Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 15:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe
-
Size
454KB
-
MD5
64bd3ba7a3804ae3148aee576cf84150
-
SHA1
544f7f843f7877748293b23295ae94316508fd68
-
SHA256
39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243d
-
SHA512
8b631f99e6ce55ef8d0c4bee4ff3c963433a241adb43091fc5d62f71cdbb1770a24fddf83bdfa3162bb678b7eda0310e6b8fd6e089f1e08f4bda60a3c6f8848a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4048-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2456-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3352-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-976-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-1201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4552 jdjdd.exe 468 9jjdj.exe 1616 ntbttt.exe 344 ffxxrrl.exe 4152 djdvv.exe 1216 lxfxrlx.exe 4928 7ntnhh.exe 3220 9dpjp.exe 4804 hnnbbb.exe 3624 tntttn.exe 1816 vdvpp.exe 4576 xfrlfxr.exe 1404 7ttnnh.exe 2408 vdjpj.exe 4596 5dvjd.exe 5080 7hbtnn.exe 1072 ddvjd.exe 5048 jpdpj.exe 4156 htbthb.exe 4016 xxlxrfx.exe 4172 xlfxrrl.exe 2456 bttnhh.exe 3788 xllfxxx.exe 3704 5hnhhh.exe 2232 nnnhbb.exe 3548 frfrrll.exe 2280 lxxrfff.exe 3500 1jjvp.exe 1728 rlrfxrf.exe 2264 dvdpv.exe 4740 3nthtt.exe 556 pvvpd.exe 3164 1rrfxxl.exe 3328 dppjv.exe 384 vjjdv.exe 2840 hnbtnn.exe 2556 7tttnn.exe 4104 jvdvp.exe 3144 3rfrffx.exe 836 nnbtbb.exe 1960 jpvpd.exe 3720 xffxrrl.exe 452 httnnh.exe 1396 vjvpj.exe 64 llxrxrx.exe 3804 fxfrxrr.exe 4404 bntntn.exe 4252 ddjvj.exe 4008 xxfxlxl.exe 400 ffrflfx.exe 4496 thnnth.exe 1428 ppvpd.exe 4264 fllxlfr.exe 720 5lfrllf.exe 2516 dpdvj.exe 2736 lllfxrl.exe 3964 hnnhbt.exe 4800 btbtbt.exe 4748 rlrfxfx.exe 4928 rxfrrlx.exe 4856 9hnnhn.exe 1108 jjvpj.exe 676 rrfxxrf.exe 1512 hbbthh.exe -
resource yara_rule behavioral2/memory/4048-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3500-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-430-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4692-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-909-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrffr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlfx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4048 wrote to memory of 4552 4048 39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe 82 PID 4048 wrote to memory of 4552 4048 39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe 82 PID 4048 wrote to memory of 4552 4048 39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe 82 PID 4552 wrote to memory of 468 4552 jdjdd.exe 83 PID 4552 wrote to memory of 468 4552 jdjdd.exe 83 PID 4552 wrote to memory of 468 4552 jdjdd.exe 83 PID 468 wrote to memory of 1616 468 9jjdj.exe 84 PID 468 wrote to memory of 1616 468 9jjdj.exe 84 PID 468 wrote to memory of 1616 468 9jjdj.exe 84 PID 1616 wrote to memory of 344 1616 ntbttt.exe 85 PID 1616 wrote to memory of 344 1616 ntbttt.exe 85 PID 1616 wrote to memory of 344 1616 ntbttt.exe 85 PID 344 wrote to memory of 4152 344 ffxxrrl.exe 86 PID 344 wrote to memory of 4152 344 ffxxrrl.exe 86 PID 344 wrote to memory of 4152 344 ffxxrrl.exe 86 PID 4152 wrote to memory of 1216 4152 djdvv.exe 87 PID 4152 wrote to memory of 1216 4152 djdvv.exe 87 PID 4152 