Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
23-12-2024 23:58
Static task
static1
1 signature
Behavioral task
behavioral1 (task-list entry for the Windows 7 run; note that the signature evidence and process tree on this page are taken from behavioral2 — every memory-dump path below is prefixed behavioral2/ — which ran on the Windows 10 image named in the header, not on this Windows 7 task)
Sample
9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe
-
Size
453KB
-
MD5
41143ecafdf68bfd1c9b4234a810463d
-
SHA1
cf578c330ef4d5761f3d008b0fbd2bcc2ddf0693
-
SHA256
9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db
-
SHA512
0a64c9b6938acae117e2310ae50987cd886eb1180d6451e1ef40a87a5b37270f9c8495376cb61a80b58efe3756af426f9e526afeb3ee98227d76b4d82b021eef
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every hit below is the same 0x0000000000400000–0x000000000042A000 region dumped from a different process in the chain, consistent with each dropped stage being a copy of the same image; the list appears to be capped at 64 entries, so it should not be read as the total number of affected processes)
resource yara_rule behavioral2/memory/828-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/8-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3588-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4796-910-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (PIDs are reused during the run — e.g. 3500 appears both as nhhhbb.exe and later as btttnn.exe — so correlate on process image path and parent/child relationship rather than on PID; the list appears to be capped at 64 entries while the process tree below shows a longer chain)
pid Process 3500 nhhhbb.exe 3588 vpppj.exe 3928 3xrlffx.exe 836 7nnnnn.exe 228 3ppvj.exe 3024 lxrrffr.exe 5068 nbhbbt.exe 1228 nnhtnn.exe 4412 7jdvp.exe 2428 rllfxxl.exe 4364 7xlflll.exe 3224 tttnhh.exe 1360 ppvvd.exe 4416 jpvdj.exe 3960 frrlxxl.exe 3124 tbbtnn.exe 3832 tbtntn.exe 1276 dvdvv.exe 4084 5xrrlxr.exe 3068 nnhbbh.exe 376 9nnhhh.exe 4592 jpjvj.exe 4356 9rlfxfx.exe 760 lrlrlrl.exe 1012 tbbtnn.exe 4432 jpjdv.exe 2744 djjvp.exe 3920 xrrrlrl.exe 4768 hhbtnn.exe 8 tttnnn.exe 5100 dpppj.exe 4240 rrlfxrl.exe 3460 rllffxr.exe 4944 hhbthh.exe 1296 jddjd.exe 4500 1dppj.exe 4088 rrxxxlx.exe 392 nnhtnh.exe 4924 hbthtn.exe 1716 djdvj.exe 2284 frrxlxf.exe 2340 5xxrlfx.exe 3772 nhbthh.exe 3616 vvdvv.exe 2104 ddvpj.exe 4080 xxxxrrl.exe 3576 thhhtt.exe 3216 hhnbtn.exe 2256 pjvpj.exe 2792 jvvpj.exe 2536 xxxrxfx.exe 5004 bhbbth.exe 3556 3ttnhh.exe 4344 9dvpj.exe 2716 rlxxxxr.exe 3608 xrxrffx.exe 3500 btttnn.exe 3508 dvvpj.exe 5008 jjdvj.exe 3720 xrxrrrl.exe 3048 tttnnb.exe 2008 5tbtnh.exe 4880 jdjdj.exe 540 3flfrlf.exe -
resource yara_rule behavioral2/memory/828-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1012-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-336-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4664-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-788-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). Caveat for triage: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done routinely by benign software and by Windows itself, so this signature is low-fidelity on its own. Most entries below are attributed to "Process not Found", meaning the sandbox could not map the registry access to a process it was still tracking — most likely short-lived stages that had already exited — so per-process attribution of this behaviour is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each entry is a parent writing into the child it has just spawned — three writes per child — and the list stops part-way through stage 22, i.e. it is truncated at the 64-entry cap. The out-of-sequence procid_target values 139 for PID 3500 and 155 for PID 3068 almost certainly refer to the later process instances that reused those PIDs (btttnn.exe and bnnnhb.exe in the tree below), a PID-reuse attribution artefact rather than a second injection target. On its own this signature does not establish process hollowing or injection; confirm from the memory dumps, which all cover the same 0x400000–0x42A000 image region.)
