Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:08
Static task
static1
1 signature
Behavioral task
behavioral1 (Windows 7 run — note that every IoC listed under Signatures below is tagged behavioral2, i.e. the Windows 10 run described under Analysis, so this task listing appears to be truncated)
Sample
9c059894896c499cadf8ca3265ba39dd7bec47b1f2d21e62cdea37fef5267702N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9c059894896c499cadf8ca3265ba39dd7bec47b1f2d21e62cdea37fef5267702N.exe
-
Size
452KB
-
MD5
7b434dc381b5a737263c719962e86440
-
SHA1
3c7ba530cc310322cb46b1d88ac62038a5ae1260
-
SHA256
9c059894896c499cadf8ca3265ba39dd7bec47b1f2d21e62cdea37fef5267702
-
SHA512
b7b1e1b9d13d13cfcad09bdef10a422cf6d560b922b6d3e46f5ab51e6558ce581198b3f290f756c814875a923050f337f6c03bff05041dbe83014a3a30a462f8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 61 IoCs (YARA rule `family_blackmoon` matched on in-memory dumps, each at 0x00400000–0x0042A000, in the original sample and its dropped children; the detection is memory-based, not a match on the file on disk)
resource yara_rule behavioral2/memory/5004-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2964-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/948-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-853-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-1098-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-1324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list is capped at 64 entries and ends at bnthhb.exe / PID 2812, while the process tree below continues well beyond that; treat it as non-exhaustive)
pid Process 4208 nnbtbh.exe 372 jdvjv.exe 3380 jpvjd.exe 3320 lrfxrrr.exe 5064 btnhbb.exe 2224 dpvvp.exe 4588 pdvpd.exe 4136 xflxlfx.exe 3456 5xxxrll.exe 1432 1bthbt.exe 4508 ddjdv.exe 2212 pjddv.exe 836 lxfffll.exe 4788 ppppp.exe 1744 vjvpp.exe 2504 frxrlfx.exe 4032 nbtnnt.exe 2264 lxlfffx.exe 2984 hbhbbb.exe 1068 jdjjd.exe 4464 lxfxrrl.exe 2044 nbhbtt.exe 2316 rflxxlf.exe 1088 5frlxfr.exe 4772 9nnhbb.exe 4832 vvppj.exe 2964 frxxrrl.exe 2884 rlxrxxf.exe 2512 bnnhbb.exe 3180 rllfxxr.exe 3932 pjppp.exe 5084 9lxxrxx.exe 4388 rflfxrl.exe 4176 rrxrlll.exe 3636 vjjdd.exe 3172 flrllff.exe 396 hnbtnn.exe 4444 rrrlxrx.exe 3440 rlrrlll.exe 5028 hthbtt.exe 1428 jdpjd.exe 4308 xxxrllf.exe 4296 rrlflrx.exe 4152 hhhhbh.exe 2392 ddjdv.exe 4716 7jjjd.exe 1752 rlxfrrr.exe 1760 bnnhhh.exe 3696 pvvvv.exe 2304 jdjdv.exe 5112 9xrlffx.exe 4188 bnttnn.exe 2160 dpjjj.exe 440 xflllll.exe 2028 llfxxrl.exe 4136 bnnnhh.exe 1520 dpvvp.exe 4312 djjdp.exe 2668 rlrlfll.exe 4364 nhbnht.exe 1420 jddvj.exe 4936 pjjdj.exe 4480 xlrrllf.exe 2812 bnthhb.exe -
