Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/01/2025, 07:21
Static task
static1
1 signature
Behavioral task
behavioral1 (the Windows 7 run; note that the signature hits and memory dumps listed below are tagged behavioral2, i.e. they come from the win10v2004-20241007-en run described at the top of this report)
Sample
d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe
-
Size
456KB
-
MD5
ef09ba38d3b0b56618358100d8201a9b
-
SHA1
6f33ed6529f7fbd1d1fc9941de5e608c33815539
-
SHA256
d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4
-
SHA512
fa1685bc9b1c8f85b4348f05058ee734c5e9c970bff03b4a9e7154a0a8cda04acf5a32c324be3196af7364f2125766973b96d7f78e83654ca4c58d753e5c3784
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRy:q7Tc2NYHUrAwfMp3CDRy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4636-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4804-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4280-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-889-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-1052-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-1119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (caveat: PIDs are recycled during this run — 4636 is both the original sample and the later pvdpj.exe, and 4876, 4296 and 1224 reappear as different images — so correlate on process lineage and start time rather than on PID alone)
pid Process 4612 pjjdv.exe 4876 bnnnnt.exe 3348 9xlllrl.exe 464 lrxxllf.exe 4296 jvjjj.exe 3848 xxfffrr.exe 3640 dvdvv.exe 3192 rrxrlll.exe 1224 fxlflfx.exe 4816 3vdvp.exe 3148 rlfxrlf.exe 4280 xxfxrrr.exe 920 vpppj.exe 2948 xlrlfxx.exe 2968 1bbhbh.exe 3248 lflffff.exe 2660 hnhbtn.exe 1456 jvjdv.exe 2104 5tbtnn.exe 528 9ddvv.exe 3108 pvdvp.exe 4196 ffffffl.exe 1768 1ttnnn.exe 1144 lrfxxlx.exe 3352 tbhbtn.exe 4804 nthbbb.exe 2472 5vddv.exe 4104 ddjdd.exe 4120 3pvvv.exe 3512 5rrlxxf.exe 2992 fxxrllf.exe 4112 dpvpj.exe 860 llrxxxx.exe 1664 thnhbt.exe 732 5pvpp.exe 3080 xfxrlff.exe 4920 nbhhbb.exe 2940 tbnttt.exe 592 djvpj.exe 224 1vpjv.exe 4040 rlfrrfx.exe 60 rrffllr.exe 5036 tnhbtn.exe 3632 pvdpj.exe 3976 rrxlxrf.exe 2456 ntnnhh.exe 4940 pppdv.exe 1388 fxxxrrl.exe 2772 htttnh.exe 4408 dpvpd.exe 4636 pvdpj.exe 4784 xlrrrfl.exe 4492 nbhtnh.exe 4876 5ppjd.exe 3648 flfxxxx.exe 2648 thtnhh.exe 2432 jdvpj.exe 4372 xxfxxrr.exe 4296 3bhtnn.exe 4452 jjjdd.exe 2404 djvvp.exe 3056 rlfxxrr.exe 2292 bbbbtt.exe 2428 vjpdv.exe -
resource yara_rule behavioral2/memory/4612-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1144-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/592-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-304-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4280-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-606-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (via the NLS\Language registry key) in order to infer its geographical location. Reading this key is also common in benign software, so treat it as supporting evidence alongside the Blackmoon and UPX memory matches rather than as a standalone indicator.