Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe
Resource
win7-20240903-en
7 signatures
150 seconds
Note: the platform and resource fields at the top of this page (windows10-2004_x64, win10v2004-20241007-en) and every IoC path in the signature tables below (behavioral2/memory/...) refer to a second behavioral task, behavioral2, whose task entry is not reproduced here. The signatures that follow therefore appear to come from the Windows 10 run rather than from the Windows 7 task listed above; treat behavioral1's "7 signatures" count as a separate result.
General
-
Target
983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe
-
Size
454KB
-
MD5
6718fd2576a8af410c2e2d32c2b6c508
-
SHA1
c1f6803bbc9823304d616dbfdbe33fb4cf5ded7c
-
SHA256
983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec
-
SHA512
e7d8992ba4fea854c7324a00b365edd6d21aced86f5d01a40ee5b24a5631168677f97f1f6c8bd836b87c9fa739cee222f8209a1579436f961844d3c5ec974e64
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1:q7Tc2NYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Every hit is the same 0x0000000000400000–0x000000000042A000 image range, and the same dumps also match the `upx` yara rule further down, which is consistent with each dropped executable being a copy of one UPX-packed image rather than distinct payloads. PIDs are reused during the run (4592 is the initial sample in the process tree and later 9vjvj.exe; 1176, 3356 and 2400 likewise appear twice), so a dump is identified by its full `<pid>-<index>` name, not by the PID alone.
resource yara_rule behavioral2/memory/4592-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3700-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2152-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-921-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-973-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-1187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-1654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1964-1830-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
All of the dropped binaries are written to and launched from the root of the system drive (`\??\c:\<name>.exe` in the process tree below) with short names drawn from the letters b d f h j l n p r t v x, optionally prefixed by a digit; each one spawns the next, producing the 120-plus-deep chain shown. Executables running from the root of `C:\` with names of that shape are a usable hunting pivot for this family.
pid Process 3356 vdjdd.exe 468 ntthhb.exe 1440 5ntnbb.exe 436 9lffxxr.exe 3672 jjddv.exe 4040 tbhbbb.exe 3944 pdvvd.exe 1604 xffxxxx.exe 4932 nhnhbt.exe 2124 7djdv.exe 1760 xxfxrrl.exe 1176 xxfxlfl.exe 1976 rfrrlll.exe 2364 nhhbtt.exe 4016 1rlrlll.exe 1668 ppjdv.exe 4008 1xxfxlf.exe 4840 rrrlfxx.exe 2204 bhtnnn.exe 4820 rlllfxr.exe 3864 bnbtnh.exe 2400 3ddpp.exe 3912 tbbbth.exe 4260 xrrffrr.exe 3952 nbtttn.exe 2020 xfllffx.exe 1476 vpdpv.exe 1404 btbttt.exe 4880 rrflfff.exe 2824 7ththh.exe 4900 frxxxxr.exe 1104 ttbbhh.exe 4852 htnnhn.exe 3700 bthhht.exe 1964 vvddd.exe 4836 xxlfrxf.exe 3480 lxfxxfx.exe 5036 jdvpv.exe 1536 xfllrrf.exe 3512 nhhbbb.exe 960 dvddd.exe 4368 ffxrlfx.exe 1172 tntnhh.exe 2148 jvjjd.exe 1432 3xfxfxr.exe 2384 jdjvv.exe 4532 rxfxrrl.exe 116 nthbhh.exe 4592 9vjvj.exe 1296 xfllxxf.exe 1860 hnbbtt.exe 1428 7vdvp.exe 2696 rxfxrrl.exe 2884 bhtntt.exe 2032 vppjj.exe 3676 5rfxrrl.exe 2648 tbttnh.exe 4696 9ntnhb.exe 968 3jdvp.exe 3784 lffxrll.exe 4000 nnnhbt.exe 2728 9pvpj.exe 3548 rlflflf.exe 2724 fxfxlll.exe -
resource yara_rule behavioral2/memory/4592-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2824-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-393-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3736-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-634-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. The only IoC here is a read of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`; benign runtime and locale-initialisation code reads this key too, so it is low-fidelity on its own and mainly useful to corroborate the chained execution above. An entry whose process is shown as "Process not Found" is most likely a read whose originating process had already exited before the sandbox could resolve its PID.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Each entry below is a parent writing into the address space of the child it has just created (three identical records per parent/child pair, matching the process tree), which is consistent with writes made during process creation. In this report the signature therefore reflects the self-replicating spawn chain rather than injection into an unrelated, pre-existing process.
