Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 02:00
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9526d940a6ed841f3c7866c10c3a4f65a3baed7dd8edcbe16bab05b9ac56af26.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
9526d940a6ed841f3c7866c10c3a4f65a3baed7dd8edcbe16bab05b9ac56af26.exe
-
Size
453KB
-
MD5
c6fbc3babf1a902730ec36e3fbf475f8
-
SHA1
c644eb4d9fb880ba759eb5ad5c11fe4a6119f868
-
SHA256
9526d940a6ed841f3c7866c10c3a4f65a3baed7dd8edcbe16bab05b9ac56af26
-
SHA512
8c5652dfc434c6061be2f8502342b2f67a4481b3a120d7bb54b33bfcb2a3fdc9a8501a710c25596f43ba7c44807cb767da9e748f0e377d4048df4973b1fec8e1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs (every match below covers the same 0x0000000000400000-0x000000000042A000 image range in a different spawned process, consistent with each dropped file being a copy of one payload rather than 61 distinct artefacts)
resource yara_rule behavioral2/memory/4900-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3988-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4380-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-937-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-956-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-1114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-1235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-1464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs. Each dropped binary is written to the root of c:\ under a short name built from the letters b/d/f/h/j/l/n/p/r/t/v/x (sometimes with a leading digit) and launches the next one, giving the linear parent-to-child chain in the process tree below; process creations from c:\ with names of that shape are the practical hunting signal.
pid Process 3532 vvjjp.exe 2780 nbhtbt.exe 1424 jdjjj.exe 3572 fffxxxx.exe 3604 tthnnt.exe 4052 nnbttb.exe 4804 vvjjd.exe 2724 rllllll.exe 4048 tnbttt.exe 4680 vpjvd.exe 3316 pvpdj.exe 4340 ffxxxff.exe 2452 7bbhbh.exe 4304 ttbhhh.exe 4648 ddpdp.exe 4716 rrrlllr.exe 1544 xlxrrrr.exe 3816 1hnnnn.exe 5096 dvpdv.exe 4424 vpvvv.exe 4632 xxfllll.exe 4992 9bhhbh.exe 5012 bthbhh.exe 1628 ppppp.exe 112 7llfxff.exe 4056 fflllrr.exe 1860 bbhhhn.exe 2808 dpvvp.exe 3448 vpvvj.exe 2020 fllllll.exe 4784 tbbtbn.exe 3012 1bnnnn.exe 4176 ddjdp.exe 3988 rlrllll.exe 2552 xflxrff.exe 1156 7bnnhb.exe 4600 ppdvv.exe 1180 pjpdd.exe 4200 xlxxxxr.exe 4156 bbhbbb.exe 3452 nbbbhn.exe 5004 jvjjj.exe 3708 3lxxxxl.exe 3668 lfxxrrl.exe 5016 5hnhhh.exe 4980 vjvpp.exe 3552 jjvvd.exe 4848 xrxxrrl.exe 2340 xxfflxx.exe 3648 bbhhhh.exe 2388 jdvvd.exe 2708 ppddj.exe 4708 frfxrrl.exe 2304 hbnnnn.exe 4012 9tbbtb.exe 4188 3jppp.exe 3496 xfxxlrf.exe 4924 9llllrr.exe 4660 hhnhhn.exe 4616 jjvvj.exe 4724 vvddd.exe 4488 9xfrlrl.exe 412 hbhhhh.exe 2496 ntnntb.exe -
Matches the `upx` yara rule (UPX-style packing) 64 IoCs. The packer match covers the same in-memory image range as the Blackmoon matches above, so expect to unpack before static triage; whether a stock UPX unpacker handles it cannot be told from this report.
resource yara_rule behavioral2/memory/4900-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2020-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-382-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2020-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-956-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-1005-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-1114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-1235-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also routine for ordinary runtime initialisation, so this signature is a weak indicator on its own; the "Process not Found" rows appear to be reads whose originating process had already exited before it could be attributed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. Every writer/target pair below is also a parent/child pair in the process tree, and each pair is logged three times, so these writes are consistent with the normal drop-and-execute chain rather than injection into an unrelated process; do not treat this signature alone as evidence of process injection.
