Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 00:51
Behavioral task
behavioral1
Sample
1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe
-
Size
332KB
-
MD5
246a5c7ee9e210bece204aaffc95b6ce
-
SHA1
2e78dd70dd639ec3cdb63f0ac28f2350aebd7c75
-
SHA256
1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026
-
SHA512
c186d7d09e75aea0910322ad10db819e11b25585093bc74f2368b15cd70c7c66f9f29cfbef4dd33a1b1746188535fe280c2272dc623e466ab644967379f2ccbe
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbex:R4wFHoSHYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3084-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3504-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2420-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3896-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2528-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1136-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1664-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2984-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1660-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3772-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3324-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3344-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2092-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/652-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1256-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1700-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4232-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2092-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2132-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/952-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2776-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-538-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-591-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/888-622-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/740-753-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2800-902-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3504 pdpjp.exe 2420 5ffxlll.exe 4728 thtttt.exe 4396 xffxrrl.exe 3896 1vvpj.exe 3668 nttnhn.exe 4844 vpvvv.exe 5028 lrxlffx.exe 1604 tbbtnh.exe 3700 hhhnhn.exe 1724 bbtnhh.exe 4992 7dpjp.exe 3816 nhbthb.exe 2528 pjdpj.exe 1900 1rrlrrl.exe 216 bhhttn.exe 3520 djppp.exe 3484 lxfxfrf.exe 1136 tnhhbb.exe 884 vppjv.exe 1664 nnthnt.exe 2984 ddddv.exe 1660 lxrxfrx.exe 2976 tnnbtn.exe 3772 1vvvj.exe 1348 bthbbt.exe 212 7bhbtb.exe 812 rrxxrll.exe 4156 bttthb.exe 3324 jdvjv.exe 4520 3hhhbt.exe 1500 tthbnh.exe 2564 dvpdv.exe 3344 frxllxf.exe 3316 3btnnn.exe 4088 tnhbtn.exe 4972 3djdp.exe 3172 5nhbtt.exe 4568 pdpvp.exe 1072 lflfrll.exe 5044 lrxrrrr.exe 2092 hbbtnn.exe 3412 ppvjd.exe 652 rxfrxll.exe 1316 xlrlrxl.exe 5112 thnhhb.exe 792 vvddv.exe 3208 pjpdp.exe 2400 xlxrrrl.exe 4316 ntbnbn.exe 4420 pvvdv.exe 3432 xlflrlr.exe 2676 fxrlfxl.exe 4968 htttht.exe 1256 jpdpd.exe 4976 rffxxrl.exe 2072 hbbnhb.exe 4396 nhbnhb.exe 4904 dddpj.exe 1700 xxrfrlf.exe 3668 9rxrxrl.exe 1652 5nttnn.exe 4908 vjpjp.exe 3296 dvdpv.exe -