resource yara_rule behavioral2/memory/5004-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2964-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4344-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-853-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-869-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here: reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language). Reading this key is also routine for benign software, so on its own this is a low-confidence indicator. Most entries below are attributed to "Process not Found", which suggests the originating process had already exited before the sandbox could resolve it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xlxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (each process in the chain writes into the child it has just spawned, three writes per child; the list is capped at 64 entries and stops at PID 4464 → 2044, although the process tree below continues past that point)
description pid Process procid_target PID 5004 wrote to memory of 4208 5004 9c059894896c499cadf8ca3265ba39dd7bec47b1f2d21e62cdea37fef5267702N.exe 83 PID 5004 wrote to memory of 4208 5004 9c059894896c499cadf8ca3265ba39dd7bec47b1f2d21e62cdea37fef5267702N.exe 83 PID 5004 wrote to memory of 4208 5004 9c059894896c499cadf8ca3265ba39dd7bec47b1f2d21e62cdea37fef5267702N.exe 83 PID 4208 wrote to memory of 372 4208 nnbtbh.exe 84 PID 4208 wrote to memory of 372 4208 nnbtbh.exe 84 PID 4208 wrote to memory of 372 4208 nnbtbh.exe 84 PID 372 wrote to memory of 3380 372 jdvjv.exe 85 PID 372 wrote to memory of 3380 372 jdvjv.exe 85 PID 372 wrote to memory of 3380 372 jdvjv.exe 85 PID 3380 wrote to memory of 3320 3380 jpvjd.exe 86 PID 3380 wrote to memory of 3320 3380 jpvjd.exe 86 PID 3380 wrote to memory of 3320 3380 jpvjd.exe 86 PID 3320 wrote to memory of 5064 3320 lrfxrrr.exe 87 PID 3320 wrote to memory of 5064 3320 lrfxrrr.exe 87 PID 3320 wrote to memory of 5064 3320 lrfxrrr.exe 87 PID 5064 wrote to memory of 2224 5064 btnhbb.exe 88 PID 5064 wrote to memory of 2224 5064 btnhbb.exe 88 PID 5064 wrote to memory of 2224 5064 btnhbb.exe 88 PID 2224 wrote to memory of 4588 2224 dpvvp.exe 89 PID 2224 wrote to memory of 4588 2224 dpvvp.exe 89 PID 2224 wrote to memory of 4588 2224 dpvvp.exe 89 PID 4588 wrote to memory of 4136 4588 pdvpd.exe 90 PID 4588 wrote to memory of 4136 4588 pdvpd.exe 90 PID 4588 wrote to memory of 4136 4588 pdvpd.exe 90 PID 4136 wrote to memory of 3456 4136 xflxlfx.exe 91 PID 4136 wrote to memory of 3456 4136 xflxlfx.exe 91 PID 4136 wrote to memory of 3456 4136 xflxlfx.exe 91 PID 3456 wrote to memory of 1432 3456 5xxxrll.exe 92 PID 3456 wrote to memory of 1432 3456 5xxxrll.exe 92 PID 3456 wrote to memory of 1432 3456 5xxxrll.exe 92 PID 1432 wrote to memory of 4508 1432 1bthbt.exe 93 PID 1432 wrote to memory of 4508 1432 1bthbt.exe 93 PID 1432 wrote to memory of 4508 1432 1bthbt.exe 93 PID 4508 wrote to memory of 2212 4508 ddjdv.exe 94 PID 4508 wrote to memory of 
