Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:29
Behavioral task
behavioral1
Sample
f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe
-
Size
130KB
-
MD5
52039e11a38cbca607d22dbc06785fc7
-
SHA1
1beb567a22d519b6530301280644df6375f390bf
-
SHA256
f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33
-
SHA512
76fab7b3065e222b48efc4b51faed6f647a09b1e8d5f42d7cb4d78e3c4760619c5e13aa782fa288c1bbed0e00f5c2aacbc0434ed4456129d8f74a4933aecac3c
-
SSDEEP
3072:0hOmTsF93UYfwC6GIoutX8Kikz9qI+fPl/d:0cm4FmowdHoSH5L+Zd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3672-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4024-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/424-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/384-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2052-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/696-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2664-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2952-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1568-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/64-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3180-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/372-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3880-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/384-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1804-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2052-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2388-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-432-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-482-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-495-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3136-516-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2508-538-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-551-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-713-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-777-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-1411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/856-1496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 732 668642.exe 5020 3nnbnh.exe 2904 bttnhb.exe 1716 i460262.exe 384 8004882.exe 424 8644448.exe 4592 dvvpv.exe 4276 68086.exe 4336 pppjv.exe 3960 xlfrrfr.exe 4264 8848860.exe 5116 rxlfrrf.exe 4844 62824.exe 4024 6442004.exe 4256 8426426.exe 1940 4684686.exe 2052 bnhbth.exe 2180 s6808.exe 3296 vjjvp.exe 1132 8486046.exe 3680 1btnhh.exe 696 044426.exe 4768 48224.exe 4076 htntbn.exe 2664 e26884.exe 2952 3pjdj.exe 1192 3rrlffx.exe 1568 ppdvj.exe 64 m6602.exe 5032 3lxrfrf.exe 2340 1ttnbh.exe 4800 vpjdp.exe 4396 jpvpv.exe 1136 fxlxllr.exe 1360 66648.exe 872 rlfrllx.exe 1688 26882.exe 3564 g0682.exe 1828 7btntn.exe 3180 u666482.exe 2320 hbbtbt.exe 4940 m6648.exe 364 8220826.exe 372 tnnhbb.exe 4788 w22868.exe 4740 rflffxx.exe 3692 g0208.exe 812 7jdvj.exe 4312 42448.exe 4324 8620260.exe 1764 9lxrllx.exe 3320 640426.exe 732 3xxxrrl.exe 848 frfrlfr.exe 3880 220660.exe 3644 fllfrrl.exe 2140 s4260.exe 2144 86248.exe 384 6844888.exe 424 jvdpp.exe 4592 frlxllx.exe 3480 hhhbtt.exe 1804 ffrlxrl.exe 4616 606044.exe -