resource yara_rule behavioral2/memory/3084-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b19-3.dat upx behavioral2/memory/3084-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b69-8.dat upx behavioral2/memory/3504-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6d-14.dat upx behavioral2/memory/2420-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4728-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-19.dat upx behavioral2/files/0x000a000000023b70-23.dat upx behavioral2/memory/4396-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b71-28.dat upx behavioral2/memory/3896-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b72-35.dat upx behavioral2/memory/3668-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b73-38.dat upx behavioral2/memory/4844-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b74-43.dat upx behavioral2/memory/5028-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b75-48.dat upx behavioral2/memory/1604-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-52.dat upx behavioral2/memory/3700-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-58.dat upx behavioral2/memory/1724-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-63.dat upx behavioral2/memory/4992-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-67.dat upx behavioral2/files/0x000a000000023b7a-72.dat upx behavioral2/memory/2528-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-77.dat upx 
behavioral2/memory/1900-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/216-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b6a-83.dat upx behavioral2/files/0x000a000000023b7c-87.dat upx behavioral2/memory/3520-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-92.dat upx behavioral2/memory/3484-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-97.dat upx behavioral2/memory/1136-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-102.dat upx behavioral2/files/0x000a000000023b81-106.dat upx behavioral2/memory/1664-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2984-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1660-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-112.dat upx behavioral2/files/0x000a000000023b83-117.dat upx behavioral2/memory/2976-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-123.dat upx behavioral2/memory/3772-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-128.dat upx behavioral2/memory/3772-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-132.dat upx behavioral2/memory/1348-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-138.dat upx behavioral2/memory/812-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-144.dat upx behavioral2/memory/812-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4156-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-148.dat upx behavioral2/files/0x000a000000023b8a-152.dat upx 
behavioral2/memory/3324-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4520-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-159.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3084 wrote to memory of 3504 3084 1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe 82 PID 3084 wrote to memory of 3504 3084 1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe 82 PID 3084 wrote to memory of 3504 3084 1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe 82 PID 3504 wrote to memory of 2420 3504 pdpjp.exe 83 PID 3504 wrote to memory of 2420 3504 pdpjp.exe 83 PID 3504 wrote to memory of 2420 3504 pdpjp.exe 83 PID 2420 wrote to memory of 4728 2420 5ffxlll.exe 84 PID 2420 wrote to memory of 4728 2420 5ffxlll.exe 84 PID 2420 wrote to memory