Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 21:35
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe
Resource
win7-20240708-en (behavioral1 task). Note the header above lists platform windows10-2004_x64 / resource win10v2004-20241007-en, and every memory-dump IoC on this page is tagged behavioral2, so the detail below appears to come from the Windows 10 run rather than this Windows 7 task.
7 signatures
120 seconds
General
-
Target
dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe
-
Size
453KB
-
MD5
604db61ad7c97378efd7a3515ea1c41d
-
SHA1
323f621ccc8593b0a2170a50a1ab9a827e3be608
-
SHA256
dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b
-
SHA512
11c91f7dafe62b1420efeaba6e1dbd868b29c9184c89259918ef92bfbf786ddf05079000732051746b9715f9d6fff0e3cd9c8a563e3d36a66fdd7eb794ed4b38
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs. Every match below is a YARA hit on a memory dump of a running process (image region 0x00400000–0x0042A000), not on the file on disk; the same region is also tagged `upx` in the packer section, so the family rule fires on the unpacked in-memory image. The count of 64 appears to be a display cap (every signature on this page reports exactly 64 IoCs while the process tree below runs to level 122), so treat it as a lower bound.
resource yara_rule behavioral2/memory/1704-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4808-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3488-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-1077-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-1117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-1339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3480-1545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (lower bound; the process tree below continues to level 122). Each dropped binary is written directly under the drive root as `c:\<name>.exe`, with a short name drawn from a small character set (b, d, f, h, j, l, n, p, r, t, v, x, optionally with a leading digit), and is launched by the previously dropped one, forming a linear parent→child chain. Because the individual names vary, the root-level drop path and the chain depth are the useful detection pivots rather than any specific filename.
pid Process 1432 ddjvj.exe 3268 tnhbhh.exe 2612 vpjvp.exe 1648 dpvjp.exe 3324 1xfxrlr.exe 4572 hththn.exe 4536 7nthnh.exe 2476 ffrlfxr.exe 1068 ntnbnb.exe 1964 rxrflxf.exe 1076 htthth.exe 4704 lxxlxrf.exe 4940 pjdvj.exe 2744 bnnhtn.exe 4788 bntbtn.exe 1604 jjdvp.exe 3056 lrrfrfr.exe 1484 bntbnh.exe 4164 djjpd.exe 3016 xxrxllx.exe 3820 5hnbtn.exe 5072 jdvjp.exe 4196 vpdpp.exe 4968 htbnbt.exe 1240 nnnbnb.exe 4808 9jdvp.exe 2508 9hhtht.exe 3744 nnnbtn.exe 1276 jddpp.exe 3516 flflrxx.exe 3900 pdvpd.exe 2288 bttnhh.exe 2564 pvjvv.exe 4516 xlxrffx.exe 3960 7thnhn.exe 2120 ppdvj.exe 3448 1pjvp.exe 4648 ffxrlfr.exe 4016 1thbtb.exe 2976 nbtthn.exe 2700 1jpdj.exe 1408 xlrfrll.exe 3180 nbbhhb.exe 1684 pjdpj.exe 4540 7dpjd.exe 3984 htbnnh.exe 4916 3btntn.exe 2736 pjpdd.exe 224 lrffflf.exe 924 hthbtn.exe 3648 dpdpd.exe 2996 7xlfrfl.exe 2740 xlrfxlf.exe 3704 bhthnh.exe 1592 jjvpp.exe 1976 pdvjv.exe 2476 nbbnbt.exe 1992 pvpdd.exe 1844 pddvp.exe 436 rxfxrlf.exe 4412 hnnnbt.exe 3432 vppdv.exe 1628 lxrlrrf.exe 4236 3hthth.exe -
resource yara_rule behavioral2/memory/1704-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3744-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3252-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-1077-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-1117-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs. Most entries below are attributed to "Process not Found", meaning the sandbox could not map the registry open to a live process (presumably because the short-lived dropped executables had already exited by the time the event was resolved); only twelve are tied to a named process (pvpjv.exe, btbtnb.exe, 9jjvj.exe, bhthnh.exe, 1frflfr.exe, rffxrrf.exe, 9hhthb.exe, hththn.exe, rrxrrrl.exe, nbhbnh.exe, 1lfffrl.exe, dpvvp.exe).