wrote to memory of 1216 4152 djdvv.exe 87 PID 1216 wrote to memory of 4928 1216 lxfxrlx.exe 88 PID 1216 wrote to memory of 4928 1216 lxfxrlx.exe 88 PID 1216 wrote to memory of 4928 1216 lxfxrlx.exe 88 PID 4928 wrote to memory of 3220 4928 7ntnhh.exe 89 PID 4928 wrote to memory of 3220 4928 7ntnhh.exe 89 PID 4928 wrote to memory of 3220 4928 7ntnhh.exe 89 PID 3220 wrote to memory of 4804 3220 9dpjp.exe 90 PID 3220 wrote to memory of 4804 3220 9dpjp.exe 90 PID 3220 wrote to memory of 4804 3220 9dpjp.exe 90 PID 4804 wrote to memory of 3624 4804 hnnbbb.exe 91 PID 4804 wrote to memory of 3624 4804 hnnbbb.exe 91 PID 4804 wrote to memory of 3624 4804 hnnbbb.exe 91 PID 3624 wrote to memory of 1816 3624 tntttn.exe 92 PID 3624 wrote to memory of 1816 3624 tntttn.exe 92 PID 3624 wrote to memory of 1816 3624 tntttn.exe 92 PID 1816 wrote to memory of 4576 1816 vdvpp.exe 93 PID 1816 wrote to memory of 4576 1816 
vdvpp.exe 93 PID 1816 wrote to memory of 4576 1816 vdvpp.exe 93 PID 4576 wrote to memory of 1404 4576 xfrlfxr.exe 94 PID 4576 wrote to memory of 1404 4576 xfrlfxr.exe 94 PID 4576 wrote to memory of 1404 4576 xfrlfxr.exe 94 PID 1404 wrote to memory of 2408 1404 7ttnnh.exe 95 PID 1404 wrote to memory of 2408 1404 7ttnnh.exe 95 PID 1404 wrote to memory of 2408 1404 7ttnnh.exe 95 PID 2408 wrote to memory of 4596 2408 vdjpj.exe 96 PID 2408 wrote to memory of 4596 2408 vdjpj.exe 96 PID 2408 wrote to memory of 4596 2408 vdjpj.exe 96 PID 4596 wrote to memory of 5080 4596 5dvjd.exe 97 PID 4596 wrote to memory of 5080 4596 5dvjd.exe 97 PID 4596 wrote to memory of 5080 4596 5dvjd.exe 97 PID 5080 wrote to memory of 1072 5080 7hbtnn.exe 98 PID 5080 wrote to memory of 1072 5080 7hbtnn.exe 98 PID 5080 wrote to memory of 1072 5080 7hbtnn.exe 98 PID 1072 wrote to memory of 5048 1072 ddvjd.exe 99 PID 1072 wrote to memory of 5048 1072 ddvjd.exe 99 PID 1072 wrote to memory of 5048 1072 ddvjd.exe 99 PID 5048 wrote to memory of 4156 5048 jpdpj.exe 100 PID 5048 wrote to memory of 4156 5048 jpdpj.exe 100 PID 5048 wrote to memory of 4156 5048 jpdpj.exe 100 PID 4156 wrote to memory of 4016 4156 htbthb.exe 101 PID 4156 wrote to memory of 4016 4156 htbthb.exe 101 PID 4156 wrote to memory of 4016 4156 htbthb.exe 101 PID 4016 wrote to memory of 4172 4016 xxlxrfx.exe 102 PID 4016 wrote to memory of 4172 4016 xxlxrfx.exe 102 PID 4016 wrote to memory of 4172 4016 xxlxrfx.exe 102 PID 4172 wrote to memory of 2456 4172 xlfxrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe"C:\Users\Admin\AppData\Local\Temp\39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\jdjdd.exec:\jdjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\9jjdj.exec:\9jjdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\ntbttt.exec:\ntbttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\ffxxrrl.exec:\ffxxrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344 -