of 4728 2420 5ffxlll.exe 84 PID 4728 wrote to memory of 4396 4728 thtttt.exe 85 PID 4728 wrote to memory of 4396 4728 thtttt.exe 85 PID 4728 wrote to memory of 4396 4728 thtttt.exe 85 PID 4396 wrote to memory of 3896 4396 xffxrrl.exe 86 PID 4396 wrote to memory of 3896 4396 xffxrrl.exe 86 PID 4396 wrote to memory of 3896 4396 xffxrrl.exe 86 PID 3896 wrote to memory of 3668 3896 1vvpj.exe 87 PID 3896 wrote to memory of 3668 3896 1vvpj.exe 87 PID 3896 wrote to memory of 3668 3896 1vvpj.exe 87 PID 3668 wrote to memory of 4844 3668 nttnhn.exe 88 PID 3668 wrote to memory of 4844 3668 nttnhn.exe 88 PID 3668 wrote to memory of 4844 3668 nttnhn.exe 88 PID 4844 wrote to memory of 5028 4844 vpvvv.exe 89 PID 4844 wrote to memory of 5028 4844 vpvvv.exe 89 PID 4844 wrote to memory of 5028 4844 vpvvv.exe 89 PID 5028 wrote to memory of 1604 5028 lrxlffx.exe 90 PID 5028 wrote to memory of 1604 5028 lrxlffx.exe 90 PID 5028 wrote to memory of 1604 5028 lrxlffx.exe 90 PID 1604 wrote to memory of 3700 1604 tbbtnh.exe 91 PID 1604 wrote to memory of 3700 1604 tbbtnh.exe 91 PID 1604 wrote to memory of 3700 1604 tbbtnh.exe 91 PID 3700 wrote to memory of 1724 3700 hhhnhn.exe 92 PID 3700 wrote to memory of 1724 3700 hhhnhn.exe 92 PID 3700 wrote to memory of 1724 3700 hhhnhn.exe 92 PID 1724 wrote to memory of 4992 1724 bbtnhh.exe 93 PID 1724 wrote to 
memory of 4992 1724 bbtnhh.exe 93 PID 1724 wrote to memory of 4992 1724 bbtnhh.exe 93 PID 4992 wrote to memory of 3816 4992 7dpjp.exe 94 PID 4992 wrote to memory of 3816 4992 7dpjp.exe 94 PID 4992 wrote to memory of 3816 4992 7dpjp.exe 94 PID 3816 wrote to memory of 2528 3816 nhbthb.exe 95 PID 3816 wrote to memory of 2528 3816 nhbthb.exe 95 PID 3816 wrote to memory of 2528 3816 nhbthb.exe 95 PID 2528 wrote to memory of 1900 2528 pjdpj.exe 96 PID 2528 wrote to memory of 1900 2528 pjdpj.exe 96 PID 2528 wrote to memory of 1900 2528 pjdpj.exe 96 PID 1900 wrote to memory of 216 1900 1rrlrrl.exe 97 PID 1900 wrote to memory of 216 1900 1rrlrrl.exe 97 PID 1900 wrote to memory of 216 1900 1rrlrrl.exe 97 PID 216 wrote to memory of 3520 216 bhhttn.exe 98 PID 216 wrote to memory of 3520 216 bhhttn.exe 98 PID 216 wrote to memory of 3520 216 bhhttn.exe 98 PID 3520 wrote to memory of 3484 3520 djppp.exe 99 PID 3520 wrote to memory of 3484 3520 djppp.exe 99 PID 3520 wrote to memory of 3484 3520 djppp.exe 99 PID 3484 wrote to memory of 1136 3484 lxfxfrf.exe 100 PID 3484 wrote to memory of 1136 3484 lxfxfrf.exe 100 PID 3484 wrote to memory of 1136 3484 lxfxfrf.exe 100 PID 1136 wrote to memory of 884 1136 tnhhbb.exe 101 PID 1136 wrote to memory of 884 1136 tnhhbb.exe 101 PID 1136 wrote to memory of 884 1136 tnhhbb.exe 101 PID 884 wrote to memory of 1664 884 vppjv.exe 102 PID 884 wrote to memory of 1664 884 vppjv.exe 102 PID 884 wrote to memory of 1664 884 vppjv.exe 102 PID 1664 wrote to memory of 2984 1664 