Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/12/2024, 00:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe
-
Size
456KB
-
MD5
aebfd66057fce37eb6f6d86f2a5cb55a
-
SHA1
a49856f6249404b4496cc68886a1aaee1d89e8f9
-
SHA256
93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd
-
SHA512
83e9d4bf9f040d86092870dca79eb4791445f721cbe03d30a6a10c1b4d94d100cfecfc27ec025abff080a7df40975bf79a37e915ce6b56f1d17610e833644194
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRh:q7Tc2NYHUrAwfMp3CDRh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1964-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1120-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2120-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-919-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-1185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/412-1601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 32 jppjd.exe 1476 rxlrrlr.exe 3164 bnbttn.exe 3992 hthbtt.exe 4616 9pppj.exe 1432 fllffff.exe 4252 nnnhhh.exe 5104 7ddpp.exe 4484 jjppj.exe 2924 pjpjd.exe 5000 xrfxxfx.exe 2772 hntttb.exe 2188 hhnhbb.exe 1960 lrfxxxr.exe 1608 xlxrllf.exe 4268 hthbbb.exe 1284 fffrfxr.exe 336 vjvpp.exe 4612 lffxrll.exe 1380 nhbnht.exe 3296 jppvp.exe 5016 xrffrxf.exe 1120 5xfxrrl.exe 1532 xlxxxrr.exe 3556 pdvvj.exe 1736 7bbttt.exe 512 bntttt.exe 5092 hbhhtb.exe 3472 vvdvd.exe 1908 vdjvv.exe 3828 nnthbb.exe 3416 rxxrlxr.exe 1308 bbtthn.exe 228 7nbhhh.exe 2324 jvdvp.exe 1716 9ddvj.exe 1760 hbbbbt.exe 5088 tntnhh.exe 4256 pdvjd.exe 2224 fxxlfxr.exe 1788 hbbbhn.exe 1668 pppjv.exe 1724 xrlfxrl.exe 3904 thnbhh.exe 3132 bttnhb.exe 3452 pvdpd.exe 2128 xrrlllr.exe 3232 bthbbt.exe 4972 pjdvv.exe 4952 vvvpj.exe 452 lrxrllf.exe 3688 1bbthh.exe 4340 djjdv.exe 3264 ppvdp.exe 2244 frlfxxx.exe 4624 hbhbtn.exe 1684 pdvjd.exe 1476 5ffxrlf.exe 2316 5httnn.exe 4920 tttnnn.exe 1588 3ddvp.exe 384 9lfrxxl.exe 1220 rrffxxx.exe 2916 nbbtnh.exe -
resource yara_rule behavioral2/memory/1964-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-131-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1120-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1364-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-801-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-826-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1964 wrote to memory of 32 1964 93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe 82 PID 1964 wrote to memory of 32 1964 93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe 82 PID 1964 wrote to memory of 32 1964 93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe 82 PID 32 wrote to memory of 1476 32 jppjd.exe 83 PID 32 wrote to memory of 1476 32 jppjd.exe 83 PID 32 wrote to memory of 1476 32 jppjd.exe 83 PID 1476 wrote to memory of 3164 1476 rxlrrlr.exe 84 PID 1476 wrote to memory of 3164 1476 rxlrrlr.exe 84 PID 1476 wrote to memory of 3164 1476 rxlrrlr.exe 84 PID 3164 wrote to memory of 3992 3164 bnbttn.exe 85 PID 3164 wrote to memory of 3992 3164 bnbttn.exe 85 PID 3164 wrote to memory of 3992 3164 bnbttn.exe 85 PID 3992 wrote to memory of 4616 3992 hthbtt.exe 86 PID 3992 wrote to memory of 4616 3992 hthbtt.exe 86 PID 3992 wrote to memory of 4616 3992 hthbtt.exe 86 PID 4616 wrote to memory of 1432 4616 9pppj.exe 87 PID 4616 wrote to memory of 