Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 00:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
99e41f3bfd42ae8548f1cf9e6cb8b74a692c9d5f635a3ea7ef70073bdde7b602.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
99e41f3bfd42ae8548f1cf9e6cb8b74a692c9d5f635a3ea7ef70073bdde7b602.exe
-
Size
454KB
-
MD5
5dd2a08a739411a270e5fe3502697720
-
SHA1
babcac3f02b5e93dca3b20f5f68b5a8669248923
-
SHA256
99e41f3bfd42ae8548f1cf9e6cb8b74a692c9d5f635a3ea7ef70073bdde7b602
-
SHA512
6e49c3df179f33d05eb3b9fb43369c2d6127860aff8e9d91796ccfd1633a751a39333a95358d099e25dad5de099b4373890432c9439aea3fc6194bd6e9e6c390
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/620-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2332-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3100-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-853-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-1133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-1137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-1420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1512 ttbttt.exe 444 dvdvv.exe 3768 hnbttt.exe 3712 djjjj.exe 1344 rlxlffr.exe 2352 5htnnt.exe 3936 3jpjj.exe 2492 bnthbb.exe 2176 7ttnhb.exe 952 nhbthh.exe 736 lxxlxrl.exe 4168 fxxrrrf.exe 2964 ttbnbt.exe 2860 pddpj.exe 2848 rfffrlr.exe 636 7pvjv.exe 4136 xllfrlf.exe 748 xllfrrf.exe 4152 nhtnbt.exe 4016 vjvjd.exe 3984 nhbtnh.exe 3820 5vvvv.exe 4588 thhbnh.exe 2356 7dvpd.exe 3664 hhnhhb.exe 968 jdvpj.exe 3048 bbhhhh.exe 976 nhnnhb.exe 2332 pjvvp.exe 1004 jjppp.exe 2548 thtttt.exe 4712 rlrrrxx.exe 1868 5hnnhn.exe 1528 ddvdv.exe 3472 flrllll.exe 1652 bnbbtt.exe 4724 jdppj.exe 3692 lxfffff.exe 4528 ttbttb.exe 4508 1dvvv.exe 2388 vdjdd.exe 2916 xfrrxfr.exe 4812 hbnhbt.exe 2008 ddjjj.exe 3532 ddddd.exe 2140 rlxrlll.exe 4448 nnbbtb.exe 3588 ppvdd.exe 4916 jvppv.exe 4428 rrxxrxx.exe 740 nbnhhb.exe 812 dvddp.exe 3768 vvppj.exe 4008 lllfxxr.exe 3228 hhtttt.exe 4300 vvvdp.exe 5076 lflfxxx.exe 4620 tntbnt.exe 1684 7djdp.exe 3412 ppddv.exe 3964 lxxrlrl.exe 1068 rrxllff.exe 952 pjpjd.exe 400 5pvpj.exe -
resource yara_rule behavioral2/memory/620-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1868-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4412-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-853-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 620 wrote to memory of 1512 620 99e41f3bfd42ae8548f1cf9e6cb8b74a692c9d5f635a3ea7ef70073bdde7b602.exe 82 PID 620 wrote to memory of 1512 620 99e41f3bfd42ae8548f1cf9e6cb8b74a692c9d5f635a3ea7ef70073bdde7b602.exe 82 PID 620 wrote to memory of 1512 620 