Analysis
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 09:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b297cb668eb53292630832b8bf44bdc0a9ee50063f27ef37aba908cd9111d086.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
Target
b297cb668eb53292630832b8bf44bdc0a9ee50063f27ef37aba908cd9111d086.exe
Size
456KB
MD5
6aa204ccb952d4cbe50e49d7c9f2be9c
SHA1
8f88775b0fa83df85ff9de2554c930dfba7d860c
SHA256
b297cb668eb53292630832b8bf44bdc0a9ee50063f27ef37aba908cd9111d086
SHA512
18e7d7c66f117c0f0b717307253b00472c290e41a5690c24fccda4197ff44ca7a17af83ac7e5e473473ae1ab4273ba25a41ed377d0fcb411e1b721176affa16d
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2:q7Tc2NYHUrAwfMp3CDR2
Malware Config
Signatures
Note: every memory-dump and IoC entry below is tagged behavioral2 (the win10v2004-20241007-en / windows10-2004_x64 run named in the header). The behavioral1 task on win7-20240903-en listed above reports 7 signatures, but none of its results appear in this excerpt, so the findings below should be read as Windows 10 results only.
Blackmoon family
Detect Blackmoon payload 62 IoCs
Note: every hit is the same 0x0000000000400000–0x000000000042A000 image region in each dropped process, and the upx rule further below matches the same dumps; this is consistent with a single UPX-packed payload being re-dropped and unpacked in memory at each step of the chain rather than distinct payloads per process.
resource yara_rule behavioral2/memory/452-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3820-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3196-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-925-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-1112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-1364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-1888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3968 1vvdd.exe 3552 xxxrrrr.exe 4940 jvvvj.exe 2664 jjppp.exe 2236 btbhnn.exe 2404 frxrfxl.exe 3124 dvjdp.exe 1032 llfrxxl.exe 2780 nbnhht.exe 4644 frfrrlx.exe 2920 rxxrrxx.exe 1036 5hthhn.exe 4396 ddjpp.exe 4596 nbhthh.exe 424 ntttnh.exe 1404 jvpjd.exe 1568 rxxxrxx.exe 1532 tbbbbt.exe 1424 ppppp.exe 928 nhtttn.exe 2556 1vddv.exe 2356 xxlfxxx.exe 3820 bbnnnn.exe 3304 ddpdj.exe 1176 llllllf.exe 3616 vpdjv.exe 2192 hntnnh.exe 3808 dpdvv.exe 1148 vdvvv.exe 3908 tbbbth.exe 3852 vjvvj.exe 4592 frrlrlr.exe 3280 1bbbth.exe 2400 jjpdv.exe 1472 lxfrxfl.exe 4356 hnhthh.exe 4588 vjpjd.exe 4360 pddjd.exe 3692 xxxllxx.exe 4916 xxfffrr.exe 4980 htbtnh.exe 3484 1vddv.exe 536 flllllf.exe 3972 nhhhbb.exe 4100 jvjdv.exe 840 dvjvp.exe 1616 3xrlxlf.exe 4308 vvjjj.exe 2668 jvvpd.exe 452 xlrlxrr.exe 4556 hbhbnn.exe 3028 vppdv.exe 4152 lxfxxlf.exe 4940 bbtbnh.exe 2104 9hnhbt.exe 4604 9vvjd.exe 4652 7lxrxxx.exe 2444 7bbbnh.exe 3364 pjjjp.exe 2784 lxfxrll.exe 740 vjddp.exe 216 fxxffff.exe 2012 nhbbnn.exe 3196 jjvvd.exe -
resource yara_rule behavioral2/memory/452-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3616-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-393-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4728-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-925-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-1112-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat: the only evidence is reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that legitimate software also queries for locale handling, so this signature is low-confidence on its own. Many of the entries below are attributed to "Process not Found", which indicates the sandbox could not tie the read to a process (presumably one that had already exited by the time the event was attributed).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrfxr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Note: every recorded write goes from a parent into the child it has just spawned (452 → 3968 → 3552 → 4940 → …), three writes per child, mirroring the process tree below. A short burst of writes into a freshly created child can also be produced by ordinary process start-up, so this signature alone does not establish code injection; treat it as corroboration of the drop-and-execute chain rather than independent evidence.
