Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 01:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b2eb78218b738a38f167fdb6c6ac64c16c1c6c1a380452363ec51263acb29741.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
b2eb78218b738a38f167fdb6c6ac64c16c1c6c1a380452363ec51263acb29741.exe
-
Size
453KB
-
MD5
cc522facbeaa1cdabb98eeb93e9ed98a
-
SHA1
91044cec4b8885c2d4672458bcdb74004e5b307f
-
SHA256
b2eb78218b738a38f167fdb6c6ac64c16c1c6c1a380452363ec51263acb29741
-
SHA512
6f0210cca94ab4d71e79b3015e6ddfa042a401846776b7b511a23315f3f35cc0baa7ffe11b6158f7f99c0a281f32ae72b5fdcde9a39fd86200b004bccd815023
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4748-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5048-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2024-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-969-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-1055-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-1363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4440 httnbn.exe 1280 pjdvj.exe 3752 lfrfrrx.exe 2456 jdpjv.exe 4720 bhhthb.exe 2764 xlfrlfx.exe 4836 hbbbht.exe 3100 1fxrlfx.exe 3492 pjvpj.exe 4016 9nthth.exe 4092 jdjdv.exe 4788 nhbthh.exe 1908 5nbbnh.exe 4164 tnbnbt.exe 1380 jddvj.exe 5004 9xfxllf.exe 4076 nhthbb.exe 808 dvdpd.exe 4644 jddvj.exe 3536 nhhnbn.exe 4516 htttbt.exe 2404 9ffrlfx.exe 3012 ttthtn.exe 2604 jjjvj.exe 1248 fffxfxl.exe 2488 thbnbt.exe 4804 5ppjv.exe 4144 xrlxlfr.exe 1004 vvvpd.exe 4660 7ffrfxr.exe 5048 dppdp.exe 2292 rlxrfxr.exe 1580 jvdpj.exe 884 xllxrlf.exe 2328 nhbtnh.exe 956 7ntbhn.exe 3732 lrlxrfx.exe 364 bbthtt.exe 4892 3nhhhn.exe 384 1jdjv.exe 4500 3rrxfxl.exe 4932 1hbtnh.exe 4916 pppdp.exe 1360 pdjdd.exe 2984 jvvpp.exe 228 7ddpd.exe 4668 xlfrfxl.exe 212 nbhtnh.exe 3020 9pjdj.exe 3144 fllfxrf.exe 3644 dpdpp.exe 3256 lxlxxxx.exe 2788 5tthtn.exe 1040 3tnhtt.exe 4360 jvdpv.exe 4844 5fxlrrf.exe 3668 3hthtn.exe 2636 jvvpp.exe 1424 9xfxlxl.exe 4040 lxxrflf.exe 3992 btthhb.exe 1796 pdvjp.exe 4176 1djvd.exe 3492 xrlxrlr.exe -
resource yara_rule behavioral2/memory/4748-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/884-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2872-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-969-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-970-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrfll.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4748 wrote to memory of 4440 4748 b2eb78218b738a38f167fdb6c6ac64c16c1c6c1a380452363ec51263acb29741.exe 83 PID 4748 wrote to memory of 4440 4748 b2eb78218b738a38f167fdb6c6ac64c16c1c6c1a380452363ec51263acb29741.exe 83 PID 4748 wrote to memory of 4440 4748 b2eb78218b738a38f167fdb6c6ac64c16c1c6c1a380452363ec51263acb29741.exe 83 PID 4440 wrote to memory of 1280 4440 httnbn.exe 84 PID 4440 wrote to memory of 1280 4440 httnbn.exe 84 PID 4440 wrote to memory of 1280 4440 httnbn.exe 84 PID 1280 wrote to memory of 3752 1280 pjdvj.exe 85 PID 1280 wrote to memory of 3752 1280 pjdvj.exe 85 PID 1280 wrote to memory of 3752 1280 pjdvj.exe 85 PID 3752 wrote to memory of 2456 3752 lfrfrrx.exe 86 PID 3752 wrote to memory of 2456 3752 lfrfrrx.exe 86 PID 3752 wrote to memory of 2456 3752 lfrfrrx.exe 86 PID 2456 wrote to memory of 4720 2456 jdpjv.exe 87 PID 2456 wrote to memory of 4720 2456 jdpjv.exe 87 PID 2456 wrote to memory of 4720 2456 jdpjv.exe 87 PID 4720 wrote to memory of 2764 4720 bhhthb.exe 88 PID 4720 wrote to memory of 2764 4720 bhhthb.exe 88 PID 4720 wrote to memory of 2764 4720 bhhthb.exe 88 PID 2764 wrote to memory of 4836 2764 xlfrlfx.exe 89 PID 2764 wrote to memory of 4836 2764 xlfrlfx.exe 89 PID 2764 wrote to memory of 4836 2764 xlfrlfx.exe 89 PID 4836 wrote to memory of 3100 4836 hbbbht.exe 90 PID 4836 wrote to memory of 3100 4836 hbbbht.exe 90 PID 4836 wrote to memory of 3100 4836 hbbbht.exe 90 PID 3100 wrote to memory of 3492 3100 1fxrlfx.exe 91 PID 3100 wrote to memory of 3492 3100 1fxrlfx.exe 91 PID 3100 wrote to memory of 3492 3100 1fxrlfx.exe 91 PID 3492 wrote to memory of 4016 3492 pjvpj.exe 92 PID 3492 wrote to memory of 4016 3492 pjvpj.exe 92 PID 3492 wrote to memory of 4016 3492 pjvpj.exe 92 PID 4016 wrote to memory of 4092 4016 9nthth.exe 93 PID 4016 wrote to memory of 4092 4016 9nthth.exe 93 PID 4016 wrote to memory of 4092 4016 9nthth.exe 93 PID 4092 wrote to memory of 4788 4092 jdjdv.exe 94 PID 4092 wrote to 
memory of 4788 4092 jdjdv.exe 94 PID 4092 wrote to memory of 4788 4092 jdjdv.exe 94 PID 4788 wrote to memory of 1908 4788 nhbthh.exe 95 PID 4788 wrote to memory of 1908 4788 nhbthh.exe 95 PID 4788 wrote to memory of 1908 4788 nhbthh.exe 95 PID 1908 wrote to memory of 4164 1908 5nbbnh.exe 96 PID 1908 wrote to memory of 4164 1908 5nbbnh.exe 96 PID 1908 wrote to memory of 4164 1908 5nbbnh.exe 96 PID 4164 wrote to memory of 1380 4164 tnbnbt.exe 97 PID 4164 wrote to memory of 1380 4164 tnbnbt.exe 97 PID 4164 wrote to memory of 1380 4164 tnbnbt.exe 97 PID 1380 wrote to memory of 5004 1380 jddvj.exe 98 PID 1380 wrote to memory of 5004 1380 jddvj.exe 98 PID 1380 wrote to memory of 5004 1380 jddvj.exe 98 PID 5004 wrote to memory of 4076 5004 9xfxllf.exe 99 PID 5004 wrote to memory of 4076 5004 9xfxllf.exe 99 PID 5004 wrote to memory of 4076 5004 9xfxllf.exe 99 PID 4076 