description pid Process procid_target PID 4900 wrote to memory of 3532 4900 9526d940a6ed841f3c7866c10c3a4f65a3baed7dd8edcbe16bab05b9ac56af26.exe 83 PID 4900 wrote to memory of 3532 4900 9526d940a6ed841f3c7866c10c3a4f65a3baed7dd8edcbe16bab05b9ac56af26.exe 83 PID 4900 wrote to memory of 3532 4900 9526d940a6ed841f3c7866c10c3a4f65a3baed7dd8edcbe16bab05b9ac56af26.exe 83 PID 3532 wrote to memory of 2780 3532 vvjjp.exe 84 PID 3532 wrote to memory of 2780 3532 vvjjp.exe 84 PID 3532 wrote to memory of 2780 3532 vvjjp.exe 84 PID 2780 wrote to memory of 1424 2780 nbhtbt.exe 85 PID 2780 wrote to memory of 1424 2780 nbhtbt.exe 85 PID 2780 wrote to memory of 1424 2780 nbhtbt.exe 85 PID 1424 wrote to memory of 3572 1424 jdjjj.exe 86 PID 1424 wrote to memory of 3572 1424 jdjjj.exe 86 PID 1424 wrote to memory of 3572 1424 jdjjj.exe 86 PID 3572 wrote to memory of 3604 3572 fffxxxx.exe 87 PID 3572 wrote to memory of 3604 3572 fffxxxx.exe 87 PID 3572 wrote to memory of 3604 3572 fffxxxx.exe 87 PID 3604 wrote to memory of 4052 3604 tthnnt.exe 88 PID 3604 wrote to memory of 4052 3604 tthnnt.exe 88 PID 3604 wrote to memory of 4052 3604 tthnnt.exe 88 PID 4052 wrote to memory of 4804 4052 nnbttb.exe 89 PID 4052 wrote to memory of 4804 4052 nnbttb.exe 89 PID 4052 wrote to memory of 4804 4052 nnbttb.exe 89 PID 4804 wrote to memory of 2724 4804 vvjjd.exe 90 PID 4804 wrote to memory of 2724 4804 vvjjd.exe 90 PID 4804 wrote to memory of 2724 4804 vvjjd.exe 90 PID 2724 wrote to memory of 4048 2724 rllllll.exe 91 PID 2724 wrote to memory of 4048 2724 rllllll.exe 91 PID 2724 wrote to memory of 4048 2724 rllllll.exe 91 PID 4048 wrote to memory of 4680 4048 tnbttt.exe 156 PID 4048 wrote to memory of 4680 4048 tnbttt.exe 156 PID 4048 wrote to memory of 4680 4048 tnbttt.exe 156 PID 4680 wrote to memory of 3316 4680 vpjvd.exe 93 PID 4680 wrote to memory of 3316 4680 vpjvd.exe 93 PID 4680 wrote to memory of 3316 4680 vpjvd.exe 93 PID 3316 wrote to memory of 4340 3316 pvpdj.exe 158 PID 3316 wrote to 
memory of 4340 3316 pvpdj.exe 158 PID 3316 wrote to memory of 4340 3316 pvpdj.exe 158 PID 4340 wrote to memory of 2452 4340 ffxxxff.exe 95 PID 4340 wrote to memory of 2452 4340 ffxxxff.exe 95 PID 4340 wrote to memory of 2452 4340 ffxxxff.exe 95 PID 2452 wrote to memory of 4304 2452 7bbhbh.exe 96 PID 2452 wrote to memory of 4304 2452 7bbhbh.exe 96 PID 2452 wrote to memory of 4304 2452 7bbhbh.exe 96 PID 4304 wrote to memory of 4648 4304 ttbhhh.exe 160 PID 4304 wrote to memory of 4648 4304 ttbhhh.exe 160 PID 4304 wrote to memory of 4648 4304 ttbhhh.exe 160 PID 4648 wrote to memory of 4716 4648 ddpdp.exe 98 PID 4648 wrote to memory of 4716 4648 ddpdp.exe 98 PID 4648 wrote to memory of 4716 4648 ddpdp.exe 98 PID 4716 