Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 12:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
42b265fe652a9630774b55859cc2fce40916bc813a969e242941ecc0195f6022.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
42b265fe652a9630774b55859cc2fce40916bc813a969e242941ecc0195f6022.exe
-
Size
456KB
-
MD5
b67a6b8c5b78cac9621d1645f2cb99ae
-
SHA1
107d4292f50d6a9ed35b34a6fde28fdcf17613da
-
SHA256
42b265fe652a9630774b55859cc2fce40916bc813a969e242941ecc0195f6022
-
SHA512
e6a4135839b9387e60f73aa1abde72eebbf486a2141a922dfac637b7770e886cffcbc584f302e8b16ada8067063ea59ecabd3eaaa6407dfb041d2dbd2cb3759e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRM:q7Tc2NYHUrAwfMp3CDRM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4712-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4636-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3792-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-921-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-1009-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-1067-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-1095-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-1321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3292 3ttnhh.exe 3680 5vppd.exe 4012 xflfrrl.exe 3164 5hbbtt.exe 2956 ddvvp.exe 2916 1pdvv.exe 4676 xrrrlll.exe 4740 ntbtnh.exe 4460 thhbtt.exe 3248 3jjdv.exe 3668 bnbhtt.exe 4220 bhtnnh.exe 1700 ddppj.exe 3984 xllxrrf.exe 1288 bhthbt.exe 4188 bbhnhb.exe 228 xxrrllf.exe 4540 tnnbtn.exe 4692 3pjdv.exe 3172 vdjdv.exe 1552 pjppp.exe 3156 3bnhhh.exe 4648 dvjdd.exe 1220 fffxllf.exe 4552 3pjdv.exe 4584 5xxxfff.exe 4636 3nnhbb.exe 3644 1flfllr.exe 4268 tnnhhh.exe 4448 pdjdd.exe 2408 hbhhnn.exe 3312 lfxrrlf.exe 728 tbhbbb.exe 60 rfrfxrr.exe 4148 ppjdd.exe 1524 hntnhb.exe 1576 5htnhb.exe 1872 jddpd.exe 4412 vdjdd.exe 2544 xrfrfff.exe 4292 7nnhbb.exe 4784 thhtnb.exe 1276 pjvjv.exe 3260 xrrfxfx.exe 4080 tnhbtt.exe 4116 1jpjv.exe 3104 pjpjv.exe 1460 tnbtnn.exe 3404 bttnbt.exe 4632 vpppd.exe 3528 rfrrrrl.exe 1196 nnnhbb.exe 4504 jvpdv.exe 3120 dvvpj.exe 3640 lrlxrlf.exe 4544 7nbtnh.exe 3824 pvjdv.exe 4340 frxrlfx.exe 2340 lfxrfxr.exe 3708 thtnnh.exe 4968 bbhbtt.exe 5044 pdjjd.exe 2576 7llxllx.exe 2980 tnhhtb.exe -
resource yara_rule behavioral2/memory/4712-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3312-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-394-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2300-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-921-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-1067-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4712 wrote to memory of 3292 4712 