Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe
-
Size
454KB
-
MD5
e7f447eac120811f0a2b4539dccc0771
-
SHA1
66a2f961fbfb85e3f56acf8ab9232af03f714d7f
-
SHA256
18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7
-
SHA512
82a118ed96d2bfc17b6da3dd944a87bc5a8309c690da3713b0ac963190355402979f0cf11c6213780a4c8a3542eab3c6587942648ab903d70c483fc5ed7ecbd5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3092-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1228-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/324-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3256-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5012 ttbbbh.exe 1520 1nhtnb.exe 3408 pjpjd.exe 4464 lxxrllf.exe 3376 vvvpj.exe 4812 rffffxx.exe 3948 rrxlfxr.exe 4548 tntnhh.exe 3332 dvddv.exe 4572 tnnnhb.exe 1496 9pvpp.exe 2056 7nnnhn.exe 4184 vppjj.exe 2232 nhbttn.exe 3232 hnbthh.exe 316 ddvvp.exe 2680 xxfxrrr.exe 1968 xrxffll.exe 780 hhnhnh.exe 4792 jvvvp.exe 2372 1vdvv.exe 988 hbbttt.exe 3728 nhnbtb.exe 2316 jdpjj.exe 1228 5tnhbb.exe 4476 nnhtnh.exe 1688 lflllll.exe 2084 1hhbbb.exe 4516 5ffxrrl.exe 1816 pvdvj.exe 3744 lllffxx.exe 3736 nbnbbt.exe 2672 jjvpj.exe 2016 pvvjv.exe 2340 3xrlfxr.exe 4196 tbnhtn.exe 4656 dppdp.exe 2112 3xfrlfx.exe 212 1ttnbb.exe 1840 5pjdj.exe 2204 5rxrffx.exe 4000 nbtnhh.exe 4404 ntnhhh.exe 1068 jpvpd.exe 220 rrrfrlf.exe 4672 bbbnhh.exe 8 jpvpd.exe 1176 fxfxllf.exe 3676 bhhthb.exe 1664 pdvjd.exe 4920 7lrlxxr.exe 3472 1rlfxxr.exe 976 vjdvd.exe 3948 lxxlrxx.exe 1540 1rxrrxl.exe 2884 hbtnhh.exe 4364 lrxlrxr.exe 3796 bthttb.exe 336 bhhthb.exe 1556 vpvjj.exe 3568 5rlrfxr.exe 4788 1hbnhb.exe 4072 jjdvv.exe 324 7dpjd.exe -
resource yara_rule behavioral2/memory/3092-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4476-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/324-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4616-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-927-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3092 wrote to memory of 5012 3092 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 82 PID 3092 wrote to memory of 5012 3092 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 82 PID 3092 wrote to memory of 5012 3092 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 82 PID 5012 wrote to memory of 1520 5012 ttbbbh.exe 83 PID 5012 wrote to memory of 1520 5012 ttbbbh.exe 83 PID 5012 wrote to memory of 1520 5012 ttbbbh.exe 83 PID 1520 wrote to memory of 3408 1520 1nhtnb.exe 84 PID 1520 wrote to memory of 3408 1520 1nhtnb.exe 84 PID 1520 wrote to memory of 3408 1520 1nhtnb.exe 84 PID 3408 wrote to memory of 4464 3408 pjpjd.exe 85 PID 3408 wrote to memory of 4464 3408 pjpjd.exe 85 PID 3408 wrote to memory of 4464 3408 pjpjd.exe 85 PID 4464 wrote to memory of 3376 4464 lxxrllf.exe 86 PID 4464 wrote to memory of 3376 4464 lxxrllf.exe 86 PID 4464 wrote to memory of 3376 4464 lxxrllf.exe 86 PID 3376 wrote to memory of 4812 3376 vvvpj.exe 87 PID 3376 wrote to memory of 4812 3376 vvvpj.exe 87 PID 3376 wrote to memory of 4812 3376 vvvpj.exe 87 PID 4812 wrote to memory of 3948 4812 rffffxx.exe 88 PID 4812 wrote to memory of 3948 4812 rffffxx.exe 