99e41f3bfd42ae8548f1cf9e6cb8b74a692c9d5f635a3ea7ef70073bdde7b602.exe 82 PID 1512 wrote to memory of 444 1512 ttbttt.exe 83 PID 1512 wrote to memory of 444 1512 ttbttt.exe 83 PID 1512 wrote to memory of 444 1512 ttbttt.exe 83 PID 444 wrote to memory of 3768 444 dvdvv.exe 84 PID 444 wrote to memory of 3768 444 dvdvv.exe 84 PID 444 wrote to memory of 3768 444 dvdvv.exe 84 PID 3768 wrote to memory of 3712 3768 hnbttt.exe 85 PID 3768 wrote to memory of 3712 3768 hnbttt.exe 85 PID 3768 wrote to memory of 3712 3768 hnbttt.exe 85 PID 3712 wrote to memory of 1344 3712 djjjj.exe 86 PID 3712 wrote to memory of 1344 3712 djjjj.exe 86 PID 3712 wrote to memory of 1344 3712 djjjj.exe 86 PID 1344 wrote to memory of 2352 1344 rlxlffr.exe 87 PID 1344 wrote to memory of 2352 1344 rlxlffr.exe 87 PID 1344 wrote to memory of 2352 1344 rlxlffr.exe 87 PID 2352 wrote to memory of 3936 2352 5htnnt.exe 88 PID 2352 wrote to memory of 3936 2352 5htnnt.exe 88 PID 2352 wrote to memory of 3936 2352 5htnnt.exe 88 PID 3936 wrote to memory of 2492 3936 3jpjj.exe 89 PID 3936 wrote to memory of 2492 3936 3jpjj.exe 89 PID 3936 wrote to memory of 2492 3936 3jpjj.exe 89 PID 2492 wrote to memory of 2176 2492 bnthbb.exe 90 PID 2492 wrote to memory of 2176 2492 bnthbb.exe 90 PID 2492 wrote to memory of 2176 2492 bnthbb.exe 90 PID 2176 wrote to memory of 952 2176 7ttnhb.exe 91 PID 2176 wrote to memory of 952 2176 7ttnhb.exe 91 PID 2176 wrote to memory of 952 2176 7ttnhb.exe 91 PID 952 wrote to memory of 736 952 nhbthh.exe 92 PID 952 wrote to memory of 736 952 nhbthh.exe 92 PID 952 wrote to memory of 736 952 nhbthh.exe 92 PID 736 wrote to memory of 4168 736 lxxlxrl.exe 93 PID 736 wrote to memory of 4168 736 lxxlxrl.exe 93 
PID 736 wrote to memory of 4168 736 lxxlxrl.exe 93 PID 4168 wrote to memory of 2964 4168 fxxrrrf.exe 94 PID 4168 wrote to memory of 2964 4168 fxxrrrf.exe 94 PID 4168 wrote to memory of 2964 4168 fxxrrrf.exe 94 PID 2964 wrote to memory of 2860 2964 ttbnbt.exe 95 PID 2964 wrote to memory of 2860 2964 ttbnbt.exe 95 PID 2964 wrote to memory of 2860 2964 ttbnbt.exe 95 PID 2860 wrote to memory of 2848 2860 pddpj.exe 96 PID 2860 wrote to memory of 2848 2860 pddpj.exe 96 PID 2860 wrote to memory of 2848 2860 pddpj.exe 96 PID 2848 wrote to memory of 636 2848 rfffrlr.exe 97 PID 2848 wrote to memory of 636 2848 rfffrlr.exe 97 PID 2848 wrote to memory of 636 2848 rfffrlr.exe 97 PID 636 wrote to memory of 4136 636 7pvjv.exe 98 PID 636 wrote to memory of 4136 636 7pvjv.exe 98 PID 636 wrote to memory of 4136 636 7pvjv.exe 98 PID 4136 wrote to memory of 748 4136 xllfrlf.exe 99 PID 4136 wrote to memory of 748 4136 xllfrlf.exe 99 