Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20/11/2024, 02:38
Behavioral task
behavioral1
Sample
acc08a9c40953c262b16ad1b384e534a75ba6c7d7eb14eddb1659104560f8b3f.exe
Resource
win7-20240903-en
7 signatures
150 seconds (note: this task card describes behavioral1 on the win7-20240903-en image, but the signature, memory-dump and process-tree data in the sections below are labelled behavioral2 and the platform/resource fields above name the win10v2004-20241007-en image; the win7 task's own results do not appear in the sections below)
General
-
Target
acc08a9c40953c262b16ad1b384e534a75ba6c7d7eb14eddb1659104560f8b3f.exe
-
Size
331KB
-
MD5
42f24dd1c305704235a74a4c0f73cf17
-
SHA1
9e81cc8e147533bb05fb9ac99f7820f507430246
-
SHA256
acc08a9c40953c262b16ad1b384e534a75ba6c7d7eb14eddb1659104560f8b3f
-
SHA512
991b16e9dc2061cd567884aaebc3218d940ff7188db95632eeb2762d363117372be88e9f16be8d28d4615131e0ce78463748b79f9a08c2f4a4d8689ccf9f5759
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbex:R4wFHoSHYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every memory match below covers the same 0x0000000000400000-0x0000000000427000 image range, consistent with each dropped EXE being a copy of one payload; PIDs recur during the run — e.g. 4736 and 3280 each appear twice at different offsets — so a PID alone does not identify a unique process in these dump names)
resource yara_rule behavioral2/memory/4164-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1004-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/368-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1804-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1580-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4648-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3780-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2100-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1460-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2476-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4340-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/920-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4392-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3676-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/448-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4460-618-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-625-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-632-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-657-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-668-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4896 ththth.exe 3612 1pdpd.exe 2656 nbntnb.exe 2360 dpjjv.exe 2588 fflrrff.exe 3600 thhbtb.exe 3964 djjvd.exe 464 hnnbbt.exe 1004 vpvvd.exe 756 nbthtn.exe 932 vjpdv.exe 4468 xrfffff.exe 1592 pddpj.exe 2004 flxrfxr.exe 4060 bbtnbb.exe 3888 rxrlxrl.exe 4776 lfxxlfx.exe 2300 lxfllrr.exe 368 tthnth.exe 4112 vvvvd.exe 1456 rlrrrrr.exe 4736 ttbhnn.exe 3336 vvvjd.exe 4956 lrrfrlx.exe 208 ddjdp.exe 1804 ffrxxll.exe 4892 hthnbt.exe 1064 djpjv.exe 1580 nbhtnh.exe 2012 djjjv.exe 4660 thbntn.exe 4648 jvjvd.exe 1320 flrfxrl.exe 3784 thhbnh.exe 3616 jvvpp.exe 1260 jdjdv.exe 4904 rrrflff.exe 4792 bhtntn.exe 4548 pjddj.exe 2716 jdvvd.exe 692 xrxrlfx.exe 5108 bbnnbh.exe 1584 dpjdv.exe 1448 lrlrxfl.exe 3780 bnhhnb.exe 1700 htbnnt.exe 2632 vvppp.exe 3996 nthhhn.exe 2020 pvjjp.exe 4008 5fllrff.exe 2276 3rlxlrr.exe 2100 hnhnnh.exe 2912 ddddj.exe 3260 rlrrlrx.exe 3160 hhtbnn.exe 3992 vdjdd.exe 1988 1rfxrxx.exe 1460 btbtnt.exe 2292 1dvvp.exe 3688 frfrlll.exe 2832 lrflllr.exe 2476 tnnhbb.exe 4252 3jddd.exe 2872 xrxrrrr.exe -
