Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe
-
Size
457KB
-
MD5
25029de0b4256da56b35603faa91535f
-
SHA1
ace652cc47eefe0e0410fb4873484bb0344fa942
-
SHA256
96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074
-
SHA512
ff0003e2397c64299385d93b07958b020d876704658bae9d15648a624ef73f3066fe49aaf3302213cc1b345bc1b7e2ed09c63b55109b0eb249565d74fa210613
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRK:q7Tc2NYHUrAwfMp3CDRK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3764-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2424-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3604-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-1356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2020 nbhnhh.exe 2320 pjvpv.exe 4484 ntnbth.exe 1912 9rxrrlf.exe 1920 djdjv.exe 2700 hhbbtt.exe 348 dpjjd.exe 2988 btbttn.exe 2676 rxfxlfx.exe 2068 hbnhbb.exe 700 lxxrlfl.exe 4880 ntnnhh.exe 4868 jdddd.exe 988 bhhbtn.exe 1700 jjpvv.exe 3132 1xrrllf.exe 1768 tnnnhn.exe 824 jjpjp.exe 3468 jjjdj.exe 2284 3thbnh.exe 3452 ppppj.exe 2272 tnhnhh.exe 3020 pvjvv.exe 5052 7xrlllf.exe 216 hnttnn.exe 4472 5vpjd.exe 1252 9jvjp.exe 3164 7bhttn.exe 4160 btbnth.exe 4560 3djdp.exe 2304 rrrrfff.exe 440 bhtnhh.exe 2424 vjjdj.exe 2652 nttnhb.exe 4216 jdpjj.exe 2996 rllfrxr.exe 1620 tntnnn.exe 1388 pddvp.exe 4864 1ddvp.exe 1772 bbbttt.exe 3400 pjpjj.exe 2248 frlxrxx.exe 3788 3bhbtt.exe 1684 1dvvp.exe 1612 3pdvp.exe 4300 xxffrrx.exe 4376 bbnhhh.exe 4924 vvjdp.exe 1180 jppjd.exe 1472 xxlfrrx.exe 3196 ppppj.exe 2944 pppjd.exe 828 xrrrlxr.exe 936 nhhhhb.exe 2484 vvvpj.exe 2880 vpdvj.exe 3488 1rxrxxl.exe 3128 7bhbtb.exe 1936 ddvpj.exe 876 pjdvp.exe 244 rffxrrl.exe 2068 tnttnn.exe 5004 jjjjd.exe 2928 fllrrfr.exe -
resource yara_rule behavioral2/memory/3764-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-193-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2996-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-384-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2684-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-888-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-892-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3764 wrote to memory of 2020 3764 96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe 82 PID 3764 wrote to memory of 2020 3764 96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe 82 PID 3764 wrote to memory of 2020 3764 96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe 82 PID 2020 wrote to memory of 2320 2020 nbhnhh.exe 83 PID 2020 wrote to memory of 2320 2020 nbhnhh.exe 83 PID 2020 wrote to memory of 2320 2020 nbhnhh.exe 83 PID 2320 wrote to memory of 4484 2320 pjvpv.exe 84 PID 2320 wrote to memory of 4484 2320 pjvpv.exe 84 PID 2320 wrote to memory of 4484 2320 pjvpv.exe 84 PID 4484 wrote to memory of 1912 4484 ntnbth.exe 85 PID 4484 wrote to memory of 1912 4484 ntnbth.exe 85 PID 4484 wrote to memory of 1912 4484 ntnbth.exe 85 PID 1912 wrote to memory of 1920 1912 9rxrrlf.exe 86 PID 1912 wrote to memory of 1920 1912 9rxrrlf.exe 86 PID 1912 wrote to memory of 1920 1912 9rxrrlf.exe 86 PID 1920 wrote to memory of 2700 1920 djdjv.exe 87 PID 1920 wrote to