Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 03:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
027535a35bf13178692250b8e04e49d100e62522e25decfa2b8df9cfc6b37458.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
027535a35bf13178692250b8e04e49d100e62522e25decfa2b8df9cfc6b37458.exe
-
Size
454KB
-
MD5
e9c67b045418d5ca6bf22f4028e31407
-
SHA1
b919b145bb1ee2163288f5806fc183ae883c8e70
-
SHA256
027535a35bf13178692250b8e04e49d100e62522e25decfa2b8df9cfc6b37458
-
SHA512
5b19505daef27dadc2fce7e67515d7d30c54c8757d8ff688cba4b6495d9a43791cbd7d97d2a17f525a5b0ac4b143a353161462e0b6144b45fdaef5724bdeea20
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetM:q7Tc2NYHUrAwfMp3CDtM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1876-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2548-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/396-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-1123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-1297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2428 htbtnn.exe 2496 7vvvp.exe 3184 vpvpp.exe 4788 lxxxlfx.exe 2088 nnntth.exe 112 1tbttt.exe 2608 xxfffff.exe 4916 vvvvd.exe 3520 nnhhhh.exe 4564 pppjj.exe 3708 bntnnh.exe 4300 5fffxfx.exe 4404 flrfrlf.exe 3836 nbbbbb.exe 4320 vjjjd.exe 4688 lrfrlfr.exe 3396 bbhbtt.exe 2696 pjjvj.exe 1672 7lrlxxr.exe 4548 5ttnnn.exe 2460 pjdvp.exe 1988 jjjdv.exe 2560 5llfrrf.exe 4704 3htnbt.exe 692 jjjjd.exe 2548 rxfxlfl.exe 4388 tbtnnh.exe 5072 1vvpj.exe 4844 5xfxrff.exe 3908 nntnbt.exe 2312 btbttn.exe 4496 vpppj.exe 3968 lrxrlll.exe 2568 tbhbtt.exe 4600 jdjdv.exe 3164 dpddv.exe 888 bbntbn.exe 5076 hnthnh.exe 1336 pjvpp.exe 4880 rrlrfxf.exe 556 bntnhh.exe 1032 nbhbtn.exe 3260 jvvpj.exe 1728 3htnhh.exe 4376 djvpj.exe 3332 3flfrxx.exe 1428 pjjjd.exe 4340 xrxxflr.exe 2836 flrllfx.exe 2044 nbbbbt.exe 224 dpvpj.exe 3292 xfflllf.exe 4492 thbbhh.exe 2500 nhtnbt.exe 4056 rffxrlf.exe 4788 xlrllfx.exe 3764 lflfffl.exe 2124 5rrlfxr.exe 988 3btbbh.exe 3728 9ddvp.exe 1644 pvvpd.exe 4576 llrxrrl.exe 1084 djppp.exe 5080 xrfxxxx.exe -
resource yara_rule behavioral2/memory/1876-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/692-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-406-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2072-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-1104-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1876 wrote to memory of 2428 1876 027535a35bf13178692250b8e04e49d100e62522e25decfa2b8df9cfc6b37458.exe 83 PID 1876 wrote to memory of 2428 1876 027535a35bf13178692250b8e04e49d100e62522e25decfa2b8df9cfc6b37458.exe 83 PID 1876 wrote to memory of 2428 