Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe
-
Size
454KB
-
MD5
5bd3c5a83b4a45614e163ce8d8c4648e
-
SHA1
810a05636b2e38176953f9714a6ae652ae93654c
-
SHA256
ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852
-
SHA512
df12dadf9b63696841f17015d2ded03a68e2819edf165428d73690d4f0b26fb1dbba085c03cfaf241b76c9c003da024e2a466b14a407562265439edd5566d879
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4524-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4092-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3560-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-952-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-1028-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5076 vdpvv.exe 4352 1nnbbn.exe 2564 hntttb.exe 1124 jdpjp.exe 2132 lrxrrrl.exe 1596 nbnntt.exe 3504 ddjjj.exe 2072 nbnttt.exe 2180 ntbbbb.exe 1384 pjpvv.exe 4948 tthhnt.exe 2232 5xxxxfl.exe 2080 7nnbbn.exe 3020 ffrrxfx.exe 4248 pvdvp.exe 4896 lxrrlrf.exe 2084 dvjjj.exe 4448 xrfffff.exe 1072 hthhhh.exe 3416 3ntttb.exe 2524 rfxrffx.exe 3620 nhhbnn.exe 2496 9pvpv.exe 972 xfllffx.exe 3840 frfxxrl.exe 3988 tnnhbn.exe 4092 fflrfll.exe 5032 5dppp.exe 3636 dvpdv.exe 4256 ntntbn.exe 3604 3jdvp.exe 3172 rllfxxr.exe 468 5xlfflf.exe 1152 fffxfxf.exe 1304 9rffrxr.exe 668 rlrrrrr.exe 3652 nbnnhb.exe 4960 vvjdp.exe 4240 5lrlrrr.exe 4692 5tttnn.exe 4024 ppppp.exe 3140 9xfxrrl.exe 4348 xxfrrrr.exe 2100 nhnntt.exe 1788 dpppj.exe 2352 jjdvv.exe 1376 xxfffll.exe 1836 hnnbnn.exe 3712 vvppv.exe 3964 lffxfff.exe 4508 7hnhbb.exe 3496 1bhbnh.exe 3612 dvpjd.exe 2756 3rfxrxr.exe 3468 rfllrrl.exe 3628 jjpjj.exe 3948 jjjdd.exe 2008 xxxxllr.exe 4468 1nhbbh.exe 1940 9jdjv.exe 2016 rxflfff.exe 3112 hhnbhb.exe 1852 pjppp.exe 2096 9rrrlrr.exe -
resource yara_rule behavioral2/memory/4524-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3636-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4456-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-952-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4524 wrote to memory of 5076 4524 ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe 82 PID 4524 wrote to memory of 5076 4524 ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe 82 PID 4524 wrote to memory of 5076 4524 ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe 82 PID 5076 wrote to memory of 4352 5076 vdpvv.exe 83 PID 5076 wrote to memory of 4352 5076 vdpvv.exe 83 PID 5076 wrote to memory of 4352 5076 vdpvv.exe 83 PID 4352 wrote to memory of 2564 4352 1nnbbn.exe 84 PID 4352 wrote to memory of 2564 4352 1nnbbn.exe 84 PID 4352 wrote to memory of 2564 4352 1nnbbn.exe 84 PID 2564 wrote to memory of 1124 2564 hntttb.exe 85 PID 2564 wrote to memory of 1124 2564 hntttb.exe 85 PID 2564 wrote to memory of 1124 2564 hntttb.exe 85 PID 1124 wrote to memory of 2132 1124 jdpjp.exe 86 PID 1124 wrote to memory of 2132 1124 jdpjp.exe 86 PID 1124 wrote to memory of 2132 1124 jdpjp.exe 86 PID 2132 wrote to memory of 1596 2132 lrxrrrl.exe 87 PID 2132 wrote to memory of 1596 2132 lrxrrrl.exe 87 PID 2132 wrote to memory of 1596 2132 lrxrrrl.exe 87 PID 1596 wrote to memory of 3504 1596 nbnntt.exe 88 PID 1596 wrote to memory of 3504 1596 nbnntt.exe 88 PID 1596 