Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 04:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c89204776f53abbc7e7b6dab87f5420f8d9fcab46c8fd6b1573cc84f63c26eeb.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c89204776f53abbc7e7b6dab87f5420f8d9fcab46c8fd6b1573cc84f63c26eeb.exe
-
Size
454KB
-
MD5
d2e6d82d75cd59975032761929bddb2b
-
SHA1
7f9b1e682d5bd3d89e9868e06070fee65af36442
-
SHA256
c89204776f53abbc7e7b6dab87f5420f8d9fcab46c8fd6b1573cc84f63c26eeb
-
SHA512
1fb059916abcd151f30c07ba3cb493e72845cb771fb20e33314c1553cc85bf44f619b279e6245e257bbb14ba8adfbb75b756dec9ff52909dde197b3ca3ea021c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3124-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2288-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4392-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-878-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-1092-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-1108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-1531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-1874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2152 djjdv.exe 1696 9bbnnn.exe 2188 vpdvv.exe 4284 pddvj.exe 3964 hnhnhh.exe 4728 ppdvv.exe 3192 nhnhnh.exe 4612 llrrrlf.exe 4556 dpdvp.exe 4312 1ppjd.exe 1880 jvvpj.exe 4600 xrrrlxr.exe 1212 frxlfxr.exe 2304 3ffxllf.exe 3388 1jjvp.exe 4048 rffxrlf.exe 2868 tnthht.exe 1996 ppvjj.exe 2288 7jdpj.exe 2176 lfxrfxr.exe 1904 nbhtnb.exe 2760 dpjdp.exe 3552 xfrfrll.exe 2744 vpppv.exe 4952 ffrrxxx.exe 5020 5frfxxx.exe 5056 thnhhb.exe 3048 3vvpj.exe 4576 nbtnhb.exe 4628 frlfllf.exe 1128 xlrllff.exe 2956 hnhtnn.exe 3044 djpvp.exe 4200 btnbtn.exe 2308 jpvpj.exe 4988 jpdpj.exe 5016 bttnbb.exe 2464 jpvpj.exe 3392 frfxrrl.exe 2364 xxfxllf.exe 5044 thnhnh.exe 4052 7vdvp.exe 3560 xrxrlff.exe 4036 tnttnh.exe 1728 nbnthn.exe 3240 vpdvp.exe 4724 pddpj.exe 4956 flxrflf.exe 4748 5nthbb.exe 4776 vpdvd.exe 4420 xlxrxrx.exe 4464 btbbnh.exe 868 vjpdd.exe 3460 3djvp.exe 2224 5ffxllf.exe 1696 7ttnnn.exe 388 jpvpj.exe 544 vvdjj.exe 4884 xllfxrl.exe 2164 jddvj.exe 5028 xrrlllf.exe 3116 rxffrrl.exe 3192 3hnhbb.exe 3636 djjdp.exe -
resource yara_rule behavioral2/memory/3124-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3048-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3788-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-801-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-1092-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-1152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-1182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-1531-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3124 wrote to memory of 2152 3124 