description pid Process procid_target PID 452 wrote to memory of 3968 452 b297cb668eb53292630832b8bf44bdc0a9ee50063f27ef37aba908cd9111d086.exe 84 PID 452 wrote to memory of 3968 452 b297cb668eb53292630832b8bf44bdc0a9ee50063f27ef37aba908cd9111d086.exe 84 PID 452 wrote to memory of 3968 452 b297cb668eb53292630832b8bf44bdc0a9ee50063f27ef37aba908cd9111d086.exe 84 PID 3968 wrote to memory of 3552 3968 1vvdd.exe 85 PID 3968 wrote to memory of 3552 3968 1vvdd.exe 85 PID 3968 wrote to memory of 3552 3968 1vvdd.exe 85 PID 3552 wrote to memory of 4940 3552 xxxrrrr.exe 86 PID 3552 wrote to memory of 4940 3552 xxxrrrr.exe 86 PID 3552 wrote to memory of 4940 3552 xxxrrrr.exe 86 PID 4940 wrote to memory of 2664 4940 jvvvj.exe 87 PID 4940 wrote to memory of 2664 4940 jvvvj.exe 87 PID 4940 wrote to memory of 2664 4940 jvvvj.exe 87 PID 2664 wrote to memory of 2236 2664 jjppp.exe 88 PID 2664 wrote to memory of 2236 2664 jjppp.exe 88 PID 2664 wrote to memory of 2236 2664 jjppp.exe 88 PID 2236 wrote to memory of 2404 2236 btbhnn.exe 89 PID 2236 wrote to memory of 2404 2236 btbhnn.exe 89 PID 2236 wrote to memory of 2404 2236 btbhnn.exe 89 PID 2404 wrote to memory of 3124 2404 frxrfxl.exe 90 PID 2404 wrote to memory of 3124 2404 frxrfxl.exe 90 PID 2404 wrote to memory of 3124 2404 frxrfxl.exe 90 PID 3124 wrote to memory of 1032 3124 dvjdp.exe 91 PID 3124 wrote to memory of 1032 3124 dvjdp.exe 91 PID 3124 wrote to memory of 1032 3124 dvjdp.exe 91 PID 1032 wrote to memory of 2780 1032 llfrxxl.exe 92 PID 1032 wrote to memory of 2780 1032 llfrxxl.exe 92 PID 1032 wrote to memory of 2780 1032 llfrxxl.exe 92 PID 2780 wrote to memory of 4644 2780 nbnhht.exe 93 PID 2780 wrote to memory of 4644 2780 nbnhht.exe 93 PID 2780 wrote to memory of 4644 2780 nbnhht.exe 93 PID 4644 wrote to memory of 2920 4644 frfrrlx.exe 94 PID 4644 wrote to memory of 2920 4644 frfrrlx.exe 94 PID 4644 wrote to memory of 2920 4644 frfrrlx.exe 94 PID 2920 wrote to memory of 1036 2920 rxxrrxx.exe 95 PID 2920 wrote to memory 
of 1036 2920 rxxrrxx.exe 95 PID 2920 wrote to memory of 1036 2920 rxxrrxx.exe 95 PID 1036 wrote to memory of 4396 1036 5hthhn.exe 96 PID 1036 wrote to memory of 4396 1036 5hthhn.exe 96 PID 1036 wrote to memory of 4396 1036 5hthhn.exe 96 PID 4396 wrote to memory of 4596 4396 ddjpp.exe 97 PID 4396 wrote to memory of 4596 4396 ddjpp.exe 97 PID 4396 wrote to memory of 4596 4396 ddjpp.exe 97 PID 4596 wrote to memory of 424 4596 nbhthh.exe 98 PID 4596 wrote to memory of 424 4596 nbhthh.exe 98 PID 4596 wrote to memory of 424 4596 nbhthh.exe 98 PID 424 wrote to memory of 1404 424 ntttnh.exe 99 PID 424 wrote to memory of 1404 424 ntttnh.exe 99 PID 424 wrote to memory of 1404 424 ntttnh.exe 99 PID 1404 wrote to memory of 1568 1404 jvpjd.exe 100 PID 1404 wrote to memory of 1568 1404 jvpjd.exe 100 PID 1404 wrote to memory