Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 11:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe
-
Size
454KB
-
MD5
c08cae73261da112c1fa0bfd4111bd7d
-
SHA1
83f5e53605b13ad93454984445ebc1ed2dfed100
-
SHA256
3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574
-
SHA512
19aea5ec0c69166999297c4a30d62a30cd755d1ba40898c47c59206bb400e569d2cd51509bcb72516bfd455d043f8409403c5f5cab2480b0a9abac101ab6be32
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2176-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3132-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1720-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-933-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-949-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-1016-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-1077-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-1777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2176 0242820.exe 3896 jdddv.exe 1272 w68244.exe 2932 9ttnhh.exe 1808 9xlffxx.exe 3104 xlxrrrl.exe 1872 60282.exe 3672 42626.exe 2980 68826.exe 4936 xxlfxxx.exe 2564 vpjvv.exe 4052 2682620.exe 4232 djpjj.exe 1696 1nbbtt.exe 3228 ntnbbt.exe 2804 822600.exe 1008 600048.exe 556 ttnhbt.exe 3976 jddvd.exe 2848 28088.exe 3644 6484882.exe 2240 dvdvp.exe 4564 208422.exe 2864 268882.exe 3056 i404044.exe 4336 m6828.exe 664 6060400.exe 876 nbhbbt.exe 3724 84204.exe 468 o406448.exe 3772 ddddv.exe 4968 2682600.exe 928 0060448.exe 3428 82484.exe 3132 ttthnh.exe 640 0826604.exe 4272 0400488.exe 3688 vdjpv.exe 4992 402044.exe 4468 bttnhh.exe 2936 48482.exe 3968 06820.exe 2724 86200.exe 4004 2602608.exe 5020 464220.exe 3320 pvdpd.exe 4852 tbbhhb.exe 752 002666.exe 2996 nnbnbt.exe 4888 vjvjd.exe 1556 4002080.exe 3124 48044.exe 4972 dvpdd.exe 1936 hhthtn.exe 4656 vjpdv.exe 3500 006422.exe 2424 042042.exe 4456 46648.exe 3996 862660.exe 4756 08882.exe 3608 djjdv.exe 1504 6804608.exe 2036 fxrfrrf.exe 2608 2626486.exe -
resource yara_rule behavioral2/memory/2176-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3772-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-405-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4852-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-694-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i482042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w28644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0802604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2880 wrote to memory of 2176 2880 3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe 83 PID 2880 wrote to memory of 2176 2880 3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe 83 PID 2880 wrote to memory of 2176 2880 3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe 83 PID 2176 wrote to memory of 3896 2176 0242820.exe 84 PID 2176 wrote to memory of 3896 2176 0242820.exe 84 PID 2176 wrote to memory of 3896 2176 0242820.exe 84 PID 3896 wrote to memory of 1272 3896 jdddv.exe 85 PID 3896 wrote to memory of 1272 3896 jdddv.exe 85 PID 3896 wrote to memory of 1272 3896 jdddv.exe 85 PID 1272 wrote to memory of 2932 1272 w68244.exe 86 PID 1272 wrote to memory of 2932 1272 w68244.exe 86 PID 1272 wrote to memory of 2932 1272 w68244.exe 86 PID 2932 wrote to memory of 1808 2932 9ttnhh.exe 