Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 18:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe
Resource
win7-20241010-en
7 signatures
120 seconds (note: every signature and memory IoC shown below is tagged behavioral2, i.e. the Windows 10 run (win10v2004-20241007-en) described at the top of this page; results for the behavioral1 / Windows 7 task are not reproduced here, so do not assume the sample behaves identically on Windows 7)
General
-
Target
949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe
-
Size
454KB
-
MD5
e3a4dbcf27d4b64e126d834c63a21c62
-
SHA1
1ac94a8574337a2cc636ef31111370b04c1aa079
-
SHA256
949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7
-
SHA512
09d947e82a84631ebef6a25203eede57834941c86021bef933f47e448827eb8356bf9cbeedf99ab7818cdc89469f891c46540ead23bc44c9744971b9064ff4be
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs — every hit is a memory dump of the same 0x0000000000400000-0x000000000042A000 image region, one per process in the spawn chain below; the same dumps also match the generic `upx` YARA rule, so the file hashes listed above describe the packed sample on disk while the family match is against the in-memory (presumably unpacked) image. Repeated PIDs in the list (e.g. 1344, 2912, 3448 at different timestamps) indicate PID reuse by later links in the chain, not a single long-lived process.
resource yara_rule behavioral2/memory/1240-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1016-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4476-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-966-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3448-1003-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — each dropped binary is written to the volume root (`\??\c:\`, see the process tree below) under a different pseudo-random name drawn from a small alphabet (letters n/t/h/b/x/r/l/f/v/p/j/d plus digits); since no two names repeat, file-name IoCs are weak and detection should key on the behaviour instead (executables created and launched from `C:\` root, each spawning exactly one child of the same kind).
pid Process 228 3nnntn.exe 1904 xxxrllf.exe 5112 hhnhnh.exe 4168 rlllfff.exe 4560 vppjd.exe 2248 hnnbtt.exe 1300 vpppd.exe 3572 nntnnh.exe 856 jdjvp.exe 1848 bbbhhb.exe 2404 hnttnh.exe 3732 nthbnh.exe 1448 djvdv.exe 3780 hbntnn.exe 620 xxxlxlx.exe 2208 lxxrlxr.exe 1336 bhnhbb.exe 4328 rxxfxrr.exe 4548 tnhbtt.exe 2068 7pdvj.exe 4732 frxxrxr.exe 3564 3tbnhb.exe 4856 vvddv.exe 3516 btnnht.exe 964 3jpdp.exe 3476 3vjjj.exe 1060 3tnhnh.exe 2648 nntttt.exe 4660 tttbth.exe 2768 nbhbbb.exe 3584 9vvpd.exe 5064 frxrllf.exe 4412 9xlxlfr.exe 1016 5rlfxxx.exe 2912 bbnhbt.exe 2844 dvdpp.exe 3832 nbtnbt.exe 3448 7nttnb.exe 4540 3dpjd.exe 4912 1ffxffx.exe 388 9nnnhb.exe 3716 hbbtnn.exe 2888 ppjdp.exe 312 5llxlfr.exe 2056 bbbtnh.exe 2688 tnnhtt.exe 1504 5vdvj.exe 2188 lrlffxr.exe 2296 tthbhb.exe 4488 5tttnn.exe 5096 vjpjj.exe 4804 3llxlfr.exe 2292 htbhhh.exe 1640 dvvjd.exe 1868 5ddvp.exe 3316 9xxrrlx.exe 3736 9thbtt.exe 736 jvvjv.exe 2592 jddvj.exe 3536 xlfflxf.exe 5052 tbbtbb.exe 1460 7ddjv.exe 2328 7jvjj.exe 2528 rlfrrll.exe -
resource yara_rule behavioral2/memory/1240-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-188-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2912-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-373-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1112-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-766-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by opening `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`) in order to infer its geographical location. Note that many entries below are attributed to "Process not Found": the sandbox could not resolve the process name, most likely because the short-lived chain process had already exited by the time the event was recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — in every entry the writer is a chain process and the target PID is the child it has just created (three entries per parent/child pair, matching the "Executes dropped EXE" list), so this reflects the parent setting up its own new child rather than injection into an unrelated, pre-existing process; treat it as corroboration of the spawn chain, not as evidence of process injection.
