Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 08:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb49eeb68b74d1fef0996b1b372ef3f0a95d99b5dda32b45e5f6b742c068976fN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
fb49eeb68b74d1fef0996b1b372ef3f0a95d99b5dda32b45e5f6b742c068976fN.exe
-
Size
456KB
-
MD5
8c85296322424b1822e455527b00f810
-
SHA1
5b28a5cdf7fd1cf4d2a2232e7d630ed2ca09b790
-
SHA256
fb49eeb68b74d1fef0996b1b372ef3f0a95d99b5dda32b45e5f6b742c068976f
-
SHA512
20b18eb82a65e9321197835e195ef670bb6146c3ba03d0fe06e671cd6284c4454edf87eecfba99f44c60e892edd016c4cba807887f7af642404badaa2af57640
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeLl:q7Tc2NYHUrAwfMp3CDLl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4392-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1444-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/264-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-1300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-1610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-1791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1036 hbhbbn.exe 3304 jddvp.exe 1260 jdvvp.exe 3344 lfrlrrx.exe 2916 rxrflxx.exe 2932 7tbbtn.exe 1708 7dvpj.exe 2784 jjvjp.exe 4888 dpvpj.exe 3180 vpppj.exe 3488 xxffxlf.exe 264 djjdv.exe 2308 frxrrll.exe 4864 nhtntt.exe 1540 9lfflll.exe 3516 1tntnt.exe 1080 jdpdd.exe 4656 rfllfxr.exe 2428 jdvdd.exe 3116 dvpjd.exe 4612 bntnhh.exe 4496 httnhh.exe 4008 pjpjj.exe 1584 rflfxrl.exe 1308 1xrlffx.exe 4012 thhhbb.exe 1444 pdjdv.exe 944 djvjp.exe 1848 htbtnn.exe 3676 frxxrll.exe 1400 pppjj.exe 1600 1ddvp.exe 3580 1btntn.exe 2768 1pddv.exe 2160 rlxxrff.exe 1916 hbbtnh.exe 3184 jjvpj.exe 3604 pdpdj.exe 2336 fxxrllf.exe 4508 tthnbt.exe 5076 jvdvj.exe 4156 jvdvp.exe 4608 fxrrlxx.exe 408 3bttnt.exe 3396 jpvpj.exe 1164 3xfxxxx.exe 2180 tnhhbb.exe 5036 bhthbt.exe 3848 dvvjd.exe 4476 lfrlllr.exe 428 bnbtbt.exe 4912 hbhhtt.exe 2796 ddpdv.exe 4036 xfrllrl.exe 3700 hbtnnn.exe 3344 djjdp.exe 4192 dvjdp.exe 5096 xrfxllf.exe 3400 bhnnhn.exe 5072 bntbnn.exe 800 dpvjd.exe 5064 rllfrrl.exe 2040 nnhbhh.exe 1876 jvdvp.exe -
resource yara_rule behavioral2/memory/1036-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1600-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-414-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4560-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-917-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-1300-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4392 wrote to memory of 1036 4392 fb49eeb68b74d1fef0996b1b372ef3f0a95d99b5dda32b45e5f6b742c068976fN.exe 82 PID 4392 wrote to memory of 1036 4392 