2212 4508 ddjdv.exe 94 PID 4508 wrote to memory of 2212 4508 ddjdv.exe 94 PID 2212 wrote to memory of 836 2212 pjddv.exe 95 PID 2212 wrote to memory of 836 2212 pjddv.exe 95 PID 2212 wrote to memory of 836 2212 pjddv.exe 95 PID 836 wrote to memory of 4788 836 lxfffll.exe 96 PID 836 wrote to memory of 4788 836 lxfffll.exe 96 PID 836 wrote to memory of 4788 836 lxfffll.exe 96 PID 4788 wrote to memory of 1744 4788 ppppp.exe 97 PID 4788 wrote to memory of 1744 4788 ppppp.exe 97 PID 4788 wrote to memory of 1744 4788 ppppp.exe 97 PID 1744 wrote to memory of 2504 1744 vjvpp.exe 98 PID 1744 wrote to memory of 2504 1744 vjvpp.exe 98 PID 1744 wrote to memory of 2504 1744 vjvpp.exe 98 PID 2504 wrote to memory of 4032 2504 frxrlfx.exe 99 PID 2504 wrote to memory of 4032 2504 frxrlfx.exe 99 PID 2504 wrote to memory of 4032 2504 frxrlfx.exe 99 PID 4032 wrote to memory of 2264 4032 nbtnnt.exe 100 PID 4032 wrote to memory of 2264 4032 nbtnnt.exe 100 PID 4032 wrote to memory of 2264 4032 nbtnnt.exe 100 PID 2264 wrote to memory of 2984 2264 lxlfffx.exe 101 PID 2264 wrote to memory of 2984 2264 lxlfffx.exe 101 PID 2264 wrote to memory of 2984 2264 lxlfffx.exe 101 PID 2984 wrote to memory of 1068 2984 hbhbbb.exe 102 PID 2984 wrote to memory of 1068 2984 hbhbbb.exe 102 PID 2984 wrote to memory of 1068 2984 hbhbbb.exe 102 PID 1068 wrote to memory of 4464 1068 jdjjd.exe 103 PID 1068 wrote to memory of 4464 1068 jdjjd.exe 103 PID 1068 wrote to memory of 4464 1068 jdjjd.exe 103 PID 4464 wrote to memory of 2044 4464 lxfxrrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c059894896c499cadf8ca3265ba39dd7bec47b1f2d21e62cdea37fef5267702N.exe"C:\Users\Admin\AppData\Local\Temp\9c059894896c499cadf8ca3265ba39dd7bec47b1f2d21e62cdea37fef5267702N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\nnbtbh.exec:\nnbtbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\jdvjv.exec:\jdvjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\jpvjd.exec:\jpvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\lrfxrrr.exec:\lrfxrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\btnhbb.exec:\btnhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\dpvvp.exec:\dpvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\pdvpd.exec:\pdvpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\xflxlfx.exec:\xflxlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\5xxxrll.exec:\5xxxrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\1bthbt.exec:\1bthbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\ddjdv.exec:\ddjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\pjddv.exec:\pjddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\lxfffll.exec:\lxfffll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\ppppp.exec:\ppppp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\vjvpp.exec:\vjvpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\frxrlfx.exec:\frxrlfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\nbtnnt.exec:\nbtnnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\lxlfffx.exec:\lxlfffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\hbhbbb.exec:\hbhbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\jdjjd.exec:\jdjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\nbhbtt.exec:\nbhbtt.exe23⤵