\??\c:\djdvv.exec:\djdvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\lxfxrlx.exec:\lxfxrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\7ntnhh.exec:\7ntnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\9dpjp.exec:\9dpjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\hnnbbb.exec:\hnnbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\tntttn.exec:\tntttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\vdvpp.exec:\vdvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\xfrlfxr.exec:\xfrlfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\7ttnnh.exec:\7ttnnh.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\vdjpj.exec:\vdjpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\5dvjd.exec:\5dvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\7hbtnn.exec:\7hbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\ddvjd.exec:\ddvjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\jpdpj.exec:\jpdpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\htbthb.exec:\htbthb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\xxlxrfx.exec:\xxlxrfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\xlfxrrl.exec:\xlfxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\bttnhh.exec:\bttnhh.exe23⤵
- Executes dropped EXE
PID:2456 -
\??\c:\xllfxxx.exec:\xllfxxx.exe24⤵
- Executes dropped EXE
PID:3788 -
\??\c:\5hnhhh.exec:\5hnhhh.exe25⤵
- Executes dropped EXE
PID:3704 -
\??\c:\nnnhbb.exec:\nnnhbb.exe26⤵
- Executes dropped EXE
PID:2232 -
\??\c:\frfrrll.exec:\frfrrll.exe27⤵
- Executes dropped EXE
PID:3548 -
\??\c:\lxxrfff.exec:\lxxrfff.exe28⤵
- Executes dropped EXE
PID:2280 -
\??\c:\1jjvp.exec:\1jjvp.exe29⤵
- Executes dropped EXE
PID:3500 -
\??\c:\rlrfxrf.exec:\rlrfxrf.exe30⤵
- Executes dropped EXE
PID:1728 -
\??\c:\dvdpv.exec:\dvdpv.exe31⤵
- Executes dropped EXE
PID:2264 -
\??\c:\3nthtt.exec:\3nthtt.exe32⤵
- Executes dropped EXE
PID:4740 -
\??\c:\pvvpd.exec:\pvvpd.exe33⤵
- Executes dropped EXE
PID:556 -
\??\c:\1rrfxxl.exec:\1rrfxxl.exe34⤵
- Executes dropped EXE
PID:3164 -
\??\c:\dppjv.exec:\dppjv.exe35⤵
- Executes dropped EXE
PID:3328 -
\??\c:\vjjdv.exec:\vjjdv.exe36⤵
- Executes dropped EXE
PID:384 -
\??\c:\hnbtnn.exec:\hnbtnn.exe37⤵
- Executes dropped EXE
PID:2840 -
\??\c:\7tttnn.exec:\7tttnn.exe38⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jvdvp.exec:\jvdvp.exe39⤵
- Executes dropped EXE
PID:4104 -
\??\c:\3rfrffx.exec:\3rfrffx.exe40⤵
- Executes dropped EXE
PID:3144 -
\??\c:\nnbtbb.exec:\nnbtbb.exe41⤵
- Executes dropped EXE
PID:836 -
\??\c:\jpvpd.exec:\jpvpd.exe42⤵
- Executes dropped EXE
PID:1960 -
\??\c:\xffxrrl.exec:\xffxrrl.exe43⤵
- Executes dropped EXE
PID:3720 -
\??\c:\httnnh.exec:\httnnh.exe44⤵
- Executes dropped EXE
PID:452 -
\??\c:\vjvpj.exec:\vjvpj.exe45⤵
- Executes dropped EXE
PID:1396 -
\??\c:\llxrxrx.exec:\llxrxrx.exe46⤵
- Executes dropped EXE
PID:64 -
\??\c:\fxfrxrr.exec:\fxfrxrr.exe47⤵
- Executes dropped EXE
PID:3804 -
\??\c:\bntntn.exec:\bntntn.exe48⤵
- Executes dropped EXE
PID:4404 -
\??\c:\ddjvj.exec:\ddjvj.exe49⤵
- Executes dropped EXE
PID:4252 -
\??\c:\xxfxlxl.exec:\xxfxlxl.exe50⤵
- Executes dropped EXE
PID:4008 -
\??\c:\ffrflfx.exec:\ffrflfx.exe51⤵
- Executes dropped EXE
PID:400 -
\??\c:\thnnth.exec:\thnnth.exe52⤵
- Executes dropped EXE
PID:4496 -
\??\c:\ppvpd.exec:\ppvpd.exe53⤵
- Executes dropped EXE
PID:1428 -
\??\c:\fllxlfr.exec:\fllxlfr.exe54⤵
- Executes dropped EXE
PID:4264 -
\??\c:\5lfrllf.exec:\5lfrllf.exe55⤵
- Executes dropped EXE
PID:720 -
\??\c:\dpdvj.exec:\dpdvj.exe56⤵
- Executes dropped EXE
PID:2516 -
\??\c:\lllfxrl.exec:\lllfxrl.exe57⤵
- Executes dropped EXE