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also a routine, benign operation (locale initialisation), so this signature is low-confidence on its own and only carries weight in combination with the dropped-EXE chain and the Blackmoon memory matches above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hththn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (lower bound). Every write recorded below goes from a process to the child it spawns next in the chain (1704 → 1432, 1432 → 3268, 3268 → 2612, …), three entries per pair, so this looks like parent-to-child writes around process start-up rather than injection into an unrelated process; confirm the target is not a pre-existing process before treating it as code injection.
description pid Process procid_target PID 1704 wrote to memory of 1432 1704 dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe 82 PID 1704 wrote to memory of 1432 1704 dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe 82 PID 1704 wrote to memory of 1432 1704 dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe 82 PID 1432 wrote to memory of 3268 1432 ddjvj.exe 83 PID 1432 wrote to memory of 3268 1432 ddjvj.exe 83 PID 1432 wrote to memory of 3268 1432 ddjvj.exe 83 PID 3268 wrote to memory of 2612 3268 tnhbhh.exe 84 PID 3268 wrote to memory of 2612 3268 tnhbhh.exe 84 PID 3268 wrote to memory of 2612 3268 tnhbhh.exe 84 PID 2612 wrote to memory of 1648 2612 vpjvp.exe 85 PID 2612 wrote to memory of 1648 2612 vpjvp.exe 85 PID 2612 wrote to memory of 1648 2612 vpjvp.exe 85 PID 1648 wrote to memory of 3324 1648 dpvjp.exe 86 PID 1648 wrote to memory of 3324 1648 dpvjp.exe 86 PID 1648 wrote to memory of 3324 1648 dpvjp.exe 86 PID 3324 wrote to memory of 4572 3324 1xfxrlr.exe 87 PID 3324 wrote to memory of 4572 3324 1xfxrlr.exe 87 PID 3324 wrote to memory of 4572 3324 1xfxrlr.exe 87 PID 4572 wrote to memory of 4536 4572 hththn.exe 88 PID 4572 wrote to memory of 4536 4572 hththn.exe 88 PID 4572 wrote to memory of 4536 4572 hththn.exe 88 PID 4536 wrote to memory of 2476 4536 7nthnh.exe 89 PID 4536 wrote to memory of 2476 4536 7nthnh.exe 89 PID 4536 wrote to memory of 2476 4536 7nthnh.exe 89 PID 2476 wrote to memory of 1068 2476 ffrlfxr.exe 90 PID 2476 wrote to memory of 1068 2476 ffrlfxr.exe 90 PID 2476 wrote to memory of 1068 2476 ffrlfxr.exe 90 PID 1068 wrote to memory of 1964 1068 ntnbnb.exe 91 PID 1068 wrote to memory of 1964 1068 ntnbnb.exe 91 PID 1068 wrote to memory of 1964 1068 ntnbnb.exe 91 PID 1964 wrote to memory of 1076 1964 rxrflxf.exe 92 PID 1964 wrote to memory of 1076 1964 rxrflxf.exe 92 PID 1964 wrote to memory of 1076 1964 rxrflxf.exe 92 PID 1076 wrote to memory of 4704 1076 htthth.exe 93 PID 1076 wrote to 