memory of 2700 1920 djdjv.exe 87 PID 1920 wrote to memory of 2700 1920 djdjv.exe 87 PID 2700 wrote to memory of 348 2700 hhbbtt.exe 88 PID 2700 wrote to memory of 348 2700 hhbbtt.exe 88 PID 2700 wrote to memory of 348 2700 hhbbtt.exe 88 PID 348 wrote to memory of 2988 348 dpjjd.exe 89 PID 348 wrote to memory of 2988 348 dpjjd.exe 89 PID 348 wrote to memory of 2988 348 dpjjd.exe 89 PID 2988 wrote to memory of 2676 2988 btbttn.exe 90 PID 2988 wrote to memory of 2676 2988 btbttn.exe 90 PID 2988 wrote to memory of 2676 2988 btbttn.exe 90 PID 2676 wrote to memory of 2068 2676 rxfxlfx.exe 91 PID 2676 wrote to memory of 2068 2676 rxfxlfx.exe 91 PID 2676 wrote to memory of 2068 2676 rxfxlfx.exe 91 PID 2068 wrote to memory of 700 2068 hbnhbb.exe 92 PID 2068 wrote to memory of 700 2068 hbnhbb.exe 92 PID 2068 wrote to memory of 700 2068 hbnhbb.exe 92 PID 700 wrote to memory of 4880 700 lxxrlfl.exe 93 PID 700 wrote to memory of 4880 700 
lxxrlfl.exe 93 PID 700 wrote to memory of 4880 700 lxxrlfl.exe 93 PID 4880 wrote to memory of 4868 4880 ntnnhh.exe 94 PID 4880 wrote to memory of 4868 4880 ntnnhh.exe 94 PID 4880 wrote to memory of 4868 4880 ntnnhh.exe 94 PID 4868 wrote to memory of 988 4868 jdddd.exe 95 PID 4868 wrote to memory of 988 4868 jdddd.exe 95 PID 4868 wrote to memory of 988 4868 jdddd.exe 95 PID 988 wrote to memory of 1700 988 bhhbtn.exe 96 PID 988 wrote to memory of 1700 988 bhhbtn.exe 96 PID 988 wrote to memory of 1700 988 bhhbtn.exe 96 PID 1700 wrote to memory of 3132 1700 jjpvv.exe 97 PID 1700 wrote to memory of 3132 1700 jjpvv.exe 97 PID 1700 wrote to memory of 3132 1700 jjpvv.exe 97 PID 3132 wrote to memory of 1768 3132 1xrrllf.exe 98 PID 3132 wrote to memory of 1768 3132 1xrrllf.exe 98 PID 3132 wrote to memory of 1768 3132 1xrrllf.exe 98 PID 1768 wrote to memory of 824 1768 tnnnhn.exe 99 PID 1768 wrote to memory of 824 1768 tnnnhn.exe 99 PID 1768 wrote to memory of 824 1768 tnnnhn.exe 99 PID 824 wrote to memory of 3468 824 jjpjp.exe 100 PID 824 wrote to memory of 3468 824 jjpjp.exe 100 PID 824 wrote to memory of 3468 824 jjpjp.exe 100 PID 3468 wrote to memory of 2284 3468 jjjdj.exe 101 PID 3468 wrote to memory of 2284 3468 jjjdj.exe 101 PID 3468 wrote to memory of 2284 3468 jjjdj.exe 101 PID 2284 wrote to memory of 3452 2284 3thbnh.exe 102 PID 2284 wrote to memory of 3452 2284 3thbnh.exe 102 PID 2284 wrote to memory of 3452 2284 3thbnh.exe 102 PID 3452 wrote to memory of 2272 3452 ppppj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe"C:\Users\Admin\AppData\Local\Temp\96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\nbhnhh.exec:\nbhnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\pjvpv.exec:\pjvpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\ntnbth.exec:\ntnbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\9rxrrlf.exec:\9rxrrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\djdjv.exec:\djdjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\hhbbtt.exec:\hhbbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\dpjjd.exec:\dpjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\btbttn.exec:\btbttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\hbnhbb.exec:\hbnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\lxxrlfl.exec:\lxxrlfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\ntnnhh.exec:\ntnnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\jdddd.exec:\jdddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\bhhbtn.exec:\bhhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\jjpvv.exec:\jjpvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\1xrrllf.exec:\1xrrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\tnnnhn.exec:\tnnnhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\jjpjp.exec:\jjpjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\jjjdj.exec:\jjjdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\3thbnh.exec:\3thbnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\ppppj.exec:\ppppj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\tnhnhh.exec:\tnhnhh.exe23⤵
- Executes dropped EXE
PID:2272 -
\??\c:\pvjvv.exec:\pvjvv.exe24⤵
- Executes dropped EXE
PID:3020 -
\??\c:\7xrlllf.exec:\7xrlllf.exe25⤵
- Executes dropped EXE
PID:5052 -
\??\c:\hnttnn.exec:\hnttnn.exe26⤵
- Executes dropped EXE
PID:216 -
\??\c:\5vpjd.exec:\5vpjd.exe27⤵
- Executes dropped EXE
PID:4472 -
\??\c:\9jvjp.exec:\9jvjp.exe28⤵
- Executes dropped EXE
PID:1252 -
\??\c:\7bhttn.exec:\7bhttn.exe29⤵
- Executes dropped EXE
PID:3164 -
\??\c:\btbnth.exec:\btbnth.exe30⤵
- Executes dropped EXE
PID:4160 -
\??\c:\3djdp.exec:\3djdp.exe31⤵
- Executes dropped EXE
PID:4560 -
\??\c:\rrrrfff.exec:\rrrrfff.exe32⤵
- Executes dropped EXE
PID:2304 -
\??\c:\bhtnhh.exec:\bhtnhh.exe33⤵
- Executes dropped EXE
PID:440 -
\??\c:\vjjdj.exec:\vjjdj.exe34⤵
- Executes dropped EXE
PID:2424 -
\??\c:\nttnhb.exec:\nttnhb.exe35⤵
- Executes dropped EXE
PID:2652 -
\??\c:\jdpjj.exec:\jdpjj.exe36⤵
- Executes dropped EXE
PID:4216 -
\??\c:\rllfrxr.exec:\rllfrxr.exe37⤵
- Executes dropped EXE
PID:2996 -
\??\c:\tntnnn.exec:\tntnnn.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620 -
\??\c:\pddvp.exec:\pddvp.exe39⤵
- Executes dropped EXE
PID:1388 -
\??\c:\1ddvp.exec:\1ddvp.exe40⤵
- Executes dropped EXE
PID:4864 -
\??\c:\bbbttt.exec:\bbbttt.exe41⤵
- Executes dropped EXE
PID:1772 -
\??\c:\pjpjj.exec:\pjpjj.exe42⤵
- Executes dropped EXE
PID:3400 -
\??\c:\frlxrxx.exec:\frlxrxx.exe43⤵
- Executes dropped EXE
PID:2248 -
\??\c:\3bhbtt.exec:\3bhbtt.exe44⤵
- Executes dropped EXE
PID:3788 -
\??\c:\1dvvp.exec:\1dvvp.exe45⤵
- Executes dropped EXE
PID:1684 -
\??\c:\3pdvp.exec:\3pdvp.exe46⤵
- Executes dropped EXE
PID:1612 -
\??\c:\xxffrrx.exec:\xxffrrx.exe47⤵
- Executes dropped EXE
PID:4300 -
\??\c:\bbnhhh.exec:\bbnhhh.exe48⤵
- Executes dropped EXE
PID:4376 -
\??\c:\vvjdp.exec:\vvjdp.exe49⤵
- Executes dropped EXE
PID:4924 -
\??\c:\jppjd.exec:\jppjd.exe50⤵
- Executes dropped EXE
PID:1180 -
\??\c:\xxlfrrx.exec:\xxlfrrx.exe51⤵
- Executes dropped EXE
PID:1472 -
\??\c:\ppppj.exec:\ppppj.exe52⤵
- Executes dropped EXE
PID:3196 -
\??\c:\pppjd.exec:\pppjd.exe53⤵
- Executes dropped EXE
PID:2944 -
\??\c:\xrrrlxr.exec:\xrrrlxr.exe54⤵
- Executes dropped EXE
PID:828 -
\??\c:\nhhhhb.exec:\nhhhhb.exe55⤵
- Executes dropped EXE
PID:936 -
\??\c:\vvvpj.exec:\vvvpj.exe56⤵
- Executes dropped EXE
PID:2484 -
