Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 03:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d08b42e2890d978b3acd7b3050bc9384a11e7577356ccaf2d48394c6d324977e.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
d08b42e2890d978b3acd7b3050bc9384a11e7577356ccaf2d48394c6d324977e.exe
-
Size
453KB
-
MD5
5d0de506f390fc44daed045414089f2f
-
SHA1
be0e5700f6be24b44cd2a66e034c279797b1339d
-
SHA256
d08b42e2890d978b3acd7b3050bc9384a11e7577356ccaf2d48394c6d324977e
-
SHA512
5f967b0521dc3edfc8b5f08a7a6cf033847cd59075b40cb3b7f889b665da5250273e47d264d5df4cadb4db9ce79d2cc19c4c6625c0ed737d6bdef3b59a507b78
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3276-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5044-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3052-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5068-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5060 jpvvp.exe 3124 9ttnhh.exe 5032 nhbttt.exe 4532 pjdvp.exe 1432 lflflff.exe 1420 vpdvv.exe 1692 nttnhh.exe 5056 9tnbtt.exe 1716 xffffxr.exe 1644 3bthbn.exe 2780 flrrfxr.exe 3340 btbnnh.exe 2076 1vvpj.exe 4900 lflffxl.exe 3568 9tthbh.exe 1704 jvvpd.exe 4452 rrxrlfr.exe 4872 ttnhtn.exe 1480 rflflfl.exe 3912 rrxxlfx.exe 4616 hbnhtt.exe 3204 lxrxlff.exe 4044 xxfrfxr.exe 2252 ppvjv.exe 4460 jvjdd.exe 4380 9xxrfxl.exe 3848 7bbnbt.exe 4348 htthnh.exe 4996 pddpj.exe 3004 vjjvj.exe 540 5lrrlll.exe 3432 1nhbnn.exe 3064 3htnbt.exe 2820 3jjjd.exe 1216 9rrlflx.exe 4880 1rffrfr.exe 4600 nbbbnh.exe 3232 htbnnh.exe 4404 9dpdv.exe 920 xllxllf.exe 2304 rfllxfx.exe 4308 bbhtnh.exe 4584 pvdvj.exe 4916 ppvpv.exe 3500 rlxfrxl.exe 3124 frrxlrf.exe 2000 hhnhbt.exe 2704 dppdv.exe 5032 1dpdp.exe 4360 1fflffx.exe 4432 bhthbt.exe 4228 tnhntn.exe 1432 jjvpv.exe 5044 9vvpd.exe 2152 fxrfrlf.exe 1292 httnbt.exe 832 fxflflx.exe 3776 ttbbnn.exe 3052 jpjvp.exe 4992 xxfxfrf.exe 5040 btthtn.exe 4508 jvvdj.exe 2940 7hhbth.exe 2600 vjpjv.exe -
resource yara_rule behavioral2/memory/3276-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-262-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4360-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4380-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-678-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3276 wrote to memory of 5060 3276 d08b42e2890d978b3acd7b3050bc9384a11e7577356ccaf2d48394c6d324977e.exe 83 PID 3276 wrote to memory of 5060 3276 d08b42e2890d978b3acd7b3050bc9384a11e7577356ccaf2d48394c6d324977e.exe 83 PID 3276 wrote to memory of 5060 3276 d08b42e2890d978b3acd7b3050bc9384a11e7577356ccaf2d48394c6d324977e.exe 83 PID 5060 wrote to memory of 