description pid Process procid_target PID 1240 wrote to memory of 228 1240 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe 82 PID 1240 wrote to memory of 228 1240 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe 82 PID 1240 wrote to memory of 228 1240 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe 82 PID 228 wrote to memory of 1904 228 3nnntn.exe 83 PID 228 wrote to memory of 1904 228 3nnntn.exe 83 PID 228 wrote to memory of 1904 228 3nnntn.exe 83 PID 1904 wrote to memory of 5112 1904 xxxrllf.exe 84 PID 1904 wrote to memory of 5112 1904 xxxrllf.exe 84 PID 1904 wrote to memory of 5112 1904 xxxrllf.exe 84 PID 5112 wrote to memory of 4168 5112 hhnhnh.exe 85 PID 5112 wrote to memory of 4168 5112 hhnhnh.exe 85 PID 5112 wrote to memory of 4168 5112 hhnhnh.exe 85 PID 4168 wrote to memory of 4560 4168 rlllfff.exe 86 PID 4168 wrote to memory of 4560 4168 rlllfff.exe 86 PID 4168 wrote to memory of 4560 4168 rlllfff.exe 86 PID 4560 wrote to memory of 2248 4560 vppjd.exe 87 PID 4560 wrote to memory of 2248 4560 vppjd.exe 87 PID 4560 wrote to memory of 2248 4560 vppjd.exe 87 PID 2248 wrote to memory of 1300 2248 hnnbtt.exe 88 PID 2248 wrote to memory of 1300 2248 hnnbtt.exe 88 PID 2248 wrote to memory of 1300 2248 hnnbtt.exe 88 PID 1300 wrote to memory of 3572 1300 vpppd.exe 89 PID 1300 wrote to memory of 3572 1300 vpppd.exe 89 PID 1300 wrote to memory of 3572 1300 vpppd.exe 89 PID 3572 wrote to memory of 856 3572 nntnnh.exe 90 PID 3572 wrote to memory of 856 3572 nntnnh.exe 90 PID 3572 wrote to memory of 856 3572 nntnnh.exe 90 PID 856 wrote to memory of 1848 856 jdjvp.exe 91 PID 856 wrote to memory of 1848 856 jdjvp.exe 91 PID 856 wrote to memory of 1848 856 jdjvp.exe 91 PID 1848 wrote to memory of 2404 1848 bbbhhb.exe 92 PID 1848 wrote to memory of 2404 1848 bbbhhb.exe 92 PID 1848 wrote to memory of 2404 1848 bbbhhb.exe 92 PID 2404 wrote to memory of 3732 2404 hnttnh.exe 93 PID 2404 wrote to memory of 3732 2404 
hnttnh.exe 93 PID 2404 wrote to memory of 3732 2404 hnttnh.exe 93 PID 3732 wrote to memory of 1448 3732 nthbnh.exe 94 PID 3732 wrote to memory of 1448 3732 nthbnh.exe 94 PID 3732 wrote to memory of 1448 3732 nthbnh.exe 94 PID 1448 wrote to memory of 3780 1448 djvdv.exe 95 PID 1448 wrote to memory of 3780 1448 djvdv.exe 95 PID 1448 wrote to memory of 3780 1448 djvdv.exe 95 PID 3780 wrote to memory of 620 3780 hbntnn.exe 96 PID 3780 wrote to memory of 620 3780 hbntnn.exe 96 PID 3780 wrote to memory of 620 3780 hbntnn.exe 96 PID 620 wrote to memory of 2208 620 xxxlxlx.exe 97 PID 620 wrote to memory of 2208 620 xxxlxlx.exe 97 PID 620 wrote to memory of 2208 620 xxxlxlx.exe 97 PID 2208 wrote to memory of 1336 2208 lxxrlxr.exe 