Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe
-
Size
456KB
-
MD5
82a4e924db671a043ffd2c247cc2d2c2
-
SHA1
1f064ee11cd0adb3ade13a31a0c0233255c7c61c
-
SHA256
af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be
-
SHA512
d892e20088a46debb3e532b9b5337eb6dcc1dace7986ba8dfb47fd39400d522b2917e0ee27c87cf797213ec14dd6145ba403d7f320c5bbe1bae1e114a82fda03
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/244-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/340-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3040-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2456-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-1287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-1513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-1717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4556 jvvpp.exe 3428 bnhthh.exe 812 jdvvp.exe 920 1bhbhh.exe 4308 fllrlff.exe 3904 bbhbht.exe 3684 rlfrffr.exe 3480 9bbtnn.exe 952 vdvpd.exe 428 7vdpd.exe 2944 nhnhbb.exe 2628 3pvpj.exe 1404 1lrrlfl.exe 3416 hhbnbb.exe 340 7vpjd.exe 4328 1lrllll.exe 5108 vppjj.exe 968 xrxxxxx.exe 860 btnntt.exe 3040 rlrrrll.exe 3064 ffxxrrl.exe 3296 3hnnhn.exe 2472 vddvv.exe 3044 rfrrlfx.exe 2552 bbbbbb.exe 1260 ppvpj.exe 1832 ntnhhh.exe 3060 btnnnn.exe 3908 vjvpv.exe 4436 llrlrll.exe 3364 nnbbtt.exe 3028 pjpjp.exe 2884 1rllfff.exe 2232 bnttth.exe 1656 xlfrfrr.exe 1612 btnhtb.exe 2984 vjvpj.exe 2524 jvdvp.exe 3488 rxrflll.exe 3764 tntttn.exe 3616 pddvp.exe 748 xrxxrrl.exe 4116 fxxxxff.exe 2076 tttnhh.exe 1200 jvjdp.exe 4804 fxflflr.exe 884 tttttt.exe 4840 3djdd.exe 1804 xxxrlll.exe 3608 9bbhhh.exe 4888 5dvpj.exe 4556 rlfxrlf.exe 3428 llxfxxr.exe 2504 3bhbhh.exe 812 pvvpp.exe 2908 xflfxrl.exe 4680 llrrrrx.exe 4292 nnnbtn.exe 652 vvvpp.exe 3264 vddjj.exe 4604 fxlrlrf.exe 3480 nnttnn.exe 2316 dvdjj.exe 2256 lxrlffx.exe -
UPX packed file 64 IoCs
resource yara_rule behavioral2/memory/244-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/340-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-124-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3064-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4244-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-659-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 244 wrote to memory of 4556 244 af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe 82 PID 244 wrote to memory of 4556 244 af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe 82 PID 244 wrote to memory of 4556 244 af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe 82 PID 4556 wrote to memory of 3428 4556 jvvpp.exe 83 PID 4556 wrote to memory of 3428 4556 jvvpp.exe 83 PID 4556 wrote to memory of 3428 4556 jvvpp.exe 83 PID 3428 wrote to memory of 812 3428 bnhthh.exe 84 PID 3428 wrote to memory of 812 3428 bnhthh.exe 84 PID 3428 wrote to memory of 812 3428 bnhthh.exe 84 PID 812 wrote to memory of 920 812 jdvvp.exe 85 PID 812 wrote to memory of 920 812 jdvvp.exe 85 PID 812 wrote to memory of 920 812 jdvvp.exe 85 PID 920 wrote to memory of 4308 920 1bhbhh.exe 86 PID 920 wrote to memory of 4308 920 1bhbhh.exe 86 PID 920 wrote to memory of 4308 920 1bhbhh.exe 86 PID 4308 wrote to memory of 3904 4308 fllrlff.exe 87 PID 4308 wrote to memory