description pid Process procid_target PID 828 wrote to memory of 3500 828 9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe 139 PID 828 wrote to memory of 3500 828 9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe 139 PID 828 wrote to memory of 3500 828 9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe 139 PID 3500 wrote to memory of 3588 3500 nhhhbb.exe 84 PID 3500 wrote to memory of 3588 3500 nhhhbb.exe 84 PID 3500 wrote to memory of 3588 3500 nhhhbb.exe 84 PID 3588 wrote to memory of 3928 3588 vpppj.exe 85 PID 3588 wrote to memory of 3928 3588 vpppj.exe 85 PID 3588 wrote to memory of 3928 3588 vpppj.exe 85 PID 3928 wrote to memory of 836 3928 3xrlffx.exe 86 PID 3928 wrote to memory of 836 3928 3xrlffx.exe 86 PID 3928 wrote to memory of 836 3928 3xrlffx.exe 86 PID 836 wrote to memory of 228 836 7nnnnn.exe 87 PID 836 wrote to memory of 228 836 7nnnnn.exe 87 PID 836 wrote to memory of 228 836 7nnnnn.exe 87 PID 228 wrote to memory of 3024 228 3ppvj.exe 88 PID 228 wrote to memory of 3024 228 3ppvj.exe 88 PID 228 wrote to memory of 3024 228 3ppvj.exe 88 PID 3024 wrote to memory of 5068 3024 lxrrffr.exe 89 PID 3024 wrote to memory of 5068 3024 lxrrffr.exe 89 PID 3024 wrote to memory of 5068 3024 lxrrffr.exe 89 PID 5068 wrote to memory of 1228 5068 nbhbbt.exe 90 PID 5068 wrote to memory of 1228 5068 nbhbbt.exe 90 PID 5068 wrote to memory of 1228 5068 nbhbbt.exe 90 PID 1228 wrote to memory of 4412 1228 nnhtnn.exe 91 PID 1228 wrote to memory of 4412 1228 nnhtnn.exe 91 PID 1228 wrote to memory of 4412 1228 nnhtnn.exe 91 PID 4412 wrote to memory of 2428 4412 7jdvp.exe 92 PID 4412 wrote to memory of 2428 4412 7jdvp.exe 92 PID 4412 wrote to memory of 2428 4412 7jdvp.exe 92 PID 2428 wrote to memory of 4364 2428 rllfxxl.exe 93 PID 2428 wrote to memory of 4364 2428 rllfxxl.exe 93 PID 2428 wrote to memory of 4364 2428 rllfxxl.exe 93 PID 4364 wrote to memory of 3224 4364 7xlflll.exe 94 PID 4364 wrote to memory of 3224 4364 
7xlflll.exe 94 PID 4364 wrote to memory of 3224 4364 7xlflll.exe 94 PID 3224 wrote to memory of 1360 3224 tttnhh.exe 95 PID 3224 wrote to memory of 1360 3224 tttnhh.exe 95 PID 3224 wrote to memory of 1360 3224 tttnhh.exe 95 PID 1360 wrote to memory of 4416 1360 ppvvd.exe 96 PID 1360 wrote to memory of 4416 1360 ppvvd.exe 96 PID 1360 wrote to memory of 4416 1360 ppvvd.exe 96 PID 4416 wrote to memory of 3960 4416 jpvdj.exe 97 PID 4416 wrote to memory of 3960 4416 jpvdj.exe 97 PID 4416 wrote to memory of 3960 4416 jpvdj.exe 97 PID 3960 wrote to memory of 3124 3960 frrlxxl.exe 98 PID 3960 wrote to memory of 3124 3960 frrlxxl.exe 98 PID 3960 wrote to memory of 3124 3960 frrlxxl.exe 98 PID 3124 wrote to memory of 3832 3124 tbbtnn.exe 99 PID 3124 wrote to memory of 3832 3124 tbbtnn.exe 99 PID 3124 wrote to memory of 3832 3124 tbbtnn.exe 