Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe
-
Size
456KB
-
MD5
c314a6af750bbbba8917583ff80eb4e3
-
SHA1
710e13ae554efc2c8ae7c23cc3a8887b08940648
-
SHA256
830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6
-
SHA512
152a854844b6c89e3295777a3fc05a067714a2fbeb24cd87cc0f66123abe23ab5aa2a94dda63c5325efd5d0e918bce1509565176dc20ff4dcf36cb6ccd786840
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRC:q7Tc2NYHUrAwfMp3CDRC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3816-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3320-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5084-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-928-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-1238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2388 tnbtnn.exe 916 ffrrxrx.exe 4012 pjvvd.exe 4340 lxxrrlr.exe 2912 rrxxfxf.exe 452 jvjjj.exe 4988 tbbttn.exe 4460 pjvpv.exe 3924 vvdvd.exe 3784 rrxrrff.exe 2136 vvjvd.exe 4596 3jjdv.exe 184 hhntbb.exe 1288 9jppj.exe 1868 dpvpj.exe 4276 lxflfxr.exe 3772 5hnhhh.exe 2000 jjjdv.exe 1856 5lffxxr.exe 4324 frxlflf.exe 3060 nbnhbt.exe 4372 hthtnn.exe 3420 dvdvp.exe 2596 xrxrrll.exe 2536 lflfxrl.exe 3564 bbhbbt.exe 2056 ppdvv.exe 2972 9vvpd.exe 3704 llffxxr.exe 4780 fllrxrr.exe 1924 bnttnn.exe 2432 jvvpd.exe 2308 1flffff.exe 3300 flxrlfx.exe 728 5nnbtt.exe 4592 nbhhbb.exe 2184 1jvvv.exe 1628 lffxllf.exe 4064 fxfxllf.exe 1960 nbbhtt.exe 1568 dpdvp.exe 3728 5pvpj.exe 3320 lfffxrr.exe 4428 9ttbtb.exe 4784 9nnhhb.exe 1276 jddvv.exe 3260 rrxxfff.exe 1796 xlrlfxr.exe 4992 5bhbbb.exe 1976 hntnnh.exe 4476 9pdvp.exe 3064 7lrlfxr.exe 4848 xrrlfxf.exe 1168 hbhbbn.exe 1732 dpvpp.exe 3432 9ppdv.exe 4504 rllflfr.exe 1384 btnhbt.exe 3680 nhhbbb.exe 4568 rlxfxxx.exe 4920 ntnnhh.exe 676 9vvvp.exe 4844 3jpjj.exe 5084 ffllfff.exe -
resource yara_rule behavioral2/memory/3816-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-229-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3728-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-319-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4460-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-782-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3816 wrote to memory of 2388 3816 830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe 82 PID 3816 wrote to memory of 2388 3816 830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe 82 PID 3816 wrote to memory of 2388 3816 830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe 82 PID 2388 wrote to memory of 916 2388 tnbtnn.exe 83 PID 2388 wrote to memory of 916 2388 tnbtnn.exe 83 PID 2388 wrote to memory of 916 2388 tnbtnn.exe 83 PID 916 wrote to memory of 4012 916 ffrrxrx.exe 84 PID 916 wrote to memory of 4012 916 ffrrxrx.exe 84 PID 916 wrote to memory of 4012 916 ffrrxrx.exe 84 PID 4012 wrote to memory of 4340 4012 pjvvd.exe 85 PID 4012 wrote to memory of 4340 4012 pjvvd.exe 85 PID 4012 wrote to memory of 4340 4012 pjvvd.exe 85 PID 4340 wrote to memory of 2912 4340 lxxrrlr.exe 86 PID 4340 wrote to memory of 2912 4340 lxxrrlr.exe 86 PID 4340 wrote to memory of 2912 4340 lxxrrlr.exe 86 PID 2912 wrote to memory of 452 2912 rrxxfxf.exe 87 PID 2912 wrote to memory of 