88 PID 4812 wrote to memory of 3948 4812 rffffxx.exe 88 PID 3948 wrote to memory of 4548 3948 rrxlfxr.exe 89 PID 3948 wrote to memory of 4548 3948 rrxlfxr.exe 89 PID 3948 wrote to memory of 4548 3948 rrxlfxr.exe 89 PID 4548 wrote to memory of 3332 4548 tntnhh.exe 90 PID 4548 wrote to memory of 3332 4548 tntnhh.exe 90 PID 4548 wrote to memory of 3332 4548 tntnhh.exe 90 PID 3332 wrote to memory of 4572 3332 dvddv.exe 91 PID 3332 wrote to memory of 4572 3332 dvddv.exe 91 PID 3332 wrote to memory of 4572 3332 dvddv.exe 91 PID 4572 wrote to memory of 1496 4572 tnnnhb.exe 92 PID 4572 wrote to memory of 1496 4572 tnnnhb.exe 92 PID 4572 wrote to memory of 1496 4572 tnnnhb.exe 92 PID 1496 wrote to memory of 2056 1496 9pvpp.exe 93 PID 1496 wrote to 
memory of 2056 1496 9pvpp.exe 93 PID 1496 wrote to memory of 2056 1496 9pvpp.exe 93 PID 2056 wrote to memory of 4184 2056 7nnnhn.exe 94 PID 2056 wrote to memory of 4184 2056 7nnnhn.exe 94 PID 2056 wrote to memory of 4184 2056 7nnnhn.exe 94 PID 4184 wrote to memory of 2232 4184 vppjj.exe 95 PID 4184 wrote to memory of 2232 4184 vppjj.exe 95 PID 4184 wrote to memory of 2232 4184 vppjj.exe 95 PID 2232 wrote to memory of 3232 2232 nhbttn.exe 96 PID 2232 wrote to memory of 3232 2232 nhbttn.exe 96 PID 2232 wrote to memory of 3232 2232 nhbttn.exe 96 PID 3232 wrote to memory of 316 3232 hnbthh.exe 97 PID 3232 wrote to memory of 316 3232 hnbthh.exe 97 PID 3232 wrote to memory of 316 3232 hnbthh.exe 97 PID 316 wrote to memory of 2680 316 ddvvp.exe 98 PID 316 wrote to memory of 2680 316 ddvvp.exe 98 PID 316 wrote to memory of 2680 316 ddvvp.exe 98 PID 2680 wrote to memory of 1968 2680 xxfxrrr.exe 99 PID 2680 wrote to memory of 1968 2680 xxfxrrr.exe 99 PID 2680 wrote to memory of 1968 2680 xxfxrrr.exe 99 PID 1968 wrote to memory of 780 1968 xrxffll.exe 100 PID 1968 wrote to memory of 780 1968 xrxffll.exe 100 PID 1968 wrote to memory of 780 1968 xrxffll.exe 100 PID 780 wrote to memory of 4792 780 hhnhnh.exe 101 PID 780 wrote to memory of 4792 780 hhnhnh.exe 101 PID 780 wrote to memory of 4792 780 hhnhnh.exe 101 PID 4792 wrote to memory of 2372 4792 jvvvp.exe 102 PID 4792 wrote to memory of 2372 4792 jvvvp.exe 102 PID 4792 wrote to memory of 2372 4792 jvvvp.exe 102 PID 2372 wrote to memory of 988 2372 1vdvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe"C:\Users\Admin\AppData\Local\Temp\18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\ttbbbh.exec:\ttbbbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\1nhtnb.exec:\1nhtnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\pjpjd.exec:\pjpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\lxxrllf.exec:\lxxrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\vvvpj.exec:\vvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\rffffxx.exec:\rffffxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\rrxlfxr.exec:\rrxlfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\tntnhh.exec:\tntnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\dvddv.exec:\dvddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\tnnnhb.exec:\tnnnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\9pvpp.exec:\9pvