Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/01/2025, 09:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe
-
Size
453KB
-
MD5
56a34d40da1706dd668fb0dcd8d7cbf0
-
SHA1
13d1cb7beb81d1b16f13f25fb2448bf137f295ea
-
SHA256
15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680
-
SHA512
022b4a6a996108fdebd79c8def43c71de05225c46482a972da8c3ad2c5ce6c37d0c76b6a979f826f6e4f9a3d3ad77932a6f253ffb20634e2a3b722f768dbeb2e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/972-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4876-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4904-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-921-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-1081-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2608 nbbnnn.exe 4624 jjddv.exe 2428 lfrxxrr.exe 3052 1ffxrff.exe 4616 xfxlffr.exe 3680 dvvpp.exe 2388 bnnnnn.exe 912 xfffxxr.exe 4748 pdddv.exe 2924 tbthhb.exe 5000 thnbtb.exe 2696 5ppjd.exe 808 rxffxxx.exe 752 nhhbbb.exe 5052 jdpjv.exe 4540 frfffrf.exe 1856 nbhhbh.exe 456 pjdvv.exe 4388 llrlrrl.exe 1676 nhtnhb.exe 1288 hbhhbb.exe 3700 jvddd.exe 2972 llrrrfl.exe 3068 1bnttb.exe 4648 xxxxxxr.exe 976 lxlllrx.exe 2452 btbhhn.exe 5044 5dppv.exe 2560 vddvv.exe 4860 lxlfflf.exe 3472 nbhhnt.exe 2516 hthhnn.exe 3828 jjddp.exe 3544 llrrrxl.exe 4108 thttnn.exe 3140 bnbttt.exe 984 jjppp.exe 2312 xlxxxff.exe 3972 rlxffxx.exe 1472 hbtnnn.exe 1112 dvppd.exe 3664 rxxlflf.exe 1456 hhnnnt.exe 4876 dvdvv.exe 4588 pjjjd.exe 4644 flffxrx.exe 4908 hhbttt.exe 3564 djppp.exe 2844 rfxxxff.exe 3080 3hnhbb.exe 3208 xrxxfll.exe 2260 bhbhhn.exe 2480 llrrlll.exe 4700 nbbhbb.exe 4192 jjpjj.exe 4228 thhhnh.exe 212 nhttbh.exe 1148 ddvpj.exe 1476 djpjd.exe 4056 bhbbbh.exe 3108 jdvvv.exe 3892 ffrxflr.exe 1316 dpjjp.exe 3528 btbttt.exe -
resource yara_rule behavioral2/memory/972-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-232-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4908-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2028-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-673-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 972 wrote to memory of 2608 972 15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe 82 PID 972 wrote to memory of 2608 972 15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe 82 PID 972 wrote to memory of 2608 972 15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe 82 PID 2608 wrote to memory of 4624 2608 nbbnnn.exe 83 PID 2608 wrote to memory of 4624 2608 nbbnnn.exe 83 PID 2608 wrote to memory of 4624 2608 nbbnnn.exe 83 PID 4624 wrote to memory of 2428 4624 jjddv.exe 84 PID 4624 wrote to memory of 2428 4624 jjddv.exe 84 PID 4624 wrote to memory of 2428 4624 jjddv.exe 84 PID 2428 wrote to memory of 3052 2428 lfrxxrr.exe 85 PID 2428 wrote to memory of 3052 2428 lfrxxrr.exe 85 PID 2428 wrote to memory of 3052 2428 lfrxxrr.exe 85 PID 3052 wrote to memory of 4616 3052 1ffxrff.exe 86 PID 3052 wrote to memory of 4616 3052 1ffxrff.exe 86 PID 3052 wrote to memory of 4616 3052 1ffxrff.exe 86 PID 4616 wrote to memory of 3680 4616 xfxlffr.exe 87 PID 4616 wrote to memory of 3680 4616 xfxlffr.exe 87 PID 4616 wrote to memory