PID 4136 wrote to memory of 748 4136 xllfrlf.exe 99 PID 748 wrote to memory of 4152 748 xllfrrf.exe 100 PID 748 wrote to memory of 4152 748 xllfrrf.exe 100 PID 748 wrote to memory of 4152 748 xllfrrf.exe 100 PID 4152 wrote to memory of 4016 4152 nhtnbt.exe 101 PID 4152 wrote to memory of 4016 4152 nhtnbt.exe 101 PID 4152 wrote to memory of 4016 4152 nhtnbt.exe 101 PID 4016 wrote to memory of 3984 4016 vjvjd.exe 102 PID 4016 wrote to memory of 3984 4016 vjvjd.exe 102 PID 4016 wrote to memory of 3984 4016 vjvjd.exe 102 PID 3984 wrote to memory of 3820 3984 nhbtnh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\99e41f3bfd42ae8548f1cf9e6cb8b74a692c9d5f635a3ea7ef70073bdde7b602.exe"C:\Users\Admin\AppData\Local\Temp\99e41f3bfd42ae8548f1cf9e6cb8b74a692c9d5f635a3ea7ef70073bdde7b602.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\ttbttt.exec:\ttbttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\dvdvv.exec:\dvdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\hnbttt.exec:\hnbttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\djjjj.exec:\djjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\rlxlffr.exec:\rlxlffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\5htnnt.exec:\5htnnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\3jpjj.exec:\3jpjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\bnthbb.exec:\bnthbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\7ttnhb.exec:\7ttnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\nhbthh.exec:\nhbthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\lxxlxrl.exec:\lxxlxrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\fxxrrrf.exec:\fxxrrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\ttbnbt.exec:\ttbnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\pddpj.exec:\pddpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\rfffrlr.exec:\rfffrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\7pvjv.exec:\7pvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\xllfrlf.exec:\xllfrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\xllfrrf.exec:\xllfrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\nhtnbt.exec:\nhtnbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\vjvjd.exec:\vjvjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\nhbtnh.exec:\nhbtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\5vvvv.exec:\5vvvv.exe23⤵
- Executes dropped EXE
PID:3820 -
\??\c:\thhbnh.exec:\thhbnh.exe24⤵
- Executes dropped EXE
PID:4588 -
\??\c:\7dvpd.exec:\7dvpd.exe25⤵
- Executes dropped EXE
PID:2356 -
\??\c:\hhnhhb.exec:\hhnhhb.exe26⤵
- Executes dropped EXE
PID:3664 -