- Executes dropped EXE
PID:2044 -
\??\c:\rflxxlf.exec:\rflxxlf.exe24⤵
- Executes dropped EXE
PID:2316 -
\??\c:\5frlxfr.exec:\5frlxfr.exe25⤵
- Executes dropped EXE
PID:1088 -
\??\c:\9nnhbb.exec:\9nnhbb.exe26⤵
- Executes dropped EXE
PID:4772 -
\??\c:\vvppj.exec:\vvppj.exe27⤵
- Executes dropped EXE
PID:4832 -
\??\c:\frxxrrl.exec:\frxxrrl.exe28⤵
- Executes dropped EXE
PID:2964 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe29⤵
- Executes dropped EXE
PID:2884 -
\??\c:\bnnhbb.exec:\bnnhbb.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
\??\c:\rllfxxr.exec:\rllfxxr.exe31⤵
- Executes dropped EXE
PID:3180 -
\??\c:\pjppp.exec:\pjppp.exe32⤵
- Executes dropped EXE
PID:3932 -
\??\c:\9lxxrxx.exec:\9lxxrxx.exe33⤵
- Executes dropped EXE
PID:5084 -
\??\c:\rflfxrl.exec:\rflfxrl.exe34⤵
- Executes dropped EXE
PID:4388 -
\??\c:\rrxrlll.exec:\rrxrlll.exe35⤵
- Executes dropped EXE
PID:4176 -
\??\c:\vjjdd.exec:\vjjdd.exe36⤵
- Executes dropped EXE
PID:3636 -
\??\c:\flrllff.exec:\flrllff.exe37⤵
- Executes dropped EXE
PID:3172 -
\??\c:\hnbtnn.exec:\hnbtnn.exe38⤵
- Executes dropped EXE
PID:396 -
\??\c:\rrrlxrx.exec:\rrrlxrx.exe39⤵
- Executes dropped EXE
PID:4444 -
\??\c:\rlrrlll.exec:\rlrrlll.exe40⤵
- Executes dropped EXE
PID:3440 -
\??\c:\hthbtt.exec:\hthbtt.exe41⤵
- Executes dropped EXE
PID:5028 -
\??\c:\jdpjd.exec:\jdpjd.exe42⤵
- Executes dropped EXE
PID:1428 -
\??\c:\xxxrllf.exec:\xxxrllf.exe43⤵
- Executes dropped EXE
PID:4308 -
\??\c:\rrlflrx.exec:\rrlflrx.exe44⤵
- Executes dropped EXE
PID:4296 -
\??\c:\hhhhbh.exec:\hhhhbh.exe45⤵
- Executes dropped EXE
PID:4152 -
\??\c:\ddjdv.exec:\ddjdv.exe46⤵
- Executes dropped EXE
PID:2392 -
\??\c:\7jjjd.exec:\7jjjd.exe47⤵
- Executes dropped EXE
PID:4716 -
\??\c:\rlxfrrr.exec:\rlxfrrr.exe48⤵
- Executes dropped EXE
PID:1752 -
\??\c:\bnnhhh.exec:\bnnhhh.exe49⤵
- Executes dropped EXE
PID:1760 -
\??\c:\pvvvv.exec:\pvvvv.exe50⤵
- Executes dropped EXE
PID:3696 -
\??\c:\jdjdv.exec:\jdjdv.exe51⤵
- Executes dropped EXE
PID:2304 -
\??\c:\9xrlffx.exec:\9xrlffx.exe52⤵
- Executes dropped EXE
PID:5112 -
\??\c:\bnttnn.exec:\bnttnn.exe53⤵
- Executes dropped EXE
PID:4188 -
\??\c:\dpjjj.exec:\dpjjj.exe54⤵
- Executes dropped EXE
PID:2160 -
\??\c:\xflllll.exec:\xflllll.exe55⤵
- Executes dropped EXE
PID:440 -
\??\c:\llfxxrl.exec:\llfxxrl.exe56⤵
- Executes dropped EXE
PID:2028 -
\??\c:\bnnnhh.exec:\bnnnhh.exe57⤵
- Executes dropped EXE
PID:4136 -
\??\c:\dpvvp.exec:\dpvvp.exe58⤵
- Executes dropped EXE
PID:1520 -
\??\c:\djjdp.exec:\djjdp.exe59⤵
- Executes dropped EXE
PID:4312 -
\??\c:\rlrlfll.exec:\rlrlfll.exe60⤵
- Executes dropped EXE
PID:2668 -
\??\c:\nhbnht.exec:\nhbnht.exe61⤵