description pid Process procid_target PID 4592 wrote to memory of 3356 4592 983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe 83 PID 4592 wrote to memory of 3356 4592 983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe 83 PID 4592 wrote to memory of 3356 4592 983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe 83 PID 3356 wrote to memory of 468 3356 vdjdd.exe 84 PID 3356 wrote to memory of 468 3356 vdjdd.exe 84 PID 3356 wrote to memory of 468 3356 vdjdd.exe 84 PID 468 wrote to memory of 1440 468 ntthhb.exe 85 PID 468 wrote to memory of 1440 468 ntthhb.exe 85 PID 468 wrote to memory of 1440 468 ntthhb.exe 85 PID 1440 wrote to memory of 436 1440 5ntnbb.exe 86 PID 1440 wrote to memory of 436 1440 5ntnbb.exe 86 PID 1440 wrote to memory of 436 1440 5ntnbb.exe 86 PID 436 wrote to memory of 3672 436 9lffxxr.exe 87 PID 436 wrote to memory of 3672 436 9lffxxr.exe 87 PID 436 wrote to memory of 3672 436 9lffxxr.exe 87 PID 3672 wrote to memory of 4040 3672 jjddv.exe 88 PID 3672 wrote to memory of 4040 3672 jjddv.exe 88 PID 3672 wrote to memory of 4040 3672 jjddv.exe 88 PID 4040 wrote to memory of 3944 4040 tbhbbb.exe 89 PID 4040 wrote to memory of 3944 4040 tbhbbb.exe 89 PID 4040 wrote to memory of 3944 4040 tbhbbb.exe 89 PID 3944 wrote to memory of 1604 3944 pdvvd.exe 90 PID 3944 wrote to memory of 1604 3944 pdvvd.exe 90 PID 3944 wrote to memory of 1604 3944 pdvvd.exe 90 PID 1604 wrote to memory of 4932 1604 xffxxxx.exe 91 PID 1604 wrote to memory of 4932 1604 xffxxxx.exe 91 PID 1604 wrote to memory of 4932 1604 xffxxxx.exe 91 PID 4932 wrote to memory of 2124 4932 nhnhbt.exe 92 PID 4932 wrote to memory of 2124 4932 nhnhbt.exe 92 PID 4932 wrote to memory of 2124 4932 nhnhbt.exe 92 PID 2124 wrote to memory of 1760 2124 7djdv.exe 93 PID 2124 wrote to memory of 1760 2124 7djdv.exe 93 PID 2124 wrote to memory of 1760 2124 7djdv.exe 93 PID 1760 wrote to memory of 1176 1760 xxfxrrl.exe 94 PID 1760 wrote to memory of 1176 1760 
xxfxrrl.exe 94 PID 1760 wrote to memory of 1176 1760 xxfxrrl.exe 94 PID 1176 wrote to memory of 1976 1176 xxfxlfl.exe 95 PID 1176 wrote to memory of 1976 1176 xxfxlfl.exe 95 PID 1176 wrote to memory of 1976 1176 xxfxlfl.exe 95 PID 1976 wrote to memory of 2364 1976 rfrrlll.exe 96 PID 1976 wrote to memory of 2364 1976 rfrrlll.exe 96 PID 1976 wrote to memory of 2364 1976 rfrrlll.exe 96 PID 2364 wrote to memory of 4016 2364 nhhbtt.exe 97 PID 2364 wrote to memory of 4016 2364 nhhbtt.exe 97 PID 2364 wrote to memory of 4016 2364 nhhbtt.exe 97 PID 4016 wrote to memory of 1668 4016 1rlrlll.exe 98 PID 4016 wrote to memory of 1668 4016 1rlrlll.exe 98 PID 4016 wrote to memory of 1668 4016 1rlrlll.exe 98 PID 1668 wrote