1876 027535a35bf13178692250b8e04e49d100e62522e25decfa2b8df9cfc6b37458.exe 83 PID 2428 wrote to memory of 2496 2428 htbtnn.exe 84 PID 2428 wrote to memory of 2496 2428 htbtnn.exe 84 PID 2428 wrote to memory of 2496 2428 htbtnn.exe 84 PID 2496 wrote to memory of 3184 2496 7vvvp.exe 85 PID 2496 wrote to memory of 3184 2496 7vvvp.exe 85 PID 2496 wrote to memory of 3184 2496 7vvvp.exe 85 PID 3184 wrote to memory of 4788 3184 vpvpp.exe 86 PID 3184 wrote to memory of 4788 3184 vpvpp.exe 86 PID 3184 wrote to memory of 4788 3184 vpvpp.exe 86 PID 4788 wrote to memory of 2088 4788 lxxxlfx.exe 87 PID 4788 wrote to memory of 2088 4788 lxxxlfx.exe 87 PID 4788 wrote to memory of 2088 4788 lxxxlfx.exe 87 PID 2088 wrote to memory of 112 2088 nnntth.exe 88 PID 2088 wrote to memory of 112 2088 nnntth.exe 88 PID 2088 wrote to memory of 112 2088 nnntth.exe 88 PID 112 wrote to memory of 2608 112 1tbttt.exe 89 PID 112 wrote to memory of 2608 112 1tbttt.exe 89 PID 112 wrote to memory of 2608 112 1tbttt.exe 89 PID 2608 wrote to memory of 4916 2608 xxfffff.exe 90 PID 2608 wrote to memory of 4916 2608 xxfffff.exe 90 PID 2608 wrote to memory of 4916 2608 xxfffff.exe 90 PID 4916 wrote to memory of 3520 4916 vvvvd.exe 91 PID 4916 wrote to memory of 3520 4916 vvvvd.exe 91 PID 4916 wrote to memory of 3520 4916 vvvvd.exe 91 PID 3520 wrote to memory of 4564 3520 nnhhhh.exe 92 PID 3520 wrote to memory of 4564 3520 nnhhhh.exe 92 PID 3520 wrote to memory of 4564 3520 nnhhhh.exe 92 PID 4564 wrote to memory of 3708 4564 pppjj.exe 93 PID 4564 wrote to memory of 3708 4564 pppjj.exe 93 PID 4564 wrote to memory of 3708 4564 pppjj.exe 93 PID 3708 wrote to memory of 4300 3708 bntnnh.exe 94 PID 3708 wrote to memory of 4300 
3708 bntnnh.exe 94 PID 3708 wrote to memory of 4300 3708 bntnnh.exe 94 PID 4300 wrote to memory of 4404 4300 5fffxfx.exe 95 PID 4300 wrote to memory of 4404 4300 5fffxfx.exe 95 PID 4300 wrote to memory of 4404 4300 5fffxfx.exe 95 PID 4404 wrote to memory of 3836 4404 flrfrlf.exe 96 PID 4404 wrote to memory of 3836 4404 flrfrlf.exe 96 PID 4404 wrote to memory of 3836 4404 flrfrlf.exe 96 PID 3836 wrote to memory of 4320 3836 nbbbbb.exe 97 PID 3836 wrote to memory of 4320 3836 nbbbbb.exe 97 PID 3836 wrote to memory of 4320 3836 nbbbbb.exe 97 PID 4320 wrote to memory of 4688 4320 vjjjd.exe 98 PID 4320 wrote to memory of 4688 4320 vjjjd.exe 98 PID 4320 wrote to memory of 4688 4320 vjjjd.exe 98 PID 4688 wrote to memory of 3396 4688 lrfrlfr.exe 99 PID 4688 wrote to memory of 3396 4688 lrfrlfr.exe 99 PID 4688 wrote to memory of 3396 4688 lrfrlfr.exe 99 PID 3396 wrote to memory of 2696 3396 bbhbtt.exe 100 PID 3396 