wrote to memory of 1544 4716 rrrlllr.exe 99 PID 4716 wrote to memory of 1544 4716 rrrlllr.exe 99 PID 4716 wrote to memory of 1544 4716 rrrlllr.exe 99 PID 1544 wrote to memory of 3816 1544 xlxrrrr.exe 100 PID 1544 wrote to memory of 3816 1544 xlxrrrr.exe 100 PID 1544 wrote to memory of 3816 1544 xlxrrrr.exe 100 PID 3816 wrote to memory of 5096 3816 1hnnnn.exe 101 PID 3816 wrote to memory of 5096 3816 1hnnnn.exe 101 PID 3816 wrote to memory of 5096 3816 1hnnnn.exe 101 PID 5096 wrote to memory of 4424 5096 dvpdv.exe 102 PID 5096 wrote to memory of 4424 5096 dvpdv.exe 102 PID 5096 wrote to memory of 4424 5096 dvpdv.exe 102 PID 4424 wrote to memory of 4632 4424 vpvvv.exe 103 PID 4424 wrote to memory of 4632 4424 vpvvv.exe 103 PID 4424 wrote to memory of 4632 4424 vpvvv.exe 103 PID 4632 wrote to memory of 4992 4632 xxfllll.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9526d940a6ed841f3c7866c10c3a4f65a3baed7dd8edcbe16bab05b9ac56af26.exe — command line: "C:\Users\Admin\AppData\Local\Temp\9526d940a6ed841f3c7866c10c3a4f65a3baed7dd8edcbe16bab05b9ac56af26.exe" (tree depth 1)
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\vvjjp.exec:\vvjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\nbhtbt.exec:\nbhtbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\jdjjj.exec:\jdjjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\fffxxxx.exec:\fffxxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\tthnnt.exec:\tthnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\nnbttb.exec:\nnbttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\vvjjd.exec:\vvjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\rllllll.exec:\rllllll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\tnbttt.exec:\tnbttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\vpjvd.exec:\vpjvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\pvpdj.exec:\pvpdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\ffxxxff.exec:\ffxxxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\7bbhbh.exec:\7bbhbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\ttbhhh.exec:\ttbhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\ddpdp.exec:\ddpdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\rrrlllr.exec:\rrrlllr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\xlxrrrr.exec:\xlxrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\1hnnnn.exec:\1hnnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\dvpdv.exec:\dvpdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\vpvvv.exec:\vpvvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\xxfllll.exec:\xxfllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\9bhhbh.exec:\9bhhbh.exe23⤵
- Executes dropped EXE
PID:4992 -
