Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
18-02-2025 06:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d15b7cd78e3307f1b65754a04dc23530114f80d5f7c7d59aa96afa440251a60b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
d15b7cd78e3307f1b65754a04dc23530114f80d5f7c7d59aa96afa440251a60b.exe
-
Size
455KB
-
MD5
03ea91904e473929c7743d63eb64520b
-
SHA1
df9bdb8e0683ee1d9f4eee6050889b8f28acfa87
-
SHA256
d15b7cd78e3307f1b65754a04dc23530114f80d5f7c7d59aa96afa440251a60b
-
SHA512
ce0a63308ee51106587ffd92d94a54030c79f40b7e137019cf83a2ed479746e2a35a3478a01efb95a066ce45e734ce4aa250eaa6f677fbe9678a4fb8288f6c97
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/404-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2712-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4908-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-1383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2908-1730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3608 nbhnnh.exe 2156 vjpjp.exe 932 7fxffll.exe 4836 bttnnn.exe 3476 pjppj.exe 3140 dvvpp.exe 4416 btbbhh.exe 4388 fffxxxx.exe 184 hhtnbb.exe 2912 nnhbbt.exe 4300 lffllfr.exe 3052 ddppv.exe 2400 pjvvd.exe 1208 xfrlllf.exe 2272 thhbbb.exe 4460 tnnbnn.exe 1288 ppjdv.exe 3372 vpppp.exe 3500 9nnnhn.exe 3724 ppddd.exe 2476 nbbbbb.exe 2644 pdpjd.exe 720 9pddj.exe 664 pdjjd.exe 4528 nhnhnn.exe 540 jvjjd.exe 2712 pvvvp.exe 2596 1lllflf.exe 4500 tthhhh.exe 3276 7jddv.exe 5084 1hnhtt.exe 1596 lllffff.exe 4420 5rrffff.exe 1780 hbhbtt.exe 4260 thhhtt.exe 3544 jpdvp.exe 1608 3lrfxxr.exe 3512 ttttnn.exe 4840 pjvpv.exe 4236 vjpvp.exe 3096 9flxxxx.exe 1276 frxxrrl.exe 3700 bthhhh.exe 3516 vjvpj.exe 3984 flrlffx.exe 1620 nhthnn.exe 3164 jdjdd.exe 4432 xrffffl.exe 4360 lxffxxx.exe 4952 btbbhh.exe 640 3djvp.exe 2564 xrxrlrl.exe 1084 rxxrllf.exe 3340 tbhbtt.exe 4344 ddjdv.exe 3288 dvdvj.exe 1296 xlrlffx.exe 3176 bbbnnh.exe 3476 btbbtb.exe 2516 ttbttt.exe 4656 7vdvv.exe 5052 rllfllf.exe 1388 tttttt.exe 1192 vpddv.exe -
resource yara_rule behavioral2/memory/404-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4500-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2016-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-723-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpjv.