Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 19:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe
-
Size
454KB
-
MD5
26e47a741468ae2447aef83a6c757333
-
SHA1
67b02a8d491a13031954390fd8a9582871f85c92
-
SHA256
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a
-
SHA512
05d40185474e5a31b99516b60af9e2c528e00fce7979564ce9c1eefa7033cea75c3d3e01721bbdd0a0f8e672f0d3e2ac47cbae7be11aabc39b0f04574a596c15
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH2:q7Tc2NYHUrAwfMp3CDH2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2804-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4236-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/796-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/712-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-1359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/8-1640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 452 vppjv.exe 4624 nhthbb.exe 4844 jjvpd.exe 1020 rlffxff.exe 4664 bhhhbb.exe 4596 hnbbtb.exe 2700 7xxrffx.exe 4144 tttnht.exe 3612 htbthh.exe 4540 rrrlllf.exe 1344 nbhhhh.exe 1840 xlrlfxr.exe 1752 hnnbth.exe 3036 bnhthb.exe 5024 jjpdv.exe 4888 pjdpd.exe 5032 xrrlffl.exe 5040 vppdv.exe 3788 rxfrfrl.exe 3936 thbtnh.exe 2644 nnhbnh.exe 408 7xfxrrl.exe 3396 nnbbhh.exe 4892 nbnbtt.exe 2392 httnhh.exe 4236 9pvjj.exe 3148 jjvpj.exe 1244 rfffxxx.exe 4756 vpvpp.exe 1948 jdpjp.exe 3056 jppjd.exe 2888 flrfrxr.exe 2304 jjvjd.exe 3664 xrrxxrx.exe 3192 nthhbb.exe 2124 djjdj.exe 3864 ffrrxrx.exe 4616 flrrllf.exe 2868 tnbhtt.exe 4884 ddddv.exe 3760 7xfrffx.exe 2964 lfxrrlf.exe 3956 btnhtb.exe 2704 jpjvj.exe 796 xfrrllf.exe 2172 lxxlffr.exe 4816 nnnhbb.exe 2368 jvddv.exe 3456 rrrlxff.exe 4080 lfffxxr.exe 2528 btnntt.exe 2040 1hhbnt.exe 4024 pvdjd.exe 4568 fxxxrrl.exe 1824 1ntnbb.exe 3332 jpvvv.exe 5068 rrlfxrl.exe 4488 bttnnn.exe 1020 vdpjv.exe 1568 pvdpj.exe 2180 9hhbtt.exe 1492 thbbnn.exe 1940 jdddd.exe 464 xflfrll.exe -
resource yara_rule behavioral2/memory/2804-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4756-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2392-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-884-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-1319-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxlfl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvp.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2804 wrote to memory of 452 2804 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 82 PID 2804 wrote to memory of 452 2804 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 82 PID 2804 wrote to memory of 452 2804 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 82 PID 452 wrote to memory of 4624 452 vppjv.exe 83 PID 452 wrote to memory of 4624 452 vppjv.exe 83 PID 452 wrote to memory of 4624 452 vppjv.exe 83 PID 4624 wrote to memory of 4844 4624 nhthbb.exe 84 PID 4624 wrote to memory of 4844 4624 nhthbb.exe 84 PID 4624 wrote to memory of 4844 4624 nhthbb.exe 84 PID 4844 wrote to memory of 1020 4844 jjvpd.exe 85 PID 4844 wrote to memory of 1020 4844 jjvpd.exe 85 PID 4844 wrote to memory of 1020 4844 jjvpd.exe 85 PID 1020 wrote to memory of 4664 1020 rlffxff.exe 86 PID 1020 wrote to memory of 4664 1020 rlffxff.exe 86 PID 1020 wrote to