Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
19-12-2024 06:16
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
ebb10c0c9ced790d2e50bad25823a1578ba3d3f3810e50d7f66ba85c73598959.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
ebb10c0c9ced790d2e50bad25823a1578ba3d3f3810e50d7f66ba85c73598959.exe
-
Size
455KB
-
MD5
ae8ed63179165cc2083fc1a495eaa401
-
SHA1
82061d558fc26e2b6b982c094516bf138d149e4e
-
SHA256
ebb10c0c9ced790d2e50bad25823a1578ba3d3f3810e50d7f66ba85c73598959
-
SHA512
3df7919f7e4bae3fcb55ff0892eaed46d0ac337431575d83c8d8e8f3e82dac5d232c0005d7519bcf1f2e3fa096ed1f4ee09eb871b85700be6029d5ab19f37ccb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRY:q7Tc2NYHUrAwfMp3CDRY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (every hit below is the 0x0000000000400000–0x000000000042A000 image region of a process in the drop chain — the same region flagged by the UPX rule further down — so the family signature is matching the in-memory image of each process; the static task reported only one signature, which suggests the on-disk file is packed and the family match depends on the behavioral run)
resource yara_rule behavioral2/memory/1016-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1300-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4116-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-951-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-985-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list appears to be capped at 64 entries: the process tree below continues to depth 122, so treat this list as a sample of the dropped executables, not the complete set)
pid Process 2020 nhttbh.exe 1416 vdjjp.exe 3480 nnnbnb.exe 3224 jvvjv.exe 4092 flfxrxr.exe 3624 tnnbnb.exe 224 vdpjp.exe 976 lfxlxfl.exe 892 hhntnb.exe 1104 vjpvp.exe 676 fxfxlxf.exe 4572 tnnnnt.exe 3928 vvddd.exe 1532 jpdvj.exe 32 lfxrrrr.exe 1120 hnhbtt.exe 3596 dpvvv.exe 1784 xrfxffl.exe 4976 ffllrxf.exe 1144 hnnbtn.exe 2380 vppjv.exe 3476 rrlxfrf.exe 3108 bthhnn.exe 4688 dpjdv.exe 4928 xlxlxxr.exe 4236 bbhbnn.exe 1152 jdpvv.exe 1300 lxfflll.exe 3148 hntthh.exe 2424 jpdvj.exe 4708 5jjpp.exe 3984 fxfxxxx.exe 4412 nhbbnb.exe 3924 pdppp.exe 1776 xrlrflx.exe 4872 tbbhtb.exe 1084 bnnbht.exe 2800 ppppp.exe 3008 5lrlllf.exe 1184 htbttt.exe 3204 tttttt.exe 5008 9frfrfl.exe 1624 tthnhn.exe 2012 jjvpp.exe 1076 rxfrlrl.exe 1040 lrrfxxx.exe 1388 nhhbbt.exe 2636 pjjvj.exe 4128 lflffrr.exe 4364 hntbbt.exe 2860 djvdd.exe 4916 rxlfxff.exe 3024 ntnbbh.exe 4980 ddjpd.exe 1984 fxfffll.exe 3616 fxlffxx.exe 5076 vdddv.exe 2472 vjppj.exe 856 5flllrx.exe 2624 hhtbtn.exe 4220 jpjdp.exe 392 pjpjj.exe 2840 rlfffxf.exe 3536 bbnnhh.exe -
