Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 21:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f9c7ee941bec33f38aaab322f20f12dcf5530ebbd60d11d4741baeb327f4f29dN.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
f9c7ee941bec33f38aaab322f20f12dcf5530ebbd60d11d4741baeb327f4f29dN.exe
-
Size
495KB
-
MD5
843be149f32c55ef88c4925783dedca0
-
SHA1
3dea64d371f6777705f47237681e2c0433ac9423
-
SHA256
f9c7ee941bec33f38aaab322f20f12dcf5530ebbd60d11d4741baeb327f4f29d
-
SHA512
63c3dc6b2cdccb148fe47ceaa0be48b59f9862795b6d8852d4d41a24cc19e1075facee0ff8276eaa644347ee64cb307cf4c1c5b8830535137206d8489876214a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2CfNnkymTwaJ3o8K31Os:q7Tc2NYHUrAwfMHNnpls48I1Os
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1508-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2320-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2212-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3036-963-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4516 820620.exe 3304 vvjjv.exe 4920 u002004.exe 1592 dvvdv.exe 4052 7tnbtt.exe 3580 8202664.exe 1528 2886082.exe 1756 6084006.exe 2224 ddpvj.exe 4292 248068.exe 2016 u464482.exe 2312 dpjjp.exe 3276 6880682.exe 2708 4444666.exe 732 c288222.exe 3336 7jjdd.exe 4852 04660.exe 4616 bbbtnn.exe 512 frrlxrl.exe 4124 nbhhnn.exe 2604 htbbtt.exe 1636 q24482.exe 2696 204448.exe 4432 fflxrrl.exe 3156 pvpjj.exe 1608 42206.exe 4628 o442660.exe 4392 u288226.exe 836 260466.exe 2320 ppdvv.exe 4672 dpvpj.exe 4700 3hnbnb.exe 1652 pdvjv.exe 3764 vppjd.exe 2348 4448048.exe 1864 bhtbnt.exe 3428 vddvv.exe 800 5ppjd.exe 5064 204866.exe 1500 0848824.exe 2280 5dvvd.exe 3412 0622660.exe 772 btnthn.exe 1668 48408.exe 3268 ttbbbn.exe 3036 5jdvj.exe 3344 8622604.exe 4412 dvdjv.exe 4668 vdpdv.exe 636 c866884.exe 4468 frxrfxr.exe 116 4220480.exe 1220 4882288.exe 4308 0486600.exe 2676 3ntnbh.exe 220 o204848.exe 4876 u248882.exe 1156 868208.exe 3116 686006.exe 1028 828844.exe 1540 7nhnnt.exe 1528 4626280.exe 4692 dpvvp.exe 4956 rrrllll.exe -
resource yara_rule behavioral2/memory/1508-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-184-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4700-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-363-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4420-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-748-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i664822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8466600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8682222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w84206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 842868.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4822004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2022848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnntt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1508 wrote to memory of 4516 1508 f9c7ee941bec33f38aaab322f20f12dcf5530ebbd60d11d4741baeb327f4f29dN.exe 83 PID 1508 wrote to memory of 4516 1508 f9c7ee941bec33f38aaab322f20f12dcf5530ebbd60d11d4741baeb327f4f29dN.exe 83 PID 1508 wrote to memory of 4516 1508 f9c7ee941bec33f38aaab322f20f12dcf5530ebbd60d11d4741baeb327f4f29dN.exe 83 PID 4516 wrote to memory of 3304 4516 820620.exe 84 PID 4516 wrote to memory of 3304 4516 820620.exe 84 PID 4516 wrote to memory of 3304 4516 820620.exe 84 PID 3304 wrote to memory of 4920 3304 vvjjv.exe 85 PID 3304 wrote to