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxlxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 404 wrote to memory of 3608 404 d15b7cd78e3307f1b65754a04dc23530114f80d5f7c7d59aa96afa440251a60b.exe 82 PID 404 wrote to memory of 3608 404 d15b7cd78e3307f1b65754a04dc23530114f80d5f7c7d59aa96afa440251a60b.exe 82 PID 404 wrote to memory of 3608 404 d15b7cd78e3307f1b65754a04dc23530114f80d5f7c7d59aa96afa440251a60b.exe 82 PID 3608 wrote to memory of 2156 3608 nbhnnh.exe 83 PID 3608 wrote to memory of 2156 3608 nbhnnh.exe 83 PID 3608 wrote to memory of 2156 3608 nbhnnh.exe 83 PID 2156 wrote to memory of 932 2156 vjpjp.exe 84 PID 2156 wrote to memory of 932 2156 vjpjp.exe 84 PID 2156 wrote to memory of 932 2156 vjpjp.exe 84 PID 932 wrote to memory of 4836 932 7fxffll.exe 85 PID 932 wrote to memory of 4836 932 7fxffll.exe 85 PID 932 wrote to memory of 4836 932 7fxffll.exe 85 PID 4836 wrote to memory of 3476 4836 bttnnn.exe 86 PID 4836 wrote to memory of 3476 4836 bttnnn.exe 86 PID 4836 wrote to memory of 3476 4836 bttnnn.exe 86 PID 3476 wrote to memory of 3140 3476 pjppj.exe 88 PID 3476 wrote to memory of 3140 3476 pjppj.exe 88 PID 3476 wrote to memory of 3140 3476 pjppj.exe 88 PID 3140 wrote to memory of 4416 3140 dvvpp.exe 89 PID 3140 wrote to memory of 4416 3140 dvvpp.exe 89 PID 3140 wrote to memory of 4416 3140 dvvpp.exe 89 PID 4416 wrote to memory of 4388 4416 btbbhh.exe 90 PID 4416 wrote to memory of 4388 4416 btbbhh.exe 90 PID 4416 wrote to memory of 4388 4416 btbbhh.exe 90 PID 4388 wrote to memory of 184 4388 fffxxxx.exe 91 PID 4388 wrote to memory of 184 4388 fffxxxx.exe 91 PID 4388 wrote to memory of 184 4388 fffxxxx.exe 91 PID 184 wrote to memory of 2912 184 hhtnbb.exe 92 PID 184 wrote to memory of 2912 184 hhtnbb.exe 92 PID 184 wrote to memory of 2912 184 hhtnbb.exe 92 PID 2912 wrote to memory of 4300 2912 nnhbbt.exe 93 PID 2912 wrote to memory of 4300 2912 nnhbbt.exe 93 PID 2912 wrote to memory of 4300 2912 nnhbbt.exe 93 PID 4300 wrote to memory of 3052 4300 lffllfr.exe 94 PID 4300 wrote to memory of 3052 4300 
lffllfr.exe 94 PID 4300 wrote to memory of 3052 4300 lffllfr.exe 94 PID 3052 wrote to memory of 2400 3052 ddppv.exe 95 PID 3052 wrote to memory of 2400 3052 ddppv.exe 95 PID 3052 wrote to memory of 2400 3052 ddppv.exe 95 PID 2400 wrote to memory of 1208 2400 pjvvd.exe 96 PID 2400 wrote to memory of 1208 2400 pjvvd.exe 96 PID 2400 wrote to memory of 1208 2400 pjvvd.exe 96 PID 1208 wrote to memory of 2272 1208 xfrlllf.exe 97 PID 1208 wrote to memory of 2272 1208 xfrlllf.exe 97 PID 1208 wrote to memory of 2272 1208 xfrlllf.exe 97 PID 2272 wrote to memory of 4460 2272 thhbbb.exe 98 PID 2272 wrote to memory of 4460 2272 thhbbb.exe 98 PID 2272 wrote to memory of 4460 2272 thhbbb.exe 98 PID 4460 wrote to memory of 1288 4460 tnnbnn.exe 99 PID 4460 wrote to memory of 1288 4460 tnnbnn.exe 99 PID 4460 wrote to memory of 1288 4460 tnnbnn.exe 99 PID 1288 wrote to memory of 3372 1288 ppjdv.exe 100 PID 1288 wrote to memory