Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28/03/2025, 21:26
Behavioral task
behavioral1 (note: every IoC under Signatures below is prefixed behavioral2, i.e. it belongs to the win10v2004-20250313-en run named in the header; this win7-20240903-en entry appears to be a separate task of the same sample)
Sample
586bbd5e5a4b5cf47ad9e1a752ece69fe0e48686ab3381d87ecfeca0ee73bc2b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
586bbd5e5a4b5cf47ad9e1a752ece69fe0e48686ab3381d87ecfeca0ee73bc2b.exe
-
Size
92KB
-
MD5
fb721cdc8ec37139881060f3912b8925
-
SHA1
194b2a876681063553db56de33adcdf462aebc3d
-
SHA256
586bbd5e5a4b5cf47ad9e1a752ece69fe0e48686ab3381d87ecfeca0ee73bc2b
-
SHA512
9c46c107f50b735310a6835738e6f46376d4f9d49efa9cb1dad6870dbab8329de1f1d3511a3f4b443363eef1feb3c769dcdb1ef1780fafda689110d50709d265
-
SSDEEP
1536:8vQBeOGtrYS3srx93UBWfwC6Ggnouy80fg3Cip8iXAsG5M0u5fVBA1zO:8hOmTsF93UYfwC6GIout0fmCiiiXA6NL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every match covers the identical mapped range 0x0000000000400000-0x0000000000427000 in a different process, consistent with each dropped executable being a copy of one image; PIDs recur at several offsets — e.g. 5404-12, 5404-286, 5404-841 — and the process tree shows PID 5404 used first by bbhhtt.exe and later by rxffllr.exe, so a repeated PID in these dumps does not imply the same process)
resource yara_rule behavioral2/memory/4380-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5404-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4172-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2636-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5584-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5512-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5604-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5868-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3200-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/6092-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4908-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/6112-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/6072-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4992-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5476-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5364-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5436-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5948-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/816-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5760-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1784-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5324-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/6052-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5440-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/528-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5656-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/812-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5212-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/384-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/244-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5380-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5404-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5616-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5380-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-625-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-660-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-681-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-726-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-759-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5404-841-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3164 