Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 03:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b9387d176de595230f4a48f07791ed19d3f0dabc1ecae807fa8eaf0dae870e55.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
b9387d176de595230f4a48f07791ed19d3f0dabc1ecae807fa8eaf0dae870e55.exe
-
Size
454KB
-
MD5
84eddb140b1c8b34a2b934c8f2f65984
-
SHA1
5a6d69b674d0a23eef9c3bdf29f0729662999db0
-
SHA256
b9387d176de595230f4a48f07791ed19d3f0dabc1ecae807fa8eaf0dae870e55
-
SHA512
3496cfdab8853e656d2543802c7c26a9d81faaf7cc3efa8c8d588076f96bf32a01426de85a91b29ca4dd69cc2a574f6266ba290e827af63d88acb2b449c5367e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3304-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3512-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1064-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/564-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-940-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-1005-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-1278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5080 666048.exe 4904 8002662.exe 2608 jjdvj.exe 372 0060860.exe 2120 bbbbtb.exe 2044 jjvdj.exe 764 dpvpp.exe 4492 84604.exe 700 0468848.exe 708 40626.exe 2236 xxfxxxf.exe 2728 jdvjp.exe 3848 nnnhhh.exe 704 nnnhbb.exe 3036 jpdjv.exe 5112 jvvdd.exe 4856 lxlfrfx.exe 4368 7rfxrrl.exe 1856 xlrrrrf.exe 1816 04604.exe 2952 806048.exe 4900 5lrlrxr.exe 4664 60048.exe 812 bhhbtn.exe 2760 e42066.exe 3064 bttntb.exe 2188 o004828.exe 3512 httnht.exe 216 284828.exe 3480 a6886.exe 1028 rlrlrlr.exe 4944 200864.exe 1436 lfxxfxf.exe 1548 806048.exe 1500 48604.exe 3860 flrfrfx.exe 2180 hbnbth.exe 3348 9tbttb.exe 3892 7thtnh.exe 2264 pdddv.exe 2380 4222042.exe 2204 fllxrlx.exe 1604 062048.exe 1692 lrxllfl.exe 1528 pdvjd.exe 2580 bntnhb.exe 552 m2260.exe 388 066048.exe 2528 406044.exe 2200 8044004.exe 4316 ddddv.exe 5032 hhhhnn.exe 3304 0848660.exe 4916 tntnhh.exe 4356 frlfrrl.exe 4904 246266.exe 2132 bhtnnn.exe 2016 642682.exe 4620 60260.exe 3904 tttttt.exe 1556 lflxxxx.exe 3120 66220.exe 3952 pdjvv.exe 2004 484040.exe -
resource yara_rule behavioral2/memory/3304-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3064-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1624-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/564-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-849-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u088486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 660084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxllfl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0664864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3304 wrote to memory of 5080 3304 b9387d176de595230f4a48f07791ed19d3f0dabc1ecae807fa8eaf0dae870e55.exe 83 PID 3304 wrote to memory of 5080 3304 b9387d176de595230f4a48f07791ed19d3f0dabc1ecae807fa8eaf0dae870e55.exe 83 PID 3304 wrote to memory of 5080 3304 b9387d176de595230f4a48f07791ed19d3f0dabc1ecae807fa8eaf0dae870e55.exe 83 PID 5080 wrote to memory of 4904 5080 666048.exe 84 PID 5080 wrote to memory of 4904 5080 666048.exe 84 PID 5080 wrote to memory of 4904 5080 666048.exe 84 PID 4904 wrote to memory of 2608 4904 8002662.exe 85 PID 4904 wrote to memory of 2608 4904 8002662.exe 85 PID 4904 wrote to memory of 2608 4904 8002662.exe 85 PID 2608 wrote to memory of 372 2608 jjdvj.exe 86 PID 2608 