98 PID 2208 wrote to memory of 1336 2208 lxxrlxr.exe 98 PID 2208 wrote to memory of 1336 2208 lxxrlxr.exe 98 PID 1336 wrote to memory of 4328 1336 bhnhbb.exe 99 PID 1336 wrote to memory of 4328 1336 bhnhbb.exe 99 PID 1336 wrote to memory of 4328 1336 bhnhbb.exe 99 PID 4328 wrote to memory of 4548 4328 rxxfxrr.exe 100 PID 4328 wrote to memory of 4548 4328 rxxfxrr.exe 100 PID 4328 wrote to memory of 4548 4328 rxxfxrr.exe 100 PID 4548 wrote to memory of 2068 4548 tnhbtt.exe 101 PID 4548 wrote to memory of 2068 4548 tnhbtt.exe 101 PID 4548 wrote to memory of 2068 4548 tnhbtt.exe 101 PID 2068 wrote to memory of 4732 2068 7pdvj.exe 102 PID 2068 wrote to memory of 4732 2068 7pdvj.exe 102 PID 2068 wrote to memory of 4732 2068 7pdvj.exe 102 PID 4732 wrote to memory of 3564 4732 frxxrxr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe"C:\Users\Admin\AppData\Local\Temp\949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\3nnntn.exec:\3nnntn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\xxxrllf.exec:\xxxrllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\hhnhnh.exec:\hhnhnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\rlllfff.exec:\rlllfff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\vppjd.exec:\vppjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\hnnbtt.exec:\hnnbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\vpppd.exec:\vpppd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\nntnnh.exec:\nntnnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\jdjvp.exec:\jdjvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\bbbhhb.exec:\bbbhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\hnttnh.exec:\hnttnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\nthbnh.exec:\nthbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\djvdv.exec:\djvdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\hbntnn.exec:\hbntnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\xxxlxlx.exec:\xxxlxlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\lxxrlxr.exec:\lxxrlxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\bhnhbb.exec:\bhnhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\rxxfxrr.exec:\rxxfxrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\tnhbtt.exec:\tnhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\7pdvj.exec:\7pdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\frxxrxr.exec:\frxxrxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\3tbnhb.exec:\3tbnhb.exe23⤵
- Executes dropped EXE
PID:3564 -
\??\c:\vvddv.exec:\vvddv.exe24⤵
- Executes dropped EXE
PID:4856 -
\??\c:\btnnht.exec:\btnnht.exe25⤵
- Executes dropped EXE
PID:3516 -
\??\c:\3jpdp.exec:\3jpdp.exe26⤵
- Executes dropped EXE