xxxxrll.exe 5404 bbhhtt.exe 1196 5dddd.exe 2280 fxrlflf.exe 4172 7hnnhh.exe 2636 9btnnh.exe 5584 jvdvd.exe 3216 bbnntt.exe 5512 9vppj.exe 5604 jdpvd.exe 5868 rfrxrrx.exe 3200 tnbtnh.exe 736 pddvv.exe 6092 lffxrrr.exe 1752 thnnnn.exe 4908 vvddd.exe 4740 lrrrlll.exe 4788 nhtnht.exe 6112 ttbbnh.exe 1452 vvjvj.exe 5224 llxxxxl.exe 6072 nnttnn.exe 3504 nhhbtn.exe 5000 pjvdv.exe 4992 fllllxf.exe 5072 hbhhhh.exe 5476 5jppj.exe 5424 1vppp.exe 3820 7llxrlr.exe 2180 xrxlflf.exe 4824 bntnnt.exe 5364 jvjjd.exe 732 vjjjd.exe 5436 lrlxrrr.exe 2408 tnnnhh.exe 4860 nhhbnn.exe 5948 pjjdj.exe 816 vjpjj.exe 6032 xrlfxxr.exe 1428 9lrrllf.exe 2576 thnntn.exe 5812 vvdvp.exe 5760 lffxrrl.exe 1784 xrxxrxx.exe 2544 nhtbbb.exe 1020 nhnnhn.exe 2112 dpddv.exe 3104 lllfxff.exe 5324 9fllxxl.exe 6052 1tnhbb.exe 3996 nbttnn.exe 3708 jvvpj.exe 5440 lllfffx.exe 2460 xfffffx.exe 4532 htnttt.exe 1116 1ttnhn.exe 2368 jdvpp.exe 3112 jddvp.exe 3136 rlfrllf.exe 3576 lxxxffx.exe 528 hbhhnn.exe 3616 httthh.exe 5656 dpjjv.exe 3668 pvvvp.exe -
resource yara_rule behavioral2/memory/4380-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0004000000022791-3.dat upx behavioral2/memory/4380-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000800000002429a-8.dat upx behavioral2/memory/5404-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3164-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002429e-14.dat upx behavioral2/memory/1196-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1196-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002429f-21.dat upx behavioral2/files/0x00070000000242a0-26.dat upx behavioral2/memory/2280-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242a1-29.dat upx behavioral2/memory/4172-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242a2-34.dat upx behavioral2/memory/2636-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242a3-39.dat upx behavioral2/memory/5584-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242a4-44.dat upx behavioral2/memory/5512-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242a6-48.dat upx behavioral2/files/0x00070000000242a7-53.dat upx behavioral2/memory/5604-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242a8-58.dat upx behavioral2/memory/5868-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242a9-63.dat upx behavioral2/memory/3200-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/736-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242aa-68.dat upx behavioral2/files/0x00070000000242ab-75.dat upx 
