Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 02:41
Behavioral task
behavioral1
Sample
9f0c69760c2084a1f8bb92b2157e9100587d645debda1380110884c5dc03f765.exe
Resource
win7-20240903-en (note: this header lists the behavioral1 / Windows 7 task, but every IoC and the process tree below are tagged behavioral2 and belong to the Windows 10 run named under Analysis — win10v2004-20241007-en)
General
-
Target
9f0c69760c2084a1f8bb92b2157e9100587d645debda1380110884c5dc03f765.exe
-
Size
332KB
-
MD5
4f001bc4c63a08351734145733b510fe
-
SHA1
4e1c3d7f0dab71dc6f9125de4d7d0ac35668cd3f
-
SHA256
9f0c69760c2084a1f8bb92b2157e9100587d645debda1380110884c5dc03f765
-
SHA512
9d321b019eee1549c80bb21c31b902427be69f1ad0f913ce918c6d53ba3d347f3499fcff05dc869c0c1600a9410d05b70141b5bc68e6a215a5e10f3e0506e248
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tj:94wFHoStJdSjylh2b77BoTMA9gX59sT7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs — the family_blackmoon yara rule matches the same mapped image region (0x00400000–0x00427000) in every process of the chain, which is consistent with each dropped executable being another copy of the same payload rather than a distinct second stage.
Processes:
resource yara_rule behavioral2/memory/5108-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3880-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/460-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/988-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1152-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1208-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1172-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3380-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1888-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3724-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2968-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4104-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2456-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1776-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2604-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3848-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3848-488-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2684-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/888-563-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-566-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-577-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-600-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2520-705-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/856-1326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — each dropped executable is written to the root of C:\ (e.g. \??\c:\vpvdd.exe) under a short consonant-only name and launches the next one, forming a linear process chain more than 120 levels deep in this run; the C:\ root drop location and the naming pattern are the most usable detection indicators here. Caution when correlating with the memory-dump IoCs: PIDs are reused within the run (e.g. 2020 appears as rllrfxf.exe and later as nhnhbb.exe; 4176 as 5vddj.exe and later xrxxlll.exe), so key on PID together with the numeric index in the dump name (4176-96 vs 4176-265), not PID alone.
Processes:
vpvdd.exebhttbh.exeddvvv.exerllrfxf.exerfrrlrl.exetnbbhn.exejpvvv.exerrxxxxx.exejpdjj.exevdjjj.exexxrxfxx.exexrrrrff.exethnntt.exefxfrxfx.exebbnnhh.exehhbbbh.exehbnnnt.exe5vddj.exetnnhnn.exelxxxxlx.exehbbttt.exerrfxlxf.exerrfxfxf.exejppdv.exe1hhbtt.exevdvvv.exefffxrfx.exehhhbtt.exenhnnhh.exevpjvv.exejpppj.exefrrflfx.exedjvvv.exe9vdvp.exevpjjd.exerlrrlff.exexxxrllf.exedvvvv.exelxxrllf.exehbbnbt.exejdjdp.exerlrlxxr.exetnnnhh.exedppjj.exepjdjp.exerffllll.exefrfxflr.exettnttt.exedvvpd.exelrxfllr.exebnttnt.exepdpvd.exerflfrlf.exebtbnhb.exepvvpd.exefxfxlll.exelxfxllf.exenhnhbb.exettnhtt.exevjpvp.exelrrlxxr.exethbtnt.exenbtbth.exejvjdd.exepid Process 2920 vpvdd.exe 2116 bhttbh.exe 3880 ddvvv.exe 2020 rllrfxf.exe 1292 rfrrlrl.exe 32 tnbbhn.exe 3560 jpvvv.exe 460 rrxxxxx.exe 2260 jpdjj.exe 3108 vdjjj.exe 3576 xxrxfxx.exe 1092 xrrrrff.exe 4928 thnntt.exe 3076 fxfrxfx.exe 988 bbnnhh.exe 3984 hhbbbh.exe 3052 hbnnnt.exe 4176 5vddj.exe 392 tnnhnn.exe 2692 lxxxxlx.exe 1152 hbbttt.exe 3928 rrfxlxf.exe 3272 rrfxfxf.exe 4896 jppdv.exe 2392 1hhbtt.exe 1036 vdvvv.exe 3752 fffxrfx.exe 3336 hhhbtt.exe 4248 nhnnhh.exe 1208 vpjvv.exe 1280 jpppj.exe 1172 frrflfx.exe 3480 djvvv.exe 1872 9vdvp.exe 940 vpjjd.exe 3380 rlrrlff.exe 2824 xxxrllf.exe 2176 dvvvv.exe 1888 lxxrllf.exe 2528 hbbnbt.exe 4772 jdjdp.exe 3724 rlrlxxr.exe 1340 tnnnhh.exe 4640 dppjj.exe 1520 pjdjp.exe 2864 rffllll.exe 4184 frfxflr.exe 2540 ttnttt.exe 4976 dvvpd.exe 4536 lrxfllr.exe 3904 bnttnt.exe 740 pdpvd.exe 4984 rflfrlf.exe 2116 btbnhb.exe 5048 pvvpd.exe 4864 fxfxlll.exe 4164 lxfxllf.exe 2020 nhnhbb.exe 4052 ttnhtt.exe 3728 vjpvp.exe 4588 lrrlxxr.exe 1148 thbtnt.exe 2872 nbtbth.exe 4816 jvjdd.exe -