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xllfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each entry is a parent writing three times into the child it has just spawned; before treating this as injection or hollowing, compare the dumped 0x400000-0x42A000 region of a child against its on-disk image, since a packed loader setting up its own child produces the same trace)
description pid Process procid_target PID 4636 wrote to memory of 4612 4636 d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe 82 PID 4636 wrote to memory of 4612 4636 d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe 82 PID 4636 wrote to memory of 4612 4636 d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe 82 PID 4612 wrote to memory of 4876 4612 pjjdv.exe 83 PID 4612 wrote to memory of 4876 4612 pjjdv.exe 83 PID 4612 wrote to memory of 4876 4612 pjjdv.exe 83 PID 4876 wrote to memory of 3348 4876 bnnnnt.exe 84 PID 4876 wrote to memory of 3348 4876 bnnnnt.exe 84 PID 4876 wrote to memory of 3348 4876 bnnnnt.exe 84 PID 3348 wrote to memory of 464 3348 9xlllrl.exe 85 PID 3348 wrote to memory of 464 3348 9xlllrl.exe 85 PID 3348 wrote to memory of 464 3348 9xlllrl.exe 85 PID 464 wrote to memory of 4296 464 lrxxllf.exe 86 PID 464 wrote to memory of 4296 464 lrxxllf.exe 86 PID 464 wrote to memory of 4296 464 lrxxllf.exe 86 PID 4296 wrote to memory of 3848 4296 jvjjj.exe 87 PID 4296 wrote to memory of 3848 4296 jvjjj.exe 87 PID 4296 wrote to memory of 3848 4296 jvjjj.exe 87 PID 3848 wrote to memory of 3640 3848 xxfffrr.exe 88 PID 3848 wrote to memory of 3640 3848 xxfffrr.exe 88 PID 3848 wrote to memory of 3640 3848 xxfffrr.exe 88 PID 3640 wrote to memory of 3192 3640 dvdvv.exe 89 PID 3640 wrote to memory of 3192 3640 dvdvv.exe 89 PID 3640 wrote to memory of 3192 3640 dvdvv.exe 89 PID 3192 wrote to memory of 1224 3192 rrxrlll.exe 90 PID 3192 wrote to memory of 1224 3192 rrxrlll.exe 90 PID 3192 wrote to memory of 1224 3192 rrxrlll.exe 90 PID 1224 wrote to memory of 4816 1224 fxlflfx.exe 91 PID 1224 wrote to memory of 4816 1224 fxlflfx.exe 91 PID 1224 wrote to memory of 4816 1224 fxlflfx.exe 91 PID 4816 wrote to memory of 3148 4816 3vdvp.exe 92 PID 4816 wrote to memory of 3148 4816 3vdvp.exe 92 PID 4816 wrote to memory of 3148 4816 3vdvp.exe 92 PID 3148 wrote to memory of 4280 3148 rlfxrlf.exe 93 PID 3148 wrote to memory 