of 3680 4616 xfxlffr.exe 87 PID 3680 wrote to memory of 2388 3680 dvvpp.exe 88 PID 3680 wrote to memory of 2388 3680 dvvpp.exe 88 PID 3680 wrote to memory of 2388 3680 dvvpp.exe 88 PID 2388 wrote to memory of 912 2388 bnnnnn.exe 89 PID 2388 wrote to memory of 912 2388 bnnnnn.exe 89 PID 2388 wrote to memory of 912 2388 bnnnnn.exe 89 PID 912 wrote to memory of 4748 912 xfffxxr.exe 90 PID 912 wrote to memory of 4748 912 xfffxxr.exe 90 PID 912 wrote to memory of 4748 912 xfffxxr.exe 90 PID 4748 wrote to memory of 2924 4748 pdddv.exe 91 PID 4748 wrote to memory of 2924 4748 pdddv.exe 91 PID 4748 wrote to memory of 2924 4748 pdddv.exe 91 PID 2924 wrote to memory of 5000 2924 tbthhb.exe 92 PID 2924 wrote to memory of 5000 2924 tbthhb.exe 92 PID 2924 wrote to memory of 5000 2924 tbthhb.exe 92 PID 5000 wrote to memory of 2696 5000 thnbtb.exe 93 PID 5000 wrote to memory of 
2696 5000 thnbtb.exe 93 PID 5000 wrote to memory of 2696 5000 thnbtb.exe 93 PID 2696 wrote to memory of 808 2696 5ppjd.exe 94 PID 2696 wrote to memory of 808 2696 5ppjd.exe 94 PID 2696 wrote to memory of 808 2696 5ppjd.exe 94 PID 808 wrote to memory of 752 808 rxffxxx.exe 95 PID 808 wrote to memory of 752 808 rxffxxx.exe 95 PID 808 wrote to memory of 752 808 rxffxxx.exe 95 PID 752 wrote to memory of 5052 752 nhhbbb.exe 96 PID 752 wrote to memory of 5052 752 nhhbbb.exe 96 PID 752 wrote to memory of 5052 752 nhhbbb.exe 96 PID 5052 wrote to memory of 4540 5052 jdpjv.exe 97 PID 5052 wrote to memory of 4540 5052 jdpjv.exe 97 PID 5052 wrote to memory of 4540 5052 jdpjv.exe 97 PID 4540 wrote to memory of 1856 4540 frfffrf.exe 98 PID 4540 wrote to memory of 1856 4540 frfffrf.exe 98 PID 4540 wrote to memory of 1856 4540 frfffrf.exe 98 PID 1856 wrote to memory of 456 1856 nbhhbh.exe 99 PID 1856 wrote to memory of 456 1856 nbhhbh.exe 99 PID 1856 wrote to memory of 456 1856 nbhhbh.exe 99 PID 456 wrote to memory of 4388 456 pjdvv.exe 100 PID 456 wrote to memory of 4388 456 pjdvv.exe 100 PID 456 wrote to memory of 4388 456 pjdvv.exe 100 PID 4388 wrote to memory of 1676 4388 llrlrrl.exe 101 PID 4388 wrote to memory of 1676 4388 llrlrrl.exe 101 PID 4388 wrote to memory of 1676 4388 llrlrrl.exe 101 PID 1676 wrote to memory of 1288 1676 nhtnhb.exe 102 PID 1676 wrote to memory of 1288 1676 nhtnhb.exe 102 PID 1676 wrote to memory of 1288 1676 nhtnhb.exe 102 PID 1288 wrote to memory of 3700 1288 hbhhbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe"C:\Users\Admin\AppData\Local\Temp\15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\nbbnnn.exec:\nbbnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\jjddv.exec:\jjddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\lfrxxrr.exec:\lfrxxrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\1ffxrff.exec:\1ffxrff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\xfxlffr.exec:\xfxlffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\dvvpp.exec:\dvvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\bnnnnn.exec:\bnnnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\xfffxxr.exec:\xfffxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\pdddv.exec:\pdddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