42b265fe652a9630774b55859cc2fce40916bc813a969e242941ecc0195f6022.exe 82 PID 4712 wrote to memory of 3292 4712 42b265fe652a9630774b55859cc2fce40916bc813a969e242941ecc0195f6022.exe 82 PID 4712 wrote to memory of 3292 4712 42b265fe652a9630774b55859cc2fce40916bc813a969e242941ecc0195f6022.exe 82 PID 3292 wrote to memory of 3680 3292 3ttnhh.exe 83 PID 3292 wrote to memory of 3680 3292 3ttnhh.exe 83 PID 3292 wrote to memory of 3680 3292 3ttnhh.exe 83 PID 3680 wrote to memory of 4012 3680 5vppd.exe 84 PID 3680 wrote to memory of 4012 3680 5vppd.exe 84 PID 3680 wrote to memory of 4012 3680 5vppd.exe 84 PID 4012 wrote to memory of 3164 4012 xflfrrl.exe 85 PID 4012 wrote to memory of 3164 4012 xflfrrl.exe 85 PID 4012 wrote to memory of 3164 4012 xflfrrl.exe 85 PID 3164 wrote to memory of 2956 3164 5hbbtt.exe 86 PID 3164 wrote to memory of 2956 3164 5hbbtt.exe 86 PID 3164 wrote to memory of 2956 3164 5hbbtt.exe 86 PID 2956 wrote to memory of 2916 2956 ddvvp.exe 87 PID 2956 wrote to memory of 2916 2956 ddvvp.exe 87 PID 2956 wrote to memory of 2916 2956 ddvvp.exe 87 PID 2916 wrote to memory of 4676 2916 1pdvv.exe 88 PID 2916 wrote to memory of 4676 2916 1pdvv.exe 88 PID 2916 wrote to memory of 4676 2916 1pdvv.exe 88 PID 4676 wrote to memory of 4740 4676 xrrrlll.exe 89 PID 4676 wrote to memory of 4740 4676 xrrrlll.exe 89 PID 4676 wrote to memory of 4740 4676 xrrrlll.exe 89 PID 4740 wrote to memory of 4460 4740 ntbtnh.exe 90 PID 4740 wrote to memory of 4460 4740 ntbtnh.exe 90 PID 4740 wrote to memory of 4460 4740 ntbtnh.exe 90 PID 4460 wrote to memory of 3248 4460 thhbtt.exe 91 PID 4460 wrote to memory of 3248 4460 thhbtt.exe 91 PID 4460 wrote to memory of 3248 4460 thhbtt.exe 91 PID 3248 wrote to memory of 3668 3248 3jjdv.exe 92 PID 3248 wrote to memory of 3668 3248 3jjdv.exe 92 PID 3248 wrote to memory of 3668 3248 3jjdv.exe 92 PID 3668 wrote to memory of 4220 3668 bnbhtt.exe 93 PID 3668 wrote to memory 
of 4220 3668 bnbhtt.exe 93 PID 3668 wrote to memory of 4220 3668 bnbhtt.exe 93 PID 4220 wrote to memory of 1700 4220 bhtnnh.exe 94 PID 4220 wrote to memory of 1700 4220 bhtnnh.exe 94 PID 4220 wrote to memory of 1700 4220 bhtnnh.exe 94 PID 1700 wrote to memory of 3984 1700 ddppj.exe 95 PID 1700 wrote to memory of 3984 1700 ddppj.exe 95 PID 1700 wrote to memory of 3984 1700 ddppj.exe 95 PID 3984 wrote to memory of 1288 3984 xllxrrf.exe 96 PID 3984 wrote to memory of 1288 3984 xllxrrf.exe 96 PID 3984 wrote to memory of 1288 3984 xllxrrf.exe 96 PID 1288 wrote to memory of 4188 1288 bhthbt.exe 97 PID 1288 wrote to memory of 4188 1288 bhthbt.exe 97 PID 1288 wrote to memory of 4188 1288 bhthbt.exe 97 PID 4188 wrote to memory of 228 4188 bbhnhb.exe 98 PID 4188 wrote to memory of 