behavioral2/memory/6092-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242ac-78.dat upx behavioral2/memory/1752-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242ad-83.dat upx behavioral2/memory/4908-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242ae-88.dat upx behavioral2/memory/4740-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4788-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242af-93.dat upx behavioral2/memory/6112-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242b0-99.dat upx behavioral2/files/0x00070000000242b1-103.dat upx behavioral2/files/0x00070000000242b2-107.dat upx behavioral2/files/0x00070000000242b3-112.dat upx behavioral2/memory/6072-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242b4-116.dat upx behavioral2/files/0x00070000000242b5-120.dat upx behavioral2/memory/5000-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000800000002429b-124.dat upx behavioral2/memory/4992-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242b6-130.dat upx behavioral2/files/0x00070000000242b7-134.dat upx behavioral2/memory/5476-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242b8-139.dat upx behavioral2/files/0x00070000000242b9-143.dat upx behavioral2/files/0x00070000000242ba-147.dat upx behavioral2/memory/4824-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000242bb-152.dat upx behavioral2/memory/5364-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/732-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5436-162-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4860-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5948-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/816-173-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Entries attributed to "Process not Found" are registry opens whose originating process could not be resolved, likely because the short-lived dropped executable had already exited when the event was attributed; treat them as belonging to the same replication chain rather than as unattributed third-party activity.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffllll.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfllxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each entry is a parent writing into the child it has just spawned, three writes per parent/child pair, in a strict chain 4380 → 3164 → 5404 → 1196 → …; writes into a freshly created child at start-up can also be produced by ordinary process creation, so the notable signal here is the self-replicating chain of dropped executables in c:\ rather than the API call on its own)
description pid Process procid_target PID 4380 wrote to memory of 3164 4380 586bbd5e5a4b5cf47ad9e1a752ece69fe0e48686ab3381d87ecfeca0ee73bc2b.exe 85 PID 4380 wrote to memory of 3164 4380 586bbd5e5a4b5cf47ad9e1a752ece69fe0e48686ab3381d87ecfeca0ee73bc2b.exe 85 PID 4380 wrote to memory of 3164 4380 586bbd5e5a4b5cf47ad9e1a752ece69fe0e48686ab3381d87ecfeca0ee73bc2b.exe 85 PID 3164 wrote to memory of 5404 3164 xxxxrll.exe 86 PID 3164 wrote to memory of 5404 3164 xxxxrll.exe 86 PID 3164 wrote to memory of 5404 3164 xxxxrll.exe 86 PID 5404 wrote to memory of 1196 5404 bbhhtt.exe 87 PID 5404 wrote to memory of 1196 5404 bbhhtt.exe 87 PID 5404 wrote to memory of 1196 5404 bbhhtt.exe 87 PID 1196 wrote to memory of 2280 1196 5dddd.exe 88 PID 1196 wrote to memory of 2280 1196 5dddd.exe 88 PID 1196 wrote to memory of 2280 1196 5dddd.exe 88 PID 2280 wrote to memory of 4172 2280 fxrlflf.exe 89 PID 2280 wrote to memory of 4172 2280 fxrlflf.exe 89 PID 2280 wrote to memory of 4172 2280 fxrlflf.exe 89 PID 4172 wrote to memory of 2636 4172 7hnnhh.exe 90 PID 4172 wrote to memory of 2636 4172 7hnnhh.exe 