c89204776f53abbc7e7b6dab87f5420f8d9fcab46c8fd6b1573cc84f63c26eeb.exe 82 PID 3124 wrote to memory of 2152 3124 c89204776f53abbc7e7b6dab87f5420f8d9fcab46c8fd6b1573cc84f63c26eeb.exe 82 PID 3124 wrote to memory of 2152 3124 c89204776f53abbc7e7b6dab87f5420f8d9fcab46c8fd6b1573cc84f63c26eeb.exe 82 PID 2152 wrote to memory of 1696 2152 djjdv.exe 83 PID 2152 wrote to memory of 1696 2152 djjdv.exe 83 PID 2152 wrote to memory of 1696 2152 djjdv.exe 83 PID 1696 wrote to memory of 2188 1696 9bbnnn.exe 84 PID 1696 wrote to memory of 2188 1696 9bbnnn.exe 84 PID 1696 wrote to memory of 2188 1696 9bbnnn.exe 84 PID 2188 wrote to memory of 4284 2188 vpdvv.exe 85 PID 2188 wrote to memory of 4284 2188 vpdvv.exe 85 PID 2188 wrote to memory of 4284 2188 vpdvv.exe 85 PID 4284 wrote to memory of 3964 4284 pddvj.exe 86 PID 4284 wrote to memory of 3964 4284 pddvj.exe 86 PID 4284 wrote to memory of 3964 4284 pddvj.exe 86 PID 3964 wrote to memory of 4728 3964 hnhnhh.exe 87 PID 3964 wrote to memory of 4728 3964 hnhnhh.exe 87 PID 3964 wrote to memory of 4728 3964 hnhnhh.exe 87 PID 4728 wrote to memory of 3192 4728 ppdvv.exe 88 PID 4728 wrote to memory of 3192 4728 ppdvv.exe 88 PID 4728 wrote to memory of 3192 4728 ppdvv.exe 88 PID 3192 wrote to memory of 4612 3192 nhnhnh.exe 89 PID 3192 wrote to memory of 4612 3192 nhnhnh.exe 89 PID 3192 wrote to memory of 4612 3192 nhnhnh.exe 89 PID 4612 wrote to memory of 4556 4612 llrrrlf.exe 90 PID 4612 wrote to memory of 4556 4612 llrrrlf.exe 90 PID 4612 wrote to memory of 4556 4612 llrrrlf.exe 90 PID 4556 wrote to memory of 4312 4556 dpdvp.exe 91 PID 4556 wrote to memory of 4312 4556 dpdvp.exe 91 PID 4556 wrote to memory of 4312 4556 dpdvp.exe 91 PID 4312 wrote to memory of 1880 4312 1ppjd.exe 92 PID 4312 wrote to memory of 1880 4312 1ppjd.exe 92 PID 4312 wrote to memory of 1880 4312 1ppjd.exe 92 PID 1880 wrote to memory of 4600 1880 jvvpj.exe 93 PID 1880 wrote to memory of 4600 
1880 jvvpj.exe 93 PID 1880 wrote to memory of 4600 1880 jvvpj.exe 93 PID 4600 wrote to memory of 1212 4600 xrrrlxr.exe 94 PID 4600 wrote to memory of 1212 4600 xrrrlxr.exe 94 PID 4600 wrote to memory of 1212 4600 xrrrlxr.exe 94 PID 1212 wrote to memory of 2304 1212 frxlfxr.exe 95 PID 1212 wrote to memory of 2304 1212 frxlfxr.exe 95 PID 1212 wrote to memory of 2304 1212 frxlfxr.exe 95 PID 2304 wrote to memory of 3388 2304 3ffxllf.exe 96 PID 2304 wrote to memory of 3388 2304 3ffxllf.exe 96 PID 2304 wrote to memory of 3388 2304 3ffxllf.exe 96 PID 3388 wrote to memory of 4048 3388 1jjvp.exe 97 PID 3388 wrote to memory of 4048 3388 1jjvp.exe 97 PID 3388 wrote to memory of 4048 3388 1jjvp.exe 97 PID 4048 wrote to memory of 2868 4048 rffxrlf.exe 98 PID 4048 wrote to memory of 2868 4048 rffxrlf.exe 