fb49eeb68b74d1fef0996b1b372ef3f0a95d99b5dda32b45e5f6b742c068976fN.exe 82 PID 4392 wrote to memory of 1036 4392 fb49eeb68b74d1fef0996b1b372ef3f0a95d99b5dda32b45e5f6b742c068976fN.exe 82 PID 1036 wrote to memory of 3304 1036 hbhbbn.exe 83 PID 1036 wrote to memory of 3304 1036 hbhbbn.exe 83 PID 1036 wrote to memory of 3304 1036 hbhbbn.exe 83 PID 3304 wrote to memory of 1260 3304 jddvp.exe 84 PID 3304 wrote to memory of 1260 3304 jddvp.exe 84 PID 3304 wrote to memory of 1260 3304 jddvp.exe 84 PID 1260 wrote to memory of 3344 1260 jdvvp.exe 85 PID 1260 wrote to memory of 3344 1260 jdvvp.exe 85 PID 1260 wrote to memory of 3344 1260 jdvvp.exe 85 PID 3344 wrote to memory of 2916 3344 lfrlrrx.exe 86 PID 3344 wrote to memory of 2916 3344 lfrlrrx.exe 86 PID 3344 wrote to memory of 2916 3344 lfrlrrx.exe 86 PID 2916 wrote to memory of 2932 2916 rxrflxx.exe 87 PID 2916 wrote to memory of 2932 2916 rxrflxx.exe 87 PID 2916 wrote to memory of 2932 2916 rxrflxx.exe 87 PID 2932 wrote to memory of 1708 2932 7tbbtn.exe 88 PID 2932 wrote to memory of 1708 2932 7tbbtn.exe 88 PID 2932 wrote to memory of 1708 2932 7tbbtn.exe 88 PID 1708 wrote to memory of 2784 1708 7dvpj.exe 89 PID 1708 wrote to memory of 2784 1708 7dvpj.exe 89 PID 1708 wrote to memory of 2784 1708 7dvpj.exe 89 PID 2784 wrote to memory of 4888 2784 jjvjp.exe 90 PID 2784 wrote to memory of 4888 2784 jjvjp.exe 90 PID 2784 wrote to memory of 4888 2784 jjvjp.exe 90 PID 4888 wrote to memory of 3180 4888 dpvpj.exe 91 PID 4888 wrote to memory of 3180 4888 dpvpj.exe 91 PID 4888 wrote to memory of 3180 4888 dpvpj.exe 91 PID 3180 wrote to memory of 3488 3180 vpppj.exe 92 PID 3180 wrote to memory of 3488 3180 vpppj.exe 92 PID 3180 wrote to memory of 3488 3180 vpppj.exe 92 PID 3488 wrote to memory of 264 3488 xxffxlf.exe 93 PID 3488 wrote to memory of 
264 3488 xxffxlf.exe 93 PID 3488 wrote to memory of 264 3488 xxffxlf.exe 93 PID 264 wrote to memory of 2308 264 djjdv.exe 94 PID 264 wrote to memory of 2308 264 djjdv.exe 94 PID 264 wrote to memory of 2308 264 djjdv.exe 94 PID 2308 wrote to memory of 4864 2308 frxrrll.exe 95 PID 2308 wrote to memory of 4864 2308 frxrrll.exe 95 PID 2308 wrote to memory of 4864 2308 frxrrll.exe 95 PID 4864 wrote to memory of 1540 4864 nhtntt.exe 96 PID 4864 wrote to memory of 1540 4864 nhtntt.exe 96 PID 4864 wrote to memory of 1540 4864 nhtntt.exe 96 PID 1540 wrote to memory of 3516 1540 9lfflll.exe 97 PID 1540 wrote to memory of 3516 1540 9lfflll.exe 97 PID 1540 wrote to memory of 3516 1540 9lfflll.exe 97 PID 3516 wrote to memory of 1080 3516 1tntnt.exe 98 PID 3516 wrote to memory of 1080 3516 1tntnt.exe 98 PID 3516 wrote to memory of 1080 3516 1tntnt.exe 98 PID 1080 wrote to