87 PID 2932 wrote to memory of 1808 2932 9ttnhh.exe 87 PID 2932 wrote to memory of 1808 2932 9ttnhh.exe 87 PID 1808 wrote to memory of 3104 1808 9xlffxx.exe 88 PID 1808 wrote to memory of 3104 1808 9xlffxx.exe 88 PID 1808 wrote to memory of 3104 1808 9xlffxx.exe 88 PID 3104 wrote to memory of 1872 3104 xlxrrrl.exe 89 PID 3104 wrote to memory of 1872 3104 xlxrrrl.exe 89 PID 3104 wrote to memory of 1872 3104 xlxrrrl.exe 89 PID 1872 wrote to memory of 3672 1872 60282.exe 90 PID 1872 wrote to memory of 3672 1872 60282.exe 90 PID 1872 wrote to memory of 3672 1872 60282.exe 90 PID 3672 wrote to memory of 2980 3672 42626.exe 91 PID 3672 wrote to memory of 2980 3672 42626.exe 91 PID 3672 wrote to memory of 2980 3672 42626.exe 91 PID 2980 wrote to memory of 4936 2980 68826.exe 92 PID 2980 wrote to memory of 4936 2980 68826.exe 92 PID 2980 wrote to memory of 4936 2980 68826.exe 92 PID 4936 wrote to memory of 2564 4936 xxlfxxx.exe 93 PID 4936 wrote to memory of 2564 4936 xxlfxxx.exe 93 PID 4936 wrote to memory of 2564 4936 xxlfxxx.exe 93 PID 2564 wrote to memory of 4052 2564 vpjvv.exe 94 PID 2564 wrote to 
memory of 4052 2564 vpjvv.exe 94 PID 2564 wrote to memory of 4052 2564 vpjvv.exe 94 PID 4052 wrote to memory of 4232 4052 2682620.exe 95 PID 4052 wrote to memory of 4232 4052 2682620.exe 95 PID 4052 wrote to memory of 4232 4052 2682620.exe 95 PID 4232 wrote to memory of 1696 4232 djpjj.exe 96 PID 4232 wrote to memory of 1696 4232 djpjj.exe 96 PID 4232 wrote to memory of 1696 4232 djpjj.exe 96 PID 1696 wrote to memory of 3228 1696 1nbbtt.exe 97 PID 1696 wrote to memory of 3228 1696 1nbbtt.exe 97 PID 1696 wrote to memory of 3228 1696 1nbbtt.exe 97 PID 3228 wrote to memory of 2804 3228 ntnbbt.exe 98 PID 3228 wrote to memory of 2804 3228 ntnbbt.exe 98 PID 3228 wrote to memory of 2804 3228 ntnbbt.exe 98 PID 2804 wrote to memory of 1008 2804 822600.exe 99 PID 2804 wrote to memory of 1008 2804 822600.exe 99 PID 2804 wrote to memory of 1008 2804 822600.exe 99 PID 1008 wrote to memory of 556 1008 600048.exe 100 PID 1008 wrote to memory of 556 1008 600048.exe 100 PID 1008 wrote to memory of 556 1008 600048.exe 100 PID 556 wrote to memory of 3976 556 ttnhbt.exe 101 PID 556 wrote to memory of 3976 556 ttnhbt.exe 101 PID 556 wrote to memory of 3976 556 ttnhbt.exe 101 PID 3976 wrote to memory of 2848 3976 jddvd.exe 102 PID 3976 wrote to memory of 2848 3976 jddvd.exe 102 PID 3976 wrote to memory of 2848 3976 jddvd.exe 102 PID 2848 wrote to memory of 3644 2848 28088.exe 103 PID 2848 wrote to memory of 3644 2848 28088.exe 103 PID 2848 wrote to memory of 3644 2848 28088.exe 103 PID 3644 wrote to memory of 2240 3644 6484882.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe"C:\Users\Admin\AppData\Local\Temp\3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\0242820.exec:\0242820.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\jdddv.exec:\jdddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\w68244.exec:\w68244.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\9ttnhh.exec:\9ttnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\9xlffxx.exec:\9xlffxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\xlxrrrl.exec:\xlxrrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\60282.exec:\60282.