Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 10:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
925804bce4d20d3994a3f14a53f974ad1abcc16eee1d3970dbbd05b8925fc7f8N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
925804bce4d20d3994a3f14a53f974ad1abcc16eee1d3970dbbd05b8925fc7f8N.exe
-
Size
454KB
-
MD5
672d12771ce3a57eaf3d3efcd3cf7790
-
SHA1
24c52a09c325beea6c8ce73915dd154ac62bb644
-
SHA256
925804bce4d20d3994a3f14a53f974ad1abcc16eee1d3970dbbd05b8925fc7f8
-
SHA512
b94b5c49e203604aa3ce9acfbd3a06ec395e014d1ffe8f15e86ef8d5c2122c8546ae01c16ba0de86de74d43ad057144b11e426a225fc5ce8aaf473320607c701
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3736-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1536-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4644-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-1031-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-1141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-1221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/756-1588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2444 9hhhbh.exe 2840 vpvvp.exe 4008 5lrlrrx.exe 2260 thhhbb.exe 4528 djjdv.exe 2024 rlllllr.exe 2340 7nttnt.exe 4460 llrrlrr.exe 2208 fflllrr.exe 844 7vjvv.exe 2008 ttnbbb.exe 1716 rrrlxlf.exe 4372 bnhhhb.exe 852 bthhtt.exe 2096 jvpjv.exe 2304 5xxxxfx.exe 3560 bhtntt.exe 3136 frlllll.exe 4404 hnnnnt.exe 4160 xxxxxxx.exe 4824 9ntttt.exe 1536 nnbbtt.exe 816 jjppp.exe 2724 fxflflf.exe 632 xffflrx.exe 3192 vvddd.exe 932 ddvvj.exe 3696 xlrrrrl.exe 3388 rlrrrxx.exe 4324 jjddd.exe 4704 pdppp.exe 3296 1ttttb.exe 4500 rfrrxxf.exe 3264 bnbbbb.exe 1112 dppvv.exe 1064 lfrrlrr.exe 1312 3xllrrf.exe 1588 9ntnnt.exe 4596 9ppvv.exe 3340 3lrffff.exe 4396 bbbtnn.exe 3988 jvjjj.exe 2812 rlxrrrx.exe 4444 flxxxff.exe 2440 7hnhhn.exe 4364 pdddp.exe 4816 lrfllrr.exe 2944 bbttbb.exe 4392 pjvvv.exe 2840 7xfrlll.exe 4196 hbtnnh.exe 116 pvdvp.exe 4708 1rxxxrr.exe 4032 tthhtt.exe 4928 dpppv.exe 4944 rxxxrfr.exe 2024 nnhnbb.exe 1416 pdjjp.exe 2976 lxxllxl.exe 4352 nbnbnn.exe 2208 pjjvv.exe 4524 rlllllf.exe 4660 tbbhht.exe 548 jjjvv.exe -
resource yara_rule behavioral2/memory/3736-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2724-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-378-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4852-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-868-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtttb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3736 wrote to memory of 2444 3736 925804bce4d20d3994a3f14a53f974ad1abcc16eee1d3970dbbd05b8925fc7f8N.exe 83 PID 3736 wrote to memory of 2444 3736 