memory of 4656 1080 jdpdd.exe 99 PID 1080 wrote to memory of 4656 1080 jdpdd.exe 99 PID 1080 wrote to memory of 4656 1080 jdpdd.exe 99 PID 4656 wrote to memory of 2428 4656 rfllfxr.exe 100 PID 4656 wrote to memory of 2428 4656 rfllfxr.exe 100 PID 4656 wrote to memory of 2428 4656 rfllfxr.exe 100 PID 2428 wrote to memory of 3116 2428 jdvdd.exe 101 PID 2428 wrote to memory of 3116 2428 jdvdd.exe 101 PID 2428 wrote to memory of 3116 2428 jdvdd.exe 101 PID 3116 wrote to memory of 4612 3116 dvpjd.exe 102 PID 3116 wrote to memory of 4612 3116 dvpjd.exe 102 PID 3116 wrote to memory of 4612 3116 dvpjd.exe 102 PID 4612 wrote to memory of 4496 4612 bntnhh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb49eeb68b74d1fef0996b1b372ef3f0a95d99b5dda32b45e5f6b742c068976fN.exe"C:\Users\Admin\AppData\Local\Temp\fb49eeb68b74d1fef0996b1b372ef3f0a95d99b5dda32b45e5f6b742c068976fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\hbhbbn.exec:\hbhbbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\jddvp.exec:\jddvp.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\jdvvp.exec:\jdvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\rxrflxx.exec:\rxrflxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\7tbbtn.exec:\7tbbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\7dvpj.exec:\7dvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\jjvjp.exec:\jjvjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\dpvpj.exec:\dpvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\vpppj.exec:\vpppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\xxffxlf.exec:\xxffxlf.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\djjdv.exec:\djjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\frxrrll.exec:\frxrrll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\nhtntt.exec:\nhtntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\9lfflll.exec:\9lfflll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\1tntnt.exec:\1tntnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\jdpdd.exec:\jdpdd.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\rfllfxr.exec:\rfllfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\jdvdd.exec:\jdvdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\dvpjd.exec:\dvpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\bntnhh.exec:\bntnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\httnhh.exec:\httnhh.exe23⤵
- Executes dropped EXE
PID:4496 -
\??\c:\pjpjj.exec:\pjpjj.exe24⤵
- Executes dropped EXE
PID:4008 -
\??\c:\rflfxrl.exec:\rflfxrl.exe25⤵
- Executes dropped EXE
PID:1584 -
\??\c:\1xrlffx.exec:\1xrlffx.exe26⤵
- Executes dropped EXE
PID:1308 -
\??\c:\thhhbb.exec:\thhhbb.exe27⤵
