Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25/12/2024, 16:56
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9fccd5daa4568e4c14289380687b5e23921db283bc2965efc747fe2ed611aa90N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
9fccd5daa4568e4c14289380687b5e23921db283bc2965efc747fe2ed611aa90N.exe
-
Size
454KB
-
MD5
877fbcfb32c08c5eadef9863fb56ea10
-
SHA1
57ec43b1ab45f7fa3cbe67b05ed5552673301149
-
SHA256
9fccd5daa4568e4c14289380687b5e23921db283bc2965efc747fe2ed611aa90
-
SHA512
c7027eeae7f1a5effbe46c49cc2e79d47e6d37ebd847c64e908471a5f90357c9695f7ee5576bb4a0083e4d3f817fae6c45adc3d7689145dbf0bb103def5ccc0c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload (63 IoCs). Every hit below is on the same 0x00400000–0x0042A000 image range of each dropped process, consistent with each stage being a copy of the same unpacked image.
resource yara_rule behavioral2/memory/2760-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1584-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2276-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-1015-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-1092-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-1598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs). Note that PIDs recur in this list (e.g. 3528 is reported for both 7rllfll.exe and jdpjv.exe) because earlier stages exit and Windows reuses their identifiers; correlate on PID plus image name rather than on PID alone.
pid Process 2908 bbttht.exe 3872 rxrrrrl.exe 4564 bnhbth.exe 1940 5nbbtb.exe 3920 vdddd.exe 3528 7rllfll.exe 4960 tnhhht.exe 3152 pvddv.exe 4332 jvvpj.exe 3092 ddvvv.exe 1056 lxrllll.exe 3908 llxxxxf.exe 1660 dpvpj.exe 936 rrlffff.exe 4516 xrrrrrr.exe 4964 pvjjd.exe 1792 xffxxfx.exe 3928 hntnbb.exe 3764 7jvvd.exe 2528 xxllxxx.exe 2216 bhbhnh.exe 3140 ddvvv.exe 4396 xfffxxx.exe 2548 7nbtbb.exe 3016 fxrrrrr.exe 4664 tbnhbb.exe 4216 rrrxxxf.exe 2260 7jjdd.exe 4436 7lrrxff.exe 452 tbhhbb.exe 1584 ntnnhh.exe 1020 5ttttb.exe 3744 rfrrfrl.exe 1468 1nhbtt.exe 1728 ppvpp.exe 760 lxxrrrr.exe 3788 3pvvd.exe 364 jjpjp.exe 3232 5djjd.exe 5072 lxffxxr.exe 1636 hbbhtn.exe 3124 djpdd.exe 3544 5xxrlll.exe 3912 tntttt.exe 1476 djjdd.exe 2588 rrffxff.exe 4276 7hhbtt.exe 2376 vdvpp.exe 3668 vddjd.exe 2812 rrrffrr.exe 2992 tbhhnn.exe 3004 nnbtnn.exe 2264 djddd.exe 2468 1xfffrx.exe 2764 1nnnnt.exe 3932 jddjp.exe 3528 jdpjv.exe 3636 rflrrxx.exe 4940 bhbnhh.exe 5060 hhttht.exe 828 djvpd.exe 320 xxfflll.exe 4064 3tbhbt.exe 2852 pvvpp.exe -
resource yara_rule behavioral2/memory/2760-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3744-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/432-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-1015-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001; 1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory (64 IoCs). Each parent writes only into the child it has just spawned (2760 → 2908 → 3872 → …), so the writes form a single linear chain of stages rather than injection into unrelated processes.