\tbthhb.exec:\tbthhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\thnbtb.exec:\thnbtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\5ppjd.exec:\5ppjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\rxffxxx.exec:\rxffxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\nhhbbb.exec:\nhhbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\jdpjv.exec:\jdpjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\frfffrf.exec:\frfffrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\nbhhbh.exec:\nbhhbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\pjdvv.exec:\pjdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\llrlrrl.exec:\llrlrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\nhtnhb.exec:\nhtnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\hbhhbb.exec:\hbhhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\jvddd.exec:\jvddd.exe23⤵
- Executes dropped EXE
PID:3700 -
\??\c:\llrrrfl.exec:\llrrrfl.exe24⤵
- Executes dropped EXE
PID:2972 -
\??\c:\1bnttb.exec:\1bnttb.exe25⤵
- Executes dropped EXE
PID:3068 -
\??\c:\xxxxxxr.exec:\xxxxxxr.exe26⤵
- Executes dropped EXE
PID:4648 -
\??\c:\lxlllrx.exec:\lxlllrx.exe27⤵
- Executes dropped EXE
PID:976 -
\??\c:\btbhhn.exec:\btbhhn.exe28⤵
- Executes dropped EXE
PID:2452 -
\??\c:\5dppv.exec:\5dppv.exe29⤵
- Executes dropped EXE
PID:5044 -
\??\c:\vddvv.exec:\vddvv.exe30⤵
- Executes dropped EXE
PID:2560 -
\??\c:\lxlfflf.exec:\lxlfflf.exe31⤵
- Executes dropped EXE
PID:4860 -
\??\c:\nbhhnt.exec:\nbhhnt.exe32⤵
- Executes dropped EXE
PID:3472 -
\??\c:\hthhnn.exec:\hthhnn.exe33⤵
- Executes dropped EXE
PID:2516 -
\??\c:\jjddp.exec:\jjddp.exe34⤵
- Executes dropped EXE
PID:3828 -
\??\c:\llrrrxl.exec:\llrrrxl.exe35⤵
- Executes dropped EXE
PID:3544 -
\??\c:\thttnn.exec:\thttnn.exe36⤵
- Executes dropped EXE
PID:4108 -
\??\c:\bnbttt.exec:\bnbttt.exe37⤵
- Executes dropped EXE
PID:3140 -
\??\c:\jjppp.exec:\jjppp.exe38⤵
- Executes dropped EXE
PID:984 -
\??\c:\xlxxxff.exec:\xlxxxff.exe39⤵
- Executes dropped EXE
PID:2312 -
\??\c:\rlxffxx.exec:\rlxffxx.exe40⤵
- Executes dropped EXE
PID:3972 -
\??\c:\hbtnnn.exec:\hbtnnn.exe41⤵
- Executes dropped EXE
PID:1472 -
\??\c:\dvppd.exec:\dvppd.exe42⤵
- Executes dropped EXE
PID:1112 -
\??\c:\rxxlflf.exec:\rxxlflf.exe43⤵
- Executes dropped EXE
PID:3664 -
\??\c:\hhnnnt.exec:\hhnnnt.exe44⤵
- Executes dropped EXE
PID:1456 -
\??\c:\dvdvv.exec:\dvdvv.exe45⤵
- Executes dropped EXE
PID:4876 -
\??\c:\pjjjd.exec:\pjjjd.exe46⤵
- Executes dropped EXE
PID:4588 -
\??\c:\flffxrx.exec:\flffxrx.exe47⤵
- Executes dropped EXE
PID:4644 -
\??\c:\hhbttt.exec:\hhbttt.exe48⤵
- Executes dropped EXE
PID:4908 -
\??\c:\djppp.exec:\djppp.exe49⤵
- Executes dropped EXE
PID:3564 -
\??\c:\rfxxxff.exec:\rfxxxff.exe50⤵
- Executes dropped EXE
PID:2844 -
\??\c:\3hnhbb.exec:\3hnhbb.exe51⤵
- Executes dropped EXE
PID:3080 -
\??\c:\xrxxfll.exec:\xrxxfll.exe52⤵
- Executes dropped EXE
PID:3208 -
\??\c:\bhbhhn.exec:\bhbhhn.exe53⤵
- Executes dropped EXE
PID:2260 -
\??\c:\llrrlll.exec:\llrrlll.exe54⤵
- Executes dropped EXE
PID:2480 -
\??\c:\nbbhbb.exec:\nbbhbb.exe55⤵
- Executes dropped EXE
PID:4700 -
\??\c:\jjpjj.exec:\jjpjj.exe56⤵