Processes: (signature heading missing from this extract — the `upx` yara tag on each file and memory entry below indicates a UPX packer match on the dropped executables and on their mapped image regions)
resource yara_rule behavioral2/memory/5108-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b35-3.dat upx behavioral2/memory/5108-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2920-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b8e-10.dat upx behavioral2/memory/2116-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-11.dat upx behavioral2/memory/3880-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-19.dat upx behavioral2/memory/2020-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-24.dat upx behavioral2/memory/2020-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-29.dat upx behavioral2/memory/1292-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-34.dat upx behavioral2/memory/32-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9c-41.dat upx behavioral2/memory/3560-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-44.dat upx behavioral2/memory/460-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2260-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9e-50.dat upx behavioral2/files/0x000a000000023b9f-54.dat upx behavioral2/memory/3108-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba0-59.dat upx behavioral2/memory/3576-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba1-64.dat upx behavioral2/memory/1092-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4928-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba2-69.dat upx 
behavioral2/memory/3076-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba3-75.dat upx behavioral2/memory/988-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba4-81.dat upx behavioral2/files/0x000a000000023ba5-85.dat upx behavioral2/memory/3984-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b93-89.dat upx behavioral2/memory/3052-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4176-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba6-95.dat upx behavioral2/files/0x000a000000023ba8-99.dat upx behavioral2/memory/392-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba9-104.dat upx behavioral2/memory/2692-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baa-109.dat upx behavioral2/files/0x000a000000023bab-115.dat upx behavioral2/memory/1152-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bac-118.dat upx behavioral2/memory/4896-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bad-124.dat upx behavioral2/files/0x000a000000023bae-128.dat upx behavioral2/memory/1036-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baf-132.dat upx behavioral2/files/0x000a000000023bb0-136.dat upx behavioral2/memory/3336-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4248-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bb2-146.dat upx behavioral2/files/0x000a000000023bb1-142.dat upx behavioral2/files/0x000b000000023bb3-150.dat upx behavioral2/memory/1208-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bb4-155.dat upx behavioral2/memory/1172-159-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/3380-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2824-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). In this run the behaviour is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables. Many legitimate programs read this key, so on its own it is a weak indicator; its significance here is that the read is performed by the dropped chain, not the registry access itself.
Processes:
bthbbb.exethtttb.exexxrxfxx.exeddjjj.exethttnt.exexxxfxfx.exehbnnnn.exepjddj.exejvjjd.exexfxrllf.exerlrrlff.exehbhhnn.exe3rxrrxr.exefflffff.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs — every entry below is a parent writing into the memory of the child it has just spawned (e.g. 5108 → 2920 vpvdd.exe, 2920 → 2116 bhttbh.exe), logged three times per child. This pattern appears to be the writes that accompany creation of the next link in the chain rather than injection into an unrelated process; treat it as a chained-execution indicator, not as evidence of classic process injection, unless a write to a non-child PID is present.