99 PID 3832 wrote to memory of 1276 3832 tbtntn.exe 100 PID 3832 wrote to memory of 1276 3832 tbtntn.exe 100 PID 3832 wrote to memory of 1276 3832 tbtntn.exe 100 PID 1276 wrote to memory of 4084 1276 dvdvv.exe 101 PID 1276 wrote to memory of 4084 1276 dvdvv.exe 101 PID 1276 wrote to memory of 4084 1276 dvdvv.exe 101 PID 4084 wrote to memory of 3068 4084 5xrrlxr.exe 155 PID 4084 wrote to memory of 3068 4084 5xrrlxr.exe 155 PID 4084 wrote to memory of 3068 4084 5xrrlxr.exe 155 PID 3068 wrote to memory of 376 3068 nnhbbh.exe 103 PID 3068 wrote to memory of 376 3068 nnhbbh.exe 103 PID 3068 wrote to memory of 376 3068 nnhbbh.exe 103 PID 376 wrote to memory of 4592 376 9nnhhh.exe 104
Processes (a linear chain 122 stages deep as shown here: each stage drops the next executable directly under the root of C:\ with a random consonant-string name — e.g. \??\c:\nhhhbb.exe — and launches it. For hunting, creation of a new .exe directly under the system-drive root followed by execution from that path is the highest-signal behaviour in this report; file names and PIDs change per run and should not be used as indicators.)
-
C:\Users\Admin\AppData\Local\Temp\9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe"C:\Users\Admin\AppData\Local\Temp\9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\nhhhbb.exec:\nhhhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\vpppj.exec:\vpppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\3xrlffx.exec:\3xrlffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\7nnnnn.exec:\7nnnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\3ppvj.exec:\3ppvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\lxrrffr.exec:\lxrrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\nbhbbt.exec:\nbhbbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\nnhtnn.exec:\nnhtnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\7jdvp.exec:\7jdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\rllfxxl.exec:\rllfxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\7xlflll.exec:\7xlflll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\tttnhh.exec:\tttnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\ppvvd.exec:\ppvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\jpvdj.exec:\jpvdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\frrlxxl.exec:\frrlxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\tbbtnn.exec:\tbbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\tbtntn.exec:\tbtntn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\dvdvv.exec:\dvdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\5xrrlxr.exec:\5xrrlxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\nnhbbh.exec:\nnhbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\9nnhhh.exec:\9nnhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\jpjvj.exec:\jpjvj.exe23⤵
