Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 23:27
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
0d020facf2bfe69125543fff52825c68a16671a2201acc3e20c4eb549c20fc92N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
0d020facf2bfe69125543fff52825c68a16671a2201acc3e20c4eb549c20fc92N.exe
-
Size
453KB
-
MD5
6faa190b65fbd925c6ee7b31bc25eba0
-
SHA1
17c96ad75b13b2f54bafa788d6af7ff24ccd659b
-
SHA256
0d020facf2bfe69125543fff52825c68a16671a2201acc3e20c4eb549c20fc92
-
SHA512
e5d3259c9b0c07a8cb2c07f4ebed9b33fff3838a4f7068c4b616105770d98c6196c12fab595eb53143e9c57ccea3912b044eb8030a4551dc97e461fb841507ab
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Note: every hit below is on an in-memory dump of the same image range (0x400000–0x42A000) across the chain of spawned processes, and the same regions also match the UPX rule further down; this suggests the on-disk sample is packed and the family signature fires on the in-memory image. The MD5/SHA1/SHA256 values above therefore identify only this packed build — use the family YARA rule or the behavioral pattern, not the file hashes, to hunt for related samples.
resource yara_rule behavioral2/memory/3652-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3308-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4188-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-947-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-1005-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-1763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Note: this table is keyed on PID alone, and several PIDs are reused within the run (e.g. 4684 for both hhnhnn.exe and nhnttt.exe, 4728 for nthhhn.exe and xlllfxx.exe, 2660, 512 and 3652 also appear twice). Correlate on the process-tree depth or on the memory-dump identifiers (which carry an ordinal) rather than on PID when attributing activity. The dropped names are short random strings drawn from a small alphabet and written to the drive root (c:\), so detection should key on that behavior rather than on any specific filename.
pid Process 4380 tthhnt.exe 4640 pdvjv.exe 4496 ttntnb.exe 3036 dvvpj.exe 4576 bththb.exe 2660 rxrfllr.exe 3244 ttnnbh.exe 1028 ttbttn.exe 2916 1jvpp.exe 2172 vvdvp.exe 4540 bthtbt.exe 4912 flrllrr.exe 4684 hhnhnn.exe 4516 xlffxrx.exe 3892 dppjv.exe 4728 nthhhn.exe 3388 vdjdd.exe 3040 rrrrrff.exe 4172 rrxxlrr.exe 512 bhhhnt.exe 5028 jjvdp.exe 116 tnnnbh.exe 680 lxfrxrx.exe 3880 1jvvv.exe 1996 3bhbbb.exe 2412 rlxrrfl.exe 3488 pvvvd.exe 2348 xllfrrf.exe 1136 ppvvj.exe 3308 vpddd.exe 4600 tbbnhh.exe 4024 thtttb.exe 2028 thhntt.exe 1556 jpvvd.exe 1420 bhnhtt.exe 1052 djvvj.exe 1168 bhbbhn.exe 3772 pvvvd.exe 4700 flrrrrr.exe 3640 ttbbbh.exe 4332 jvpvp.exe 1536 5llrrxx.exe 3020 thnnnb.exe 2708 flfxxfx.exe 5060 rxllflf.exe 1184 ntnhnt.exe 2324 pvjdj.exe 3788 lflrrrr.exe 1244 jjppj.exe 3700 pjppp.exe 4808 lfflfrf.exe 1112 dpvvp.exe 3900 pvvvj.exe 3548 xfflllr.exe 3696 hnbtbh.exe 1896 jjjjj.exe 3192 5dddv.exe 3912 lfrrrff.exe 4684 nhnttt.exe 2036 xrlfxxr.exe 2100 fllllrx.exe 2468 nbnhht.exe 4580 ppvdd.exe 4728 xlllfxx.exe -
resource yara_rule behavioral2/memory/3652-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4600-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4624-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-947-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location; malware commonly uses this check to avoid executing in particular locales. Entries marked "Process not Found" below are ones the sandbox could not attribute to a live process, most likely because the short-lived process had already exited when the IoC was resolved, so per-process attribution for those entries is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Note: each parent writes exactly three times to the child it has just spawned, and every child also appears in the "Executes dropped EXE" list and the process tree. This pattern appears consistent with ordinary creation of the dropped copy by its parent rather than injection into an unrelated process; treat this signature as supporting rather than conclusive evidence of process injection.
