Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe
-
Size
454KB
-
MD5
76b3947c781fd3e3181d28d91f695ac4
-
SHA1
41932a1675bbce5927dc24ded2eebd8bb9df80cd
-
SHA256
b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937
-
SHA512
41da3b27e70202d02a45d367ba362e2a63bf16763b4eff10ecaa512d32fb89e6c549e286f3e511a80845aa9a3852deb791b64d98af7edb6a0e175c83251e0813
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1100-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4072-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4116-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-928-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-1119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-1460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-1503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4044 nnnhth.exe 3512 vddpd.exe 1180 rfxxfxl.exe 2700 9nbtnt.exe 3340 3rrfxrf.exe 2324 3btnnh.exe 2040 fxxxrrr.exe 4228 pvvpp.exe 4352 xxrfxrl.exe 2924 vpddv.exe 528 7nhnbh.exe 5064 dvjpv.exe 3288 hbnbbt.exe 2400 3llflrl.exe 4564 bttnhh.exe 720 lrrlfrl.exe 232 ttnhnh.exe 3108 5pjvj.exe 1600 tbhhht.exe 5012 3bbnth.exe 696 rflxlfr.exe 3184 frlxlxl.exe 3196 pddvj.exe 408 lrlffxr.exe 3192 jjvpj.exe 2348 tbhttn.exe 4072 dpvpp.exe 1304 tntnhh.exe 1452 5hhnbn.exe 2948 dpjvj.exe 2932 bhnhtn.exe 2688 vpjvd.exe 4628 lxlxrfx.exe 4844 vjjdp.exe 1584 vvvjv.exe 632 7rrlxfx.exe 2676 hhhbnh.exe 1516 vpvpj.exe 4736 rfxxrrl.exe 2988 1tthtn.exe 3460 vddpd.exe 4440 jdppd.exe 540 xrlrllx.exe 3796 1jvjv.exe 440 dpjvd.exe 5032 1xxxrrx.exe 3896 7hbthh.exe 2056 nnnhbh.exe 2336 5pvvd.exe 3824 frxrlfx.exe 3092 bnnnhh.exe 2324 9vvpd.exe 1456 1llllrr.exe 4856 nbhbtt.exe 3300 7ttnhb.exe 1916 vpvpp.exe 3124 rxfxrlf.exe 2924 thnnbh.exe 528 tttnbb.exe 3116 ppvjd.exe 1648 fflfffx.exe 1996 7rrlfxx.exe 4624 hnbthh.exe 3204 dpvpd.exe -
resource yara_rule behavioral2/memory/1100-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1304-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4636-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-928-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llflrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxxrrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1100 wrote to memory of 4044 1100 b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe 83 PID 1100 wrote to memory of 4044 1100 b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe 83 PID 1100 wrote to memory of 4044 1100 b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe 83 PID 4044 wrote to memory of 3512 4044 nnnhth.exe 84 PID 4044 wrote to memory of 3512 4044 nnnhth.exe 84 PID 4044 wrote to memory of 3512 4044 nnnhth.exe 84 PID 3512 wrote to memory of 1180 3512 vddpd.exe 85 PID 3512 wrote to memory of 1180 3512 vddpd.exe 85 PID 3512 wrote to memory of 1180 3512 vddpd.exe 85 PID 1180 wrote to memory of 2700 1180 rfxxfxl.exe 86 PID 1180 wrote to memory of 2700 1180 rfxxfxl.exe 86 PID 1180 wrote to memory of 2700 1180 rfxxfxl.exe 86 PID 2700 wrote to memory of 3340 2700 9nbtnt.exe 87 PID 2700 wrote to memory of 3340 2700 9nbtnt.exe 87 PID 2700 wrote to memory of 3340 2700 9nbtnt.exe 87 PID 3340 wrote to memory of 2324 3340 3rrfxrf.exe 88 PID 3340 