- Executes dropped EXE
PID:4592 -
\??\c:\9rlfxfx.exec:\9rlfxfx.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4356 -
\??\c:\lrlrlrl.exec:\lrlrlrl.exe25⤵
- Executes dropped EXE
PID:760 -
\??\c:\tbbtnn.exec:\tbbtnn.exe26⤵
- Executes dropped EXE
PID:1012 -
\??\c:\jpjdv.exec:\jpjdv.exe27⤵
- Executes dropped EXE
PID:4432 -
\??\c:\djjvp.exec:\djjvp.exe28⤵
- Executes dropped EXE
PID:2744 -
\??\c:\xrrrlrl.exec:\xrrrlrl.exe29⤵
- Executes dropped EXE
PID:3920 -
\??\c:\hhbtnn.exec:\hhbtnn.exe30⤵
- Executes dropped EXE
PID:4768 -
\??\c:\tttnnn.exec:\tttnnn.exe31⤵
- Executes dropped EXE
PID:8 -
\??\c:\dpppj.exec:\dpppj.exe32⤵
- Executes dropped EXE
PID:5100 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe33⤵
- Executes dropped EXE
PID:4240 -
\??\c:\rllffxr.exec:\rllffxr.exe34⤵
- Executes dropped EXE
PID:3460 -
\??\c:\hhbthh.exec:\hhbthh.exe35⤵
- Executes dropped EXE
PID:4944 -
\??\c:\jddjd.exec:\jddjd.exe36⤵
- Executes dropped EXE
PID:1296 -
\??\c:\1dppj.exec:\1dppj.exe37⤵
- Executes dropped EXE
PID:4500 -
\??\c:\rrxxxlx.exec:\rrxxxlx.exe38⤵
- Executes dropped EXE
PID:4088 -
\??\c:\nnhtnh.exec:\nnhtnh.exe39⤵
- Executes dropped EXE
PID:392 -
\??\c:\hbthtn.exec:\hbthtn.exe40⤵
- Executes dropped EXE
PID:4924 -
\??\c:\djdvj.exec:\djdvj.exe41⤵
- Executes dropped EXE
PID:1716 -
\??\c:\frrxlxf.exec:\frrxlxf.exe42⤵
- Executes dropped EXE
PID:2284 -
\??\c:\5xxrlfx.exec:\5xxrlfx.exe43⤵
- Executes dropped EXE
PID:2340 -
\??\c:\nhbthh.exec:\nhbthh.exe44⤵
- Executes dropped EXE
PID:3772 -
\??\c:\vvdvv.exec:\vvdvv.exe45⤵
- Executes dropped EXE
PID:3616 -
\??\c:\ddvpj.exec:\ddvpj.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2104 -
\??\c:\xxxxrrl.exec:\xxxxrrl.exe47⤵
- Executes dropped EXE
PID:4080 -
\??\c:\thhhtt.exec:\thhhtt.exe48⤵
- Executes dropped EXE
PID:3576 -
\??\c:\hhnbtn.exec:\hhnbtn.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3216 -
\??\c:\pjvpj.exec:\pjvpj.exe50⤵
- Executes dropped EXE
PID:2256 -
\??\c:\jvvpj.exec:\jvvpj.exe51⤵
- Executes dropped EXE
PID:2792 -
\??\c:\xxxrxfx.exec:\xxxrxfx.exe52⤵
- Executes dropped EXE
PID:2536 -
\??\c:\bhbbth.exec:\bhbbth.exe53⤵
- Executes dropped EXE
PID:5004 -
\??\c:\3ttnhh.exec:\3ttnhh.exe54⤵
- Executes dropped EXE
PID:3556 -
\??\c:\9dvpj.exec:\9dvpj.exe55⤵
- Executes dropped EXE
PID:4344 -
\??\c:\rlxxxxr.exec:\rlxxxxr.exe56⤵
- Executes dropped EXE
PID:2716 -
\??\c:\xrxrffx.exec:\xrxrffx.exe57⤵
- Executes dropped EXE
PID:3608 -
\??\c:\btttnn.exec:\btttnn.exe58⤵
- Executes dropped EXE
PID:3500 -
\??\c:\dvvpj.exec:\dvvpj.exe59⤵
- Executes dropped EXE
PID:3508 -
\??\c:\jjdvj.exec:\jjdvj.exe60⤵
- Executes dropped EXE
PID:5008 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe61⤵
- Executes dropped EXE
PID:3720 -
\??\c:\tttnnb.exec:\tttnnb.exe62⤵
- Executes dropped EXE
PID:3048 -
