Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe
-
Size
453KB
-
MD5
5c608f30b7ae2164e8b1670a1e1bd270
-
SHA1
f861e7ec850942d6b6ffca7f5f4b7774b415f12d
-
SHA256
a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6
-
SHA512
c1ee64d60172d901adc7e88a6c34a59d0d0df6c6d6a14b98f1f3f02b3f7a113ec15948c654594c5dbdb0f3533d998ac5ff6aaf944699be25d9676598677a87c1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3272-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3344-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/696-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-924-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-1012-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-1034-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3904 jvdpp.exe 1704 nhhbtb.exe 4496 nhbtnh.exe 4844 vjpjd.exe 4824 hbbtnh.exe 4532 vpvpp.exe 4196 rxflrll.exe 3908 9xrllrr.exe 4124 bnnnhn.exe 1364 bnnhhb.exe 224 pdjvp.exe 2828 rxfrlff.exe 928 tnbtnt.exe 1924 lfxllff.exe 5024 tnnhbb.exe 4888 dpvjd.exe 1332 fxxrlfr.exe 4668 rflxfxr.exe 872 5tnhtt.exe 468 vjdvj.exe 3920 xrrrrlf.exe 1532 tthtnh.exe 1488 xrlffxf.exe 3692 frxrllf.exe 4928 5bthbb.exe 3668 9lxrlrr.exe 4236 bhhbtn.exe 3148 lxxlfxr.exe 3328 dvddj.exe 4744 bthbtt.exe 2348 flrfrlf.exe 1696 hthtnn.exe 4508 pjdpd.exe 940 nbhthh.exe 3344 7tbtbb.exe 1772 jppjp.exe 964 lffrlfx.exe 4408 nhnnhh.exe 2132 3jpjj.exe 3100 vvvvp.exe 2460 lxfxrlf.exe 1540 1tnhbb.exe 652 jjdvp.exe 1732 lrxrlfr.exe 5100 rxlxlrf.exe 796 tntttt.exe 4512 jpvjd.exe 4816 5rlxrlf.exe 2368 xrrlfxr.exe 5000 nhhbtt.exe 2268 pjpdv.exe 2528 7llxllf.exe 2040 nhtnbb.exe 4024 1vvjv.exe 4872 frxlfxl.exe 2768 tbnbbb.exe 708 jdjjd.exe 2672 llrlfxr.exe 5068 7ffxrrl.exe 2564 tnnnbb.exe 4308 pvdpj.exe 4824 pvdvj.exe 3520 lflffxx.exe 396 hhhttn.exe -
resource yara_rule behavioral2/memory/3272-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3344-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1440-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-801-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3272 wrote to memory of 3904 3272 a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe 82 PID 3272 wrote to memory of 3904 3272 a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe 82 PID 3272 wrote to memory of 3904 3272 a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe 82 PID 3904 wrote to memory of 1704 3904 jvdpp.exe 83 PID 3904 wrote to memory of 1704 3904 jvdpp.exe 83 PID 3904 wrote to memory of 1704 3904 jvdpp.exe 83 PID 1704 wrote to memory of 4496 1704 nhhbtb.exe 84 PID 1704 wrote to memory of 4496 1704 nhhbtb.exe 84 PID 1704 wrote to memory of 4496 1704 nhhbtb.exe 84 PID 4496 wrote to memory of 4844 4496 nhbtnh.exe 85 PID 4496 wrote to memory of 4844 4496 nhbtnh.exe 85 PID 4496 wrote to memory of 4844 4496 nhbtnh.exe 85 PID 4844 wrote to memory of 4824 4844 vjpjd.exe 86 PID 4844 wrote to memory of 4824 4844 vjpjd.exe 86 PID 4844 wrote to memory of 4824 4844 vjpjd.exe 86 PID 4824 wrote to memory of 4532 4824 hbbtnh.exe 87 PID 4824 wrote to memory of 4532 4824 hbbtnh.exe 87 PID 4824 wrote to memory of 4532 4824 hbbtnh.exe 87 PID 4532 wrote to memory of 4196 4532 vpvpp.exe 88 PID 