925804bce4d20d3994a3f14a53f974ad1abcc16eee1d3970dbbd05b8925fc7f8N.exe 83 PID 3736 wrote to memory of 2444 3736 925804bce4d20d3994a3f14a53f974ad1abcc16eee1d3970dbbd05b8925fc7f8N.exe 83 PID 2444 wrote to memory of 2840 2444 9hhhbh.exe 84 PID 2444 wrote to memory of 2840 2444 9hhhbh.exe 84 PID 2444 wrote to memory of 2840 2444 9hhhbh.exe 84 PID 2840 wrote to memory of 4008 2840 vpvvp.exe 85 PID 2840 wrote to memory of 4008 2840 vpvvp.exe 85 PID 2840 wrote to memory of 4008 2840 vpvvp.exe 85 PID 4008 wrote to memory of 2260 4008 5lrlrrx.exe 86 PID 4008 wrote to memory of 2260 4008 5lrlrrx.exe 86 PID 4008 wrote to memory of 2260 4008 5lrlrrx.exe 86 PID 2260 wrote to memory of 4528 2260 thhhbb.exe 87 PID 2260 wrote to memory of 4528 2260 thhhbb.exe 87 PID 2260 wrote to memory of 4528 2260 thhhbb.exe 87 PID 4528 wrote to memory of 2024 4528 djjdv.exe 88 PID 4528 wrote to memory of 2024 4528 djjdv.exe 88 PID 4528 wrote to memory of 2024 4528 djjdv.exe 88 PID 2024 wrote to memory of 2340 2024 rlllllr.exe 89 PID 2024 wrote to memory of 2340 2024 rlllllr.exe 89 PID 2024 wrote to memory of 2340 2024 rlllllr.exe 89 PID 2340 wrote to memory of 4460 2340 7nttnt.exe 90 PID 2340 wrote to memory of 4460 2340 7nttnt.exe 90 PID 2340 wrote to memory of 4460 2340 7nttnt.exe 90 PID 4460 wrote to memory of 2208 4460 llrrlrr.exe 91 PID 4460 wrote to memory of 2208 4460 llrrlrr.exe 91 PID 4460 wrote to memory of 2208 4460 llrrlrr.exe 91 PID 2208 wrote to memory of 844 2208 fflllrr.exe 92 PID 2208 wrote to memory of 844 2208 fflllrr.exe 92 PID 2208 wrote to memory of 844 2208 fflllrr.exe 92 PID 844 wrote to memory of 2008 844 7vjvv.exe 93 PID 844 wrote to memory of 2008 844 7vjvv.exe 93 PID 844 wrote to memory of 2008 844 7vjvv.exe 93 PID 2008 wrote to memory of 1716 2008 ttnbbb.exe 94 PID 2008 wrote to 
memory of 1716 2008 ttnbbb.exe 94 PID 2008 wrote to memory of 1716 2008 ttnbbb.exe 94 PID 1716 wrote to memory of 4372 1716 rrrlxlf.exe 95 PID 1716 wrote to memory of 4372 1716 rrrlxlf.exe 95 PID 1716 wrote to memory of 4372 1716 rrrlxlf.exe 95 PID 4372 wrote to memory of 852 4372 bnhhhb.exe 96 PID 4372 wrote to memory of 852 4372 bnhhhb.exe 96 PID 4372 wrote to memory of 852 4372 bnhhhb.exe 96 PID 852 wrote to memory of 2096 852 bthhtt.exe 97 PID 852 wrote to memory of 2096 852 bthhtt.exe 97 PID 852 wrote to memory of 2096 852 bthhtt.exe 97 PID 2096 wrote to memory of 2304 2096 jvpjv.exe 98 PID 2096 wrote to memory of 2304 2096 jvpjv.exe 98 PID 2096 wrote to memory of 2304 2096 jvpjv.exe 98 PID 2304 wrote to memory of 3560 2304 5xxxxfx.exe 99 PID 2304 wrote to memory of 3560 2304 5xxxxfx.exe 99 PID 2304 wrote to memory of 3560 2304 5xxxxfx.exe 99 PID 3560 wrote to memory