of 4280 3148 rlfxrlf.exe 93 PID 3148 wrote to memory of 4280 3148 rlfxrlf.exe 93 PID 4280 wrote to memory of 920 4280 xxfxrrr.exe 94 PID 4280 wrote to memory of 920 4280 xxfxrrr.exe 94 PID 4280 wrote to memory of 920 4280 xxfxrrr.exe 94 PID 920 wrote to memory of 2948 920 vpppj.exe 95 PID 920 wrote to memory of 2948 920 vpppj.exe 95 PID 920 wrote to memory of 2948 920 vpppj.exe 95 PID 2948 wrote to memory of 2968 2948 xlrlfxx.exe 96 PID 2948 wrote to memory of 2968 2948 xlrlfxx.exe 96 PID 2948 wrote to memory of 2968 2948 xlrlfxx.exe 96 PID 2968 wrote to memory of 3248 2968 1bbhbh.exe 97 PID 2968 wrote to memory of 3248 2968 1bbhbh.exe 97 PID 2968 wrote to memory of 3248 2968 1bbhbh.exe 97 PID 3248 wrote to memory of 2660 3248 lflffff.exe 98 PID 3248 wrote to memory of 2660 3248 lflffff.exe 98 PID 3248 wrote to memory of 2660 3248 lflffff.exe 98 PID 2660 wrote to memory of 1456 2660 hnhbtn.exe 99 PID 2660 wrote to memory of 1456 2660 hnhbtn.exe 99 PID 2660 wrote to memory of 1456 2660 hnhbtn.exe 99 PID 1456 wrote to memory of 2104 1456 jvjdv.exe 100 PID 1456 wrote to memory of 2104 1456 jvjdv.exe 100 PID 1456 wrote to memory of 2104 1456 jvjdv.exe 100 PID 2104 wrote to memory of 528 2104 5tbtnn.exe 101 PID 2104 wrote to memory of 528 2104 5tbtnn.exe 101 PID 2104 wrote to memory of 528 2104 5tbtnn.exe 101 PID 528 wrote to memory of 3108 528 9ddvv.exe 102 PID 528 wrote to memory of 3108 528 9ddvv.exe 102 PID 528 wrote to memory of 3108 528 9ddvv.exe 102 PID 3108 wrote to memory of 4196 3108 pvdvp.exe 103
Processes (each stage drops the next executable directly into the root of C:\ under a short consonant-only name and launches it; the chain reaches depth 122 within the 120 s window — executables created in the C:\ root with names of this shape are a useful hunting artifact)
-
C:\Users\Admin\AppData\Local\Temp\d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe"C:\Users\Admin\AppData\Local\Temp\d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\pjjdv.exec:\pjjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\bnnnnt.exec:\bnnnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\9xlllrl.exec:\9xlllrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\lrxxllf.exec:\lrxxllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\jvjjj.exec:\jvjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\xxfffrr.exec:\xxfffrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\dvdvv.exec:\dvdvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\rrxrlll.exec:\rrxrlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\fxlflfx.exec:\fxlflfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\3vdvp.exec:\3vdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\xxfxrrr.exec:\xxfxrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\vpppj.exec:\vpppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\xlrlfxx.exec:\xlrlfxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\1bbhbh.exec:\1bbhbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\lflffff.exec:\lflffff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\hnhbtn.exec:\hnhbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\jvjdv.exec:\jvjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\5tbtnn.exec:\5tbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\9ddvv.exec:\9ddvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\pvdvp.exec:\pvdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\ffffffl.exec:\ffffffl.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4196 -