90 PID 4172 wrote to memory of 2636 4172 7hnnhh.exe 90 PID 2636 wrote to memory of 5584 2636 9btnnh.exe 91 PID 2636 wrote to memory of 5584 2636 9btnnh.exe 91 PID 2636 wrote to memory of 5584 2636 9btnnh.exe 91 PID 5584 wrote to memory of 3216 5584 jvdvd.exe 92 PID 5584 wrote to memory of 3216 5584 jvdvd.exe 92 PID 5584 wrote to memory of 3216 5584 jvdvd.exe 92 PID 3216 wrote to memory of 5512 3216 bbnntt.exe 93 PID 3216 wrote to memory of 5512 3216 bbnntt.exe 93 PID 3216 wrote to memory of 5512 3216 bbnntt.exe 93 PID 5512 wrote to memory of 5604 5512 9vppj.exe 94 PID 5512 wrote to memory of 5604 5512 9vppj.exe 94 PID 5512 wrote to memory of 5604 5512 9vppj.exe 94 PID 5604 wrote to memory of 5868 5604 jdpvd.exe 96 PID 5604 wrote to memory of 5868 5604 jdpvd.exe 96 PID 5604 wrote to memory of 5868 5604 jdpvd.exe 96 PID 5868 wrote to memory of 3200 5868 rfrxrrx.exe 97 PID 5868 wrote to memory 
of 3200 5868 rfrxrrx.exe 97 PID 5868 wrote to memory of 3200 5868 rfrxrrx.exe 97 PID 3200 wrote to memory of 736 3200 tnbtnh.exe 98 PID 3200 wrote to memory of 736 3200 tnbtnh.exe 98 PID 3200 wrote to memory of 736 3200 tnbtnh.exe 98 PID 736 wrote to memory of 6092 736 pddvv.exe 99 PID 736 wrote to memory of 6092 736 pddvv.exe 99 PID 736 wrote to memory of 6092 736 pddvv.exe 99 PID 6092 wrote to memory of 1752 6092 lffxrrr.exe 100 PID 6092 wrote to memory of 1752 6092 lffxrrr.exe 100 PID 6092 wrote to memory of 1752 6092 lffxrrr.exe 100 PID 1752 wrote to memory of 4908 1752 thnnnn.exe 101 PID 1752 wrote to memory of 4908 1752 thnnnn.exe 101 PID 1752 wrote to memory of 4908 1752 thnnnn.exe 101 PID 4908 wrote to memory of 4740 4908 vvddd.exe 103 PID 4908 wrote to memory of 4740 4908 vvddd.exe 103 PID 4908 wrote to memory of 4740 4908 vvddd.exe 103 PID 4740 wrote to memory of 4788 4740 lrrrlll.exe 104 PID 4740 wrote to memory of 4788 4740 lrrrlll.exe 104 PID 4740 wrote to memory of 4788 4740 lrrrlll.exe 104 PID 4788 wrote to memory of 6112 4788 nhtnht.exe 105 PID 4788 wrote to memory of 6112 4788 nhtnht.exe 105 PID 4788 wrote to memory of 6112 4788 nhtnht.exe 105 PID 6112 wrote to memory of 1452 6112 ttbbnh.exe 106 PID 6112 wrote to memory of 1452 6112 ttbbnh.exe 106 PID 6112 wrote to memory of 1452 6112 ttbbnh.exe 106 PID 1452 wrote to memory of 5224 1452 vvjvj.exe 107 PID 1452 wrote to memory of 5224 1452 vvjvj.exe 107 PID 1452 wrote to memory of 5224 1452 vvjvj.exe 107 PID 5224 wrote to memory of 6072 5224 llxxxxl.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\586bbd5e5a4b5cf47ad9e1a752ece69fe0e48686ab3381d87ecfeca0ee73bc2b.exe"C:\Users\Admin\AppData\Local\Temp\586bbd5e5a4b5cf47ad9e1a752ece69fe0e48686ab3381d87ecfeca0ee73bc2b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\xxxxrll.exec:\xxxxrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\bbhhtt.exec:\bbhhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5404 -
\??\c:\5dddd.exec:\5dddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\fxrlflf.exec:\fxrlflf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\7hnnhh.exec:\7hnnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\9btnnh.exec:\9btnnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\jvdvd.exec:\jvdvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5584 -