resource yara_rule behavioral2/memory/1016-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4236-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-373-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4836-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-771-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-941-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-951-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (observed here as reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; most entries are attributed to "Process not Found", i.e. the reading process had already exited by the time the event was resolved, so the per-process attribution is incomplete).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxxxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtt.exe -
Suspicious use of WriteProcessMemory 64 IoCs (caveat: PIDs are reused within this run — for example 676, 1120, 1016 and 2636 each appear twice in the process tree — so the out-of-sequence procid_target values 153 and 157 recorded for targets 676 and 1120 appear to have been resolved to the later process that reused the PID; correlate these events by process name and parent/child order rather than by PID alone)
description pid Process procid_target PID 1016 wrote to memory of 2020 1016 ebb10c0c9ced790d2e50bad25823a1578ba3d3f3810e50d7f66ba85c73598959.exe 83 PID 1016 wrote to memory of 2020 1016 ebb10c0c9ced790d2e50bad25823a1578ba3d3f3810e50d7f66ba85c73598959.exe 83 PID 1016 wrote to memory of 2020 1016 ebb10c0c9ced790d2e50bad25823a1578ba3d3f3810e50d7f66ba85c73598959.exe 83 PID 2020 wrote to memory of 1416 2020 nhttbh.exe 84 PID 2020 wrote to memory of 1416 2020 nhttbh.exe 84 PID 2020 wrote to memory of 1416 2020 nhttbh.exe 84 PID 1416 wrote to memory of 3480 1416 vdjjp.exe 85 PID 1416 wrote to memory of 3480 1416 vdjjp.exe 85 PID 1416 wrote to memory of 3480 1416 vdjjp.exe 85 PID 3480 wrote to memory of 3224 3480 nnnbnb.exe 86 PID 3480 wrote to memory of 3224 3480 nnnbnb.exe 86 PID 3480 wrote to memory of 3224 3480 nnnbnb.exe 86 PID 3224 wrote to memory of 4092 3224 jvvjv.exe 87 PID 3224 wrote to memory of 4092 3224 jvvjv.exe 87 PID 3224 wrote to memory of 4092 3224 jvvjv.exe 87 PID 4092 wrote to memory of 3624 4092 flfxrxr.exe 88 PID 4092 wrote to memory of 3624 4092 flfxrxr.exe 88 PID 4092 wrote to memory of 3624 4092 flfxrxr.exe 88 PID 3624 wrote to memory of 224 3624 tnnbnb.exe 89 PID 3624 wrote to memory of 224 3624 tnnbnb.exe 89 PID 3624 wrote to memory of 224 3624 tnnbnb.exe 89 PID 224 wrote to memory of 976 224 vdpjp.exe 90 PID 224 wrote to memory of 976 224 vdpjp.exe 90 PID 224 wrote to memory of 976 224 vdpjp.exe 90 PID 976 wrote to memory of 892 976 lfxlxfl.exe 91 PID 976 wrote to memory of 892 976 lfxlxfl.exe 91 PID 976 wrote to memory of 892 976 lfxlxfl.exe 91 PID 892 wrote to memory of 1104 892 hhntnb.exe 92 PID 892 wrote to memory of 1104 892 hhntnb.exe 92 PID 892 wrote to memory of 1104 892 hhntnb.exe 92 PID 1104 wrote to memory of 676 1104 vjpvp.exe 153 PID 1104 wrote to memory of 676 1104 vjpvp.exe 153 PID 1104 wrote to memory of 676 1104 vjpvp.exe 153 PID 676 wrote to memory of 4572 676 fxfxlxf.exe 94 PID 676 wrote to memory of 4572 676 fxfxlxf.exe 94 