description pid Process procid_target PID 3652 wrote to memory of 4380 3652 0d020facf2bfe69125543fff52825c68a16671a2201acc3e20c4eb549c20fc92N.exe 83 PID 3652 wrote to memory of 4380 3652 0d020facf2bfe69125543fff52825c68a16671a2201acc3e20c4eb549c20fc92N.exe 83 PID 3652 wrote to memory of 4380 3652 0d020facf2bfe69125543fff52825c68a16671a2201acc3e20c4eb549c20fc92N.exe 83 PID 4380 wrote to memory of 4640 4380 tthhnt.exe 84 PID 4380 wrote to memory of 4640 4380 tthhnt.exe 84 PID 4380 wrote to memory of 4640 4380 tthhnt.exe 84 PID 4640 wrote to memory of 4496 4640 pdvjv.exe 85 PID 4640 wrote to memory of 4496 4640 pdvjv.exe 85 PID 4640 wrote to memory of 4496 4640 pdvjv.exe 85 PID 4496 wrote to memory of 3036 4496 ttntnb.exe 86 PID 4496 wrote to memory of 3036 4496 ttntnb.exe 86 PID 4496 wrote to memory of 3036 4496 ttntnb.exe 86 PID 3036 wrote to memory of 4576 3036 dvvpj.exe 87 PID 3036 wrote to memory of 4576 3036 dvvpj.exe 87 PID 3036 wrote to memory of 4576 3036 dvvpj.exe 87 PID 4576 wrote to memory of 2660 4576 bththb.exe 88 PID 4576 wrote to memory of 2660 4576 bththb.exe 88 PID 4576 wrote to memory of 2660 4576 bththb.exe 88 PID 2660 wrote to memory of 3244 2660 rxrfllr.exe 89 PID 2660 wrote to memory of 3244 2660 rxrfllr.exe 89 PID 2660 wrote to memory of 3244 2660 rxrfllr.exe 89 PID 3244 wrote to memory of 1028 3244 ttnnbh.exe 90 PID 3244 wrote to memory of 1028 3244 ttnnbh.exe 90 PID 3244 wrote to memory of 1028 3244 ttnnbh.exe 90 PID 1028 wrote to memory of 2916 1028 ttbttn.exe 91 PID 1028 wrote to memory of 2916 1028 ttbttn.exe 91 PID 1028 wrote to memory of 2916 1028 ttbttn.exe 91 PID 2916 wrote to memory of 2172 2916 1jvpp.exe 92 PID 2916 wrote to memory of 2172 2916 1jvpp.exe 92 PID 2916 wrote to memory of 2172 2916 1jvpp.exe 92 PID 2172 wrote to memory of 4540 2172 vvdvp.exe 93 PID 2172 wrote to memory of 4540 2172 vvdvp.exe 93 PID 2172 wrote to memory of 4540 2172 vvdvp.exe 93 PID 4540 wrote to memory of 4912 4540 bthtbt.exe 94 PID 4540 wrote to memory 
of 4912 4540 bthtbt.exe 94 PID 4540 wrote to memory of 4912 4540 bthtbt.exe 94 PID 4912 wrote to memory of 4684 4912 flrllrr.exe 95 PID 4912 wrote to memory of 4684 4912 flrllrr.exe 95 PID 4912 wrote to memory of 4684 4912 flrllrr.exe 95 PID 4684 wrote to memory of 4516 4684 hhnhnn.exe 96 PID 4684 wrote to memory of 4516 4684 hhnhnn.exe 96 PID 4684 wrote to memory of 4516 4684 hhnhnn.exe 96 PID 4516 wrote to memory of 3892 4516 xlffxrx.exe 97 PID 4516 wrote to memory of 3892 4516 xlffxrx.exe 97 PID 4516 wrote to memory of 3892 4516 xlffxrx.exe 97 PID 3892 wrote to memory of 4728 3892 dppjv.exe 98 PID 3892 wrote to memory of 4728 3892 dppjv.exe 98 PID 3892 wrote to memory of 4728 3892 dppjv.exe 