3124 5060 jpvvp.exe 84 PID 5060 wrote to memory of 3124 5060 jpvvp.exe 84 PID 5060 wrote to memory of 3124 5060 jpvvp.exe 84 PID 3124 wrote to memory of 5032 3124 9ttnhh.exe 85 PID 3124 wrote to memory of 5032 3124 9ttnhh.exe 85 PID 3124 wrote to memory of 5032 3124 9ttnhh.exe 85 PID 5032 wrote to memory of 4532 5032 nhbttt.exe 86 PID 5032 wrote to memory of 4532 5032 nhbttt.exe 86 PID 5032 wrote to memory of 4532 5032 nhbttt.exe 86 PID 4532 wrote to memory of 1432 4532 pjdvp.exe 87 PID 4532 wrote to memory of 1432 4532 pjdvp.exe 87 PID 4532 wrote to memory of 1432 4532 pjdvp.exe 87 PID 1432 wrote to memory of 1420 1432 lflflff.exe 88 PID 1432 wrote to memory of 1420 1432 lflflff.exe 88 PID 1432 wrote to memory of 1420 1432 lflflff.exe 88 PID 1420 wrote to memory of 1692 1420 vpdvv.exe 89 PID 1420 wrote to memory of 1692 1420 vpdvv.exe 89 PID 1420 wrote to memory of 1692 1420 vpdvv.exe 89 PID 1692 wrote to memory of 5056 1692 nttnhh.exe 90 PID 1692 wrote to memory of 5056 1692 nttnhh.exe 90 PID 1692 wrote to memory of 5056 1692 nttnhh.exe 90 PID 5056 wrote to memory of 1716 5056 9tnbtt.exe 91 PID 5056 wrote to memory of 1716 5056 9tnbtt.exe 91 PID 5056 wrote to memory of 1716 5056 9tnbtt.exe 91 PID 1716 wrote to memory of 1644 1716 xffffxr.exe 92 PID 1716 wrote to memory of 1644 1716 xffffxr.exe 92 PID 1716 wrote to memory of 1644 1716 xffffxr.exe 92 PID 1644 wrote to memory of 2780 1644 3bthbn.exe 93 PID 1644 wrote to memory of 2780 1644 3bthbn.exe 93 PID 1644 wrote to memory of 2780 1644 3bthbn.exe 93 PID 2780 wrote to memory of 3340 2780 flrrfxr.exe 94 PID 2780 wrote to 
memory of 3340 2780 flrrfxr.exe 94 PID 2780 wrote to memory of 3340 2780 flrrfxr.exe 94 PID 3340 wrote to memory of 2076 3340 btbnnh.exe 95 PID 3340 wrote to memory of 2076 3340 btbnnh.exe 95 PID 3340 wrote to memory of 2076 3340 btbnnh.exe 95 PID 2076 wrote to memory of 4900 2076 1vvpj.exe 96 PID 2076 wrote to memory of 4900 2076 1vvpj.exe 96 PID 2076 wrote to memory of 4900 2076 1vvpj.exe 96 PID 4900 wrote to memory of 3568 4900 lflffxl.exe 97 PID 4900 wrote to memory of 3568 4900 lflffxl.exe 97 PID 4900 wrote to memory of 3568 4900 lflffxl.exe 97 PID 3568 wrote to memory of 1704 3568 9tthbh.exe 98 PID 3568 wrote to memory of 1704 3568 9tthbh.exe 98 PID 3568 wrote to memory of 1704 3568 9tthbh.exe 98 PID 1704 wrote to memory of 4452 1704 jvvpd.exe 99 PID 1704 wrote to memory of 4452 1704 jvvpd.exe 99 PID 1704 wrote to memory of 4452 1704 jvvpd.exe 99 PID 4452 wrote to memory of 4872 4452 rrxrlfr.exe 100 PID 4452 wrote to memory of 4872 4452 rrxrlfr.exe 100 PID 4452 wrote to memory of 