of 1568 1404 jvpjd.exe 100 PID 1568 wrote to memory of 1532 1568 rxxxrxx.exe 101 PID 1568 wrote to memory of 1532 1568 rxxxrxx.exe 101 PID 1568 wrote to memory of 1532 1568 rxxxrxx.exe 101 PID 1532 wrote to memory of 1424 1532 tbbbbt.exe 102 PID 1532 wrote to memory of 1424 1532 tbbbbt.exe 102 PID 1532 wrote to memory of 1424 1532 tbbbbt.exe 102 PID 1424 wrote to memory of 928 1424 ppppp.exe 103 PID 1424 wrote to memory of 928 1424 ppppp.exe 103 PID 1424 wrote to memory of 928 1424 ppppp.exe 103 PID 928 wrote to memory of 2556 928 nhtttn.exe 104 PID 928 wrote to memory of 2556 928 nhtttn.exe 104 PID 928 wrote to memory of 2556 928 nhtttn.exe 104 PID 2556 wrote to memory of 2356 2556 1vddv.exe 105
Processes
Each entry is the image path, followed by the command line, followed by the process's depth in the tree. The dropped executables are written to the root of the system drive (\??\c:\*.exe) with short pseudo-random names drawn from a small letter set (b, d, f, h, j, l, n, p, r, t, v, x, optionally with a leading digit), which is a usable hunting pattern on its own. Several PIDs recur in the tree (e.g. 452, 1532, 2556, 4940, 1176, 2192, 4356) because the OS reused them during the 120-second run, so a PID alone does not identify a process in this report.
C:\Users\Admin\AppData\Local\Temp\b297cb668eb53292630832b8bf44bdc0a9ee50063f27ef37aba908cd9111d086.exe"C:\Users\Admin\AppData\Local\Temp\b297cb668eb53292630832b8bf44bdc0a9ee50063f27ef37aba908cd9111d086.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\1vvdd.exec:\1vvdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\jvvvj.exec:\jvvvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\jjppp.exec:\jjppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\btbhnn.exec:\btbhnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\frxrfxl.exec:\frxrfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\dvjdp.exec:\dvjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\llfrxxl.exec:\llfrxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\nbnhht.exec:\nbnhht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\frfrrlx.exec:\frfrrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\rxxrrxx.exec:\rxxrrxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\5hthhn.exec:\5hthhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\ddjpp.exec:\ddjpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\nbhthh.exec:\nbhthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\ntttnh.exec:\ntttnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:424 -
\??\c:\jvpjd.exec:\jvpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\rxxxrxx.exec:\rxxxrxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\tbbbbt.exec:\tbbbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\ppppp.exec:\ppppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\nhtttn.exec:\nhtttn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\1vddv.exec:\1vddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\xxlfxxx.exec:\xxlfxxx.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