1432 4616 9pppj.exe 87 PID 4616 wrote to memory of 1432 4616 9pppj.exe 87 PID 1432 wrote to memory of 4252 1432 fllffff.exe 88 PID 1432 wrote to memory of 4252 1432 fllffff.exe 88 PID 1432 wrote to memory of 4252 1432 fllffff.exe 88 PID 4252 wrote to memory of 5104 4252 nnnhhh.exe 89 PID 4252 wrote to memory of 5104 4252 nnnhhh.exe 89 PID 4252 wrote to memory of 5104 4252 nnnhhh.exe 89 PID 5104 wrote to memory of 4484 5104 7ddpp.exe 90 PID 5104 wrote to memory of 4484 5104 7ddpp.exe 90 PID 5104 wrote to memory of 4484 5104 7ddpp.exe 90 PID 4484 wrote to memory of 2924 4484 jjppj.exe 91 PID 4484 wrote to memory of 2924 4484 jjppj.exe 91 PID 4484 wrote to memory of 2924 4484 jjppj.exe 91 PID 2924 wrote to memory of 5000 2924 pjpjd.exe 92 PID 2924 wrote to memory of 5000 2924 pjpjd.exe 92 PID 2924 wrote to memory of 5000 2924 pjpjd.exe 92 PID 5000 wrote to memory of 2772 5000 xrfxxfx.exe 93 PID 5000 wrote to memory of 2772 5000 
xrfxxfx.exe 93 PID 5000 wrote to memory of 2772 5000 xrfxxfx.exe 93 PID 2772 wrote to memory of 2188 2772 hntttb.exe 94 PID 2772 wrote to memory of 2188 2772 hntttb.exe 94 PID 2772 wrote to memory of 2188 2772 hntttb.exe 94 PID 2188 wrote to memory of 1960 2188 hhnhbb.exe 95 PID 2188 wrote to memory of 1960 2188 hhnhbb.exe 95 PID 2188 wrote to memory of 1960 2188 hhnhbb.exe 95 PID 1960 wrote to memory of 1608 1960 lrfxxxr.exe 96 PID 1960 wrote to memory of 1608 1960 lrfxxxr.exe 96 PID 1960 wrote to memory of 1608 1960 lrfxxxr.exe 96 PID 1608 wrote to memory of 4268 1608 xlxrllf.exe 97 PID 1608 wrote to memory of 4268 1608 xlxrllf.exe 97 PID 1608 wrote to memory of 4268 1608 xlxrllf.exe 97 PID 4268 wrote to memory of 1284 4268 hthbbb.exe 98 PID 4268 wrote to memory of 1284 4268 hthbbb.exe 98 PID 4268 wrote to memory of 1284 4268 hthbbb.exe 98 PID 1284 wrote to memory of 336 1284 fffrfxr.exe 99 PID 1284 wrote to memory of 336 1284 fffrfxr.exe 99 PID 1284 wrote to memory of 336 1284 fffrfxr.exe 99 PID 336 wrote to memory of 4612 336 vjvpp.exe 100 PID 336 wrote to memory of 4612 336 vjvpp.exe 100 PID 336 wrote to memory of 4612 336 vjvpp.exe 100 PID 4612 wrote to memory of 1380 4612 lffxrll.exe 101 PID 4612 wrote to memory of 1380 4612 lffxrll.exe 101 PID 4612 wrote to memory of 1380 4612 lffxrll.exe 101 PID 1380 wrote to memory of 3296 1380 nhbnht.exe 102 PID 1380 wrote to memory of 3296 1380 nhbnht.exe 102 PID 1380 wrote to memory of 3296 1380 nhbnht.exe 102 PID 3296 wrote to memory of 5016 3296 jppvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe"C:\Users\Admin\AppData\Local\Temp\93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\jppjd.exec:\jppjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\rxlrrlr.exec:\rxlrrlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\bnbttn.exec:\bnbttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\hthbtt.exec:\hthbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\9pppj.exec:\9pppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\fllffff.exec:\fllffff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\nnnhhh.exec:\nnnhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\7ddpp.exec:\7ddpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\jjppj.exec:\jjppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\pjpjd.exec:\pjpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\xrfxxfx.exec:\xrfxxfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\hntttb.exec:\hntttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\hhnhbb.exec:\hhnhbb.