\??\c:\jdvpj.exec:\jdvpj.exe27⤵
- Executes dropped EXE
PID:968 -
\??\c:\bbhhhh.exec:\bbhhhh.exe28⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nhnnhb.exec:\nhnnhb.exe29⤵
- Executes dropped EXE
PID:976 -
\??\c:\pjvvp.exec:\pjvvp.exe30⤵
- Executes dropped EXE
PID:2332 -
\??\c:\jjppp.exec:\jjppp.exe31⤵
- Executes dropped EXE
PID:1004 -
\??\c:\thtttt.exec:\thtttt.exe32⤵
- Executes dropped EXE
PID:2548 -
\??\c:\rlrrrxx.exec:\rlrrrxx.exe33⤵
- Executes dropped EXE
PID:4712 -
\??\c:\5hnnhn.exec:\5hnnhn.exe34⤵
- Executes dropped EXE
PID:1868 -
\??\c:\ddvdv.exec:\ddvdv.exe35⤵
- Executes dropped EXE
PID:1528 -
\??\c:\flrllll.exec:\flrllll.exe36⤵
- Executes dropped EXE
PID:3472 -
\??\c:\bnbbtt.exec:\bnbbtt.exe37⤵
- Executes dropped EXE
PID:1652 -
\??\c:\jdppj.exec:\jdppj.exe38⤵
- Executes dropped EXE
PID:4724 -
\??\c:\lxfffff.exec:\lxfffff.exe39⤵
- Executes dropped EXE
PID:3692 -
\??\c:\ttbttb.exec:\ttbttb.exe40⤵
- Executes dropped EXE
PID:4528 -
\??\c:\1dvvv.exec:\1dvvv.exe41⤵
- Executes dropped EXE
PID:4508 -
\??\c:\vdjdd.exec:\vdjdd.exe42⤵
- Executes dropped EXE
PID:2388 -
\??\c:\xfrrxfr.exec:\xfrrxfr.exe43⤵
- Executes dropped EXE
PID:2916 -
\??\c:\hbnhbt.exec:\hbnhbt.exe44⤵
- Executes dropped EXE
PID:4812 -
\??\c:\ddjjj.exec:\ddjjj.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2008 -
\??\c:\ddddd.exec:\ddddd.exe46⤵
- Executes dropped EXE
PID:3532 -
\??\c:\rlxrlll.exec:\rlxrlll.exe47⤵
- Executes dropped EXE
PID:2140 -
\??\c:\nnbbtb.exec:\nnbbtb.exe48⤵
- Executes dropped EXE
PID:4448 -
\??\c:\ppvdd.exec:\ppvdd.exe49⤵
- Executes dropped EXE
PID:3588 -
\??\c:\jvppv.exec:\jvppv.exe50⤵
- Executes dropped EXE
PID:4916 -
\??\c:\rrxxrxx.exec:\rrxxrxx.exe51⤵
- Executes dropped EXE
PID:4428 -
\??\c:\nbnhhb.exec:\nbnhhb.exe52⤵
- Executes dropped EXE
PID:740 -
\??\c:\dvddp.exec:\dvddp.exe53⤵
- Executes dropped EXE
PID:812 -
\??\c:\vvppj.exec:\vvppj.exe54⤵
- Executes dropped EXE
PID:3768 -
\??\c:\lllfxxr.exec:\lllfxxr.exe55⤵
- Executes dropped EXE
PID:4008 -
\??\c:\hhtttt.exec:\hhtttt.exe56⤵
- Executes dropped EXE
PID:3228 -
\??\c:\vvvdp.exec:\vvvdp.exe57⤵
- Executes dropped EXE
PID:4300 -
\??\c:\lflfxxx.exec:\lflfxxx.exe58⤵
- Executes dropped EXE
PID:5076 -
\??\c:\tntbnt.exec:\tntbnt.exe59⤵
- Executes dropped EXE
PID:4620 -
\??\c:\7djdp.exec:\7djdp.exe60⤵
- Executes dropped EXE
PID:1684 -
\??\c:\ppddv.exec:\ppddv.exe61⤵
- Executes dropped EXE
PID:3412 -
\??\c:\lxxrlrl.exec:\lxxrlrl.exe62⤵
- Executes dropped EXE
PID:3964 -
\??\c:\rrxllff.exec:\rrxllff.exe63⤵
- Executes dropped EXE
PID:1068 -
\??\c:\pjpjd.exec:\pjpjd.exe64⤵
- Executes dropped EXE
PID:952 -
\??\c:\5pvpj.exec:\5pvpj.exe65⤵