resource yara_rule behavioral2/memory/3672-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b71-3.dat upx behavioral2/memory/732-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3672-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/732-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c60-10.dat upx behavioral2/files/0x0007000000023c67-14.dat upx behavioral2/memory/2904-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c68-23.dat upx behavioral2/files/0x0007000000023c69-30.dat upx behavioral2/memory/4592-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4336-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6f-63.dat upx behavioral2/files/0x0007000000023c70-68.dat upx behavioral2/files/0x0007000000023c71-74.dat upx behavioral2/memory/5116-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c72-79.dat upx behavioral2/memory/4024-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6e-60.dat upx behavioral2/files/0x0007000000023c6d-53.dat upx behavioral2/memory/4276-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6c-47.dat upx behavioral2/files/0x0007000000023c6b-41.dat upx behavioral2/memory/424-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6a-35.dat upx behavioral2/memory/384-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1716-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5020-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c73-85.dat upx behavioral2/files/0x0007000000023c74-90.dat upx behavioral2/memory/4256-92-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c75-96.dat upx behavioral2/memory/1940-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c77-102.dat upx behavioral2/memory/2052-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c78-108.dat upx behavioral2/files/0x0007000000023c79-114.dat upx behavioral2/files/0x0007000000023c7a-119.dat upx behavioral2/memory/3680-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7b-125.dat upx behavioral2/memory/4768-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7c-131.dat upx behavioral2/memory/696-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c64-136.dat upx behavioral2/memory/4768-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7d-143.dat upx behavioral2/memory/4076-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2664-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-148.dat upx behavioral2/memory/2952-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-155.dat upx behavioral2/memory/1568-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c81-168.dat upx behavioral2/memory/64-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c82-172.dat upx behavioral2/files/0x0007000000023c83-178.dat upx behavioral2/files/0x0007000000023c80-161.dat upx behavioral2/memory/1192-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c84-182.dat upx behavioral2/memory/2340-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4800-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1360-199-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/872-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1688-207-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k68422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u482040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844482.