- Executes dropped EXE
PID:4012 -
\??\c:\pdjdv.exec:\pdjdv.exe28⤵
- Executes dropped EXE
PID:1444 -
\??\c:\djvjp.exec:\djvjp.exe29⤵
- Executes dropped EXE
PID:944 -
\??\c:\htbtnn.exec:\htbtnn.exe30⤵
- Executes dropped EXE
PID:1848 -
\??\c:\frxxrll.exec:\frxxrll.exe31⤵
- Executes dropped EXE
PID:3676 -
\??\c:\pppjj.exec:\pppjj.exe32⤵
- Executes dropped EXE
PID:1400 -
\??\c:\1ddvp.exec:\1ddvp.exe33⤵
- Executes dropped EXE
PID:1600 -
\??\c:\1btntn.exec:\1btntn.exe34⤵
- Executes dropped EXE
PID:3580 -
\??\c:\1pddv.exec:\1pddv.exe35⤵
- Executes dropped EXE
PID:2768 -
\??\c:\rlxxrff.exec:\rlxxrff.exe36⤵
- Executes dropped EXE
PID:2160 -
\??\c:\hbbtnh.exec:\hbbtnh.exe37⤵
- Executes dropped EXE
PID:1916 -
\??\c:\jjvpj.exec:\jjvpj.exe38⤵
- Executes dropped EXE
PID:3184 -
\??\c:\pdpdj.exec:\pdpdj.exe39⤵
- Executes dropped EXE
PID:3604 -
\??\c:\fxxrllf.exec:\fxxrllf.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
\??\c:\tthnbt.exec:\tthnbt.exe41⤵
- Executes dropped EXE
PID:4508 -
\??\c:\jvdvj.exec:\jvdvj.exe42⤵
- Executes dropped EXE
PID:5076 -
\??\c:\jvdvp.exec:\jvdvp.exe43⤵
- Executes dropped EXE
PID:4156 -
\??\c:\fxrrlxx.exec:\fxrrlxx.exe44⤵
- Executes dropped EXE
PID:4608 -
\??\c:\3bttnt.exec:\3bttnt.exe45⤵
- Executes dropped EXE
PID:408 -
\??\c:\jpvpj.exec:\jpvpj.exe46⤵
- Executes dropped EXE
PID:3396 -
\??\c:\3xfxxxx.exec:\3xfxxxx.exe47⤵
- Executes dropped EXE
PID:1164 -
\??\c:\tnhhbb.exec:\tnhhbb.exe48⤵
- Executes dropped EXE
PID:2180 -
\??\c:\bhthbt.exec:\bhthbt.exe49⤵
- Executes dropped EXE
PID:5036 -
\??\c:\dvvjd.exec:\dvvjd.exe50⤵
- Executes dropped EXE
PID:3848 -
\??\c:\lfrlllr.exec:\lfrlllr.exe51⤵
- Executes dropped EXE
PID:4476 -
\??\c:\bnbtbt.exec:\bnbtbt.exe52⤵
- Executes dropped EXE
PID:428 -
\??\c:\hbhhtt.exec:\hbhhtt.exe53⤵
- Executes dropped EXE
PID:4912 -
\??\c:\ddpdv.exec:\ddpdv.exe54⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xfrllrl.exec:\xfrllrl.exe55⤵
- Executes dropped EXE
PID:4036 -
\??\c:\hbtnnn.exec:\hbtnnn.exe56⤵
- Executes dropped EXE
PID:3700 -
\??\c:\djjdp.exec:\djjdp.exe57⤵
- Executes dropped EXE
PID:3344 -
\??\c:\dvjdp.exec:\dvjdp.exe58⤵
- Executes dropped EXE
PID:4192 -
\??\c:\xrfxllf.exec:\xrfxllf.exe59⤵
- Executes dropped EXE
PID:5096 -
\??\c:\bhnnhn.exec:\bhnnhn.exe60⤵
- Executes dropped EXE
PID:3400 -
\??\c:\bntbnn.exec:\bntbnn.exe61⤵
- Executes dropped EXE
PID:5072 -
\??\c:\dpvjd.exec:\dpvjd.exe62⤵
- Executes dropped EXE
PID:800 -
\??\c:\rllfrrl.exec:\rllfrrl.exe63⤵
- Executes dropped EXE
PID:5064 -
\??\c:\nnhbhh.exec:\nnhbhh.exe64⤵
- Executes dropped EXE
PID:2040 -
\??\c:\jvdvp.exec:\jvdvp.exe65⤵
- Executes dropped EXE
PID:1876 -
\??\c:\jddjv.exec:\jddjv.exe66⤵PID:2880