PID:964 -
\??\c:\3vjjj.exec:\3vjjj.exe27⤵
- Executes dropped EXE
PID:3476 -
\??\c:\3tnhnh.exec:\3tnhnh.exe28⤵
- Executes dropped EXE
PID:1060 -
\??\c:\nntttt.exec:\nntttt.exe29⤵
- Executes dropped EXE
PID:2648 -
\??\c:\tttbth.exec:\tttbth.exe30⤵
- Executes dropped EXE
PID:4660 -
\??\c:\nbhbbb.exec:\nbhbbb.exe31⤵
- Executes dropped EXE
PID:2768 -
\??\c:\9vvpd.exec:\9vvpd.exe32⤵
- Executes dropped EXE
PID:3584 -
\??\c:\frxrllf.exec:\frxrllf.exe33⤵
- Executes dropped EXE
PID:5064 -
\??\c:\9xlxlfr.exec:\9xlxlfr.exe34⤵
- Executes dropped EXE
PID:4412 -
\??\c:\5rlfxxx.exec:\5rlfxxx.exe35⤵
- Executes dropped EXE
PID:1016 -
\??\c:\bbnhbt.exec:\bbnhbt.exe36⤵
- Executes dropped EXE
PID:2912 -
\??\c:\dvdpp.exec:\dvdpp.exe37⤵
- Executes dropped EXE
PID:2844 -
\??\c:\nbtnbt.exec:\nbtnbt.exe38⤵
- Executes dropped EXE
PID:3832 -
\??\c:\7nttnb.exec:\7nttnb.exe39⤵
- Executes dropped EXE
PID:3448 -
\??\c:\3dpjd.exec:\3dpjd.exe40⤵
- Executes dropped EXE
PID:4540 -
\??\c:\1ffxffx.exec:\1ffxffx.exe41⤵
- Executes dropped EXE
PID:4912 -
\??\c:\9nnnhb.exec:\9nnnhb.exe42⤵
- Executes dropped EXE
PID:388 -
\??\c:\hbbtnn.exec:\hbbtnn.exe43⤵
- Executes dropped EXE
PID:3716 -
\??\c:\ppjdp.exec:\ppjdp.exe44⤵
- Executes dropped EXE
PID:2888 -
\??\c:\5llxlfr.exec:\5llxlfr.exe45⤵
- Executes dropped EXE
PID:312 -
\??\c:\bbbtnh.exec:\bbbtnh.exe46⤵
- Executes dropped EXE
PID:2056 -
\??\c:\tnnhtt.exec:\tnnhtt.exe47⤵
- Executes dropped EXE
PID:2688 -
\??\c:\5vdvj.exec:\5vdvj.exe48⤵
- Executes dropped EXE
PID:1504 -
\??\c:\lrlffxr.exec:\lrlffxr.exe49⤵
- Executes dropped EXE
PID:2188 -
\??\c:\tthbhb.exec:\tthbhb.exe50⤵
- Executes dropped EXE
PID:2296 -
\??\c:\5tttnn.exec:\5tttnn.exe51⤵
- Executes dropped EXE
PID:4488 -
\??\c:\vjpjj.exec:\vjpjj.exe52⤵
- Executes dropped EXE
PID:5096 -
\??\c:\3llxlfr.exec:\3llxlfr.exe53⤵
- Executes dropped EXE
PID:4804 -
\??\c:\htbhhh.exec:\htbhhh.exe54⤵
- Executes dropped EXE
PID:2292 -
\??\c:\dvvjd.exec:\dvvjd.exe55⤵
- Executes dropped EXE
PID:1640 -
\??\c:\5ddvp.exec:\5ddvp.exe56⤵
- Executes dropped EXE
PID:1868 -
\??\c:\9xxrrlx.exec:\9xxrrlx.exe57⤵
- Executes dropped EXE
PID:3316 -
\??\c:\9thbtt.exec:\9thbtt.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3736 -
\??\c:\jvvjv.exec:\jvvjv.exe59⤵
- Executes dropped EXE
PID:736 -
\??\c:\jddvj.exec:\jddvj.exe60⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xlfflxf.exec:\xlfflxf.exe61⤵
- Executes dropped EXE
PID:3536 -
\??\c:\tbbtbb.exec:\tbbtbb.exe62⤵
- Executes dropped EXE
PID:5052 -
\??\c:\7ddjv.exec:\7ddjv.exe63⤵
- Executes dropped EXE
PID:1460 -
\??\c:\7jvjj.exec:\7jvjj.exe64⤵
- Executes dropped EXE
PID:2328 -
\??\c:\rlfrrll.exec:\rlfrrll.exe65⤵
- Executes dropped EXE