wrote to memory of 2324 3340 3rrfxrf.exe 88 PID 3340 wrote to memory of 2324 3340 3rrfxrf.exe 88 PID 2324 wrote to memory of 2040 2324 3btnnh.exe 89 PID 2324 wrote to memory of 2040 2324 3btnnh.exe 89 PID 2324 wrote to memory of 2040 2324 3btnnh.exe 89 PID 2040 wrote to memory of 4228 2040 fxxxrrr.exe 90 PID 2040 wrote to memory of 4228 2040 fxxxrrr.exe 90 PID 2040 wrote to memory of 4228 2040 fxxxrrr.exe 90 PID 4228 wrote to memory of 4352 4228 pvvpp.exe 91 PID 4228 wrote to memory of 4352 4228 pvvpp.exe 91 PID 4228 wrote to memory of 4352 4228 pvvpp.exe 91 PID 4352 wrote to memory of 2924 4352 xxrfxrl.exe 92 PID 4352 wrote to memory of 2924 4352 xxrfxrl.exe 92 PID 4352 wrote to memory of 2924 4352 xxrfxrl.exe 92 PID 2924 wrote to memory of 528 2924 vpddv.exe 93 PID 2924 wrote to memory of 528 2924 vpddv.exe 93 PID 2924 wrote to memory of 528 2924 vpddv.exe 93 PID 528 wrote to memory of 5064 528 7nhnbh.exe 94 PID 528 wrote to 
memory of 5064 528 7nhnbh.exe 94 PID 528 wrote to memory of 5064 528 7nhnbh.exe 94 PID 5064 wrote to memory of 3288 5064 dvjpv.exe 95 PID 5064 wrote to memory of 3288 5064 dvjpv.exe 95 PID 5064 wrote to memory of 3288 5064 dvjpv.exe 95 PID 3288 wrote to memory of 2400 3288 hbnbbt.exe 96 PID 3288 wrote to memory of 2400 3288 hbnbbt.exe 96 PID 3288 wrote to memory of 2400 3288 hbnbbt.exe 96 PID 2400 wrote to memory of 4564 2400 3llflrl.exe 97 PID 2400 wrote to memory of 4564 2400 3llflrl.exe 97 PID 2400 wrote to memory of 4564 2400 3llflrl.exe 97 PID 4564 wrote to memory of 720 4564 bttnhh.exe 98 PID 4564 wrote to memory of 720 4564 bttnhh.exe 98 PID 4564 wrote to memory of 720 4564 bttnhh.exe 98 PID 720 wrote to memory of 232 720 lrrlfrl.exe 99 PID 720 wrote to memory of 232 720 lrrlfrl.exe 99 PID 720 wrote to memory of 232 720 lrrlfrl.exe 99 PID 232 wrote to memory of 3108 232 ttnhnh.exe 100 PID 232 wrote to memory of 3108 232 ttnhnh.exe 100 PID 232 wrote to memory of 3108 232 ttnhnh.exe 100 PID 3108 wrote to memory of 1600 3108 5pjvj.exe 101 PID 3108 wrote to memory of 1600 3108 5pjvj.exe 101 PID 3108 wrote to memory of 1600 3108 5pjvj.exe 101 PID 1600 wrote to memory of 5012 1600 tbhhht.exe 102 PID 1600 wrote to memory of 5012 1600 tbhhht.exe 102 PID 1600 wrote to memory of 5012 1600 tbhhht.exe 102 PID 5012 wrote to memory of 696 5012 3bbnth.exe 103 PID 5012 wrote to memory of 696 5012 3bbnth.exe 103 PID 5012 wrote to memory of 696 5012 3bbnth.exe 103 PID 696 wrote to memory of 3184 696 rflxlfr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe"C:\Users\Admin\AppData\Local\Temp\b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\nnnhth.exec:\nnnhth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\vddpd.exec:\vddpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\rfxxfxl.exec:\rfxxfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\9nbtnt.exec:\9nbtnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\3rrfxrf.exec:\3rrfxrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\3btnnh.exec:\3btnnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\pvvpp.exec:\pvvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\xxrfxrl.exec:\xxrfxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\vpddv.exec:\vpddv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\7nhnbh.exec:\7nhnbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\dvjpv.exec:\dvjpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\hbnbbt.exec:\hbnbbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\3llflrl.exec:\3llflrl.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\bttnhh.exec:\bttnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\lrrlfrl.exec:\lrrlfrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\ttnhnh.exec:\ttnhnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\5pjvj.exec:\5pjvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\tbhhht.exec:\tbhhht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\3bbnth.exec:\3bbnth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\rflxlfr.exec:\rflxlfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\frlxlxl.exec:\frlxlxl.exe23⤵
- Executes dropped EXE
PID:3184 -
\??\c:\pddvj.exec:\pddvj.exe24⤵
- Executes dropped EXE
PID:3196 -
\??\c:\lrlffxr.exec:\lrlffxr.exe25⤵
- Executes dropped EXE
PID:408 -
\??\c:\jjvpj.exec:\jjvpj.exe26⤵
- Executes dropped EXE
PID:3192 -
\??\c:\tbhttn.exec:\tbhttn.exe27⤵
- Executes dropped EXE
PID:2348 -
\??\c:\dpvpp.exec:\dpvpp.exe28⤵
- Executes dropped EXE
PID:4072 -
\??\c:\tntnhh.exec:\tntnhh.exe29⤵
- Executes dropped EXE
PID:1304 -
\??\c:\5hhnbn.exec:\5hhnbn.exe30⤵
- Executes dropped EXE
PID:1452 -
\??\c:\dpjvj.exec:\dpjvj.exe31⤵
- Executes dropped EXE
PID:2948 -
\??\c:\bhnhtn.exec:\bhnhtn.exe32⤵
- Executes dropped EXE
PID:2932 -
\??\c:\vpjvd.exec:\vpjvd.exe33⤵
- Executes dropped EXE
PID:2688 -
\??\c:\lxlxrfx.exec:\lxlxrfx.exe34⤵
- Executes dropped EXE
PID:4628 -
\??\c:\vjjdp.exec:\vjjdp.exe35⤵
- Executes dropped EXE
PID:4844 -
\??\c:\vvvjv.exec:\vvvjv.exe36⤵
- Executes dropped EXE
PID:1584 -
\??\c:\7rrlxfx.exec:\7rrlxfx.exe37⤵
- Executes dropped EXE
PID:632 -
\??\c:\hhhbnh.exec:\hhhbnh.exe38⤵
- Executes dropped EXE
PID:2676 -
\??\c:\vpvpj.exec:\vpvpj.exe39⤵
- Executes dropped EXE
PID:1516 -
\??\c:\rfxxrrl.exec:\rfxxrrl.exe40⤵
- Executes dropped EXE
PID:4736 -
\??\c:\1tthtn.exec:\1tthtn.exe41⤵
- Executes dropped EXE
PID:2988 -
\??\c:\vddpd.exec:\vddpd.exe42⤵
- Executes dropped EXE
PID:3460 -
\??\c:\jdppd.exec:\jdppd.exe43⤵
- Executes dropped EXE
PID:4440 -
\??\c:\xrlrllx.exec:\xrlrllx.exe44⤵
- Executes dropped EXE
PID:540 -
\??\c:\tthnbb.exec:\tthnbb.exe45⤵PID:5076
-
\??\c:\1jvjv.exec:\1jvjv.exe46⤵
- Executes dropped EXE
PID:3796 -
\??\c:\dpjvd.exec:\dpjvd.exe47⤵
- Executes dropped EXE
PID:440 -
\??\c:\1xxxrrx.exec:\1xxxrrx.exe48⤵
- Executes dropped EXE
PID:5032 -
\??\c:\7hbthh.exec:\7hbthh.exe49⤵
- Executes dropped EXE
PID:3896 -
\??\c:\nnnhbh.exec:\nnnhbh.exe50⤵
- Executes dropped EXE
PID:2056 -
\??\c:\5pvvd.exec:\5pvvd.exe51⤵
- Executes dropped EXE
PID:2336 -
\??\c:\frxrlfx.exec:\frxrlfx.exe52⤵
- Executes dropped EXE
PID:3824 -
\??\c:\bnnnhh.exec:\bnnnhh.exe53⤵
- Executes dropped EXE
PID:3092 -
\??\c:\9vvpd.exec:\9vvpd.exe54⤵
- Executes dropped EXE
PID:2324 -
\??\c:\1llllrr.exec:\1llllrr.exe55⤵
- Executes dropped EXE
PID:1456 -
\??\c:\nbhbtt.exec:\nbhbtt.exe56⤵
- Executes dropped EXE
PID:4856 -
\??\c:\7ttnhb.exec:\7ttnhb.exe57⤵
- Executes dropped EXE
PID:3300 -