452 2912 rrxxfxf.exe 87 PID 2912 wrote to memory of 452 2912 rrxxfxf.exe 87 PID 452 wrote to memory of 4988 452 jvjjj.exe 88 PID 452 wrote to memory of 4988 452 jvjjj.exe 88 PID 452 wrote to memory of 4988 452 jvjjj.exe 88 PID 4988 wrote to memory of 4460 4988 tbbttn.exe 89 PID 4988 wrote to memory of 4460 4988 tbbttn.exe 89 PID 4988 wrote to memory of 4460 4988 tbbttn.exe 89 PID 4460 wrote to memory of 3924 4460 pjvpv.exe 90 PID 4460 wrote to memory of 3924 4460 pjvpv.exe 90 PID 4460 wrote to memory of 3924 4460 pjvpv.exe 90 PID 3924 wrote to memory of 3784 3924 vvdvd.exe 91 PID 3924 wrote to memory of 3784 3924 vvdvd.exe 91 PID 3924 wrote to memory of 3784 3924 vvdvd.exe 91 PID 3784 wrote to memory of 2136 3784 rrxrrff.exe 92 PID 3784 wrote to memory of 2136 3784 rrxrrff.exe 92 PID 3784 wrote to memory of 2136 3784 rrxrrff.exe 92 PID 2136 wrote to memory of 4596 2136 vvjvd.exe 93 PID 2136 wrote to memory of 4596 2136 
vvjvd.exe 93 PID 2136 wrote to memory of 4596 2136 vvjvd.exe 93 PID 4596 wrote to memory of 184 4596 3jjdv.exe 94 PID 4596 wrote to memory of 184 4596 3jjdv.exe 94 PID 4596 wrote to memory of 184 4596 3jjdv.exe 94 PID 184 wrote to memory of 1288 184 hhntbb.exe 95 PID 184 wrote to memory of 1288 184 hhntbb.exe 95 PID 184 wrote to memory of 1288 184 hhntbb.exe 95 PID 1288 wrote to memory of 1868 1288 9jppj.exe 96 PID 1288 wrote to memory of 1868 1288 9jppj.exe 96 PID 1288 wrote to memory of 1868 1288 9jppj.exe 96 PID 1868 wrote to memory of 4276 1868 dpvpj.exe 97 PID 1868 wrote to memory of 4276 1868 dpvpj.exe 97 PID 1868 wrote to memory of 4276 1868 dpvpj.exe 97 PID 4276 wrote to memory of 3772 4276 lxflfxr.exe 98 PID 4276 wrote to memory of 3772 4276 lxflfxr.exe 98 PID 4276 wrote to memory of 3772 4276 lxflfxr.exe 98 PID 3772 wrote to memory of 2000 3772 5hnhhh.exe 99 PID 3772 wrote to memory of 2000 3772 5hnhhh.exe 99 PID 3772 wrote to memory of 2000 3772 5hnhhh.exe 99 PID 2000 wrote to memory of 1856 2000 jjjdv.exe 100 PID 2000 wrote to memory of 1856 2000 jjjdv.exe 100 PID 2000 wrote to memory of 1856 2000 jjjdv.exe 100 PID 1856 wrote to memory of 4324 1856 5lffxxr.exe 101 PID 1856 wrote to memory of 4324 1856 5lffxxr.exe 101 PID 1856 wrote to memory of 4324 1856 5lffxxr.exe 101 PID 4324 wrote to memory of 3060 4324 frxlflf.exe 102 PID 4324 wrote to memory of 3060 4324 frxlflf.exe 102 PID 4324 wrote to memory of 3060 4324 frxlflf.exe 102 PID 3060 wrote to memory of 4372 3060 nbnhbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe"C:\Users\Admin\AppData\Local\Temp\830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\tnbtnn.exec:\tnbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\ffrrxrx.exec:\ffrrxrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\pjvvd.exec:\pjvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\lxxrrlr.exec:\lxxrrlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\rrxxfxf.exec:\rrxxfxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\jvjjj.exec:\jvjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\tbbttn.exec:\tbbttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\pjvpv.exec:\pjvpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\vvdvd.exec:\vvdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\rrxrrff.exec:\rrxrrff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\vvjvd.exec:\vvjvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\3jjdv.exec:\3jjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\hhntbb.exec:\hhntbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\9jppj.exec:\9jppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\dpvpj.exec:\dpvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\lxflfxr.exec:\lxflfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\5hnhhh.exec:\5hnhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\jjjdv.exec:\jjjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\5lffxxr.exec:\5lffxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\frxlflf.exec:\frxlflf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\nbnhbt.exec:\nbnhbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\hthtnn.exec:\hthtnn.exe23⤵
- Executes dropped EXE
PID:4372 -
\??\c:\dvdvp.exec:\dvdvp.exe24⤵
- Executes dropped EXE
PID:3420 -
\??\c:\xrxrrll.exec:\xrxrrll.exe25⤵
- Executes dropped EXE
PID:2596 -
\??\c:\lflfxrl.exec:\lflfxrl.exe26⤵
- Executes dropped EXE
PID:2536 -
\??\c:\bbhbbt.exec:\bbhbbt.exe27⤵
- Executes dropped EXE
PID:3564 -
\??\c:\ppdvv.exec:\ppdvv.exe28⤵
- Executes dropped EXE
PID:2056 -
\??\c:\9vvpd.exec:\9vvpd.exe29⤵
- Executes dropped EXE
PID:2972 -
\??\c:\llffxxr.exec:\llffxxr.exe30⤵
- Executes dropped EXE
PID:3704 -
\??\c:\fllrxrr.exec:\fllrxrr.exe31⤵
- Executes dropped EXE
PID:4780 -
\??\c:\bnttnn.exec:\bnttnn.exe32⤵
- Executes dropped EXE
PID:1924 -
\??\c:\jvvpd.exec:\jvvpd.exe33⤵
- Executes dropped EXE
PID:2432 -
\??\c:\1flffff.exec:\1flffff.exe34⤵
- Executes dropped EXE
PID:2308 -
\??\c:\flxrlfx.exec:\flxrlfx.exe35⤵
- Executes dropped EXE
PID:3300 -
\??\c:\5nnbtt.exec:\5nnbtt.exe36⤵
- Executes dropped EXE
PID:728 -
\??\c:\nbhhbb.exec:\nbhhbb.exe37⤵
- Executes dropped EXE
PID:4592 -
\??\c:\1jvvv.exec:\1jvvv.exe38⤵
- Executes dropped EXE
PID:2184 -
\??\c:\lffxllf.exec:\lffxllf.exe39⤵
- Executes dropped EXE
PID:1628 -
\??\c:\fxfxllf.exec:\fxfxllf.exe40⤵
- Executes dropped EXE
PID:4064 -
\??\c:\nbbhtt.exec:\nbbhtt.exe41⤵
- Executes dropped EXE
PID:1960 -
\??\c:\dpdvp.exec:\dpdvp.exe42⤵
- Executes dropped EXE
PID:1568 -
\??\c:\5pvpj.exec:\5pvpj.exe43⤵
- Executes dropped EXE
PID:3728 -
\??\c:\lfffxrr.exec:\lfffxrr.exe44⤵
- Executes dropped EXE
PID:3320 -
\??\c:\9ttbtb.exec:\9ttbtb.exe45⤵
- Executes dropped EXE
PID:4428 -
\??\c:\9nnhhb.exec:\9nnhhb.exe46⤵
- Executes dropped EXE
PID:4784 -
\??\c:\jddvv.exec:\jddvv.exe47⤵
- Executes dropped EXE
PID:1276 -
\??\c:\rrxxfff.exec:\rrxxfff.exe48⤵
- Executes dropped EXE
PID:3260 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe49⤵
- Executes dropped EXE
PID:1796 -
\??\c:\5bhbbb.exec:\5bhbbb.exe50⤵
- Executes dropped EXE
PID:4992 -
\??\c:\hntnnh.exec:\hntnnh.exe51⤵
- Executes dropped EXE
PID:1976 -
\??\c:\9pdvp.exec:\9pdvp.exe52⤵
- Executes dropped EXE
PID:4476 -
\??\c:\7lrlfxr.exec:\7lrlfxr.exe53⤵
- Executes dropped EXE
PID:3064 -
\??\c:\xrrlfxf.exec:\xrrlfxf.exe54⤵
- Executes dropped EXE
PID:4848 -
\??\c:\hbhbbn.exec:\hbhbbn.exe55⤵
- Executes dropped EXE
PID:1168 -