of 3372 1288 ppjdv.exe 100 PID 1288 wrote to memory of 3372 1288 ppjdv.exe 100 PID 3372 wrote to memory of 3500 3372 vpppp.exe 101 PID 3372 wrote to memory of 3500 3372 vpppp.exe 101 PID 3372 wrote to memory of 3500 3372 vpppp.exe 101 PID 3500 wrote to memory of 3724 3500 9nnnhn.exe 102 PID 3500 wrote to memory of 3724 3500 9nnnhn.exe 102 PID 3500 wrote to memory of 3724 3500 9nnnhn.exe 102 PID 3724 wrote to memory of 2476 3724 ppddd.exe 103 PID 3724 wrote to memory of 2476 3724 ppddd.exe 103 PID 3724 wrote to memory of 2476 3724 ppddd.exe 103 PID 2476 wrote to memory of 2644 2476 nbbbbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d15b7cd78e3307f1b65754a04dc23530114f80d5f7c7d59aa96afa440251a60b.exe"C:\Users\Admin\AppData\Local\Temp\d15b7cd78e3307f1b65754a04dc23530114f80d5f7c7d59aa96afa440251a60b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\nbhnnh.exec:\nbhnnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\vjpjp.exec:\vjpjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\7fxffll.exec:\7fxffll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\bttnnn.exec:\bttnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\pjppj.exec:\pjppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\dvvpp.exec:\dvvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\btbbhh.exec:\btbbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\fffxxxx.exec:\fffxxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\hhtnbb.exec:\hhtnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\nnhbbt.exec:\nnhbbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\lffllfr.exec:\lffllfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\ddppv.exec:\ddppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\pjvvd.exec:\pjvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\xfrlllf.exec:\xfrlllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\thhbbb.exec:\thhbbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\tnnbnn.exec:\tnnbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\ppjdv.exec:\ppjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\vpppp.exec:\vpppp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\9nnnhn.exec:\9nnnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\ppddd.exec:\ppddd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\nbbbbb.exec:\nbbbbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\pdpjd.exec:\pdpjd.exe23⤵
- Executes dropped EXE
PID:2644 -
\??\c:\9pddj.exec:\9pddj.exe24⤵
- Executes dropped EXE
PID:720 -
\??\c:\pdjjd.exec:\pdjjd.exe25⤵
- Executes dropped EXE
PID:664 -
\??\c:\nhnhnn.exec:\nhnhnn.exe26⤵
- Executes dropped EXE