\??\c:\vpdvj.exec:\vpdvj.exe57⤵
- Executes dropped EXE
PID:2880 -
\??\c:\1rxrxxl.exec:\1rxrxxl.exe58⤵
- Executes dropped EXE
PID:3488 -
\??\c:\7bhbtb.exec:\7bhbtb.exe59⤵
- Executes dropped EXE
PID:3128 -
\??\c:\ddvpj.exec:\ddvpj.exe60⤵
- Executes dropped EXE
PID:1936 -
\??\c:\pjdvp.exec:\pjdvp.exe61⤵
- Executes dropped EXE
PID:876 -
\??\c:\rffxrrl.exec:\rffxrrl.exe62⤵
- Executes dropped EXE
PID:244 -
\??\c:\tnttnn.exec:\tnttnn.exe63⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jjjjd.exec:\jjjjd.exe64⤵
- Executes dropped EXE
PID:5004 -
\??\c:\fllrrfr.exec:\fllrrfr.exe65⤵
- Executes dropped EXE
PID:2928 -
\??\c:\lllfxxr.exec:\lllfxxr.exe66⤵PID:4880
-
\??\c:\bhtnhh.exec:\bhtnhh.exe67⤵PID:1816
-
\??\c:\pjvpd.exec:\pjvpd.exe68⤵PID:3184
-
\??\c:\jddvd.exec:\jddvd.exe69⤵PID:3512
-
\??\c:\9flfrlr.exec:\9flfrlr.exe70⤵PID:1700
-
\??\c:\9bbbhh.exec:\9bbbhh.exe71⤵PID:3132
-
\??\c:\1ddvp.exec:\1ddvp.exe72⤵PID:3564
-
\??\c:\fxffxff.exec:\fxffxff.exe73⤵PID:3404
-
\??\c:\nhnhbh.exec:\nhnhbh.exe74⤵PID:1956
-
\??\c:\dvjdp.exec:\dvjdp.exe75⤵PID:3604
-
\??\c:\lxfrffx.exec:\lxfrffx.exe76⤵PID:924
-
\??\c:\9hnhbb.exec:\9hnhbb.exe77⤵PID:1884
-
\??\c:\vpvvp.exec:\vpvvp.exe78⤵PID:3452
-
\??\c:\vvjdp.exec:\vvjdp.exe79⤵PID:1796
-
\??\c:\lffxrfx.exec:\lffxrfx.exe80⤵PID:3492
-
\??\c:\3hnnbb.exec:\3hnnbb.exe81⤵PID:4672
-
\??\c:\pppjd.exec:\pppjd.exe82⤵PID:956
-
\??\c:\1lrfxxf.exec:\1lrfxxf.exe83⤵PID:1444
-
\??\c:\btbtht.exec:\btbtht.exe84⤵PID:4348
-
\??\c:\nbntnn.exec:\nbntnn.exe85⤵PID:5108
-
\??\c:\3vdvj.exec:\3vdvj.exe86⤵PID:1600
-
\??\c:\7rlrffx.exec:\7rlrffx.exe87⤵PID:3164
-
\??\c:\lxxxxrl.exec:\lxxxxrl.exe88⤵PID:4224
-
\??\c:\vjpjj.exec:\vjpjj.exe89⤵PID:4092
-
\??\c:\pjpdd.exec:\pjpdd.exe90⤵PID:388
-
\??\c:\rlxrllf.exec:\rlxrllf.exe91⤵PID:2912
-
\??\c:\btttnh.exec:\btttnh.exe92⤵PID:5064
-
\??\c:\dvjdj.exec:\dvjdj.exe93⤵PID:1460
-
\??\c:\frrllll.exec:\frrllll.exe94⤵PID:2684
-
\??\c:\fxrlrrf.exec:\fxrlrrf.exe95⤵PID:2404
-
\??\c:\nbbbtt.exec:\nbbbtt.exe96⤵PID:3932
-
\??\c:\vdjdp.exec:\vdjdp.exe97⤵PID:3388
-
\??\c:\3ffxxxr.exec:\3ffxxxr.exe98⤵PID:432
-
\??\c:\xlllfff.exec:\xlllfff.exe99⤵PID:1836
-
\??\c:\bbbnnh.exec:\bbbnnh.exe100⤵PID:3732
-
\??\c:\1dvvp.exec:\1dvvp.exe101⤵PID:4852
-
\??\c:\vddvd.exec:\vddvd.exe102⤵PID:3900
-
\??\c:\9tbbnt.exec:\9tbbnt.exe103⤵PID:3192
-
\??\c:\tthhtt.exec:\tthhtt.exe104⤵PID:4872
-
\??\c:\ddddv.exec:\ddddv.exe105⤵PID:4936
-
\??\c:\xrrxrll.exec:\xrrxrll.exe106⤵PID:2756
-
\??\c:\bhnnhh.exec:\bhnnhh.exe107⤵PID:4300
-
\??\c:\5jpjd.exec:\5jpjd.exe108⤵PID:3804
-
\??\c:\5jvpp.exec:\5jvpp.exe109⤵PID:3160
-
\??\c:\9xxxxff.exec:\9xxxxff.exe110⤵PID:1572
-
\??\c:\bthbtn.exec:\bthbtn.exe111⤵PID:2320
-
\??\c:\dpppd.exec:\dpppd.exe112⤵PID:2372
-
\??\c:\fflfxxx.exec:\fflfxxx.exe113⤵PID:4480
-
\??\c:\ttnnhh.exec:\ttnnhh.exe114⤵PID:4772
-
\??\c:\jpvvv.exec:\jpvvv.exe115⤵PID:5032
-
\??\c:\3ffxlxr.exec:\3ffxlxr.exe116⤵PID:3924
-
\??\c:\hhnhtt.exec:\hhnhtt.exe117⤵PID:1624
-
\??\c:\ntbbbt.exec:\ntbbbt.exe118⤵PID:3576
-
\??\c:\1pjdd.exec:\1pjdd.exe119⤵PID:4200
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe120⤵PID:952
-
\??\c:\frxrllf.exec:\frxrllf.exe121⤵PID:3084
-
\??\c:\bntnnh.exec:\bntnnh.exe122⤵PID:2676