\??\c:\bthbhh.exec:\bthbhh.exe24⤵
- Executes dropped EXE
PID:5012 -
\??\c:\ppppp.exec:\ppppp.exe25⤵
- Executes dropped EXE
PID:1628 -
\??\c:\7llfxff.exec:\7llfxff.exe26⤵
- Executes dropped EXE
PID:112 -
\??\c:\fflllrr.exec:\fflllrr.exe27⤵
- Executes dropped EXE
PID:4056 -
\??\c:\bbhhhn.exec:\bbhhhn.exe28⤵
- Executes dropped EXE
PID:1860 -
\??\c:\dpvvp.exec:\dpvvp.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
\??\c:\vpvvj.exec:\vpvvj.exe30⤵
- Executes dropped EXE
PID:3448 -
\??\c:\fllllll.exec:\fllllll.exe31⤵
- Executes dropped EXE
PID:2020 -
\??\c:\tbbtbn.exec:\tbbtbn.exe32⤵
- Executes dropped EXE
PID:4784 -
\??\c:\1bnnnn.exec:\1bnnnn.exe33⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ddjdp.exec:\ddjdp.exe34⤵
- Executes dropped EXE
PID:4176 -
\??\c:\rlrllll.exec:\rlrllll.exe35⤵
- Executes dropped EXE
PID:3988 -
\??\c:\xflxrff.exec:\xflxrff.exe36⤵
- Executes dropped EXE
PID:2552 -
\??\c:\7bnnhb.exec:\7bnnhb.exe37⤵
- Executes dropped EXE
PID:1156 -
\??\c:\ppdvv.exec:\ppdvv.exe38⤵
- Executes dropped EXE
PID:4600 -
\??\c:\pjpdd.exec:\pjpdd.exe39⤵
- Executes dropped EXE
PID:1180 -
\??\c:\xlxxxxr.exec:\xlxxxxr.exe40⤵
- Executes dropped EXE
PID:4200 -
\??\c:\bbhbbb.exec:\bbhbbb.exe41⤵
- Executes dropped EXE
PID:4156 -
\??\c:\nbbbhn.exec:\nbbbhn.exe42⤵
- Executes dropped EXE
PID:3452 -
\??\c:\jvjjj.exec:\jvjjj.exe43⤵
- Executes dropped EXE
PID:5004 -
\??\c:\3lxxxxl.exec:\3lxxxxl.exe44⤵
- Executes dropped EXE
PID:3708 -
\??\c:\lfxxrrl.exec:\lfxxrrl.exe45⤵
- Executes dropped EXE
PID:3668 -
\??\c:\5hnhhh.exec:\5hnhhh.exe46⤵
- Executes dropped EXE
PID:5016 -
\??\c:\vjvpp.exec:\vjvpp.exe47⤵
- Executes dropped EXE
PID:4980 -
\??\c:\jjvvd.exec:\jjvvd.exe48⤵
- Executes dropped EXE
PID:3552 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe49⤵
- Executes dropped EXE
PID:4848 -
\??\c:\xxfflxx.exec:\xxfflxx.exe50⤵
- Executes dropped EXE
PID:2340 -
\??\c:\bbhhhh.exec:\bbhhhh.exe51⤵
- Executes dropped EXE
PID:3648 -
\??\c:\jdvvd.exec:\jdvvd.exe52⤵
- Executes dropped EXE
PID:2388 -
\??\c:\ppddj.exec:\ppddj.exe53⤵
- Executes dropped EXE
PID:2708 -
\??\c:\frfxrrl.exec:\frfxrrl.exe54⤵
- Executes dropped EXE
PID:4708 -
\??\c:\hbnnnn.exec:\hbnnnn.exe55⤵
- Executes dropped EXE
PID:2304 -
\??\c:\9tbbtb.exec:\9tbbtb.exe56⤵
- Executes dropped EXE
PID:4012 -
\??\c:\3jppp.exec:\3jppp.exe57⤵
- Executes dropped EXE
PID:4188 -
\??\c:\xfxxlrf.exec:\xfxxlrf.exe58⤵
- Executes dropped EXE
PID:3496 -
\??\c:\9llllrr.exec:\9llllrr.exe59⤵
- Executes dropped EXE
PID:4924 -
\??\c:\hhnhhn.exec:\hhnhhn.exe60⤵
- Executes dropped EXE
PID:4660 -
\??\c:\jjvvj.exec:\jjvvj.exe61⤵
- Executes dropped EXE
PID:4616 -
\??\c:\vvddd.exec:\vvddd.exe62⤵
- Executes dropped EXE
PID:4724 -