of 3136 3560 bhtntt.exe 100 PID 3560 wrote to memory of 3136 3560 bhtntt.exe 100 PID 3560 wrote to memory of 3136 3560 bhtntt.exe 100 PID 3136 wrote to memory of 4404 3136 frlllll.exe 101 PID 3136 wrote to memory of 4404 3136 frlllll.exe 101 PID 3136 wrote to memory of 4404 3136 frlllll.exe 101 PID 4404 wrote to memory of 4160 4404 hnnnnt.exe 102 PID 4404 wrote to memory of 4160 4404 hnnnnt.exe 102 PID 4404 wrote to memory of 4160 4404 hnnnnt.exe 102 PID 4160 wrote to memory of 4824 4160 xxxxxxx.exe 103 PID 4160 wrote to memory of 4824 4160 xxxxxxx.exe 103 PID 4160 wrote to memory of 4824 4160 xxxxxxx.exe 103 PID 4824 wrote to memory of 1536 4824 9ntttt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\925804bce4d20d3994a3f14a53f974ad1abcc16eee1d3970dbbd05b8925fc7f8N.exe"C:\Users\Admin\AppData\Local\Temp\925804bce4d20d3994a3f14a53f974ad1abcc16eee1d3970dbbd05b8925fc7f8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\9hhhbh.exec:\9hhhbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\vpvvp.exec:\vpvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\5lrlrrx.exec:\5lrlrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\thhhbb.exec:\thhhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\djjdv.exec:\djjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\rlllllr.exec:\rlllllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\7nttnt.exec:\7nttnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\llrrlrr.exec:\llrrlrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\fflllrr.exec:\fflllrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\7vjvv.exec:\7vjvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\ttnbbb.exec:\ttnbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\rrrlxlf.exec:\rrrlxlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\bnhhhb.exec:\bnhhhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\bthhtt.exec:\bthhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\jvpjv.exec:\jvpjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\5xxxxfx.exec:\5xxxxfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\bhtntt.exec:\bhtntt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\frlllll.exec:\frlllll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\hnnnnt.exec:\hnnnnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\xxxxxxx.exec:\xxxxxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\9ntttt.exec:\9ntttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\nnbbtt.exec:\nnbbtt.exe23⤵
- Executes dropped EXE
PID:1536 -
\??\c:\jjppp.exec:\jjppp.exe24⤵
- Executes dropped EXE
PID:816 -
\??\c:\fxflflf.exec:\fxflflf.exe25⤵
- Executes dropped EXE
PID:2724 -