description pid Process procid_target PID 2760 wrote to memory of 2908 2760 9fccd5daa4568e4c14289380687b5e23921db283bc2965efc747fe2ed611aa90N.exe 83 PID 2760 wrote to memory of 2908 2760 9fccd5daa4568e4c14289380687b5e23921db283bc2965efc747fe2ed611aa90N.exe 83 PID 2760 wrote to memory of 2908 2760 9fccd5daa4568e4c14289380687b5e23921db283bc2965efc747fe2ed611aa90N.exe 83 PID 2908 wrote to memory of 3872 2908 bbttht.exe 84 PID 2908 wrote to memory of 3872 2908 bbttht.exe 84 PID 2908 wrote to memory of 3872 2908 bbttht.exe 84 PID 3872 wrote to memory of 4564 3872 rxrrrrl.exe 85 PID 3872 wrote to memory of 4564 3872 rxrrrrl.exe 85 PID 3872 wrote to memory of 4564 3872 rxrrrrl.exe 85 PID 4564 wrote to memory of 1940 4564 bnhbth.exe 86 PID 4564 wrote to memory of 1940 4564 bnhbth.exe 86 PID 4564 wrote to memory of 1940 4564 bnhbth.exe 86 PID 1940 wrote to memory of 3920 1940 5nbbtb.exe 87 PID 1940 wrote to memory of 3920 1940 5nbbtb.exe 87 PID 1940 wrote to memory of 3920 1940 5nbbtb.exe 87 PID 3920 wrote to memory of 3528 3920 vdddd.exe 88 PID 3920 wrote to memory of 3528 3920 vdddd.exe 88 PID 3920 wrote to memory of 3528 3920 vdddd.exe 88 PID 3528 wrote to memory of 4960 3528 7rllfll.exe 89 PID 3528 wrote to memory of 4960 3528 7rllfll.exe 89 PID 3528 wrote to memory of 4960 3528 7rllfll.exe 89 PID 4960 wrote to memory of 3152 4960 tnhhht.exe 90 PID 4960 wrote to memory of 3152 4960 tnhhht.exe 90 PID 4960 wrote to memory of 3152 4960 tnhhht.exe 90 PID 3152 wrote to memory of 4332 3152 pvddv.exe 91 PID 3152 wrote to memory of 4332 3152 pvddv.exe 91 PID 3152 wrote to memory of 4332 3152 pvddv.exe 91 PID 4332 wrote to memory of 3092 4332 jvvpj.exe 92 PID 4332 wrote to memory of 3092 4332 jvvpj.exe 92 PID 4332 wrote to memory of 3092 4332 jvvpj.exe 92 PID 3092 wrote to memory of 1056 3092 ddvvv.exe 93 PID 3092 wrote to memory of 1056 3092 ddvvv.exe 93 PID 3092 wrote to memory of 1056 3092 ddvvv.exe 93 PID 1056 wrote to memory of 3908 1056 lxrllll.exe 94 PID 1056 wrote to 
memory of 3908 1056 lxrllll.exe 94 PID 1056 wrote to memory of 3908 1056 lxrllll.exe 94 PID 3908 wrote to memory of 1660 3908 llxxxxf.exe 95 PID 3908 wrote to memory of 1660 3908 llxxxxf.exe 95 PID 3908 wrote to memory of 1660 3908 llxxxxf.exe 95 PID 1660 wrote to memory of 936 1660 dpvpj.exe 96 PID 1660 wrote to memory of 936 1660 dpvpj.exe 96 PID 1660 wrote to memory of 936 1660 dpvpj.exe 96 PID 936 wrote to memory of 4516 936 rrlffff.exe 97 PID 936 wrote to memory of 4516 936 rrlffff.exe 97 PID 936 wrote to memory of 4516 936 rrlffff.exe 97 PID 4516 wrote to memory of 4964 4516 xrrrrrr.exe 98 PID 4516 wrote to memory of 4964 4516 xrrrrrr.exe 98 PID 4516 wrote to memory of 4964 4516 xrrrrrr.exe 98 PID 4964 wrote to memory of 1792 4964 pvjjd.exe 99 PID 4964 wrote to memory of 1792 4964 pvjjd.exe 99 PID 4964 wrote to memory of 1792 4964 pvjjd.exe 99 PID 1792 wrote to memory of 3928 1792 xffxxfx.exe 100 PID 1792 wrote to memory of 3928 1792 xffxxfx.exe 100 PID 1792 wrote to memory of 3928 1792 xffxxfx.exe 100 PID 3928 wrote to memory of 3764 3928 hntnbb.exe 101 PID 3928 wrote to memory of 3764 3928 hntnbb.exe 101 PID 3928 wrote to memory of 3764 3928 hntnbb.exe 101 PID 3764 wrote to memory of 2528 3764 7jvvd.exe 102 PID 3764 wrote to memory of 2528 3764 7jvvd.exe 102 PID 3764 wrote to memory of 2528 3764 7jvvd.exe 102 PID 2528 wrote to memory of 2216 2528 xxllxxx.exe 103 PID 2528 wrote to memory of 2216 2528 xxllxxx.exe 103 PID 2528 wrote to memory of 2216 2528 xxllxxx.exe 103 PID 2216 wrote to memory of 3140 2216 bhbhnh.exe 104
Processes — each stage is a dropped executable written to the root of C:\ (\??\c:\<name>.exe) under a short random-looking name that in turn launches the next stage; the tree reaches 122 levels within the 120 s run.