4872 4452 rrxrlfr.exe 100 PID 4872 wrote to memory of 1480 4872 ttnhtn.exe 101 PID 4872 wrote to memory of 1480 4872 ttnhtn.exe 101 PID 4872 wrote to memory of 1480 4872 ttnhtn.exe 101 PID 1480 wrote to memory of 3912 1480 rflflfl.exe 102 PID 1480 wrote to memory of 3912 1480 rflflfl.exe 102 PID 1480 wrote to memory of 3912 1480 rflflfl.exe 102 PID 3912 wrote to memory of 4616 3912 rrxxlfx.exe 103 PID 3912 wrote to memory of 4616 3912 rrxxlfx.exe 103 PID 3912 wrote to memory of 4616 3912 rrxxlfx.exe 103 PID 4616 wrote to memory of 3204 4616 hbnhtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d08b42e2890d978b3acd7b3050bc9384a11e7577356ccaf2d48394c6d324977e.exe"C:\Users\Admin\AppData\Local\Temp\d08b42e2890d978b3acd7b3050bc9384a11e7577356ccaf2d48394c6d324977e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\jpvvp.exec:\jpvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\9ttnhh.exec:\9ttnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\nhbttt.exec:\nhbttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\pjdvp.exec:\pjdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\lflflff.exec:\lflflff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\vpdvv.exec:\vpdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\nttnhh.exec:\nttnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\9tnbtt.exec:\9tnbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\xffffxr.exec:\xffffxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\3bthbn.exec:\3bthbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\flrrfxr.exec:\flrrfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\btbnnh.exec:\btbnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\1vvpj.exec:\1vvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\lflffxl.exec:\lflffxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\9tthbh.exec:\9tthbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\jvvpd.exec:\jvvpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\rrxrlfr.exec:\rrxrlfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\ttnhtn.exec:\ttnhtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\rflflfl.exec:\rflflfl.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\rrxxlfx.exec:\rrxxlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\hbnhtt.exec:\hbnhtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\lxrxlff.exec:\lxrxlff.exe23⤵
- Executes dropped EXE
PID:3204 -
\??\c:\xxfrfxr.exec:\xxfrfxr.exe24⤵
- Executes dropped EXE
PID:4044 -
\??\c:\ppvjv.exec:\ppvjv.exe25⤵
- Executes dropped EXE
PID:2252 -
\??\c:\jvjdd.exec:\jvjdd.exe26⤵
- Executes dropped EXE
PID:4460 -
