3292 2712 jpvpj.exe 88 PID 2712 wrote to memory of 3292 2712 jpvpj.exe 88 PID 3292 wrote to memory of 4292 3292 rfllrlr.exe 89 PID 3292 wrote to memory of 4292 3292 rfllrlr.exe 89 PID 3292 wrote to memory of 4292 3292 rfllrlr.exe 89 PID 4292 wrote to memory of 376 4292 7llfxrx.exe 90 PID 4292 wrote to memory of 376 4292 7llfxrx.exe 90 PID 4292 wrote to memory of 376 4292 7llfxrx.exe 90 PID 376 wrote to memory of 1784 376 lxxrllf.exe 91 PID 376 wrote to memory of 1784 376 lxxrllf.exe 91 PID 376 wrote to memory of 1784 376 lxxrllf.exe 91 PID 1784 wrote to memory of 1380 1784 frxfxxr.exe 92 PID 1784 wrote to memory of 1380 1784 frxfxxr.exe 92 PID 1784 wrote to memory of 1380 1784 frxfxxr.exe 92 PID 1380 wrote to memory of 2312 1380 vddvp.exe 93 PID 1380 wrote to memory of 2312 
1380 vddvp.exe 93 PID 1380 wrote to memory of 2312 1380 vddvp.exe 93 PID 2312 wrote to memory of 4648 2312 vjdvp.exe 94 PID 2312 wrote to memory of 4648 2312 vjdvp.exe 94 PID 2312 wrote to memory of 4648 2312 vjdvp.exe 94 PID 4648 wrote to memory of 116 4648 7xrlffx.exe 95 PID 4648 wrote to memory of 116 4648 7xrlffx.exe 95 PID 4648 wrote to memory of 116 4648 7xrlffx.exe 95 PID 116 wrote to memory of 3064 116 hbbtnn.exe 96 PID 116 wrote to memory of 3064 116 hbbtnn.exe 96 PID 116 wrote to memory of 3064 116 hbbtnn.exe 96 PID 3064 wrote to memory of 2744 3064 vpjjd.exe 97 PID 3064 wrote to memory of 2744 3064 vpjjd.exe 97 PID 3064 wrote to memory of 2744 3064 vpjjd.exe 97 PID 2744 wrote to memory of 768 2744 htbnhb.exe 98 PID 2744 wrote to memory of 768 2744 htbnhb.exe 98 PID 2744 wrote to memory of 768 2744 htbnhb.exe 98 PID 768 wrote to memory of 3740 768 ddjvj.exe 99 PID 768 wrote to memory of 3740 768 ddjvj.exe 99 PID 768 wrote to memory of 3740 768 ddjvj.exe 99 PID 3740 wrote to memory of 4260 3740 btbbbt.exe 100 PID 3740 wrote to memory of 4260 3740 btbbbt.exe 100 PID 3740 wrote to memory of 4260 3740 btbbbt.exe 100 PID 4260 wrote to memory of 4276 4260 vpdvv.exe 101 PID 4260 wrote to memory of 4276 4260 vpdvv.exe 101 PID 4260 wrote to memory of 4276 4260 vpdvv.exe 101 PID 4276 wrote to memory of 2420 4276 frfxxrx.exe 102 PID 4276 wrote to memory of 2420 4276 frfxxrx.exe 102 PID 4276 wrote to memory of 2420 4276 frfxxrx.exe 102 PID 2420 wrote to memory of 1628 2420 frrlxxr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe"C:\Users\Admin\AppData\Local\Temp\c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\bntnhh.exec:\bntnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\dpjjd.exec:\dpjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\pdjjj.exec:\pdjjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\pdvpd.exec:\pdvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\btnbtn.exec:\btnbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\jpvpj.exec:\jpvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\rfllrlr.exec:\rfllrlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\7llfxrx.exec:\7llfxrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\lxxrllf.exec:\lxxrllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\frxfxxr.exec:\frxfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\vddvp.exec:\vddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\vjdvp.exec:\vjdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\7xrlffx.exec:\7xrlffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\hbbtnn.exec:\hbbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\vpjjd.exec:\vpjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\htbnhb.exec:\htbnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\ddjvj.exec:\ddjvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\btbbbt.exec:\btbbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\vpdvv.exec:\vpdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\frfxxrx.exec:\frfxxrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\frrlxxr.exec:\frrlxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\httnhb.exec:\httnhb.exe23⤵
- Executes dropped EXE
PID:1628 -
\??\c:\pjjjv.exec:\pjjjv.exe24⤵
- Executes dropped EXE
PID:2524 -
\??\c:\rfrlllr.exec:\rfrlllr.exe25⤵
- Executes dropped EXE
PID:1996 -
\??\c:\lxxfxfx.exec:\lxxfxfx.exe26⤵
- Executes dropped EXE
PID:1604 -
\??\c:\nthbnn.exec:\nthbnn.exe27⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jppdd.exec:\jppdd.exe28⤵
- Executes dropped EXE
PID:1368 -
\??\c:\lxxrrxr.exec:\lxxrrxr.exe29⤵
- Executes dropped EXE
PID:920 -
\??\c:\jvdvd.exec:\jvdvd.exe30⤵
- Executes dropped EXE
PID:4384 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe31⤵
- Executes dropped EXE
PID:4000 -
\??\c:\hbbhtb.exec:\hbbhtb.exe32⤵
- Executes dropped EXE
PID:4256 -
\??\c:\vdjvp.exec:\vdjvp.exe33⤵
- Executes dropped EXE
PID:1712 -
\??\c:\btbtnn.exec:\btbtnn.exe34⤵
- Executes dropped EXE
PID:3168 -
\??\c:\jvddd.exec:\jvddd.exe35⤵
- Executes dropped EXE
PID:5004 -
\??\c:\dpvpd.exec:\dpvpd.exe36⤵
- Executes dropped EXE
PID:1976 -
\??\c:\xrrfxrr.exec:\xrrfxrr.exe37⤵
- Executes dropped EXE
PID:1608 -
\??\c:\9pjjv.exec:\9pjjv.exe38⤵
- Executes dropped EXE
PID:3320 -
\??\c:\nnnnbb.exec:\nnnnbb.exe39⤵
- Executes dropped EXE
PID:2484 -
\??\c:\bntnbb.exec:\bntnbb.exe40⤵
- Executes dropped EXE
PID:1372 -
\??\c:\hhhbbt.exec:\hhhbbt.exe41⤵
- Executes dropped EXE
PID:1888 -
\??\c:\bbhbnh.exec:\bbhbnh.exe42⤵
- Executes dropped EXE
PID:4928 -
\??\c:\ppvjd.exec:\ppvjd.exe43⤵
- Executes dropped EXE
PID:2808 -
\??\c:\lrxrrll.exec:\lrxrrll.exe44⤵
- Executes dropped EXE
PID:5068 -
\??\c:\llrlfxl.exec:\llrlfxl.exe45⤵
- Executes dropped EXE
PID:2256 -
\??\c:\tnhtbt.exec:\tnhtbt.exe46⤵
- Executes dropped EXE
PID:5096 -
\??\c:\pjpjv.exec:\pjpjv.exe47⤵
- Executes dropped EXE
PID:832 -
\??\c:\lxxlrlf.exec:\lxxlrlf.exe48⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rlllllf.exec:\rlllllf.exe49⤵
- Executes dropped EXE
PID:2452 -
\??\c:\httthn.exec:\httthn.exe50⤵
- Executes dropped EXE
PID:744 -
\??\c:\dvvjv.exec:\dvvjv.exe51⤵
- Executes dropped EXE
PID:3848 -
\??\c:\pjjdp.exec:\pjjdp.exe52⤵
- Executes dropped EXE
PID:3340 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe53⤵
- Executes dropped EXE
PID:4532 -
\??\c:\frxlfrl.exec:\frxlfrl.exe54⤵
- Executes dropped EXE
PID:964 -
\??\c:\thhbtt.exec:\thhbtt.exe55⤵
- Executes dropped EXE
PID:4700 -
\??\c:\1vjvj.exec:\1vjvj.exe56⤵
- Executes dropped EXE
PID:1576 -
\??\c:\lxrlrrf.exec:\lxrlrrf.exe57⤵
- Executes dropped EXE
PID:2400 -