-
C:\Users\Admin\AppData\Local\Temp\9fccd5daa4568e4c14289380687b5e23921db283bc2965efc747fe2ed611aa90N.exe"C:\Users\Admin\AppData\Local\Temp\9fccd5daa4568e4c14289380687b5e23921db283bc2965efc747fe2ed611aa90N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\bbttht.exec:\bbttht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\rxrrrrl.exec:\rxrrrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\bnhbth.exec:\bnhbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\5nbbtb.exec:\5nbbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\vdddd.exec:\vdddd.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\7rllfll.exec:\7rllfll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\tnhhht.exec:\tnhhht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\pvddv.exec:\pvddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\jvvpj.exec:\jvvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\ddvvv.exec:\ddvvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\lxrllll.exec:\lxrllll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\llxxxxf.exec:\llxxxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\dpvpj.exec:\dpvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\rrlffff.exec:\rrlffff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\xrrrrrr.exec:\xrrrrrr.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\pvjjd.exec:\pvjjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\xffxxfx.exec:\xffxxfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\hntnbb.exec:\hntnbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\7jvvd.exec:\7jvvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\xxllxxx.exec:\xxllxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\bhbhnh.exec:\bhbhnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\ddvvv.exec:\ddvvv.exe23⤵
- Executes dropped EXE
PID:3140 -
\??\c:\xfffxxx.exec:\xfffxxx.exe24⤵
- Executes dropped EXE
PID:4396 -
\??\c:\7nbtbb.exec:\7nbtbb.exe25⤵
- Executes dropped EXE
PID:2548 -
\??\c:\fxrrrrr.exec:\fxrrrrr.exe26⤵
- Executes dropped EXE
PID:3016 -
\??\c:\tbnhbb.exec:\tbnhbb.exe27⤵
- Executes dropped EXE
PID:4664 -
\??\c:\rrrxxxf.exec:\rrrxxxf.exe28⤵
- Executes dropped EXE
PID:4216 -
\??\c:\7jjdd.exec:\7jjdd.exe29⤵
- Executes dropped EXE
PID:2260 -
\??\c:\7lrrxff.exec:\7lrrxff.exe30⤵
- Executes dropped EXE
PID:4436 -
\??\c:\tbhhbb.exec:\tbhhbb.exe31⤵
- Executes dropped EXE
PID:452 -
\??\c:\ntnnhh.exec:\ntnnhh.exe32⤵