Processes:
9f0c69760c2084a1f8bb92b2157e9100587d645debda1380110884c5dc03f765.exevpvdd.exebhttbh.exeddvvv.exerllrfxf.exerfrrlrl.exetnbbhn.exejpvvv.exerrxxxxx.exejpdjj.exevdjjj.exexxrxfxx.exexrrrrff.exethnntt.exefxfrxfx.exebbnnhh.exehhbbbh.exehbnnnt.exe5vddj.exetnnhnn.exelxxxxlx.exehbbttt.exedescription pid Process procid_target PID 5108 wrote to memory of 2920 5108 9f0c69760c2084a1f8bb92b2157e9100587d645debda1380110884c5dc03f765.exe 82 PID 5108 wrote to memory of 2920 5108 9f0c69760c2084a1f8bb92b2157e9100587d645debda1380110884c5dc03f765.exe 82 PID 5108 wrote to memory of 2920 5108 9f0c69760c2084a1f8bb92b2157e9100587d645debda1380110884c5dc03f765.exe 82 PID 2920 wrote to memory of 2116 2920 vpvdd.exe 83 PID 2920 wrote to memory of 2116 2920 vpvdd.exe 83 PID 2920 wrote to memory of 2116 2920 vpvdd.exe 83 PID 2116 wrote to memory of 3880 2116 bhttbh.exe 84 PID 2116 wrote to memory of 3880 2116 bhttbh.exe 84 PID 2116 wrote to memory of 3880 2116 bhttbh.exe 84 PID 3880 wrote to memory of 2020 3880 ddvvv.exe 85 PID 3880 wrote to memory of 2020 3880 ddvvv.exe 85 PID 3880 wrote to memory of 2020 3880 ddvvv.exe 85 PID 2020 wrote to memory of 1292 2020 rllrfxf.exe 86 PID 2020 wrote to memory of 1292 2020 rllrfxf.exe 86 PID 2020 wrote to memory of 1292 2020 rllrfxf.exe 86 PID 1292 wrote to memory of 32 1292 rfrrlrl.exe 87 PID 1292 wrote to memory of 32 1292 rfrrlrl.exe 87 PID 1292 wrote to memory of 32 1292 rfrrlrl.exe 87 PID 32 wrote to memory of 3560 32 tnbbhn.exe 88 PID 32 wrote to memory of 3560 32 tnbbhn.exe 88 PID 32 wrote to memory of 3560 32 tnbbhn.exe 88 PID 3560 wrote to memory of 460 3560 jpvvv.exe 89 PID 3560 wrote to memory of 460 3560 jpvvv.exe 89 PID 3560 wrote to memory of 460 3560 jpvvv.exe 89 PID 460 wrote to memory of 2260 460 rrxxxxx.exe 90 PID 460 wrote to memory of 2260 460 rrxxxxx.exe 90 PID 460 wrote to memory of 2260 460 rrxxxxx.exe 90 PID 2260 wrote to memory of 3108 2260 jpdjj.exe 91 PID 2260 wrote to memory of 3108 2260 jpdjj.exe 91 PID 2260 wrote to memory of 
3108 2260 jpdjj.exe 91 PID 3108 wrote to memory of 3576 3108 vdjjj.exe 92 PID 3108 wrote to memory of 3576 3108 vdjjj.exe 92 PID 3108 wrote to memory of 3576 3108 vdjjj.exe 92 PID 3576 wrote to memory of 1092 3576 xxrxfxx.exe 93 PID 3576 wrote to memory of 1092 3576 xxrxfxx.exe 93 PID 3576 wrote to memory of 1092 3576 xxrxfxx.exe 93 PID 1092 wrote to memory of 4928 1092 xrrrrff.exe 94 PID 1092 wrote to memory of 4928 1092 xrrrrff.exe 94 PID 1092 wrote to memory of 4928 1092 xrrrrff.exe 94 PID 4928 wrote to memory of 3076 4928 thnntt.exe 95 PID 4928 wrote to memory of 3076 4928 thnntt.exe 95 PID 4928 wrote to memory of 3076 4928 thnntt.exe 95 PID 3076 wrote to memory of 988 3076 fxfrxfx.exe 96 PID 3076 wrote to memory of 988 3076 fxfrxfx.exe 96 PID 