memory of 4704 1076 htthth.exe 93 PID 1076 wrote to memory of 4704 1076 htthth.exe 93 PID 4704 wrote to memory of 4940 4704 lxxlxrf.exe 94 PID 4704 wrote to memory of 4940 4704 lxxlxrf.exe 94 PID 4704 wrote to memory of 4940 4704 lxxlxrf.exe 94 PID 4940 wrote to memory of 2744 4940 pjdvj.exe 95 PID 4940 wrote to memory of 2744 4940 pjdvj.exe 95 PID 4940 wrote to memory of 2744 4940 pjdvj.exe 95 PID 2744 wrote to memory of 4788 2744 bnnhtn.exe 96 PID 2744 wrote to memory of 4788 2744 bnnhtn.exe 96 PID 2744 wrote to memory of 4788 2744 bnnhtn.exe 96 PID 4788 wrote to memory of 1604 4788 bntbtn.exe 97 PID 4788 wrote to memory of 1604 4788 bntbtn.exe 97 PID 4788 wrote to memory of 1604 4788 bntbtn.exe 97 PID 1604 wrote to memory of 3056 1604 jjdvp.exe 98 PID 1604 wrote to memory of 3056 1604 jjdvp.exe 98 PID 1604 wrote to memory of 3056 1604 jjdvp.exe 98 PID 3056 wrote to memory of 1484 3056 lrrfrfr.exe 99 PID 3056 wrote to memory of 1484 3056 lrrfrfr.exe 99 PID 3056 wrote to memory of 1484 3056 lrrfrfr.exe 99 PID 1484 wrote to memory of 4164 1484 bntbnh.exe 100 PID 1484 wrote to memory of 4164 1484 bntbnh.exe 100 PID 1484 wrote to memory of 4164 1484 bntbnh.exe 100 PID 4164 wrote to memory of 3016 4164 djjpd.exe 101 PID 4164 wrote to memory of 3016 4164 djjpd.exe 101 PID 4164 wrote to memory of 3016 4164 djjpd.exe 101 PID 3016 wrote to memory of 3820 3016 xxrxllx.exe 102 PID 3016 wrote to memory of 3820 3016 xxrxllx.exe 102 PID 3016 wrote to memory of 3820 3016 xxrxllx.exe 102 PID 3820 wrote to memory of 5072 3820 5hnbtn.exe 103
Processes (note: PIDs are reused within this run — e.g. 2476 is both level 9 `ffrlfxr.exe` and level 59 `nbbnbt.exe`, 1432 is both level 2 `ddjvj.exe` and level 114 `jdpjp.exe`, 5072 is both level 23 `jdvjp.exe` and level 78 `3hbnbn.exe`, 2304 is both level 47 and level 112 — so correlate the memory-dump IoCs above by PID together with dump order/offset, not by PID alone)
-
C:\Users\Admin\AppData\Local\Temp\dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe"C:\Users\Admin\AppData\Local\Temp\dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\ddjvj.exec:\ddjvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\tnhbhh.exec:\tnhbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\vpjvp.exec:\vpjvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\dpvjp.exec:\dpvjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\1xfxrlr.exec:\1xfxrlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\hththn.exec:\hththn.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\7nthnh.exec:\7nthnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\ffrlfxr.exec:\ffrlfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\ntnbnb.exec:\ntnbnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\rxrflxf.exec:\rxrflxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\htthth.exec:\htthth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\pjdvj.exec:\pjdvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\bnnhtn.exec:\bnnhtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\bntbtn.exec:\bntbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\jjdvp.exec:\jjdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\lrrfrfr.exec:\lrrfrfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\bntbnh.exec:\bntbnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\djjpd.exec:\djjpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\xxrxllx.exec:\xxrxllx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\5hnbtn.exec:\5hnbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\jdvjp.exec:\jdvjp.exe23⤵