PID 676 wrote to memory of 4572 676 fxfxlxf.exe 94 PID 4572 wrote to memory of 3928 4572 tnnnnt.exe 95 PID 4572 wrote to memory of 3928 4572 tnnnnt.exe 95 PID 4572 wrote to memory of 3928 4572 tnnnnt.exe 95 PID 3928 wrote to memory of 1532 3928 vvddd.exe 96 PID 3928 wrote to memory of 1532 3928 vvddd.exe 96 PID 3928 wrote to memory of 1532 3928 vvddd.exe 96 PID 1532 wrote to memory of 32 1532 jpdvj.exe 97 PID 1532 wrote to memory of 32 1532 jpdvj.exe 97 PID 1532 wrote to memory of 32 1532 jpdvj.exe 97 PID 32 wrote to memory of 1120 32 lfxrrrr.exe 157 PID 32 wrote to memory of 1120 32 lfxrrrr.exe 157 PID 32 wrote to memory of 1120 32 lfxrrrr.exe 157 PID 1120 wrote to memory of 3596 1120 hnhbtt.exe 99 PID 1120 wrote to memory of 3596 1120 hnhbtt.exe 99 PID 1120 wrote to memory of 3596 1120 hnhbtt.exe 99 PID 3596 wrote to memory of 1784 3596 dpvvv.exe 100 PID 3596 wrote to memory of 1784 3596 dpvvv.exe 100 PID 3596 wrote to memory of 1784 3596 dpvvv.exe 100 PID 1784 wrote to memory of 4976 1784 xrfxffl.exe 101 PID 1784 wrote to memory of 4976 1784 xrfxffl.exe 101 PID 1784 wrote to memory of 4976 1784 xrfxffl.exe 101 PID 4976 wrote to memory of 1144 4976 ffllrxf.exe 102 PID 4976 wrote to memory of 1144 4976 ffllrxf.exe 102 PID 4976 wrote to memory of 1144 4976 ffllrxf.exe 102 PID 1144 wrote to memory of 2380 1144 hnnbtn.exe 103 PID 1144 wrote to memory of 2380 1144 hnnbtn.exe 103 PID 1144 wrote to memory of 2380 1144 hnnbtn.exe 103 PID 2380 wrote to memory of 3476 2380 vppjv.exe 104
Processes (each dropped executable is written to the root of C:\ under a short name drawn from the letters b d f h j l n p r t v x, sometimes with a leading digit, and launches the next one, forming a single linear parent→child chain 122 levels deep; the names are not stable indicators, so detection should key on executable creation and launch from the drive root and on the chain depth rather than on individual filenames)
-
C:\Users\Admin\AppData\Local\Temp\ebb10c0c9ced790d2e50bad25823a1578ba3d3f3810e50d7f66ba85c73598959.exe"C:\Users\Admin\AppData\Local\Temp\ebb10c0c9ced790d2e50bad25823a1578ba3d3f3810e50d7f66ba85c73598959.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\nhttbh.exec:\nhttbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\vdjjp.exec:\vdjjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\nnnbnb.exec:\nnnbnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\jvvjv.exec:\jvvjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\flfxrxr.exec:\flfxrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\tnnbnb.exec:\tnnbnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\vdpjp.exec:\vdpjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\lfxlxfl.exec:\lfxlxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\hhntnb.exec:\hhntnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\vjpvp.exec:\vjpvp.