PID:2736 -
\??\c:\hnnhbt.exec:\hnnhbt.exe58⤵
- Executes dropped EXE
PID:3964 -
\??\c:\btbtbt.exec:\btbtbt.exe59⤵
- Executes dropped EXE
PID:4800 -
\??\c:\rlrfxfx.exec:\rlrfxfx.exe60⤵
- Executes dropped EXE
PID:4748 -
\??\c:\rxfrrlx.exec:\rxfrrlx.exe61⤵
- Executes dropped EXE
PID:4928 -
\??\c:\9hnnhn.exec:\9hnnhn.exe62⤵
- Executes dropped EXE
PID:4856 -
\??\c:\jjvpj.exec:\jjvpj.exe63⤵
- Executes dropped EXE
PID:1108 -
\??\c:\rrfxxrf.exec:\rrfxxrf.exe64⤵
- Executes dropped EXE
PID:676 -
\??\c:\hbbthh.exec:\hbbthh.exe65⤵
- Executes dropped EXE
PID:1512 -
\??\c:\pdjvp.exec:\pdjvp.exe66⤵PID:1008
-
\??\c:\ddppp.exec:\ddppp.exe67⤵PID:4656
-
\??\c:\rrllflf.exec:\rrllflf.exe68⤵PID:1896
-
\??\c:\ntnnbh.exec:\ntnnbh.exe69⤵PID:4424
-
\??\c:\pddpj.exec:\pddpj.exe70⤵PID:1440
-
\??\c:\xxfrfxl.exec:\xxfrfxl.exe71⤵PID:2508
-
\??\c:\hbhbbb.exec:\hbhbbb.exe72⤵PID:8
-
\??\c:\7bbnbb.exec:\7bbnbb.exe73⤵PID:2180
-
\??\c:\pdjdj.exec:\pdjdj.exe74⤵
- System Location Discovery: System Language Discovery
PID:1576 -
\??\c:\xllfxrf.exec:\xllfxrf.exe75⤵PID:2932
-
\??\c:\htttnh.exec:\htttnh.exe76⤵PID:4976
-
\??\c:\nbthtt.exec:\nbthtt.exe77⤵PID:3636
-
\??\c:\djpdv.exec:\djpdv.exe78⤵PID:632
-
\??\c:\rfxrffx.exec:\rfxrffx.exe79⤵PID:4128
-
\??\c:\5bbttt.exec:\5bbttt.exe80⤵PID:1652
-
\??\c:\htbntn.exec:\htbntn.exe81⤵PID:5104
-
\??\c:\jpddv.exec:\jpddv.exe82⤵PID:1912
-
\??\c:\9rrfxfx.exec:\9rrfxfx.exe83⤵PID:756
-
\??\c:\hthbbt.exec:\hthbbt.exe84⤵PID:4668
-
\??\c:\dvpjj.exec:\dvpjj.exe85⤵PID:3704
-
\??\c:\rllxlfx.exec:\rllxlfx.exe86⤵PID:1200
-
\??\c:\3hbtnh.exec:\3hbtnh.exe87⤵PID:808
-
\??\c:\btbttb.exec:\btbttb.exe88⤵PID:1928
-
\??\c:\pdjvp.exec:\pdjvp.exe89⤵PID:3128
-
\??\c:\5rxxrrf.exec:\5rxxrrf.exe90⤵PID:4808
-
\??\c:\3ntbtt.exec:\3ntbtt.exe91⤵PID:1492
-
\??\c:\7dvpj.exec:\7dvpj.exe92⤵PID:2072
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe93⤵PID:2264
-
\??\c:\7bbbnn.exec:\7bbbnn.exe94⤵PID:748
-
\??\c:\vpdpj.exec:\vpdpj.exe95⤵PID:4696
-
\??\c:\rfxrfxl.exec:\rfxrfxl.exe96⤵
- System Location Discovery: System Language Discovery
PID:3552 -
\??\c:\ntbtnb.exec:\ntbtnb.exe97⤵PID:1860
-
\??\c:\tbbbbt.exec:\tbbbbt.exe98⤵PID:4996
-
\??\c:\dvjdv.exec:\dvjdv.exe99⤵PID:3352
-
\??\c:\9flfxxr.exec:\9flfxxr.exe100⤵PID:3168
-
\??\c:\tbhhbb.exec:\tbhhbb.exe101⤵PID:2556
-
\??\c:\jjpjv.exec:\jjpjv.exe102⤵PID:4104
-
\??\c:\dppjd.exec:\dppjd.exe103⤵PID:3144
-
\??\c:\rrlfxrl.exec:\rrlfxrl.exe104⤵PID:1840
-
\??\c:\bbhbtn.exec:\bbhbtn.exe105⤵PID:996
-
\??\c:\vppjd.exec:\vppjd.exe106⤵PID:3720
-
\??\c:\9vdvp.exec:\9vdvp.exe107⤵PID:452
-
\??\c:\9bttnn.exec:\9bttnn.exe108⤵PID:4692
-
\??\c:\jpppv.exec:\jpppv.exe109⤵PID:4388
-
\??\c:\lxrlfxr.exec:\lxrlfxr.exe110⤵PID:4396
-
\??\c:\5lfxrrf.exec:\5lfxrrf.exe111⤵PID:1480
-
\??\c:\3bthbt.exec:\3bthbt.exe112⤵PID:1068
-
\??\c:\vjjdv.exec:\vjjdv.exe113⤵PID:3080
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe114⤵PID:2340
-
\??\c:\rllfxrl.exec:\rllfxrl.exe115⤵PID:1360
-
\??\c:\tnhbtn.exec:\tnhbtn.exe116⤵PID:3084
-
\??\c:\vpvpp.exec:\vpvpp.exe117⤵PID:4264
-
\??\c:\fffxrlx.exec:\fffxrlx.exe118⤵PID:3176
-
\??\c:\tnnnhh.exec:\tnnnhh.exe119⤵PID:4152
-
\??\c:\vvdvp.exec:\vvdvp.exe120⤵PID:4780
-
\??\c:\jvjdp.exec:\jvjdp.exe121⤵PID:5040
-
\??\c:\1lxfxrr.exec:\1lxfxrr.exe122⤵PID:3124