228 4188 bbhnhb.exe 98 PID 4188 wrote to memory of 228 4188 bbhnhb.exe 98 PID 228 wrote to memory of 4540 228 xxrrllf.exe 99 PID 228 wrote to memory of 4540 228 xxrrllf.exe 99 PID 228 wrote to memory of 4540 228 xxrrllf.exe 99 PID 4540 wrote to memory of 4692 4540 tnnbtn.exe 100 PID 4540 wrote to memory of 4692 4540 tnnbtn.exe 100 PID 4540 wrote to memory of 4692 4540 tnnbtn.exe 100 PID 4692 wrote to memory of 3172 4692 3pjdv.exe 101 PID 4692 wrote to memory of 3172 4692 3pjdv.exe 101 PID 4692 wrote to memory of 3172 4692 3pjdv.exe 101 PID 3172 wrote to memory of 1552 3172 vdjdv.exe 102 PID 3172 wrote to memory of 1552 3172 vdjdv.exe 102 PID 3172 wrote to memory of 1552 3172 vdjdv.exe 102 PID 1552 wrote to memory of 3156 1552 pjppp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\42b265fe652a9630774b55859cc2fce40916bc813a969e242941ecc0195f6022.exe"C:\Users\Admin\AppData\Local\Temp\42b265fe652a9630774b55859cc2fce40916bc813a969e242941ecc0195f6022.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\3ttnhh.exec:\3ttnhh.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\5vppd.exec:\5vppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\xflfrrl.exec:\xflfrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\5hbbtt.exec:\5hbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\ddvvp.exec:\ddvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\1pdvv.exec:\1pdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\xrrrlll.exec:\xrrrlll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\ntbtnh.exec:\ntbtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\thhbtt.exec:\thhbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\3jjdv.exec:\3jjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\bnbhtt.exec:\bnbhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\bhtnnh.exec:\bhtnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\ddppj.exec:\ddppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\xllxrrf.exec:\xllxrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\bhthbt.exec:\bhthbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\bbhnhb.exec:\bbhnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\xxrrllf.exec:\xxrrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\tnnbtn.exec:\tnnbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\3pjdv.exec:\3pjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\vdjdv.exec:\vdjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\pjppp.exec:\pjppp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\3bnhhh.exec:\3bnhhh.exe23⤵
- Executes dropped EXE
PID:3156 -
\??\c:\dvjdd.exec:\dvjdd.exe24⤵
- Executes dropped EXE
PID:4648 -
\??\c:\fffxllf.exec:\fffxllf.exe25⤵