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\7nnnhn.exec:\7nnnhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\vppjj.exec:\vppjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\nhbttn.exec:\nhbttn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\hnbthh.exec:\hnbthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\ddvvp.exec:\ddvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\xxfxrrr.exec:\xxfxrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\xrxffll.exec:\xrxffll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\hhnhnh.exec:\hhnhnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\jvvvp.exec:\jvvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\1vdvv.exec:\1vdvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\hbbttt.exec:\hbbttt.exe23⤵
- Executes dropped EXE
PID:988 -
\??\c:\nhnbtb.exec:\nhnbtb.exe24⤵
- Executes dropped EXE
PID:3728 -
\??\c:\jdpjj.exec:\jdpjj.exe25⤵
- Executes dropped EXE
PID:2316 -
\??\c:\5tnhbb.exec:\5tnhbb.exe26⤵
- Executes dropped EXE
PID:1228 -
\??\c:\nnhtnh.exec:\nnhtnh.exe27⤵
- Executes dropped EXE
PID:4476 -
\??\c:\lflllll.exec:\lflllll.exe28⤵
- Executes dropped EXE
PID:1688 -
\??\c:\1hhbbb.exec:\1hhbbb.exe29⤵
- Executes dropped EXE
PID:2084 -
\??\c:\5ffxrrl.exec:\5ffxrrl.exe30⤵
- Executes dropped EXE
PID:4516 -
\??\c:\pvdvj.exec:\pvdvj.exe31⤵
- Executes dropped EXE
PID:1816 -
\??\c:\lllffxx.exec:\lllffxx.exe32⤵
- Executes dropped EXE
PID:3744 -
\??\c:\nbnbbt.exec:\nbnbbt.exe33⤵
- Executes dropped EXE
PID:3736 -
\??\c:\jjvpj.exec:\jjvpj.exe34⤵
- Executes dropped EXE
PID:2672 -
\??\c:\pvvjv.exec:\pvvjv.exe35⤵
- Executes dropped EXE
PID:2016 -
\??\c:\3xrlfxr.exec:\3xrlfxr.exe36⤵
- Executes dropped EXE
PID:2340 -
\??\c:\tbnhtn.exec:\tbnhtn.exe37⤵
- Executes dropped EXE
PID:4196 -
\??\c:\dppdp.exec:\dppdp.exe38⤵
- Executes dropped EXE
PID:4656 -
\??\c:\3xfrlfx.exec:\3xfrlfx.exe39⤵
- Executes dropped EXE
PID:2112 -
\??\c:\1ttnbb.exec:\1ttnbb.exe40⤵
- Executes dropped EXE
PID:212 -
\??\c:\5pjdj.exec:\5pjdj.exe41⤵
- Executes dropped EXE
PID:1840 -
\??\c:\5rxrffx.exec:\5rxrffx.exe42⤵
- Executes dropped EXE
PID:2204 -
\??\c:\nbtnhh.exec:\nbtnhh.exe43⤵
- Executes dropped EXE
PID:4000 -
\??\c:\ntnhhh.exec:\ntnhhh.exe44⤵
- Executes dropped EXE
PID:4404 -
\??\c:\jpvpd.exec:\jpvpd.exe45⤵
- Executes dropped EXE
PID:1068 -
\??\c:\rrrfrlf.exec:\rrrfrlf.exe46⤵
- Executes dropped EXE
PID:220 -
\??\c:\bbbnhh.exec:\bbbnhh.exe47⤵
- Executes dropped EXE
PID:4672 -
\??\c:\jpvpd.exec:\jpvpd.exe48⤵
- Executes dropped EXE
PID:8 -
\??\c:\fxfxllf.exec:\fxfxllf.exe49⤵
- Executes dropped EXE
PID:1176 -
\??\c:\bhhthb.exec:\bhhthb.exe50⤵
- Executes dropped EXE
PID:3676 -
\??\c:\pdvjd.exec:\pdvjd.exe51⤵
- Executes dropped EXE
PID:1664 -
\??\c:\7lrlxxr.exec:\7lrlxxr.exe52⤵
- Executes dropped EXE
PID:4920 -
\??\c:\1rlfxxr.exec:\1rlfxxr.exe53⤵
- Executes dropped EXE
PID:3472 -
\??\c:\vjdvd.exec:\vjdvd.exe54⤵
- Executes dropped EXE
PID:976 -
\??\c:\lxxlrxx.exec:\lxxlrxx.exe55⤵
- Executes dropped EXE
PID:3948 -
\??\c:\1rxrrxl.exec:\1rxrrxl.exe56⤵
- Executes dropped EXE
PID:1540 -
\??\c:\hbtnhh.exec:\hbtnhh.exe57⤵
- Executes dropped EXE
PID:2884 -