- Executes dropped EXE
PID:1584 -
\??\c:\5ttttb.exec:\5ttttb.exe33⤵
- Executes dropped EXE
PID:1020 -
\??\c:\rfrrfrl.exec:\rfrrfrl.exe34⤵
- Executes dropped EXE
PID:3744 -
\??\c:\1nhbtt.exec:\1nhbtt.exe35⤵
- Executes dropped EXE
PID:1468 -
\??\c:\ppvpp.exec:\ppvpp.exe36⤵
- Executes dropped EXE
PID:1728 -
\??\c:\lxxrrrr.exec:\lxxrrrr.exe37⤵
- Executes dropped EXE
PID:760 -
\??\c:\3pvvd.exec:\3pvvd.exe38⤵
- Executes dropped EXE
PID:3788 -
\??\c:\jjpjp.exec:\jjpjp.exe39⤵
- Executes dropped EXE
PID:364 -
\??\c:\5djjd.exec:\5djjd.exe40⤵
- Executes dropped EXE
PID:3232 -
\??\c:\lxffxxr.exec:\lxffxxr.exe41⤵
- Executes dropped EXE
PID:5072 -
\??\c:\hbbhtn.exec:\hbbhtn.exe42⤵
- Executes dropped EXE
PID:1636 -
\??\c:\djpdd.exec:\djpdd.exe43⤵
- Executes dropped EXE
PID:3124 -
\??\c:\5xxrlll.exec:\5xxrlll.exe44⤵
- Executes dropped EXE
PID:3544 -
\??\c:\tntttt.exec:\tntttt.exe45⤵
- Executes dropped EXE
PID:3912 -
\??\c:\djjdd.exec:\djjdd.exe46⤵
- Executes dropped EXE
PID:1476 -
\??\c:\rrffxff.exec:\rrffxff.exe47⤵
- Executes dropped EXE
PID:2588 -
\??\c:\7hhbtt.exec:\7hhbtt.exe48⤵
- Executes dropped EXE
PID:4276 -
\??\c:\vdvpp.exec:\vdvpp.exe49⤵
- Executes dropped EXE
PID:2376 -
\??\c:\vddjd.exec:\vddjd.exe50⤵
- Executes dropped EXE
PID:3668 -
\??\c:\rrrffrr.exec:\rrrffrr.exe51⤵
- Executes dropped EXE
PID:2812 -
\??\c:\tbhhnn.exec:\tbhhnn.exe52⤵
- Executes dropped EXE
PID:2992 -
\??\c:\nnbtnn.exec:\nnbtnn.exe53⤵
- Executes dropped EXE
PID:3004 -
\??\c:\djddd.exec:\djddd.exe54⤵
- Executes dropped EXE
PID:2264 -
\??\c:\1xfffrx.exec:\1xfffrx.exe55⤵
- Executes dropped EXE
PID:2468 -
\??\c:\1nnnnt.exec:\1nnnnt.exe56⤵
- Executes dropped EXE
PID:2764 -
\??\c:\jddjp.exec:\jddjp.exe57⤵
- Executes dropped EXE
PID:3932 -
\??\c:\jdpjv.exec:\jdpjv.exe58⤵
- Executes dropped EXE
PID:3528 -
\??\c:\rflrrxx.exec:\rflrrxx.exe59⤵
- Executes dropped EXE
PID:3636 -
\??\c:\bhbnhh.exec:\bhbnhh.exe60⤵
- Executes dropped EXE
PID:4940 -
\??\c:\hhttht.exec:\hhttht.exe61⤵
- Executes dropped EXE
PID:5060 -
\??\c:\djvpd.exec:\djvpd.exe62⤵
- Executes dropped EXE
PID:828 -
\??\c:\xxfflll.exec:\xxfflll.exe63⤵
- Executes dropped EXE
PID:320 -
\??\c:\3tbhbt.exec:\3tbhbt.exe64⤵
- Executes dropped EXE
PID:4064 -
\??\c:\pvvpp.exec:\pvvpp.exe65⤵
- Executes dropped EXE
PID:2852 -
\??\c:\jpdvp.exec:\jpdvp.exe66⤵PID:3524
-
\??\c:\rlxrllx.exec:\rlxrllx.exe67⤵PID:728
-
\??\c:\9htnbh.exec:\9htnbh.exe68⤵PID:4000
-
\??\c:\5jpjd.exec:\5jpjd.exe69⤵PID:4840