wrote to memory of 372 2608 jjdvj.exe 86 PID 2608 wrote to memory of 372 2608 jjdvj.exe 86 PID 372 wrote to memory of 2120 372 0060860.exe 87 PID 372 wrote to memory of 2120 372 0060860.exe 87 PID 372 wrote to memory of 2120 372 0060860.exe 87 PID 2120 wrote to memory of 2044 2120 bbbbtb.exe 88 PID 2120 wrote to memory of 2044 2120 bbbbtb.exe 88 PID 2120 wrote to memory of 2044 2120 bbbbtb.exe 88 PID 2044 wrote to memory of 764 2044 jjvdj.exe 89 PID 2044 wrote to memory of 764 2044 jjvdj.exe 89 PID 2044 wrote to memory of 764 2044 jjvdj.exe 89 PID 764 wrote to memory of 4492 764 dpvpp.exe 90 PID 764 wrote to memory of 4492 764 dpvpp.exe 90 PID 764 wrote to memory of 4492 764 dpvpp.exe 90 PID 4492 wrote to memory of 700 4492 84604.exe 91 PID 4492 wrote to memory of 700 4492 84604.exe 91 PID 4492 wrote to memory of 700 4492 84604.exe 91 PID 700 wrote to memory of 708 700 0468848.exe 92 PID 700 wrote to memory of 708 700 0468848.exe 92 PID 700 wrote to memory of 708 700 0468848.exe 92 PID 708 wrote to memory of 2236 708 40626.exe 93 PID 708 wrote to memory of 2236 708 40626.exe 93 PID 708 wrote to memory of 2236 708 40626.exe 93 PID 2236 wrote to memory of 2728 2236 xxfxxxf.exe 94 PID 2236 wrote to memory of 2728 2236 xxfxxxf.exe 94 PID 
2236 wrote to memory of 2728 2236 xxfxxxf.exe 94 PID 2728 wrote to memory of 3848 2728 jdvjp.exe 95 PID 2728 wrote to memory of 3848 2728 jdvjp.exe 95 PID 2728 wrote to memory of 3848 2728 jdvjp.exe 95 PID 3848 wrote to memory of 704 3848 nnnhhh.exe 96 PID 3848 wrote to memory of 704 3848 nnnhhh.exe 96 PID 3848 wrote to memory of 704 3848 nnnhhh.exe 96 PID 704 wrote to memory of 3036 704 nnnhbb.exe 97 PID 704 wrote to memory of 3036 704 nnnhbb.exe 97 PID 704 wrote to memory of 3036 704 nnnhbb.exe 97 PID 3036 wrote to memory of 5112 3036 jpdjv.exe 98 PID 3036 wrote to memory of 5112 3036 jpdjv.exe 98 PID 3036 wrote to memory of 5112 3036 jpdjv.exe 98 PID 5112 wrote to memory of 4856 5112 jvvdd.exe 99 PID 5112 wrote to memory of 4856 5112 jvvdd.exe 99 PID 5112 wrote to memory of 4856 5112 jvvdd.exe 99 PID 4856 wrote to memory of 4368 4856 lxlfrfx.exe 100 PID 4856 wrote to memory of 4368 4856 lxlfrfx.exe 100 PID 4856 wrote to memory of 4368 4856 lxlfrfx.exe 100 PID 4368 wrote to memory of 1856 4368 7rfxrrl.exe 101 PID 4368 wrote to memory of 1856 4368 7rfxrrl.exe 101 PID 4368 wrote to memory of 1856 4368 7rfxrrl.exe 101 PID 1856 wrote to memory of 1816 1856 xlrrrrf.exe 102 PID 1856 wrote to memory of 1816 1856 xlrrrrf.exe 102 PID 1856 wrote to memory of 1816 1856 xlrrrrf.exe 102 PID 1816 wrote to memory of 2952 1816 04604.exe 103 PID 1816 wrote to memory of 2952 1816 04604.exe 103 PID 1816 wrote to memory of 2952 1816 04604.exe 103 PID 2952 wrote to memory of 4900 2952 806048.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9387d176de595230f4a48f07791ed19d3f0dabc1ecae807fa8eaf0dae870e55.exe"C:\Users\Admin\AppData\Local\Temp\b9387d176de595230f4a48f07791ed19d3f0dabc1ecae807fa8eaf0dae870e55.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\666048.exec:\666048.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\8002662.exec:\8002662.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\jjdvj.exec:\jjdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\0060860.exec:\0060860.