\??\c:\vpvpp.exec:\vpvpp.exe58⤵
- Executes dropped EXE
PID:1916 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe59⤵
- Executes dropped EXE
PID:3124 -
\??\c:\thnnbh.exec:\thnnbh.exe60⤵
- Executes dropped EXE
PID:2924 -
\??\c:\tttnbb.exec:\tttnbb.exe61⤵
- Executes dropped EXE
PID:528 -
\??\c:\ppvjd.exec:\ppvjd.exe62⤵
- Executes dropped EXE
PID:3116 -
\??\c:\fflfffx.exec:\fflfffx.exe63⤵
- Executes dropped EXE
PID:1648 -
\??\c:\7rrlfxx.exec:\7rrlfxx.exe64⤵
- Executes dropped EXE
PID:1996 -
\??\c:\hnbthh.exec:\hnbthh.exe65⤵
- Executes dropped EXE
PID:4624 -
\??\c:\dpvpd.exec:\dpvpd.exe66⤵
- Executes dropped EXE
PID:3204 -
\??\c:\rllfxxf.exec:\rllfxxf.exe67⤵PID:4420
-
\??\c:\rllffll.exec:\rllffll.exe68⤵PID:4464
-
\??\c:\thbttt.exec:\thbttt.exe69⤵PID:2552
-
\??\c:\pdjjv.exec:\pdjjv.exe70⤵
- System Location Discovery: System Language Discovery
PID:5004 -
\??\c:\5frlllr.exec:\5frlllr.exe71⤵PID:4092
-
\??\c:\bbhnhh.exec:\bbhnhh.exe72⤵PID:3532
-
\??\c:\tttntn.exec:\tttntn.exe73⤵PID:5104
-
\??\c:\vdjdp.exec:\vdjdp.exe74⤵PID:4340
-
\??\c:\5ffrfxl.exec:\5ffrfxl.exe75⤵PID:372
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe76⤵PID:2188
-
\??\c:\nhnntt.exec:\nhnntt.exe77⤵PID:4372
-
\??\c:\djdpv.exec:\djdpv.exe78⤵PID:3652
-
\??\c:\rlfxrlx.exec:\rlfxrlx.exe79⤵PID:2000
-
\??\c:\xrfffxx.exec:\xrfffxx.exe80⤵PID:376
-
\??\c:\bbbbht.exec:\bbbbht.exe81⤵PID:4764
-
\??\c:\vddvv.exec:\vddvv.exe82⤵PID:4756
-
\??\c:\vdppv.exec:\vdppv.exe83⤵PID:5008
-
\??\c:\ffxrffr.exec:\ffxrffr.exe84⤵PID:3220
-
\??\c:\9hhthb.exec:\9hhthb.exe85⤵PID:3768
-
\??\c:\7vvvj.exec:\7vvvj.exe86⤵PID:4116
-
\??\c:\3rlrlll.exec:\3rlrlll.exe87⤵PID:2176
-
\??\c:\bhnttn.exec:\bhnttn.exe88⤵PID:1000
-
\??\c:\bthbbb.exec:\bthbbb.exe89⤵PID:5000
-
\??\c:\vvjjv.exec:\vvjjv.exe90⤵PID:3396
-
\??\c:\frxlxxr.exec:\frxlxxr.exe91⤵PID:2480
-
\??\c:\fxfxfrl.exec:\fxfxfrl.exe92⤵PID:2472
-
\??\c:\bttnnt.exec:\bttnnt.exe93⤵PID:4580
-
\??\c:\3ddvj.exec:\3ddvj.exe94⤵PID:4964
-
\??\c:\7ppjj.exec:\7ppjj.exe95⤵PID:4184
-
\??\c:\rxllxxr.exec:\rxllxxr.exe96⤵PID:1368
-
\??\c:\fffxrlf.exec:\fffxrlf.exe97⤵PID:1236
-
\??\c:\nhhhbb.exec:\nhhhbb.exe98⤵PID:1960
-
\??\c:\jvvjp.exec:\jvvjp.exe99⤵PID:4636
-
\??\c:\xlflrlx.exec:\xlflrlx.exe100⤵PID:2912
-
\??\c:\lffxrrl.exec:\lffxrrl.exe101⤵PID:3960
-
\??\c:\thnhbt.exec:\thnhbt.exe102⤵PID:1620
-
\??\c:\1dvjp.exec:\1dvjp.exe103⤵PID:1480
-
\??\c:\rllfrrl.exec:\rllfrrl.exe104⤵PID:432
-
\??\c:\hbtbth.exec:\hbtbth.exe105⤵PID:4432
-
\??\c:\hbnhhb.exec:\hbnhhb.exe106⤵PID:872
-
\??\c:\jddvp.exec:\jddvp.exe107⤵PID:644
-
\??\c:\fffrffx.exec:\fffrffx.exe108⤵PID:4740
-
\??\c:\nhhbtn.exec:\nhhbtn.exe109⤵PID:3480
-
\??\c:\pddjd.exec:\pddjd.exe110⤵PID:3512
-
\??\c:\jvdvj.exec:\jvdvj.exe111⤵PID:5032
-
\??\c:\rffrxrl.exec:\rffrxrl.exe112⤵PID:3896
-
\??\c:\1nnbbb.exec:\1nnbbb.exe113⤵PID:4684
-
\??\c:\vvvjp.exec:\vvvjp.exe114⤵PID:212
-
\??\c:\3fflxlx.exec:\3fflxlx.exe115⤵PID:468
-
\??\c:\3thtbn.exec:\3thtbn.exe116⤵PID:2152
-
\??\c:\9vpdj.exec:\9vpdj.exe117⤵PID:4008
-
\??\c:\lxrfllx.exec:\lxrfllx.exe118⤵PID:4528
-
\??\c:\ntthtn.exec:\ntthtn.exe119⤵PID:3964
-
\??\c:\vddpv.exec:\vddpv.exe120⤵PID:1748
-
\??\c:\pddjv.exec:\pddjv.exe121⤵PID:1536
-
\??\c:\5ffrlfx.exec:\5ffrlfx.exe122⤵PID:2180