\??\c:\9xxrfxl.exec:\9xxrfxl.exe27⤵
- Executes dropped EXE
PID:4380 -
\??\c:\7bbnbt.exec:\7bbnbt.exe28⤵
- Executes dropped EXE
PID:3848 -
\??\c:\htthnh.exec:\htthnh.exe29⤵
- Executes dropped EXE
PID:4348 -
\??\c:\pddpj.exec:\pddpj.exe30⤵
- Executes dropped EXE
PID:4996 -
\??\c:\vjjvj.exec:\vjjvj.exe31⤵
- Executes dropped EXE
PID:3004 -
\??\c:\5lrrlll.exec:\5lrrlll.exe32⤵
- Executes dropped EXE
PID:540 -
\??\c:\1nhbnn.exec:\1nhbnn.exe33⤵
- Executes dropped EXE
PID:3432 -
\??\c:\3htnbt.exec:\3htnbt.exe34⤵
- Executes dropped EXE
PID:3064 -
\??\c:\3jjjd.exec:\3jjjd.exe35⤵
- Executes dropped EXE
PID:2820 -
\??\c:\9rrlflx.exec:\9rrlflx.exe36⤵
- Executes dropped EXE
PID:1216 -
\??\c:\1rffrfr.exec:\1rffrfr.exe37⤵
- Executes dropped EXE
PID:4880 -
\??\c:\nbbbnh.exec:\nbbbnh.exe38⤵
- Executes dropped EXE
PID:4600 -
\??\c:\htbnnh.exec:\htbnnh.exe39⤵
- Executes dropped EXE
PID:3232 -
\??\c:\9dpdv.exec:\9dpdv.exe40⤵
- Executes dropped EXE
PID:4404 -
\??\c:\xllxllf.exec:\xllxllf.exe41⤵
- Executes dropped EXE
PID:920 -
\??\c:\rfllxfx.exec:\rfllxfx.exe42⤵
- Executes dropped EXE
PID:2304 -
\??\c:\bbhtnh.exec:\bbhtnh.exe43⤵
- Executes dropped EXE
PID:4308 -
\??\c:\pvdvj.exec:\pvdvj.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4584 -
\??\c:\ppvpv.exec:\ppvpv.exe45⤵
- Executes dropped EXE
PID:4916 -
\??\c:\rlxfrxl.exec:\rlxfrxl.exe46⤵
- Executes dropped EXE
PID:3500 -
\??\c:\frrxlrf.exec:\frrxlrf.exe47⤵
- Executes dropped EXE
PID:3124 -
\??\c:\hhnhbt.exec:\hhnhbt.exe48⤵
- Executes dropped EXE
PID:2000 -
\??\c:\dppdv.exec:\dppdv.exe49⤵
- Executes dropped EXE
PID:2704 -
\??\c:\1dpdp.exec:\1dpdp.exe50⤵
- Executes dropped EXE
PID:5032 -
\??\c:\1fflffx.exec:\1fflffx.exe51⤵
- Executes dropped EXE
PID:4360 -
\??\c:\bhthbt.exec:\bhthbt.exe52⤵
- Executes dropped EXE
PID:4432 -
\??\c:\tnhntn.exec:\tnhntn.exe53⤵
- Executes dropped EXE
PID:4228 -
\??\c:\jjvpv.exec:\jjvpv.exe54⤵
- Executes dropped EXE
PID:1432 -
\??\c:\9vvpd.exec:\9vvpd.exe55⤵
- Executes dropped EXE
PID:5044 -
\??\c:\fxrfrlf.exec:\fxrfrlf.exe56⤵
- Executes dropped EXE
PID:2152 -
\??\c:\httnbt.exec:\httnbt.exe57⤵
- Executes dropped EXE
PID:1292 -
\??\c:\fxflflx.exec:\fxflflx.exe58⤵
- Executes dropped EXE
PID:832 -
\??\c:\ttbbnn.exec:\ttbbnn.exe59⤵
- Executes dropped EXE
PID:3776 -
\??\c:\jpjvp.exec:\jpjvp.exe60⤵
- Executes dropped EXE
PID:3052 -
\??\c:\xxfxfrf.exec:\xxfxfrf.exe61⤵
- Executes dropped EXE
PID:4992 -
\??\c:\btthtn.exec:\btthtn.exe62⤵
- Executes dropped EXE
PID:5040 -
\??\c:\jvvdj.exec:\jvvdj.exe63⤵
- Executes dropped EXE
PID:4508 -
\??\c:\7hhbth.exec:\7hhbth.exe64⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vjpjv.exec:\vjpjv.exe65⤵