- Executes dropped EXE
PID:4192 -
\??\c:\thhhnh.exec:\thhhnh.exe57⤵
- Executes dropped EXE
PID:4228 -
\??\c:\hbbttt.exec:\hbbttt.exe58⤵PID:1268
-
\??\c:\nhttbh.exec:\nhttbh.exe59⤵
- Executes dropped EXE
PID:212 -
\??\c:\ddvpj.exec:\ddvpj.exe60⤵
- Executes dropped EXE
PID:1148 -
\??\c:\djpjd.exec:\djpjd.exe61⤵
- Executes dropped EXE
PID:1476 -
\??\c:\bhbbbh.exec:\bhbbbh.exe62⤵
- Executes dropped EXE
PID:4056 -
\??\c:\jdvvv.exec:\jdvvv.exe63⤵
- Executes dropped EXE
PID:3108 -
\??\c:\ffrxflr.exec:\ffrxflr.exe64⤵
- Executes dropped EXE
PID:3892 -
\??\c:\dpjjp.exec:\dpjjp.exe65⤵
- Executes dropped EXE
PID:1316 -
\??\c:\btbttt.exec:\btbttt.exe66⤵
- Executes dropped EXE
PID:3528 -
\??\c:\tbhhtb.exec:\tbhhtb.exe67⤵PID:3464
-
\??\c:\pppdd.exec:\pppdd.exe68⤵PID:384
-
\??\c:\lxrlflf.exec:\lxrlflf.exe69⤵PID:4904
-
\??\c:\3thnnt.exec:\3thnnt.exe70⤵PID:404
-
\??\c:\xrrrrxr.exec:\xrrrrxr.exe71⤵PID:4484
-
\??\c:\fxlffff.exec:\fxlffff.exe72⤵PID:1840
-
\??\c:\nttnnn.exec:\nttnnn.exe73⤵PID:2412
-
\??\c:\1dpjd.exec:\1dpjd.exe74⤵PID:1356
-
\??\c:\frxrlfx.exec:\frxrlfx.exe75⤵PID:4640
-
\??\c:\bhhhtb.exec:\bhhhtb.exe76⤵PID:2132
-
\??\c:\dpvjj.exec:\dpvjj.exe77⤵PID:3400
-
\??\c:\xlrlfxx.exec:\xlrlfxx.exe78⤵PID:4488
-
\??\c:\3nttnn.exec:\3nttnn.exe79⤵PID:2028
-
\??\c:\7nhhbh.exec:\7nhhbh.exe80⤵PID:468
-
\??\c:\rlrrxlr.exec:\rlrrxlr.exe81⤵PID:4436
-
\??\c:\7llfxrl.exec:\7llfxrl.exe82⤵PID:4420
-
\??\c:\pvvjd.exec:\pvvjd.exe83⤵PID:1960
-
\??\c:\pjvvv.exec:\pjvvv.exe84⤵PID:3496
-
\??\c:\rrfllrr.exec:\rrfllrr.exe85⤵PID:1676
-
\??\c:\nnhhhh.exec:\nnhhhh.exe86⤵PID:2600
-
\??\c:\vdvjv.exec:\vdvjv.exe87⤵PID:3296
-
\??\c:\xrlrlfl.exec:\xrlrlfl.exe88⤵PID:740
-
\??\c:\ttnhht.exec:\ttnhht.exe89⤵PID:3332
-
\??\c:\xlffffr.exec:\xlffffr.exe90⤵PID:1380
-
\??\c:\tbnbnh.exec:\tbnbnh.exe91⤵PID:1932
-
\??\c:\thnhbb.exec:\thnhbb.exe92⤵PID:2928
-
\??\c:\pjpjv.exec:\pjpjv.exe93⤵PID:3976
-
\??\c:\flrrrxx.exec:\flrrrxx.exe94⤵PID:4772
-
\??\c:\tnhntn.exec:\tnhntn.exe95⤵PID:5028
-
\??\c:\vjdvj.exec:\vjdvj.exe96⤵PID:2584
-
\??\c:\fxxrrll.exec:\fxxrrll.exe97⤵PID:3076
-
\??\c:\nnnbtn.exec:\nnnbtn.exe98⤵PID:3828
-
\??\c:\ddpjd.exec:\ddpjd.exe99⤵PID:3544
-
\??\c:\fllfrrl.exec:\fllfrrl.exe100⤵PID:4108
-
\??\c:\btbnhb.exec:\btbnhb.exe101⤵PID:1168
-
\??\c:\9tnnbb.exec:\9tnnbb.exe102⤵PID:4808
-
\??\c:\vpvpd.exec:\vpvpd.exe103⤵PID:852
-
\??\c:\xfrlffx.exec:\xfrlffx.exe104⤵PID:1600
-
\??\c:\lflfxxx.exec:\lflfxxx.exe105⤵PID:4316
-
\??\c:\jdjdp.exec:\jdjdp.exe106⤵PID:3056
-
\??\c:\jdjdj.exec:\jdjdj.exe107⤵PID:5012
-
\??\c:\ffrlxlf.exec:\ffrlxlf.exe108⤵PID:976
-
\??\c:\nnbttn.exec:\nnbttn.exe109⤵PID:1736
-
\??\c:\thbnbn.exec:\thbnbn.exe110⤵PID:1672
-
\??\c:\lxfxxll.exec:\lxfxxll.exe111⤵PID:1952
-
\??\c:\5bhhnt.exec:\5bhhnt.exe112⤵PID:3128
-
\??\c:\ttbnhh.exec:\ttbnhh.exe113⤵PID:440
-
\??\c:\1jjjj.exec:\1jjjj.exe114⤵PID:4472
-
\??\c:\xxllllf.exec:\xxllllf.exe115⤵PID:4008
-
\??\c:\nttnbt.exec:\nttnbt.exe116⤵PID:4724
-
\??\c:\ppvvv.exec:\ppvvv.exe117⤵PID:3564
-
\??\c:\jjppj.exec:\jjppj.exe118⤵PID:2844
-
\??\c:\flxxlll.exec:\flxxlll.exe119⤵PID:2128
-
\??\c:\bhnhbt.exec:\bhnhbt.exe120⤵PID:2684
-
\??\c:\pjvpd.exec:\pjvpd.exe121⤵PID:4296
-
\??\c:\vppvj.exec:\vppvj.exe122⤵PID:4288