Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08/01/2025, 05:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe
Resource
win7-20240903-en (note: this task entry names a Windows 7 image, but the analysis header above and every IoC below are labelled win10v2004-20241007-en / behavioral2 — treat this line as a separate run and do not attribute the evidence on this page to it)
7 signatures
150 seconds
General
-
Target
9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe
-
Size
454KB
-
MD5
0d9208739f24bbddee36bedc4e9dca9c
-
SHA1
7cd4f54060fbca47a9494d8ae5ce1a6767877f23
-
SHA256
9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85
-
SHA512
4c1d30dfa91456b85087c4e64b6a9dabcd1a1b7a15553dec5337594b1f4cf97fd36a5b6d69063a3ea450b2035497a4c755d89fe8966b2205eae581c2e3510ca1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every match is the same 0x0000000000400000-0x000000000042A000 image range of a different dropped process, and the same regions also match the `upx` yara rule further down — so this is a memory-dump match on UPX-packed images, not a static detection on the file; confirm by dumping one region and unpacking it before relying on the family label)
resource yara_rule behavioral2/memory/1236-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2056-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4884-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-937-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-1100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-1210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4884-1341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (capped at 64 entries — the process tree below shows the chain continuing to at least depth 122, and PIDs such as 408, 4956 and 1488 recur with different image names, which means earlier links had already exited and their PIDs were reused; do not treat this list as the complete set of dropped binaries)
pid Process 3696 5pjjd.exe 1664 7hhbbb.exe 3412 vvjjd.exe 4092 ntbbbn.exe 1204 ppjdd.exe 3956 bbhbtt.exe 408 vdjjp.exe 4956 7pppj.exe 2200 ffxrrrr.exe 4980 5pdvd.exe 452 5dvpj.exe 1488 lrfxxxx.exe 1320 jjddp.exe 2912 ffxrxrl.exe 4040 tbbbbt.exe 4772 7jjdp.exe 812 frrlllf.exe 5104 7llfffx.exe 2436 tttntn.exe 1960 djdvp.exe 1004 flfxxrl.exe 3620 hnhbtn.exe 2988 nhbbbn.exe 3640 1llrxxl.exe 548 pjjpj.exe 1632 9tthtt.exe 1144 dpjjd.exe 2796 fllflll.exe 2056 7dddd.exe 4072 lffllll.exe 60 5rfxlll.exe 816 tttnnn.exe 2676 vvppj.exe 4872 nnbbtb.exe 3596 9dpvp.exe 3976 rrffxxr.exe 2448 3ntbtn.exe 3712 7vdvd.exe 4340 lrlllll.exe 1584 hhthtn.exe 2300 jdjjj.exe 760 dpvvd.exe 2548 7llfffx.exe 2556 5bnhhb.exe 4508 pvjjj.exe 4808 dpppp.exe 3684 xlfrlll.exe 4952 bbnhtt.exe 1216 ddjjd.exe 4212 lrfxflr.exe 2104 3tnbth.exe 748 dvppj.exe 3284 lfxrxrx.exe 408 rrrrrrl.exe 4956 tttttt.exe 2356 djjdv.exe 1360 jpddd.exe 4800 lfffflf.exe 4756 3thhtb.exe 1488 btnhhh.exe 368 vpppp.exe 4948 lrxxllx.exe 384 9btnhb.exe 3028 jdjjd.exe -