98 PID 4048 wrote to memory of 2868 4048 rffxrlf.exe 98 PID 2868 wrote to memory of 1996 2868 tnthht.exe 99 PID 2868 wrote to memory of 1996 2868 tnthht.exe 99 PID 2868 wrote to memory of 1996 2868 tnthht.exe 99 PID 1996 wrote to memory of 2288 1996 ppvjj.exe 100 PID 1996 wrote to memory of 2288 1996 ppvjj.exe 100 PID 1996 wrote to memory of 2288 1996 ppvjj.exe 100 PID 2288 wrote to memory of 2176 2288 7jdpj.exe 101 PID 2288 wrote to memory of 2176 2288 7jdpj.exe 101 PID 2288 wrote to memory of 2176 2288 7jdpj.exe 101 PID 2176 wrote to memory of 1904 2176 lfxrfxr.exe 102 PID 2176 wrote to memory of 1904 2176 lfxrfxr.exe 102 PID 2176 wrote to memory of 1904 2176 lfxrfxr.exe 102 PID 1904 wrote to memory of 2760 1904 nbhtnb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c89204776f53abbc7e7b6dab87f5420f8d9fcab46c8fd6b1573cc84f63c26eeb.exe"C:\Users\Admin\AppData\Local\Temp\c89204776f53abbc7e7b6dab87f5420f8d9fcab46c8fd6b1573cc84f63c26eeb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\djjdv.exec:\djjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\9bbnnn.exec:\9bbnnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\vpdvv.exec:\vpdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\pddvj.exec:\pddvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\hnhnhh.exec:\hnhnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\ppdvv.exec:\ppdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\nhnhnh.exec:\nhnhnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\llrrrlf.exec:\llrrrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\dpdvp.exec:\dpdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\1ppjd.exec:\1ppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\jvvpj.exec:\jvvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\xrrrlxr.exec:\xrrrlxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\frxlfxr.exec:\frxlfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\3ffxllf.exec:\3ffxllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\1jjvp.exec:\1jjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\rffxrlf.exec:\rffxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\tnthht.exec:\tnthht.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\ppvjj.exec:\ppvjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\7jdpj.exec:\7jdpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\lfxrfxr.exec:\lfxrfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\nbhtnb.exec:\nbhtnb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\dpjdp.exec:\dpjdp.exe23⤵
- Executes dropped EXE
PID:2760 -
\??\c:\xfrfrll.exec:\xfrfrll.exe24⤵
- Executes dropped EXE
PID:3552 -
\??\c:\vpppv.exec:\vpppv.exe25⤵
- Executes dropped EXE
PID:2744 -