\??\c:\9xfrlrl.exec:\9xfrlrl.exe63⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hbhhhh.exec:\hbhhhh.exe64⤵
- Executes dropped EXE
PID:412 -
\??\c:\ntnntb.exec:\ntnntb.exe65⤵
- Executes dropped EXE
PID:2496 -
\??\c:\pjdvv.exec:\pjdvv.exe66⤵PID:3488
-
\??\c:\xfrrrll.exec:\xfrrrll.exe67⤵PID:1356
-
\??\c:\hbnhhn.exec:\hbnhhn.exe68⤵PID:4664
-
\??\c:\ntntbh.exec:\ntntbh.exe69⤵PID:2664
-
\??\c:\vdjdd.exec:\vdjdd.exe70⤵PID:3948
-
\??\c:\1rxrrff.exec:\1rxrrff.exe71⤵PID:1160
-
\??\c:\xxllflf.exec:\xxllflf.exe72⤵PID:1924
-
\??\c:\hnbhbh.exec:\hnbhbh.exe73⤵PID:2784
-
\??\c:\vvjjv.exec:\vvjjv.exe74⤵PID:4676
-
\??\c:\9frrllx.exec:\9frrllx.exe75⤵PID:4680
-
\??\c:\llrrrrr.exec:\llrrrrr.exe76⤵PID:4380
-
\??\c:\nnttnb.exec:\nnttnb.exe77⤵PID:4340
-
\??\c:\vjdvv.exec:\vjdvv.exe78⤵PID:2744
-
\??\c:\lflrlrr.exec:\lflrlrr.exe79⤵PID:4648
-
\??\c:\bhhhhh.exec:\bhhhhh.exe80⤵PID:4524
-
\??\c:\jpvvp.exec:\jpvvp.exe81⤵PID:4948
-
\??\c:\vpdjj.exec:\vpdjj.exe82⤵PID:1788
-
\??\c:\7llfxxx.exec:\7llfxxx.exe83⤵PID:3528
-
\??\c:\thtnnn.exec:\thtnnn.exe84⤵PID:3476
-
\??\c:\tbbbtb.exec:\tbbbtb.exe85⤵PID:4024
-
\??\c:\djppj.exec:\djppj.exe86⤵PID:3584
-
\??\c:\fflffff.exec:\fflffff.exe87⤵PID:2196
-
\??\c:\bbnttb.exec:\bbnttb.exe88⤵PID:2504
-
\??\c:\9lxrrxx.exec:\9lxrrxx.exe89⤵PID:464
-
\??\c:\9htttt.exec:\9htttt.exe90⤵PID:532
-
\??\c:\ppvvv.exec:\ppvvv.exe91⤵PID:948
-
\??\c:\llfrlll.exec:\llfrlll.exe92⤵PID:2020
-
\??\c:\llrlfff.exec:\llrlfff.exe93⤵PID:3012
-
\??\c:\ntttbb.exec:\ntttbb.exe94⤵PID:4176
-
\??\c:\jvjjj.exec:\jvjjj.exe95⤵PID:4080
-
\??\c:\rrlllrr.exec:\rrlllrr.exe96⤵PID:2552
-
\??\c:\vdjpp.exec:\vdjpp.exe97⤵PID:812
-
\??\c:\7flfxxx.exec:\7flfxxx.exe98⤵PID:1920
-
\??\c:\vpvpv.exec:\vpvpv.exe99⤵PID:1872
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe100⤵PID:4624
-
\??\c:\jdjdd.exec:\jdjdd.exe101⤵PID:2136
-
\??\c:\hhnnnn.exec:\hhnnnn.exe102⤵PID:1840
-
\??\c:\pjddj.exec:\pjddj.exe103⤵PID:2308
-
\??\c:\flfffxx.exec:\flfffxx.exe104⤵PID:4920
-
\??\c:\vvppd.exec:\vvppd.exe105⤵PID:3552
-
\??\c:\lfllffx.exec:\lfllffx.exe106⤵PID:5112
-
\??\c:\hhnhhh.exec:\hhnhhh.exe107⤵PID:4032
-
\??\c:\tttnnh.exec:\tttnnh.exe108⤵PID:5080
-
\??\c:\rxffflr.exec:\rxffflr.exe109⤵PID:2992
-
\??\c:\frrrrlf.exec:\frrrrlf.exe110⤵PID:4144
-
\??\c:\rlxxfff.exec:\rlxxfff.exe111⤵PID:4184
-
\??\c:\nhttnh.exec:\nhttnh.exe112⤵PID:1516
-
\??\c:\thhnnt.exec:\thhnnt.exe113⤵PID:4012
-
\??\c:\vdvvj.exec:\vdvvj.exe114⤵PID:2560
-
\??\c:\rlxlfll.exec:\rlxlfll.exe115⤵PID:4188
-
\??\c:\ttbnhh.exec:\ttbnhh.exe116⤵PID:2376
-
\??\c:\hhhhhh.exec:\hhhhhh.exe117⤵PID:432
-
\??\c:\vdvvp.exec:\vdvvp.exe118⤵PID:5076
-
\??\c:\xxrrfll.exec:\xxrrfll.exe119⤵PID:2584
-
\??\c:\nttbnn.exec:\nttbnn.exe120⤵PID:8
-
\??\c:\jpddp.exec:\jpddp.exe121⤵PID:4160
-
\??\c:\dvvvd.exec:\dvvvd.exe122⤵PID:648