resource yara_rule behavioral2/memory/1236-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-191-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3596-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-384-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1196-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-933-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-1100-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Here it manifests as the dropped executables reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language; the many "Process not Found" entries are presumably matches whose process had exited before the sandbox resolved its name, so per-process attribution for those rows is lost.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each parent is logged three times writing into the child it has just spawned, and the target is always the next link of the drop chain — consistent with the parent patching or injecting into its freshly created child rather than plain process creation; confirm against the raw API log before treating it as injection)
description pid Process procid_target PID 1236 wrote to memory of 3696 1236 9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe 83 PID 1236 wrote to memory of 3696 1236 9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe 83 PID 1236 wrote to memory of 3696 1236 9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe 83 PID 3696 wrote to memory of 1664 3696 5pjjd.exe 84 PID 3696 wrote to memory of 1664 3696 5pjjd.exe 84 PID 3696 wrote to memory of 1664 3696 5pjjd.exe 84 PID 1664 wrote to memory of 3412 1664 7hhbbb.exe 85 PID 1664 wrote to memory of 3412 1664 7hhbbb.exe 85 PID 1664 wrote to memory of 3412 1664 7hhbbb.exe 85 PID 3412 wrote to memory of 4092 3412 vvjjd.exe 86 PID 3412 wrote to memory of 4092 3412 vvjjd.exe 86 PID 3412 wrote to memory of 4092 3412 vvjjd.exe 86 PID 4092 wrote to memory of 1204 4092 ntbbbn.exe 87 PID 4092 wrote to memory of 1204 4092 ntbbbn.exe 87 PID 4092 wrote to memory of 1204 4092 ntbbbn.exe 87 PID 1204 wrote to memory of 3956 1204 ppjdd.exe 88 PID 1204 wrote to memory of 3956 1204 ppjdd.exe 88 PID 1204 wrote to memory of 3956 1204 ppjdd.exe 88 PID 3956 wrote to memory of 408 3956 bbhbtt.exe 89 PID 3956 wrote to memory of 408 3956 bbhbtt.exe 89 PID 3956 wrote to memory of 408 3956 bbhbtt.exe 89 PID 408 wrote to memory of 4956 408 vdjjp.exe 90 PID 408 wrote to memory of 4956 408 vdjjp.exe 90 PID 408 wrote to memory of 4956 408 vdjjp.exe 90 PID 4956 wrote to memory of 2200 4956 7pppj.exe 91 PID 4956 wrote to memory of 2200 4956 7pppj.exe 91 PID 4956 wrote to memory of 2200 4956 7pppj.exe 91 PID 2200 wrote to memory of 4980 2200 ffxrrrr.exe 92 PID 2200 wrote to memory of 4980 2200 ffxrrrr.exe 92 PID 2200 wrote to memory of 4980 2200 ffxrrrr.exe 92 PID 4980 wrote to memory of 452 4980 5pdvd.exe 93 PID 4980 wrote to memory of 452 4980 5pdvd.exe 93 PID 4980 wrote to memory of 452 4980 5pdvd.exe 93 PID 452 wrote to memory of 1488 452 5dvpj.exe 94 PID 452 wrote to memory of 1488 452 5dvpj.exe 94 