- Executes dropped EXE
PID:4364 -
\??\c:\jddvj.exec:\jddvj.exe62⤵
- Executes dropped EXE
PID:1420 -
\??\c:\pjjdj.exec:\pjjdj.exe63⤵
- Executes dropped EXE
PID:4936 -
\??\c:\xlrrllf.exec:\xlrrllf.exe64⤵
- Executes dropped EXE
PID:4480 -
\??\c:\bnthhb.exec:\bnthhb.exe65⤵
- Executes dropped EXE
PID:2812 -
\??\c:\dddjv.exec:\dddjv.exe66⤵PID:1744
-
\??\c:\7lrlxxx.exec:\7lrlxxx.exe67⤵PID:5076
-
\??\c:\rlxxrrl.exec:\rlxxrrl.exe68⤵PID:4020
-
\??\c:\bnbtnn.exec:\bnbtnn.exe69⤵PID:4476
-
\??\c:\vpvpp.exec:\vpvpp.exe70⤵PID:212
-
\??\c:\7rxlffx.exec:\7rxlffx.exe71⤵
- System Location Discovery: System Language Discovery
PID:404 -
\??\c:\tnthbt.exec:\tnthbt.exe72⤵PID:2684
-
\??\c:\7jppp.exec:\7jppp.exe73⤵PID:2588
-
\??\c:\fxfxlff.exec:\fxfxlff.exe74⤵PID:680
-
\??\c:\rflfrrl.exec:\rflfrrl.exe75⤵PID:1876
-
\??\c:\bbttbb.exec:\bbttbb.exe76⤵PID:1852
-
\??\c:\9djdv.exec:\9djdv.exe77⤵PID:3812
-
\??\c:\rxflfxx.exec:\rxflfxx.exe78⤵PID:4848
-
\??\c:\rffxrlf.exec:\rffxrlf.exe79⤵PID:3624
-
\??\c:\ntbtnn.exec:\ntbtnn.exe80⤵PID:948
-
\??\c:\7vvpj.exec:\7vvpj.exe81⤵PID:3668
-
\??\c:\jpjdp.exec:\jpjdp.exe82⤵PID:5116
-
\??\c:\rrxrffl.exec:\rrxrffl.exe83⤵PID:1480
-
\??\c:\nhhhbb.exec:\nhhhbb.exe84⤵PID:4344
-
\??\c:\dvdvv.exec:\dvdvv.exe85⤵PID:3424
-
\??\c:\xflfxrl.exec:\xflfxrl.exe86⤵PID:3864
-
\??\c:\xrlfffl.exec:\xrlfffl.exe87⤵PID:4624
-
\??\c:\tnhbnh.exec:\tnhbnh.exe88⤵PID:1288
-
\??\c:\vjvjj.exec:\vjvjj.exe89⤵PID:4472
-
\??\c:\jpdvp.exec:\jpdvp.exe90⤵PID:4760
-
\??\c:\xxfxxrr.exec:\xxfxxrr.exe91⤵PID:4676
-
\??\c:\5bbthh.exec:\5bbthh.exe92⤵PID:2228
-
\??\c:\pddpj.exec:\pddpj.exe93⤵PID:2716
-
\??\c:\frxrllr.exec:\frxrllr.exe94⤵PID:3664
-
\??\c:\hbhhhh.exec:\hbhhhh.exe95⤵PID:4924
-
\??\c:\jvdvv.exec:\jvdvv.exe96⤵PID:3440
-
\??\c:\fffllll.exec:\fffllll.exe97⤵PID:4988
-
\??\c:\hntttb.exec:\hntttb.exe98⤵PID:4304
-
\??\c:\dvjjd.exec:\dvjjd.exe99⤵PID:2584
-
\??\c:\dvdvp.exec:\dvdvp.exe100⤵PID:4220
-
\??\c:\llllllf.exec:\llllllf.exe101⤵PID:2152
-
\??\c:\hbnnhh.exec:\hbnnhh.exe102⤵PID:372
-
\??\c:\1vddv.exec:\1vddv.exe103⤵PID:1864
-
\??\c:\3jjdv.exec:\3jjdv.exe104⤵PID:3332
-
\??\c:\lffxxxx.exec:\lffxxxx.exe105⤵PID:2380
-
\??\c:\tntnnn.exec:\tntnnn.exe106⤵PID:2484
-
\??\c:\bnbbtt.exec:\bnbbtt.exe107⤵PID:4792
-
\??\c:\ppvpd.exec:\ppvpd.exe108⤵PID:2224
-
\??\c:\xlrrlll.exec:\xlrrlll.exe109⤵PID:4620
-
\??\c:\nbbhbt.exec:\nbbhbt.exe110⤵PID:3080
-
\??\c:\7jjjd.exec:\7jjjd.exe111⤵PID:3948
-
\??\c:\ddvpj.exec:\ddvpj.exe112⤵PID:1632
-
\??\c:\5rrlflf.exec:\5rrlflf.exe113⤵PID:4448
-
\??\c:\nhnhhh.exec:\nhnhhh.exe114⤵PID:1432
-
\??\c:\jdvpp.exec:\jdvpp.exe115⤵PID:3448
-
\??\c:\3xfxffr.exec:\3xfxffr.exe116⤵PID:1924
-
\??\c:\bhttnt.exec:\bhttnt.exe117⤵PID:4508
-
\??\c:\5vdvp.exec:\5vdvp.exe118⤵PID:2340
-
\??\c:\jpjdp.exec:\jpjdp.exe119⤵PID:3384
-
\??\c:\xxlfxrx.exec:\xxlfxrx.exe120⤵PID:836
-
\??\c:\ttbttt.exec:\ttbttt.exe121⤵PID:4480
-
\??\c:\jpdvj.exec:\jpdvj.exe122⤵PID:968