\??\c:\tbhbtn.exec:\tbhbtn.exe58⤵
- Executes dropped EXE
PID:1856 -
\??\c:\7jdvj.exec:\7jdvj.exe59⤵
- Executes dropped EXE
PID:4812 -
\??\c:\dvvpj.exec:\dvvpj.exe60⤵
- Executes dropped EXE
PID:2388 -
\??\c:\rffxrlf.exec:\rffxrlf.exe61⤵
- Executes dropped EXE
PID:4476 -
\??\c:\hhnbbt.exec:\hhnbbt.exe62⤵
- Executes dropped EXE
PID:456 -
\??\c:\nhtntt.exec:\nhtntt.exe63⤵
- Executes dropped EXE
PID:3656 -
\??\c:\jjjvp.exec:\jjjvp.exe64⤵
- Executes dropped EXE
PID:5088 -
\??\c:\rflxrlf.exec:\rflxrlf.exe65⤵
- Executes dropped EXE
PID:3292 -
\??\c:\ttbthb.exec:\ttbthb.exe66⤵PID:4292
-
\??\c:\bnnhhb.exec:\bnnhhb.exe67⤵PID:1476
-
\??\c:\jdjdj.exec:\jdjdj.exe68⤵PID:1612
-
\??\c:\flrlxrl.exec:\flrlxrl.exe69⤵PID:1872
-
\??\c:\nhbnbn.exec:\nhbnbn.exe70⤵PID:1784
-
\??\c:\hhtnbt.exec:\hhtnbt.exe71⤵PID:2884
-
\??\c:\lxxrlfr.exec:\lxxrlfr.exe72⤵PID:4508
-
\??\c:\lxfxfxx.exec:\lxfxfxx.exe73⤵PID:2408
-
\??\c:\pjdvp.exec:\pjdvp.exe74⤵PID:2780
-
\??\c:\frrlrrl.exec:\frrlrrl.exe75⤵PID:2336
-
\??\c:\xflxrlf.exec:\xflxrlf.exe76⤵PID:3012
-
\??\c:\nttnhh.exec:\nttnhh.exe77⤵PID:3064
-
\??\c:\7ppjd.exec:\7ppjd.exe78⤵PID:4424
-
\??\c:\fxxlfrl.exec:\fxxlfrl.exe79⤵PID:1980
-
\??\c:\flrlfxr.exec:\flrlfxr.exe80⤵PID:4192
-
\??\c:\tnnhtt.exec:\tnnhtt.exe81⤵PID:1176
-
\??\c:\5pjvv.exec:\5pjvv.exe82⤵PID:4356
-
\??\c:\djvjv.exec:\djvjv.exe83⤵PID:1492
-
\??\c:\lrfrlff.exec:\lrfrlff.exe84⤵PID:1416
-
\??\c:\hhthbt.exec:\hhthbt.exe85⤵PID:1672
-
\??\c:\hbbthh.exec:\hbbthh.exe86⤵PID:1860
-
\??\c:\dpvjd.exec:\dpvjd.exe87⤵PID:680
-
\??\c:\xffrlff.exec:\xffrlff.exe88⤵PID:1348
-
\??\c:\7hhbhh.exec:\7hhbhh.exe89⤵
- System Location Discovery: System Language Discovery
PID:2372 -
\??\c:\pddpd.exec:\pddpd.exe90⤵PID:3324
-
\??\c:\lffxfxr.exec:\lffxfxr.exe91⤵PID:1948
-
\??\c:\nhnnnb.exec:\nhnnnb.exe92⤵PID:1516
-
\??\c:\thhbth.exec:\thhbth.exe93⤵PID:4208
-
\??\c:\jvpdp.exec:\jvpdp.exe94⤵PID:2244
-
\??\c:\flrlxfx.exec:\flrlxfx.exe95⤵PID:4704
-
\??\c:\lfxrlfr.exec:\lfxrlfr.exe96⤵PID:3816
-
\??\c:\httthh.exec:\httthh.exe97⤵PID:3284
-
\??\c:\9pppj.exec:\9pppj.exe98⤵PID:208
-
\??\c:\jddvj.exec:\jddvj.exe99⤵PID:3620
-
\??\c:\5lllxxl.exec:\5lllxxl.exe100⤵PID:4052
-
\??\c:\5btnbt.exec:\5btnbt.exe101⤵PID:1828
-
\??\c:\tnnhbt.exec:\tnnhbt.exe102⤵PID:4952
-
\??\c:\9pdvd.exec:\9pdvd.exe103⤵PID:5028
-
\??\c:\5lrllll.exec:\5lrllll.exe104⤵PID:3716
-
\??\c:\1tthbt.exec:\1tthbt.exe105⤵PID:4160
-
\??\c:\9btbth.exec:\9btbth.exe106⤵PID:400
-
\??\c:\vjpjv.exec:\vjpjv.exe107⤵PID:1936
-
\??\c:\7lrfrlx.exec:\7lrfrlx.exe108⤵PID:1888
-
\??\c:\xxfxlfx.exec:\xxfxlfx.exe109⤵PID:2900
-
\??\c:\bnbnnn.exec:\bnbnnn.exe110⤵PID:4132
-
\??\c:\jvdjj.exec:\jvdjj.exe111⤵PID:776
-
\??\c:\frllxrf.exec:\frllxrf.exe112⤵PID:1168
-
\??\c:\nhnhbh.exec:\nhnhbh.exe113⤵PID:4820
-
\??\c:\vjdpd.exec:\vjdpd.exe114⤵PID:4368
-
\??\c:\vpjjv.exec:\vpjjv.exe115⤵PID:4344
-
\??\c:\1xxlrlf.exec:\1xxlrlf.exe116⤵PID:2184
-
\??\c:\bnbtbt.exec:\bnbtbt.exe117⤵PID:4092
-
\??\c:\vppdp.exec:\vppdp.exe118⤵PID:4620
-
\??\c:\9pvpj.exec:\9pvpj.exe119⤵PID:4064
-
\??\c:\lflfxfx.exec:\lflfxfx.exe120⤵PID:1584
-
\??\c:\ththbh.exec:\ththbh.exe121⤵
- System Location Discovery: System Language Discovery
PID:1764 -
\??\c:\pdjvv.exec:\pdjvv.exe122⤵PID:3776