PID 452 wrote to memory of 1488 452 5dvpj.exe 94 PID 1488 wrote to memory of 1320 1488 lrfxxxx.exe 95 PID 1488 wrote to memory of 1320 1488 lrfxxxx.exe 95 PID 1488 wrote to memory of 1320 1488 lrfxxxx.exe 95 PID 1320 wrote to memory of 2912 1320 jjddp.exe 96 PID 1320 wrote to memory of 2912 1320 jjddp.exe 96 PID 1320 wrote to memory of 2912 1320 jjddp.exe 96 PID 2912 wrote to memory of 4040 2912 ffxrxrl.exe 97 PID 2912 wrote to memory of 4040 2912 ffxrxrl.exe 97 PID 2912 wrote to memory of 4040 2912 ffxrxrl.exe 97 PID 4040 wrote to memory of 4772 4040 tbbbbt.exe 98 PID 4040 wrote to memory of 4772 4040 tbbbbt.exe 98 PID 4040 wrote to memory of 4772 4040 tbbbbt.exe 98 PID 4772 wrote to memory of 812 4772 7jjdp.exe 99 PID 4772 wrote to memory of 812 4772 7jjdp.exe 99 PID 4772 wrote to memory of 812 4772 7jjdp.exe 99 PID 812 wrote to memory of 5104 812 frrlllf.exe 100 PID 812 wrote to memory of 5104 812 frrlllf.exe 100 PID 812 wrote to memory of 5104 812 frrlllf.exe 100 PID 5104 wrote to memory of 2436 5104 7llfffx.exe 101 PID 5104 wrote to memory of 2436 5104 7llfffx.exe 101 PID 5104 wrote to memory of 2436 5104 7llfffx.exe 101 PID 2436 wrote to memory of 1960 2436 tttntn.exe 102 PID 2436 wrote to memory of 1960 2436 tttntn.exe 102 PID 2436 wrote to memory of 1960 2436 tttntn.exe 102 PID 1960 wrote to memory of 1004 1960 djdvp.exe 103 PID 1960 wrote to memory of 1004 1960 djdvp.exe 103 PID 1960 wrote to memory of 1004 1960 djdvp.exe 103 PID 1004 wrote to memory of 3620 1004 flfxxrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe"C:\Users\Admin\AppData\Local\Temp\9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\5pjjd.exec:\5pjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\7hhbbb.exec:\7hhbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\vvjjd.exec:\vvjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\ntbbbn.exec:\ntbbbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\ppjdd.exec:\ppjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\bbhbtt.exec:\bbhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\vdjjp.exec:\vdjjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\7pppj.exec:\7pppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\ffxrrrr.exec:\ffxrrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\5pdvd.exec:\5pdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\5dvpj.exec:\5dvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\lrfxxxx.exec:\lrfxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\jjddp.exec:\jjddp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\ffxrxrl.exec:\ffxrxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\tbbbbt.exec:\tbbbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\7jjdp.exec:\7jjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\frrlllf.exec:\frrlllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\7llfffx.exec:\7llfffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\tttntn.exec:\tttntn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\djdvp.exec:\djdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\flfxxrl.exec:\flfxxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\hnhbtn.exec:\hnhbtn.exe23⤵