of 3904 4308 fllrlff.exe 87 PID 4308 wrote to memory of 3904 4308 fllrlff.exe 87 PID 3904 wrote to memory of 3684 3904 bbhbht.exe 88 PID 3904 wrote to memory of 3684 3904 bbhbht.exe 88 PID 3904 wrote to memory of 3684 3904 bbhbht.exe 88 PID 3684 wrote to memory of 3480 3684 rlfrffr.exe 89 PID 3684 wrote to memory of 3480 3684 rlfrffr.exe 89 PID 3684 wrote to memory of 3480 3684 rlfrffr.exe 89 PID 3480 wrote to memory of 952 3480 9bbtnn.exe 90 PID 3480 wrote to memory of 952 3480 9bbtnn.exe 90 PID 3480 wrote to memory of 952 3480 9bbtnn.exe 90 PID 952 wrote to memory of 428 952 vdvpd.exe 91 PID 952 wrote to memory of 428 952 vdvpd.exe 91 PID 952 wrote to memory of 428 952 vdvpd.exe 91 PID 428 wrote to memory of 2944 428 7vdpd.exe 92 PID 428 wrote to memory of 2944 428 7vdpd.exe 92 PID 428 wrote to memory of 2944 428 7vdpd.exe 92 PID 2944 wrote to memory of 2628 2944 nhnhbb.exe 93 PID 2944 wrote to memory of 2628 2944 nhnhbb.exe 93 PID 2944 wrote 
to memory of 2628 2944 nhnhbb.exe 93 PID 2628 wrote to memory of 1404 2628 3pvpj.exe 94 PID 2628 wrote to memory of 1404 2628 3pvpj.exe 94 PID 2628 wrote to memory of 1404 2628 3pvpj.exe 94 PID 1404 wrote to memory of 3416 1404 1lrrlfl.exe 95 PID 1404 wrote to memory of 3416 1404 1lrrlfl.exe 95 PID 1404 wrote to memory of 3416 1404 1lrrlfl.exe 95 PID 3416 wrote to memory of 340 3416 hhbnbb.exe 96 PID 3416 wrote to memory of 340 3416 hhbnbb.exe 96 PID 3416 wrote to memory of 340 3416 hhbnbb.exe 96 PID 340 wrote to memory of 4328 340 7vpjd.exe 97 PID 340 wrote to memory of 4328 340 7vpjd.exe 97 PID 340 wrote to memory of 4328 340 7vpjd.exe 97 PID 4328 wrote to memory of 5108 4328 1lrllll.exe 98 PID 4328 wrote to memory of 5108 4328 1lrllll.exe 98 PID 4328 wrote to memory of 5108 4328 1lrllll.exe 98 PID 5108 wrote to memory of 968 5108 vppjj.exe 99 PID 5108 wrote to memory of 968 5108 vppjj.exe 99 PID 5108 wrote to memory of 968 5108 vppjj.exe 99 PID 968 wrote to memory of 860 968 xrxxxxx.exe 100 PID 968 wrote to memory of 860 968 xrxxxxx.exe 100 PID 968 wrote to memory of 860 968 xrxxxxx.exe 100 PID 860 wrote to memory of 3040 860 btnntt.exe 101 PID 860 wrote to memory of 3040 860 btnntt.exe 101 PID 860 wrote to memory of 3040 860 btnntt.exe 101 PID 3040 wrote to memory of 3064 3040 rlrrrll.exe 102 PID 3040 wrote to memory of 3064 3040 rlrrrll.exe 102 PID 3040 wrote to memory of 3064 3040 rlrrrll.exe 102 PID 3064 wrote to memory of 3296 3064 ffxxrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe"C:\Users\Admin\AppData\Local\Temp\af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\jvvpp.exec:\jvvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\bnhthh.exec:\bnhthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\jdvvp.exec:\jdvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\1bhbhh.exec:\1bhbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\fllrlff.exec:\fllrlff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\bbhbht.exec:\bbhbht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\rlfrffr.exec:\rlfrffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\9bbtnn.exec:\9bbtnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\vdvpd.exec:\vdvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\7vdpd.exec:\7vdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\nhnhbb.exec:\nhnhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\3pvpj.exec:\3pvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\1lrrlfl.exec:\1lrrlfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\hhbnbb.exec:\hhbnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\7vpjd.exec:\7vpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:340 -