- Executes dropped EXE
PID:1220 -
\??\c:\3pjdv.exec:\3pjdv.exe26⤵
- Executes dropped EXE
PID:4552 -
\??\c:\5xxxfff.exec:\5xxxfff.exe27⤵
- Executes dropped EXE
PID:4584 -
\??\c:\3nnhbb.exec:\3nnhbb.exe28⤵
- Executes dropped EXE
PID:4636 -
\??\c:\1flfllr.exec:\1flfllr.exe29⤵
- Executes dropped EXE
PID:3644 -
\??\c:\tnnhhh.exec:\tnnhhh.exe30⤵
- Executes dropped EXE
PID:4268 -
\??\c:\pdjdd.exec:\pdjdd.exe31⤵
- Executes dropped EXE
PID:4448 -
\??\c:\hbhhnn.exec:\hbhhnn.exe32⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lfxrrlf.exec:\lfxrrlf.exe33⤵
- Executes dropped EXE
PID:3312 -
\??\c:\tbhbbb.exec:\tbhbbb.exe34⤵
- Executes dropped EXE
PID:728 -
\??\c:\rfrfxrr.exec:\rfrfxrr.exe35⤵
- Executes dropped EXE
PID:60 -
\??\c:\ppjdd.exec:\ppjdd.exe36⤵
- Executes dropped EXE
PID:4148 -
\??\c:\hntnhb.exec:\hntnhb.exe37⤵
- Executes dropped EXE
PID:1524 -
\??\c:\5htnhb.exec:\5htnhb.exe38⤵
- Executes dropped EXE
PID:1576 -
\??\c:\jddpd.exec:\jddpd.exe39⤵
- Executes dropped EXE
PID:1872 -
\??\c:\vdjdd.exec:\vdjdd.exe40⤵
- Executes dropped EXE
PID:4412 -
\??\c:\xrfrfff.exec:\xrfrfff.exe41⤵
- Executes dropped EXE
PID:2544 -
\??\c:\7nnhbb.exec:\7nnhbb.exe42⤵
- Executes dropped EXE
PID:4292 -
\??\c:\thhtnb.exec:\thhtnb.exe43⤵
- Executes dropped EXE
PID:4784 -
\??\c:\pjvjv.exec:\pjvjv.exe44⤵
- Executes dropped EXE
PID:1276 -
\??\c:\xrrfxfx.exec:\xrrfxfx.exe45⤵
- Executes dropped EXE
PID:3260 -
\??\c:\tnhbtt.exec:\tnhbtt.exe46⤵
- Executes dropped EXE
PID:4080 -
\??\c:\1jpjv.exec:\1jpjv.exe47⤵
- Executes dropped EXE
PID:4116 -
\??\c:\pjpjv.exec:\pjpjv.exe48⤵
- Executes dropped EXE
PID:3104 -
\??\c:\tnbtnn.exec:\tnbtnn.exe49⤵
- Executes dropped EXE
PID:1460 -
\??\c:\bttnbt.exec:\bttnbt.exe50⤵
- Executes dropped EXE
PID:3404 -
\??\c:\vpppd.exec:\vpppd.exe51⤵
- Executes dropped EXE
PID:4632 -
\??\c:\rfrrrrl.exec:\rfrrrrl.exe52⤵
- Executes dropped EXE
PID:3528 -
\??\c:\nnnhbb.exec:\nnnhbb.exe53⤵
- Executes dropped EXE
PID:1196 -
\??\c:\jvpdv.exec:\jvpdv.exe54⤵
- Executes dropped EXE
PID:4504 -
\??\c:\dvvpj.exec:\dvvpj.exe55⤵
- Executes dropped EXE
PID:3120 -
\??\c:\lrlxrlf.exec:\lrlxrlf.exe56⤵
- Executes dropped EXE
PID:3640 -
\??\c:\7nbtnh.exec:\7nbtnh.exe57⤵
- Executes dropped EXE
PID:4544 -
\??\c:\pvjdv.exec:\pvjdv.exe58⤵
- Executes dropped EXE
PID:3824 -
\??\c:\frxrlfx.exec:\frxrlfx.exe59⤵
- Executes dropped EXE
PID:4340 -
\??\c:\lfxrfxr.exec:\lfxrfxr.exe60⤵
- Executes dropped EXE
PID:2340 -
\??\c:\thtnnh.exec:\thtnnh.exe61⤵
- Executes dropped EXE
PID:3708 -
\??\c:\bbhbtt.exec:\bbhbtt.exe62⤵
- Executes dropped EXE
PID:4968 -
\??\c:\pdjjd.exec:\pdjjd.exe63⤵
- Executes dropped EXE
PID:5044 -
\??\c:\7llxllx.exec:\7llxllx.exe64⤵
- Executes dropped EXE