98 PID 4728 wrote to memory of 3388 4728 nthhhn.exe 99 PID 4728 wrote to memory of 3388 4728 nthhhn.exe 99 PID 4728 wrote to memory of 3388 4728 nthhhn.exe 99 PID 3388 wrote to memory of 3040 3388 vdjdd.exe 100 PID 3388 wrote to memory of 3040 3388 vdjdd.exe 100 PID 3388 wrote to memory of 3040 3388 vdjdd.exe 100 PID 3040 wrote to memory of 4172 3040 rrrrrff.exe 101 PID 3040 wrote to memory of 4172 3040 rrrrrff.exe 101 PID 3040 wrote to memory of 4172 3040 rrrrrff.exe 101 PID 4172 wrote to memory of 512 4172 rrxxlrr.exe 102 PID 4172 wrote to memory of 512 4172 rrxxlrr.exe 102 PID 4172 wrote to memory of 512 4172 rrxxlrr.exe 102 PID 512 wrote to memory of 5028 512 bhhhnt.exe 103 PID 512 wrote to memory of 5028 512 bhhhnt.exe 103 PID 512 wrote to memory of 5028 512 bhhhnt.exe 103 PID 5028 wrote to memory of 116 5028 jjvdp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d020facf2bfe69125543fff52825c68a16671a2201acc3e20c4eb549c20fc92N.exe"C:\Users\Admin\AppData\Local\Temp\0d020facf2bfe69125543fff52825c68a16671a2201acc3e20c4eb549c20fc92N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\tthhnt.exec:\tthhnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\pdvjv.exec:\pdvjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\ttntnb.exec:\ttntnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\dvvpj.exec:\dvvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\bththb.exec:\bththb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\rxrfllr.exec:\rxrfllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\ttnnbh.exec:\ttnnbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\ttbttn.exec:\ttbttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\1jvpp.exec:\1jvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\vvdvp.exec:\vvdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\bthtbt.exec:\bthtbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\flrllrr.exec:\flrllrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\hhnhnn.exec:\hhnhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\xlffxrx.exec:\xlffxrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\dppjv.exec:\dppjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\nthhhn.exec:\nthhhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\vdjdd.exec:\vdjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\rrrrrff.exec:\rrrrrff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\rrxxlrr.exec:\rrxxlrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\bhhhnt.exec:\bhhhnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\jjvdp.exec:\jjvdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\tnnnbh.exec:\tnnnbh.exe23⤵
- Executes dropped EXE
PID:116 -
\??\c:\lxfrxrx.exec:\lxfrxrx.exe24⤵