\??\c:\bbnnnn.exec:\bbnnnn.exe24⤵
- Executes dropped EXE
PID:3820 -
\??\c:\ddpdj.exec:\ddpdj.exe25⤵
- Executes dropped EXE
PID:3304 -
\??\c:\llllllf.exec:\llllllf.exe26⤵
- Executes dropped EXE
PID:1176 -
\??\c:\vpdjv.exec:\vpdjv.exe27⤵
- Executes dropped EXE
PID:3616 -
\??\c:\hntnnh.exec:\hntnnh.exe28⤵
- Executes dropped EXE
PID:2192 -
\??\c:\dpdvv.exec:\dpdvv.exe29⤵
- Executes dropped EXE
PID:3808 -
\??\c:\vdvvv.exec:\vdvvv.exe30⤵
- Executes dropped EXE
PID:1148 -
\??\c:\tbbbth.exec:\tbbbth.exe31⤵
- Executes dropped EXE
PID:3908 -
\??\c:\vjvvj.exec:\vjvvj.exe32⤵
- Executes dropped EXE
PID:3852 -
\??\c:\frrlrlr.exec:\frrlrlr.exe33⤵
- Executes dropped EXE
PID:4592 -
\??\c:\1bbbth.exec:\1bbbth.exe34⤵
- Executes dropped EXE
PID:3280 -
\??\c:\jjpdv.exec:\jjpdv.exe35⤵
- Executes dropped EXE
PID:2400 -
\??\c:\lxfrxfl.exec:\lxfrxfl.exe36⤵
- Executes dropped EXE
PID:1472 -
\??\c:\hnhthh.exec:\hnhthh.exe37⤵
- Executes dropped EXE
PID:4356 -
\??\c:\vjpjd.exec:\vjpjd.exe38⤵
- Executes dropped EXE
PID:4588 -
\??\c:\pddjd.exec:\pddjd.exe39⤵
- Executes dropped EXE
PID:4360 -
\??\c:\xxxllxx.exec:\xxxllxx.exe40⤵
- Executes dropped EXE
PID:3692 -
\??\c:\xxfffrr.exec:\xxfffrr.exe41⤵
- Executes dropped EXE
PID:4916 -
\??\c:\htbtnh.exec:\htbtnh.exe42⤵
- Executes dropped EXE
PID:4980 -
\??\c:\1vddv.exec:\1vddv.exe43⤵
- Executes dropped EXE
PID:3484 -
\??\c:\flllllf.exec:\flllllf.exe44⤵
- Executes dropped EXE
PID:536 -
\??\c:\nhhhbb.exec:\nhhhbb.exe45⤵
- Executes dropped EXE
PID:3972 -
\??\c:\jvjdv.exec:\jvjdv.exe46⤵
- Executes dropped EXE
PID:4100 -
\??\c:\dvjvp.exec:\dvjvp.exe47⤵
- Executes dropped EXE
PID:840 -
\??\c:\3xrlxlf.exec:\3xrlxlf.exe48⤵
- Executes dropped EXE
PID:1616 -
\??\c:\vvjjj.exec:\vvjjj.exe49⤵
- Executes dropped EXE
PID:4308 -
\??\c:\jvvpd.exec:\jvvpd.exe50⤵
- Executes dropped EXE
PID:2668 -
\??\c:\xlrlxrr.exec:\xlrlxrr.exe51⤵
- Executes dropped EXE
PID:452 -
\??\c:\hbhbnn.exec:\hbhbnn.exe52⤵
- Executes dropped EXE
PID:4556 -
\??\c:\vppdv.exec:\vppdv.exe53⤵
- Executes dropped EXE
PID:3028 -
\??\c:\lxfxxlf.exec:\lxfxxlf.exe54⤵
- Executes dropped EXE
PID:4152 -
\??\c:\bbtbnh.exec:\bbtbnh.exe55⤵
- Executes dropped EXE
PID:4940 -
\??\c:\9hnhbt.exec:\9hnhbt.exe56⤵
- Executes dropped EXE
PID:2104 -
\??\c:\9vvjd.exec:\9vvjd.exe57⤵
- Executes dropped EXE
PID:4604 -
\??\c:\7lxrxxx.exec:\7lxrxxx.exe58⤵
- Executes dropped EXE
PID:4652 -
\??\c:\7bbbnh.exec:\7bbbnh.exe59⤵
- Executes dropped EXE
PID:2444 -
\??\c:\pjjjp.exec:\pjjjp.exe60⤵
- Executes dropped EXE
PID:3364 -
\??\c:\lxfxrll.exec:\lxfxrll.exe61⤵
- Executes dropped EXE
PID:2784 -
\??\c:\vjddp.exec:\vjddp.exe62⤵