resource yara_rule behavioral2/memory/4164-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bac-3.dat upx behavioral2/memory/4164-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c84-8.dat upx behavioral2/memory/4896-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-11.dat upx behavioral2/memory/2656-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3612-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-20.dat upx behavioral2/files/0x0007000000023c8c-23.dat upx behavioral2/memory/2360-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-28.dat upx behavioral2/memory/2588-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-33.dat upx behavioral2/memory/3600-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-38.dat upx behavioral2/files/0x0007000000023c91-42.dat upx behavioral2/memory/464-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-47.dat upx behavioral2/memory/1004-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-52.dat upx behavioral2/files/0x0007000000023c94-56.dat upx behavioral2/files/0x0007000000023c95-60.dat upx behavioral2/files/0x0007000000023c96-64.dat upx behavioral2/memory/2004-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-70.dat upx behavioral2/memory/1592-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3888-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-75.dat upx behavioral2/files/0x0008000000023c87-80.dat upx behavioral2/memory/3964-82-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3888-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-85.dat upx behavioral2/memory/4776-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-90.dat upx behavioral2/memory/2300-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-95.dat upx behavioral2/memory/368-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-100.dat upx behavioral2/memory/4112-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-105.dat upx behavioral2/files/0x0007000000023c9e-109.dat upx behavioral2/memory/3336-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4736-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-115.dat upx behavioral2/memory/4956-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-121.dat upx behavioral2/files/0x0007000000023ca2-125.dat upx behavioral2/files/0x0007000000023ca3-129.dat upx behavioral2/memory/1804-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-133.dat upx behavioral2/files/0x0007000000023ca5-139.dat upx behavioral2/memory/1580-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1064-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-144.dat upx behavioral2/memory/2012-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-149.dat upx behavioral2/files/0x0007000000023ca8-152.dat upx behavioral2/memory/4660-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4648-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1320-158-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3616-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2716-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5108-181-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The entries below only show that the NLS\Language key was opened; whether the returned value gated execution (for example a locale-based kill switch) cannot be determined from this report. The many "Process not Found" rows are presumably short-lived dropped EXEs that had already exited before the sandbox resolved their PIDs — verify against the process tree.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each entry shows a parent writing into the child it has just spawned, in the same strict parent→child chain as the process tree below; no write into a pre-existing or system process is visible here, so this is consistent with process start-up rather than injection into foreign processes — confirm against the full event log)