- Executes dropped EXE
PID:680 -
\??\c:\1jvvv.exec:\1jvvv.exe25⤵
- Executes dropped EXE
PID:3880 -
\??\c:\3bhbbb.exec:\3bhbbb.exe26⤵
- Executes dropped EXE
PID:1996 -
\??\c:\rlxrrfl.exec:\rlxrrfl.exe27⤵
- Executes dropped EXE
PID:2412 -
\??\c:\pvvvd.exec:\pvvvd.exe28⤵
- Executes dropped EXE
PID:3488 -
\??\c:\xllfrrf.exec:\xllfrrf.exe29⤵
- Executes dropped EXE
PID:2348 -
\??\c:\ppvvj.exec:\ppvvj.exe30⤵
- Executes dropped EXE
PID:1136 -
\??\c:\vpddd.exec:\vpddd.exe31⤵
- Executes dropped EXE
PID:3308 -
\??\c:\tbbnhh.exec:\tbbnhh.exe32⤵
- Executes dropped EXE
PID:4600 -
\??\c:\thtttb.exec:\thtttb.exe33⤵
- Executes dropped EXE
PID:4024 -
\??\c:\thhntt.exec:\thhntt.exe34⤵
- Executes dropped EXE
PID:2028 -
\??\c:\jpvvd.exec:\jpvvd.exe35⤵
- Executes dropped EXE
PID:1556 -
\??\c:\bhnhtt.exec:\bhnhtt.exe36⤵
- Executes dropped EXE
PID:1420 -
\??\c:\djvvj.exec:\djvvj.exe37⤵
- Executes dropped EXE
PID:1052 -
\??\c:\bhbbhn.exec:\bhbbhn.exe38⤵
- Executes dropped EXE
PID:1168 -
\??\c:\pvvvd.exec:\pvvvd.exe39⤵
- Executes dropped EXE
PID:3772 -
\??\c:\3ffrxff.exec:\3ffrxff.exe40⤵PID:4472
-
\??\c:\flrrrrr.exec:\flrrrrr.exe41⤵
- Executes dropped EXE
PID:4700 -
\??\c:\ttbbbh.exec:\ttbbbh.exe42⤵
- Executes dropped EXE
PID:3640 -
\??\c:\jvpvp.exec:\jvpvp.exe43⤵
- Executes dropped EXE
PID:4332 -
\??\c:\5llrrxx.exec:\5llrrxx.exe44⤵
- Executes dropped EXE
PID:1536 -
\??\c:\thnnnb.exec:\thnnnb.exe45⤵
- Executes dropped EXE
PID:3020 -
\??\c:\flfxxfx.exec:\flfxxfx.exe46⤵
- Executes dropped EXE
PID:2708 -
\??\c:\rxllflf.exec:\rxllflf.exe47⤵
- Executes dropped EXE
PID:5060 -
\??\c:\ntnhnt.exec:\ntnhnt.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1184 -
\??\c:\pvjdj.exec:\pvjdj.exe49⤵
- Executes dropped EXE
PID:2324 -
\??\c:\lflrrrr.exec:\lflrrrr.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3788 -
\??\c:\jjppj.exec:\jjppj.exe51⤵
- Executes dropped EXE
PID:1244 -
\??\c:\pjppp.exec:\pjppp.exe52⤵
- Executes dropped EXE
PID:3700 -
\??\c:\lfflfrf.exec:\lfflfrf.exe53⤵
- Executes dropped EXE
PID:4808 -
\??\c:\dpvvp.exec:\dpvvp.exe54⤵
- Executes dropped EXE
PID:1112 -
\??\c:\pvvvj.exec:\pvvvj.exe55⤵
- Executes dropped EXE
PID:3900 -
\??\c:\xfflllr.exec:\xfflllr.exe56⤵
- Executes dropped EXE
PID:3548 -
\??\c:\hnbtbh.exec:\hnbtbh.exe57⤵
- Executes dropped EXE
PID:3696 -
\??\c:\jjjjj.exec:\jjjjj.exe58⤵
- Executes dropped EXE
PID:1896 -
\??\c:\5dddv.exec:\5dddv.exe59⤵
- Executes dropped EXE
PID:3192 -
\??\c:\lfrrrff.exec:\lfrrrff.exe60⤵
- Executes dropped EXE
PID:3912 -
\??\c:\nhnttt.exec:\nhnttt.exe61⤵
- Executes dropped EXE
PID:4684 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe62⤵
- Executes dropped EXE
PID:2036 -
\??\c:\fllllrx.exec:\fllllrx.exe63⤵
- Executes dropped EXE
