Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe
-
Size
456KB
-
MD5
e91f5d4d855864c328e99d8e25a85c01
-
SHA1
f8f47a89ac1f3f845aa816e944ddb2220f59b124
-
SHA256
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1
-
SHA512
addb76e00ae6566614d920419fd703d8632508db6ec5740d3309def0a7d9ed94cdb71c8b95bed2832c74945c18aa641ddec4eb3c5380a62c45af91523ae9b550
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRo:q7Tc2NYHUrAwfMp3CDRo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3780-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1652-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4708-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-914-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-1219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4684-1540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4056 jvdvp.exe 3376 nhhbtn.exe 396 bbbbtt.exe 4668 nnthtt.exe 4000 dpvpp.exe 4208 ntnhbh.exe 3828 jdpjd.exe 2072 vvdvv.exe 2128 fffxxff.exe 4832 rlxrlfr.exe 1396 frfrrxl.exe 668 bttnbh.exe 1656 dpvvp.exe 4192 fxllrfl.exe 4748 rxfxrrr.exe 2108 htbtnn.exe 1944 rffxrlf.exe 4324 ffxxfxl.exe 4184 tntttt.exe 2324 9dvpd.exe 184 dpjvv.exe 2508 jdpjp.exe 4432 xlrllll.exe 1652 pdpjd.exe 4900 lxrrrxx.exe 3548 lflfxxx.exe 2588 hnbtnn.exe 3040 ffflfxr.exe 3532 ntnhhh.exe 4828 vjjvp.exe 960 dvpdj.exe 2512 pdjjp.exe 3160 htbbbh.exe 3292 btbbhh.exe 2716 pjdjv.exe 2360 xrllrxx.exe 2496 nbbbhh.exe 3508 ppdvv.exe 4652 ffxxlrr.exe 3588 7hnnhh.exe 1572 bbnnnh.exe 1952 dvpvv.exe 2604 nbnnhn.exe 2236 djvvv.exe 4056 lfrllrr.exe 3444 xrfffff.exe 3376 hthttt.exe 1044 3pjdj.exe 1176 5rffrxl.exe 1480 bttttt.exe 1164 bbtbbh.exe 2740 9pppp.exe 4232 rflrfll.exe 1708 hhnntt.exe 2936 3bbbtb.exe 2320 3pvvp.exe 1424 rrffflr.exe 1252 btbhhn.exe 3232 9pvvv.exe 724 lfllflf.exe 2276 bbnnnt.exe 1468 tbhhhn.exe 1288 djddp.exe 4848 1rffrrf.exe -
resource yara_rule behavioral2/memory/3780-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2512-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-408-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2716-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-914-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbtbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3780 wrote to memory of 4056 3780 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 82 PID 3780 wrote to memory of 4056 3780 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 82 PID 3780 wrote to memory of 4056 3780 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 82 PID 4056 wrote to memory of 3376 4056 jvdvp.exe 83 PID 4056 wrote to memory of 3376 4056 jvdvp.exe 83 PID 4056 wrote to memory of 3376 4056 jvdvp.exe 83 PID 3376 wrote to memory of 396 3376 nhhbtn.exe 84 PID 3376 wrote to memory of 396 3376 nhhbtn.exe 84 PID 3376 wrote to memory of 396 3376 nhhbtn.exe 84 PID 396 wrote to memory of 4668 396 bbbbtt.exe 85 PID 396 wrote to memory of 4668 396 bbbbtt.exe 85 PID 396 wrote to memory of 4668 396 bbbbtt.exe 85 PID 4668 wrote to memory of 4000 4668 nnthtt.exe 86 PID 4668 wrote to memory of 4000 4668 nnthtt.exe 86 PID 4668 wrote to memory of 4000 4668 nnthtt.exe 86 PID 4000 wrote to memory of 4208 4000 