PID:4528 -
\??\c:\jvjjd.exec:\jvjjd.exe27⤵
- Executes dropped EXE
PID:540 -
\??\c:\pvvvp.exec:\pvvvp.exe28⤵
- Executes dropped EXE
PID:2712 -
\??\c:\1lllflf.exec:\1lllflf.exe29⤵
- Executes dropped EXE
PID:2596 -
\??\c:\tthhhh.exec:\tthhhh.exe30⤵
- Executes dropped EXE
PID:4500 -
\??\c:\7jddv.exec:\7jddv.exe31⤵
- Executes dropped EXE
PID:3276 -
\??\c:\1hnhtt.exec:\1hnhtt.exe32⤵
- Executes dropped EXE
PID:5084 -
\??\c:\lllffff.exec:\lllffff.exe33⤵
- Executes dropped EXE
PID:1596 -
\??\c:\5rrffff.exec:\5rrffff.exe34⤵
- Executes dropped EXE
PID:4420 -
\??\c:\hbhbtt.exec:\hbhbtt.exe35⤵
- Executes dropped EXE
PID:1780 -
\??\c:\thhhtt.exec:\thhhtt.exe36⤵
- Executes dropped EXE
PID:4260 -
\??\c:\jpdvp.exec:\jpdvp.exe37⤵
- Executes dropped EXE
PID:3544 -
\??\c:\3lrfxxr.exec:\3lrfxxr.exe38⤵
- Executes dropped EXE
PID:1608 -
\??\c:\ttttnn.exec:\ttttnn.exe39⤵
- Executes dropped EXE
PID:3512 -
\??\c:\pjvpv.exec:\pjvpv.exe40⤵
- Executes dropped EXE
PID:4840 -
\??\c:\vjpvp.exec:\vjpvp.exe41⤵
- Executes dropped EXE
PID:4236 -
\??\c:\9flxxxx.exec:\9flxxxx.exe42⤵
- Executes dropped EXE
PID:3096 -
\??\c:\frxxrrl.exec:\frxxrrl.exe43⤵
- Executes dropped EXE
PID:1276 -
\??\c:\bthhhh.exec:\bthhhh.exe44⤵
- Executes dropped EXE
PID:3700 -
\??\c:\vjvpj.exec:\vjvpj.exe45⤵
- Executes dropped EXE
PID:3516 -
\??\c:\flrlffx.exec:\flrlffx.exe46⤵
- Executes dropped EXE
PID:3984 -
\??\c:\nhthnn.exec:\nhthnn.exe47⤵
- Executes dropped EXE
PID:1620 -
\??\c:\jdjdd.exec:\jdjdd.exe48⤵
- Executes dropped EXE
PID:3164 -
\??\c:\xrffffl.exec:\xrffffl.exe49⤵
- Executes dropped EXE
PID:4432 -
\??\c:\lxffxxx.exec:\lxffxxx.exe50⤵
- Executes dropped EXE
PID:4360 -
\??\c:\btbbhh.exec:\btbbhh.exe51⤵
- Executes dropped EXE
PID:4952 -
\??\c:\3djvp.exec:\3djvp.exe52⤵
- Executes dropped EXE
PID:640 -
\??\c:\xrxrlrl.exec:\xrxrlrl.exe53⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rxxrllf.exec:\rxxrllf.exe54⤵
- Executes dropped EXE
PID:1084 -
\??\c:\tbhbtt.exec:\tbhbtt.exe55⤵
- Executes dropped EXE
PID:3340 -
\??\c:\ddjdv.exec:\ddjdv.exe56⤵
- Executes dropped EXE
PID:4344 -
\??\c:\dvdvj.exec:\dvdvj.exe57⤵
- Executes dropped EXE
PID:3288 -
\??\c:\xlrlffx.exec:\xlrlffx.exe58⤵
- Executes dropped EXE
PID:1296 -
\??\c:\bbbnnh.exec:\bbbnnh.exe59⤵
- Executes dropped EXE
PID:3176 -
\??\c:\btbbtb.exec:\btbbtb.exe60⤵
- Executes dropped EXE
PID:3476 -
\??\c:\ttbttt.exec:\ttbttt.exe61⤵
- Executes dropped EXE
PID:2516 -
\??\c:\7vdvv.exec:\7vdvv.exe62⤵
- Executes dropped EXE
PID:4656 -
\??\c:\rllfllf.exec:\rllfllf.exe63⤵
- Executes dropped EXE
PID:5052 -
\??\c:\tttttt.exec:\tttttt.exe64⤵
- Executes dropped EXE
PID:1388 -