memory of 4664 1020 rlffxff.exe 86 PID 4664 wrote to memory of 4596 4664 bhhhbb.exe 87 PID 4664 wrote to memory of 4596 4664 bhhhbb.exe 87 PID 4664 wrote to memory of 4596 4664 bhhhbb.exe 87 PID 4596 wrote to memory of 2700 4596 hnbbtb.exe 88 PID 4596 wrote to memory of 2700 4596 hnbbtb.exe 88 PID 4596 wrote to memory of 2700 4596 hnbbtb.exe 88 PID 2700 wrote to memory of 4144 2700 7xxrffx.exe 89 PID 2700 wrote to memory of 4144 2700 7xxrffx.exe 89 PID 2700 wrote to memory of 4144 2700 7xxrffx.exe 89 PID 4144 wrote to memory of 3612 4144 tttnht.exe 90 PID 4144 wrote to memory of 3612 4144 tttnht.exe 90 PID 4144 wrote to memory of 3612 4144 tttnht.exe 90 PID 3612 wrote to memory of 4540 3612 htbthh.exe 91 PID 3612 wrote to memory of 4540 3612 htbthh.exe 91 PID 3612 wrote to memory of 4540 3612 htbthh.exe 91 PID 4540 wrote to memory of 1344 4540 rrrlllf.exe 92 PID 4540 wrote to memory of 1344 4540 rrrlllf.exe 92 PID 4540 wrote to memory of 1344 4540 rrrlllf.exe 92 PID 1344 wrote to memory of 1840 1344 nbhhhh.exe 93 PID 1344 wrote to memory 
of 1840 1344 nbhhhh.exe 93 PID 1344 wrote to memory of 1840 1344 nbhhhh.exe 93 PID 1840 wrote to memory of 1752 1840 xlrlfxr.exe 94 PID 1840 wrote to memory of 1752 1840 xlrlfxr.exe 94 PID 1840 wrote to memory of 1752 1840 xlrlfxr.exe 94 PID 1752 wrote to memory of 3036 1752 hnnbth.exe 95 PID 1752 wrote to memory of 3036 1752 hnnbth.exe 95 PID 1752 wrote to memory of 3036 1752 hnnbth.exe 95 PID 3036 wrote to memory of 5024 3036 bnhthb.exe 96 PID 3036 wrote to memory of 5024 3036 bnhthb.exe 96 PID 3036 wrote to memory of 5024 3036 bnhthb.exe 96 PID 5024 wrote to memory of 4888 5024 jjpdv.exe 97 PID 5024 wrote to memory of 4888 5024 jjpdv.exe 97 PID 5024 wrote to memory of 4888 5024 jjpdv.exe 97 PID 4888 wrote to memory of 5032 4888 pjdpd.exe 98 PID 4888 wrote to memory of 5032 4888 pjdpd.exe 98 PID 4888 wrote to memory of 5032 4888 pjdpd.exe 98 PID 5032 wrote to memory of 5040 5032 xrrlffl.exe 99 PID 5032 wrote to memory of 5040 5032 xrrlffl.exe 99 PID 5032 wrote to memory of 5040 5032 xrrlffl.exe 99 PID 5040 wrote to memory of 3788 5040 vppdv.exe 100 PID 5040 wrote to memory of 3788 5040 vppdv.exe 100 PID 5040 wrote to memory of 3788 5040 vppdv.exe 100 PID 3788 wrote to memory of 3936 3788 rxfrfrl.exe 101 PID 3788 wrote to memory of 3936 3788 rxfrfrl.exe 101 PID 3788 wrote to memory of 3936 3788 rxfrfrl.exe 101 PID 3936 wrote to memory of 2644 3936 thbtnh.exe 102 PID 3936 wrote to memory of 2644 3936 thbtnh.exe 102 PID 3936 wrote to memory of 2644 3936 thbtnh.exe 102 PID 2644 wrote to memory of 408 2644 nnhbnh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe"C:\Users\Admin\AppData\Local\Temp\11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\vppjv.exec:\vppjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\nhthbb.exec:\nhthbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\jjvpd.exec:\jjvpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\rlffxff.exec:\rlffxff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\bhhhbb.exec:\bhhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\hnbbtb.exec:\hnbbtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\7xxrffx.exec:\7xxrffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