Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe
-
Size
454KB
-
MD5
a5931e7aba0778a843ed154001c8e704
-
SHA1
ecac23978227958fc9e1e2329b85601fc9175807
-
SHA256
39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66
-
SHA512
2ac24cae18528a7abf42f4606da36c73a17f4a5bfd4939276ed08239809e2011d3bc171a51e368038cdec9f841bec70e214c0b020e550fedae577f94e1b41d59
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1224-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/784-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3952-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2348-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-1094-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-1213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4476-1326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4692 3nttnn.exe 3388 pdpjj.exe 4992 bhtnnh.exe 1496 pjjdv.exe 1728 bbttnn.exe 2084 xflfxxx.exe 1220 bnnnhh.exe 756 rxxrlfx.exe 3544 djppv.exe 4952 htnttn.exe 1312 tntnbt.exe 372 5xxxxfx.exe 2284 vjdvj.exe 5080 xrfxxlf.exe 4192 bnnnhn.exe 784 1rrlffx.exe 4644 btnnhb.exe 3172 pvvpd.exe 3032 xffxxxx.exe 4948 7xrlllf.exe 2608 jppjd.exe 4792 xlrlfrl.exe 2108 nnhhbb.exe 3952 dvvpj.exe 3892 flxrrlr.exe 4908 pvvdv.exe 3444 frrlrlr.exe 5108 7ntthb.exe 5036 7dpjp.exe 404 rfrxrxx.exe 3192 pvvjv.exe 4340 rxrfrlf.exe 4236 vvjdv.exe 336 fxrlfxr.exe 2772 nbbbtn.exe 640 dpvpj.exe 1156 frrffxx.exe 1364 djvdv.exe 3004 xlfrlxr.exe 4996 9tnhbt.exe 3976 9dpjv.exe 2664 xrlxrfx.exe 4144 dvvvd.exe 980 ppvpj.exe 2212 fxfxxxx.exe 4160 1tttnn.exe 2788 9pvpv.exe 5100 jpjvj.exe 4444 xrxrxrx.exe 2336 tthhnb.exe 3096 vjpjj.exe 3944 xxfxfff.exe 1088 bnthbt.exe 956 9jdpj.exe 3920 frrfrrf.exe 1496 9rfrlfx.exe 316 hthhhb.exe 2000 1vpvj.exe 2192 rrrffxr.exe 4536 3tbtnn.exe 1788 pjjjd.exe 1188 frxxrrf.exe 3156 3thbnt.exe 592 dvvpd.exe -
resource yara_rule behavioral2/memory/1224-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/784-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3444-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/592-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-421-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4796-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-917-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btnhb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrxlxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1224 wrote to memory of 4692 1224 39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe 85 PID 1224 wrote to memory of 4692 1224 39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe 85 PID 1224 wrote to memory of 4692 1224 39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe 85 PID 4692 wrote to memory of 3388 4692 3nttnn.exe 86 PID 4692 wrote to memory of 3388 4692 3nttnn.exe 86 PID 4692 wrote to memory of 3388 4692 3nttnn.exe 86 PID 3388 wrote to memory of 4992 3388 pdpjj.exe 87 PID 3388 wrote to memory of 4992 3388 pdpjj.exe 87 PID 3388 wrote to memory of 4992 3388 pdpjj.exe 87 PID 4992 wrote to memory of 1496 4992 bhtnnh.exe 88 PID 4992 wrote to memory of 1496 4992 bhtnnh.exe 88 PID 4992 wrote to memory of 1496 4992 bhtnnh.exe 88 PID 1496 wrote to memory of 1728 1496 pjjdv.exe 89 PID 1496 wrote to memory of 1728 1496 