description pid Process procid_target PID 4164 wrote to memory of 4896 4164 acc08a9c40953c262b16ad1b384e534a75ba6c7d7eb14eddb1659104560f8b3f.exe 83 PID 4164 wrote to memory of 4896 4164 acc08a9c40953c262b16ad1b384e534a75ba6c7d7eb14eddb1659104560f8b3f.exe 83 PID 4164 wrote to memory of 4896 4164 acc08a9c40953c262b16ad1b384e534a75ba6c7d7eb14eddb1659104560f8b3f.exe 83 PID 4896 wrote to memory of 3612 4896 ththth.exe 84 PID 4896 wrote to memory of 3612 4896 ththth.exe 84 PID 4896 wrote to memory of 3612 4896 ththth.exe 84 PID 3612 wrote to memory of 2656 3612 1pdpd.exe 85 PID 3612 wrote to memory of 2656 3612 1pdpd.exe 85 PID 3612 wrote to memory of 2656 3612 1pdpd.exe 85 PID 2656 wrote to memory of 2360 2656 nbntnb.exe 86 PID 2656 wrote to memory of 2360 2656 nbntnb.exe 86 PID 2656 wrote to memory of 2360 2656 nbntnb.exe 86 PID 2360 wrote to memory of 2588 2360 dpjjv.exe 87 PID 2360 wrote to memory of 2588 2360 dpjjv.exe 87 PID 2360 wrote to memory of 2588 2360 dpjjv.exe 87 PID 2588 wrote to memory of 3600 2588 fflrrff.exe 88 PID 2588 wrote to memory of 3600 2588 fflrrff.exe 88 PID 2588 wrote to memory of 3600 2588 fflrrff.exe 88 PID 3600 wrote to memory of 3964 3600 thhbtb.exe 89 PID 3600 wrote to memory of 3964 3600 thhbtb.exe 89 PID 3600 wrote to memory of 3964 3600 thhbtb.exe 89 PID 3964 wrote to memory of 464 3964 djjvd.exe 90 PID 3964 wrote to memory of 464 3964 djjvd.exe 90 PID 3964 wrote to memory of 464 3964 djjvd.exe 90 PID 464 wrote to memory of 1004 464 hnnbbt.exe 91 PID 464 wrote to memory of 1004 464 hnnbbt.exe 91 PID 464 wrote to memory of 1004 464 hnnbbt.exe 91 PID 1004 wrote to memory of 756 1004 vpvvd.exe 92 PID 1004 wrote to memory of 756 1004 vpvvd.exe 92 PID 1004 wrote to memory of 756 1004 vpvvd.exe 92 PID 756 wrote to memory of 932 756 nbthtn.exe 94 PID 756 wrote to memory of 932 756 nbthtn.exe 94 PID 756 wrote to memory of 932 756 nbthtn.exe 94 PID 932 wrote to memory of 4468 932 vjpdv.exe 95 PID 932 wrote to memory of 4468 932 vjpdv.exe 95 PID 
932 wrote to memory of 4468 932 vjpdv.exe 95 PID 4468 wrote to memory of 1592 4468 xrfffff.exe 96 PID 4468 wrote to memory of 1592 4468 xrfffff.exe 96 PID 4468 wrote to memory of 1592 4468 xrfffff.exe 96 PID 1592 wrote to memory of 2004 1592 pddpj.exe 97 PID 1592 wrote to memory of 2004 1592 pddpj.exe 97 PID 1592 wrote to memory of 2004 1592 pddpj.exe 97 PID 2004 wrote to memory of 4060 2004 flxrfxr.exe 98 PID 2004 wrote to memory of 4060 2004 flxrfxr.exe 98 PID 2004 wrote to memory of 4060 2004 flxrfxr.exe 98 PID 4060 wrote to memory of 3888 4060 bbtnbb.exe 100 PID 4060 wrote to memory of 3888 4060 bbtnbb.exe 100 PID 4060 wrote to memory of 3888 4060 bbtnbb.exe 100 PID 3888 wrote to memory of 4776 3888 rxrlxrl.exe 101 PID 3888 wrote to memory of 4776 3888 rxrlxrl.exe 101 PID 3888 wrote to memory of 4776 3888 rxrlxrl.exe 101 PID 4776 wrote to memory of 2300 4776 lfxxlfx.exe 102 PID 4776 wrote to memory of 2300 4776 lfxxlfx.exe 102 PID 4776 wrote to memory of 2300 4776 lfxxlfx.exe 102 PID 2300 wrote to memory of 368 2300 lxfllrr.exe 104 PID 2300 wrote to memory of 368 2300 lxfllrr.exe 104 PID 2300 wrote to memory of 368 2300 lxfllrr.exe 104 PID 368 wrote to memory of 4112 368 tthnth.exe 105 PID 368 wrote to memory of 4112 368 tthnth.exe 105 PID 368 wrote to memory of 4112 368 tthnth.exe 105 PID 4112 wrote to memory of 1456 4112 vvvvd.exe 106 PID 4112 wrote to memory of 1456 4112 vvvvd.exe 106 PID 4112 wrote to memory of 1456 4112 vvvvd.exe 106 PID 1456 wrote to memory of 4736 1456 rlrrrrr.exe 107
Processes (each entry below is rendered as: image path, then the command line, then the nesting depth in the tree; every dropped EXE is written to and run from the root of c:\ under a short name built from the letters b/d/f/h/j/l/n/p/r/t/v/x with an optional digit prefix, which is a usable hunting indicator; note PID reuse across the run — e.g. 4736 at depth 23 and 84, and 4164, the original sample's PID, reappearing at depth 111 — so the original sample process had already exited by then)