- Executes dropped EXE
PID:400 -
\??\c:\9lrxrrr.exec:\9lrxrrr.exe66⤵PID:5012
-
\??\c:\nnhbnt.exec:\nnhbnt.exe67⤵PID:3332
-
\??\c:\ppvjd.exec:\ppvjd.exe68⤵PID:2084
-
\??\c:\pvddd.exec:\pvddd.exe69⤵PID:5000
-
\??\c:\xfrrlrr.exec:\xfrrlrr.exe70⤵PID:2120
-
\??\c:\nnbbnn.exec:\nnbbnn.exe71⤵PID:3996
-
\??\c:\jddvp.exec:\jddvp.exe72⤵PID:2144
-
\??\c:\djjjp.exec:\djjjp.exe73⤵PID:636
-
\??\c:\ffrrxfr.exec:\ffrrxfr.exe74⤵PID:4136
-
\??\c:\ttnnnn.exec:\ttnnnn.exe75⤵PID:632
-
\??\c:\ntnnhn.exec:\ntnnhn.exe76⤵PID:2904
-
\??\c:\jvjjj.exec:\jvjjj.exe77⤵PID:4360
-
\??\c:\rfrlfff.exec:\rfrlfff.exe78⤵PID:1592
-
\??\c:\9ntnnn.exec:\9ntnnn.exe79⤵PID:2404
-
\??\c:\vpvpj.exec:\vpvpj.exe80⤵PID:4076
-
\??\c:\dvvvv.exec:\dvvvv.exe81⤵PID:3100
-
\??\c:\bbnhbh.exec:\bbnhbh.exe82⤵PID:2356
-
\??\c:\3bnbnt.exec:\3bnbnt.exe83⤵PID:3592
-
\??\c:\ddvpj.exec:\ddvpj.exe84⤵PID:4904
-
\??\c:\xfffrxr.exec:\xfffrxr.exe85⤵PID:1000
-
\??\c:\rfrrrrf.exec:\rfrrrrf.exe86⤵
- System Location Discovery: System Language Discovery
PID:4412 -
\??\c:\5pjdp.exec:\5pjdp.exe87⤵PID:2560
-
\??\c:\jjvdv.exec:\jjvdv.exe88⤵PID:2212
-
\??\c:\fxllxxx.exec:\fxllxxx.exe89⤵PID:4264
-
\??\c:\3tbtbt.exec:\3tbtbt.exe90⤵PID:2548
-
\??\c:\pdpjd.exec:\pdpjd.exe91⤵PID:3812
-
\??\c:\7llfxxr.exec:\7llfxxr.exe92⤵PID:3416
-
\??\c:\nnnhbn.exec:\nnnhbn.exe93⤵PID:916
-
\??\c:\1vpjv.exec:\1vpjv.exe94⤵PID:1064
-
\??\c:\5flffxx.exec:\5flffxx.exe95⤵PID:4504
-
\??\c:\rxlfxrx.exec:\rxlfxrx.exe96⤵PID:1440
-
\??\c:\bnbttt.exec:\bnbttt.exe97⤵PID:2272
-
\??\c:\jdvdv.exec:\jdvdv.exe98⤵PID:2344
-
\??\c:\llxfrrl.exec:\llxfrrl.exe99⤵PID:1912
-
\??\c:\htbthb.exec:\htbthb.exe100⤵PID:4992
-
\??\c:\btbbtb.exec:\btbbtb.exe101⤵PID:1428
-
\??\c:\vvjjd.exec:\vvjjd.exe102⤵PID:3336
-
\??\c:\flrlxrl.exec:\flrlxrl.exe103⤵PID:3104
-
\??\c:\hbnnnn.exec:\hbnnnn.exe104⤵PID:2040
-
\??\c:\thtnhh.exec:\thtnhh.exe105⤵PID:4364
-
\??\c:\dpdpj.exec:\dpdpj.exe106⤵PID:2140
-
\??\c:\7lrlffr.exec:\7lrlffr.exe107⤵PID:4448
-
\??\c:\9hbnht.exec:\9hbnht.exe108⤵PID:1512
-
\??\c:\dppdv.exec:\dppdv.exe109⤵PID:1960
-
\??\c:\1rlxlff.exec:\1rlxlff.exe110⤵PID:444
-
\??\c:\xffffll.exec:\xffffll.exe111⤵PID:4164
-
\??\c:\bthhht.exec:\bthhht.exe112⤵PID:2792
-
\??\c:\tbnbbt.exec:\tbnbbt.exe113⤵PID:1032
-
\??\c:\pvdvj.exec:\pvdvj.exe114⤵PID:4008
-
\??\c:\frfxrrl.exec:\frfxrrl.exe115⤵PID:3480
-
\??\c:\nnnnhb.exec:\nnnnhb.exe116⤵PID:2352
-
\??\c:\jjvvd.exec:\jjvvd.exe117⤵PID:64
-
\??\c:\rrxllxx.exec:\rrxllxx.exe118⤵PID:3956
-
\??\c:\rxflffx.exec:\rxflffx.exe119⤵PID:4896
-
\??\c:\nhnhbh.exec:\nhnhbh.exe120⤵PID:1472
-
\??\c:\dvpdv.exec:\dvpdv.exe121⤵PID:2956
-
\??\c:\flxflrx.exec:\flxflrx.exe122⤵PID:5112