PID:2100 -
\??\c:\nbnhht.exec:\nbnhht.exe64⤵
- Executes dropped EXE
PID:2468 -
\??\c:\ppvdd.exec:\ppvdd.exe65⤵
- Executes dropped EXE
PID:4580 -
\??\c:\xlllfxx.exec:\xlllfxx.exe66⤵
- Executes dropped EXE
PID:4728 -
\??\c:\ntbbtb.exec:\ntbbtb.exe67⤵PID:4880
-
\??\c:\bttnhb.exec:\bttnhb.exe68⤵PID:1172
-
\??\c:\jjvvv.exec:\jjvvv.exe69⤵PID:696
-
\??\c:\xrlllrr.exec:\xrlllrr.exe70⤵PID:628
-
\??\c:\tbnnnn.exec:\tbnnnn.exe71⤵PID:4188
-
\??\c:\jdjpj.exec:\jdjpj.exe72⤵PID:3500
-
\??\c:\fxrfxrx.exec:\fxrfxrx.exe73⤵PID:3220
-
\??\c:\ttbbtb.exec:\ttbbtb.exe74⤵PID:512
-
\??\c:\7dppp.exec:\7dppp.exe75⤵PID:3916
-
\??\c:\rflfxlx.exec:\rflfxlx.exe76⤵PID:2376
-
\??\c:\3xlllrr.exec:\3xlllrr.exe77⤵PID:3228
-
\??\c:\tbtttb.exec:\tbtttb.exe78⤵PID:4160
-
\??\c:\3jppd.exec:\3jppd.exe79⤵PID:1804
-
\??\c:\lxxxfff.exec:\lxxxfff.exe80⤵PID:2728
-
\??\c:\rrlxxfx.exec:\rrlxxfx.exe81⤵PID:640
-
\??\c:\9hbhhh.exec:\9hbhhh.exe82⤵PID:2560
-
\??\c:\ppvvv.exec:\ppvvv.exe83⤵PID:3288
-
\??\c:\1xfflrr.exec:\1xfflrr.exe84⤵PID:2412
-
\??\c:\fflllrr.exec:\fflllrr.exe85⤵PID:3776
-
\??\c:\bnnnnt.exec:\bnnnnt.exe86⤵PID:2388
-
\??\c:\vpddj.exec:\vpddj.exe87⤵PID:768
-
\??\c:\fxffrrl.exec:\fxffrrl.exe88⤵PID:1080
-
\??\c:\xrfllrr.exec:\xrfllrr.exe89⤵PID:4780
-
\??\c:\1hnttt.exec:\1hnttt.exe90⤵PID:3232
-
\??\c:\5vvvp.exec:\5vvvp.exe91⤵PID:376
-
\??\c:\7xffxff.exec:\7xffxff.exe92⤵PID:812
-
\??\c:\7ntttb.exec:\7ntttb.exe93⤵PID:4488
-
\??\c:\bnhhhn.exec:\bnhhhn.exe94⤵PID:1976
-
\??\c:\jjddd.exec:\jjddd.exe95⤵PID:3688
-
\??\c:\rxffxxx.exec:\rxffxxx.exe96⤵PID:3504
-
\??\c:\nntttt.exec:\nntttt.exe97⤵PID:1556
-
\??\c:\vjpdj.exec:\vjpdj.exe98⤵PID:464
-
\??\c:\flllfxr.exec:\flllfxr.exe99⤵PID:2280
-
\??\c:\xfffxxx.exec:\xfffxxx.exe100⤵PID:4356
-
\??\c:\nbnnbh.exec:\nbnnbh.exe101⤵PID:4364
-
\??\c:\vvdvd.exec:\vvdvd.exe102⤵PID:3652
-
\??\c:\9flllrr.exec:\9flllrr.exe103⤵PID:4624
-
\??\c:\3tbbbn.exec:\3tbbbn.exe104⤵PID:4536
-
\??\c:\btnttn.exec:\btnttn.exe105⤵PID:2032
-
\??\c:\jdpjj.exec:\jdpjj.exe106⤵PID:4496
-
\??\c:\rllxrlf.exec:\rllxrlf.exe107⤵PID:3716
-
\??\c:\tttnbt.exec:\tttnbt.exe108⤵PID:2284
-
\??\c:\dvvpp.exec:\dvvpp.exe109⤵PID:436
-
\??\c:\ffrrxrx.exec:\ffrrxrx.exe110⤵PID:1816
-
\??\c:\llxrrrr.exec:\llxrrrr.exe111⤵PID:1472
-
\??\c:\nnbnht.exec:\nnbnht.exe112⤵PID:4572
-
\??\c:\jpddp.exec:\jpddp.exe113⤵PID:3208
-
\??\c:\vvvvd.exec:\vvvvd.exe114⤵PID:4512
-
\??\c:\7xxxxff.exec:\7xxxxff.exe115⤵PID:3788
-
\??\c:\thnbhb.exec:\thnbhb.exe116⤵PID:4460
-
\??\c:\3djjj.exec:\3djjj.exe117⤵PID:1964
-
\??\c:\xlllrrx.exec:\xlllrrx.exe118⤵PID:1312
-
\??\c:\llrrrxx.exec:\llrrrxx.exe119⤵PID:3296
-
\??\c:\bhttbh.exec:\bhttbh.exe120⤵PID:1444
-
\??\c:\jpddd.exec:\jpddd.exe121⤵PID:3792
-
\??\c:\djpdd.exec:\djpdd.exe122⤵PID:2572