memory of 4920 3304 vvjjv.exe 85 PID 3304 wrote to memory of 4920 3304 vvjjv.exe 85 PID 4920 wrote to memory of 1592 4920 u002004.exe 86 PID 4920 wrote to memory of 1592 4920 u002004.exe 86 PID 4920 wrote to memory of 1592 4920 u002004.exe 86 PID 1592 wrote to memory of 4052 1592 dvvdv.exe 87 PID 1592 wrote to memory of 4052 1592 dvvdv.exe 87 PID 1592 wrote to memory of 4052 1592 dvvdv.exe 87 PID 4052 wrote to memory of 3580 4052 7tnbtt.exe 88 PID 4052 wrote to memory of 3580 4052 7tnbtt.exe 88 PID 4052 wrote to memory of 3580 4052 7tnbtt.exe 88 PID 3580 wrote to memory of 1528 3580 8202664.exe 89 PID 3580 wrote to memory of 1528 3580 8202664.exe 89 PID 3580 wrote to memory of 1528 3580 8202664.exe 89 PID 1528 wrote to memory of 1756 1528 2886082.exe 90 PID 1528 wrote to memory of 1756 1528 2886082.exe 90 PID 1528 wrote to memory of 1756 1528 2886082.exe 90 PID 1756 wrote to memory of 2224 1756 6084006.exe 91 PID 1756 wrote to memory of 2224 1756 6084006.exe 91 PID 1756 wrote to memory of 2224 1756 6084006.exe 91 PID 2224 wrote to memory of 4292 2224 ddpvj.exe 92 PID 2224 wrote to memory of 4292 2224 ddpvj.exe 92 PID 2224 wrote to memory of 4292 2224 ddpvj.exe 92 PID 4292 wrote to memory of 2016 4292 248068.exe 93 PID 4292 wrote to memory of 2016 4292 248068.exe 93 PID 4292 wrote to memory of 2016 4292 248068.exe 93 PID 2016 wrote to memory of 2312 2016 u464482.exe 94 PID 2016 
wrote to memory of 2312 2016 u464482.exe 94 PID 2016 wrote to memory of 2312 2016 u464482.exe 94 PID 2312 wrote to memory of 3276 2312 dpjjp.exe 95 PID 2312 wrote to memory of 3276 2312 dpjjp.exe 95 PID 2312 wrote to memory of 3276 2312 dpjjp.exe 95 PID 3276 wrote to memory of 2708 3276 6880682.exe 96 PID 3276 wrote to memory of 2708 3276 6880682.exe 96 PID 3276 wrote to memory of 2708 3276 6880682.exe 96 PID 2708 wrote to memory of 732 2708 4444666.exe 97 PID 2708 wrote to memory of 732 2708 4444666.exe 97 PID 2708 wrote to memory of 732 2708 4444666.exe 97 PID 732 wrote to memory of 3336 732 c288222.exe 98 PID 732 wrote to memory of 3336 732 c288222.exe 98 PID 732 wrote to memory of 3336 732 c288222.exe 98 PID 3336 wrote to memory of 4852 3336 7jjdd.exe 99 PID 3336 wrote to memory of 4852 3336 7jjdd.exe 99 PID 3336 wrote to memory of 4852 3336 7jjdd.exe 99 PID 4852 wrote to memory of 4616 4852 04660.exe 100 PID 4852 wrote to memory of 4616 4852 04660.exe 100 PID 4852 wrote to memory of 4616 4852 04660.exe 100 PID 4616 wrote to memory of 512 4616 bbbtnn.exe 101 PID 4616 wrote to memory of 512 4616 bbbtnn.exe 101 PID 4616 wrote to memory of 512 4616 bbbtnn.exe 101 PID 512 wrote to memory of 4124 512 frrlxrl.exe 102 PID 512 wrote to memory of 4124 512 frrlxrl.exe 102 PID 512 wrote to memory of 4124 512 frrlxrl.exe 102 PID 4124 wrote to memory of 2604 4124 nbhhnn.exe 103 PID 4124 wrote to memory of 2604 4124 nbhhnn.exe 103 PID 4124 wrote to memory of 2604 4124 nbhhnn.exe 103 PID 2604 wrote to memory of 1636 2604 htbbtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9c7ee941bec33f38aaab322f20f12dcf5530ebbd60d11d4741baeb327f4f29dN.exe"C:\Users\Admin\AppData\Local\Temp\f9c7ee941bec33f38aaab322f20f12dcf5530ebbd60d11d4741baeb327f4f29dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\820620.exec:\820620.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\vvjjv.exec:\vvjjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\u002004.exec:\u002004.