\??\c:\1lrllll.exec:\1lrllll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\vppjj.exec:\vppjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\xrxxxxx.exec:\xrxxxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\btnntt.exec:\btnntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\rlrrrll.exec:\rlrrrll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\ffxxrrl.exec:\ffxxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\3hnnhn.exec:\3hnnhn.exe23⤵
- Executes dropped EXE
PID:3296 -
\??\c:\vddvv.exec:\vddvv.exe24⤵
- Executes dropped EXE
PID:2472 -
\??\c:\rfrrlfx.exec:\rfrrlfx.exe25⤵
- Executes dropped EXE
PID:3044 -
\??\c:\bbbbbb.exec:\bbbbbb.exe26⤵
- Executes dropped EXE
PID:2552 -
\??\c:\ppvpj.exec:\ppvpj.exe27⤵
- Executes dropped EXE
PID:1260 -
\??\c:\ntnhhh.exec:\ntnhhh.exe28⤵
- Executes dropped EXE
PID:1832 -
\??\c:\btnnnn.exec:\btnnnn.exe29⤵
- Executes dropped EXE
PID:3060 -
\??\c:\vjvpv.exec:\vjvpv.exe30⤵
- Executes dropped EXE
PID:3908 -
\??\c:\llrlrll.exec:\llrlrll.exe31⤵
- Executes dropped EXE
PID:4436 -
\??\c:\nnbbtt.exec:\nnbbtt.exe32⤵
- Executes dropped EXE
PID:3364 -
\??\c:\pjpjp.exec:\pjpjp.exe33⤵
- Executes dropped EXE
PID:3028 -
\??\c:\1rllfff.exec:\1rllfff.exe34⤵
- Executes dropped EXE
PID:2884 -
\??\c:\bnttth.exec:\bnttth.exe35⤵
- Executes dropped EXE
PID:2232 -
\??\c:\xlfrfrr.exec:\xlfrfrr.exe36⤵
- Executes dropped EXE
PID:1656 -
\??\c:\btnhtb.exec:\btnhtb.exe37⤵
- Executes dropped EXE
PID:1612 -
\??\c:\vjvpj.exec:\vjvpj.exe38⤵
- Executes dropped EXE
PID:2984 -
\??\c:\jvdvp.exec:\jvdvp.exe39⤵
- Executes dropped EXE
PID:2524 -
\??\c:\rxrflll.exec:\rxrflll.exe40⤵
- Executes dropped EXE
PID:3488 -
\??\c:\tntttn.exec:\tntttn.exe41⤵
- Executes dropped EXE
PID:3764 -
\??\c:\pddvp.exec:\pddvp.exe42⤵
- Executes dropped EXE
PID:3616 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe43⤵
- Executes dropped EXE
PID:748 -
\??\c:\fxxxxff.exec:\fxxxxff.exe44⤵
- Executes dropped EXE
PID:4116 -
\??\c:\tttnhh.exec:\tttnhh.exe45⤵
- Executes dropped EXE
PID:2076 -
\??\c:\jvjdp.exec:\jvjdp.exe46⤵
- Executes dropped EXE
PID:1200 -
\??\c:\fxflflr.exec:\fxflflr.exe47⤵
- Executes dropped EXE
PID:4804 -
\??\c:\tttttt.exec:\tttttt.exe48⤵
- Executes dropped EXE
PID:884 -
\??\c:\3djdd.exec:\3djdd.exe49⤵
- Executes dropped EXE
PID:4840 -
\??\c:\xxxrlll.exec:\xxxrlll.exe50⤵
- Executes dropped EXE
PID:1804 -
\??\c:\xxrlffx.exec:\xxrlffx.exe51⤵PID:2372
-
\??\c:\9bbhhh.exec:\9bbhhh.exe52⤵
- Executes dropped EXE
PID:3608 -
\??\c:\5dvpj.exec:\5dvpj.exe53⤵
- Executes dropped EXE
PID:4888 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe54⤵
- Executes dropped EXE
PID:4556 -
\??\c:\llxfxxr.exec:\llxfxxr.exe55⤵
- Executes dropped EXE
PID:3428 -
\??\c:\3bhbhh.exec:\3bhbhh.exe56⤵
- Executes dropped EXE
PID:2504 -