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\fxfxlxf.exec:\fxfxlxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\tnnnnt.exec:\tnnnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\vvddd.exec:\vvddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\jpdvj.exec:\jpdvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\lfxrrrr.exec:\lfxrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\hnhbtt.exec:\hnhbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\dpvvv.exec:\dpvvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\xrfxffl.exec:\xrfxffl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\ffllrxf.exec:\ffllrxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\hnnbtn.exec:\hnnbtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\vppjv.exec:\vppjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\rrlxfrf.exec:\rrlxfrf.exe23⤵
- Executes dropped EXE
PID:3476 -
\??\c:\bthhnn.exec:\bthhnn.exe24⤵
- Executes dropped EXE
PID:3108 -
\??\c:\dpjdv.exec:\dpjdv.exe25⤵
- Executes dropped EXE
PID:4688 -
\??\c:\xlxlxxr.exec:\xlxlxxr.exe26⤵
- Executes dropped EXE
PID:4928 -
\??\c:\bbhbnn.exec:\bbhbnn.exe27⤵
- Executes dropped EXE
PID:4236 -
\??\c:\jdpvv.exec:\jdpvv.exe28⤵
- Executes dropped EXE
PID:1152 -
\??\c:\lxfflll.exec:\lxfflll.exe29⤵
- Executes dropped EXE
PID:1300 -
\??\c:\hntthh.exec:\hntthh.exe30⤵
- Executes dropped EXE
PID:3148 -
\??\c:\jpdvj.exec:\jpdvj.exe31⤵
- Executes dropped EXE
PID:2424 -
\??\c:\5jjpp.exec:\5jjpp.exe32⤵
- Executes dropped EXE
PID:4708 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe33⤵
- Executes dropped EXE
PID:3984 -
\??\c:\nhbbnb.exec:\nhbbnb.exe34⤵
- Executes dropped EXE
PID:4412 -
\??\c:\pdppp.exec:\pdppp.exe35⤵
- Executes dropped EXE
PID:3924 -
\??\c:\xrlrflx.exec:\xrlrflx.exe36⤵
- Executes dropped EXE
PID:1776 -
\??\c:\tbbhtb.exec:\tbbhtb.exe37⤵
- Executes dropped EXE
PID:4872 -
\??\c:\bnnbht.exec:\bnnbht.exe38⤵
- Executes dropped EXE
PID:1084 -
\??\c:\ppppp.exec:\ppppp.exe39⤵
- Executes dropped EXE
PID:2800 -
\??\c:\5lrlllf.exec:\5lrlllf.exe40⤵
- Executes dropped EXE
PID:3008 -
\??\c:\htbttt.exec:\htbttt.exe41⤵
- Executes dropped EXE
PID:1184 -
\??\c:\tttttt.exec:\tttttt.exe42⤵
- Executes dropped EXE
PID:3204 -
\??\c:\9frfrfl.exec:\9frfrfl.exe43⤵
- Executes dropped EXE
PID:5008 -
\??\c:\tthnhn.exec:\tthnhn.exe44⤵
- Executes dropped EXE
PID:1624 -
\??\c:\jjvpp.exec:\jjvpp.exe45⤵
- Executes dropped EXE
PID:2012 -
\??\c:\rxfrlrl.exec:\rxfrlrl.exe46⤵
- Executes dropped EXE
PID:1076 -
\??\c:\lrrfxxx.exec:\lrrfxxx.exe47⤵
- Executes dropped EXE
PID:1040 -
\??\c:\nhhbbt.exec:\nhhbbt.exe48⤵
- Executes dropped EXE
PID:1388 -
\??\c:\pjjvj.exec:\pjjvj.exe49⤵
- Executes dropped EXE
PID:2636 -
\??\c:\lflffrr.exec:\lflffrr.exe50⤵
- Executes dropped EXE
PID:4128 -
\??\c:\hntbbt.exec:\hntbbt.exe51⤵
- Executes dropped EXE
PID:4364 -
\??\c:\djvdd.exec:\djvdd.exe52⤵
- Executes dropped EXE
PID:2860 -
\??\c:\rxlfxff.exec:\rxlfxff.exe53⤵
- Executes dropped EXE
PID:4916 -
\??\c:\ntnbbh.exec:\ntnbbh.exe54⤵
- Executes dropped EXE
PID:3024 -
\??\c:\ddjpd.exec:\ddjpd.exe55⤵
- Executes dropped EXE
PID:4980 -
\??\c:\fxfffll.exec:\fxfffll.exe56⤵
- Executes dropped EXE
PID:1984 -
\??\c:\fxlffxx.exec:\fxlffxx.exe57⤵
- Executes dropped EXE
PID:3616 -
\??\c:\vdddv.exec:\vdddv.exe58⤵
- Executes dropped EXE
PID:5076 -
\??\c:\vjppj.exec:\vjppj.exe59⤵
- Executes dropped EXE
PID:2472 -