-
\??\c:\llffrrl.exec:\llffrrl.exe70⤵PID:4448
-
\??\c:\5tbnhn.exec:\5tbnhn.exe71⤵
- System Location Discovery: System Language Discovery
PID:3852 -
\??\c:\djvpj.exec:\djvpj.exe72⤵PID:3840
-
\??\c:\fxxffll.exec:\fxxffll.exe73⤵PID:3624
-
\??\c:\rrffrrf.exec:\rrffrrf.exe74⤵PID:3056
-
\??\c:\hhhhhh.exec:\hhhhhh.exe75⤵PID:4992
-
\??\c:\djppd.exec:\djppd.exe76⤵PID:2340
-
\??\c:\9xllrxf.exec:\9xllrxf.exe77⤵PID:2800
-
\??\c:\ffxxrrr.exec:\ffxxrrr.exe78⤵PID:1936
-
\??\c:\nnnnhh.exec:\nnnnhh.exe79⤵PID:2276
-
\??\c:\ntbhnn.exec:\ntbhnn.exe80⤵PID:2368
-
\??\c:\5pvpv.exec:\5pvpv.exe81⤵PID:2084
-
\??\c:\rflrxxr.exec:\rflrxxr.exe82⤵PID:2540
-
\??\c:\hbnnnt.exec:\hbnnnt.exe83⤵PID:4716
-
\??\c:\nhnnnn.exec:\nhnnnn.exe84⤵PID:1776
-
\??\c:\1djjv.exec:\1djjv.exe85⤵PID:1432
-
\??\c:\xrxrlrl.exec:\xrxrlrl.exe86⤵PID:2092
-
\??\c:\7lrllrl.exec:\7lrllrl.exe87⤵PID:4152
-
\??\c:\bhhhnn.exec:\bhhhnn.exe88⤵PID:1680
-
\??\c:\9ppvp.exec:\9ppvp.exe89⤵PID:1752
-
\??\c:\djjdp.exec:\djjdp.exe90⤵PID:432
-
\??\c:\xxffxfx.exec:\xxffxfx.exe91⤵PID:2748
-
\??\c:\nttttt.exec:\nttttt.exe92⤵PID:3372
-
\??\c:\bhthtt.exec:\bhthtt.exe93⤵PID:2712
-
\??\c:\ddjjv.exec:\ddjjv.exe94⤵PID:3084
-
\??\c:\xxxrrlf.exec:\xxxrrlf.exe95⤵PID:3596
-
\??\c:\nnnnnn.exec:\nnnnnn.exe96⤵PID:2228
-
\??\c:\bhbbhh.exec:\bhbbhh.exe97⤵PID:3744
-
\??\c:\vdvpj.exec:\vdvpj.exe98⤵PID:636
-
\??\c:\xlxfrrl.exec:\xlxfrrl.exe99⤵PID:1728
-
\??\c:\rrxxffl.exec:\rrxxffl.exe100⤵PID:760
-
\??\c:\nntbnt.exec:\nntbnt.exe101⤵PID:4812
-
\??\c:\pvpdv.exec:\pvpdv.exe102⤵PID:2400
-
\??\c:\ffxrrrr.exec:\ffxrrrr.exe103⤵PID:2240
-
\??\c:\thnnnh.exec:\thnnnh.exe104⤵PID:4916
-
\??\c:\1tttnn.exec:\1tttnn.exe105⤵PID:3828
-
\??\c:\jppdd.exec:\jppdd.exe106⤵PID:4328
-
\??\c:\3ffffll.exec:\3ffffll.exe107⤵PID:4468
-
\??\c:\tttnnn.exec:\tttnnn.exe108⤵PID:2000
-
\??\c:\hhhttb.exec:\hhhttb.exe109⤵PID:3912
-
\??\c:\ddddv.exec:\ddddv.exe110⤵PID:2856
-
\??\c:\llllrxr.exec:\llllrxr.exe111⤵PID:2588
-
\??\c:\btbtnn.exec:\btbtnn.exe112⤵PID:1336
-
\??\c:\1pjdd.exec:\1pjdd.exe113⤵PID:4488
-
\??\c:\vdppj.exec:\vdppj.exe114⤵PID:3668
-
\??\c:\3rlllll.exec:\3rlllll.exe115⤵PID:2812
-
\??\c:\3hbbtt.exec:\3hbbtt.exe116⤵PID:804
-
\??\c:\ddvvp.exec:\ddvvp.exe117⤵PID:3872
-
\??\c:\ffrrllf.exec:\ffrrllf.exe118⤵PID:5044
-
\??\c:\bhnhtt.exec:\bhnhtt.exe119⤵PID:1232
-
\??\c:\hntttn.exec:\hntttn.exe120⤵PID:1612
-
\??\c:\7vjdj.exec:\7vjdj.exe121⤵PID:372
-
\??\c:\rrrlxrr.exec:\rrrlxrr.exe122⤵PID:2568