to memory of 4008 1668 ppjdv.exe 99 PID 1668 wrote to memory of 4008 1668 ppjdv.exe 99 PID 1668 wrote to memory of 4008 1668 ppjdv.exe 99 PID 4008 wrote to memory of 4840 4008 1xxfxlf.exe 100 PID 4008 wrote to memory of 4840 4008 1xxfxlf.exe 100 PID 4008 wrote to memory of 4840 4008 1xxfxlf.exe 100 PID 4840 wrote to memory of 2204 4840 rrrlfxx.exe 101 PID 4840 wrote to memory of 2204 4840 rrrlfxx.exe 101 PID 4840 wrote to memory of 2204 4840 rrrlfxx.exe 101 PID 2204 wrote to memory of 4820 2204 bhtnnn.exe 102 PID 2204 wrote to memory of 4820 2204 bhtnnn.exe 102 PID 2204 wrote to memory of 4820 2204 bhtnnn.exe 102 PID 4820 wrote to memory of 3864 4820 rlllfxr.exe 103 PID 4820 wrote to memory of 3864 4820 rlllfxr.exe 103 PID 4820 wrote to memory of 3864 4820 rlllfxr.exe 103 PID 3864 wrote to memory of 2400 3864 bnbtnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe"C:\Users\Admin\AppData\Local\Temp\983cf326ba84c23c872714ec115dbd1f5b66681e1ba6105e2ebdcfca142433ec.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\vdjdd.exec:\vdjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\ntthhb.exec:\ntthhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\5ntnbb.exec:\5ntnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\9lffxxr.exec:\9lffxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\jjddv.exec:\jjddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\tbhbbb.exec:\tbhbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\pdvvd.exec:\pdvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\xffxxxx.exec:\xffxxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\nhnhbt.exec:\nhnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\7djdv.exec:\7djdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\xxfxlfl.exec:\xxfxlfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\rfrrlll.exec:\rfrrlll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\nhhbtt.exec:\nhhbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\1rlrlll.exec:\1rlrlll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\ppjdv.exec:\ppjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\1xxfxlf.exec:\1xxfxlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\rrrlfxx.exec:\rrrlfxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\bhtnnn.exec:\bhtnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\rlllfxr.exec:\rlllfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\bnbtnh.exec:\bnbtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\3ddpp.exec:\3ddpp.exe23⤵
- Executes dropped EXE
PID:2400 -
\??\c:\tbbbth.exec:\tbbbth.exe24⤵
- Executes dropped EXE
PID:3912 -
\??\c:\xrrffrr.exec:\xrrffrr.exe25⤵
- Executes dropped EXE
PID:4260 -