wrote to memory of 2696 3396 bbhbtt.exe 100 PID 3396 wrote to memory of 2696 3396 bbhbtt.exe 100 PID 2696 wrote to memory of 1672 2696 pjjvj.exe 101 PID 2696 wrote to memory of 1672 2696 pjjvj.exe 101 PID 2696 wrote to memory of 1672 2696 pjjvj.exe 101 PID 1672 wrote to memory of 4548 1672 7lrlxxr.exe 102 PID 1672 wrote to memory of 4548 1672 7lrlxxr.exe 102 PID 1672 wrote to memory of 4548 1672 7lrlxxr.exe 102 PID 4548 wrote to memory of 2460 4548 5ttnnn.exe 103 PID 4548 wrote to memory of 2460 4548 5ttnnn.exe 103 PID 4548 wrote to memory of 2460 4548 5ttnnn.exe 103 PID 2460 wrote to memory of 1988 2460 pjdvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\027535a35bf13178692250b8e04e49d100e62522e25decfa2b8df9cfc6b37458.exe"C:\Users\Admin\AppData\Local\Temp\027535a35bf13178692250b8e04e49d100e62522e25decfa2b8df9cfc6b37458.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\htbtnn.exec:\htbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\7vvvp.exec:\7vvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\vpvpp.exec:\vpvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\lxxxlfx.exec:\lxxxlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\nnntth.exec:\nnntth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\1tbttt.exec:\1tbttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\xxfffff.exec:\xxfffff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\vvvvd.exec:\vvvvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\nnhhhh.exec:\nnhhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\pppjj.exec:\pppjj.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\bntnnh.exec:\bntnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\5fffxfx.exec:\5fffxfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\flrfrlf.exec:\flrfrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\nbbbbb.exec:\nbbbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\vjjjd.exec:\vjjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\lrfrlfr.exec:\lrfrlfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\bbhbtt.exec:\bbhbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\pjjvj.exec:\pjjvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\7lrlxxr.exec:\7lrlxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\5ttnnn.exec:\5ttnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\pjdvp.exec:\pjdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\jjjdv.exec:\jjjdv.exe23⤵
- Executes dropped EXE
PID:1988 -
\??\c:\5llfrrf.exec:\5llfrrf.exe24⤵
- Executes dropped EXE
PID:2560 -
\??\c:\3htnbt.exec:\3htnbt.exe25⤵
- Executes dropped EXE
PID:4704 -
\??\c:\jjjjd.exec:\jjjjd.exe26⤵