\??\c:\ffrrxxx.exec:\ffrrxxx.exe26⤵
- Executes dropped EXE
PID:4952 -
\??\c:\5frfxxx.exec:\5frfxxx.exe27⤵
- Executes dropped EXE
PID:5020 -
\??\c:\thnhhb.exec:\thnhhb.exe28⤵
- Executes dropped EXE
PID:5056 -
\??\c:\3vvpj.exec:\3vvpj.exe29⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nbtnhb.exec:\nbtnhb.exe30⤵
- Executes dropped EXE
PID:4576 -
\??\c:\frlfllf.exec:\frlfllf.exe31⤵
- Executes dropped EXE
PID:4628 -
\??\c:\xlrllff.exec:\xlrllff.exe32⤵
- Executes dropped EXE
PID:1128 -
\??\c:\hnhtnn.exec:\hnhtnn.exe33⤵
- Executes dropped EXE
PID:2956 -
\??\c:\djpvp.exec:\djpvp.exe34⤵
- Executes dropped EXE
PID:3044 -
\??\c:\btnbtn.exec:\btnbtn.exe35⤵
- Executes dropped EXE
PID:4200 -
\??\c:\jpvpj.exec:\jpvpj.exe36⤵
- Executes dropped EXE
PID:2308 -
\??\c:\jpdpj.exec:\jpdpj.exe37⤵
- Executes dropped EXE
PID:4988 -
\??\c:\bttnbb.exec:\bttnbb.exe38⤵
- Executes dropped EXE
PID:5016 -
\??\c:\jpvpj.exec:\jpvpj.exe39⤵
- Executes dropped EXE
PID:2464 -
\??\c:\frfxrrl.exec:\frfxrrl.exe40⤵
- Executes dropped EXE
PID:3392 -
\??\c:\xxfxllf.exec:\xxfxllf.exe41⤵
- Executes dropped EXE
PID:2364 -
\??\c:\thnhnh.exec:\thnhnh.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044 -
\??\c:\7vdvp.exec:\7vdvp.exe43⤵
- Executes dropped EXE
PID:4052 -
\??\c:\xrxrlff.exec:\xrxrlff.exe44⤵
- Executes dropped EXE
PID:3560 -
\??\c:\tnttnh.exec:\tnttnh.exe45⤵
- Executes dropped EXE
PID:4036 -
\??\c:\nbnthn.exec:\nbnthn.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
\??\c:\vpdvp.exec:\vpdvp.exe47⤵
- Executes dropped EXE
PID:3240 -
\??\c:\pddpj.exec:\pddpj.exe48⤵
- Executes dropped EXE
PID:4724 -
\??\c:\flxrflf.exec:\flxrflf.exe49⤵
- Executes dropped EXE
PID:4956 -
\??\c:\5nthbb.exec:\5nthbb.exe50⤵
- Executes dropped EXE
PID:4748 -
\??\c:\vpdvd.exec:\vpdvd.exe51⤵
- Executes dropped EXE
PID:4776 -
\??\c:\xlxrxrx.exec:\xlxrxrx.exe52⤵
- Executes dropped EXE
PID:4420 -
\??\c:\btbbnh.exec:\btbbnh.exe53⤵
- Executes dropped EXE
PID:4464 -
\??\c:\vjpdd.exec:\vjpdd.exe54⤵
- Executes dropped EXE
PID:868 -
\??\c:\3djvp.exec:\3djvp.exe55⤵
- Executes dropped EXE
PID:3460 -
\??\c:\5ffxllf.exec:\5ffxllf.exe56⤵
- Executes dropped EXE
PID:2224 -
\??\c:\7ttnnn.exec:\7ttnnn.exe57⤵
- Executes dropped EXE
PID:1696 -
\??\c:\jpvpj.exec:\jpvpj.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:388 -
\??\c:\vvdjj.exec:\vvdjj.exe59⤵
- Executes dropped EXE
PID:544 -
\??\c:\xllfxrl.exec:\xllfxrl.exe60⤵
- Executes dropped EXE
PID:4884 -
\??\c:\jddvj.exec:\jddvj.exe61⤵
- Executes dropped EXE
PID:2164 -
\??\c:\xrrlllf.exec:\xrrlllf.exe62⤵
- Executes dropped EXE
PID:5028 -
\??\c:\rxffrrl.exec:\rxffrrl.exe63⤵
- Executes dropped EXE
PID:3116 -
\??\c:\3hnhbb.exec:\3hnhbb.exe64⤵
- Executes dropped EXE
PID:3192 -