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\dvvdv.exec:\dvvdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\7tnbtt.exec:\7tnbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\8202664.exec:\8202664.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\2886082.exec:\2886082.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\6084006.exec:\6084006.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\ddpvj.exec:\ddpvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\248068.exec:\248068.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\u464482.exec:\u464482.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\dpjjp.exec:\dpjjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\6880682.exec:\6880682.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\4444666.exec:\4444666.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\c288222.exec:\c288222.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\7jjdd.exec:\7jjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\04660.exec:\04660.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\bbbtnn.exec:\bbbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\frrlxrl.exec:\frrlxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\nbhhnn.exec:\nbhhnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\htbbtt.exec:\htbbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\q24482.exec:\q24482.exe23⤵
- Executes dropped EXE
PID:1636 -
\??\c:\204448.exec:\204448.exe24⤵
- Executes dropped EXE
PID:2696 -
\??\c:\fflxrrl.exec:\fflxrrl.exe25⤵
- Executes dropped EXE
PID:4432 -
\??\c:\pvpjj.exec:\pvpjj.exe26⤵
- Executes dropped EXE
PID:3156 -
\??\c:\42206.exec:\42206.exe27⤵
- Executes dropped EXE
PID:1608 -
\??\c:\o442660.exec:\o442660.exe28⤵
- Executes dropped EXE
PID:4628 -
\??\c:\u288226.exec:\u288226.exe29⤵
- Executes dropped EXE
PID:4392 -
\??\c:\260466.exec:\260466.exe30⤵
- Executes dropped EXE
PID:836 -
\??\c:\ppdvv.exec:\ppdvv.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\dpvpj.exec:\dpvpj.exe32⤵
- Executes dropped EXE
PID:4672 -
\??\c:\3hnbnb.exec:\3hnbnb.exe33⤵
- Executes dropped EXE
PID:4700 -
\??\c:\pdvjv.exec:\pdvjv.exe34⤵
- Executes dropped EXE
PID:1652 -
\??\c:\vppjd.exec:\vppjd.exe35⤵
- Executes dropped EXE
PID:3764 -
\??\c:\4448048.exec:\4448048.exe36⤵
- Executes dropped EXE
PID:2348 -
\??\c:\bhtbnt.exec:\bhtbnt.exe37⤵
- Executes dropped EXE
PID:1864 -
\??\c:\vddvv.exec:\vddvv.exe38⤵
- Executes dropped EXE
PID:3428 -
\??\c:\5ppjd.exec:\5ppjd.exe39⤵
- Executes dropped EXE
PID:800 -
\??\c:\204866.exec:\204866.exe40⤵
- Executes dropped EXE
PID:5064 -
\??\c:\0848824.exec:\0848824.exe41⤵
- Executes dropped EXE
PID:1500 -
\??\c:\5dvvd.exec:\5dvvd.exe42⤵
- Executes dropped EXE
PID:2280 -
\??\c:\0622660.exec:\0622660.exe43⤵
- Executes dropped EXE
PID:3412 -
\??\c:\btnthn.exec:\btnthn.exe44⤵
- Executes dropped EXE
PID:772 -
\??\c:\48408.exec:\48408.exe45⤵
- Executes dropped EXE
PID:1668 -
\??\c:\ttbbbn.exec:\ttbbbn.exe46⤵
- Executes dropped EXE
PID:3268 -
\??\c:\5jdvj.exec:\5jdvj.exe47⤵
- Executes dropped EXE
PID:3036 -
\??\c:\8622604.exec:\8622604.exe48⤵
- Executes dropped EXE
PID:3344 -
\??\c:\dvdjv.exec:\dvdjv.exe49⤵
- Executes dropped EXE
PID:4412 -
\??\c:\vdpdv.exec:\vdpdv.exe50⤵
- Executes dropped EXE
PID:4668 -
\??\c:\c866884.exec:\c866884.exe51⤵
- Executes dropped EXE
PID:636 -
\??\c:\frxrfxr.exec:\frxrfxr.exe52⤵
- Executes dropped EXE
PID:4468 -
\??\c:\4220480.exec:\4220480.exe53⤵
- Executes dropped EXE
PID:116 -
\??\c:\4882288.exec:\4882288.exe54⤵