- Executes dropped EXE
PID:740 -
\??\c:\fxxffff.exec:\fxxffff.exe63⤵
- Executes dropped EXE
PID:216 -
\??\c:\nhbbnn.exec:\nhbbnn.exe64⤵
- Executes dropped EXE
PID:2012 -
\??\c:\jjvvd.exec:\jjvvd.exe65⤵
- Executes dropped EXE
PID:3196 -
\??\c:\xrrfrrf.exec:\xrrfrrf.exe66⤵PID:2212
-
\??\c:\hhhnnt.exec:\hhhnnt.exe67⤵PID:3088
-
\??\c:\vpddp.exec:\vpddp.exe68⤵PID:1040
-
\??\c:\xxxfxll.exec:\xxxfxll.exe69⤵PID:4800
-
\??\c:\rrllllf.exec:\rrllllf.exe70⤵PID:4700
-
\??\c:\thnhbb.exec:\thnhbb.exe71⤵PID:4280
-
\??\c:\pjvpd.exec:\pjvpd.exe72⤵PID:2280
-
\??\c:\1xffxll.exec:\1xffxll.exe73⤵PID:3452
-
\??\c:\5hnnnt.exec:\5hnnnt.exe74⤵PID:2140
-
\??\c:\vjvvv.exec:\vjvvv.exe75⤵PID:984
-
\??\c:\1rffxfx.exec:\1rffxfx.exe76⤵PID:5112
-
\??\c:\bbnbth.exec:\bbnbth.exe77⤵PID:1532
-
\??\c:\vdpjv.exec:\vdpjv.exe78⤵PID:2704
-
\??\c:\xlxxrrr.exec:\xlxxrrr.exe79⤵PID:3120
-
\??\c:\tnttnt.exec:\tnttnt.exe80⤵PID:3444
-
\??\c:\jdppp.exec:\jdppp.exe81⤵PID:2556
-
\??\c:\dvdvv.exec:\dvdvv.exe82⤵PID:5108
-
\??\c:\fffxxrr.exec:\fffxxrr.exe83⤵PID:4860
-
\??\c:\ttbhth.exec:\ttbhth.exe84⤵PID:4736
-
\??\c:\lxllflx.exec:\lxllflx.exe85⤵PID:2908
-
\??\c:\ntbthn.exec:\ntbthn.exe86⤵PID:2200
-
\??\c:\tnhtnh.exec:\tnhtnh.exe87⤵PID:1176
-
\??\c:\jvjpd.exec:\jvjpd.exe88⤵PID:648
-
\??\c:\rrxxlrr.exec:\rrxxlrr.exe89⤵PID:3860
-
\??\c:\jdpjd.exec:\jdpjd.exe90⤵PID:2192
-
\??\c:\rflflfl.exec:\rflflfl.exe91⤵PID:2560
-
\??\c:\5lfxllx.exec:\5lfxllx.exe92⤵PID:4032
-
\??\c:\djjpd.exec:\djjpd.exe93⤵PID:2912
-
\??\c:\fxlxfxx.exec:\fxlxfxx.exe94⤵PID:3152
-
\??\c:\tbbhhh.exec:\tbbhhh.exe95⤵PID:2752
-
\??\c:\pjjjv.exec:\pjjjv.exe96⤵PID:4728
-
\??\c:\llllrfl.exec:\llllrfl.exe97⤵PID:4268
-
\??\c:\bhbbtb.exec:\bhbbtb.exe98⤵PID:1184
-
\??\c:\vvpvp.exec:\vvpvp.exe99⤵PID:3432
-
\??\c:\dvjdv.exec:\dvjdv.exe100⤵PID:2544
-
\??\c:\1xxxflr.exec:\1xxxflr.exe101⤵PID:4356
-
\??\c:\bthhnn.exec:\bthhnn.exe102⤵PID:952
-
\??\c:\9jvpj.exec:\9jvpj.exe103⤵PID:2360
-
\??\c:\1rxlfxl.exec:\1rxlfxl.exe104⤵PID:3676
-
\??\c:\nnnbbb.exec:\nnnbbb.exe105⤵PID:1624
-
\??\c:\1dppd.exec:\1dppd.exe106⤵PID:4000
-
\??\c:\xrffxxf.exec:\xrffxxf.exe107⤵PID:4796
-
\??\c:\nhtttt.exec:\nhtttt.exe108⤵PID:2588
-
\??\c:\vvjvp.exec:\vvjvp.exe109⤵PID:3976
-
\??\c:\dpdvj.exec:\dpdvj.exe110⤵PID:1604
-
\??\c:\ffffffx.exec:\ffffffx.exe111⤵PID:2776
-
\??\c:\hhhhtt.exec:\hhhhtt.exe112⤵PID:1824
-
\??\c:\vpdvp.exec:\vpdvp.exe113⤵PID:4408
-
\??\c:\xxffxlr.exec:\xxffxlr.exe114⤵
- System Location Discovery: System Language Discovery
PID:3008 -
\??\c:\7thhtt.exec:\7thhtt.exe115⤵PID:4964
-
\??\c:\rlrrrlx.exec:\rlrrrlx.exe116⤵PID:2512
-
\??\c:\ntbbbh.exec:\ntbbbh.exe117⤵PID:3884
-
\??\c:\5tnnbh.exec:\5tnnbh.exe118⤵PID:4760
-
\??\c:\rflfllf.exec:\rflfllf.exe119⤵PID:1844
-
\??\c:\5tnhhh.exec:\5tnhhh.exe120⤵PID:2872
-
\??\c:\pjddj.exec:\pjddj.exe121⤵PID:2896
-
\??\c:\rlllflf.exec:\rlllflf.exe122⤵PID:2076