\??\c:\dpvpp.exec:\dpvpp.exe56⤵
- Executes dropped EXE
PID:1732 -
\??\c:\9ppdv.exec:\9ppdv.exe57⤵
- Executes dropped EXE
PID:3432 -
\??\c:\rllflfr.exec:\rllflfr.exe58⤵
- Executes dropped EXE
PID:4504 -
\??\c:\btnhbt.exec:\btnhbt.exe59⤵
- Executes dropped EXE
PID:1384 -
\??\c:\nhhbbb.exec:\nhhbbb.exe60⤵
- Executes dropped EXE
PID:3680 -
\??\c:\rlxfxxx.exec:\rlxfxxx.exe61⤵
- Executes dropped EXE
PID:4568 -
\??\c:\ntnnhh.exec:\ntnnhh.exe62⤵
- Executes dropped EXE
PID:4920 -
\??\c:\9vvvp.exec:\9vvvp.exe63⤵
- Executes dropped EXE
PID:676 -
\??\c:\3jpjj.exec:\3jpjj.exe64⤵
- Executes dropped EXE
PID:4844 -
\??\c:\ffllfff.exec:\ffllfff.exe65⤵
- Executes dropped EXE
PID:5084 -
\??\c:\nbhttn.exec:\nbhttn.exe66⤵PID:2956
-
\??\c:\dppdv.exec:\dppdv.exe67⤵PID:2576
-
\??\c:\xxfxffl.exec:\xxfxffl.exe68⤵PID:4808
-
\??\c:\tnbtbb.exec:\tnbtbb.exe69⤵PID:4124
-
\??\c:\hbbbht.exec:\hbbbht.exe70⤵PID:4564
-
\??\c:\hhnnhh.exec:\hhnnhh.exe71⤵PID:4460
-
\??\c:\hbbtnh.exec:\hbbtnh.exe72⤵PID:3436
-
\??\c:\pvvpj.exec:\pvvpj.exe73⤵PID:4220
-
\??\c:\jdvdd.exec:\jdvdd.exe74⤵PID:2500
-
\??\c:\xrrxrlf.exec:\xrrxrlf.exe75⤵PID:2108
-
\??\c:\5hhttt.exec:\5hhttt.exe76⤵PID:2160
-
\??\c:\tnnhbb.exec:\tnnhbb.exe77⤵PID:428
-
\??\c:\thhbtn.exec:\thhbtn.exe78⤵PID:4188
-
\??\c:\nntntt.exec:\nntntt.exe79⤵PID:4112
-
\??\c:\ddddv.exec:\ddddv.exe80⤵PID:4616
-
\??\c:\frxxrrr.exec:\frxxrrr.exe81⤵PID:1964
-
\??\c:\9hnhhb.exec:\9hnhhb.exe82⤵PID:1892
-
\??\c:\dpdvp.exec:\dpdvp.exe83⤵PID:4244
-
\??\c:\ppdvp.exec:\ppdvp.exe84⤵PID:1612
-
\??\c:\5rxlxxl.exec:\5rxlxxl.exe85⤵PID:3616
-
\??\c:\1ttnhb.exec:\1ttnhb.exe86⤵PID:624
-
\??\c:\jjppv.exec:\jjppv.exe87⤵PID:3536
-
\??\c:\jpvdv.exec:\jpvdv.exe88⤵PID:2536
-
\??\c:\fxlflfl.exec:\fxlflfl.exe89⤵PID:3852
-
\??\c:\tnbttt.exec:\tnbttt.exe90⤵PID:2056
-
\??\c:\ppvvd.exec:\ppvvd.exe91⤵PID:3704
-
\??\c:\3vdpj.exec:\3vdpj.exe92⤵PID:2784
-
\??\c:\lrxxllf.exec:\lrxxllf.exe93⤵PID:2408
-
\??\c:\thnnhb.exec:\thnnhb.exe94⤵PID:940
-
\??\c:\thhnhh.exec:\thhnhh.exe95⤵PID:1256
-
\??\c:\pjvvd.exec:\pjvvd.exe96⤵PID:3452
-
\??\c:\rxxlflf.exec:\rxxlflf.exe97⤵PID:3684
-
\??\c:\3hnhnh.exec:\3hnhnh.exe98⤵PID:3676
-
\??\c:\ttbthh.exec:\ttbthh.exe99⤵PID:4336
-
\??\c:\jddvd.exec:\jddvd.exe100⤵PID:1064
-
\??\c:\rlrrrxr.exec:\rlrrrxr.exe101⤵PID:4148
-
\??\c:\bbnhnn.exec:\bbnhnn.exe102⤵PID:1636
-
\??\c:\7tttnn.exec:\7tttnn.exe103⤵PID:1972
-
\??\c:\pvjdv.exec:\pvjdv.exe104⤵PID:736
-
\??\c:\9rrrlfx.exec:\9rrrlfx.exe105⤵PID:3580
-
\??\c:\3bhbtb.exec:\3bhbtb.exe106⤵PID:3276
-
\??\c:\jdpjv.exec:\jdpjv.exe107⤵PID:1464
-
\??\c:\3djjd.exec:\3djjd.exe108⤵PID:1276
-
\??\c:\fxxrlfr.exec:\fxxrlfr.exe109⤵PID:1616
-
\??\c:\nhnnht.exec:\nhnnht.exe110⤵PID:1052
-
\??\c:\9jpjd.exec:\9jpjd.exe111⤵PID:1876
-
\??\c:\frlxrlf.exec:\frlxrlf.exe112⤵PID:1244
-
\??\c:\nnttnn.exec:\nnttnn.exe113⤵PID:3360
-
\??\c:\ttttnh.exec:\ttttnh.exe114⤵PID:3064
-
\??\c:\jddvd.exec:\jddvd.exe115⤵PID:2640
-
\??\c:\9flllll.exec:\9flllll.exe116⤵PID:4532
-
\??\c:\bhthbn.exec:\bhthbn.exe117⤵PID:4408
-
\??\c:\dpppj.exec:\dpppj.exe118⤵PID:1732
-
\??\c:\5djdp.exec:\5djdp.exe119⤵PID:2112
-
\??\c:\rlfxllf.exec:\rlfxllf.exe120⤵PID:3208
-
\??\c:\9nbntb.exec:\9nbntb.exe121⤵PID:1212
-
\??\c:\jpvpj.exec:\jpvpj.exe122⤵PID:4964