- Executes dropped EXE
PID:692 -
\??\c:\rxfxlfl.exec:\rxfxlfl.exe27⤵
- Executes dropped EXE
PID:2548 -
\??\c:\tbtnnh.exec:\tbtnnh.exe28⤵
- Executes dropped EXE
PID:4388 -
\??\c:\1vvpj.exec:\1vvpj.exe29⤵
- Executes dropped EXE
PID:5072 -
\??\c:\5xfxrff.exec:\5xfxrff.exe30⤵
- Executes dropped EXE
PID:4844 -
\??\c:\nntnbt.exec:\nntnbt.exe31⤵
- Executes dropped EXE
PID:3908 -
\??\c:\btbttn.exec:\btbttn.exe32⤵
- Executes dropped EXE
PID:2312 -
\??\c:\vpppj.exec:\vpppj.exe33⤵
- Executes dropped EXE
PID:4496 -
\??\c:\lrxrlll.exec:\lrxrlll.exe34⤵
- Executes dropped EXE
PID:3968 -
\??\c:\tbhbtt.exec:\tbhbtt.exe35⤵
- Executes dropped EXE
PID:2568 -
\??\c:\jdjdv.exec:\jdjdv.exe36⤵
- Executes dropped EXE
PID:4600 -
\??\c:\dpddv.exec:\dpddv.exe37⤵
- Executes dropped EXE
PID:3164 -
\??\c:\bbntbn.exec:\bbntbn.exe38⤵
- Executes dropped EXE
PID:888 -
\??\c:\hnthnh.exec:\hnthnh.exe39⤵
- Executes dropped EXE
PID:5076 -
\??\c:\pjvpp.exec:\pjvpp.exe40⤵
- Executes dropped EXE
PID:1336 -
\??\c:\rrlrfxf.exec:\rrlrfxf.exe41⤵
- Executes dropped EXE
PID:4880 -
\??\c:\bntnhh.exec:\bntnhh.exe42⤵
- Executes dropped EXE
PID:556 -
\??\c:\nbhbtn.exec:\nbhbtn.exe43⤵
- Executes dropped EXE
PID:1032 -
\??\c:\jvvpj.exec:\jvvpj.exe44⤵
- Executes dropped EXE
PID:3260 -
\??\c:\3htnhh.exec:\3htnhh.exe45⤵
- Executes dropped EXE
PID:1728 -
\??\c:\djvpj.exec:\djvpj.exe46⤵
- Executes dropped EXE
PID:4376 -
\??\c:\3flfrxx.exec:\3flfrxx.exe47⤵
- Executes dropped EXE
PID:3332 -
\??\c:\pjjjd.exec:\pjjjd.exe48⤵
- Executes dropped EXE
PID:1428 -
\??\c:\xrxxflr.exec:\xrxxflr.exe49⤵
- Executes dropped EXE
PID:4340 -
\??\c:\flrllfx.exec:\flrllfx.exe50⤵
- Executes dropped EXE
PID:2836 -
\??\c:\nbbbbt.exec:\nbbbbt.exe51⤵
- Executes dropped EXE
PID:2044 -
\??\c:\dpvpj.exec:\dpvpj.exe52⤵
- Executes dropped EXE
PID:224 -
\??\c:\xfflllf.exec:\xfflllf.exe53⤵
- Executes dropped EXE
PID:3292 -
\??\c:\thbbhh.exec:\thbbhh.exe54⤵
- Executes dropped EXE
PID:4492 -
\??\c:\nhtnbt.exec:\nhtnbt.exe55⤵
- Executes dropped EXE
PID:2500 -
\??\c:\rffxrlf.exec:\rffxrlf.exe56⤵
- Executes dropped EXE
PID:4056 -
\??\c:\xlrllfx.exec:\xlrllfx.exe57⤵
- Executes dropped EXE
PID:4788 -
\??\c:\lflfffl.exec:\lflfffl.exe58⤵
- Executes dropped EXE
PID:3764 -
\??\c:\5rrlfxr.exec:\5rrlfxr.exe59⤵
- Executes dropped EXE
PID:2124 -
\??\c:\3btbbh.exec:\3btbbh.exe60⤵
- Executes dropped EXE
PID:988 -
\??\c:\9ddvp.exec:\9ddvp.exe61⤵
- Executes dropped EXE
PID:3728 -
\??\c:\pvvpd.exec:\pvvpd.exe62⤵
- Executes dropped EXE
PID:1644 -
\??\c:\llrxrrl.exec:\llrxrrl.exe63⤵
- Executes dropped EXE
PID:4576 -
\??\c:\djppp.exec:\djppp.exe64⤵
- Executes dropped EXE