\??\c:\5flllrx.exec:\5flllrx.exe60⤵
- Executes dropped EXE
PID:856 -
\??\c:\hhtbtn.exec:\hhtbtn.exe61⤵
- Executes dropped EXE
PID:2624 -
\??\c:\jpjdp.exec:\jpjdp.exe62⤵
- Executes dropped EXE
PID:4220 -
\??\c:\pjpjj.exec:\pjpjj.exe63⤵
- Executes dropped EXE
PID:392 -
\??\c:\rlfffxf.exec:\rlfffxf.exe64⤵
- Executes dropped EXE
PID:2840 -
\??\c:\bbnnhh.exec:\bbnnhh.exe65⤵
- Executes dropped EXE
PID:3536 -
\??\c:\jvdjd.exec:\jvdjd.exe66⤵PID:4052
-
\??\c:\rrxxxfl.exec:\rrxxxfl.exe67⤵PID:4492
-
\??\c:\jdpjp.exec:\jdpjp.exe68⤵PID:1796
-
\??\c:\xrxxflr.exec:\xrxxflr.exe69⤵PID:2588
-
\??\c:\7hhnht.exec:\7hhnht.exe70⤵PID:312
-
\??\c:\vvvpv.exec:\vvvpv.exe71⤵PID:628
-
\??\c:\rrxxxfl.exec:\rrxxxfl.exe72⤵PID:676
-
\??\c:\1xxxrff.exec:\1xxxrff.exe73⤵PID:4232
-
\??\c:\5bhhnt.exec:\5bhhnt.exe74⤵PID:2132
-
\??\c:\jjjpp.exec:\jjjpp.exe75⤵PID:4116
-
\??\c:\xrrlfff.exec:\xrrlfff.exe76⤵PID:1120
-
\??\c:\bhbnnh.exec:\bhbnnh.exe77⤵PID:4400
-
\??\c:\jdjjj.exec:\jdjjj.exe78⤵PID:3948
-
\??\c:\lxffxll.exec:\lxffxll.exe79⤵PID:3040
-
\??\c:\3htnnn.exec:\3htnnn.exe80⤵PID:3864
-
\??\c:\nbhhtb.exec:\nbhhtb.exe81⤵PID:4780
-
\??\c:\xxffrrf.exec:\xxffrrf.exe82⤵PID:1512
-
\??\c:\hnnhbb.exec:\hnnhbb.exe83⤵
- System Location Discovery: System Language Discovery
PID:3108 -
\??\c:\bnhtnn.exec:\bnhtnn.exe84⤵PID:4700
-
\??\c:\pjvvv.exec:\pjvvv.exe85⤵PID:1332
-
\??\c:\9btnnn.exec:\9btnnn.exe86⤵PID:4432
-
\??\c:\dvdvd.exec:\dvdvd.exe87⤵PID:4136
-
\??\c:\9xfflrr.exec:\9xfflrr.exe88⤵PID:3452
-
\??\c:\1nbbnt.exec:\1nbbnt.exe89⤵PID:4480
-
\??\c:\lxxxflx.exec:\lxxxflx.exe90⤵PID:4836
-
\??\c:\hnnnhh.exec:\hnnnhh.exe91⤵PID:4120
-
\??\c:\ppdjp.exec:\ppdjp.exe92⤵PID:3908
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe93⤵PID:3812
-
\??\c:\nnhnnb.exec:\nnhnnb.exe94⤵PID:1856
-
\??\c:\pdvdv.exec:\pdvdv.exe95⤵PID:448
-
\??\c:\dpvvd.exec:\dpvvd.exe96⤵PID:1228
-
\??\c:\rlrxxfr.exec:\rlrxxfr.exe97⤵PID:1824
-
\??\c:\ttbbbb.exec:\ttbbbb.exe98⤵PID:4032
-
\??\c:\7rllflf.exec:\7rllflf.exe99⤵PID:4796
-
\??\c:\tnbttb.exec:\tnbttb.exe100⤵PID:2636
-
\??\c:\dpvpd.exec:\dpvpd.exe101⤵PID:848
-
\??\c:\lfffflf.exec:\lfffflf.exe102⤵PID:5052
-
\??\c:\hthtnh.exec:\hthtnh.exe103⤵PID:3240
-
\??\c:\jpvpj.exec:\jpvpj.exe104⤵PID:4640
-
\??\c:\llrrllf.exec:\llrrllf.exe105⤵PID:1544
-
\??\c:\pvjdj.exec:\pvjdj.exe106⤵PID:712
-
\??\c:\xlxfxrl.exec:\xlxfxrl.exe107⤵PID:1216
-
\??\c:\xxfffll.exec:\xxfffll.exe108⤵PID:1792
-
\??\c:\ppjdd.exec:\ppjdd.exe109⤵PID:3136
-
\??\c:\rfxxxxf.exec:\rfxxxxf.exe110⤵PID:5044
-
\??\c:\5tbnbb.exec:\5tbnbb.exe111⤵PID:1220
-
\??\c:\3pdvd.exec:\3pdvd.exe112⤵PID:856
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe113⤵PID:2044
-
\??\c:\nhtnhb.exec:\nhtnhb.exe114⤵PID:3004
-
\??\c:\bbhbbb.exec:\bbhbbb.exe115⤵PID:1788
-
\??\c:\jdjdd.exec:\jdjdd.exe116⤵PID:1016
-
\??\c:\fxxxxff.exec:\fxxxxff.exe117⤵PID:5100
-
\??\c:\nhtnnb.exec:\nhtnnb.exe118⤵PID:4844
-
\??\c:\dvppv.exec:\dvppv.exe119⤵PID:3504
-
\??\c:\pdvpj.exec:\pdvpj.exe120⤵PID:5080
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe121⤵PID:2244
-
\??\c:\tttnnt.exec:\tttnnt.exe122⤵PID:4580