nnthnt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe"C:\Users\Admin\AppData\Local\Temp\1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\pdpjp.exec:\pdpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\5ffxlll.exec:\5ffxlll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\thtttt.exec:\thtttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\xffxrrl.exec:\xffxrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\1vvpj.exec:\1vvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\nttnhn.exec:\nttnhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\vpvvv.exec:\vpvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\lrxlffx.exec:\lrxlffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\tbbtnh.exec:\tbbtnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\hhhnhn.exec:\hhhnhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\bbtnhh.exec:\bbtnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\7dpjp.exec:\7dpjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\nhbthb.exec:\nhbthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\pjdpj.exec:\pjdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\1rrlrrl.exec:\1rrlrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\bhhttn.exec:\bhhttn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\djppp.exec:\djppp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\lxfxfrf.exec:\lxfxfrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\tnhhbb.exec:\tnhhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\vppjv.exec:\vppjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\nnthnt.exec:\nnthnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\ddddv.exec:\ddddv.exe23⤵
- Executes dropped EXE
PID:2984 -
\??\c:\lxrxfrx.exec:\lxrxfrx.exe24⤵
- Executes dropped EXE
PID:1660 -
\??\c:\tnnbtn.exec:\tnnbtn.exe25⤵
- Executes dropped EXE
PID:2976 -
\??\c:\1vvvj.exec:\1vvvj.exe26⤵
- Executes dropped EXE
PID:3772 -
\??\c:\bthbbt.exec:\bthbbt.exe27⤵
- Executes dropped EXE
PID:1348 -
\??\c:\7bhbtb.exec:\7bhbtb.exe28⤵
- Executes dropped EXE
PID:212 -
\??\c:\rrxxrll.exec:\rrxxrll.exe29⤵
- Executes dropped EXE
PID:812 -
\??\c:\bttthb.exec:\bttthb.exe30⤵
- Executes dropped EXE
PID:4156 -
\??\c:\jdvjv.exec:\jdvjv.exe31⤵
- Executes dropped EXE
PID:3324 -
\??\c:\3hhhbt.exec:\3hhhbt.exe32⤵
- Executes dropped EXE
PID:4520 -
\??\c:\tthbnh.exec:\tthbnh.exe33⤵
- Executes dropped EXE
PID:1500 -
\??\c:\dvpdv.exec:\dvpdv.exe34⤵
- Executes dropped EXE
PID:2564 -
\??\c:\frxllxf.exec:\frxllxf.exe35⤵
- Executes dropped EXE
PID:3344 -
\??\c:\3btnnn.exec:\3btnnn.exe36⤵
- Executes dropped EXE
PID:3316 -
\??\c:\tnhbtn.exec:\tnhbtn.exe37⤵
- Executes dropped EXE
PID:4088 -
\??\c:\3djdp.exec:\3djdp.exe38⤵
- Executes dropped EXE
PID:4972 -
\??\c:\5nhbtt.exec:\5nhbtt.exe39⤵
- Executes dropped EXE
PID:3172 -
\??\c:\pdpvp.exec:\pdpvp.exe40⤵
- Executes dropped EXE
PID:4568 -
\??\c:\lflfrll.exec:\lflfrll.exe41⤵
- Executes dropped EXE
PID:1072 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe42⤵
- Executes dropped EXE
PID:5044 -
\??\c:\hbbtnn.exec:\hbbtnn.exe43⤵
- Executes dropped EXE
PID:2092 -
\??\c:\ppvjd.exec:\ppvjd.exe44⤵
- Executes dropped EXE
PID:3412 -
\??\c:\rxfrxll.exec:\rxfrxll.exe45⤵
- Executes dropped EXE
PID:652 -
\??\c:\xlrlrxl.exec:\xlrlrxl.exe46⤵
- Executes dropped EXE
PID:1316 -
\??\c:\thnhhb.exec:\thnhhb.exe47⤵
- Executes dropped EXE
PID:5112 -
\??\c:\vvddv.exec:\vvddv.exe48⤵
- Executes dropped EXE
PID:792 -
\??\c:\pjpdp.exec:\pjpdp.exe49⤵
- Executes dropped EXE
PID:3208 -
\??\c:\xlxrrrl.exec:\xlxrrrl.exe50⤵
- Executes dropped EXE
PID:2400 -
\??\c:\ntbnbn.exec:\ntbnbn.exe51⤵
- Executes dropped EXE
PID:4316 -
\??\c:\pvvdv.exec:\pvvdv.exe52⤵
- Executes dropped EXE
PID:4420 -
\??\c:\xlflrlr.exec:\xlflrlr.exe53⤵
- Executes dropped EXE
PID:3432 -
\??\c:\fxrlfxl.exec:\fxrlfxl.exe54⤵
- Executes dropped EXE
PID:2676 -
\??\c:\htttht.exec:\htttht.exe55⤵