PID:2528 -
\??\c:\5thtbt.exec:\5thtbt.exe66⤵PID:3508
-
\??\c:\vpjdd.exec:\vpjdd.exe67⤵PID:3372
-
\??\c:\3xlfxxx.exec:\3xlfxxx.exe68⤵PID:3432
-
\??\c:\lfflfll.exec:\lfflfll.exe69⤵PID:824
-
\??\c:\bnnhtb.exec:\bnnhtb.exe70⤵PID:1444
-
\??\c:\ppvpj.exec:\ppvpj.exe71⤵PID:1168
-
\??\c:\9vvvv.exec:\9vvvv.exe72⤵PID:3948
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe73⤵PID:2196
-
\??\c:\nhnnhh.exec:\nhnnhh.exe74⤵PID:3368
-
\??\c:\dpppj.exec:\dpppj.exe75⤵PID:1616
-
\??\c:\5pjdd.exec:\5pjdd.exe76⤵PID:4980
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe77⤵PID:2408
-
\??\c:\hhnhhh.exec:\hhnhhh.exe78⤵PID:2868
-
\??\c:\vpdpp.exec:\vpdpp.exe79⤵PID:3960
-
\??\c:\ddjvp.exec:\ddjvp.exe80⤵PID:3616
-
\??\c:\9llllxx.exec:\9llllxx.exe81⤵PID:1924
-
\??\c:\nhbnhb.exec:\nhbnhb.exe82⤵PID:876
-
\??\c:\jvvpv.exec:\jvvpv.exe83⤵PID:4732
-
\??\c:\frfrlff.exec:\frfrlff.exe84⤵PID:4692
-
\??\c:\pjdjv.exec:\pjdjv.exe85⤵PID:4112
-
\??\c:\dvjjv.exec:\dvjjv.exe86⤵PID:2732
-
\??\c:\frrlfxr.exec:\frrlfxr.exe87⤵PID:4476
-
\??\c:\thhbtt.exec:\thhbtt.exe88⤵PID:4424
-
\??\c:\1vvjj.exec:\1vvjj.exe89⤵
- System Location Discovery: System Language Discovery
PID:2284 -
\??\c:\pvvpp.exec:\pvvpp.exe90⤵PID:1068
-
\??\c:\frxrffx.exec:\frxrffx.exe91⤵PID:4564
-
\??\c:\btbbhh.exec:\btbbhh.exe92⤵PID:396
-
\??\c:\vjdpj.exec:\vjdpj.exe93⤵PID:5012
-
\??\c:\9dvpd.exec:\9dvpd.exe94⤵PID:3956
-
\??\c:\9lflrlf.exec:\9lflrlf.exe95⤵PID:1112
-
\??\c:\3tbtht.exec:\3tbtht.exe96⤵PID:3320
-
\??\c:\7vpdp.exec:\7vpdp.exe97⤵PID:4568
-
\??\c:\pvjjd.exec:\pvjjd.exe98⤵
- System Location Discovery: System Language Discovery
PID:5064 -
\??\c:\llxrrrr.exec:\llxrrrr.exe99⤵PID:2244
-
\??\c:\3ntbhn.exec:\3ntbhn.exe100⤵PID:2168
-
\??\c:\dppdv.exec:\dppdv.exe101⤵PID:1304
-
\??\c:\1rxlfxx.exec:\1rxlfxx.exe102⤵PID:4044
-
\??\c:\xffrflx.exec:\xffrflx.exe103⤵PID:4648
-
\??\c:\nhtnbb.exec:\nhtnbb.exe104⤵PID:3792
-
\??\c:\7pjvj.exec:\7pjvj.exe105⤵PID:3172
-
\??\c:\vjjdp.exec:\vjjdp.exe106⤵PID:4936
-
\??\c:\5xxlfxx.exec:\5xxlfxx.exe107⤵PID:4728
-
\??\c:\hbhbtt.exec:\hbhbtt.exe108⤵PID:4132
-
\??\c:\7vdvv.exec:\7vdvv.exe109⤵PID:560
-
\??\c:\dpvdv.exec:\dpvdv.exe110⤵PID:4944
-
\??\c:\9lfxlfx.exec:\9lfxlfx.exe111⤵PID:3656
-
\??\c:\hbtnhh.exec:\hbtnhh.exe112⤵PID:2864
-
\??\c:\vpjdp.exec:\vpjdp.exe113⤵PID:4872
-
\??\c:\pdjdd.exec:\pdjdd.exe114⤵PID:3532
-
\??\c:\frxrlfx.exec:\frxrlfx.exe115⤵PID:4736
-
\??\c:\hbhbnn.exec:\hbhbnn.exe116⤵PID:4688
-
\??\c:\jjjdv.exec:\jjjdv.exe117⤵PID:244
-
\??\c:\pddpd.exec:\pddpd.exe118⤵PID:3544
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe119⤵PID:1240
-
\??\c:\hbhbtt.exec:\hbhbtt.exe120⤵PID:4608
-
\??\c:\pppjd.exec:\pppjd.exe121⤵PID:228
-
\??\c:\1ffrrll.exec:\1ffrrll.exe122⤵PID:3340