\tttnht.exec:\tttnht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\htbthh.exec:\htbthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\rrrlllf.exec:\rrrlllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\nbhhhh.exec:\nbhhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\hnnbth.exec:\hnnbth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\bnhthb.exec:\bnhthb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\jjpdv.exec:\jjpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\pjdpd.exec:\pjdpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\xrrlffl.exec:\xrrlffl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\vppdv.exec:\vppdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\rxfrfrl.exec:\rxfrfrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\thbtnh.exec:\thbtnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\nnhbnh.exec:\nnhbnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\7xfxrrl.exec:\7xfxrrl.exe23⤵
- Executes dropped EXE
PID:408 -
\??\c:\nnbbhh.exec:\nnbbhh.exe24⤵
- Executes dropped EXE
PID:3396 -
\??\c:\nbnbtt.exec:\nbnbtt.exe25⤵
- Executes dropped EXE
PID:4892 -
\??\c:\httnhh.exec:\httnhh.exe26⤵
- Executes dropped EXE
PID:2392 -
\??\c:\9pvjj.exec:\9pvjj.exe27⤵
- Executes dropped EXE
PID:4236 -
\??\c:\jjvpj.exec:\jjvpj.exe28⤵
- Executes dropped EXE
PID:3148 -
\??\c:\rfffxxx.exec:\rfffxxx.exe29⤵
- Executes dropped EXE
PID:1244 -
\??\c:\vpvpp.exec:\vpvpp.exe30⤵
- Executes dropped EXE
PID:4756 -
\??\c:\jdpjp.exec:\jdpjp.exe31⤵
- Executes dropped EXE
PID:1948 -
\??\c:\jppjd.exec:\jppjd.exe32⤵
- Executes dropped EXE
PID:3056 -
\??\c:\flrfrxr.exec:\flrfrxr.exe33⤵
- Executes dropped EXE
PID:2888 -
\??\c:\jjvjd.exec:\jjvjd.exe34⤵
- Executes dropped EXE
PID:2304 -
\??\c:\xrrxxrx.exec:\xrrxxrx.exe35⤵
- Executes dropped EXE
PID:3664 -
\??\c:\nthhbb.exec:\nthhbb.exe36⤵
- Executes dropped EXE
PID:3192 -
\??\c:\djjdj.exec:\djjdj.exe37⤵
- Executes dropped EXE
PID:2124 -
\??\c:\ffrrxrx.exec:\ffrrxrx.exe38⤵
- Executes dropped EXE
PID:3864 -
\??\c:\flrrllf.exec:\flrrllf.exe39⤵
- Executes dropped EXE
PID:4616 -
\??\c:\tnbhtt.exec:\tnbhtt.exe40⤵
- Executes dropped EXE
PID:2868 -
\??\c:\ddddv.exec:\ddddv.exe41⤵
- Executes dropped EXE
PID:4884 -
\??\c:\7xfrffx.exec:\7xfrffx.exe42⤵
- Executes dropped EXE
PID:3760 -
\??\c:\lfxrrlf.exec:\lfxrrlf.exe43⤵
- Executes dropped EXE
PID:2964 -
\??\c:\btnhtb.exec:\btnhtb.exe44⤵
- Executes dropped EXE
PID:3956 -
\??\c:\jpjvj.exec:\jpjvj.exe45⤵
- Executes dropped EXE
PID:2704 -
\??\c:\xfrrllf.exec:\xfrrllf.exe46⤵
- Executes dropped EXE
PID:796 -
\??\c:\lxxlffr.exec:\lxxlffr.exe47⤵
- Executes dropped EXE
PID:2172 -
\??\c:\nnnhbb.exec:\nnnhbb.exe48⤵
- Executes dropped EXE
PID:4816 -
\??\c:\jvddv.exec:\jvddv.exe49⤵
- Executes dropped EXE
PID:2368 -
\??\c:\rrrlxff.exec:\rrrlxff.exe50⤵
- Executes dropped EXE
PID:3456 -
\??\c:\lfffxxr.exec:\lfffxxr.exe51⤵
- Executes dropped EXE
PID:4080 -
\??\c:\btnntt.exec:\btnntt.exe52⤵
- Executes dropped EXE
PID:2528 -
\??\c:\1hhbnt.exec:\1hhbnt.exe53⤵
- Executes dropped EXE
PID:2040 -
\??\c:\pvdjd.exec:\pvdjd.exe54⤵
- Executes dropped EXE
PID:4024 -
\??\c:\flxlffx.exec:\flxlffx.exe55⤵PID:4468
-
\??\c:\fxxxrrl.exec:\fxxxrrl.exe56⤵
- Executes dropped EXE