pjjdv.exe 89 PID 1496 wrote to memory of 1728 1496 pjjdv.exe 89 PID 1728 wrote to memory of 2084 1728 bbttnn.exe 90 PID 1728 wrote to memory of 2084 1728 bbttnn.exe 90 PID 1728 wrote to memory of 2084 1728 bbttnn.exe 90 PID 2084 wrote to memory of 1220 2084 xflfxxx.exe 91 PID 2084 wrote to memory of 1220 2084 xflfxxx.exe 91 PID 2084 wrote to memory of 1220 2084 xflfxxx.exe 91 PID 1220 wrote to memory of 756 1220 bnnnhh.exe 92 PID 1220 wrote to memory of 756 1220 bnnnhh.exe 92 PID 1220 wrote to memory of 756 1220 bnnnhh.exe 92 PID 756 wrote to memory of 3544 756 rxxrlfx.exe 93 PID 756 wrote to memory of 3544 756 rxxrlfx.exe 93 PID 756 wrote to memory of 3544 756 rxxrlfx.exe 93 PID 3544 wrote to memory of 4952 3544 djppv.exe 94 PID 3544 wrote to memory of 4952 3544 djppv.exe 94 PID 3544 wrote to memory of 4952 3544 djppv.exe 94 PID 4952 wrote to memory of 1312 4952 htnttn.exe 95 PID 4952 wrote to memory of 1312 4952 htnttn.exe 95 PID 4952 wrote to memory of 1312 4952 htnttn.exe 95 PID 1312 wrote to memory of 372 1312 tntnbt.exe 96 PID 1312 wrote to memory of 372 
1312 tntnbt.exe 96 PID 1312 wrote to memory of 372 1312 tntnbt.exe 96 PID 372 wrote to memory of 2284 372 5xxxxfx.exe 97 PID 372 wrote to memory of 2284 372 5xxxxfx.exe 97 PID 372 wrote to memory of 2284 372 5xxxxfx.exe 97 PID 2284 wrote to memory of 5080 2284 vjdvj.exe 98 PID 2284 wrote to memory of 5080 2284 vjdvj.exe 98 PID 2284 wrote to memory of 5080 2284 vjdvj.exe 98 PID 5080 wrote to memory of 4192 5080 xrfxxlf.exe 99 PID 5080 wrote to memory of 4192 5080 xrfxxlf.exe 99 PID 5080 wrote to memory of 4192 5080 xrfxxlf.exe 99 PID 4192 wrote to memory of 784 4192 bnnnhn.exe 100 PID 4192 wrote to memory of 784 4192 bnnnhn.exe 100 PID 4192 wrote to memory of 784 4192 bnnnhn.exe 100 PID 784 wrote to memory of 4644 784 1rrlffx.exe 101 PID 784 wrote to memory of 4644 784 1rrlffx.exe 101 PID 784 wrote to memory of 4644 784 1rrlffx.exe 101 PID 4644 wrote to memory of 3172 4644 btnnhb.exe 102 PID 4644 wrote to memory of 3172 4644 btnnhb.exe 102 PID 4644 wrote to memory of 3172 4644 btnnhb.exe 102 PID 3172 wrote to memory of 3032 3172 pvvpd.exe 103 PID 3172 wrote to memory of 3032 3172 pvvpd.exe 103 PID 3172 wrote to memory of 3032 3172 pvvpd.exe 103 PID 3032 wrote to memory of 4948 3032 xffxxxx.exe 104 PID 3032 wrote to memory of 4948 3032 xffxxxx.exe 104 PID 3032 wrote to memory of 4948 3032 xffxxxx.exe 104 PID 4948 wrote to memory of 2608 4948 7xrlllf.exe 105 PID 4948 wrote to memory of 2608 4948 7xrlllf.exe 105 PID 4948 wrote to memory of 2608 4948 7xrlllf.exe 105 PID 2608 wrote to memory of 4792 2608 jppjd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe"C:\Users\Admin\AppData\Local\Temp\39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\3nttnn.exec:\3nttnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\pdpjj.exec:\pdpjj.