4532 wrote to memory of 4196 4532 vpvpp.exe 88 PID 4532 wrote to memory of 4196 4532 vpvpp.exe 88 PID 4196 wrote to memory of 3908 4196 rxflrll.exe 89 PID 4196 wrote to memory of 3908 4196 rxflrll.exe 89 PID 4196 wrote to memory of 3908 4196 rxflrll.exe 89 PID 3908 wrote to memory of 4124 3908 9xrllrr.exe 90 PID 3908 wrote to memory of 4124 3908 9xrllrr.exe 90 PID 3908 wrote to memory of 4124 3908 9xrllrr.exe 90 PID 4124 wrote to memory of 1364 4124 bnnnhn.exe 91 PID 4124 wrote to memory of 1364 4124 bnnnhn.exe 91 PID 4124 wrote to memory of 1364 4124 bnnnhn.exe 91 PID 1364 wrote to memory of 224 1364 bnnhhb.exe 92 PID 1364 wrote to memory of 224 1364 bnnhhb.exe 92 PID 1364 wrote to memory of 224 1364 bnnhhb.exe 92 PID 224 wrote to memory of 2828 224 pdjvp.exe 93 PID 224 wrote to memory of 
2828 224 pdjvp.exe 93 PID 224 wrote to memory of 2828 224 pdjvp.exe 93 PID 2828 wrote to memory of 928 2828 rxfrlff.exe 94 PID 2828 wrote to memory of 928 2828 rxfrlff.exe 94 PID 2828 wrote to memory of 928 2828 rxfrlff.exe 94 PID 928 wrote to memory of 1924 928 tnbtnt.exe 95 PID 928 wrote to memory of 1924 928 tnbtnt.exe 95 PID 928 wrote to memory of 1924 928 tnbtnt.exe 95 PID 1924 wrote to memory of 5024 1924 lfxllff.exe 96 PID 1924 wrote to memory of 5024 1924 lfxllff.exe 96 PID 1924 wrote to memory of 5024 1924 lfxllff.exe 96 PID 5024 wrote to memory of 4888 5024 tnnhbb.exe 97 PID 5024 wrote to memory of 4888 5024 tnnhbb.exe 97 PID 5024 wrote to memory of 4888 5024 tnnhbb.exe 97 PID 4888 wrote to memory of 1332 4888 dpvjd.exe 98 PID 4888 wrote to memory of 1332 4888 dpvjd.exe 98 PID 4888 wrote to memory of 1332 4888 dpvjd.exe 98 PID 1332 wrote to memory of 4668 1332 fxxrlfr.exe 99 PID 1332 wrote to memory of 4668 1332 fxxrlfr.exe 99 PID 1332 wrote to memory of 4668 1332 fxxrlfr.exe 99 PID 4668 wrote to memory of 872 4668 rflxfxr.exe 100 PID 4668 wrote to memory of 872 4668 rflxfxr.exe 100 PID 4668 wrote to memory of 872 4668 rflxfxr.exe 100 PID 872 wrote to memory of 468 872 5tnhtt.exe 101 PID 872 wrote to memory of 468 872 5tnhtt.exe 101 PID 872 wrote to memory of 468 872 5tnhtt.exe 101 PID 468 wrote to memory of 3920 468 vjdvj.exe 102 PID 468 wrote to memory of 3920 468 vjdvj.exe 102 PID 468 wrote to memory of 3920 468 vjdvj.exe 102 PID 3920 wrote to memory of 1532 3920 xrrrrlf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe "C:\Users\Admin\AppData\Local\Temp\a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\jvdpp.exec:\jvdpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\nhhbtb.exec:\nhhbtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\nhbtnh.exec:\nhbtnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\vjpjd.exec:\vjpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\hbbtnh.exec:\hbbtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\vpvpp.exec:\vpvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\rxflrll.exec:\rxflrll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\9xrllrr.exec:\9xrllrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\bnnnhn.exec:\bnnnhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\bnnhhb.exec:\bnnhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