\??\c:\bbnntt.exec:\bbnntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\9vppj.exec:\9vppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5512 -
\??\c:\jdpvd.exec:\jdpvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5604 -
\??\c:\rfrxrrx.exec:\rfrxrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5868 -
\??\c:\tnbtnh.exec:\tnbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\pddvv.exec:\pddvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\lffxrrr.exec:\lffxrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6092 -
\??\c:\thnnnn.exec:\thnnnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\vvddd.exec:\vvddd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\lrrrlll.exec:\lrrrlll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\nhtnht.exec:\nhtnht.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\ttbbnh.exec:\ttbbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6112 -
\??\c:\vvjvj.exec:\vvjvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\llxxxxl.exec:\llxxxxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5224 -
\??\c:\nnttnn.exec:\nnttnn.exe23⤵
- Executes dropped EXE
PID:6072 -
\??\c:\nhhbtn.exec:\nhhbtn.exe24⤵
- Executes dropped EXE
PID:3504 -
\??\c:\pjvdv.exec:\pjvdv.exe25⤵
- Executes dropped EXE
PID:5000 -
\??\c:\fllllxf.exec:\fllllxf.exe26⤵
- Executes dropped EXE
PID:4992 -
\??\c:\hbhhhh.exec:\hbhhhh.exe27⤵
- Executes dropped EXE
PID:5072 -
\??\c:\5jppj.exec:\5jppj.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5476 -
\??\c:\1vppp.exec:\1vppp.exe29⤵
- Executes dropped EXE
PID:5424 -
\??\c:\7llxrlr.exec:\7llxrlr.exe30⤵
- Executes dropped EXE
PID:3820 -
\??\c:\xrxlflf.exec:\xrxlflf.exe31⤵
- Executes dropped EXE
PID:2180 -
\??\c:\bntnnt.exec:\bntnnt.exe32⤵
- Executes dropped EXE
PID:4824 -
\??\c:\jvjjd.exec:\jvjjd.exe33⤵
- Executes dropped EXE
PID:5364 -
\??\c:\vjjjd.exec:\vjjjd.exe34⤵
- Executes dropped EXE
PID:732 -
\??\c:\lrlxrrr.exec:\lrlxrrr.exe35⤵
- Executes dropped EXE
PID:5436 -
\??\c:\tnnnhh.exec:\tnnnhh.exe36⤵
- Executes dropped EXE
PID:2408 -
\??\c:\nhhbnn.exec:\nhhbnn.exe37⤵
- Executes dropped EXE
PID:4860 -
\??\c:\pjjdj.exec:\pjjdj.exe38⤵
- Executes dropped EXE
PID:5948 -
\??\c:\vjpjj.exec:\vjpjj.exe39⤵
- Executes dropped EXE
PID:816 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe40⤵
- Executes dropped EXE
PID:6032 -
\??\c:\9lrrllf.exec:\9lrrllf.exe41⤵
- Executes dropped EXE
PID:1428 -
\??\c:\thnntn.exec:\thnntn.exe42⤵
- Executes dropped EXE
PID:2576 -
\??\c:\vvdvp.exec:\vvdvp.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5812 -
\??\c:\lffxrrl.exec:\lffxrrl.exe44⤵
- Executes dropped EXE
PID:5760 -
\??\c:\xrxxrxx.exec:\xrxxrxx.exe45⤵
- Executes dropped EXE
PID:1784 -
\??\c:\nhtbbb.exec:\nhtbbb.exe46⤵
- Executes dropped EXE
PID:2544 -
\??\c:\nhnnhn.exec:\nhnnhn.exe47⤵
- Executes dropped EXE
PID:1020 -
\??\c:\dpddv.exec:\dpddv.exe48⤵
- Executes dropped EXE
PID:2112 -
\??\c:\lllfxff.exec:\lllfxff.exe49⤵
- Executes dropped EXE
PID:3104 -
\??\c:\9fllxxl.exec:\9fllxxl.exe50⤵
- Executes dropped EXE
PID:5324 -
\??\c:\1tnhbb.exec:\1tnhbb.exe51⤵
- Executes dropped EXE
PID:6052 -
\??\c:\nbttnn.exec:\nbttnn.exe52⤵
- Executes dropped EXE
PID:3996 -
\??\c:\jvvpj.exec:\jvvpj.exe53⤵
- Executes dropped EXE
PID:3708 -
\??\c:\lllfffx.exec:\lllfffx.exe54⤵
- Executes dropped EXE
PID:5440 -
\??\c:\xfffffx.exec:\xfffffx.exe55⤵
- Executes dropped EXE