wrote to memory of 808 4076 nhthbb.exe 100 PID 4076 wrote to memory of 808 4076 nhthbb.exe 100 PID 4076 wrote to memory of 808 4076 nhthbb.exe 100 PID 808 wrote to memory of 4644 808 dvdpd.exe 101 PID 808 wrote to memory of 4644 808 dvdpd.exe 101 PID 808 wrote to memory of 4644 808 dvdpd.exe 101 PID 4644 wrote to memory of 3536 4644 jddvj.exe 102 PID 4644 wrote to memory of 3536 4644 jddvj.exe 102 PID 4644 wrote to memory of 3536 4644 jddvj.exe 102 PID 3536 wrote to memory of 4516 3536 nhhnbn.exe 103 PID 3536 wrote to memory of 4516 3536 nhhnbn.exe 103 PID 3536 wrote to memory of 4516 3536 nhhnbn.exe 103 PID 4516 wrote to memory of 2404 4516 htttbt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2eb78218b738a38f167fdb6c6ac64c16c1c6c1a380452363ec51263acb29741.exe"C:\Users\Admin\AppData\Local\Temp\b2eb78218b738a38f167fdb6c6ac64c16c1c6c1a380452363ec51263acb29741.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\httnbn.exec:\httnbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\pjdvj.exec:\pjdvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\lfrfrrx.exec:\lfrfrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\jdpjv.exec:\jdpjv.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\bhhthb.exec:\bhhthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\hbbbht.exec:\hbbbht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\1fxrlfx.exec:\1fxrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\pjvpj.exec:\pjvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\9nthth.exec:\9nthth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\jdjdv.exec:\jdjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\nhbthh.exec:\nhbthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\5nbbnh.exec:\5nbbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\tnbnbt.exec:\tnbnbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\jddvj.exec:\jddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\9xfxllf.exec:\9xfxllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\nhthbb.exec:\nhthbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\dvdpd.exec:\dvdpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\jddvj.exec:\jddvj.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\nhhnbn.exec:\nhhnbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\htttbt.exec:\htttbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\9ffrlfx.exec:\9ffrlfx.exe23⤵
- Executes dropped EXE
PID:2404 -
\??\c:\ttthtn.exec:\ttthtn.exe24⤵
- Executes dropped EXE
PID:3012 -
\??\c:\jjjvj.exec:\jjjvj.exe25⤵
- Executes dropped EXE
PID:2604 -
\??\c:\fffxfxl.exec:\fffxfxl.exe26⤵
- Executes dropped EXE