dpvpp.exe 87 PID 4000 wrote to memory of 4208 4000 dpvpp.exe 87 PID 4000 wrote to memory of 4208 4000 dpvpp.exe 87 PID 4208 wrote to memory of 3828 4208 ntnhbh.exe 88 PID 4208 wrote to memory of 3828 4208 ntnhbh.exe 88 PID 4208 wrote to memory of 3828 4208 ntnhbh.exe 88 PID 3828 wrote to memory of 2072 3828 jdpjd.exe 89 PID 3828 wrote to memory of 2072 3828 jdpjd.exe 89 PID 3828 wrote to memory of 2072 3828 jdpjd.exe 89 PID 2072 wrote to memory of 2128 2072 vvdvv.exe 90 PID 2072 wrote to memory of 2128 2072 vvdvv.exe 90 PID 2072 wrote to memory of 2128 2072 vvdvv.exe 90 PID 2128 wrote to memory of 4832 2128 fffxxff.exe 91 PID 2128 wrote to memory of 4832 2128 fffxxff.exe 91 PID 2128 wrote to memory of 4832 2128 fffxxff.exe 91 PID 4832 wrote to memory of 1396 4832 rlxrlfr.exe 92 PID 4832 wrote to memory of 1396 4832 rlxrlfr.exe 92 PID 4832 wrote to memory of 1396 4832 rlxrlfr.exe 92 PID 1396 wrote to memory of 668 1396 frfrrxl.exe 93 PID 1396 wrote to memory of 668 
1396 frfrrxl.exe 93 PID 1396 wrote to memory of 668 1396 frfrrxl.exe 93 PID 668 wrote to memory of 1656 668 bttnbh.exe 94 PID 668 wrote to memory of 1656 668 bttnbh.exe 94 PID 668 wrote to memory of 1656 668 bttnbh.exe 94 PID 1656 wrote to memory of 4192 1656 dpvvp.exe 95 PID 1656 wrote to memory of 4192 1656 dpvvp.exe 95 PID 1656 wrote to memory of 4192 1656 dpvvp.exe 95 PID 4192 wrote to memory of 4748 4192 fxllrfl.exe 96 PID 4192 wrote to memory of 4748 4192 fxllrfl.exe 96 PID 4192 wrote to memory of 4748 4192 fxllrfl.exe 96 PID 4748 wrote to memory of 2108 4748 rxfxrrr.exe 97 PID 4748 wrote to memory of 2108 4748 rxfxrrr.exe 97 PID 4748 wrote to memory of 2108 4748 rxfxrrr.exe 97 PID 2108 wrote to memory of 1944 2108 htbtnn.exe 98 PID 2108 wrote to memory of 1944 2108 htbtnn.exe 98 PID 2108 wrote to memory of 1944 2108 htbtnn.exe 98 PID 1944 wrote to memory of 4324 1944 rffxrlf.exe 99 PID 1944 wrote to memory of 4324 1944 rffxrlf.exe 99 PID 1944 wrote to memory of 4324 1944 rffxrlf.exe 99 PID 4324 wrote to memory of 4184 4324 ffxxfxl.exe 100 PID 4324 wrote to memory of 4184 4324 ffxxfxl.exe 100 PID 4324 wrote to memory of 4184 4324 ffxxfxl.exe 100 PID 4184 wrote to memory of 2324 4184 tntttt.exe 101 PID 4184 wrote to memory of 2324 4184 tntttt.exe 101 PID 4184 wrote to memory of 2324 4184 tntttt.exe 101 PID 2324 wrote to memory of 184 2324 9dvpd.exe 102 PID 2324 wrote to memory of 184 2324 9dvpd.exe 102 PID 2324 wrote to memory of 184 2324 9dvpd.exe 102 PID 184 wrote to memory of 2508 184 dpjvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe"C:\Users\Admin\AppData\Local\Temp\baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\jvdvp.exec:\jvdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\nhhbtn.exec:\nhhbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\bbbbtt.exec:\bbbbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\nnthtt.exec:\nnthtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\dpvpp.exec:\dpvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\ntnhbh.exec:\ntnhbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\jdpjd.exec:\jdpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\vvdvv.exec:\vvdvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\fffxxff.exec:\fffxxff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\rlxrlfr.exec:\rlxrlfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\frfrrxl.exec:\frfrrxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\bttnbh.exec:\bttnbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\dpvvp.exec:\dpvvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\fxllrfl.exec:\fxllrfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\htbtnn.exec:\htbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\rffxrlf.exec:\rffxrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\ffxxfxl.exec:\ffxxfxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\tntttt.exec:\tntttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\9dvpd.exec:\9dvpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\dpjvv.exec:\dpjvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\jdpjp.exec:\jdpjp.exe23⤵
- Executes dropped EXE
PID:2508 -
\??\c:\xlrllll.exec:\xlrllll.exe24⤵
- Executes dropped EXE
PID:4432 -
\??\c:\pdpjd.exec:\pdpjd.exe25⤵
- Executes dropped EXE
PID:1652 -
\??\c:\lxrrrxx.exec:\lxrrrxx.exe26⤵
- Executes dropped EXE
PID:4900 -
\??\c:\lflfxxx.exec:\lflfxxx.exe27⤵
- Executes dropped EXE
PID:3548 -
\??\c:\hnbtnn.exec:\hnbtnn.exe28⤵
- Executes dropped EXE
PID:2588 -
\??\c:\ffflfxr.exec:\ffflfxr.exe29⤵
- Executes dropped EXE
PID:3040 -
\??\c:\ntnhhh.exec:\ntnhhh.exe30⤵
- Executes dropped EXE
PID:3532 -
\??\c:\vjjvp.exec:\vjjvp.exe31⤵
- Executes dropped EXE
PID:4828 -
\??\c:\dvpdj.exec:\dvpdj.exe32⤵
- Executes dropped EXE
PID:960 -
\??\c:\pdjjp.exec:\pdjjp.exe33⤵
- Executes dropped EXE
PID:2512 -
\??\c:\htbbbh.exec:\htbbbh.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3160 -
\??\c:\btbbhh.exec:\btbbhh.exe35⤵
- Executes dropped EXE
PID:3292 -
\??\c:\pjdjv.exec:\pjdjv.exe36⤵
- Executes dropped EXE
PID:2716 -
\??\c:\xrllrxx.exec:\xrllrxx.exe37⤵
- Executes dropped EXE
PID:2360 -
\??\c:\nbbbhh.exec:\nbbbhh.exe38⤵
- Executes dropped EXE
PID:2496 -
\??\c:\ppdvv.exec:\ppdvv.exe39⤵
- Executes dropped EXE
PID:3508 -
\??\c:\ffxxlrr.exec:\ffxxlrr.exe40⤵
- Executes dropped EXE
PID:4652 -
\??\c:\7hnnhh.exec:\7hnnhh.exe41⤵
- Executes dropped EXE
PID:3588 -
\??\c:\bbnnnh.exec:\bbnnnh.exe42⤵
- Executes dropped EXE
PID:1572 -
\??\c:\dvpvv.exec:\dvpvv.exe43⤵
- Executes dropped EXE
PID:1952 -
\??\c:\lrffrxr.exec:\lrffrxr.exe44⤵PID:2500
-
\??\c:\nbnnhn.exec:\nbnnhn.exe45⤵
- Executes dropped EXE
PID:2604 -
\??\c:\djvvv.exec:\djvvv.exe46⤵
- Executes dropped EXE
PID:2236 -
\??\c:\lfrllrr.exec:\lfrllrr.exe47⤵
- Executes dropped EXE
PID:4056 -
\??\c:\xrfffff.exec:\xrfffff.exe48⤵
- Executes dropped EXE
PID:3444 -
\??\c:\hthttt.exec:\hthttt.exe49⤵
- Executes dropped EXE
PID:3376 -
\??\c:\3pjdj.exec:\3pjdj.exe50⤵
- Executes dropped EXE
PID:1044 -
\??\c:\5rffrxl.exec:\5rffrxl.exe51⤵
- Executes dropped EXE
PID:1176 -
\??\c:\bttttt.exec:\bttttt.exe52⤵
- Executes dropped EXE
PID:1480 -
\??\c:\bbtbbh.exec:\bbtbbh.exe53⤵
- Executes dropped EXE
PID:1164 -
\??\c:\9pppp.exec:\9pppp.exe54⤵
- Executes dropped EXE
PID:2740 -
\??\c:\rflrfll.exec:\rflrfll.exe55⤵
- Executes dropped EXE
PID:4232 -
\??\c:\hhnntt.exec:\hhnntt.exe56⤵
- Executes dropped EXE