\??\c:\xffflrx.exec:\xffflrx.exe26⤵
- Executes dropped EXE
PID:632 -
\??\c:\vvddd.exec:\vvddd.exe27⤵
- Executes dropped EXE
PID:3192 -
\??\c:\ddvvj.exec:\ddvvj.exe28⤵
- Executes dropped EXE
PID:932 -
\??\c:\xlrrrrl.exec:\xlrrrrl.exe29⤵
- Executes dropped EXE
PID:3696 -
\??\c:\rlrrrxx.exec:\rlrrrxx.exe30⤵
- Executes dropped EXE
PID:3388 -
\??\c:\jjddd.exec:\jjddd.exe31⤵
- Executes dropped EXE
PID:4324 -
\??\c:\pdppp.exec:\pdppp.exe32⤵
- Executes dropped EXE
PID:4704 -
\??\c:\1ttttb.exec:\1ttttb.exe33⤵
- Executes dropped EXE
PID:3296 -
\??\c:\rfrrxxf.exec:\rfrrxxf.exe34⤵
- Executes dropped EXE
PID:4500 -
\??\c:\bnbbbb.exec:\bnbbbb.exe35⤵
- Executes dropped EXE
PID:3264 -
\??\c:\dppvv.exec:\dppvv.exe36⤵
- Executes dropped EXE
PID:1112 -
\??\c:\lfrrlrr.exec:\lfrrlrr.exe37⤵
- Executes dropped EXE
PID:1064 -
\??\c:\3xllrrf.exec:\3xllrrf.exe38⤵
- Executes dropped EXE
PID:1312 -
\??\c:\9ntnnt.exec:\9ntnnt.exe39⤵
- Executes dropped EXE
PID:1588 -
\??\c:\9ppvv.exec:\9ppvv.exe40⤵
- Executes dropped EXE
PID:4596 -
\??\c:\3lrffff.exec:\3lrffff.exe41⤵
- Executes dropped EXE
PID:3340 -
\??\c:\bbbtnn.exec:\bbbtnn.exe42⤵
- Executes dropped EXE
PID:4396 -
\??\c:\jvjjj.exec:\jvjjj.exe43⤵
- Executes dropped EXE
PID:3988 -
\??\c:\rlxrrrx.exec:\rlxrrrx.exe44⤵
- Executes dropped EXE
PID:2812 -
\??\c:\flxxxff.exec:\flxxxff.exe45⤵
- Executes dropped EXE
PID:4444 -
\??\c:\7hnhhn.exec:\7hnhhn.exe46⤵
- Executes dropped EXE
PID:2440 -
\??\c:\pdddp.exec:\pdddp.exe47⤵
- Executes dropped EXE
PID:4364 -
\??\c:\lrfllrr.exec:\lrfllrr.exe48⤵
- Executes dropped EXE
PID:4816 -
\??\c:\bbttbb.exec:\bbttbb.exe49⤵
- Executes dropped EXE
PID:2944 -
\??\c:\pjvvv.exec:\pjvvv.exe50⤵
- Executes dropped EXE
PID:4392 -
\??\c:\7xfrlll.exec:\7xfrlll.exe51⤵
- Executes dropped EXE
PID:2840 -
\??\c:\hbtnnh.exec:\hbtnnh.exe52⤵
- Executes dropped EXE
PID:4196 -
\??\c:\pvdvp.exec:\pvdvp.exe53⤵
- Executes dropped EXE
PID:116 -
\??\c:\1rxxxrr.exec:\1rxxxrr.exe54⤵
- Executes dropped EXE
PID:4708 -
\??\c:\tthhtt.exec:\tthhtt.exe55⤵
- Executes dropped EXE
PID:4032 -
\??\c:\dpppv.exec:\dpppv.exe56⤵
- Executes dropped EXE
PID:4928 -
\??\c:\rxxxrfr.exec:\rxxxrfr.exe57⤵
- Executes dropped EXE
PID:4944 -
\??\c:\nnhnbb.exec:\nnhnbb.exe58⤵
- Executes dropped EXE
PID:2024 -
\??\c:\pdjjp.exec:\pdjjp.exe59⤵
- Executes dropped EXE
PID:1416 -
\??\c:\lxxllxl.exec:\lxxllxl.exe60⤵
- Executes dropped EXE
PID:2976 -
\??\c:\nbnbnn.exec:\nbnbnn.exe61⤵
- Executes dropped EXE
PID:4352 -
\??\c:\pjjvv.exec:\pjjvv.exe62⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rlllllf.exec:\rlllllf.exe63⤵
- Executes dropped EXE
PID:4524 -
\??\c:\tbbhht.exec:\tbbhht.exe64⤵
- Executes dropped EXE
PID:4660 -