3076 wrote to memory of 988 3076 fxfrxfx.exe 96 PID 988 wrote to memory of 3984 988 bbnnhh.exe 97 PID 988 wrote to memory of 3984 988 bbnnhh.exe 97 PID 988 wrote to memory of 3984 988 bbnnhh.exe 97 PID 3984 wrote to memory of 3052 3984 hhbbbh.exe 98 PID 3984 wrote to memory of 3052 3984 hhbbbh.exe 98 PID 3984 wrote to memory of 3052 3984 hhbbbh.exe 98 PID 3052 wrote to memory of 4176 3052 hbnnnt.exe 99 PID 3052 wrote to memory of 4176 3052 hbnnnt.exe 99 PID 3052 wrote to memory of 4176 3052 hbnnnt.exe 99 PID 4176 wrote to memory of 392 4176 5vddj.exe 100 PID 4176 wrote to memory of 392 4176 5vddj.exe 100 PID 4176 wrote to memory of 392 4176 5vddj.exe 100 PID 392 wrote to memory of 2692 392 tnnhnn.exe 101 PID 392 wrote to memory of 2692 392 tnnhnn.exe 101 PID 392 wrote to memory of 2692 392 tnnhnn.exe 101 PID 2692 wrote to memory of 1152 2692 lxxxxlx.exe 102 PID 2692 wrote to memory of 1152 2692 lxxxxlx.exe 102 PID 2692 wrote to memory of 1152 2692 lxxxxlx.exe 102 PID 1152 wrote to memory of 3928 1152 hbbttt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f0c69760c2084a1f8bb92b2157e9100587d645debda1380110884c5dc03f765.exe"C:\Users\Admin\AppData\Local\Temp\9f0c69760c2084a1f8bb92b2157e9100587d645debda1380110884c5dc03f765.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\vpvdd.exec:\vpvdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\bhttbh.exec:\bhttbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\ddvvv.exec:\ddvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\rllrfxf.exec:\rllrfxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\rfrrlrl.exec:\rfrrlrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\tnbbhn.exec:\tnbbhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\jpvvv.exec:\jpvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\jpdjj.exec:\jpdjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\vdjjj.exec:\vdjjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\xxrxfxx.exec:\xxrxfxx.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\xrrrrff.exec:\xrrrrff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\thnntt.exec:\thnntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\fxfrxfx.exec:\fxfrxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\bbnnhh.exec:\bbnnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\hhbbbh.exec:\hhbbbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\hbnnnt.exec:\hbnnnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\5vddj.exec:\5vddj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\tnnhnn.exec:\tnnhnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\lxxxxlx.exec:\lxxxxlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\hbbttt.exec:\hbbttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\rrfxlxf.exec:\rrfxlxf.exe23⤵