PID:1248 -
\??\c:\thbnbt.exec:\thbnbt.exe27⤵
- Executes dropped EXE
PID:2488 -
\??\c:\5ppjv.exec:\5ppjv.exe28⤵
- Executes dropped EXE
PID:4804 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe29⤵
- Executes dropped EXE
PID:4144 -
\??\c:\vvvpd.exec:\vvvpd.exe30⤵
- Executes dropped EXE
PID:1004 -
\??\c:\7ffrfxr.exec:\7ffrfxr.exe31⤵
- Executes dropped EXE
PID:4660 -
\??\c:\dppdp.exec:\dppdp.exe32⤵
- Executes dropped EXE
PID:5048 -
\??\c:\rlxrfxr.exec:\rlxrfxr.exe33⤵
- Executes dropped EXE
PID:2292 -
\??\c:\jvdpj.exec:\jvdpj.exe34⤵
- Executes dropped EXE
PID:1580 -
\??\c:\xllxrlf.exec:\xllxrlf.exe35⤵
- Executes dropped EXE
PID:884 -
\??\c:\nhbtnh.exec:\nhbtnh.exe36⤵
- Executes dropped EXE
PID:2328 -
\??\c:\7ntbhn.exec:\7ntbhn.exe37⤵
- Executes dropped EXE
PID:956 -
\??\c:\lrlxrfx.exec:\lrlxrfx.exe38⤵
- Executes dropped EXE
PID:3732 -
\??\c:\bbthtt.exec:\bbthtt.exe39⤵
- Executes dropped EXE
PID:364 -
\??\c:\3nhhhn.exec:\3nhhhn.exe40⤵
- Executes dropped EXE
PID:4892 -
\??\c:\1jdjv.exec:\1jdjv.exe41⤵
- Executes dropped EXE
PID:384 -
\??\c:\3rrxfxl.exec:\3rrxfxl.exe42⤵
- Executes dropped EXE
PID:4500 -
\??\c:\1hbtnh.exec:\1hbtnh.exe43⤵
- Executes dropped EXE
PID:4932 -
\??\c:\pppdp.exec:\pppdp.exe44⤵
- Executes dropped EXE
PID:4916 -
\??\c:\pdjdd.exec:\pdjdd.exe45⤵
- Executes dropped EXE
PID:1360 -
\??\c:\jvvpp.exec:\jvvpp.exe46⤵
- Executes dropped EXE
PID:2984 -
\??\c:\7ddpd.exec:\7ddpd.exe47⤵
- Executes dropped EXE
PID:228 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe48⤵
- Executes dropped EXE
PID:4668 -
\??\c:\nbhtnh.exec:\nbhtnh.exe49⤵
- Executes dropped EXE
PID:212 -
\??\c:\9pjdj.exec:\9pjdj.exe50⤵
- Executes dropped EXE
PID:3020 -
\??\c:\lxxrxrf.exec:\lxxrxrf.exe51⤵PID:4388
-
\??\c:\fllfxrf.exec:\fllfxrf.exe52⤵
- Executes dropped EXE
PID:3144 -
\??\c:\dpdpp.exec:\dpdpp.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3644 -
\??\c:\lxlxxxx.exec:\lxlxxxx.exe54⤵
- Executes dropped EXE
PID:3256 -
\??\c:\5tthtn.exec:\5tthtn.exe55⤵
- Executes dropped EXE
PID:2788 -
\??\c:\3tnhtt.exec:\3tnhtt.exe56⤵
- Executes dropped EXE
PID:1040 -
\??\c:\jvdpv.exec:\jvdpv.exe57⤵
- Executes dropped EXE
PID:4360 -
\??\c:\5fxlrrf.exec:\5fxlrrf.exe58⤵
- Executes dropped EXE
PID:4844 -
\??\c:\3hthtn.exec:\3hthtn.exe59⤵
- Executes dropped EXE
PID:3668 -
\??\c:\jvvpp.exec:\jvvpp.exe60⤵
- Executes dropped EXE
PID:2636 -
\??\c:\9xfxlxl.exec:\9xfxlxl.exe61⤵
- Executes dropped EXE
PID:1424 -
\??\c:\lxxrflf.exec:\lxxrflf.exe62⤵
- Executes dropped EXE
PID:4040 -
\??\c:\btthhb.exec:\btthhb.exe63⤵
- Executes dropped EXE
PID:3992 -
\??\c:\pdvjp.exec:\pdvjp.exe64⤵
- Executes dropped EXE
PID:1796 -