\??\c:\vpddv.exec:\vpddv.exe65⤵
- Executes dropped EXE
PID:1192 -
\??\c:\dvdvj.exec:\dvdvj.exe66⤵PID:1952
-
\??\c:\9llfxxr.exec:\9llfxxr.exe67⤵PID:5080
-
\??\c:\nthbbb.exec:\nthbbb.exe68⤵PID:2776
-
\??\c:\dvdvj.exec:\dvdvj.exe69⤵PID:3784
-
\??\c:\lflxlfx.exec:\lflxlfx.exe70⤵PID:1712
-
\??\c:\rxffrlr.exec:\rxffrlr.exe71⤵PID:3272
-
\??\c:\thhbtn.exec:\thhbtn.exe72⤵PID:924
-
\??\c:\1djpj.exec:\1djpj.exe73⤵PID:4620
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe74⤵PID:4008
-
\??\c:\nnnnhh.exec:\nnnnhh.exe75⤵PID:4304
-
\??\c:\tnhtbt.exec:\tnhtbt.exe76⤵PID:3008
-
\??\c:\djvpp.exec:\djvpp.exe77⤵PID:4908
-
\??\c:\rflfxrl.exec:\rflfxrl.exe78⤵PID:1392
-
\??\c:\hntttt.exec:\hntttt.exe79⤵PID:4728
-
\??\c:\9pvpd.exec:\9pvpd.exe80⤵PID:3724
-
\??\c:\llfffxr.exec:\llfffxr.exe81⤵PID:5068
-
\??\c:\lllfxxf.exec:\lllfxxf.exe82⤵PID:748
-
\??\c:\3hnhbb.exec:\3hnhbb.exe83⤵PID:2940
-
\??\c:\vjjdp.exec:\vjjdp.exe84⤵PID:3312
-
\??\c:\ppdpd.exec:\ppdpd.exe85⤵PID:3852
-
\??\c:\xfllffx.exec:\xfllffx.exe86⤵PID:1736
-
\??\c:\1btnhh.exec:\1btnhh.exe87⤵PID:3264
-
\??\c:\9btnbb.exec:\9btnbb.exe88⤵PID:4072
-
\??\c:\vjpdp.exec:\vjpdp.exe89⤵PID:2016
-
\??\c:\frxrlxr.exec:\frxrlxr.exe90⤵PID:4596
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe91⤵PID:2500
-
\??\c:\hbbtnh.exec:\hbbtnh.exe92⤵PID:2804
-
\??\c:\dvvpv.exec:\dvvpv.exe93⤵PID:4024
-
\??\c:\xrrllll.exec:\xrrllll.exe94⤵PID:4924
-
\??\c:\bbbtnh.exec:\bbbtnh.exe95⤵PID:2872
-
\??\c:\5thbtt.exec:\5thbtt.exe96⤵PID:456
-
\??\c:\jdjdv.exec:\jdjdv.exe97⤵PID:5084
-
\??\c:\lrxlxfr.exec:\lrxlxfr.exe98⤵PID:4876
-
\??\c:\5tbbbb.exec:\5tbbbb.exe99⤵PID:4644
-
\??\c:\djjdp.exec:\djjdp.exe100⤵PID:1884
-
\??\c:\llxrfff.exec:\llxrfff.exe101⤵PID:1196
-
\??\c:\btbttn.exec:\btbttn.exe102⤵PID:3116
-
\??\c:\djpjp.exec:\djpjp.exe103⤵PID:3544
-
\??\c:\pdjdp.exec:\pdjdp.exe104⤵PID:1212
-
\??\c:\rrlfllx.exec:\rrlfllx.exe105⤵PID:3044
-
\??\c:\tnbhht.exec:\tnbhht.exe106⤵PID:4456
-
\??\c:\1vvpd.exec:\1vvpd.exe107⤵PID:4236
-
\??\c:\xlrfxlf.exec:\xlrfxlf.exe108⤵PID:3096
-
\??\c:\llrlxxr.exec:\llrlxxr.exe109⤵PID:4068
-
\??\c:\bbttnn.exec:\bbttnn.exe110⤵PID:3700
-
\??\c:\7jjdv.exec:\7jjdv.exe111⤵PID:3992
-
\??\c:\jjjdv.exec:\jjjdv.exe112⤵PID:4252
-
\??\c:\xlffxxr.exec:\xlffxxr.exe113⤵PID:2452
-
\??\c:\ntbbtt.exec:\ntbbtt.exe114⤵PID:4532
-
\??\c:\hbnnnt.exec:\hbnnnt.exe115⤵PID:3396
-
\??\c:\pjvpv.exec:\pjvpv.exe116⤵PID:4716
-
\??\c:\xrffxxf.exec:\xrffxxf.exe117⤵PID:3608
-
\??\c:\nhnnhn.exec:\nhnnhn.exe118⤵PID:2772
-
\??\c:\vpppj.exec:\vpppj.exe119⤵PID:3492
-
\??\c:\djvvp.exec:\djvvp.exe120⤵PID:4384
-
\??\c:\xxlfxff.exec:\xxlfxff.exe121⤵PID:2456
-
\??\c:\flxrrrx.exec:\flxrrrx.exe122⤵PID:3916