- Executes dropped EXE
PID:3928 -
\??\c:\rrfxfxf.exec:\rrfxfxf.exe24⤵
- Executes dropped EXE
PID:3272 -
\??\c:\jppdv.exec:\jppdv.exe25⤵
- Executes dropped EXE
PID:4896 -
\??\c:\1hhbtt.exec:\1hhbtt.exe26⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vdvvv.exec:\vdvvv.exe27⤵
- Executes dropped EXE
PID:1036 -
\??\c:\fffxrfx.exec:\fffxrfx.exe28⤵
- Executes dropped EXE
PID:3752 -
\??\c:\hhhbtt.exec:\hhhbtt.exe29⤵
- Executes dropped EXE
PID:3336 -
\??\c:\nhnnhh.exec:\nhnnhh.exe30⤵
- Executes dropped EXE
PID:4248 -
\??\c:\vpjvv.exec:\vpjvv.exe31⤵
- Executes dropped EXE
PID:1208 -
\??\c:\jpppj.exec:\jpppj.exe32⤵
- Executes dropped EXE
PID:1280 -
\??\c:\frrflfx.exec:\frrflfx.exe33⤵
- Executes dropped EXE
PID:1172 -
\??\c:\djvvv.exec:\djvvv.exe34⤵
- Executes dropped EXE
PID:3480 -
\??\c:\9vdvp.exec:\9vdvp.exe35⤵
- Executes dropped EXE
PID:1872 -
\??\c:\vpjjd.exec:\vpjjd.exe36⤵
- Executes dropped EXE
PID:940 -
\??\c:\rlrrlff.exec:\rlrrlff.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3380 -
\??\c:\xxxrllf.exec:\xxxrllf.exe38⤵
- Executes dropped EXE
PID:2824 -
\??\c:\dvvvv.exec:\dvvvv.exe39⤵
- Executes dropped EXE
PID:2176 -
\??\c:\lxxrllf.exec:\lxxrllf.exe40⤵
- Executes dropped EXE
PID:1888 -
\??\c:\hbbnbt.exec:\hbbnbt.exe41⤵
- Executes dropped EXE
PID:2528 -
\??\c:\jdjdp.exec:\jdjdp.exe42⤵
- Executes dropped EXE
PID:4772 -
\??\c:\rlrlxxr.exec:\rlrlxxr.exe43⤵
- Executes dropped EXE
PID:3724 -
\??\c:\tnnnhh.exec:\tnnnhh.exe44⤵
- Executes dropped EXE
PID:1340 -
\??\c:\dppjj.exec:\dppjj.exe45⤵
- Executes dropped EXE
PID:4640 -
\??\c:\pjdjp.exec:\pjdjp.exe46⤵
- Executes dropped EXE
PID:1520 -
\??\c:\rffllll.exec:\rffllll.exe47⤵
- Executes dropped EXE
PID:2864 -
\??\c:\frfxflr.exec:\frfxflr.exe48⤵
- Executes dropped EXE
PID:4184 -
\??\c:\ttnttt.exec:\ttnttt.exe49⤵
- Executes dropped EXE
PID:2540 -
\??\c:\dvvpd.exec:\dvvpd.exe50⤵
- Executes dropped EXE
PID:4976 -
\??\c:\lrxfllr.exec:\lrxfllr.exe51⤵
- Executes dropped EXE
PID:4536 -
\??\c:\rrfxrrf.exec:\rrfxrrf.exe52⤵PID:4384
-
\??\c:\bnttnt.exec:\bnttnt.exe53⤵
- Executes dropped EXE
PID:3904 -
\??\c:\pdpvd.exec:\pdpvd.exe54⤵
- Executes dropped EXE
PID:740 -
\??\c:\rflfrlf.exec:\rflfrlf.exe55⤵
- Executes dropped EXE
PID:4984 -
\??\c:\btbnhb.exec:\btbnhb.exe56⤵
- Executes dropped EXE
PID:2116 -
\??\c:\pvvpd.exec:\pvvpd.exe57⤵
- Executes dropped EXE
PID:5048 -
\??\c:\fxfxlll.exec:\fxfxlll.exe58⤵
- Executes dropped EXE
PID:4864 -
\??\c:\lxfxllf.exec:\lxfxllf.exe59⤵
- Executes dropped EXE
PID:4164 -
\??\c:\nhnhbb.exec:\nhnhbb.exe60⤵
- Executes dropped EXE
PID:2020 -
\??\c:\ttnhtt.exec:\ttnhtt.exe61⤵
- Executes dropped EXE
PID:4052 -
\??\c:\vjpvp.exec:\vjpvp.exe62⤵
- Executes dropped EXE
PID:3728 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe63⤵
- Executes dropped EXE