\??\c:\1djvd.exec:\1djvd.exe65⤵
- Executes dropped EXE
PID:4176 -
\??\c:\xrlxrlr.exec:\xrlxrlr.exe66⤵
- Executes dropped EXE
PID:3492 -
\??\c:\nnthnh.exec:\nnthnh.exe67⤵PID:4016
-
\??\c:\bnnbbn.exec:\bnnbbn.exe68⤵PID:1464
-
\??\c:\vjdvj.exec:\vjdvj.exe69⤵PID:3872
-
\??\c:\vvdpv.exec:\vvdpv.exe70⤵PID:4380
-
\??\c:\7rrflff.exec:\7rrflff.exe71⤵PID:2448
-
\??\c:\tbhbnh.exec:\tbhbnh.exe72⤵PID:3944
-
\??\c:\jvvjp.exec:\jvvjp.exe73⤵PID:4160
-
\??\c:\xfllxrl.exec:\xfllxrl.exe74⤵PID:2364
-
\??\c:\fxrxxll.exec:\fxrxxll.exe75⤵PID:2548
-
\??\c:\tnnhtn.exec:\tnnhtn.exe76⤵PID:4536
-
\??\c:\jpvjp.exec:\jpvjp.exe77⤵PID:4076
-
\??\c:\1llxfxl.exec:\1llxfxl.exe78⤵PID:1812
-
\??\c:\rxxrlfr.exec:\rxxrlfr.exe79⤵PID:1960
-
\??\c:\3bthth.exec:\3bthth.exe80⤵PID:4200
-
\??\c:\dpvjd.exec:\dpvjd.exe81⤵PID:2036
-
\??\c:\lxxlrrf.exec:\lxxlrrf.exe82⤵PID:2024
-
\??\c:\flfrlxl.exec:\flfrlxl.exe83⤵PID:1508
-
\??\c:\hhhbnh.exec:\hhhbnh.exe84⤵PID:1576
-
\??\c:\vpvpv.exec:\vpvpv.exe85⤵PID:1448
-
\??\c:\rxxlrlf.exec:\rxxlrlf.exe86⤵PID:1540
-
\??\c:\nnhnbh.exec:\nnhnbh.exe87⤵PID:2492
-
\??\c:\jjjdj.exec:\jjjdj.exe88⤵PID:1364
-
\??\c:\vpjvj.exec:\vpjvj.exe89⤵PID:1724
-
\??\c:\1frflfr.exec:\1frflfr.exe90⤵PID:1312
-
\??\c:\bnthtb.exec:\bnthtb.exe91⤵PID:5028
-
\??\c:\nbnhnh.exec:\nbnhnh.exe92⤵PID:1408
-
\??\c:\1jdpd.exec:\1jdpd.exe93⤵PID:1096
-
\??\c:\xxrfrlf.exec:\xxrfrlf.exe94⤵PID:372
-
\??\c:\9ffrrll.exec:\9ffrrll.exe95⤵PID:2872
-
\??\c:\ntthtt.exec:\ntthtt.exe96⤵PID:5048
-
\??\c:\1vvdp.exec:\1vvdp.exe97⤵PID:2292
-
\??\c:\7rrrlff.exec:\7rrrlff.exe98⤵PID:1160
-
\??\c:\xffrfxr.exec:\xffrfxr.exe99⤵PID:3432
-
\??\c:\tnhbnh.exec:\tnhbnh.exe100⤵PID:3472
-
\??\c:\ddvjp.exec:\ddvjp.exe101⤵PID:3300
-
\??\c:\3vjvp.exec:\3vjvp.exe102⤵PID:2892
-
\??\c:\xllxlfr.exec:\xllxlfr.exe103⤵PID:2948
-
\??\c:\bntntn.exec:\bntntn.exe104⤵PID:364
-
\??\c:\thhthn.exec:\thhthn.exe105⤵PID:4752
-
\??\c:\3pjvj.exec:\3pjvj.exe106⤵PID:384
-
\??\c:\frllxrf.exec:\frllxrf.exe107⤵PID:1744
-
\??\c:\frrfrlx.exec:\frrfrlx.exe108⤵PID:4824
-
\??\c:\7hbnbt.exec:\7hbnbt.exe109⤵PID:1168
-
\??\c:\dpvdp.exec:\dpvdp.exe110⤵PID:4068
-
\??\c:\lffrxfr.exec:\lffrxfr.exe111⤵PID:224
-
\??\c:\nnthhn.exec:\nnthhn.exe112⤵PID:508
-
\??\c:\hhhhnn.exec:\hhhhnn.exe113⤵PID:4832
-
\??\c:\vjpdv.exec:\vjpdv.exe114⤵PID:4936
-
\??\c:\7rlxfxl.exec:\7rlxfxl.exe115⤵PID:4384
-
\??\c:\xxfxlrr.exec:\xxfxlrr.exe116⤵PID:4444
-
\??\c:\9tthnt.exec:\9tthnt.exe117⤵PID:4396
-
\??\c:\dppdj.exec:\dppdj.exe118⤵PID:2500
-
\??\c:\ddjvd.exec:\ddjvd.exe119⤵PID:4440
-
\??\c:\xflxrlx.exec:\xflxrlx.exe120⤵PID:3256
-
\??\c:\btnbnh.exec:\btnbnh.exe121⤵PID:2788
-
\??\c:\pvvjp.exec:\pvvjp.exe122⤵PID:1516