-
C:\Users\Admin\AppData\Local\Temp\acc08a9c40953c262b16ad1b384e534a75ba6c7d7eb14eddb1659104560f8b3f.exe — command line: "C:\Users\Admin\AppData\Local\Temp\acc08a9c40953c262b16ad1b384e534a75ba6c7d7eb14eddb1659104560f8b3f.exe" — depth 1
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\ththth.exec:\ththth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\1pdpd.exec:\1pdpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\nbntnb.exec:\nbntnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\dpjjv.exec:\dpjjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\fflrrff.exec:\fflrrff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\thhbtb.exec:\thhbtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\djjvd.exec:\djjvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\hnnbbt.exec:\hnnbbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\vpvvd.exec:\vpvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\nbthtn.exec:\nbthtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\vjpdv.exec:\vjpdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\xrfffff.exec:\xrfffff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\pddpj.exec:\pddpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\flxrfxr.exec:\flxrfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\bbtnbb.exec:\bbtnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\rxrlxrl.exec:\rxrlxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\lfxxlfx.exec:\lfxxlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\lxfllrr.exec:\lxfllrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\tthnth.exec:\tthnth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\vvvvd.exec:\vvvvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\rlrrrrr.exec:\rlrrrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\ttbhnn.exec:\ttbhnn.exe23⤵
- Executes dropped EXE
PID:4736 -
\??\c:\vvvjd.exec:\vvvjd.exe24⤵
- Executes dropped EXE
PID:3336 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe25⤵
- Executes dropped EXE
PID:4956 -
\??\c:\ddjdp.exec:\ddjdp.exe26⤵
- Executes dropped EXE
PID:208 -
\??\c:\ffrxxll.exec:\ffrxxll.exe27⤵
- Executes dropped EXE
PID:1804 -
\??\c:\hthnbt.exec:\hthnbt.exe28⤵
- Executes dropped EXE
PID:4892 -
\??\c:\djpjv.exec:\djpjv.exe29⤵
- Executes dropped EXE
PID:1064 -
\??\c:\nbhtnh.exec:\nbhtnh.exe30⤵
- Executes dropped EXE
PID:1580 -
\??\c:\djjjv.exec:\djjjv.exe31⤵
- Executes dropped EXE
PID:2012 -
\??\c:\thbntn.exec:\thbntn.exe32⤵
- Executes dropped EXE
PID:4660 -
\??\c:\jvjvd.exec:\jvjvd.exe33⤵
- Executes dropped EXE
PID:4648 -
\??\c:\flrfxrl.exec:\flrfxrl.exe34⤵
- Executes dropped EXE
PID:1320 -
\??\c:\thhbnh.exec:\thhbnh.exe35⤵
- Executes dropped EXE
PID:3784 -
\??\c:\jvvpp.exec:\jvvpp.exe36⤵
- Executes dropped EXE
PID:3616 -
\??\c:\jdjdv.exec:\jdjdv.exe37⤵
- Executes dropped EXE
PID:1260 -
\??\c:\rrrflff.exec:\rrrflff.exe38⤵
- Executes dropped EXE
PID:4904 -
\??\c:\bhtntn.exec:\bhtntn.exe39⤵
- Executes dropped EXE
PID:4792 -
\??\c:\pjddj.exec:\pjddj.exe40⤵
- Executes dropped EXE
PID:4548 -
\??\c:\jdvvd.exec:\jdvvd.exe41⤵
- Executes dropped EXE
PID:2716 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe42⤵
- Executes dropped EXE
PID:692 -
\??\c:\bbnnbh.exec:\bbnnbh.exe43⤵
- Executes dropped EXE
PID:5108 -
\??\c:\dpjdv.exec:\dpjdv.exe44⤵
- Executes dropped EXE
PID:1584 -
\??\c:\lrlrxfl.exec:\lrlrxfl.exe45⤵
- Executes dropped EXE
PID:1448 -
\??\c:\bnhhnb.exec:\bnhhnb.exe46⤵
- Executes dropped EXE
PID:3780 -
\??\c:\htbnnt.exec:\htbnnt.exe47⤵
- Executes dropped EXE
PID:1700 -
\??\c:\vvppp.exec:\vvppp.exe48⤵
- Executes dropped EXE