- Executes dropped EXE
PID:4968 -
\??\c:\jpdpd.exec:\jpdpd.exe56⤵
- Executes dropped EXE
PID:1256 -
\??\c:\rffxxrl.exec:\rffxxrl.exe57⤵
- Executes dropped EXE
PID:4976 -
\??\c:\hbbnhb.exec:\hbbnhb.exe58⤵
- Executes dropped EXE
PID:2072 -
\??\c:\nhbnhb.exec:\nhbnhb.exe59⤵
- Executes dropped EXE
PID:4396 -
\??\c:\dddpj.exec:\dddpj.exe60⤵
- Executes dropped EXE
PID:4904 -
\??\c:\xxrfrlf.exec:\xxrfrlf.exe61⤵
- Executes dropped EXE
PID:1700 -
\??\c:\9rxrxrl.exec:\9rxrxrl.exe62⤵
- Executes dropped EXE
PID:3668 -
\??\c:\5nttnn.exec:\5nttnn.exe63⤵
- Executes dropped EXE
PID:1652 -
\??\c:\vjpjp.exec:\vjpjp.exe64⤵
- Executes dropped EXE
PID:4908 -
\??\c:\dvdpv.exec:\dvdpv.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3296 -
\??\c:\5rrlrrl.exec:\5rrlrrl.exe66⤵PID:2156
-
\??\c:\hnnhbb.exec:\hnnhbb.exe67⤵PID:4052
-
\??\c:\bbbthb.exec:\bbbthb.exe68⤵PID:560
-
\??\c:\dvvpj.exec:\dvvpj.exe69⤵PID:3512
-
\??\c:\1xrlfff.exec:\1xrlfff.exe70⤵PID:2132
-
\??\c:\bbbthb.exec:\bbbthb.exe71⤵PID:2940
-
\??\c:\ttthbt.exec:\ttthbt.exe72⤵PID:2740
-
\??\c:\vppvj.exec:\vppvj.exe73⤵PID:1104
-
\??\c:\rlllffx.exec:\rlllffx.exe74⤵
- System Location Discovery: System Language Discovery
PID:3092 -
\??\c:\rxfrlfx.exec:\rxfrlfx.exe75⤵PID:1196
-
\??\c:\ntthth.exec:\ntthth.exe76⤵PID:3024
-
\??\c:\vvvpj.exec:\vvvpj.exe77⤵PID:4452
-
\??\c:\3pvpj.exec:\3pvpj.exe78⤵PID:3304
-
\??\c:\7lffflf.exec:\7lffflf.exe79⤵PID:3292
-
\??\c:\7lxrlff.exec:\7lxrlff.exe80⤵PID:8
-
\??\c:\bhbnhn.exec:\bhbnhn.exe81⤵PID:3928
-
\??\c:\pdddv.exec:\pdddv.exe82⤵PID:3988
-
\??\c:\1xrrffx.exec:\1xrrffx.exe83⤵PID:3528
-
\??\c:\fllxxrx.exec:\fllxxrx.exe84⤵PID:2796
-
\??\c:\ntbnhh.exec:\ntbnhh.exe85⤵PID:2924
-
\??\c:\vvvjv.exec:\vvvjv.exe86⤵PID:3580
-
\??\c:\fffrffx.exec:\fffrffx.exe87⤵PID:2464
-
\??\c:\rrlxxlr.exec:\rrlxxlr.exe88⤵PID:1764
-
\??\c:\1ntnhh.exec:\1ntnhh.exe89⤵PID:3460
-
\??\c:\dppdv.exec:\dppdv.exe90⤵PID:4516
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe91⤵PID:412
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe92⤵PID:1488
-
\??\c:\nbbtnn.exec:\nbbtnn.exe93⤵PID:4996
-
\??\c:\pjjdp.exec:\pjjdp.exe94⤵PID:3836
-
\??\c:\xxlflfl.exec:\xxlflfl.exe95⤵PID:2792
-
\??\c:\nbnhtn.exec:\nbnhtn.exe96⤵PID:4232
-
\??\c:\hnhnnn.exec:\hnhnnn.exe97⤵PID:748
-
\??\c:\dvjdj.exec:\dvjdj.exe98⤵PID:2436
-
\??\c:\lfxfxxr.exec:\lfxfxxr.exe99⤵PID:1740
-
\??\c:\xxflrxf.exec:\xxflrxf.exe100⤵PID:1080
-
\??\c:\hthbnn.exec:\hthbnn.exe101⤵PID:2280
-
\??\c:\pjdvp.exec:\pjdvp.exe102⤵PID:4080
-
\??\c:\3xxlxxl.exec:\3xxlxxl.exe103⤵PID:724
-
\??\c:\lxxxxxr.exec:\lxxxxxr.exe104⤵PID:3272
-
\??\c:\tbtbnh.exec:\tbtbnh.exe105⤵PID:3080
-
\??\c:\nnnhbt.exec:\nnnhbt.exe106⤵PID:3960
-
\??\c:\vppjd.exec:\vppjd.exe107⤵PID:3956
-
\??\c:\vdjdp.exec:\vdjdp.exe108⤵PID:1880
-
\??\c:\3fxrllf.exec:\3fxrllf.exe109⤵PID:5008
-
\??\c:\btnbtn.exec:\btnbtn.exe110⤵PID:1072
-
\??\c:\thbtnh.exec:\thbtnh.exe111⤵PID:5044
-
\??\c:\jpjjv.exec:\jpjjv.exe112⤵PID:2092
-
\??\c:\rfxrlrf.exec:\rfxrlrf.exe113⤵PID:3412
-
\??\c:\lxxrlrl.exec:\lxxrlrl.exe114⤵PID:5104
-
\??\c:\ttnnht.exec:\ttnnht.exe115⤵PID:2452
-
\??\c:\jppvd.exec:\jppvd.exe116⤵PID:1780
-
\??\c:\jvpjd.exec:\jvpjd.exe117⤵PID:2596
-
\??\c:\rlfrfxr.exec:\rlfrfxr.exe118⤵PID:3208
-
\??\c:\tnnhnn.exec:\tnnhnn.exe119⤵PID:2400
-
\??\c:\7bhbhh.exec:\7bhbhh.exe120⤵PID:3288
-
\??\c:\pdjdv.exec:\pdjdv.exe121⤵PID:3060
-
\??\c:\frrfxrl.exec:\frrfxrl.exe122⤵PID:3492