\??\c:\1ttnnn.exec:\1ttnnn.exe24⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lrfxxlx.exec:\lrfxxlx.exe25⤵
- Executes dropped EXE
PID:1144 -
\??\c:\tbhbtn.exec:\tbhbtn.exe26⤵
- Executes dropped EXE
PID:3352 -
\??\c:\nthbbb.exec:\nthbbb.exe27⤵
- Executes dropped EXE
PID:4804 -
\??\c:\5vddv.exec:\5vddv.exe28⤵
- Executes dropped EXE
PID:2472 -
\??\c:\ddjdd.exec:\ddjdd.exe29⤵
- Executes dropped EXE
PID:4104 -
\??\c:\3pvvv.exec:\3pvvv.exe30⤵
- Executes dropped EXE
PID:4120 -
\??\c:\5rrlxxf.exec:\5rrlxxf.exe31⤵
- Executes dropped EXE
PID:3512 -
\??\c:\fxxrllf.exec:\fxxrllf.exe32⤵
- Executes dropped EXE
PID:2992 -
\??\c:\dpvpj.exec:\dpvpj.exe33⤵
- Executes dropped EXE
PID:4112 -
\??\c:\llrxxxx.exec:\llrxxxx.exe34⤵
- Executes dropped EXE
PID:860 -
\??\c:\thnhbt.exec:\thnhbt.exe35⤵
- Executes dropped EXE
PID:1664 -
\??\c:\5pvpp.exec:\5pvpp.exe36⤵
- Executes dropped EXE
PID:732 -
\??\c:\xfxrlff.exec:\xfxrlff.exe37⤵
- Executes dropped EXE
PID:3080 -
\??\c:\nbhhbb.exec:\nbhhbb.exe38⤵
- Executes dropped EXE
PID:4920 -
\??\c:\tbnttt.exec:\tbnttt.exe39⤵
- Executes dropped EXE
PID:2940 -
\??\c:\djvpj.exec:\djvpj.exe40⤵
- Executes dropped EXE
PID:592 -
\??\c:\1vpjv.exec:\1vpjv.exe41⤵
- Executes dropped EXE
PID:224 -
\??\c:\rlfrrfx.exec:\rlfrrfx.exe42⤵
- Executes dropped EXE
PID:4040 -
\??\c:\rrffllr.exec:\rrffllr.exe43⤵
- Executes dropped EXE
PID:60 -
\??\c:\tnhbtn.exec:\tnhbtn.exe44⤵
- Executes dropped EXE
PID:5036 -
\??\c:\pvdpj.exec:\pvdpj.exe45⤵
- Executes dropped EXE
PID:3632 -
\??\c:\rrxlxrf.exec:\rrxlxrf.exe46⤵
- Executes dropped EXE
PID:3976 -
\??\c:\ntnnhh.exec:\ntnnhh.exe47⤵
- Executes dropped EXE
PID:2456 -
\??\c:\pppdv.exec:\pppdv.exe48⤵
- Executes dropped EXE
PID:4940 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe49⤵
- Executes dropped EXE
PID:1388 -
\??\c:\htttnh.exec:\htttnh.exe50⤵
- Executes dropped EXE
PID:2772 -
\??\c:\dpvpd.exec:\dpvpd.exe51⤵
- Executes dropped EXE
PID:4408 -
\??\c:\pvdpj.exec:\pvdpj.exe52⤵
- Executes dropped EXE
PID:4636 -
\??\c:\xlrrrfl.exec:\xlrrrfl.exe53⤵
- Executes dropped EXE
PID:4784 -
\??\c:\nbhtnh.exec:\nbhtnh.exe54⤵
- Executes dropped EXE
PID:4492 -
\??\c:\5ppjd.exec:\5ppjd.exe55⤵
- Executes dropped EXE
PID:4876 -
\??\c:\flfxxxx.exec:\flfxxxx.exe56⤵
- Executes dropped EXE
PID:3648 -
\??\c:\thtnhh.exec:\thtnhh.exe57⤵
- Executes dropped EXE
PID:2648 -
\??\c:\jdvpj.exec:\jdvpj.exe58⤵
- Executes dropped EXE
PID:2432 -
\??\c:\xxfxxrr.exec:\xxfxxrr.exe59⤵
- Executes dropped EXE
PID:4372 -
\??\c:\3bhtnn.exec:\3bhtnn.exe60⤵
- Executes dropped EXE
PID:4296 -
\??\c:\jjjdd.exec:\jjjdd.exe61⤵
- Executes dropped EXE
PID:4452 -