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\bbbbtb.exec:\bbbbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\jjvdj.exec:\jjvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\dpvpp.exec:\dpvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\84604.exec:\84604.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\0468848.exec:\0468848.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\40626.exec:\40626.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\xxfxxxf.exec:\xxfxxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\jdvjp.exec:\jdvjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\nnnhhh.exec:\nnnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\nnnhbb.exec:\nnnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\jpdjv.exec:\jpdjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\jvvdd.exec:\jvvdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\lxlfrfx.exec:\lxlfrfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\7rfxrrl.exec:\7rfxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\xlrrrrf.exec:\xlrrrrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\04604.exec:\04604.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\806048.exec:\806048.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\5lrlrxr.exec:\5lrlrxr.exe23⤵
- Executes dropped EXE
PID:4900 -
\??\c:\60048.exec:\60048.exe24⤵
- Executes dropped EXE
PID:4664 -
\??\c:\bhhbtn.exec:\bhhbtn.exe25⤵
- Executes dropped EXE
PID:812 -
\??\c:\e42066.exec:\e42066.exe26⤵
- Executes dropped EXE
PID:2760 -
\??\c:\bttntb.exec:\bttntb.exe27⤵
- Executes dropped EXE
PID:3064 -
\??\c:\o004828.exec:\o004828.exe28⤵
- Executes dropped EXE
PID:2188 -
\??\c:\httnht.exec:\httnht.exe29⤵
- Executes dropped EXE
PID:3512 -
\??\c:\284828.exec:\284828.exe30⤵
- Executes dropped EXE
PID:216 -
\??\c:\a6886.exec:\a6886.exe31⤵
- Executes dropped EXE
PID:3480 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe32⤵
- Executes dropped EXE
PID:1028 -
\??\c:\200864.exec:\200864.exe33⤵
- Executes dropped EXE
PID:4944 -
\??\c:\lfxxfxf.exec:\lfxxfxf.exe34⤵
- Executes dropped EXE
PID:1436 -
\??\c:\806048.exec:\806048.exe35⤵
- Executes dropped EXE
PID:1548 -
\??\c:\48604.exec:\48604.exe36⤵
- Executes dropped EXE
PID:1500 -
\??\c:\flrfrfx.exec:\flrfrfx.exe37⤵
- Executes dropped EXE
PID:3860 -
\??\c:\hbnbth.exec:\hbnbth.exe38⤵
- Executes dropped EXE
PID:2180 -
\??\c:\9tbttb.exec:\9tbttb.exe39⤵
- Executes dropped EXE
PID:3348 -
\??\c:\7thtnh.exec:\7thtnh.exe40⤵
- Executes dropped EXE
PID:3892 -
\??\c:\pdddv.exec:\pdddv.exe41⤵
- Executes dropped EXE
PID:2264 -
\??\c:\4222042.exec:\4222042.exe42⤵
- Executes dropped EXE
PID:2380 -
\??\c:\fllxrlx.exec:\fllxrlx.exe43⤵
- Executes dropped EXE
PID:2204 -
\??\c:\062048.exec:\062048.exe44⤵
- Executes dropped EXE
PID:1604 -
\??\c:\lrxllfl.exec:\lrxllfl.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692 -
\??\c:\pdvjd.exec:\pdvjd.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\bntnhb.exec:\bntnhb.exe47⤵
- Executes dropped EXE
PID:2580 -
\??\c:\m2260.exec:\m2260.exe48⤵
- Executes dropped EXE
PID:552 -
\??\c:\066048.exec:\066048.exe49⤵
- Executes dropped EXE
PID:388 -
\??\c:\406044.exec:\406044.exe50⤵
- Executes dropped EXE
PID:2528 -
\??\c:\8044004.exec:\8044004.exe51⤵
- Executes dropped EXE
PID:2200 -
\??\c:\ddddv.exec:\ddddv.exe52⤵
- Executes dropped EXE
PID:4316 -
\??\c:\hhhhnn.exec:\hhhhnn.exe53⤵
- Executes dropped EXE
PID:5032 -