\??\c:\lrxlrxr.exec:\lrxlrxr.exe58⤵
- Executes dropped EXE
PID:4364 -
\??\c:\bthttb.exec:\bthttb.exe59⤵
- Executes dropped EXE
PID:3796 -
\??\c:\bhhthb.exec:\bhhthb.exe60⤵
- Executes dropped EXE
PID:336 -
\??\c:\vpvjj.exec:\vpvjj.exe61⤵
- Executes dropped EXE
PID:1556 -
\??\c:\5rlrfxr.exec:\5rlrfxr.exe62⤵
- Executes dropped EXE
PID:3568 -
\??\c:\1hbnhb.exec:\1hbnhb.exe63⤵
- Executes dropped EXE
PID:4788 -
\??\c:\jjdvv.exec:\jjdvv.exe64⤵
- Executes dropped EXE
PID:4072 -
\??\c:\7dpjd.exec:\7dpjd.exe65⤵
- Executes dropped EXE
PID:324 -
\??\c:\xrxxxxf.exec:\xrxxxxf.exe66⤵PID:1360
-
\??\c:\hnbtnn.exec:\hnbtnn.exe67⤵PID:3276
-
\??\c:\7pjvj.exec:\7pjvj.exe68⤵PID:1260
-
\??\c:\jdpdj.exec:\jdpdj.exe69⤵PID:1396
-
\??\c:\lxrfxlx.exec:\lxrfxlx.exe70⤵PID:4544
-
\??\c:\1ntnnn.exec:\1ntnnn.exe71⤵PID:4088
-
\??\c:\pjjvj.exec:\pjjvj.exe72⤵PID:1324
-
\??\c:\lxfrfxr.exec:\lxfrfxr.exe73⤵PID:5084
-
\??\c:\bthbbb.exec:\bthbbb.exe74⤵PID:3256
-
\??\c:\hbhbtt.exec:\hbhbtt.exe75⤵PID:1524
-
\??\c:\jvdvp.exec:\jvdvp.exe76⤵PID:988
-
\??\c:\xrfrllf.exec:\xrfrllf.exe77⤵PID:2652
-
\??\c:\1tthtn.exec:\1tthtn.exe78⤵PID:3996
-
\??\c:\jdjdd.exec:\jdjdd.exe79⤵PID:4900
-
\??\c:\5lfxllf.exec:\5lfxllf.exe80⤵PID:1228
-
\??\c:\3hnhhh.exec:\3hnhhh.exe81⤵PID:1100
-
\??\c:\tnnbtb.exec:\tnnbtb.exe82⤵PID:4476
-
\??\c:\djvpd.exec:\djvpd.exe83⤵PID:1688
-
\??\c:\rrfxrll.exec:\rrfxrll.exe84⤵PID:4604
-
\??\c:\nhhbnb.exec:\nhhbnb.exe85⤵PID:5008
-
\??\c:\ppjjd.exec:\ppjjd.exe86⤵PID:3044
-
\??\c:\5ppdp.exec:\5ppdp.exe87⤵PID:2308
-
\??\c:\rxfxrll.exec:\rxfxrll.exe88⤵PID:4108
-
\??\c:\tttbnb.exec:\tttbnb.exe89⤵PID:1152
-
\??\c:\7ppjj.exec:\7ppjj.exe90⤵PID:2936
-
\??\c:\5vpdp.exec:\5vpdp.exe91⤵PID:4796
-
\??\c:\rfllrxf.exec:\rfllrxf.exe92⤵PID:4616
-
\??\c:\htnhtt.exec:\htnhtt.exe93⤵PID:2008
-
\??\c:\9vdvd.exec:\9vdvd.exe94⤵PID:1464
-
\??\c:\fxfxfxf.exec:\fxfxfxf.exe95⤵PID:5104
-
\??\c:\bbbnnh.exec:\bbbnnh.exe96⤵PID:1956
-
\??\c:\dvvvd.exec:\dvvvd.exe97⤵PID:3704
-
\??\c:\rlrlxfx.exec:\rlrlxfx.exe98⤵PID:436
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe99⤵PID:2588
-
\??\c:\bhnntt.exec:\bhnntt.exe100⤵PID:2112
-
\??\c:\dvdvj.exec:\dvdvj.exe101⤵PID:212
-
\??\c:\pjjdp.exec:\pjjdp.exe102⤵PID:5072
-
\??\c:\xfxfxxr.exec:\xfxfxxr.exe103⤵PID:2392
-
\??\c:\btbbhh.exec:\btbbhh.exe104⤵PID:4408
-
\??\c:\7tbthh.exec:\7tbthh.exe105⤵PID:4028
-
\??\c:\pdddv.exec:\pdddv.exe106⤵
- System Location Discovery: System Language Discovery
PID:4692 -
\??\c:\frxrffx.exec:\frxrffx.exe107⤵PID:1276
-
\??\c:\nhnnhn.exec:\nhnnhn.exe108⤵PID:2136
-
\??\c:\5bnhht.exec:\5bnhht.exe109⤵PID:468
-
\??\c:\3dddv.exec:\3dddv.exe110⤵PID:1032
-
\??\c:\lxrlxfx.exec:\lxrlxfx.exe111⤵PID:1380
-
\??\c:\9hnhtt.exec:\9hnhtt.exe112⤵PID:4372
-
\??\c:\1hbnbb.exec:\1hbnbb.exe113⤵PID:4448
-
\??\c:\7dvjv.exec:\7dvjv.exe114⤵PID:1116
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe115⤵PID:1300
-
\??\c:\llrlxlf.exec:\llrlxlf.exe116⤵PID:540
-
\??\c:\1bthbt.exec:\1bthbt.exe117⤵PID:4548
-
\??\c:\pjjdp.exec:\pjjdp.exe118⤵PID:4836
-
\??\c:\pdpjp.exec:\pdpjp.exe119⤵PID:376
-
\??\c:\xfrlxxl.exec:\xfrlxxl.exe120⤵PID:4156
-
\??\c:\nbtnbt.exec:\nbtnbt.exe121⤵PID:1928
-
\??\c:\jdpdd.exec:\jdpdd.exe122⤵PID:1488