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhtn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3672 wrote to memory of 732 3672 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 83 PID 3672 wrote to memory of 732 3672 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 83 PID 3672 wrote to memory of 732 3672 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 83 PID 732 wrote to memory of 5020 732 668642.exe 84 PID 732 wrote to memory of 5020 732 668642.exe 84 PID 732 wrote to memory of 5020 732 668642.exe 84 PID 5020 wrote to memory of 2904 5020 3nnbnh.exe 85 PID 5020 wrote to memory of 2904 5020 3nnbnh.exe 85 PID 5020 wrote to memory of 2904 5020 3nnbnh.exe 85 PID 2904 wrote to memory of 1716 2904 bttnhb.exe 86 PID 2904 wrote to memory of 1716 2904 bttnhb.exe 86 PID 2904 wrote to memory of 1716 2904 bttnhb.exe 86 PID 1716 wrote to memory of 384 1716 i460262.exe 87 PID 1716 wrote to memory of 384 1716 i460262.exe 87 PID 1716 wrote to memory of 384 1716 i460262.exe 87 PID 384 wrote to memory of 424 384 8004882.exe 88 PID 384 wrote to memory of 424 384 8004882.exe 88 PID 384 wrote to memory of 424 384 8004882.exe 88 PID 424 wrote to memory of 4592 424 8644448.exe 89 PID 424 wrote to memory of 4592 424 8644448.exe 89 PID 424 wrote to memory of 4592 424 8644448.exe 89 PID 4592 wrote to memory of 4276 4592 dvvpv.exe 90 PID 4592 wrote to memory of 4276 4592 dvvpv.exe 90 PID 4592 wrote to memory of 4276 4592 dvvpv.exe 90 PID 4276 wrote to memory of 4336 4276 68086.exe 91 PID 4276 wrote to memory of 4336 4276 68086.exe 91 PID 4276 wrote to memory of 4336 4276 68086.exe 91 PID 4336 wrote to memory of 3960 4336 pppjv.exe 92 PID 4336 wrote to memory of 3960 4336 pppjv.exe 92 PID 4336 wrote to memory of 3960 4336 pppjv.exe 92 PID 3960 wrote to memory of 4264 3960 xlfrrfr.exe 93 PID 3960 wrote to memory of 4264 3960 xlfrrfr.exe 93 PID 3960 wrote to memory of 4264 3960 xlfrrfr.exe 93 PID 4264 wrote to memory of 5116 4264 8848860.exe 94 PID 4264 wrote to memory of 5116 4264 
8848860.exe 94 PID 4264 wrote to memory of 5116 4264 8848860.exe 94 PID 5116 wrote to memory of 4844 5116 rxlfrrf.exe 95 PID 5116 wrote to memory of 4844 5116 rxlfrrf.exe 95 PID 5116 wrote to memory of 4844 5116 rxlfrrf.exe 95 PID 4844 wrote to memory of 4024 4844 62824.exe 96 PID 4844 wrote to memory of 4024 4844 62824.exe 96 PID 4844 wrote to memory of 4024 4844 62824.exe 96 PID 4024 wrote to memory of 4256 4024 6442004.exe 97 PID 4024 wrote to memory of 4256 4024 6442004.exe 97 PID 4024 wrote to memory of 4256 4024 6442004.exe 97 PID 4256 wrote to memory of 1940 4256 8426426.exe 98 PID 4256 wrote to memory of 1940 4256 8426426.exe 98 PID 4256 wrote to memory of 1940 4256 8426426.exe 98 PID 1940 wrote to memory of 2052 1940 4684686.exe 99 PID 1940 wrote to memory of 2052 1940 4684686.exe 99 PID 1940 wrote to memory of 2052 1940 4684686.exe 99 PID 2052 wrote to memory of 2180 2052 bnhbth.exe 100 PID 2052 wrote to memory of 2180 2052 bnhbth.exe 100 PID 2052 wrote to memory of 2180 2052 bnhbth.exe 100 PID 2180 wrote to memory of 3296 2180 s6808.exe 101 PID 2180 wrote to memory of 3296 2180 s6808.exe 101 PID 2180 wrote to memory of 3296 2180 s6808.exe 101 PID 3296 wrote to memory of 1132 3296 vjjvp.exe 102 PID 3296 wrote to memory of 1132 3296 vjjvp.exe 102 PID 3296 wrote to memory of 1132 3296 vjjvp.exe 102 PID 1132 wrote to memory of 3680 1132 8486046.exe 103 PID 1132 wrote to memory of 3680 1132 8486046.exe 103 PID 1132 wrote to memory of 3680 1132 8486046.exe 103 PID 3680 wrote to memory of 696 3680 1btnhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe"C:\Users\Admin\AppData\Local\Temp\f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\668642.exec:\668642.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\3nnbnh.exec:\3nnbnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\bttnhb.exec:\bttnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\i460262.exec:\i460262.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\8004882.exec:\8004882.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\8644448.exec:\8644448.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:424 -