PID:1708 -
\??\c:\3bbbtb.exec:\3bbbtb.exe57⤵
- Executes dropped EXE
PID:2936 -
\??\c:\3pvvp.exec:\3pvvp.exe58⤵
- Executes dropped EXE
PID:2320 -
\??\c:\rrffflr.exec:\rrffflr.exe59⤵
- Executes dropped EXE
PID:1424 -
\??\c:\btbhhn.exec:\btbhhn.exe60⤵
- Executes dropped EXE
PID:1252 -
\??\c:\9pvvv.exec:\9pvvv.exe61⤵
- Executes dropped EXE
PID:3232 -
\??\c:\lfllflf.exec:\lfllflf.exe62⤵
- Executes dropped EXE
PID:724 -
\??\c:\bbnnnt.exec:\bbnnnt.exe63⤵
- Executes dropped EXE
PID:2276 -
\??\c:\tbhhhn.exec:\tbhhhn.exe64⤵
- Executes dropped EXE
PID:1468 -
\??\c:\djddp.exec:\djddp.exe65⤵
- Executes dropped EXE
PID:1288 -
\??\c:\1rffrrf.exec:\1rffrrf.exe66⤵
- Executes dropped EXE
PID:4848 -
\??\c:\nnbbbh.exec:\nnbbbh.exe67⤵PID:4300
-
\??\c:\hbnnnn.exec:\hbnnnn.exe68⤵PID:1396
-
\??\c:\djpjj.exec:\djpjj.exe69⤵PID:212
-
\??\c:\lxllfff.exec:\lxllfff.exe70⤵PID:3852
-
\??\c:\7thbbb.exec:\7thbbb.exe71⤵PID:4244
-
\??\c:\djddd.exec:\djddd.exe72⤵PID:1676
-
\??\c:\vvddv.exec:\vvddv.exe73⤵PID:4628
-
\??\c:\xxllffr.exec:\xxllffr.exe74⤵PID:1432
-
\??\c:\hbnnnn.exec:\hbnnnn.exe75⤵PID:3256
-
\??\c:\ppddj.exec:\ppddj.exe76⤵PID:768
-
\??\c:\jjddj.exec:\jjddj.exe77⤵PID:2132
-
\??\c:\lrrrrxf.exec:\lrrrrxf.exe78⤵PID:1896
-
\??\c:\thbnnn.exec:\thbnnn.exe79⤵PID:3712
-
\??\c:\jvjdd.exec:\jvjdd.exe80⤵PID:1540
-
\??\c:\7lrrrff.exec:\7lrrrff.exe81⤵PID:976
-
\??\c:\hnbhnn.exec:\hnbhnn.exe82⤵PID:1916
-
\??\c:\bbhhbh.exec:\bbhhbh.exe83⤵PID:2012
-
\??\c:\jdppj.exec:\jdppj.exe84⤵PID:4704
-
\??\c:\rxfffll.exec:\rxfffll.exe85⤵PID:2280
-
\??\c:\hhbbtt.exec:\hhbbtt.exe86⤵PID:4988
-
\??\c:\bnhbbb.exec:\bnhbbb.exe87⤵PID:4912
-
\??\c:\pdvpp.exec:\pdvpp.exe88⤵PID:3416
-
\??\c:\lxxxxxr.exec:\lxxxxxr.exe89⤵PID:4340
-
\??\c:\hhnnnn.exec:\hhnnnn.exe90⤵PID:4708
-
\??\c:\pdppj.exec:\pdppj.exe91⤵PID:860
-
\??\c:\llfflll.exec:\llfflll.exe92⤵PID:3784
-
\??\c:\tbnnbb.exec:\tbnnbb.exe93⤵PID:4504
-
\??\c:\pdvpp.exec:\pdvpp.exe94⤵PID:3532
-
\??\c:\fllrrxf.exec:\fllrrxf.exe95⤵PID:4828
-
\??\c:\9ntnnn.exec:\9ntnnn.exe96⤵PID:2544
-
\??\c:\ddvpd.exec:\ddvpd.exe97⤵PID:2296
-
\??\c:\jppdd.exec:\jppdd.exe98⤵PID:4180
-
\??\c:\lfrllrr.exec:\lfrllrr.exe99⤵PID:876
-
\??\c:\nthhhn.exec:\nthhhn.exe100⤵PID:3224
-
\??\c:\1bbhhn.exec:\1bbhhn.exe101⤵PID:1736
-
\??\c:\rllxxxx.exec:\rllxxxx.exe102⤵PID:4548
-
\??\c:\hbbbbb.exec:\hbbbbb.exe103⤵PID:2716
-
\??\c:\hbnnnn.exec:\hbnnnn.exe104⤵PID:2224
-
\??\c:\3vvvp.exec:\3vvvp.exe105⤵PID:2496
-
\??\c:\llfxrrl.exec:\llfxrrl.exe106⤵PID:4700
-
\??\c:\rllllxx.exec:\rllllxx.exe107⤵PID:2524
-
\??\c:\5ttnnn.exec:\5ttnnn.exe108⤵PID:3848
-
\??\c:\jdvvv.exec:\jdvvv.exe109⤵PID:1572
-
\??\c:\lxllfff.exec:\lxllfff.exe110⤵PID:4608
-
\??\c:\flxxxff.exec:\flxxxff.exe111⤵PID:4656
-
\??\c:\nbnhhh.exec:\nbnhhh.exe112⤵PID:2652
-
\??\c:\vvvvj.exec:\vvvvj.exe113⤵PID:4116
-
\??\c:\ffrrrrr.exec:\ffrrrrr.exe114⤵PID:3904
-
\??\c:\xxxlffl.exec:\xxxlffl.exe115⤵PID:1200
-
\??\c:\thtnnn.exec:\thtnnn.exe116⤵PID:1864
-
\??\c:\vvdpp.exec:\vvdpp.exe117⤵PID:4256
-
\??\c:\vvpjv.exec:\vvpjv.exe118⤵PID:1596
-
\??\c:\1xxllrr.exec:\1xxllrr.exe119⤵PID:5000
-
\??\c:\5nnnnn.exec:\5nnnnn.exe120⤵PID:4692
-
\??\c:\dvdvp.exec:\dvdvp.exe121⤵PID:2740
-
\??\c:\xlxrlfr.exec:\xlxrlfr.exe122⤵PID:3348