PID:2632 -
\??\c:\rrlfrrf.exec:\rrlfrrf.exe49⤵PID:3900
-
\??\c:\nthhhn.exec:\nthhhn.exe50⤵
- Executes dropped EXE
PID:3996 -
\??\c:\pvjjp.exec:\pvjjp.exe51⤵
- Executes dropped EXE
PID:2020 -
\??\c:\5fllrff.exec:\5fllrff.exe52⤵
- Executes dropped EXE
PID:4008 -
\??\c:\3rlxlrr.exec:\3rlxlrr.exe53⤵
- Executes dropped EXE
PID:2276 -
\??\c:\hnhnnh.exec:\hnhnnh.exe54⤵
- Executes dropped EXE
PID:2100 -
\??\c:\ddddj.exec:\ddddj.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
\??\c:\rlrrlrx.exec:\rlrrlrx.exe56⤵
- Executes dropped EXE
PID:3260 -
\??\c:\hhtbnn.exec:\hhtbnn.exe57⤵
- Executes dropped EXE
PID:3160 -
\??\c:\vdjdd.exec:\vdjdd.exe58⤵
- Executes dropped EXE
PID:3992 -
\??\c:\1rfxrxx.exec:\1rfxrxx.exe59⤵
- Executes dropped EXE
PID:1988 -
\??\c:\btbtnt.exec:\btbtnt.exe60⤵
- Executes dropped EXE
PID:1460 -
\??\c:\1dvvp.exec:\1dvvp.exe61⤵
- Executes dropped EXE
PID:2292 -
\??\c:\frfrlll.exec:\frfrlll.exe62⤵
- Executes dropped EXE
PID:3688 -
\??\c:\lrflllr.exec:\lrflllr.exe63⤵
- Executes dropped EXE
PID:2832 -
\??\c:\tnnhbb.exec:\tnnhbb.exe64⤵
- Executes dropped EXE
PID:2476 -
\??\c:\3jddd.exec:\3jddd.exe65⤵
- Executes dropped EXE
PID:4252 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe66⤵
- Executes dropped EXE
PID:2872 -
\??\c:\1thhhn.exec:\1thhhn.exe67⤵PID:968
-
\??\c:\htbbbn.exec:\htbbbn.exe68⤵PID:4864
-
\??\c:\jdvpp.exec:\jdvpp.exe69⤵PID:4340
-
\??\c:\xxrrllx.exec:\xxrrllx.exe70⤵PID:5016
-
\??\c:\3thbnn.exec:\3thbnn.exe71⤵PID:3088
-
\??\c:\vddvv.exec:\vddvv.exe72⤵PID:3420
-
\??\c:\flxllll.exec:\flxllll.exe73⤵PID:1444
-
\??\c:\hnnnnt.exec:\hnnnnt.exe74⤵PID:3196
-
\??\c:\hnhtnh.exec:\hnhtnh.exe75⤵PID:2180
-
\??\c:\vjjdj.exec:\vjjdj.exe76⤵PID:3856
-
\??\c:\llffffx.exec:\llffffx.exe77⤵PID:2824
-
\??\c:\fxrrlrr.exec:\fxrrlrr.exe78⤵PID:2880
-
\??\c:\hbhbnh.exec:\hbhbnh.exe79⤵PID:2836
-
\??\c:\pddjd.exec:\pddjd.exe80⤵PID:1940
-
\??\c:\lfrxlfx.exec:\lfrxlfx.exe81⤵PID:3028
-
\??\c:\hnbnhb.exec:\hnbnhb.exe82⤵PID:3476
-
\??\c:\ppppp.exec:\ppppp.exe83⤵PID:4736
-
\??\c:\3rxrlrl.exec:\3rxrlrl.exe84⤵PID:748
-
\??\c:\fxxxxff.exec:\fxxxxff.exe85⤵PID:3708
-
\??\c:\bnbnnt.exec:\bnbnnt.exe86⤵PID:4564
-
\??\c:\dvppp.exec:\dvppp.exe87⤵PID:980
-
\??\c:\rfffxxr.exec:\rfffxxr.exe88⤵PID:2372
-
\??\c:\thhbnt.exec:\thhbnt.exe89⤵PID:2944
-
\??\c:\ppvjj.exec:\ppvjj.exe90⤵PID:4808
-
\??\c:\pjpvv.exec:\pjpvv.exe91⤵PID:1600
-
\??\c:\rflfxxf.exec:\rflfxxf.exe92⤵PID:1924
-
\??\c:\nhbtht.exec:\nhbtht.exe93⤵PID:1972
-
\??\c:\bttnnb.exec:\bttnnb.exe94⤵PID:1656
-
\??\c:\vdvvj.exec:\vdvvj.exe95⤵PID:920
-
\??\c:\xxlfrrf.exec:\xxlfrrf.exe96⤵PID:1320
-
\??\c:\frrfrrl.exec:\frrfrrl.exe97⤵PID:1292
-
\??\c:\bhhtht.exec:\bhhtht.exe98⤵PID:1208
-
\??\c:\vpppv.exec:\vpppv.exe99⤵PID:1260
-
\??\c:\rfllfrr.exec:\rfllfrr.exe100⤵PID:1728
-
\??\c:\fxxxxlf.exec:\fxxxxlf.exe101⤵PID:4724
-
\??\c:\hbtbnh.exec:\hbtbnh.exe102⤵PID:3516
-
\??\c:\vdvjv.exec:\vdvjv.exe103⤵PID:3280
-
\??\c:\lflrlfl.exec:\lflrlfl.exe104⤵PID:2432
-
\??\c:\lxxlxxr.exec:\lxxlxxr.exe105⤵PID:4392
-
\??\c:\tntttt.exec:\tntttt.exe106⤵PID:3032
-
\??\c:\vdjdv.exec:\vdjdv.exe107⤵PID:4812
-
\??\c:\pjjdd.exec:\pjjdd.exe108⤵PID:4144
-
\??\c:\lllrlrl.exec:\lllrlrl.exe109⤵PID:4436
-
\??\c:\thbhbb.exec:\thbhbb.exe110⤵PID:4972
-
\??\c:\pjpjv.exec:\pjpjv.exe111⤵PID:4164
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe112⤵PID:3676
-
\??\c:\nhtttt.exec:\nhtttt.exe113⤵PID:4212
-
\??\c:\ddjjp.exec:\ddjjp.exe114⤵PID:400
-
\??\c:\jpvpp.exec:\jpvpp.exe115⤵PID:2728
-
\??\c:\5xrxffx.exec:\5xrxffx.exe116⤵PID:1028
-
\??\c:\bthttb.exec:\bthttb.exe117⤵PID:64
-
\??\c:\9bbttt.exec:\9bbttt.exe118⤵PID:1364
-
\??\c:\pddvv.exec:\pddvv.exe119⤵PID:1460
-
\??\c:\lrlxrll.exec:\lrlxrll.exe120⤵PID:2292
-
\??\c:\tthhbt.exec:\tthhbt.exe121⤵PID:3688
-
\??\c:\jjjjv.exec:\jjjjv.exe122⤵PID:2476
-