PID:4568 -
\??\c:\1ntnbb.exec:\1ntnbb.exe57⤵
- Executes dropped EXE
PID:1824 -
\??\c:\jpvvv.exec:\jpvvv.exe58⤵
- Executes dropped EXE
PID:3332 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5068 -
\??\c:\bttnnn.exec:\bttnnn.exe60⤵
- Executes dropped EXE
PID:4488 -
\??\c:\vdpjv.exec:\vdpjv.exe61⤵
- Executes dropped EXE
PID:1020 -
\??\c:\pvdpj.exec:\pvdpj.exe62⤵
- Executes dropped EXE
PID:1568 -
\??\c:\9hhbtt.exec:\9hhbtt.exe63⤵
- Executes dropped EXE
PID:2180 -
\??\c:\thbbnn.exec:\thbbnn.exe64⤵
- Executes dropped EXE
PID:1492 -
\??\c:\jdddd.exec:\jdddd.exe65⤵
- Executes dropped EXE
PID:1940 -
\??\c:\xflfrll.exec:\xflfrll.exe66⤵
- Executes dropped EXE
PID:464 -
\??\c:\btbtbn.exec:\btbtbn.exe67⤵PID:1868
-
\??\c:\tnbthh.exec:\tnbthh.exe68⤵PID:3972
-
\??\c:\jpppj.exec:\jpppj.exe69⤵PID:2568
-
\??\c:\xrrfrrf.exec:\xrrfrrf.exe70⤵PID:1056
-
\??\c:\rflfrrl.exec:\rflfrrl.exe71⤵PID:4588
-
\??\c:\thtnhb.exec:\thtnhb.exe72⤵PID:1604
-
\??\c:\7fxrffx.exec:\7fxrffx.exe73⤵PID:4000
-
\??\c:\1rxxlfl.exec:\1rxxlfl.exe74⤵PID:232
-
\??\c:\tbhtnh.exec:\tbhtnh.exe75⤵PID:712
-
\??\c:\jjvjp.exec:\jjvjp.exe76⤵PID:1924
-
\??\c:\fllfrrl.exec:\fllfrrl.exe77⤵PID:2576
-
\??\c:\htbtnh.exec:\htbtnh.exe78⤵PID:3016
-
\??\c:\ntbtth.exec:\ntbtth.exe79⤵PID:4888
-
\??\c:\pjjdv.exec:\pjjdv.exe80⤵PID:2732
-
\??\c:\lffxllf.exec:\lffxllf.exe81⤵PID:3356
-
\??\c:\hthbtt.exec:\hthbtt.exe82⤵PID:2968
-
\??\c:\jpvpj.exec:\jpvpj.exe83⤵PID:3936
-
\??\c:\pjjvd.exec:\pjjvd.exe84⤵PID:1548
-
\??\c:\frllffx.exec:\frllffx.exe85⤵PID:5076
-
\??\c:\thnbtt.exec:\thnbtt.exe86⤵PID:1488
-
\??\c:\3dpjj.exec:\3dpjj.exe87⤵PID:3692
-
\??\c:\9pdvv.exec:\9pdvv.exe88⤵PID:3852
-
\??\c:\rrfrllf.exec:\rrfrllf.exe89⤵PID:3668
-
\??\c:\nntntt.exec:\nntntt.exe90⤵PID:4892
-
\??\c:\dvvpp.exec:\dvvpp.exe91⤵PID:4232
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe92⤵PID:2392
-
\??\c:\ttbhbb.exec:\ttbhbb.exe93⤵PID:4520
-
\??\c:\hhbbbb.exec:\hhbbbb.exe94⤵PID:3148
-
\??\c:\dvjpd.exec:\dvjpd.exe95⤵PID:4744
-
\??\c:\xrxrffx.exec:\xrxrffx.exe96⤵PID:4920
-
\??\c:\1flfxxr.exec:\1flfxxr.exe97⤵PID:548
-
\??\c:\ntbtnn.exec:\ntbtnn.exe98⤵PID:4940
-
\??\c:\5jpjd.exec:\5jpjd.exe99⤵PID:1696
-
\??\c:\xrfxffl.exec:\xrfxffl.exe100⤵PID:1208
-
\??\c:\3ttnhb.exec:\3ttnhb.exe101⤵PID:940
-
\??\c:\tnbttt.exec:\tnbttt.exe102⤵PID:2600
-
\??\c:\dpvpp.exec:\dpvpp.exe103⤵PID:1724
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe104⤵PID:3632
-
\??\c:\9btnhh.exec:\9btnhh.exe105⤵PID:3844
-
\??\c:\tbhbtt.exec:\tbhbtt.exe106⤵PID:3100
-
\??\c:\rlrfrrf.exec:\rlrfrrf.exe107⤵PID:5016
-
\??\c:\tttnhh.exec:\tttnhh.exe108⤵PID:2776
-
\??\c:\tbnhbh.exec:\tbnhbh.exe109⤵PID:3828
-
\??\c:\dvjdj.exec:\dvjdj.exe110⤵PID:652
-
\??\c:\pjpdv.exec:\pjpdv.exe111⤵PID:2848
-
\??\c:\lflfxxr.exec:\lflfxxr.exe112⤵PID:4660
-
\??\c:\nnbntn.exec:\nnbntn.exe113⤵PID:2112
-
\??\c:\ppddp.exec:\ppddp.exe114⤵PID:3156
-
\??\c:\vjpjd.exec:\vjpjd.exe115⤵PID:2172
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe116⤵PID:2812
-
\??\c:\nnnhbb.exec:\nnnhbb.exe117⤵PID:3960
-
\??\c:\pdjvp.exec:\pdjvp.exe118⤵PID:3456
-
\??\c:\frxrlff.exec:\frxrlff.exe119⤵PID:4080
-
\??\c:\fffrlff.exec:\fffrlff.exe120⤵PID:1996
-
\??\c:\7tnhbt.exec:\7tnhbt.exe121⤵PID:4300
-
\??\c:\vvvvv.exec:\vvvvv.exe122⤵PID:4332