PID:2576 -
\??\c:\tnhhtb.exec:\tnhhtb.exe65⤵
- Executes dropped EXE
PID:2980 -
\??\c:\tnhbth.exec:\tnhbth.exe66⤵PID:3556
-
\??\c:\vvpjd.exec:\vvpjd.exe67⤵PID:3416
-
\??\c:\frxrlff.exec:\frxrlff.exe68⤵PID:4812
-
\??\c:\hbhbbn.exec:\hbhbbn.exe69⤵PID:4944
-
\??\c:\nhbbhn.exec:\nhbbhn.exe70⤵PID:1084
-
\??\c:\ddjvj.exec:\ddjvj.exe71⤵PID:2616
-
\??\c:\xrfxxxr.exec:\xrfxxxr.exe72⤵PID:220
-
\??\c:\thhbtn.exec:\thhbtn.exe73⤵PID:5080
-
\??\c:\jjvpv.exec:\jjvpv.exe74⤵PID:3984
-
\??\c:\flfrffx.exec:\flfrffx.exe75⤵PID:3444
-
\??\c:\frfxrrl.exec:\frfxrrl.exe76⤵PID:2012
-
\??\c:\ntbbth.exec:\ntbbth.exe77⤵PID:228
-
\??\c:\dvvvp.exec:\dvvvp.exe78⤵PID:4188
-
\??\c:\5dvpj.exec:\5dvpj.exe79⤵PID:4028
-
\??\c:\lffrlfx.exec:\lffrlfx.exe80⤵PID:3792
-
\??\c:\htbtnh.exec:\htbtnh.exe81⤵PID:3820
-
\??\c:\jddjd.exec:\jddjd.exe82⤵PID:1280
-
\??\c:\jddvj.exec:\jddvj.exe83⤵PID:2268
-
\??\c:\llllrrl.exec:\llllrrl.exe84⤵PID:3392
-
\??\c:\nbbnhb.exec:\nbbnhb.exe85⤵PID:4508
-
\??\c:\jjjdd.exec:\jjjdd.exe86⤵PID:3156
-
\??\c:\frrlrlx.exec:\frrlrlx.exe87⤵PID:2540
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe88⤵PID:5000
-
\??\c:\thhhbb.exec:\thhhbb.exe89⤵PID:3852
-
\??\c:\1bhbnn.exec:\1bhbnn.exe90⤵PID:1428
-
\??\c:\djpjd.exec:\djpjd.exe91⤵PID:2624
-
\??\c:\fxfxxfx.exec:\fxfxxfx.exe92⤵PID:3876
-
\??\c:\nthbbb.exec:\nthbbb.exe93⤵PID:4252
-
\??\c:\dvdjp.exec:\dvdjp.exe94⤵PID:2868
-
\??\c:\7ddpj.exec:\7ddpj.exe95⤵PID:4268
-
\??\c:\xrrffxr.exec:\xrrffxr.exe96⤵PID:2300
-
\??\c:\bnhthb.exec:\bnhthb.exe97⤵PID:4176
-
\??\c:\vpvpj.exec:\vpvpj.exe98⤵PID:748
-
\??\c:\pvdvp.exec:\pvdvp.exe99⤵
- System Location Discovery: System Language Discovery
PID:3684 -
\??\c:\xxfxxrx.exec:\xxfxxrx.exe100⤵PID:1840
-
\??\c:\nbhtnh.exec:\nbhtnh.exe101⤵PID:2344
-
\??\c:\hhbbbt.exec:\hhbbbt.exe102⤵PID:1516
-
\??\c:\jddpj.exec:\jddpj.exe103⤵PID:1960
-
\??\c:\flxlfxr.exec:\flxlfxr.exe104⤵PID:4828
-
\??\c:\nhhhbt.exec:\nhhhbt.exe105⤵PID:2148
-
\??\c:\tbhbtn.exec:\tbhbtn.exe106⤵PID:2772
-
\??\c:\dpvvp.exec:\dpvvp.exe107⤵PID:2680
-
\??\c:\xlrflfx.exec:\xlrflfx.exe108⤵PID:2040
-
\??\c:\fxlfxxx.exec:\fxlfxxx.exe109⤵PID:4136
-
\??\c:\bhnnhh.exec:\bhnnhh.exe110⤵PID:2520
-
\??\c:\jddpd.exec:\jddpd.exe111⤵PID:3712
-
\??\c:\vpdvv.exec:\vpdvv.exe112⤵PID:4560
-
\??\c:\9lfxllf.exec:\9lfxllf.exe113⤵PID:3308
-
\??\c:\hbbtnh.exec:\hbbtnh.exe114⤵PID:5048
-
\??\c:\jvvpd.exec:\jvvpd.exe115⤵PID:1932
-
\??\c:\fxxrllf.exec:\fxxrllf.exe116⤵PID:1460
-
\??\c:\lrxrrrl.exec:\lrxrrrl.exe117⤵PID:1596
-
\??\c:\1bhnht.exec:\1bhnht.exe118⤵PID:4632
-
\??\c:\bbbttt.exec:\bbbttt.exe119⤵PID:4576
-
\??\c:\3jdvv.exec:\3jdvv.exe120⤵PID:3816
-
\??\c:\xrxxrxr.exec:\xrxxrxr.exe121⤵PID:720
-
\??\c:\3nbbtn.exec:\3nbbtn.exe122⤵PID:916