\??\c:\dvvpv.exec:\dvvpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\68086.exec:\68086.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\pppjv.exec:\pppjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\xlfrrfr.exec:\xlfrrfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\8848860.exec:\8848860.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\rxlfrrf.exec:\rxlfrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\62824.exec:\62824.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\6442004.exec:\6442004.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\8426426.exec:\8426426.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\4684686.exec:\4684686.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\bnhbth.exec:\bnhbth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\s6808.exec:\s6808.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\vjjvp.exec:\vjjvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\8486046.exec:\8486046.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\1btnhh.exec:\1btnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\044426.exec:\044426.exe23⤵
- Executes dropped EXE
PID:696 -
\??\c:\48224.exec:\48224.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4768 -
\??\c:\htntbn.exec:\htntbn.exe25⤵
- Executes dropped EXE
PID:4076 -
\??\c:\e26884.exec:\e26884.exe26⤵
- Executes dropped EXE
PID:2664 -
\??\c:\3pjdj.exec:\3pjdj.exe27⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3rrlffx.exec:\3rrlffx.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1192 -
\??\c:\ppdvj.exec:\ppdvj.exe29⤵
- Executes dropped EXE
PID:1568 -
\??\c:\m6602.exec:\m6602.exe30⤵
- Executes dropped EXE
PID:64 -
\??\c:\3lxrfrf.exec:\3lxrfrf.exe31⤵
- Executes dropped EXE
PID:5032 -
\??\c:\1ttnbh.exec:\1ttnbh.exe32⤵
- Executes dropped EXE
PID:2340 -
\??\c:\vpjdp.exec:\vpjdp.exe33⤵
- Executes dropped EXE
PID:4800 -
\??\c:\jpvpv.exec:\jpvpv.exe34⤵
- Executes dropped EXE
PID:4396 -
\??\c:\fxlxllr.exec:\fxlxllr.exe35⤵
- Executes dropped EXE
PID:1136 -
\??\c:\66648.exec:\66648.exe36⤵
- Executes dropped EXE
PID:1360 -
\??\c:\rlfrllx.exec:\rlfrllx.exe37⤵
- Executes dropped EXE
PID:872 -
\??\c:\26882.exec:\26882.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
\??\c:\g0682.exec:\g0682.exe39⤵
- Executes dropped EXE
PID:3564 -
\??\c:\7btntn.exec:\7btntn.exe40⤵
- Executes dropped EXE
PID:1828 -
\??\c:\u666482.exec:\u666482.exe41⤵
- Executes dropped EXE
PID:3180 -
\??\c:\hbbtbt.exec:\hbbtbt.exe42⤵
- Executes dropped EXE
PID:2320 -
\??\c:\m6648.exec:\m6648.exe43⤵
- Executes dropped EXE
PID:4940 -
\??\c:\8220826.exec:\8220826.exe44⤵
- Executes dropped EXE
PID:364 -
\??\c:\tnnhbb.exec:\tnnhbb.exe45⤵
- Executes dropped EXE
PID:372 -
\??\c:\w22868.exec:\w22868.exe46⤵
- Executes dropped EXE
PID:4788 -
\??\c:\rflffxx.exec:\rflffxx.exe47⤵
- Executes dropped EXE
PID:4740 -
\??\c:\g0208.exec:\g0208.exe48⤵
- Executes dropped EXE
PID:3692 -
\??\c:\7jdvj.exec:\7jdvj.exe49⤵
- Executes dropped EXE
PID:812 -
\??\c:\42448.exec:\42448.exe50⤵
- Executes dropped EXE
PID:4312 -
\??\c:\8620260.exec:\8620260.exe51⤵
- Executes dropped EXE
PID:4324 -
\??\c:\9lxrllx.exec:\9lxrllx.exe52⤵
- Executes dropped EXE
PID:1764 -