- Executes dropped EXE
PID:2600 -
\??\c:\xrxrffx.exec:\xrxrffx.exe66⤵PID:1704
-
\??\c:\ntnhbb.exec:\ntnhbb.exe67⤵PID:4016
-
\??\c:\ddpjd.exec:\ddpjd.exe68⤵PID:2908
-
\??\c:\lrxlffx.exec:\lrxlffx.exe69⤵PID:4012
-
\??\c:\hbbtnh.exec:\hbbtnh.exe70⤵PID:3392
-
\??\c:\xrlxllx.exec:\xrlxllx.exe71⤵PID:4156
-
\??\c:\nbbbnt.exec:\nbbbnt.exe72⤵PID:848
-
\??\c:\jpvpj.exec:\jpvpj.exe73⤵PID:3476
-
\??\c:\jjpjv.exec:\jjpjv.exe74⤵PID:4892
-
\??\c:\xllrffr.exec:\xllrffr.exe75⤵PID:372
-
\??\c:\3hnhhh.exec:\3hnhhh.exe76⤵PID:5088
-
\??\c:\5dvpd.exec:\5dvpd.exe77⤵PID:4380
-
\??\c:\bnbnhn.exec:\bnbnhn.exe78⤵PID:2892
-
\??\c:\frfxfxf.exec:\frfxfxf.exe79⤵PID:3956
-
\??\c:\7ffxxrx.exec:\7ffxxrx.exe80⤵PID:3648
-
\??\c:\jvvpj.exec:\jvvpj.exe81⤵PID:3004
-
\??\c:\btthtt.exec:\btthtt.exe82⤵PID:2972
-
\??\c:\frxrlfx.exec:\frxrlfx.exe83⤵PID:3636
-
\??\c:\hhnhbb.exec:\hhnhbb.exe84⤵PID:1344
-
\??\c:\9lfxrlf.exec:\9lfxrlf.exe85⤵PID:916
-
\??\c:\nhhhbb.exec:\nhhhbb.exe86⤵PID:1952
-
\??\c:\vddvj.exec:\vddvj.exe87⤵PID:3308
-
\??\c:\flrfrfl.exec:\flrfrfl.exe88⤵PID:2828
-
\??\c:\7xrxrlf.exec:\7xrxrlf.exe89⤵PID:2724
-
\??\c:\nhtnnn.exec:\nhtnnn.exe90⤵PID:1156
-
\??\c:\jppdp.exec:\jppdp.exe91⤵PID:64
-
\??\c:\jddvj.exec:\jddvj.exe92⤵PID:264
-
\??\c:\rfffrrl.exec:\rfffrrl.exe93⤵PID:3580
-
\??\c:\hbbtnh.exec:\hbbtnh.exe94⤵PID:4916
-
\??\c:\7nnhtt.exec:\7nnhtt.exe95⤵PID:4812
-
\??\c:\jvvpd.exec:\jvvpd.exe96⤵PID:836
-
\??\c:\7xrxxff.exec:\7xrxxff.exe97⤵PID:924
-
\??\c:\bbhhbb.exec:\bbhhbb.exe98⤵PID:5068
-
\??\c:\vpvvd.exec:\vpvvd.exe99⤵PID:1204
-
\??\c:\flrlffx.exec:\flrlffx.exe100⤵PID:5032
-
\??\c:\xlxfxrl.exec:\xlxfxrl.exe101⤵PID:2072
-
\??\c:\3nnbtn.exec:\3nnbtn.exe102⤵PID:3336
-
\??\c:\vppdp.exec:\vppdp.exe103⤵PID:1972
-
\??\c:\fxfxxfx.exec:\fxfxxfx.exe104⤵PID:4320
-
\??\c:\thtnnh.exec:\thtnnh.exe105⤵PID:4744
-
\??\c:\htbtbb.exec:\htbtbb.exe106⤵PID:2636
-
\??\c:\1vpjv.exec:\1vpjv.exe107⤵PID:1360
-
\??\c:\lxlfrlf.exec:\lxlfrlf.exe108⤵PID:3584
-
\??\c:\bttnhh.exec:\bttnhh.exe109⤵PID:3816
-
\??\c:\bthtnt.exec:\bthtnt.exe110⤵PID:1508
-
\??\c:\dpdvj.exec:\dpdvj.exe111⤵PID:1292
-
\??\c:\lfrlxrx.exec:\lfrlxrx.exe112⤵PID:1064
-
\??\c:\xxlfrrl.exec:\xxlfrrl.exe113⤵PID:3776
-
\??\c:\nbnbbt.exec:\nbnbbt.exe114⤵PID:3968
-
\??\c:\jjdvv.exec:\jjdvv.exe115⤵PID:1748
-
\??\c:\lxfflll.exec:\lxfflll.exe116⤵PID:4900
-
\??\c:\tnbbtt.exec:\tnbbtt.exe117⤵PID:1200
-
\??\c:\nhnnnn.exec:\nhnnnn.exe118⤵PID:3472
-
\??\c:\jddvp.exec:\jddvp.exe119⤵PID:444
-
\??\c:\rllrxrl.exec:\rllrxrl.exe120⤵PID:4452
-
\??\c:\thhbnn.exec:\thhbnn.exe121⤵PID:4352
-
\??\c:\7hhtnh.exec:\7hhtnh.exe122⤵PID:2568
-