PID:2460 -
\??\c:\htnttt.exec:\htnttt.exe56⤵
- Executes dropped EXE
PID:4532 -
\??\c:\1ttnhn.exec:\1ttnhn.exe57⤵
- Executes dropped EXE
PID:1116 -
\??\c:\jdvpp.exec:\jdvpp.exe58⤵
- Executes dropped EXE
PID:2368 -
\??\c:\jddvp.exec:\jddvp.exe59⤵
- Executes dropped EXE
PID:3112 -
\??\c:\rlfrllf.exec:\rlfrllf.exe60⤵
- Executes dropped EXE
PID:3136 -
\??\c:\lxxxffx.exec:\lxxxffx.exe61⤵
- Executes dropped EXE
PID:3576 -
\??\c:\hbhhnn.exec:\hbhhnn.exe62⤵
- Executes dropped EXE
PID:528 -
\??\c:\httthh.exec:\httthh.exe63⤵
- Executes dropped EXE
PID:3616 -
\??\c:\dpjjv.exec:\dpjjv.exe64⤵
- Executes dropped EXE
PID:5656 -
\??\c:\pvvvp.exec:\pvvvp.exe65⤵
- Executes dropped EXE
PID:3668 -
\??\c:\xrxfrfr.exec:\xrxfrfr.exe66⤵PID:4496
-
\??\c:\3rrrllf.exec:\3rrrllf.exe67⤵PID:5168
-
\??\c:\ntbttt.exec:\ntbttt.exe68⤵PID:812
-
\??\c:\dpppj.exec:\dpppj.exe69⤵PID:5212
-
\??\c:\djdjd.exec:\djdjd.exe70⤵PID:5844
-
\??\c:\rlffxxx.exec:\rlffxxx.exe71⤵PID:384
-
\??\c:\hhhbbb.exec:\hhhbbb.exe72⤵PID:1796
-
\??\c:\7bbthh.exec:\7bbthh.exe73⤵PID:2868
-
\??\c:\dpvpp.exec:\dpvpp.exe74⤵PID:3204
-
\??\c:\jdvpd.exec:\jdvpd.exe75⤵PID:3484
-
\??\c:\1rrlfxr.exec:\1rrlfxr.exe76⤵PID:2688
-
\??\c:\9xfxllx.exec:\9xfxllx.exe77⤵PID:2024
-
\??\c:\3hhnhh.exec:\3hhnhh.exe78⤵PID:864
-
\??\c:\hbhbnn.exec:\hbhbnn.exe79⤵PID:2456
-
\??\c:\3vppd.exec:\3vppd.exe80⤵PID:244
-
\??\c:\xffxrll.exec:\xffxrll.exe81⤵PID:5380
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe82⤵PID:5360
-
\??\c:\7nhbbb.exec:\7nhbbb.exe83⤵
- System Location Discovery: System Language Discovery
PID:3584 -
\??\c:\vppjv.exec:\vppjv.exe84⤵PID:2720
-
\??\c:\1ddjd.exec:\1ddjd.exe85⤵PID:5420
-
\??\c:\rxffllr.exec:\rxffllr.exe86⤵PID:5404
-
\??\c:\flxxxxx.exec:\flxxxxx.exe87⤵PID:2272
-
\??\c:\tbbbtt.exec:\tbbbtt.exe88⤵PID:4424
-
\??\c:\9jppv.exec:\9jppv.exe89⤵PID:5304
-
\??\c:\5pjdv.exec:\5pjdv.exe90⤵PID:4172
-
\??\c:\fxrlffx.exec:\fxrlffx.exe91⤵PID:5792
-
\??\c:\xlxrrlr.exec:\xlxrrlr.exe92⤵PID:3212
-
\??\c:\1bbtnn.exec:\1bbtnn.exe93⤵PID:2944
-
\??\c:\tnbthh.exec:\tnbthh.exe94⤵PID:5896
-
\??\c:\7vddj.exec:\7vddj.exe95⤵PID:3216
-
\??\c:\1llfrrl.exec:\1llfrrl.exe96⤵PID:2744
-
\??\c:\rrfrlxf.exec:\rrfrlxf.exe97⤵PID:5632
-
\??\c:\bbbhhh.exec:\bbbhhh.exe98⤵PID:6020
-
\??\c:\ddvvj.exec:\ddvvj.exe99⤵PID:5868
-
\??\c:\xrfffff.exec:\xrfffff.exe100⤵PID:1748
-
\??\c:\lflfxxx.exec:\lflfxxx.exe101⤵PID:748
-
\??\c:\7hbbbb.exec:\7hbbbb.exe102⤵PID:736
-
\??\c:\3vjdj.exec:\3vjdj.exe103⤵PID:6044
-
\??\c:\3xxlfxr.exec:\3xxlfxr.exe104⤵PID:1124
-
\??\c:\lfrlfrl.exec:\lfrlfrl.exe105⤵PID:4592
-
\??\c:\htnhhh.exec:\htnhhh.exe106⤵PID:4528
-
\??\c:\tnnhnn.exec:\tnnhnn.exe107⤵PID:4820
-
\??\c:\vdjvp.exec:\vdjvp.exe108⤵PID:4796
-
\??\c:\hntnnn.exec:\hntnnn.exe109⤵PID:4788
-
\??\c:\3hhhhn.exec:\3hhhhn.exe110⤵PID:6112
-
\??\c:\7vdvd.exec:\7vdvd.exe111⤵PID:5716
-
\??\c:\9djjj.exec:\9djjj.exe112⤵PID:1512
-
\??\c:\5lfxrrl.exec:\5lfxrrl.exe113⤵PID:4580
-
\??\c:\3llflxr.exec:\3llflxr.exe114⤵PID:1668
-
\??\c:\hbnhhn.exec:\hbnhhn.exe115⤵PID:3228
-
\??\c:\hthbhh.exec:\hthbhh.exe116⤵PID:4028
-
\??\c:\jdjjd.exec:\jdjjd.exe117⤵PID:2328
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe118⤵PID:4956
-
\??\c:\3rfflrx.exec:\3rfflrx.exe119⤵PID:5044
-
\??\c:\3nnnhh.exec:\3nnnhh.exe120⤵PID:4992
-
\??\c:\tthhhh.exec:\tthhhh.exe121⤵PID:5092
-
\??\c:\dvvvj.exec:\dvvvj.exe122⤵PID:5232
-