\pdjvp.exec:\pdjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\rxfrlff.exec:\rxfrlff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\tnbtnt.exec:\tnbtnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\lfxllff.exec:\lfxllff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\tnnhbb.exec:\tnnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\dpvjd.exec:\dpvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\fxxrlfr.exec:\fxxrlfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\rflxfxr.exec:\rflxfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\5tnhtt.exec:\5tnhtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\vjdvj.exec:\vjdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\xrrrrlf.exec:\xrrrrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\tthtnh.exec:\tthtnh.exe23⤵
- Executes dropped EXE
PID:1532 -
\??\c:\xrlffxf.exec:\xrlffxf.exe24⤵
- Executes dropped EXE
PID:1488 -
\??\c:\frxrllf.exec:\frxrllf.exe25⤵
- Executes dropped EXE
PID:3692 -
\??\c:\5bthbb.exec:\5bthbb.exe26⤵
- Executes dropped EXE
PID:4928 -
\??\c:\9lxrlrr.exec:\9lxrlrr.exe27⤵
- Executes dropped EXE
PID:3668 -
\??\c:\bhhbtn.exec:\bhhbtn.exe28⤵
- Executes dropped EXE
PID:4236 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe29⤵
- Executes dropped EXE
PID:3148 -
\??\c:\dvddj.exec:\dvddj.exe30⤵
- Executes dropped EXE
PID:3328 -
\??\c:\bthbtt.exec:\bthbtt.exe31⤵
- Executes dropped EXE
PID:4744 -
\??\c:\flrfrlf.exec:\flrfrlf.exe32⤵
- Executes dropped EXE
PID:2348 -
\??\c:\hthtnn.exec:\hthtnn.exe33⤵
- Executes dropped EXE
PID:1696 -
\??\c:\pjdpd.exec:\pjdpd.exe34⤵
- Executes dropped EXE
PID:4508 -
\??\c:\nbhthh.exec:\nbhthh.exe35⤵
- Executes dropped EXE
PID:940 -
\??\c:\7tbtbb.exec:\7tbtbb.exe36⤵
- Executes dropped EXE
PID:3344 -
\??\c:\jppjp.exec:\jppjp.exe37⤵
- Executes dropped EXE
PID:1772 -
\??\c:\lffrlfx.exec:\lffrlfx.exe38⤵
- Executes dropped EXE
PID:964 -
\??\c:\nhnnhh.exec:\nhnnhh.exe39⤵
- Executes dropped EXE
PID:4408 -
\??\c:\3jpjj.exec:\3jpjj.exe40⤵
- Executes dropped EXE
PID:2132 -
\??\c:\vvvvp.exec:\vvvvp.exe41⤵
- Executes dropped EXE
PID:3100 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe42⤵
- Executes dropped EXE
PID:2460 -
\??\c:\1tnhbb.exec:\1tnhbb.exe43⤵
- Executes dropped EXE
PID:1540 -
\??\c:\jjdvp.exec:\jjdvp.exe44⤵
- Executes dropped EXE
PID:652 -
\??\c:\lrxrlfr.exec:\lrxrlfr.exe45⤵
- Executes dropped EXE
PID:1732 -
\??\c:\rxlxlrf.exec:\rxlxlrf.exe46⤵
- Executes dropped EXE
PID:5100 -
\??\c:\tntttt.exec:\tntttt.exe47⤵
- Executes dropped EXE
PID:796 -
\??\c:\jpvjd.exec:\jpvjd.exe48⤵
- Executes dropped EXE
PID:4512 -
\??\c:\5rlxrlf.exec:\5rlxrlf.exe49⤵
- Executes dropped EXE
PID:4816 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe50⤵
- Executes dropped EXE
PID:2368 -
\??\c:\nhhbtt.exec:\nhhbtt.exe51⤵
- Executes dropped EXE
PID:5000 -
\??\c:\pjpdv.exec:\pjpdv.exe52⤵
- Executes dropped EXE
PID:2268 -
\??\c:\7llxllf.exec:\7llxllf.exe53⤵
- Executes dropped EXE
PID:2528 -
\??\c:\nhtnbb.exec:\nhtnbb.exe54⤵
- Executes dropped EXE
PID:2040 -
\??\c:\1vvjv.exec:\1vvjv.exe55⤵
- Executes dropped EXE
PID:4024 -
\??\c:\rlxllff.exec:\rlxllff.exe56⤵PID:4316
-
\??\c:\frxlfxl.exec:\frxlfxl.exe57⤵