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\42626.exec:\42626.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\68826.exec:\68826.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\xxlfxxx.exec:\xxlfxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\vpjvv.exec:\vpjvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\2682620.exec:\2682620.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\djpjj.exec:\djpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\1nbbtt.exec:\1nbbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\ntnbbt.exec:\ntnbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\822600.exec:\822600.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\600048.exec:\600048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\ttnhbt.exec:\ttnhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\jddvd.exec:\jddvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\28088.exec:\28088.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\6484882.exec:\6484882.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\dvdvp.exec:\dvdvp.exe23⤵
- Executes dropped EXE
PID:2240 -
\??\c:\208422.exec:\208422.exe24⤵
- Executes dropped EXE
PID:4564 -
\??\c:\268882.exec:\268882.exe25⤵
- Executes dropped EXE
PID:2864 -
\??\c:\i404044.exec:\i404044.exe26⤵
- Executes dropped EXE
PID:3056 -
\??\c:\m6828.exec:\m6828.exe27⤵
- Executes dropped EXE
PID:4336 -
\??\c:\6060400.exec:\6060400.exe28⤵
- Executes dropped EXE
PID:664 -
\??\c:\nbhbbt.exec:\nbhbbt.exe29⤵
- Executes dropped EXE
PID:876 -
\??\c:\84204.exec:\84204.exe30⤵
- Executes dropped EXE
PID:3724 -
\??\c:\o406448.exec:\o406448.exe31⤵
- Executes dropped EXE
PID:468 -
\??\c:\ddddv.exec:\ddddv.exe32⤵
- Executes dropped EXE
PID:3772 -
\??\c:\2682600.exec:\2682600.exe33⤵
- Executes dropped EXE
PID:4968 -
\??\c:\0060448.exec:\0060448.exe34⤵
- Executes dropped EXE
PID:928 -
\??\c:\82484.exec:\82484.exe35⤵
- Executes dropped EXE
PID:3428 -
\??\c:\ttthnh.exec:\ttthnh.exe36⤵
- Executes dropped EXE
PID:3132 -
\??\c:\0826604.exec:\0826604.exe37⤵
- Executes dropped EXE
PID:640 -
\??\c:\0400488.exec:\0400488.exe38⤵
- Executes dropped EXE
PID:4272 -
\??\c:\vdjpv.exec:\vdjpv.exe39⤵
- Executes dropped EXE
PID:3688 -
\??\c:\402044.exec:\402044.exe40⤵
- Executes dropped EXE
PID:4992 -
\??\c:\bttnhh.exec:\bttnhh.exe41⤵
- Executes dropped EXE
PID:4468 -
\??\c:\48482.exec:\48482.exe42⤵
- Executes dropped EXE
PID:2936 -
\??\c:\06820.exec:\06820.exe43⤵
- Executes dropped EXE
PID:3968 -
\??\c:\86200.exec:\86200.exe44⤵
- Executes dropped EXE
PID:2724 -
\??\c:\2602608.exec:\2602608.exe45⤵
- Executes dropped EXE
PID:4004 -
\??\c:\464220.exec:\464220.exe46⤵
- Executes dropped EXE
PID:5020 -
\??\c:\pvdpd.exec:\pvdpd.exe47⤵
- Executes dropped EXE
PID:3320 -
\??\c:\tbbhhb.exec:\tbbhhb.exe48⤵
- Executes dropped EXE
PID:4852 -
\??\c:\002666.exec:\002666.exe49⤵
- Executes dropped EXE
PID:752 -
\??\c:\nnbnbt.exec:\nnbnbt.exe50⤵
- Executes dropped EXE
PID:2996 -
\??\c:\vjvjd.exec:\vjvjd.exe51⤵
- Executes dropped EXE
PID:4888 -
\??\c:\4002080.exec:\4002080.exe52⤵
- Executes dropped EXE
PID:1556 -
\??\c:\48044.exec:\48044.exe53⤵
- Executes dropped EXE
PID:3124 -
\??\c:\dvpdd.exec:\dvpdd.exe54⤵
- Executes dropped EXE
PID:4972 -
\??\c:\hhthtn.exec:\hhthtn.exe55⤵
- Executes dropped EXE