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\bhtnnh.exec:\bhtnnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\pjjdv.exec:\pjjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\bbttnn.exec:\bbttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\xflfxxx.exec:\xflfxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\bnnnhh.exec:\bnnnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\djppv.exec:\djppv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\htnttn.exec:\htnttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\tntnbt.exec:\tntnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\5xxxxfx.exec:\5xxxxfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\vjdvj.exec:\vjdvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\xrfxxlf.exec:\xrfxxlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\bnnnhn.exec:\bnnnhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\1rrlffx.exec:\1rrlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\btnnhb.exec:\btnnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\pvvpd.exec:\pvvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\xffxxxx.exec:\xffxxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\7xrlllf.exec:\7xrlllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\jppjd.exec:\jppjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\xlrlfrl.exec:\xlrlfrl.exe23⤵
- Executes dropped EXE
PID:4792 -
\??\c:\nnhhbb.exec:\nnhhbb.exe24⤵
- Executes dropped EXE
PID:2108 -
\??\c:\dvvpj.exec:\dvvpj.exe25⤵
- Executes dropped EXE
PID:3952 -
\??\c:\flxrrlr.exec:\flxrrlr.exe26⤵
- Executes dropped EXE
PID:3892 -
\??\c:\pvvdv.exec:\pvvdv.exe27⤵
- Executes dropped EXE
PID:4908 -
\??\c:\frrlrlr.exec:\frrlrlr.exe28⤵
- Executes dropped EXE
PID:3444 -
\??\c:\7ntthb.exec:\7ntthb.exe29⤵
- Executes dropped EXE
PID:5108 -
\??\c:\7dpjp.exec:\7dpjp.exe30⤵
- Executes dropped EXE
PID:5036 -
\??\c:\rfrxrxx.exec:\rfrxrxx.exe31⤵
- Executes dropped EXE
PID:404 -
\??\c:\pvvjv.exec:\pvvjv.exe32⤵
- Executes dropped EXE
PID:3192 -
\??\c:\rxrfrlf.exec:\rxrfrlf.exe33⤵
- Executes dropped EXE
PID:4340 -
\??\c:\vvjdv.exec:\vvjdv.exe34⤵
- Executes dropped EXE
PID:4236 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe35⤵
- Executes dropped EXE
PID:336 -
\??\c:\nbbbtn.exec:\nbbbtn.exe36⤵
- Executes dropped EXE
PID:2772 -
\??\c:\dpvpj.exec:\dpvpj.exe37⤵
- Executes dropped EXE
PID:640 -
\??\c:\frrffxx.exec:\frrffxx.exe38⤵
- Executes dropped EXE
PID:1156 -
\??\c:\djvdv.exec:\djvdv.exe39⤵
- Executes dropped EXE
PID:1364 -
\??\c:\xlfrlxr.exec:\xlfrlxr.exe40⤵
- Executes dropped EXE
PID:3004 -
\??\c:\9tnhbt.exec:\9tnhbt.exe41⤵
- Executes dropped EXE
PID:4996 -
\??\c:\9dpjv.exec:\9dpjv.exe42⤵
- Executes dropped EXE
PID:3976 -
\??\c:\xrlxrfx.exec:\xrlxrfx.exe43⤵
- Executes dropped EXE
PID:2664 -
\??\c:\dvvvd.exec:\dvvvd.exe44⤵
- Executes dropped EXE
PID:4144 -
\??\c:\ppvpj.exec:\ppvpj.exe45⤵
- Executes dropped EXE
PID:980 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe46⤵
- Executes dropped EXE
PID:2212 -
\??\c:\1tttnn.exec:\1tttnn.exe47⤵
- Executes dropped EXE
PID:4160 -
\??\c:\9pvpv.exec:\9pvpv.exe48⤵
- Executes dropped EXE
PID:2788 -
\??\c:\jpjvj.exec:\jpjvj.exe49⤵
- Executes dropped EXE
PID:5100 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe50⤵
- Executes dropped EXE
PID:4444 -
\??\c:\tthhnb.exec:\tthhnb.exe51⤵
- Executes dropped EXE
PID:2336 -
\??\c:\vjpjj.exec:\vjpjj.exe52⤵
- Executes dropped EXE
PID:3096 -
\??\c:\xxfxfff.exec:\xxfxfff.exe53⤵
- Executes dropped EXE
PID:3944 -
\??\c:\bnthbt.exec:\bnthbt.exe54⤵
- Executes dropped EXE
PID:1088 -
\??\c:\9jdpj.exec:\9jdpj.exe55⤵
- Executes dropped EXE
PID:956 -