- Executes dropped EXE
PID:5072 -
\??\c:\vpdpp.exec:\vpdpp.exe24⤵
- Executes dropped EXE
PID:4196 -
\??\c:\htbnbt.exec:\htbnbt.exe25⤵
- Executes dropped EXE
PID:4968 -
\??\c:\nnnbnb.exec:\nnnbnb.exe26⤵
- Executes dropped EXE
PID:1240 -
\??\c:\9jdvp.exec:\9jdvp.exe27⤵
- Executes dropped EXE
PID:4808 -
\??\c:\9hhtht.exec:\9hhtht.exe28⤵
- Executes dropped EXE
PID:2508 -
\??\c:\nnnbtn.exec:\nnnbtn.exe29⤵
- Executes dropped EXE
PID:3744 -
\??\c:\jddpp.exec:\jddpp.exe30⤵
- Executes dropped EXE
PID:1276 -
\??\c:\flflrxx.exec:\flflrxx.exe31⤵
- Executes dropped EXE
PID:3516 -
\??\c:\pdvpd.exec:\pdvpd.exe32⤵
- Executes dropped EXE
PID:3900 -
\??\c:\bttnhh.exec:\bttnhh.exe33⤵
- Executes dropped EXE
PID:2288 -
\??\c:\pvjvv.exec:\pvjvv.exe34⤵
- Executes dropped EXE
PID:2564 -
\??\c:\xlxrffx.exec:\xlxrffx.exe35⤵
- Executes dropped EXE
PID:4516 -
\??\c:\7thnhn.exec:\7thnhn.exe36⤵
- Executes dropped EXE
PID:3960 -
\??\c:\ppdvj.exec:\ppdvj.exe37⤵
- Executes dropped EXE
PID:2120 -
\??\c:\1pjvp.exec:\1pjvp.exe38⤵
- Executes dropped EXE
PID:3448 -
\??\c:\ffxrlfr.exec:\ffxrlfr.exe39⤵
- Executes dropped EXE
PID:4648 -
\??\c:\1thbtb.exec:\1thbtb.exe40⤵
- Executes dropped EXE
PID:4016 -
\??\c:\nbtthn.exec:\nbtthn.exe41⤵
- Executes dropped EXE
PID:2976 -
\??\c:\1jpdj.exec:\1jpdj.exe42⤵
- Executes dropped EXE
PID:2700 -
\??\c:\xlrfrll.exec:\xlrfrll.exe43⤵
- Executes dropped EXE
PID:1408 -
\??\c:\nbbhhb.exec:\nbbhhb.exe44⤵
- Executes dropped EXE
PID:3180 -
\??\c:\pjdpj.exec:\pjdpj.exe45⤵
- Executes dropped EXE
PID:1684 -
\??\c:\7dpjd.exec:\7dpjd.exe46⤵
- Executes dropped EXE
PID:4540 -
\??\c:\fllfrlx.exec:\fllfrlx.exe47⤵PID:2304
-
\??\c:\htbnnh.exec:\htbnnh.exe48⤵
- Executes dropped EXE
PID:3984 -
\??\c:\3btntn.exec:\3btntn.exe49⤵
- Executes dropped EXE
PID:4916 -
\??\c:\pjpdd.exec:\pjpdd.exe50⤵
- Executes dropped EXE
PID:2736 -
\??\c:\lrffflf.exec:\lrffflf.exe51⤵
- Executes dropped EXE
PID:224 -
\??\c:\hthbtn.exec:\hthbtn.exe52⤵
- Executes dropped EXE
PID:924 -
\??\c:\dpdpd.exec:\dpdpd.exe53⤵
- Executes dropped EXE
PID:3648 -
\??\c:\7xlfrfl.exec:\7xlfrfl.exe54⤵
- Executes dropped EXE
PID:2996 -
\??\c:\xlrfxlf.exec:\xlrfxlf.exe55⤵
- Executes dropped EXE
PID:2740 -
\??\c:\bhthnh.exec:\bhthnh.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3704 -
\??\c:\jjvpp.exec:\jjvpp.exe57⤵
- Executes dropped EXE
PID:1592 -
\??\c:\pdvjv.exec:\pdvjv.exe58⤵
- Executes dropped EXE
PID:1976 -
\??\c:\nbbnbt.exec:\nbbnbt.exe59⤵
- Executes dropped EXE
PID:2476 -
\??\c:\pvpdd.exec:\pvpdd.exe60⤵
- Executes dropped EXE
PID:1992 -
\??\c:\pddvp.exec:\pddvp.exe61⤵