- Executes dropped EXE
PID:3620 -
\??\c:\nhbbbn.exec:\nhbbbn.exe24⤵
- Executes dropped EXE
PID:2988 -
\??\c:\1llrxxl.exec:\1llrxxl.exe25⤵
- Executes dropped EXE
PID:3640 -
\??\c:\pjjpj.exec:\pjjpj.exe26⤵
- Executes dropped EXE
PID:548 -
\??\c:\9tthtt.exec:\9tthtt.exe27⤵
- Executes dropped EXE
PID:1632 -
\??\c:\dpjjd.exec:\dpjjd.exe28⤵
- Executes dropped EXE
PID:1144 -
\??\c:\fllflll.exec:\fllflll.exe29⤵
- Executes dropped EXE
PID:2796 -
\??\c:\7dddd.exec:\7dddd.exe30⤵
- Executes dropped EXE
PID:2056 -
\??\c:\lffllll.exec:\lffllll.exe31⤵
- Executes dropped EXE
PID:4072 -
\??\c:\5rfxlll.exec:\5rfxlll.exe32⤵
- Executes dropped EXE
PID:60 -
\??\c:\tttnnn.exec:\tttnnn.exe33⤵
- Executes dropped EXE
PID:816 -
\??\c:\vvppj.exec:\vvppj.exe34⤵
- Executes dropped EXE
PID:2676 -
\??\c:\nnbbtb.exec:\nnbbtb.exe35⤵
- Executes dropped EXE
PID:4872 -
\??\c:\9dpvp.exec:\9dpvp.exe36⤵
- Executes dropped EXE
PID:3596 -
\??\c:\rrffxxr.exec:\rrffxxr.exe37⤵
- Executes dropped EXE
PID:3976 -
\??\c:\3ntbtn.exec:\3ntbtn.exe38⤵
- Executes dropped EXE
PID:2448 -
\??\c:\7vdvd.exec:\7vdvd.exe39⤵
- Executes dropped EXE
PID:3712 -
\??\c:\lrlllll.exec:\lrlllll.exe40⤵
- Executes dropped EXE
PID:4340 -
\??\c:\hhthtn.exec:\hhthtn.exe41⤵
- Executes dropped EXE
PID:1584 -
\??\c:\jdjjj.exec:\jdjjj.exe42⤵
- Executes dropped EXE
PID:2300 -
\??\c:\dpvvd.exec:\dpvvd.exe43⤵
- Executes dropped EXE
PID:760 -
\??\c:\7llfffx.exec:\7llfffx.exe44⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5bnhhb.exec:\5bnhhb.exe45⤵
- Executes dropped EXE
PID:2556 -
\??\c:\pvjjj.exec:\pvjjj.exe46⤵
- Executes dropped EXE
PID:4508 -
\??\c:\dpppp.exec:\dpppp.exe47⤵
- Executes dropped EXE
PID:4808 -
\??\c:\xlfrlll.exec:\xlfrlll.exe48⤵
- Executes dropped EXE
PID:3684 -
\??\c:\bbnhtt.exec:\bbnhtt.exe49⤵
- Executes dropped EXE
PID:4952 -
\??\c:\ddjjd.exec:\ddjjd.exe50⤵
- Executes dropped EXE
PID:1216 -
\??\c:\lrfxflr.exec:\lrfxflr.exe51⤵
- Executes dropped EXE
PID:4212 -
\??\c:\3tnbth.exec:\3tnbth.exe52⤵
- Executes dropped EXE
PID:2104 -
\??\c:\dvppj.exec:\dvppj.exe53⤵
- Executes dropped EXE
PID:748 -
\??\c:\lfxrxrx.exec:\lfxrxrx.exe54⤵
- Executes dropped EXE
PID:3284 -
\??\c:\rrrrrrl.exec:\rrrrrrl.exe55⤵
- Executes dropped EXE
PID:408 -
\??\c:\tttttt.exec:\tttttt.exe56⤵
- Executes dropped EXE
PID:4956 -
\??\c:\djjdv.exec:\djjdv.exe57⤵
- Executes dropped EXE
PID:2356 -
\??\c:\jpddd.exec:\jpddd.exe58⤵
- Executes dropped EXE
PID:1360 -
\??\c:\lfffflf.exec:\lfffflf.exe59⤵
- Executes dropped EXE
PID:4800 -
\??\c:\3thhtb.exec:\3thhtb.exe60⤵