\??\c:\nbtttn.exec:\nbtttn.exe26⤵
- Executes dropped EXE
PID:3952 -
\??\c:\xfllffx.exec:\xfllffx.exe27⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vpdpv.exec:\vpdpv.exe28⤵
- Executes dropped EXE
PID:1476 -
\??\c:\btbttt.exec:\btbttt.exe29⤵
- Executes dropped EXE
PID:1404 -
\??\c:\rrflfff.exec:\rrflfff.exe30⤵
- Executes dropped EXE
PID:4880 -
\??\c:\7ththh.exec:\7ththh.exe31⤵
- Executes dropped EXE
PID:2824 -
\??\c:\frxxxxr.exec:\frxxxxr.exe32⤵
- Executes dropped EXE
PID:4900 -
\??\c:\ttbbhh.exec:\ttbbhh.exe33⤵
- Executes dropped EXE
PID:1104 -
\??\c:\htnnhn.exec:\htnnhn.exe34⤵
- Executes dropped EXE
PID:4852 -
\??\c:\bthhht.exec:\bthhht.exe35⤵
- Executes dropped EXE
PID:3700 -
\??\c:\vvddd.exec:\vvddd.exe36⤵
- Executes dropped EXE
PID:1964 -
\??\c:\xxlfrxf.exec:\xxlfrxf.exe37⤵
- Executes dropped EXE
PID:4836 -
\??\c:\lxfxxfx.exec:\lxfxxfx.exe38⤵
- Executes dropped EXE
PID:3480 -
\??\c:\jdvpv.exec:\jdvpv.exe39⤵
- Executes dropped EXE
PID:5036 -
\??\c:\xfllrrf.exec:\xfllrrf.exe40⤵
- Executes dropped EXE
PID:1536 -
\??\c:\nhhbbb.exec:\nhhbbb.exe41⤵
- Executes dropped EXE
PID:3512 -
\??\c:\dvddd.exec:\dvddd.exe42⤵
- Executes dropped EXE
PID:960 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe43⤵
- Executes dropped EXE
PID:4368 -
\??\c:\tntnhh.exec:\tntnhh.exe44⤵
- Executes dropped EXE
PID:1172 -
\??\c:\jvjjd.exec:\jvjjd.exe45⤵
- Executes dropped EXE
PID:2148 -
\??\c:\3xfxfxr.exec:\3xfxfxr.exe46⤵
- Executes dropped EXE
PID:1432 -
\??\c:\jdjvv.exec:\jdjvv.exe47⤵
- Executes dropped EXE
PID:2384 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe48⤵
- Executes dropped EXE
PID:4532 -
\??\c:\nthbhh.exec:\nthbhh.exe49⤵
- Executes dropped EXE
PID:116 -
\??\c:\9vjvj.exec:\9vjvj.exe50⤵
- Executes dropped EXE
PID:4592 -
\??\c:\xfllxxf.exec:\xfllxxf.exe51⤵
- Executes dropped EXE
PID:1296 -
\??\c:\hnbbtt.exec:\hnbbtt.exe52⤵
- Executes dropped EXE
PID:1860 -
\??\c:\7vdvp.exec:\7vdvp.exe53⤵
- Executes dropped EXE
PID:1428 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe54⤵
- Executes dropped EXE
PID:2696 -
\??\c:\bhtntt.exec:\bhtntt.exe55⤵
- Executes dropped EXE
PID:2884 -
\??\c:\vppjj.exec:\vppjj.exe56⤵
- Executes dropped EXE
PID:2032 -
\??\c:\5rfxrrl.exec:\5rfxrrl.exe57⤵
- Executes dropped EXE
PID:3676 -
\??\c:\tbttnh.exec:\tbttnh.exe58⤵
- Executes dropped EXE
PID:2648 -
\??\c:\9ntnhb.exec:\9ntnhb.exe59⤵
- Executes dropped EXE
PID:4696 -
\??\c:\3jdvp.exec:\3jdvp.exe60⤵
- Executes dropped EXE
PID:968 -
\??\c:\lffxrll.exec:\lffxrll.exe61⤵
- Executes dropped EXE
PID:3784 -
\??\c:\nnnhbt.exec:\nnnhbt.exe62⤵
- Executes dropped EXE
PID:4000 -
\??\c:\9pvpj.exec:\9pvpj.exe63⤵
- Executes dropped EXE
PID:2728 -
\??\c:\rlflflf.exec:\rlflflf.exe64⤵