- Executes dropped EXE
PID:4872 -
\??\c:\tbnbbb.exec:\tbnbbb.exe58⤵
- Executes dropped EXE
PID:2768 -
\??\c:\jdjjd.exec:\jdjjd.exe59⤵
- Executes dropped EXE
PID:708 -
\??\c:\llrlfxr.exec:\llrlfxr.exe60⤵
- Executes dropped EXE
PID:2672 -
\??\c:\7ffxrrl.exec:\7ffxrrl.exe61⤵
- Executes dropped EXE
PID:5068 -
\??\c:\tnnnbb.exec:\tnnnbb.exe62⤵
- Executes dropped EXE
PID:2564 -
\??\c:\pvdpj.exec:\pvdpj.exe63⤵
- Executes dropped EXE
PID:4308 -
\??\c:\pvdvj.exec:\pvdvj.exe64⤵
- Executes dropped EXE
PID:4824 -
\??\c:\lflffxx.exec:\lflffxx.exe65⤵
- Executes dropped EXE
PID:3520 -
\??\c:\hhhttn.exec:\hhhttn.exe66⤵
- Executes dropped EXE
PID:396 -
\??\c:\5bnhtn.exec:\5bnhtn.exe67⤵PID:464
-
\??\c:\vvdpd.exec:\vvdpd.exe68⤵PID:3856
-
\??\c:\rflfxrx.exec:\rflfxrx.exe69⤵PID:1376
-
\??\c:\nbtttt.exec:\nbtttt.exe70⤵PID:1076
-
\??\c:\bhthtb.exec:\bhthtb.exe71⤵PID:3528
-
\??\c:\3jddp.exec:\3jddp.exe72⤵PID:1568
-
\??\c:\lffrfxf.exec:\lffrfxf.exe73⤵PID:4332
-
\??\c:\5rlfxrl.exec:\5rlfxrl.exe74⤵PID:2092
-
\??\c:\ttbtnh.exec:\ttbtnh.exe75⤵PID:3036
-
\??\c:\pjjdp.exec:\pjjdp.exe76⤵PID:3940
-
\??\c:\lxlxxrx.exec:\lxlxxrx.exe77⤵PID:988
-
\??\c:\bnhtbb.exec:\bnhtbb.exe78⤵PID:3016
-
\??\c:\5hhbtn.exec:\5hhbtn.exe79⤵PID:696
-
\??\c:\5vppj.exec:\5vppj.exe80⤵PID:3356
-
\??\c:\llrlllx.exec:\llrlllx.exe81⤵PID:4668
-
\??\c:\tnnhbb.exec:\tnnhbb.exe82⤵PID:4260
-
\??\c:\tnthtt.exec:\tnthtt.exe83⤵PID:4852
-
\??\c:\jdpdj.exec:\jdpdj.exe84⤵PID:1136
-
\??\c:\9llfxrl.exec:\9llfxrl.exe85⤵PID:1048
-
\??\c:\hhnhhb.exec:\hhnhhb.exe86⤵PID:4380
-
\??\c:\thhbnh.exec:\thhbnh.exe87⤵PID:4640
-
\??\c:\vvdvj.exec:\vvdvj.exe88⤵PID:1440
-
\??\c:\xflfxrl.exec:\xflfxrl.exe89⤵PID:1444
-
\??\c:\9rlfrrl.exec:\9rlfrrl.exe90⤵PID:3756
-
\??\c:\hhthnh.exec:\hhthnh.exe91⤵PID:5052
-
\??\c:\pddpd.exec:\pddpd.exe92⤵PID:1776
-
\??\c:\rxfrllf.exec:\rxfrllf.exe93⤵PID:1252
-
\??\c:\xrxffxx.exec:\xrxffxx.exe94⤵PID:1572
-
\??\c:\hhtnhh.exec:\hhtnhh.exe95⤵PID:4756
-
\??\c:\djjjd.exec:\djjjd.exe96⤵PID:2280
-
\??\c:\5rrfxrx.exec:\5rrfxrx.exe97⤵PID:2328
-
\??\c:\lrrlxxl.exec:\lrrlxxl.exe98⤵PID:1084
-
\??\c:\thhbnn.exec:\thhbnn.exe99⤵PID:4944
-
\??\c:\pjjjd.exec:\pjjjd.exe100⤵PID:2304
-
\??\c:\lxxfxfx.exec:\lxxfxfx.exe101⤵PID:2168
-
\??\c:\frrlfff.exec:\frrlfff.exe102⤵PID:1380
-
\??\c:\ntbtnn.exec:\ntbtnn.exe103⤵PID:1724
-
\??\c:\jvvjv.exec:\jvvjv.exe104⤵PID:3632
-
\??\c:\xflfrlx.exec:\xflfrlx.exe105⤵PID:4636
-
\??\c:\xflfrrl.exec:\xflfrrl.exe106⤵PID:4356
-
\??\c:\hbhbtt.exec:\hbhbtt.exe107⤵PID:1624
-
\??\c:\pdjdp.exec:\pdjdp.exe108⤵PID:636
-
\??\c:\xlfrxrr.exec:\xlfrxrr.exe109⤵PID:3372
-
\??\c:\htthtn.exec:\htthtn.exe110⤵PID:3948
-
\??\c:\vvdpd.exec:\vvdpd.exe111⤵PID:3828
-
\??\c:\3llfrlx.exec:\3llfrlx.exe112⤵PID:3472
-
\??\c:\7nnbtn.exec:\7nnbtn.exe113⤵PID:1732
-
\??\c:\nhbthb.exec:\nhbthb.exe114⤵PID:2112
-
\??\c:\7jdpd.exec:\7jdpd.exe115⤵PID:796
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe116⤵PID:2536
-
\??\c:\bnbntn.exec:\bnbntn.exe117⤵PID:4672
-
\??\c:\9vpjv.exec:\9vpjv.exe118⤵PID:2464
-
\??\c:\jjjdd.exec:\jjjdd.exe119⤵PID:2808
-
\??\c:\fxfxllf.exec:\fxfxllf.exe120⤵PID:2560
-
\??\c:\tttttt.exec:\tttttt.exe121⤵PID:3220
-
\??\c:\btbtnn.exec:\btbtnn.exe122⤵PID:4320
-