wrote to memory of 3504 1596 nbnntt.exe 88 PID 3504 wrote to memory of 2072 3504 ddjjj.exe 89 PID 3504 wrote to memory of 2072 3504 ddjjj.exe 89 PID 3504 wrote to memory of 2072 3504 ddjjj.exe 89 PID 2072 wrote to memory of 2180 2072 nbnttt.exe 90 PID 2072 wrote to memory of 2180 2072 nbnttt.exe 90 PID 2072 wrote to memory of 2180 2072 nbnttt.exe 90 PID 2180 wrote to memory of 1384 2180 ntbbbb.exe 91 PID 2180 wrote to memory of 1384 2180 ntbbbb.exe 91 PID 2180 wrote to memory of 1384 2180 ntbbbb.exe 91 PID 1384 wrote to memory of 4948 1384 pjpvv.exe 92 PID 1384 wrote to memory of 4948 1384 pjpvv.exe 92 PID 1384 wrote to memory of 4948 1384 pjpvv.exe 92 PID 4948 wrote to memory of 2232 4948 tthhnt.exe 93 PID 4948 wrote to memory of 
2232 4948 tthhnt.exe 93 PID 4948 wrote to memory of 2232 4948 tthhnt.exe 93 PID 2232 wrote to memory of 2080 2232 5xxxxfl.exe 94 PID 2232 wrote to memory of 2080 2232 5xxxxfl.exe 94 PID 2232 wrote to memory of 2080 2232 5xxxxfl.exe 94 PID 2080 wrote to memory of 3020 2080 7nnbbn.exe 95 PID 2080 wrote to memory of 3020 2080 7nnbbn.exe 95 PID 2080 wrote to memory of 3020 2080 7nnbbn.exe 95 PID 3020 wrote to memory of 4248 3020 ffrrxfx.exe 96 PID 3020 wrote to memory of 4248 3020 ffrrxfx.exe 96 PID 3020 wrote to memory of 4248 3020 ffrrxfx.exe 96 PID 4248 wrote to memory of 4896 4248 pvdvp.exe 97 PID 4248 wrote to memory of 4896 4248 pvdvp.exe 97 PID 4248 wrote to memory of 4896 4248 pvdvp.exe 97 PID 4896 wrote to memory of 2084 4896 lxrrlrf.exe 98 PID 4896 wrote to memory of 2084 4896 lxrrlrf.exe 98 PID 4896 wrote to memory of 2084 4896 lxrrlrf.exe 98 PID 2084 wrote to memory of 4448 2084 dvjjj.exe 99 PID 2084 wrote to memory of 4448 2084 dvjjj.exe 99 PID 2084 wrote to memory of 4448 2084 dvjjj.exe 99 PID 4448 wrote to memory of 1072 4448 xrfffff.exe 100 PID 4448 wrote to memory of 1072 4448 xrfffff.exe 100 PID 4448 wrote to memory of 1072 4448 xrfffff.exe 100 PID 1072 wrote to memory of 3416 1072 hthhhh.exe 101 PID 1072 wrote to memory of 3416 1072 hthhhh.exe 101 PID 1072 wrote to memory of 3416 1072 hthhhh.exe 101 PID 3416 wrote to memory of 2524 3416 3ntttb.exe 102 PID 3416 wrote to memory of 2524 3416 3ntttb.exe 102 PID 3416 wrote to memory of 2524 3416 3ntttb.exe 102 PID 2524 wrote to memory of 3620 2524 rfxrffx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe"C:\Users\Admin\AppData\Local\Temp\ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\vdpvv.exec:\vdpvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\1nnbbn.exec:\1nnbbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\hntttb.exec:\hntttb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\jdpjp.exec:\jdpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\lrxrrrl.exec:\lrxrrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\nbnntt.exec:\nbnntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\ddjjj.exec:\ddjjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\nbnttt.exec:\nbnttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\ntbbbb.exec:\ntbbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\pjpvv.exec:\pjpvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\tthhnt.exec:\tthhnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\5xxxxfl.exec:\5xxxxfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\7nnbbn.exec:\7nnbbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\ffrrxfx.exec:\ffrrxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\pvdvp.exec:\pvdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\lxrrlrf.exec:\lxrrlrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\dvjjj.exec:\dvjjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\xrfffff.exec:\xrfffff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\hthhhh.exec:\hthhhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\3ntttb.exec:\3ntttb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\rfxrffx.exec:\rfxrffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\nhhbnn.exec:\nhhbnn.exe23⤵
- Executes dropped EXE
PID:3620 -
\??\c:\9pvpv.exec:\9pvpv.exe24⤵
- Executes dropped EXE
PID:2496 -
\??\c:\xfllffx.exec:\xfllffx.exe25⤵
- Executes dropped EXE
PID:972 -
\??\c:\frfxxrl.exec:\frfxxrl.exe26⤵
- Executes dropped EXE
PID:3840 -
\??\c:\tnnhbn.exec:\tnnhbn.exe27⤵
- Executes dropped EXE
PID:3988 -
\??\c:\fflrfll.exec:\fflrfll.exe28⤵
- Executes dropped EXE
PID:4092 -
\??\c:\5dppp.exec:\5dppp.exe29⤵
- Executes dropped EXE
PID:5032 -
\??\c:\dvpdv.exec:\dvpdv.exe30⤵
- Executes dropped EXE
PID:3636 -
\??\c:\ntntbn.exec:\ntntbn.exe31⤵
- Executes dropped EXE
PID:4256 -
\??\c:\3jdvp.exec:\3jdvp.exe32⤵
- Executes dropped EXE
PID:3604 -
\??\c:\rllfxxr.exec:\rllfxxr.exe33⤵
- Executes dropped EXE
PID:3172 -
\??\c:\5xlfflf.exec:\5xlfflf.exe34⤵
- Executes dropped EXE
PID:468 -
\??\c:\fffxfxf.exec:\fffxfxf.exe35⤵
- Executes dropped EXE
PID:1152 -
\??\c:\9rffrxr.exec:\9rffrxr.exe36⤵
- Executes dropped EXE
PID:1304 -
\??\c:\rlrrrrr.exec:\rlrrrrr.exe37⤵
- Executes dropped EXE
PID:668 -
\??\c:\nbnnhb.exec:\nbnnhb.exe38⤵
- Executes dropped EXE
PID:3652 -
\??\c:\vvjdp.exec:\vvjdp.exe39⤵
- Executes dropped EXE
PID:4960 -
\??\c:\5lrlrrr.exec:\5lrlrrr.exe40⤵
- Executes dropped EXE
PID:4240 -
\??\c:\5tttnn.exec:\5tttnn.exe41⤵
- Executes dropped EXE
PID:4692 -
\??\c:\ppppp.exec:\ppppp.exe42⤵
- Executes dropped EXE
PID:4024 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe43⤵
- Executes dropped EXE
PID:3140 -
\??\c:\xxfrrrr.exec:\xxfrrrr.exe44⤵
- Executes dropped EXE
PID:4348 -
\??\c:\nhnntt.exec:\nhnntt.exe45⤵
- Executes dropped EXE
PID:2100 -
\??\c:\dpppj.exec:\dpppj.exe46⤵
- Executes dropped EXE
PID:1788 -
\??\c:\jjdvv.exec:\jjdvv.exe47⤵
- Executes dropped EXE
PID:2352 -
\??\c:\xxfffll.exec:\xxfffll.exe48⤵
- Executes dropped EXE
PID:1376 -
\??\c:\hnnbnn.exec:\hnnbnn.exe49⤵
- Executes dropped EXE
PID:1836 -
\??\c:\vvppv.exec:\vvppv.exe50⤵
- Executes dropped EXE
PID:3712 -
\??\c:\lffxfff.exec:\lffxfff.exe51⤵
- Executes dropped EXE
PID:3964 -
\??\c:\7hnhbb.exec:\7hnhbb.exe52⤵
- Executes dropped EXE
PID:4508 -
\??\c:\1bhbnh.exec:\1bhbnh.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3496 -
\??\c:\dvpjd.exec:\dvpjd.exe54⤵
- Executes dropped EXE
PID:3612 -
\??\c:\3rfxrxr.exec:\3rfxrxr.exe55⤵
- Executes dropped EXE
PID:2756 -
\??\c:\rfllrrl.exec:\rfllrrl.exe56⤵
- Executes dropped EXE
PID:3468 -
\??\c:\jjpjj.exec:\jjpjj.exe57⤵
- Executes dropped EXE
PID:3628 -