- Executes dropped EXE
PID:3548 -
\??\c:\fxfxlll.exec:\fxfxlll.exe65⤵
- Executes dropped EXE
PID:2724 -
\??\c:\nbhbbb.exec:\nbhbbb.exe66⤵PID:1000
-
\??\c:\dvddv.exec:\dvddv.exe67⤵PID:1176
-
\??\c:\xxlfllr.exec:\xxlfllr.exe68⤵PID:4408
-
\??\c:\3tbbnb.exec:\3tbbnb.exe69⤵PID:4372
-
\??\c:\pvjdv.exec:\pvjdv.exe70⤵PID:3472
-
\??\c:\1pppj.exec:\1pppj.exe71⤵PID:4444
-
\??\c:\llrlffx.exec:\llrlffx.exe72⤵PID:2264
-
\??\c:\bntnnn.exec:\bntnnn.exe73⤵PID:4956
-
\??\c:\3jjjd.exec:\3jjjd.exe74⤵PID:4248
-
\??\c:\3lrlxxr.exec:\3lrlxxr.exe75⤵PID:4492
-
\??\c:\1xfxrrl.exec:\1xfxrrl.exe76⤵PID:2216
-
\??\c:\9nhhnt.exec:\9nhhnt.exe77⤵PID:4384
-
\??\c:\jpdvd.exec:\jpdvd.exe78⤵PID:3176
-
\??\c:\5xrrxxx.exec:\5xrrxxx.exe79⤵PID:2436
-
\??\c:\ntnhtt.exec:\ntnhtt.exe80⤵PID:3896
-
\??\c:\9nthbt.exec:\9nthbt.exe81⤵PID:2400
-
\??\c:\jjddv.exec:\jjddv.exe82⤵PID:3912
-
\??\c:\7ffxxxr.exec:\7ffxxxr.exe83⤵PID:1924
-
\??\c:\ttbtbt.exec:\ttbtbt.exe84⤵PID:3436
-
\??\c:\5jvpj.exec:\5jvpj.exe85⤵PID:2544
-
\??\c:\llrrlxx.exec:\llrrlxx.exe86⤵PID:1548
-
\??\c:\hbbttn.exec:\hbbttn.exe87⤵PID:5068
-
\??\c:\3vvpj.exec:\3vvpj.exe88⤵PID:2392
-
\??\c:\xlrrllx.exec:\xlrrllx.exe89⤵PID:5112
-
\??\c:\tnttnn.exec:\tnttnn.exe90⤵PID:5084
-
\??\c:\jpvpj.exec:\jpvpj.exe91⤵PID:2152
-
\??\c:\1djdd.exec:\1djdd.exe92⤵PID:1784
-
\??\c:\rffrxrl.exec:\rffrxrl.exe93⤵PID:2324
-
\??\c:\tnnttt.exec:\tnnttt.exe94⤵PID:1800
-
\??\c:\jvvpj.exec:\jvvpj.exe95⤵PID:1944
-
\??\c:\xxlfrrr.exec:\xxlfrrr.exe96⤵PID:4812
-
\??\c:\1rrxrfr.exec:\1rrxrfr.exe97⤵PID:3736
-
\??\c:\bbbtnn.exec:\bbbtnn.exe98⤵PID:4236
-
\??\c:\dpvpj.exec:\dpvpj.exe99⤵PID:5036
-
\??\c:\lffxxxr.exec:\lffxxxr.exe100⤵PID:1536
-
\??\c:\bthhnn.exec:\bthhnn.exe101⤵PID:3512
-
\??\c:\jpppj.exec:\jpppj.exe102⤵PID:960
-
\??\c:\xrrlxfx.exec:\xrrlxfx.exe103⤵PID:4368
-
\??\c:\5tbttb.exec:\5tbttb.exe104⤵PID:3032
-
\??\c:\1vdvv.exec:\1vdvv.exe105⤵PID:1756
-
\??\c:\xrxrrxr.exec:\xrxrrxr.exe106⤵PID:1136
-
\??\c:\9xffxfx.exec:\9xffxfx.exe107⤵PID:2384
-
\??\c:\thtttt.exec:\thtttt.exe108⤵PID:3420
-
\??\c:\pjppv.exec:\pjppv.exe109⤵PID:4648
-
\??\c:\7lfxrrl.exec:\7lfxrrl.exe110⤵PID:3356
-
\??\c:\bbbbtn.exec:\bbbbtn.exe111⤵PID:4928
-
\??\c:\1pvpp.exec:\1pvpp.exe112⤵PID:656
-
\??\c:\9xfxrrl.exec:\9xfxrrl.exe113⤵PID:4720
-
\??\c:\9httnt.exec:\9httnt.exe114⤵PID:1748
-
\??\c:\ppddd.exec:\ppddd.exe115⤵PID:2604
-
\??\c:\pdjjj.exec:\pdjjj.exe116⤵PID:4176
-
\??\c:\fxfllrx.exec:\fxfllrx.exe117⤵PID:2032
-
\??\c:\hhttnb.exec:\hhttnb.exe118⤵PID:696
-
\??\c:\ppddd.exec:\ppddd.exe119⤵PID:4700
-
\??\c:\3lllrxr.exec:\3lllrxr.exe120⤵PID:1444
-
\??\c:\hbbbbb.exec:\hbbbbb.exe121⤵
- System Location Discovery: System Language Discovery
PID:2920 -
\??\c:\nbnnnh.exec:\nbnnnh.exe122⤵PID:2912