- Executes dropped EXE
PID:4756 -
\??\c:\btnhhh.exec:\btnhhh.exe61⤵
- Executes dropped EXE
PID:1488 -
\??\c:\vpppp.exec:\vpppp.exe62⤵
- Executes dropped EXE
PID:368 -
\??\c:\lrxxllx.exec:\lrxxllx.exe63⤵
- Executes dropped EXE
PID:4948 -
\??\c:\9btnhb.exec:\9btnhb.exe64⤵
- Executes dropped EXE
PID:384 -
\??\c:\jdjjd.exec:\jdjjd.exe65⤵
- Executes dropped EXE
PID:3028 -
\??\c:\5lllfll.exec:\5lllfll.exe66⤵PID:2384
-
\??\c:\bhbbnb.exec:\bhbbnb.exe67⤵PID:4496
-
\??\c:\vjdvd.exec:\vjdvd.exe68⤵PID:1068
-
\??\c:\xxffxfx.exec:\xxffxfx.exe69⤵PID:4696
-
\??\c:\tbhbtt.exec:\tbhbtt.exe70⤵PID:2900
-
\??\c:\ddjdd.exec:\ddjdd.exe71⤵PID:3576
-
\??\c:\jpppj.exec:\jpppj.exe72⤵PID:2456
-
\??\c:\frxxlll.exec:\frxxlll.exe73⤵PID:3476
-
\??\c:\bhnnnt.exec:\bhnnnt.exe74⤵PID:3620
-
\??\c:\dvvvv.exec:\dvvvv.exe75⤵PID:4960
-
\??\c:\5pvvv.exec:\5pvvv.exe76⤵PID:4576
-
\??\c:\9flflrf.exec:\9flflrf.exe77⤵PID:1896
-
\??\c:\5hnnhh.exec:\5hnnhh.exe78⤵PID:624
-
\??\c:\frlfxxx.exec:\frlfxxx.exe79⤵PID:1256
-
\??\c:\fxllrlr.exec:\fxllrlr.exe80⤵PID:2228
-
\??\c:\1nhhhn.exec:\1nhhhn.exe81⤵PID:3588
-
\??\c:\vvvdv.exec:\vvvdv.exe82⤵PID:4344
-
\??\c:\rxxrrff.exec:\rxxrrff.exe83⤵PID:4364
-
\??\c:\ttbbbb.exec:\ttbbbb.exe84⤵PID:4884
-
\??\c:\1jvpj.exec:\1jvpj.exe85⤵PID:1892
-
\??\c:\dvdvv.exec:\dvdvv.exe86⤵PID:1040
-
\??\c:\xrfxflr.exec:\xrfxflr.exe87⤵PID:4024
-
\??\c:\nnttnn.exec:\nnttnn.exe88⤵PID:664
-
\??\c:\vdvvp.exec:\vdvvp.exe89⤵PID:4872
-
\??\c:\lllffff.exec:\lllffff.exe90⤵PID:2592
-
\??\c:\ntnnhn.exec:\ntnnhn.exe91⤵PID:3976
-
\??\c:\ppddd.exec:\ppddd.exe92⤵PID:2312
-
\??\c:\djdvj.exec:\djdvj.exe93⤵PID:1836
-
\??\c:\9lxxffx.exec:\9lxxffx.exe94⤵PID:4340
-
\??\c:\bthhhh.exec:\bthhhh.exe95⤵PID:1584
-
\??\c:\7vppj.exec:\7vppj.exe96⤵PID:1236
-
\??\c:\ppjvp.exec:\ppjvp.exe97⤵PID:3292
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe98⤵PID:1856
-
\??\c:\ntbbhh.exec:\ntbbhh.exe99⤵PID:2572
-
\??\c:\jdppj.exec:\jdppj.exe100⤵PID:1196
-
\??\c:\1rxxffl.exec:\1rxxffl.exe101⤵PID:3060
-
\??\c:\lrllflr.exec:\lrllflr.exe102⤵PID:4280
-
\??\c:\nhnnhh.exec:\nhnnhh.exe103⤵PID:1768
-
\??\c:\7pvpv.exec:\7pvpv.exe104⤵PID:1288
-
\??\c:\1rfxrlf.exec:\1rfxrlf.exe105⤵PID:2724
-
\??\c:\lfrrffx.exec:\lfrrffx.exe106⤵PID:4736
-
\??\c:\thhbnn.exec:\thhbnn.exe107⤵PID:5112
-
\??\c:\vdppj.exec:\vdppj.exe108⤵PID:4028
-
\??\c:\lxrfxxl.exec:\lxrfxxl.exe109⤵PID:4716
-
\??\c:\llfxrlf.exec:\llfxrlf.exe110⤵PID:4700
-
\??\c:\bttnhb.exec:\bttnhb.exe111⤵PID:3920
-
\??\c:\vdddv.exec:\vdddv.exe112⤵PID:4956
-
\??\c:\llffrrl.exec:\llffrrl.exe113⤵PID:1392
-
\??\c:\llfxrrl.exec:\llfxrrl.exe114⤵PID:4480
-
\??\c:\bbbbhh.exec:\bbbbhh.exe115⤵PID:3952
-
\??\c:\3vvvv.exec:\3vvvv.exe116⤵PID:4444
-
\??\c:\xxrffrr.exec:\xxrffrr.exe117⤵PID:4732
-
\??\c:\nbhbbb.exec:\nbhbbb.exe118⤵PID:3408
-
\??\c:\3ttnhb.exec:\3ttnhb.exe119⤵PID:4188
-
\??\c:\dppjd.exec:\dppjd.exe120⤵PID:368
-
\??\c:\lllllff.exec:\lllllff.exe121⤵PID:4040
-
\??\c:\bnnhtt.exec:\bnnhtt.exe122⤵PID:4768