\??\c:\frrfrrf.exec:\frrfrrf.exe56⤵
- Executes dropped EXE
PID:3920 -
\??\c:\9rfrlfx.exec:\9rfrlfx.exe57⤵
- Executes dropped EXE
PID:1496 -
\??\c:\hthhhb.exec:\hthhhb.exe58⤵
- Executes dropped EXE
PID:316 -
\??\c:\1vpvj.exec:\1vpvj.exe59⤵
- Executes dropped EXE
PID:2000 -
\??\c:\rrrffxr.exec:\rrrffxr.exe60⤵
- Executes dropped EXE
PID:2192 -
\??\c:\3tbtnn.exec:\3tbtnn.exe61⤵
- Executes dropped EXE
PID:4536 -
\??\c:\pjjjd.exec:\pjjjd.exe62⤵
- Executes dropped EXE
PID:1788 -
\??\c:\frxxrrf.exec:\frxxrrf.exe63⤵
- Executes dropped EXE
PID:1188 -
\??\c:\3thbnt.exec:\3thbnt.exe64⤵
- Executes dropped EXE
PID:3156 -
\??\c:\dvvpd.exec:\dvvpd.exe65⤵
- Executes dropped EXE
PID:592 -
\??\c:\fffrrll.exec:\fffrrll.exe66⤵PID:212
-
\??\c:\9nhbtt.exec:\9nhbtt.exe67⤵PID:2468
-
\??\c:\jpjdv.exec:\jpjdv.exe68⤵PID:2008
-
\??\c:\lrxrrrl.exec:\lrxrrrl.exe69⤵PID:1020
-
\??\c:\7tnbbh.exec:\7tnbbh.exe70⤵PID:1240
-
\??\c:\pddvv.exec:\pddvv.exe71⤵PID:2348
-
\??\c:\xxxlffr.exec:\xxxlffr.exe72⤵PID:2152
-
\??\c:\nthbbt.exec:\nthbbt.exe73⤵PID:1072
-
\??\c:\dpjdv.exec:\dpjdv.exe74⤵PID:3996
-
\??\c:\vvvvj.exec:\vvvvj.exe75⤵PID:1216
-
\??\c:\7rfllxf.exec:\7rfllxf.exe76⤵PID:1292
-
\??\c:\hbbtnn.exec:\hbbtnn.exe77⤵PID:2400
-
\??\c:\jppjd.exec:\jppjd.exe78⤵PID:2216
-
\??\c:\3lfxxxf.exec:\3lfxxxf.exe79⤵PID:4948
-
\??\c:\3bhbtt.exec:\3bhbtt.exe80⤵PID:2608
-
\??\c:\9pjdv.exec:\9pjdv.exe81⤵PID:1936
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe82⤵PID:4792
-
\??\c:\1bbbtt.exec:\1bbbtt.exe83⤵PID:4888
-
\??\c:\bnnhnh.exec:\bnnhnh.exe84⤵PID:2988
-
\??\c:\ddjdv.exec:\ddjdv.exe85⤵PID:3412
-
\??\c:\frfxllf.exec:\frfxllf.exe86⤵PID:3892
-
\??\c:\rlffxlr.exec:\rlffxlr.exe87⤵PID:4908
-
\??\c:\nbhbhb.exec:\nbhbhb.exe88⤵PID:4324
-
\??\c:\pdjdj.exec:\pdjdj.exe89⤵PID:1916
-
\??\c:\fxrfffl.exec:\fxrfffl.exe90⤵PID:1660
-
\??\c:\nnnnhh.exec:\nnnnhh.exe91⤵PID:4784
-
\??\c:\tthbbt.exec:\tthbbt.exe92⤵PID:5044
-
\??\c:\7jpjp.exec:\7jpjp.exe93⤵PID:2716
-
\??\c:\1xxrlxr.exec:\1xxrlxr.exe94⤵PID:900
-
\??\c:\nhbnnn.exec:\nhbnnn.exe95⤵PID:3384
-
\??\c:\vppjd.exec:\vppjd.exe96⤵PID:4696
-
\??\c:\rxlxlxl.exec:\rxlxlxl.exe97⤵PID:4944
-
\??\c:\tbhbnh.exec:\tbhbnh.exe98⤵PID:4452
-
\??\c:\bhhbnn.exec:\bhhbnn.exe99⤵PID:4148
-
\??\c:\vjvdv.exec:\vjvdv.exe100⤵PID:1076
-
\??\c:\rxffxrl.exec:\rxffxrl.exe101⤵PID:2596
-
\??\c:\bbnnnn.exec:\bbnnnn.exe102⤵PID:1952
-
\??\c:\bnbtnh.exec:\bnbtnh.exe103⤵PID:4996
-
\??\c:\rllfrrl.exec:\rllfrrl.exe104⤵PID:1080
-
\??\c:\9lrlrrx.exec:\9lrlrrx.exe105⤵PID:3916
-
\??\c:\bnnhbt.exec:\bnnhbt.exe106⤵PID:4796
-
\??\c:\pvjjd.exec:\pvjjd.exe107⤵PID:4880
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe108⤵PID:4500
-
\??\c:\xffxrlf.exec:\xffxrlf.exe109⤵PID:4160
-
\??\c:\hnnhtt.exec:\hnnhtt.exe110⤵PID:4040
-
\??\c:\pddpp.exec:\pddpp.exe111⤵PID:4440
-
\??\c:\1rllffl.exec:\1rllffl.exe112⤵PID:744
-
\??\c:\nttnbh.exec:\nttnbh.exe113⤵PID:4524
-
\??\c:\7ddvj.exec:\7ddvj.exe114⤵PID:1596
-
\??\c:\1dddd.exec:\1dddd.exe115⤵PID:3980
-
\??\c:\fxxlffr.exec:\fxxlffr.exe116⤵PID:5056
-
\??\c:\7tnbtn.exec:\7tnbtn.exe117⤵PID:3944
-
\??\c:\bhhtbt.exec:\bhhtbt.exe118⤵PID:4816
-
\??\c:\vjjdp.exec:\vjjdp.exe119⤵PID:2136
-
\??\c:\fxlfxrl.exec:\fxlfxrl.exe120⤵PID:4464
-
\??\c:\thnnhb.exec:\thnnhb.exe121⤵PID:3224
-
\??\c:\bnnbnn.exec:\bnnbnn.exe122⤵PID:4416