\??\c:\5tbtnh.exec:\5tbtnh.exe63⤵
- Executes dropped EXE
PID:2008 -
\??\c:\jdjdj.exec:\jdjdj.exe64⤵
- Executes dropped EXE
PID:4880 -
\??\c:\3flfrlf.exec:\3flfrlf.exe65⤵
- Executes dropped EXE
PID:540 -
\??\c:\fxfxrxr.exec:\fxfxrxr.exe66⤵PID:3224
-
\??\c:\lfxrffr.exec:\lfxrffr.exe67⤵PID:3304
-
\??\c:\ttthbt.exec:\ttthbt.exe68⤵PID:3640
-
\??\c:\vdjdd.exec:\vdjdd.exe69⤵PID:2000
-
\??\c:\xxrlffx.exec:\xxrlffx.exe70⤵PID:3624
-
\??\c:\hnnhhb.exec:\hnnhhb.exe71⤵PID:1848
-
\??\c:\5ddvd.exec:\5ddvd.exe72⤵PID:2380
-
\??\c:\xxlxlrr.exec:\xxlxlrr.exe73⤵PID:2316
-
\??\c:\bnnnhb.exec:\bnnnhb.exe74⤵PID:3068
-
\??\c:\9djdv.exec:\9djdv.exe75⤵PID:4596
-
\??\c:\lxfrlxx.exec:\lxfrlxx.exe76⤵PID:4336
-
\??\c:\nhbtnb.exec:\nhbtnb.exe77⤵PID:2112
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe78⤵PID:1340
-
\??\c:\lxxrrfx.exec:\lxxrrfx.exe79⤵PID:4664
-
\??\c:\7htntb.exec:\7htntb.exe80⤵PID:4504
-
\??\c:\jjpdv.exec:\jjpdv.exe81⤵PID:3920
-
\??\c:\fflfrlx.exec:\fflfrlx.exe82⤵PID:4768
-
\??\c:\ttnnhn.exec:\ttnnhn.exe83⤵PID:804
-
\??\c:\hnttht.exec:\hnttht.exe84⤵PID:4316
-
\??\c:\ddddv.exec:\ddddv.exe85⤵PID:4436
-
\??\c:\rfxrrrl.exec:\rfxrrrl.exe86⤵PID:4484
-
\??\c:\hhbbtt.exec:\hhbbtt.exe87⤵PID:2608
-
\??\c:\ddppv.exec:\ddppv.exe88⤵PID:4288
-
\??\c:\fflfxff.exec:\fflfxff.exe89⤵PID:4500
-
\??\c:\ntbnht.exec:\ntbnht.exe90⤵PID:1996
-
\??\c:\xrlfxrx.exec:\xrlfxrx.exe91⤵PID:1000
-
\??\c:\ntnhhh.exec:\ntnhhh.exe92⤵PID:2348
-
\??\c:\dddvp.exec:\dddvp.exe93⤵PID:868
-
\??\c:\3jddv.exec:\3jddv.exe94⤵PID:2284
-
\??\c:\bbhhtt.exec:\bbhhtt.exe95⤵PID:896
-
\??\c:\vdpjd.exec:\vdpjd.exe96⤵PID:3040
-
\??\c:\bbbbbh.exec:\bbbbbh.exe97⤵PID:3616
-
\??\c:\bbbbhh.exec:\bbbbhh.exe98⤵PID:4932
-
\??\c:\vvvvv.exec:\vvvvv.exe99⤵PID:364
-
\??\c:\fxrrlrr.exec:\fxrrlrr.exe100⤵PID:1640
-
\??\c:\hnttnn.exec:\hnttnn.exe101⤵PID:1904
-
\??\c:\jvpjp.exec:\jvpjp.exe102⤵PID:2140
-
\??\c:\ddddj.exec:\ddddj.exe103⤵PID:1952
-
\??\c:\lxrrllf.exec:\lxrrllf.exe104⤵PID:32
-
\??\c:\hntbbn.exec:\hntbbn.exe105⤵PID:4548
-
\??\c:\ppdjv.exec:\ppdjv.exe106⤵PID:2856
-
\??\c:\3xrllll.exec:\3xrllll.exe107⤵PID:4460
-
\??\c:\bhhbhb.exec:\bhhbhb.exe108⤵PID:3164
-
\??\c:\ntnthn.exec:\ntnthn.exe109⤵PID:2832
-
\??\c:\9pjjj.exec:\9pjjj.exe110⤵PID:2816
-
\??\c:\hnhbhb.exec:\hnhbhb.exe111⤵PID:636
-
\??\c:\3djjd.exec:\3djjd.exe112⤵PID:4324
-
\??\c:\9vvvp.exec:\9vvvp.exe113⤵PID:4612
-
\??\c:\7fllfff.exec:\7fllfff.exe114⤵PID:5048
-
\??\c:\hhnbbh.exec:\hhnbbh.exe115⤵PID:1540
-
\??\c:\ddvvv.exec:\ddvvv.exe116⤵PID:4964
-
\??\c:\xxxrrrr.exec:\xxxrrrr.exe117⤵PID:1480
-
\??\c:\ntntbb.exec:\ntntbb.exe118⤵PID:212
-
\??\c:\xxfflff.exec:\xxfflff.exe119⤵PID:1496
-
\??\c:\rlrrrxx.exec:\rlrrrxx.exe120⤵
- System Location Discovery: System Language Discovery
PID:2812 -
\??\c:\tttthh.exec:\tttthh.exe121⤵PID:4444
-
\??\c:\vpddj.exec:\vpddj.exe122⤵PID:2948