\??\c:\pvvpp.exec:\pvvpp.exe57⤵
- Executes dropped EXE
PID:812 -
\??\c:\xflfxrl.exec:\xflfxrl.exe58⤵
- Executes dropped EXE
PID:2908 -
\??\c:\llrrrrx.exec:\llrrrrx.exe59⤵
- Executes dropped EXE
PID:4680 -
\??\c:\nnnbtn.exec:\nnnbtn.exe60⤵
- Executes dropped EXE
PID:4292 -
\??\c:\vvvpp.exec:\vvvpp.exe61⤵
- Executes dropped EXE
PID:652 -
\??\c:\vddjj.exec:\vddjj.exe62⤵
- Executes dropped EXE
PID:3264 -
\??\c:\fxlrlrf.exec:\fxlrlrf.exe63⤵
- Executes dropped EXE
PID:4604 -
\??\c:\nnttnn.exec:\nnttnn.exe64⤵
- Executes dropped EXE
PID:3480 -
\??\c:\dvdjj.exec:\dvdjj.exe65⤵
- Executes dropped EXE
PID:2316 -
\??\c:\lxrlffx.exec:\lxrlffx.exe66⤵
- Executes dropped EXE
PID:2256 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe67⤵PID:1384
-
\??\c:\ntbbbh.exec:\ntbbbh.exe68⤵PID:4056
-
\??\c:\5dddv.exec:\5dddv.exe69⤵PID:2888
-
\??\c:\rrrxxxx.exec:\rrrxxxx.exe70⤵PID:4424
-
\??\c:\htbbhh.exec:\htbbhh.exe71⤵PID:116
-
\??\c:\pjjvj.exec:\pjjvj.exe72⤵PID:2772
-
\??\c:\vdpjj.exec:\vdpjj.exe73⤵PID:3268
-
\??\c:\rllrrrx.exec:\rllrrrx.exe74⤵PID:3544
-
\??\c:\hhtbbn.exec:\hhtbbn.exe75⤵PID:340
-
\??\c:\vvpjj.exec:\vvpjj.exe76⤵PID:3532
-
\??\c:\pddvp.exec:\pddvp.exe77⤵PID:2500
-
\??\c:\xxxrllx.exec:\xxxrllx.exe78⤵PID:1972
-
\??\c:\ththtn.exec:\ththtn.exe79⤵PID:2456
-
\??\c:\vjjjv.exec:\vjjjv.exe80⤵PID:3404
-
\??\c:\frffrfl.exec:\frffrfl.exe81⤵PID:4244
-
\??\c:\bnhbbb.exec:\bnhbbb.exe82⤵PID:2544
-
\??\c:\vdvdd.exec:\vdvdd.exe83⤵PID:4084
-
\??\c:\vdvpd.exec:\vdvpd.exe84⤵PID:3120
-
\??\c:\lfxrrlr.exec:\lfxrrlr.exe85⤵PID:2044
-
\??\c:\nnnhbb.exec:\nnnhbb.exe86⤵PID:4756
-
\??\c:\jpvdj.exec:\jpvdj.exe87⤵PID:2960
-
\??\c:\5rrrfxr.exec:\5rrrfxr.exe88⤵PID:3600
-
\??\c:\3bbtnh.exec:\3bbtnh.exe89⤵PID:2540
-
\??\c:\dpdpj.exec:\dpdpj.exe90⤵PID:4816
-
\??\c:\xllfrrl.exec:\xllfrrl.exe91⤵PID:1732
-
\??\c:\hbnhnn.exec:\hbnhnn.exe92⤵PID:4200
-
\??\c:\vvppp.exec:\vvppp.exe93⤵PID:2420
-
\??\c:\llfrrrf.exec:\llfrrrf.exe94⤵PID:2132
-
\??\c:\thhhhh.exec:\thhhhh.exe95⤵PID:1720
-
\??\c:\dddvp.exec:\dddvp.exe96⤵PID:1856
-
\??\c:\3lffxxx.exec:\3lffxxx.exe97⤵PID:2268
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe98⤵PID:2800
-
\??\c:\nbbbbb.exec:\nbbbbb.exe99⤵PID:2592
-
\??\c:\jdddd.exec:\jdddd.exe100⤵PID:4796
-
\??\c:\5vvpj.exec:\5vvpj.exe101⤵PID:456
-
\??\c:\btnnnb.exec:\btnnnb.exe102⤵PID:4704
-
\??\c:\hhbttt.exec:\hhbttt.exe103⤵PID:4132
-
\??\c:\vvjdj.exec:\vvjdj.exe104⤵PID:2524
-
\??\c:\fxrlffx.exec:\fxrlffx.exe105⤵PID:4824
-
\??\c:\rxxrrrf.exec:\rxxrrrf.exe106⤵PID:1568
-
\??\c:\bnbttt.exec:\bnbttt.exe107⤵PID:4860
-
\??\c:\fxrrxff.exec:\fxrrxff.exe108⤵PID:756
-
\??\c:\xxllrlr.exec:\xxllrlr.exe109⤵PID:4932
-
\??\c:\5nhhbb.exec:\5nhhbb.exe110⤵PID:3476
-
\??\c:\vpjjd.exec:\vpjjd.exe111⤵PID:3688
-
\??\c:\frxlffx.exec:\frxlffx.exe112⤵PID:3216
-
\??\c:\frrlllf.exec:\frrlllf.exe113⤵PID:672
-
\??\c:\hbbtbb.exec:\hbbtbb.exe114⤵PID:1420
-
\??\c:\jpdvj.exec:\jpdvj.exe115⤵PID:4316
-
\??\c:\rxrlfll.exec:\rxrlfll.exe116⤵PID:1456
-
\??\c:\bbhhhb.exec:\bbhhhb.exe117⤵PID:452
-
\??\c:\bhthht.exec:\bhthht.exe118⤵PID:3848
-
\??\c:\jjjpd.exec:\jjjpd.exe119⤵PID:3692
-
\??\c:\lrlrfxr.exec:\lrlrfxr.exe120⤵PID:4772
-
\??\c:\rrfffrr.exec:\rrfffrr.exe121⤵PID:1932
-
\??\c:\5nhtnn.exec:\5nhtnn.exe122⤵PID:4948
-