- Executes dropped EXE
PID:1844 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe62⤵
- Executes dropped EXE
PID:436 -
\??\c:\hnnnbt.exec:\hnnnbt.exe63⤵
- Executes dropped EXE
PID:4412 -
\??\c:\vppdv.exec:\vppdv.exe64⤵
- Executes dropped EXE
PID:3432 -
\??\c:\lxrlrrf.exec:\lxrlrrf.exe65⤵
- Executes dropped EXE
PID:1628 -
\??\c:\3hthth.exec:\3hthth.exe66⤵
- Executes dropped EXE
PID:4236 -
\??\c:\3pdpj.exec:\3pdpj.exe67⤵PID:4964
-
\??\c:\jvjdv.exec:\jvjdv.exe68⤵PID:4076
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe69⤵PID:4876
-
\??\c:\hbhhbh.exec:\hbhhbh.exe70⤵PID:2012
-
\??\c:\ppvvp.exec:\ppvvp.exe71⤵PID:3724
-
\??\c:\ddvjv.exec:\ddvjv.exe72⤵PID:1536
-
\??\c:\hbnnhh.exec:\hbnnhh.exe73⤵PID:5112
-
\??\c:\ntnbth.exec:\ntnbth.exe74⤵PID:4820
-
\??\c:\7jdvv.exec:\7jdvv.exe75⤵PID:1636
-
\??\c:\3xlrfxr.exec:\3xlrfxr.exe76⤵PID:5000
-
\??\c:\1xfrfxl.exec:\1xfrfxl.exe77⤵PID:3124
-
\??\c:\3hbnbn.exec:\3hbnbn.exe78⤵PID:5072
-
\??\c:\3ddvj.exec:\3ddvj.exe79⤵PID:4952
-
\??\c:\fxxlxrl.exec:\fxxlxrl.exe80⤵PID:2004
-
\??\c:\thnhtn.exec:\thnhtn.exe81⤵PID:4384
-
\??\c:\jddjd.exec:\jddjd.exe82⤵PID:4776
-
\??\c:\5xfxllx.exec:\5xfxllx.exe83⤵PID:2484
-
\??\c:\tbbnbn.exec:\tbbnbn.exe84⤵PID:1944
-
\??\c:\thhhbb.exec:\thhhbb.exe85⤵PID:5016
-
\??\c:\7dddv.exec:\7dddv.exe86⤵PID:2132
-
\??\c:\5xllxrf.exec:\5xllxrf.exe87⤵PID:4752
-
\??\c:\nttnbt.exec:\nttnbt.exe88⤵PID:3364
-
\??\c:\vvddj.exec:\vvddj.exe89⤵PID:2504
-
\??\c:\jvjpd.exec:\jvjpd.exe90⤵PID:3684
-
\??\c:\lrfrllf.exec:\lrfrllf.exe91⤵PID:1948
-
\??\c:\bnnhbb.exec:\bnnhbb.exe92⤵PID:3488
-
\??\c:\dppjd.exec:\dppjd.exe93⤵PID:1856
-
\??\c:\5llffxf.exec:\5llffxf.exe94⤵PID:4824
-
\??\c:\5ttnhh.exec:\5ttnhh.exe95⤵PID:1504
-
\??\c:\dvvpp.exec:\dvvpp.exe96⤵PID:4980
-
\??\c:\xlrlffx.exec:\xlrlffx.exe97⤵PID:4840
-
\??\c:\nnbthn.exec:\nnbthn.exe98⤵PID:2524
-
\??\c:\5jvdj.exec:\5jvdj.exe99⤵PID:4860
-
\??\c:\jdvvp.exec:\jdvvp.exe100⤵PID:3420
-
\??\c:\htnbth.exec:\htnbth.exe101⤵PID:4924
-
\??\c:\pdvpj.exec:\pdvpj.exe102⤵PID:552
-
\??\c:\1pvpv.exec:\1pvpv.exe103⤵PID:3848
-
\??\c:\rlrrrrl.exec:\rlrrrrl.exe104⤵PID:2448
-
\??\c:\9bnnhn.exec:\9bnnhn.exe105⤵PID:3252
-
\??\c:\pvvpj.exec:\pvvpj.exe106⤵PID:732
-
\??\c:\rrrflfr.exec:\rrrflfr.exe107⤵PID:1352
-
\??\c:\5fllflf.exec:\5fllflf.exe108⤵PID:3304
-
\??\c:\hnbbnn.exec:\hnbbnn.exe109⤵PID:332
-
\??\c:\nbhbbt.exec:\nbhbbt.exe110⤵PID:4396
-
\??\c:\dpvpj.exec:\dpvpj.exe111⤵PID:2388
-
\??\c:\1frlxxx.exec:\1frlxxx.exe112⤵PID:2304
-
\??\c:\hbbttt.exec:\hbbttt.exe113⤵PID:3156
-
\??\c:\jdpjp.exec:\jdpjp.exe114⤵PID:1432
-
\??\c:\frffxxr.exec:\frffxxr.exe115⤵PID:3612
-
\??\c:\9lxrlrl.exec:\9lxrlrl.exe116⤵PID:3672
-
\??\c:\nhnnhh.exec:\nhnnhh.exe117⤵PID:384
-
\??\c:\vjvpj.exec:\vjvpj.exe118⤵PID:4756
-
\??\c:\lxfxllf.exec:\lxfxllf.exe119⤵PID:1160
-
\??\c:\rffxrrf.exec:\rffxrrf.exe120⤵
- System Location Discovery: System Language Discovery
PID:3936 -
\??\c:\btnhbb.exec:\btnhbb.exe121⤵PID:844
-
\??\c:\vpppp.exec:\vpppp.exe122⤵PID:1668