\??\c:\jjjvv.exec:\jjjvv.exe65⤵
- Executes dropped EXE
PID:548 -
\??\c:\rfxfrll.exec:\rfxfrll.exe66⤵PID:452
-
\??\c:\3htnnt.exec:\3htnnt.exe67⤵PID:1716
-
\??\c:\ddvvd.exec:\ddvvd.exe68⤵PID:4636
-
\??\c:\flllrrx.exec:\flllrrx.exe69⤵PID:2396
-
\??\c:\nbttbh.exec:\nbttbh.exe70⤵PID:5104
-
\??\c:\vjvvd.exec:\vjvvd.exe71⤵PID:2096
-
\??\c:\xlflrll.exec:\xlflrll.exe72⤵PID:1908
-
\??\c:\7nbhht.exec:\7nbhht.exe73⤵PID:4644
-
\??\c:\vdppd.exec:\vdppd.exe74⤵PID:4864
-
\??\c:\lrrfrrf.exec:\lrrfrrf.exe75⤵PID:1572
-
\??\c:\bbnnnt.exec:\bbnnnt.exe76⤵PID:4404
-
\??\c:\jjddd.exec:\jjddd.exe77⤵PID:5072
-
\??\c:\3vdjv.exec:\3vdjv.exe78⤵PID:1372
-
\??\c:\llrxfll.exec:\llrxfll.exe79⤵PID:1832
-
\??\c:\nhtthb.exec:\nhtthb.exe80⤵PID:4824
-
\??\c:\vvvpj.exec:\vvvpj.exe81⤵PID:4480
-
\??\c:\fxllllr.exec:\fxllllr.exe82⤵PID:4872
-
\??\c:\hhbbhn.exec:\hhbbhn.exe83⤵PID:1552
-
\??\c:\ttnntt.exec:\ttnntt.exe84⤵PID:2896
-
\??\c:\3jpvv.exec:\3jpvv.exe85⤵PID:3888
-
\??\c:\xxfrfxr.exec:\xxfrfxr.exe86⤵PID:3448
-
\??\c:\htbbbb.exec:\htbbbb.exe87⤵PID:3192
-
\??\c:\vpvdd.exec:\vpvdd.exe88⤵PID:4804
-
\??\c:\ppppv.exec:\ppppv.exe89⤵PID:5068
-
\??\c:\llrrlfl.exec:\llrrlfl.exe90⤵PID:3756
-
\??\c:\nbttbh.exec:\nbttbh.exe91⤵PID:2964
-
\??\c:\7vjjj.exec:\7vjjj.exe92⤵PID:3496
-
\??\c:\xlxxxfl.exec:\xlxxxfl.exe93⤵PID:3680
-
\??\c:\lxllrxx.exec:\lxllrxx.exe94⤵PID:2816
-
\??\c:\bhttbh.exec:\bhttbh.exe95⤵PID:4852
-
\??\c:\1dppp.exec:\1dppp.exe96⤵PID:3296
-
\??\c:\7llfxrr.exec:\7llfxrr.exe97⤵PID:4472
-
\??\c:\tntttb.exec:\tntttb.exe98⤵PID:3264
-
\??\c:\pjvvp.exec:\pjvvp.exe99⤵PID:1112
-
\??\c:\pjddd.exec:\pjddd.exe100⤵PID:1064
-
\??\c:\fxxxrll.exec:\fxxxrll.exe101⤵PID:1340
-
\??\c:\hnnnnn.exec:\hnnnnn.exe102⤵PID:440
-
\??\c:\1vddj.exec:\1vddj.exe103⤵PID:3212
-
\??\c:\fllrfrf.exec:\fllrfrf.exe104⤵PID:2336
-
\??\c:\bthhht.exec:\bthhht.exe105⤵PID:2140
-
\??\c:\pppjj.exec:\pppjj.exe106⤵PID:2464
-
\??\c:\7xffflf.exec:\7xffflf.exe107⤵PID:1756
-
\??\c:\nnbhnt.exec:\nnbhnt.exe108⤵PID:4444
-
\??\c:\jddvv.exec:\jddvv.exe109⤵PID:2440
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe110⤵PID:4364
-
\??\c:\bntthn.exec:\bntthn.exe111⤵PID:4816
-
\??\c:\ttbbht.exec:\ttbbht.exe112⤵PID:2592
-
\??\c:\jvjjd.exec:\jvjjd.exe113⤵PID:1856
-
\??\c:\xrfflrr.exec:\xrfflrr.exe114⤵
- System Location Discovery: System Language Discovery
PID:4420 -
\??\c:\hnthhn.exec:\hnthhn.exe115⤵PID:1984
-
\??\c:\hbnnnt.exec:\hbnnnt.exe116⤵PID:5108
-
\??\c:\flffxfx.exec:\flffxfx.exe117⤵PID:2212
-
\??\c:\7bhnbh.exec:\7bhnbh.exe118⤵PID:2772
-
\??\c:\bnhbbn.exec:\bnhbbn.exe119⤵PID:2584
-
\??\c:\jdppv.exec:\jdppv.exe120⤵PID:2128
-
\??\c:\flflfxr.exec:\flflfxr.exe121⤵PID:4944
-
\??\c:\hnnnbn.exec:\hnnnbn.exe122⤵PID:468