\??\c:\640426.exec:\640426.exe53⤵
- Executes dropped EXE
PID:3320 -
\??\c:\3xxxrrl.exec:\3xxxrrl.exe54⤵
- Executes dropped EXE
PID:732 -
\??\c:\frfrlfr.exec:\frfrlfr.exe55⤵
- Executes dropped EXE
PID:848 -
\??\c:\220660.exec:\220660.exe56⤵
- Executes dropped EXE
PID:3880 -
\??\c:\fllfrrl.exec:\fllfrrl.exe57⤵
- Executes dropped EXE
PID:3644 -
\??\c:\s4260.exec:\s4260.exe58⤵
- Executes dropped EXE
PID:2140 -
\??\c:\86248.exec:\86248.exe59⤵
- Executes dropped EXE
PID:2144 -
\??\c:\6844888.exec:\6844888.exe60⤵
- Executes dropped EXE
PID:384 -
\??\c:\jvdpp.exec:\jvdpp.exe61⤵
- Executes dropped EXE
PID:424 -
\??\c:\frlxllx.exec:\frlxllx.exe62⤵
- Executes dropped EXE
PID:4592 -
\??\c:\hhhbtt.exec:\hhhbtt.exe63⤵
- Executes dropped EXE
PID:3480 -
\??\c:\ffrlxrl.exec:\ffrlxrl.exe64⤵
- Executes dropped EXE
PID:1804 -
\??\c:\606044.exec:\606044.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4616 -
\??\c:\5hbnbt.exec:\5hbnbt.exe66⤵PID:3184
-
\??\c:\6468444.exec:\6468444.exe67⤵PID:1284
-
\??\c:\xxxrfxr.exec:\xxxrfxr.exe68⤵PID:684
-
\??\c:\246206.exec:\246206.exe69⤵PID:3156
-
\??\c:\7tnhtn.exec:\7tnhtn.exe70⤵PID:4156
-
\??\c:\20822.exec:\20822.exe71⤵PID:4808
-
\??\c:\68486.exec:\68486.exe72⤵PID:2920
-
\??\c:\4460662.exec:\4460662.exe73⤵PID:4256
-
\??\c:\066606.exec:\066606.exe74⤵PID:1452
-
\??\c:\0628806.exec:\0628806.exe75⤵PID:2736
-
\??\c:\5djjd.exec:\5djjd.exe76⤵PID:3384
-
\??\c:\28486.exec:\28486.exe77⤵PID:2180
-
\??\c:\rlfxfxr.exec:\rlfxfxr.exe78⤵PID:2052
-
\??\c:\0004822.exec:\0004822.exe79⤵PID:2284
-
\??\c:\8804222.exec:\8804222.exe80⤵PID:2712
-
\??\c:\40482.exec:\40482.exe81⤵PID:716
-
\??\c:\20200.exec:\20200.exe82⤵PID:3232
-
\??\c:\48820.exec:\48820.exe83⤵PID:4764
-
\??\c:\9hnhtt.exec:\9hnhtt.exe84⤵PID:1028
-
\??\c:\48666.exec:\48666.exe85⤵PID:2252
-
\??\c:\c220826.exec:\c220826.exe86⤵PID:3024
-
\??\c:\a8822.exec:\a8822.exe87⤵PID:5004
-
\??\c:\bbthnh.exec:\bbthnh.exe88⤵PID:3696
-
\??\c:\vdvpj.exec:\vdvpj.exe89⤵PID:2388
-
\??\c:\rfrlflf.exec:\rfrlflf.exe90⤵PID:1568
-
\??\c:\flrrrrl.exec:\flrrrrl.exe91⤵PID:4684
-
\??\c:\7rxxlfl.exec:\7rxxlfl.exe92⤵PID:2744
-
\??\c:\842222.exec:\842222.exe93⤵PID:3900
-
\??\c:\w26008.exec:\w26008.exe94⤵PID:2340
-
\??\c:\2260268.exec:\2260268.exe95⤵PID:2408
-
\??\c:\i460482.exec:\i460482.exe96⤵PID:900
-
\??\c:\60260.exec:\60260.exe97⤵PID:2916
-
\??\c:\jdjdp.exec:\jdjdp.exe98⤵PID:4928
-
\??\c:\u444882.exec:\u444882.exe99⤵PID:4812
-
\??\c:\pddvj.exec:\pddvj.exe100⤵PID:1748
-
\??\c:\jpppd.exec:\jpppd.exe101⤵PID:3484
-
\??\c:\2004000.exec:\2004000.exe102⤵PID:4352
-
\??\c:\pppdd.exec:\pppdd.exe103⤵PID:1880
-
\??\c:\lllxrfx.exec:\lllxrfx.exe104⤵PID:2064
-
\??\c:\c000822.exec:\c000822.exe105⤵PID:376
-
\??\c:\nbhtbb.exec:\nbhtbb.exe106⤵PID:2040
-
\??\c:\48062.exec:\48062.exe107⤵PID:2156
-
\??\c:\fxrfllf.exec:\fxrfllf.exe108⤵PID:228
-
\??\c:\a4826.exec:\a4826.exe109⤵PID:4900
-
\??\c:\ffxllxr.exec:\ffxllxr.exe110⤵PID:4968
-
\??\c:\1bbnbt.exec:\1bbnbt.exe111⤵PID:4804
-
\??\c:\fxlflfl.exec:\fxlflfl.exe112⤵PID:4600
-
\??\c:\hnhhhh.exec:\hnhhhh.exe113⤵PID:1484
-
\??\c:\2848608.exec:\2848608.exe114⤵PID:3748
-
\??\c:\8282600.exec:\8282600.exe115⤵PID:1524
-
\??\c:\864444.exec:\864444.exe116⤵PID:3520
-
\??\c:\e84208.exec:\e84208.exe117⤵PID:2160
-
\??\c:\e22040.exec:\e22040.exe118⤵PID:848
-
\??\c:\840860.exec:\840860.exe119⤵PID:3560
-
\??\c:\0624260.exec:\0624260.exe120⤵PID:3496
-
\??\c:\ppppj.exec:\ppppj.exe121⤵PID:1596
-
\??\c:\1bbthb.exec:\1bbthb.exe122⤵PID:3104