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\lrfxxxr.exec:\lrfxxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\xlxrllf.exec:\xlxrllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\hthbbb.exec:\hthbbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\fffrfxr.exec:\fffrfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\vjvpp.exec:\vjvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\lffxrll.exec:\lffxrll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\nhbnht.exec:\nhbnht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\jppvp.exec:\jppvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\xrffrxf.exec:\xrffrxf.exe23⤵
- Executes dropped EXE
PID:5016 -
\??\c:\5xfxrrl.exec:\5xfxrrl.exe24⤵
- Executes dropped EXE
PID:1120 -
\??\c:\xlxxxrr.exec:\xlxxxrr.exe25⤵
- Executes dropped EXE
PID:1532 -
\??\c:\pdvvj.exec:\pdvvj.exe26⤵
- Executes dropped EXE
PID:3556 -
\??\c:\7bbttt.exec:\7bbttt.exe27⤵
- Executes dropped EXE
PID:1736 -
\??\c:\bntttt.exec:\bntttt.exe28⤵
- Executes dropped EXE
PID:512 -
\??\c:\hbhhtb.exec:\hbhhtb.exe29⤵
- Executes dropped EXE
PID:5092 -
\??\c:\vvdvd.exec:\vvdvd.exe30⤵
- Executes dropped EXE
PID:3472 -
\??\c:\vdjvv.exec:\vdjvv.exe31⤵
- Executes dropped EXE
PID:1908 -
\??\c:\nnthbb.exec:\nnthbb.exe32⤵
- Executes dropped EXE
PID:3828 -
\??\c:\rxxrlxr.exec:\rxxrlxr.exe33⤵
- Executes dropped EXE
PID:3416 -
\??\c:\bbtthn.exec:\bbtthn.exe34⤵
- Executes dropped EXE
PID:1308 -
\??\c:\7nbhhh.exec:\7nbhhh.exe35⤵
- Executes dropped EXE
PID:228 -
\??\c:\jvdvp.exec:\jvdvp.exe36⤵
- Executes dropped EXE
PID:2324 -
\??\c:\9ddvj.exec:\9ddvj.exe37⤵
- Executes dropped EXE
PID:1716 -
\??\c:\hbbbbt.exec:\hbbbbt.exe38⤵
- Executes dropped EXE
PID:1760 -
\??\c:\tntnhh.exec:\tntnhh.exe39⤵
- Executes dropped EXE
PID:5088 -
\??\c:\pdvjd.exec:\pdvjd.exe40⤵
- Executes dropped EXE
PID:4256 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe41⤵
- Executes dropped EXE
PID:2224 -
\??\c:\hbbbhn.exec:\hbbbhn.exe42⤵
- Executes dropped EXE
PID:1788 -
\??\c:\pppjv.exec:\pppjv.exe43⤵
- Executes dropped EXE
PID:1668 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe44⤵
- Executes dropped EXE
PID:1724 -
\??\c:\thnbhh.exec:\thnbhh.exe45⤵
- Executes dropped EXE
PID:3904 -
\??\c:\bttnhb.exec:\bttnhb.exe46⤵
- Executes dropped EXE
PID:3132 -
\??\c:\pvdpd.exec:\pvdpd.exe47⤵
- Executes dropped EXE
PID:3452 -
\??\c:\xrrlllr.exec:\xrrlllr.exe48⤵
- Executes dropped EXE
PID:2128 -
\??\c:\bthbbt.exec:\bthbbt.exe49⤵
- Executes dropped EXE
PID:3232 -
\??\c:\pjdvv.exec:\pjdvv.exe50⤵
- Executes dropped EXE
PID:4972 -
\??\c:\vvvpj.exec:\vvvpj.exe51⤵
- Executes dropped EXE
PID:4952 -
\??\c:\lrxrllf.exec:\lrxrllf.exe52⤵
- Executes dropped EXE
PID:452 -
\??\c:\1bbthh.exec:\1bbthh.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3688 -
\??\c:\djjdv.exec:\djjdv.exe54⤵
- Executes dropped EXE
PID:4340 -
\??\c:\ppvdp.exec:\ppvdp.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3264 -
\??\c:\frlfxxx.exec:\frlfxxx.exe56⤵
- Executes dropped EXE
PID:2244 -
\??\c:\hbhbtn.exec:\hbhbtn.exe57⤵
- Executes dropped EXE
PID:4624 -