\??\c:\jjjdd.exec:\jjjdd.exe58⤵
- Executes dropped EXE
PID:3948 -
\??\c:\xxxxllr.exec:\xxxxllr.exe59⤵
- Executes dropped EXE
PID:2008 -
\??\c:\1nhbbh.exec:\1nhbbh.exe60⤵
- Executes dropped EXE
PID:4468 -
\??\c:\9jdjv.exec:\9jdjv.exe61⤵
- Executes dropped EXE
PID:1940 -
\??\c:\rxflfff.exec:\rxflfff.exe62⤵
- Executes dropped EXE
PID:2016 -
\??\c:\hhnbhb.exec:\hhnbhb.exe63⤵
- Executes dropped EXE
PID:3112 -
\??\c:\pjppp.exec:\pjppp.exe64⤵
- Executes dropped EXE
PID:1852 -
\??\c:\9rrrlrr.exec:\9rrrlrr.exe65⤵
- Executes dropped EXE
PID:2096 -
\??\c:\thnnnn.exec:\thnnnn.exe66⤵PID:3412
-
\??\c:\vvvpv.exec:\vvvpv.exe67⤵PID:672
-
\??\c:\pdjjj.exec:\pdjjj.exe68⤵PID:2204
-
\??\c:\lxfxfxx.exec:\lxfxfxx.exe69⤵PID:4984
-
\??\c:\tbhbtn.exec:\tbhbtn.exe70⤵PID:1688
-
\??\c:\9ddpj.exec:\9ddpj.exe71⤵PID:4324
-
\??\c:\pjppp.exec:\pjppp.exe72⤵PID:5016
-
\??\c:\xxxxllf.exec:\xxxxllf.exe73⤵PID:3852
-
\??\c:\bbbttb.exec:\bbbttb.exe74⤵PID:3560
-
\??\c:\jjpjj.exec:\jjpjj.exe75⤵PID:4040
-
\??\c:\jdvvv.exec:\jdvvv.exe76⤵PID:2360
-
\??\c:\lffrxff.exec:\lffrxff.exe77⤵PID:2540
-
\??\c:\bthbtn.exec:\bthbtn.exe78⤵PID:4672
-
\??\c:\pdvjj.exec:\pdvjj.exe79⤵PID:4892
-
\??\c:\xrxfffx.exec:\xrxfffx.exe80⤵PID:1536
-
\??\c:\hntttt.exec:\hntttt.exe81⤵PID:2552
-
\??\c:\bttnnn.exec:\bttnnn.exe82⤵PID:2112
-
\??\c:\7dvdd.exec:\7dvdd.exe83⤵PID:2608
-
\??\c:\lrffflx.exec:\lrffflx.exe84⤵PID:4764
-
\??\c:\btbbbb.exec:\btbbbb.exe85⤵PID:884
-
\??\c:\vvjvv.exec:\vvjvv.exe86⤵PID:4004
-
\??\c:\llrrrxf.exec:\llrrrxf.exe87⤵PID:4716
-
\??\c:\nnbnhb.exec:\nnbnhb.exe88⤵PID:5004
-
\??\c:\tnbbbb.exec:\tnbbbb.exe89⤵
- System Location Discovery: System Language Discovery
PID:392 -
\??\c:\vpvpj.exec:\vpvpj.exe90⤵PID:2400
-
\??\c:\lrflxxl.exec:\lrflxxl.exe91⤵PID:676
-
\??\c:\hnntnn.exec:\hnntnn.exe92⤵PID:1308
-
\??\c:\vpvpj.exec:\vpvpj.exe93⤵PID:4456
-
\??\c:\xfxfxff.exec:\xfxfxff.exe94⤵PID:384
-
\??\c:\bntnhh.exec:\bntnhh.exe95⤵PID:2468
-
\??\c:\vvpjd.exec:\vvpjd.exe96⤵PID:3992
-
\??\c:\rxffxff.exec:\rxffxff.exe97⤵PID:4712
-
\??\c:\bbbthh.exec:\bbbthh.exe98⤵PID:3692
-
\??\c:\nntnbh.exec:\nntnbh.exe99⤵PID:956
-
\??\c:\vvvvp.exec:\vvvvp.exe100⤵PID:4544
-
\??\c:\rflfxxx.exec:\rflfxxx.exe101⤵PID:4276
-
\??\c:\llllfff.exec:\llllfff.exe102⤵PID:4608
-
\??\c:\hnttnn.exec:\hnttnn.exe103⤵
- System Location Discovery: System Language Discovery
PID:1500 -
\??\c:\9vpjj.exec:\9vpjj.exe104⤵PID:1752
-
\??\c:\rrlfllx.exec:\rrlfllx.exe105⤵PID:1136
-
\??\c:\rfllxxf.exec:\rfllxxf.exe106⤵PID:1032
-
\??\c:\jjddj.exec:\jjddj.exe107⤵PID:1492
-
\??\c:\dvdjd.exec:\dvdjd.exe108⤵PID:1376
-
\??\c:\rrrrrxf.exec:\rrrrrxf.exe109⤵PID:1836
-
\??\c:\5bhbbb.exec:\5bhbbb.exe110⤵PID:1584
-
\??\c:\jdpjj.exec:\jdpjj.exe111⤵PID:2440
-
\??\c:\xrlrxlr.exec:\xrlrxlr.exe112⤵PID:3488
-
\??\c:\rfrrlll.exec:\rfrrlll.exe113⤵PID:4508
-
\??\c:\nbtntb.exec:\nbtntb.exe114⤵PID:3496
-
\??\c:\pdvpj.exec:\pdvpj.exe115⤵PID:3504
-
\??\c:\vjppp.exec:\vjppp.exe116⤵PID:3428
-
\??\c:\3xxxllf.exec:\3xxxllf.exe117⤵PID:1184
-
\??\c:\9ntnht.exec:\9ntnht.exe118⤵PID:4836
-
\??\c:\vjddp.exec:\vjddp.exe119⤵PID:4864
-
\??\c:\jdjjj.exec:\jdjjj.exe120⤵PID:3948
-
\??\c:\lrxlffx.exec:\lrxlffx.exe121⤵PID:2008
-
\??\c:\nnhhht.exec:\nnhhht.exe122⤵PID:4468