- Executes dropped EXE
PID:1220 -
\??\c:\0486600.exec:\0486600.exe55⤵
- Executes dropped EXE
PID:4308 -
\??\c:\3ntnbh.exec:\3ntnbh.exe56⤵
- Executes dropped EXE
PID:2676 -
\??\c:\o204848.exec:\o204848.exe57⤵
- Executes dropped EXE
PID:220 -
\??\c:\u248882.exec:\u248882.exe58⤵
- Executes dropped EXE
PID:4876 -
\??\c:\868208.exec:\868208.exe59⤵
- Executes dropped EXE
PID:1156 -
\??\c:\686006.exec:\686006.exe60⤵
- Executes dropped EXE
PID:3116 -
\??\c:\828844.exec:\828844.exe61⤵
- Executes dropped EXE
PID:1028 -
\??\c:\7nhnnt.exec:\7nhnnt.exe62⤵
- Executes dropped EXE
PID:1540 -
\??\c:\4626280.exec:\4626280.exe63⤵
- Executes dropped EXE
PID:1528 -
\??\c:\dpvvp.exec:\dpvvp.exe64⤵
- Executes dropped EXE
PID:4692 -
\??\c:\rrrllll.exec:\rrrllll.exe65⤵
- Executes dropped EXE
PID:4956 -
\??\c:\htbttn.exec:\htbttn.exe66⤵PID:2600
-
\??\c:\6048204.exec:\6048204.exe67⤵PID:1356
-
\??\c:\2882660.exec:\2882660.exe68⤵PID:2016
-
\??\c:\bbtnhh.exec:\bbtnhh.exe69⤵PID:3360
-
\??\c:\842868.exec:\842868.exe70⤵
- System Location Discovery: System Language Discovery
PID:3180 -
\??\c:\fllllrr.exec:\fllllrr.exe71⤵PID:1392
-
\??\c:\nttttt.exec:\nttttt.exe72⤵PID:3536
-
\??\c:\624488.exec:\624488.exe73⤵PID:2708
-
\??\c:\5jvvp.exec:\5jvvp.exe74⤵PID:2012
-
\??\c:\262266.exec:\262266.exe75⤵PID:3336
-
\??\c:\jjpjd.exec:\jjpjd.exe76⤵PID:964
-
\??\c:\jpvdv.exec:\jpvdv.exe77⤵PID:4852
-
\??\c:\8648806.exec:\8648806.exe78⤵PID:1752
-
\??\c:\nhhthb.exec:\nhhthb.exe79⤵PID:2212
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe80⤵
- System Location Discovery: System Language Discovery
PID:3616 -
\??\c:\bbnhbb.exec:\bbnhbb.exe81⤵PID:2276
-
\??\c:\3vjpp.exec:\3vjpp.exe82⤵PID:3480
-
\??\c:\jjjjd.exec:\jjjjd.exe83⤵PID:1636
-
\??\c:\g0806.exec:\g0806.exe84⤵PID:468
-
\??\c:\4622060.exec:\4622060.exe85⤵PID:4432
-
\??\c:\4064208.exec:\4064208.exe86⤵PID:4420
-
\??\c:\htbnhn.exec:\htbnhn.exe87⤵PID:3284
-
\??\c:\btnhtn.exec:\btnhtn.exe88⤵PID:4960
-
\??\c:\e88682.exec:\e88682.exe89⤵PID:4060
-
\??\c:\2064446.exec:\2064446.exe90⤵PID:2812
-
\??\c:\6026482.exec:\6026482.exe91⤵PID:1504
-
\??\c:\02860.exec:\02860.exe92⤵PID:3576
-
\??\c:\7nbttn.exec:\7nbttn.exe93⤵PID:940
-
\??\c:\pdvpd.exec:\pdvpd.exe94⤵PID:1424
-
\??\c:\4228622.exec:\4228622.exe95⤵PID:3224
-
\??\c:\a8260.exec:\a8260.exe96⤵PID:1772
-
\??\c:\pvdpd.exec:\pvdpd.exe97⤵PID:1496
-
\??\c:\88860.exec:\88860.exe98⤵PID:3764
-
\??\c:\280628.exec:\280628.exe99⤵PID:2348
-
\??\c:\86086.exec:\86086.exe100⤵PID:1824
-
\??\c:\hbnbbt.exec:\hbnbbt.exe101⤵PID:3404
-
\??\c:\w66420.exec:\w66420.exe102⤵PID:2044
-
\??\c:\0066042.exec:\0066042.exe103⤵PID:2960
-
\??\c:\86024.exec:\86024.exe104⤵PID:2024
-
\??\c:\nnbbtt.exec:\nnbbtt.exe105⤵PID:1184
-
\??\c:\jpvpj.exec:\jpvpj.exe106⤵PID:4948
-
\??\c:\8004826.exec:\8004826.exe107⤵PID:1076
-
\??\c:\u884880.exec:\u884880.exe108⤵PID:1092
-
\??\c:\pvvpj.exec:\pvvpj.exe109⤵PID:4932
-
\??\c:\nnbthb.exec:\nnbthb.exe110⤵PID:1840
-
\??\c:\tttntt.exec:\tttntt.exe111⤵PID:4872
-
\??\c:\842200.exec:\842200.exe112⤵PID:3164
-
\??\c:\jpjpd.exec:\jpjpd.exe113⤵PID:4668
-
\??\c:\22822.exec:\22822.exe114⤵PID:1616
-
\??\c:\lrrrlrl.exec:\lrrrlrl.exe115⤵PID:1520
-
\??\c:\o884004.exec:\o884004.exe116⤵PID:3920
-
\??\c:\nttnhh.exec:\nttnhh.exe117⤵PID:1220
-
\??\c:\3xlfxlf.exec:\3xlfxlf.exe118⤵PID:2968
-
\??\c:\vvjjd.exec:\vvjjd.exe119⤵PID:2572
-
\??\c:\a6248.exec:\a6248.exe120⤵PID:640
-
\??\c:\tbbnbh.exec:\tbbnbh.exe121⤵PID:3988
-
\??\c:\w00606.exec:\w00606.exe122⤵PID:1720