PID:4588 -
\??\c:\thbtnt.exec:\thbtnt.exe64⤵
- Executes dropped EXE
PID:1148 -
\??\c:\nbtbth.exec:\nbtbth.exe65⤵
- Executes dropped EXE
PID:2872 -
\??\c:\jvjdd.exec:\jvjdd.exe66⤵
- Executes dropped EXE
PID:4816 -
\??\c:\pppjp.exec:\pppjp.exe67⤵PID:2968
-
\??\c:\xfxrllf.exec:\xfxrllf.exe68⤵
- System Location Discovery: System Language Discovery
PID:4292 -
\??\c:\hhttnt.exec:\hhttnt.exe69⤵PID:4024
-
\??\c:\ddpjd.exec:\ddpjd.exe70⤵PID:1500
-
\??\c:\dvvpj.exec:\dvvpj.exe71⤵PID:5112
-
\??\c:\xrxrxxf.exec:\xrxrxxf.exe72⤵PID:4196
-
\??\c:\bnbbbb.exec:\bnbbbb.exe73⤵PID:4932
-
\??\c:\hnnthb.exec:\hnnthb.exe74⤵PID:4464
-
\??\c:\vvvjd.exec:\vvvjd.exe75⤵PID:4876
-
\??\c:\7fxrlfx.exec:\7fxrlfx.exe76⤵PID:4104
-
\??\c:\lxrlffx.exec:\lxrlffx.exe77⤵PID:2024
-
\??\c:\bbtntt.exec:\bbtntt.exe78⤵PID:220
-
\??\c:\pvjjj.exec:\pvjjj.exe79⤵PID:2924
-
\??\c:\xrxxlll.exec:\xrxxlll.exe80⤵PID:4176
-
\??\c:\bbnnhn.exec:\bbnnhn.exe81⤵PID:1616
-
\??\c:\vjdvv.exec:\vjdvv.exe82⤵PID:2456
-
\??\c:\jddjv.exec:\jddjv.exe83⤵PID:1776
-
\??\c:\rlrlxfx.exec:\rlrlxfx.exe84⤵PID:2504
-
\??\c:\5nbbtt.exec:\5nbbtt.exe85⤵PID:2604
-
\??\c:\pjddd.exec:\pjddd.exe86⤵PID:2884
-
\??\c:\ffffllx.exec:\ffffllx.exe87⤵PID:3644
-
\??\c:\frfxrrl.exec:\frfxrrl.exe88⤵PID:2464
-
\??\c:\nnnnbh.exec:\nnnnbh.exe89⤵PID:5044
-
\??\c:\pjpvv.exec:\pjpvv.exe90⤵PID:1036
-
\??\c:\dvjvv.exec:\dvjvv.exe91⤵PID:4364
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe92⤵PID:3464
-
\??\c:\bttnnn.exec:\bttnnn.exe93⤵PID:4676
-
\??\c:\jppdj.exec:\jppdj.exe94⤵PID:2592
-
\??\c:\9dddv.exec:\9dddv.exe95⤵PID:1592
-
\??\c:\1rfffll.exec:\1rfffll.exe96⤵PID:1208
-
\??\c:\tnhbbb.exec:\tnhbbb.exe97⤵PID:2292
-
\??\c:\bntnhh.exec:\bntnhh.exe98⤵PID:2324
-
\??\c:\vpddd.exec:\vpddd.exe99⤵PID:1172
-
\??\c:\rlxfxfr.exec:\rlxfxfr.exe100⤵PID:760
-
\??\c:\bthbbb.exec:\bthbbb.exe101⤵PID:2428
-
\??\c:\hhbbbb.exec:\hhbbbb.exe102⤵PID:2828
-
\??\c:\vpjpp.exec:\vpjpp.exe103⤵PID:2224
-
\??\c:\5lxxrxx.exec:\5lxxrxx.exe104⤵PID:2804
-
\??\c:\fxxfflr.exec:\fxxfflr.exe105⤵PID:5056
-
\??\c:\nntttb.exec:\nntttb.exe106⤵PID:1784
-
\??\c:\vdvpd.exec:\vdvpd.exe107⤵PID:4484
-
\??\c:\lxxxxxl.exec:\lxxxxxl.exe108⤵PID:3312
-
\??\c:\xrxxxxf.exec:\xrxxxxf.exe109⤵PID:2200
-
\??\c:\nntnnt.exec:\nntnnt.exe110⤵PID:4892
-
\??\c:\7jddd.exec:\7jddd.exe111⤵PID:2332
-
\??\c:\pjpjd.exec:\pjpjd.exe112⤵PID:3300
-
\??\c:\1xffrff.exec:\1xffrff.exe113⤵PID:4344
-
\??\c:\hbhbbb.exec:\hbhbbb.exe114⤵PID:2944
-
\??\c:\jvppd.exec:\jvppd.exe115⤵PID:3880
-
\??\c:\fffffxx.exec:\fffffxx.exe116⤵PID:2212
-
\??\c:\xlxxffr.exec:\xlxxffr.exe117⤵PID:5048
-
\??\c:\btbhbn.exec:\btbhbn.exe118⤵PID:2148
-
\??\c:\nnhnnt.exec:\nnhnnt.exe119⤵PID:4164
-
\??\c:\jjdvd.exec:\jjdvd.exe120⤵PID:2836
-
\??\c:\llrrrrx.exec:\llrrrrx.exe121⤵PID:3848
-
\??\c:\llrrrrr.exec:\llrrrrr.exe122⤵PID:744
-