\??\c:\djvvp.exec:\djvvp.exe62⤵
- Executes dropped EXE
PID:2404 -
\??\c:\rlfxxrr.exec:\rlfxxrr.exe63⤵
- Executes dropped EXE
PID:3056 -
\??\c:\bbbbtt.exec:\bbbbtt.exe64⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vjpdv.exec:\vjpdv.exe65⤵
- Executes dropped EXE
PID:2428 -
\??\c:\1lfrlrl.exec:\1lfrlrl.exe66⤵PID:1224
-
\??\c:\nnhhbb.exec:\nnhhbb.exe67⤵PID:4008
-
\??\c:\5pvvp.exec:\5pvvp.exe68⤵PID:2108
-
\??\c:\5flfxfl.exec:\5flfxfl.exe69⤵PID:1384
-
\??\c:\hbbthb.exec:\hbbthb.exe70⤵PID:2796
-
\??\c:\jdvpp.exec:\jdvpp.exe71⤵PID:4280
-
\??\c:\xxrffff.exec:\xxrffff.exe72⤵PID:4796
-
\??\c:\nttthb.exec:\nttthb.exe73⤵PID:2952
-
\??\c:\nhnhbt.exec:\nhnhbt.exe74⤵PID:656
-
\??\c:\jjdvp.exec:\jjdvp.exe75⤵PID:2376
-
\??\c:\lfrffrx.exec:\lfrffrx.exe76⤵PID:3476
-
\??\c:\nnnnhb.exec:\nnnnhb.exe77⤵PID:408
-
\??\c:\hbhhbb.exec:\hbhhbb.exe78⤵PID:4100
-
\??\c:\dppjd.exec:\dppjd.exe79⤵PID:1456
-
\??\c:\xxfxlrl.exec:\xxfxlrl.exe80⤵PID:2104
-
\??\c:\fflflfl.exec:\fflflfl.exe81⤵PID:528
-
\??\c:\htttbt.exec:\htttbt.exe82⤵PID:3668
-
\??\c:\jpvpj.exec:\jpvpj.exe83⤵PID:4176
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe84⤵PID:1716
-
\??\c:\nnbtbh.exec:\nnbtbh.exe85⤵PID:2452
-
\??\c:\bttnhb.exec:\bttnhb.exe86⤵PID:4828
-
\??\c:\vppjd.exec:\vppjd.exe87⤵PID:4652
-
\??\c:\fxlrrlf.exec:\fxlrrlf.exe88⤵PID:3920
-
\??\c:\tnbtbt.exec:\tnbtbt.exe89⤵PID:3800
-
\??\c:\dpjdv.exec:\dpjdv.exe90⤵PID:2184
-
\??\c:\lxfxrxr.exec:\lxfxrxr.exe91⤵PID:1412
-
\??\c:\nnhbtn.exec:\nnhbtn.exe92⤵PID:2436
-
\??\c:\vvvjj.exec:\vvvjj.exe93⤵PID:2004
-
\??\c:\rrrrfff.exec:\rrrrfff.exe94⤵PID:1352
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe95⤵PID:228
-
\??\c:\ntbhth.exec:\ntbhth.exe96⤵PID:5092
-
\??\c:\3jpjv.exec:\3jpjv.exe97⤵PID:3460
-
\??\c:\pppjj.exec:\pppjj.exe98⤵PID:860
-
\??\c:\rrrllll.exec:\rrrllll.exe99⤵PID:3136
-
\??\c:\hbbthh.exec:\hbbthh.exe100⤵PID:1604
-
\??\c:\7ddvv.exec:\7ddvv.exe101⤵PID:4544
-
\??\c:\1rfxffl.exec:\1rfxffl.exe102⤵PID:3016
-
\??\c:\5nnhhh.exec:\5nnhhh.exe103⤵PID:2392
-
\??\c:\dpjpd.exec:\dpjpd.exe104⤵PID:1420
-
\??\c:\rrxxfxl.exec:\rrxxfxl.exe105⤵PID:5112
-
\??\c:\rrlffff.exec:\rrlffff.exe106⤵PID:2524
-
\??\c:\jppjd.exec:\jppjd.exe107⤵PID:2872
-
\??\c:\7lffffx.exec:\7lffffx.exe108⤵PID:1912
-
\??\c:\xrfffff.exec:\xrfffff.exe109⤵PID:3524
-
\??\c:\htnnhb.exec:\htnnhb.exe110⤵PID:2308
-
\??\c:\3dvpp.exec:\3dvpp.exe111⤵PID:1656
-
\??\c:\lllxrlf.exec:\lllxrlf.exe112⤵PID:4400
-
\??\c:\fxrxllx.exec:\fxrxllx.exe113⤵PID:3708
-
\??\c:\bnbtnn.exec:\bnbtnn.exe114⤵PID:4940
-
\??\c:\jvvpd.exec:\jvvpd.exe115⤵PID:4456
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe116⤵PID:5048
-
\??\c:\hbhbbt.exec:\hbhbbt.exe117⤵PID:2552
-
\??\c:\hbnhbb.exec:\hbnhbb.exe118⤵PID:4564
-
\??\c:\jpjdd.exec:\jpjdd.exe119⤵PID:628
-
\??\c:\lxlllrx.exec:\lxlllrx.exe120⤵PID:2920
-
\??\c:\fxxfxrx.exec:\fxxfxrx.exe121⤵PID:3828
-
\??\c:\hhtnth.exec:\hhtnth.exe122⤵PID:4860