\??\c:\djjdp.exec:\djjdp.exe65⤵
- Executes dropped EXE
PID:3636 -
\??\c:\9llxrll.exec:\9llxrll.exe66⤵PID:1052
-
\??\c:\7hnntt.exec:\7hnntt.exe67⤵PID:1772
-
\??\c:\pjpjd.exec:\pjpjd.exe68⤵PID:4844
-
\??\c:\dvjdv.exec:\dvjdv.exe69⤵PID:2792
-
\??\c:\lflfrrl.exec:\lflfrrl.exe70⤵PID:4968
-
\??\c:\9bttnn.exec:\9bttnn.exe71⤵PID:3656
-
\??\c:\dvdvd.exec:\dvdvd.exe72⤵PID:3456
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe73⤵PID:2008
-
\??\c:\ffffxrl.exec:\ffffxrl.exe74⤵PID:4392
-
\??\c:\nbtnbb.exec:\nbtnbb.exe75⤵PID:220
-
\??\c:\3dvpp.exec:\3dvpp.exe76⤵PID:4444
-
\??\c:\3xrrffx.exec:\3xrrffx.exe77⤵PID:4048
-
\??\c:\rflfffl.exec:\rflfffl.exe78⤵PID:1528
-
\??\c:\tnbhbh.exec:\tnbhbh.exe79⤵PID:928
-
\??\c:\vvjvp.exec:\vvjvp.exe80⤵
- System Location Discovery: System Language Discovery
PID:992 -
\??\c:\xlxfxxx.exec:\xlxfxxx.exe81⤵PID:4152
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe82⤵PID:4372
-
\??\c:\bbnnhh.exec:\bbnnhh.exe83⤵PID:4648
-
\??\c:\3dvpd.exec:\3dvpd.exe84⤵PID:400
-
\??\c:\rlrrllf.exec:\rlrrllf.exe85⤵PID:5116
-
\??\c:\bhnnhn.exec:\bhnnhn.exe86⤵PID:1192
-
\??\c:\jvdvv.exec:\jvdvv.exe87⤵PID:4720
-
\??\c:\jvpjd.exec:\jvpjd.exe88⤵PID:660
-
\??\c:\lfrflfl.exec:\lfrflfl.exe89⤵PID:4764
-
\??\c:\nbnnhh.exec:\nbnnhh.exe90⤵PID:1448
-
\??\c:\pjjdv.exec:\pjjdv.exe91⤵PID:3788
-
\??\c:\vpjdp.exec:\vpjdp.exe92⤵PID:5056
-
\??\c:\lfrrlrl.exec:\lfrrlrl.exe93⤵PID:3048
-
\??\c:\9tttnn.exec:\9tttnn.exe94⤵PID:4180
-
\??\c:\vppjd.exec:\vppjd.exe95⤵PID:3232
-
\??\c:\jddvp.exec:\jddvp.exe96⤵PID:380
-
\??\c:\lrxrrll.exec:\lrxrrll.exe97⤵PID:1128
-
\??\c:\nnthbb.exec:\nnthbb.exe98⤵PID:184
-
\??\c:\jvddv.exec:\jvddv.exe99⤵PID:828
-
\??\c:\1xfrfrl.exec:\1xfrfrl.exe100⤵PID:2736
-
\??\c:\ttbttn.exec:\ttbttn.exe101⤵PID:1308
-
\??\c:\jdpjj.exec:\jdpjj.exe102⤵PID:4632
-
\??\c:\vjdvj.exec:\vjdvj.exe103⤵PID:2004
-
\??\c:\3frlrrx.exec:\3frlrrx.exe104⤵PID:4832
-
\??\c:\nthtnn.exec:\nthtnn.exe105⤵PID:4528
-
\??\c:\pvvpj.exec:\pvvpj.exe106⤵PID:5108
-
\??\c:\llxlffr.exec:\llxlffr.exe107⤵PID:3856
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe108⤵PID:2236
-
\??\c:\ttbbtn.exec:\ttbbtn.exe109⤵PID:2100
-
\??\c:\nnnnhb.exec:\nnnnhb.exe110⤵PID:3728
-
\??\c:\pppdv.exec:\pppdv.exe111⤵PID:1892
-
\??\c:\rflxrll.exec:\rflxrll.exe112⤵PID:1292
-
\??\c:\tttnhh.exec:\tttnhh.exe113⤵PID:4360
-
\??\c:\vppjd.exec:\vppjd.exe114⤵PID:1084
-
\??\c:\5jvpp.exec:\5jvpp.exe115⤵PID:3792
-
\??\c:\frxlxrl.exec:\frxlxrl.exe116⤵PID:4428
-
\??\c:\nbbthh.exec:\nbbthh.exe117⤵PID:4484
-
\??\c:\ddvpp.exec:\ddvpp.exe118⤵PID:3328
-
\??\c:\frxlffx.exec:\frxlffx.exe119⤵PID:4456
-
\??\c:\thhtnh.exec:\thhtnh.exe120⤵PID:224
-
\??\c:\nbhhbt.exec:\nbhhbt.exe121⤵PID:376
-
\??\c:\ddvpj.exec:\ddvpj.exe122⤵PID:3436