\??\c:\pdvjd.exec:\pdvjd.exe58⤵
- Executes dropped EXE
PID:1684 -
\??\c:\5ffxrlf.exec:\5ffxrlf.exe59⤵
- Executes dropped EXE
PID:1476 -
\??\c:\5httnn.exec:\5httnn.exe60⤵
- Executes dropped EXE
PID:2316 -
\??\c:\tttnnn.exec:\tttnnn.exe61⤵
- Executes dropped EXE
PID:4920 -
\??\c:\3ddvp.exec:\3ddvp.exe62⤵
- Executes dropped EXE
PID:1588 -
\??\c:\9lfrxxl.exec:\9lfrxxl.exe63⤵
- Executes dropped EXE
PID:384 -
\??\c:\rrffxxx.exec:\rrffxxx.exe64⤵
- Executes dropped EXE
PID:1220 -
\??\c:\nbbtnh.exec:\nbbtnh.exe65⤵
- Executes dropped EXE
PID:2916 -
\??\c:\xflxrlf.exec:\xflxrlf.exe66⤵PID:4448
-
\??\c:\xllfxrl.exec:\xllfxrl.exe67⤵PID:3524
-
\??\c:\bhtttb.exec:\bhtttb.exe68⤵PID:4900
-
\??\c:\dvddv.exec:\dvddv.exe69⤵PID:4752
-
\??\c:\xfffxrr.exec:\xfffxrr.exe70⤵PID:3932
-
\??\c:\nbbtnh.exec:\nbbtnh.exe71⤵PID:3776
-
\??\c:\dvdpj.exec:\dvdpj.exe72⤵PID:1648
-
\??\c:\xfrlxrl.exec:\xfrlxrl.exe73⤵PID:808
-
\??\c:\ttbbbb.exec:\ttbbbb.exe74⤵PID:2120
-
\??\c:\jdvpd.exec:\jdvpd.exe75⤵PID:4064
-
\??\c:\fxlfrrl.exec:\fxlfrrl.exe76⤵PID:3400
-
\??\c:\nhbntn.exec:\nhbntn.exe77⤵PID:2144
-
\??\c:\jjjpj.exec:\jjjpj.exe78⤵PID:3048
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe79⤵PID:736
-
\??\c:\rrffrrx.exec:\rrffrrx.exe80⤵PID:4832
-
\??\c:\btnbtn.exec:\btnbtn.exe81⤵PID:1284
-
\??\c:\hnbbnn.exec:\hnbbnn.exe82⤵PID:468
-
\??\c:\pvdvv.exec:\pvdvv.exe83⤵PID:3448
-
\??\c:\llrlxrr.exec:\llrlxrr.exe84⤵PID:456
-
\??\c:\bnnnbb.exec:\bnnnbb.exe85⤵PID:2376
-
\??\c:\vddvj.exec:\vddvj.exe86⤵PID:3156
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe87⤵PID:4104
-
\??\c:\ttttnt.exec:\ttttnt.exe88⤵PID:1364
-
\??\c:\7tnbnn.exec:\7tnbnn.exe89⤵PID:1184
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe90⤵PID:2236
-
\??\c:\lrxxxff.exec:\lrxxxff.exe91⤵PID:2308
-
\??\c:\btbbbb.exec:\btbbbb.exe92⤵PID:2988
-
\??\c:\nnbnnn.exec:\nnbnnn.exe93⤵PID:3976
-
\??\c:\3pvpd.exec:\3pvpd.exe94⤵PID:2560
-
\??\c:\jpdvp.exec:\jpdvp.exe95⤵PID:724
-
\??\c:\llrlffr.exec:\llrlffr.exe96⤵PID:2256
-
\??\c:\btbhnn.exec:\btbhnn.exe97⤵PID:5112
-
\??\c:\jpvvp.exec:\jpvvp.exe98⤵
- System Location Discovery: System Language Discovery
PID:3128 -
\??\c:\jjvvp.exec:\jjvvp.exe99⤵PID:3732
-
\??\c:\xrfxflr.exec:\xrfxflr.exe100⤵PID:3076
-
\??\c:\7nnbtn.exec:\7nnbtn.exe101⤵PID:1168
-
\??\c:\pvdvp.exec:\pvdvp.exe102⤵PID:1060
-
\??\c:\5frlrlr.exec:\5frlrlr.exe103⤵PID:2052
-
\??\c:\thnnhh.exec:\thnnhh.exe104⤵PID:1976
-
\??\c:\9ntnht.exec:\9ntnht.exe105⤵PID:1444
-
\??\c:\dvvvd.exec:\dvvvd.exe106⤵PID:4284
-
\??\c:\1rffxxx.exec:\1rffxxx.exe107⤵
- System Location Discovery: System Language Discovery
PID:2036 -
\??\c:\tbbnhb.exec:\tbbnhb.exe108⤵PID:1456
-
\??\c:\pvdpv.exec:\pvdpv.exe109⤵PID:3684
-
\??\c:\lflxlfx.exec:\lflxlfx.exe110⤵PID:1244
-
\??\c:\htthhb.exec:\htthhb.exe111⤵PID:2224
-
\??\c:\vdjdp.exec:\vdjdp.exe112⤵PID:1788
-
\??\c:\vpvvv.exec:\vpvvv.exe113⤵PID:3564
-
\??\c:\xxfxrrr.exec:\xxfxrrr.exe114⤵PID:112
-
\??\c:\7hhhbb.exec:\7hhhbb.exe115⤵PID:2668
-
\??\c:\nnnhbh.exec:\nnnhbh.exe116⤵PID:2620
-
\??\c:\dvjjp.exec:\dvjjp.exe117⤵PID:3452
-
\??\c:\fxfrrxr.exec:\fxfrrxr.exe118⤵PID:1008
-
\??\c:\5bhhhn.exec:\5bhhhn.exe119⤵PID:3232
-
\??\c:\htbbnn.exec:\htbbnn.exe120⤵
- System Location Discovery: System Language Discovery
PID:4524 -
\??\c:\vdvpd.exec:\vdvpd.exe121⤵PID:4032
-
\??\c:\rflfxxr.exec:\rflfxxr.exe122⤵PID:4228