PID:1936 -
\??\c:\vjpdv.exec:\vjpdv.exe56⤵
- Executes dropped EXE
PID:4656 -
\??\c:\006422.exec:\006422.exe57⤵
- Executes dropped EXE
PID:3500 -
\??\c:\042042.exec:\042042.exe58⤵
- Executes dropped EXE
PID:2424 -
\??\c:\46648.exec:\46648.exe59⤵
- Executes dropped EXE
PID:4456 -
\??\c:\862660.exec:\862660.exe60⤵
- Executes dropped EXE
PID:3996 -
\??\c:\08882.exec:\08882.exe61⤵
- Executes dropped EXE
PID:4756 -
\??\c:\djjdv.exec:\djjdv.exe62⤵
- Executes dropped EXE
PID:3608 -
\??\c:\6804608.exec:\6804608.exe63⤵
- Executes dropped EXE
PID:1504 -
\??\c:\fxrfrrf.exec:\fxrfrrf.exe64⤵
- Executes dropped EXE
PID:2036 -
\??\c:\2626486.exec:\2626486.exe65⤵
- Executes dropped EXE
PID:2608 -
\??\c:\00208.exec:\00208.exe66⤵PID:4948
-
\??\c:\480828.exec:\480828.exe67⤵PID:3252
-
\??\c:\244260.exec:\244260.exe68⤵PID:432
-
\??\c:\w42204.exec:\w42204.exe69⤵PID:4824
-
\??\c:\9llxlrr.exec:\9llxlrr.exe70⤵PID:2720
-
\??\c:\0620864.exec:\0620864.exe71⤵PID:3832
-
\??\c:\nttnbb.exec:\nttnbb.exe72⤵PID:1632
-
\??\c:\24228.exec:\24228.exe73⤵PID:2632
-
\??\c:\bbhttn.exec:\bbhttn.exe74⤵PID:3976
-
\??\c:\thhbbn.exec:\thhbbn.exe75⤵PID:4292
-
\??\c:\5hhtnh.exec:\5hhtnh.exe76⤵PID:4996
-
\??\c:\bhbthb.exec:\bhbthb.exe77⤵PID:4696
-
\??\c:\c846084.exec:\c846084.exe78⤵PID:3548
-
\??\c:\nnhbhh.exec:\nnhbhh.exe79⤵PID:4400
-
\??\c:\68442.exec:\68442.exe80⤵PID:372
-
\??\c:\jpvjv.exec:\jpvjv.exe81⤵PID:3624
-
\??\c:\c226482.exec:\c226482.exe82⤵PID:2728
-
\??\c:\20626.exec:\20626.exe83⤵PID:2508
-
\??\c:\w28082.exec:\w28082.exe84⤵PID:1080
-
\??\c:\dvppd.exec:\dvppd.exe85⤵PID:992
-
\??\c:\llxrxrl.exec:\llxrxrl.exe86⤵PID:4872
-
\??\c:\24422.exec:\24422.exe87⤵PID:3724
-
\??\c:\6882082.exec:\6882082.exe88⤵PID:1416
-
\??\c:\00262.exec:\00262.exe89⤵PID:464
-
\??\c:\20488.exec:\20488.exe90⤵PID:4124
-
\??\c:\vdjdv.exec:\vdjdv.exe91⤵PID:1332
-
\??\c:\vpdpj.exec:\vpdpj.exe92⤵PID:3848
-
\??\c:\m6204.exec:\m6204.exe93⤵PID:3428
-
\??\c:\68260.exec:\68260.exe94⤵PID:3684
-
\??\c:\e00426.exec:\e00426.exe95⤵PID:640
-
\??\c:\6660486.exec:\6660486.exe96⤵PID:1720
-
\??\c:\6464264.exec:\6464264.exe97⤵PID:4380
-
\??\c:\djjvj.exec:\djjvj.exe98⤵PID:4992
-
\??\c:\fxlxrll.exec:\fxlxrll.exe99⤵PID:2516
-
\??\c:\djpjv.exec:\djpjv.exe100⤵PID:2936
-
\??\c:\2864488.exec:\2864488.exe101⤵PID:3384
-
\??\c:\202664.exec:\202664.exe102⤵PID:3488
-
\??\c:\668248.exec:\668248.exe103⤵PID:4344
-
\??\c:\4064264.exec:\4064264.exe104⤵PID:4440
-
\??\c:\668648.exec:\668648.exe105⤵PID:4852
-
\??\c:\2204866.exec:\2204866.exe106⤵PID:552
-
\??\c:\28426.exec:\28426.exe107⤵PID:5008
-
\??\c:\hbhnbt.exec:\hbhnbt.exe108⤵PID:2932
-
\??\c:\4266048.exec:\4266048.exe109⤵PID:2928
-
\??\c:\s2200.exec:\s2200.exe110⤵PID:4656
-
\??\c:\0008820.exec:\0008820.exe111⤵PID:4040
-
\??\c:\260482.exec:\260482.exe112⤵PID:3996
-
\??\c:\m0086.exec:\m0086.exe113⤵PID:2980
-
\??\c:\s6864.exec:\s6864.exe114⤵PID:3676
-
\??\c:\402662.exec:\402662.exe115⤵PID:3276
-
\??\c:\7rfrfxr.exec:\7rfrfxr.exe116⤵
- System Location Discovery: System Language Discovery
PID:2608 -
\??\c:\o886486.exec:\o886486.exe117⤵PID:4640
-
\??\c:\jppdv.exec:\jppdv.exe118⤵PID:2088
-
\??\c:\424224.exec:\424224.exe119⤵PID:3252
-
\??\c:\jdvjv.exec:\jdvjv.exe120⤵PID:4904
-
\??\c:\486486.exec:\486486.exe121⤵PID:2244
-
\??\c:\pvvpd.exec:\pvvpd.exe122⤵PID:4964