PID:1084 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe65⤵
- Executes dropped EXE
PID:5080 -
\??\c:\hbnhbb.exec:\hbnhbb.exe66⤵PID:2016
-
\??\c:\vppjd.exec:\vppjd.exe67⤵PID:4772
-
\??\c:\jpvvj.exec:\jpvvj.exe68⤵PID:4364
-
\??\c:\tnbtnh.exec:\tnbtnh.exe69⤵PID:4328
-
\??\c:\vpvdv.exec:\vpvdv.exe70⤵PID:4828
-
\??\c:\jjdjj.exec:\jjdjj.exe71⤵PID:3508
-
\??\c:\xllfxxr.exec:\xllfxxr.exe72⤵PID:3032
-
\??\c:\nbbtnh.exec:\nbbtnh.exe73⤵PID:3604
-
\??\c:\dvvvd.exec:\dvvvd.exe74⤵PID:4296
-
\??\c:\fxffrlx.exec:\fxffrlx.exe75⤵PID:2288
-
\??\c:\5htttt.exec:\5htttt.exe76⤵PID:396
-
\??\c:\btbbbb.exec:\btbbbb.exe77⤵PID:3664
-
\??\c:\dvjjj.exec:\dvjjj.exe78⤵PID:736
-
\??\c:\3hbtnn.exec:\3hbtnn.exe79⤵PID:5000
-
\??\c:\pvdpj.exec:\pvdpj.exe80⤵PID:3208
-
\??\c:\vvjdv.exec:\vvjdv.exe81⤵PID:1392
-
\??\c:\fxxrllf.exec:\fxxrllf.exe82⤵PID:2560
-
\??\c:\thhhhh.exec:\thhhhh.exe83⤵PID:1660
-
\??\c:\httnht.exec:\httnht.exe84⤵PID:4416
-
\??\c:\pdjjj.exec:\pdjjj.exe85⤵PID:408
-
\??\c:\xlxrrrr.exec:\xlxrrrr.exe86⤵PID:3456
-
\??\c:\fxrlffl.exec:\fxrlffl.exe87⤵PID:2800
-
\??\c:\nnbtbn.exec:\nnbtbn.exe88⤵PID:3188
-
\??\c:\3pdpj.exec:\3pdpj.exe89⤵PID:2232
-
\??\c:\lxlfllr.exec:\lxlfllr.exe90⤵PID:4852
-
\??\c:\lfllfff.exec:\lfllfff.exe91⤵PID:3372
-
\??\c:\bnnhbb.exec:\bnnhbb.exe92⤵PID:4504
-
\??\c:\dpjdv.exec:\dpjdv.exe93⤵PID:4084
-
\??\c:\frfxrrl.exec:\frfxrrl.exe94⤵PID:1808
-
\??\c:\bbtttn.exec:\bbtttn.exe95⤵PID:4032
-
\??\c:\nbthtt.exec:\nbthtt.exe96⤵PID:960
-
\??\c:\pdjdv.exec:\pdjdv.exe97⤵PID:888
-
\??\c:\xfxrlff.exec:\xfxrlff.exe98⤵PID:5040
-
\??\c:\nbhbbb.exec:\nbhbbb.exe99⤵PID:3340
-
\??\c:\jdddp.exec:\jdddp.exe100⤵PID:1500
-
\??\c:\dvvpj.exec:\dvvpj.exe101⤵PID:3744
-
\??\c:\xrrfxrr.exec:\xrrfxrr.exe102⤵PID:4824
-
\??\c:\nthtnh.exec:\nthtnh.exe103⤵
- System Location Discovery: System Language Discovery
PID:5060 -
\??\c:\3pjdv.exec:\3pjdv.exe104⤵PID:904
-
\??\c:\vdvdv.exec:\vdvdv.exe105⤵PID:856
-
\??\c:\xfrlffx.exec:\xfrlffx.exe106⤵PID:1680
-
\??\c:\bntttt.exec:\bntttt.exe107⤵PID:3020
-
\??\c:\jdjdv.exec:\jdjdv.exe108⤵PID:1728
-
\??\c:\9pvvp.exec:\9pvvp.exe109⤵PID:2072
-
\??\c:\lfrlflf.exec:\lfrlflf.exe110⤵PID:4876
-
\??\c:\nhnnnn.exec:\nhnnnn.exe111⤵PID:1972
-
\??\c:\pdjpj.exec:\pdjpj.exe112⤵PID:4340
-
\??\c:\vjvpp.exec:\vjvpp.exe113⤵PID:5108
-
\??\c:\lrfxrll.exec:\lrfxrll.exe114⤵PID:1928
-
\??\c:\tbhbtt.exec:\tbhbtt.exe115⤵PID:224
-
\??\c:\1djvv.exec:\1djvv.exe116⤵PID:3292
-
\??\c:\5ppjd.exec:\5ppjd.exe117⤵PID:3620
-
\??\c:\fffffxf.exec:\fffffxf.exe118⤵PID:1924
-
\??\c:\nbhhbt.exec:\nbhhbt.exe119⤵PID:1180
-
\??\c:\pdjjj.exec:\pdjjj.exe120⤵PID:4236
-
\??\c:\pppjj.exec:\pppjj.exe121⤵PID:5052
-
\??\c:\9lffffr.exec:\9lffffr.exe122⤵PID:2124