-
\??\c:\rflfxrl.exec:\rflfxrl.exe67⤵PID:1460
-
\??\c:\7ntnbb.exec:\7ntnbb.exe68⤵PID:5084
-
\??\c:\hnnnhh.exec:\hnnnhh.exe69⤵
- System Location Discovery: System Language Discovery
PID:3108 -
\??\c:\fxlrxrf.exec:\fxlrxrf.exe70⤵PID:3640
-
\??\c:\xllfxxr.exec:\xllfxxr.exe71⤵PID:264
-
\??\c:\nnhbbt.exec:\nnhbbt.exe72⤵PID:536
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe73⤵PID:1128
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe74⤵PID:1960
-
\??\c:\7thtnn.exec:\7thtnn.exe75⤵PID:1540
-
\??\c:\jjvjp.exec:\jjvjp.exe76⤵PID:1716
-
\??\c:\pjpvp.exec:\pjpvp.exe77⤵PID:1184
-
\??\c:\bttnbt.exec:\bttnbt.exe78⤵PID:4736
-
\??\c:\7nhbtn.exec:\7nhbtn.exe79⤵PID:2216
-
\??\c:\pjjpj.exec:\pjjpj.exe80⤵PID:832
-
\??\c:\xflfrrl.exec:\xflfrrl.exe81⤵PID:3320
-
\??\c:\htnhtt.exec:\htnhtt.exe82⤵PID:704
-
\??\c:\nhhtbh.exec:\nhhtbh.exe83⤵PID:4184
-
\??\c:\vppjv.exec:\vppjv.exe84⤵PID:404
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe85⤵PID:4408
-
\??\c:\ttbnhb.exec:\ttbnhb.exe86⤵PID:948
-
\??\c:\jjjvp.exec:\jjjvp.exe87⤵PID:1944
-
\??\c:\vpvpj.exec:\vpvpj.exe88⤵PID:804
-
\??\c:\lffrllx.exec:\lffrllx.exe89⤵PID:4536
-
\??\c:\thnhtn.exec:\thnhtn.exe90⤵PID:4012
-
\??\c:\nttnbb.exec:\nttnbb.exe91⤵PID:2724
-
\??\c:\pdpjd.exec:\pdpjd.exe92⤵PID:4996
-
\??\c:\frrllfx.exec:\frrllfx.exe93⤵
- System Location Discovery: System Language Discovery
PID:3056 -
\??\c:\hbhbnn.exec:\hbhbnn.exe94⤵PID:3968
-
\??\c:\nhnbtt.exec:\nhnbtt.exe95⤵PID:2276
-
\??\c:\jpjdv.exec:\jpjdv.exe96⤵PID:380
-
\??\c:\7rrllfl.exec:\7rrllfl.exe97⤵PID:1400
-
\??\c:\fxfxffx.exec:\fxfxffx.exe98⤵PID:1200
-
\??\c:\thhbbt.exec:\thhbbt.exe99⤵PID:512
-
\??\c:\tbbthh.exec:\tbbthh.exe100⤵PID:4196
-
\??\c:\dpdvp.exec:\dpdvp.exe101⤵PID:1764
-
\??\c:\rflfffx.exec:\rflfffx.exe102⤵PID:2832
-
\??\c:\xrlllrx.exec:\xrlllrx.exe103⤵PID:1820
-
\??\c:\hbhhnt.exec:\hbhhnt.exe104⤵PID:2412
-
\??\c:\pjpjp.exec:\pjpjp.exe105⤵PID:3324
-
\??\c:\xxxrllf.exec:\xxxrllf.exe106⤵PID:3776
-
\??\c:\lrxrlff.exec:\lrxrlff.exe107⤵PID:3684
-
\??\c:\7hnbtn.exec:\7hnbtn.exe108⤵PID:3688
-
\??\c:\vpppj.exec:\vpppj.exe109⤵PID:5076
-
\??\c:\xrfrrlx.exec:\xrfrrlx.exe110⤵PID:4156
-
\??\c:\nthhtb.exec:\nthhtb.exe111⤵PID:2368
-
\??\c:\pdjvp.exec:\pdjvp.exe112⤵PID:224
-
\??\c:\xxfrrxr.exec:\xxfrrxr.exe113⤵PID:4648
-
\??\c:\rxfxrlx.exec:\rxfxrlx.exe114⤵PID:4208
-
\??\c:\httnhb.exec:\httnhb.exe115⤵PID:1216
-
\??\c:\pjdjd.exec:\pjdjd.exe116⤵PID:2376
-
\??\c:\xxfrlfx.exec:\xxfrlfx.exe117⤵PID:2756
-
\??\c:\bbbbnn.exec:\bbbbnn.exe118⤵PID:4476
-
\??\c:\jdddd.exec:\jdddd.exe119⤵PID:400
-
\??\c:\9ddvj.exec:\9ddvj.exe120⤵PID:312
-
\??\c:\xffxrll.exec:\xffxrll.exe121⤵PID:1036
-
\??\c:\bbhtbn.exec:\bbhtbn.exe122⤵PID:3392