\??\c:\0848660.exec:\0848660.exe54⤵
- Executes dropped EXE
PID:3304 -
\??\c:\tntnhh.exec:\tntnhh.exe55⤵
- Executes dropped EXE
PID:4916 -
\??\c:\frlfrrl.exec:\frlfrrl.exe56⤵
- Executes dropped EXE
PID:4356 -
\??\c:\246266.exec:\246266.exe57⤵
- Executes dropped EXE
PID:4904 -
\??\c:\bhtnnn.exec:\bhtnnn.exe58⤵
- Executes dropped EXE
PID:2132 -
\??\c:\642682.exec:\642682.exe59⤵
- Executes dropped EXE
PID:2016 -
\??\c:\60260.exec:\60260.exe60⤵
- Executes dropped EXE
PID:4620 -
\??\c:\tttttt.exec:\tttttt.exe61⤵
- Executes dropped EXE
PID:3904 -
\??\c:\lflxxxx.exec:\lflxxxx.exe62⤵
- Executes dropped EXE
PID:1556 -
\??\c:\66220.exec:\66220.exe63⤵
- Executes dropped EXE
PID:3120 -
\??\c:\pdjvv.exec:\pdjvv.exe64⤵
- Executes dropped EXE
PID:3952 -
\??\c:\484040.exec:\484040.exe65⤵
- Executes dropped EXE
PID:2004 -
\??\c:\ddddd.exec:\ddddd.exe66⤵PID:3244
-
\??\c:\06226.exec:\06226.exe67⤵PID:1592
-
\??\c:\2280048.exec:\2280048.exe68⤵PID:2092
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe69⤵PID:2236
-
\??\c:\jppjj.exec:\jppjj.exe70⤵PID:2612
-
\??\c:\428668.exec:\428668.exe71⤵PID:2940
-
\??\c:\flxrrrr.exec:\flxrrrr.exe72⤵PID:704
-
\??\c:\004444.exec:\004444.exe73⤵PID:3824
-
\??\c:\o808842.exec:\o808842.exe74⤵PID:2964
-
\??\c:\djpvd.exec:\djpvd.exe75⤵PID:2356
-
\??\c:\bhbttt.exec:\bhbttt.exe76⤵PID:1988
-
\??\c:\6262682.exec:\6262682.exe77⤵PID:244
-
\??\c:\6482884.exec:\6482884.exe78⤵PID:1064
-
\??\c:\hhhbtt.exec:\hhhbtt.exe79⤵PID:1068
-
\??\c:\0282224.exec:\0282224.exe80⤵PID:212
-
\??\c:\dvdjp.exec:\dvdjp.exe81⤵PID:1252
-
\??\c:\60482.exec:\60482.exe82⤵PID:4664
-
\??\c:\m4060.exec:\m4060.exe83⤵PID:1264
-
\??\c:\lfxxffl.exec:\lfxxffl.exe84⤵PID:2856
-
\??\c:\26406.exec:\26406.exe85⤵PID:2872
-
\??\c:\frxfxxx.exec:\frxfxxx.exe86⤵PID:2532
-
\??\c:\lfffxxr.exec:\lfffxxr.exe87⤵PID:1908
-
\??\c:\24266.exec:\24266.exe88⤵PID:5048
-
\??\c:\824222.exec:\824222.exe89⤵PID:2988
-
\??\c:\xxxflfr.exec:\xxxflfr.exe90⤵PID:4264
-
\??\c:\htbtbb.exec:\htbtbb.exe91⤵PID:1940
-
\??\c:\202226.exec:\202226.exe92⤵PID:1696
-
\??\c:\66266.exec:\66266.exe93⤵PID:4976
-
\??\c:\1flfxrl.exec:\1flfxrl.exe94⤵PID:4436
-
\??\c:\3vdjv.exec:\3vdjv.exe95⤵PID:2360
-
\??\c:\ddppp.exec:\ddppp.exe96⤵PID:4804
-
\??\c:\i008260.exec:\i008260.exe97⤵PID:2100
-
\??\c:\jjpdv.exec:\jjpdv.exe98⤵PID:3588
-
\??\c:\8844608.exec:\8844608.exe99⤵PID:3564
-
\??\c:\llflflf.exec:\llflflf.exe100⤵PID:404
-
\??\c:\tbnhtn.exec:\tbnhtn.exe101⤵PID:4484
-
\??\c:\068604.exec:\068604.exe102⤵PID:4836
-
\??\c:\xfxlxrx.exec:\xfxlxrx.exe103⤵PID:3832
-
\??\c:\286082.exec:\286082.exe104⤵PID:2312
-
\??\c:\btbtnt.exec:\btbtnt.exe105⤵PID:1624
-
\??\c:\vjdpj.exec:\vjdpj.exe106⤵PID:2436
-
\??\c:\pvjpv.exec:\pvjpv.exe107⤵PID:1272
-
\??\c:\rrxlxrl.exec:\rrxlxrl.exe108⤵PID:1464
-
\??\c:\xrlrxlf.exec:\xrlrxlf.exe109⤵PID:4872
-
\??\c:\i226482.exec:\i226482.exe110⤵PID:552
-
\??\c:\jdjdp.exec:\jdjdp.exe111⤵PID:4268
-
\??\c:\48224.exec:\48224.exe112⤵PID:1976
-
\??\c:\826240.exec:\826240.exe113⤵PID:4280
-
\??\c:\rfrlfxr.exec:\rfrlfxr.exe114⤵PID:4300
-
\??\c:\3xxlllf.exec:\3xxlllf.exe115⤵PID:4712
-
\??\c:\ddjvj.exec:\ddjvj.exe116⤵PID:4428
-
\??\c:\thhbtt.exec:\thhbtt.exe117⤵PID:1848
-
\??\c:\lrfllrl.exec:\lrfllrl.exe118⤵PID:2232
-
\??\c:\nnnbtn.exec:\nnnbtn.exe119⤵PID:4432
-
\??\c:\pjjvj.exec:\pjjvj.exe120⤵PID:4904
-
\??\c:\3lfxrrf.exec:\3lfxrrf.exe121⤵PID:4816
-
\??\c:\frxlxxr.exec:\frxlxxr.exe122⤵PID:372