Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 13:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe
-
Size
452KB
-
MD5
8e8808c2d771557dc8659462242b2f51
-
SHA1
e71c1397686aea58de2bcac3a7a8751b417b5549
-
SHA256
79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9
-
SHA512
8f2a9b7fb69589d66c95e3b061bafcae0aa2391e8dcc188e17eead506e5b1c9ee28c4c92410975af16e37829bee0962bc59b03be5cd1474674fc0ce831ffb227
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/404-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1596-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2784-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-935-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-1071-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-1154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-1364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4040 1ntttt.exe 2692 nnnhhh.exe 4880 3llfrrl.exe 2864 jdjvd.exe 4904 bthbbb.exe 3424 vpvpj.exe 1036 hbbtnn.exe 4248 3vddv.exe 2888 fffxrrl.exe 1664 5hnnhn.exe 3384 jdvpj.exe 3532 1nhtbt.exe 636 xxxxrll.exe 3048 hbhthh.exe 5040 ppjvj.exe 4488 xxrfrfr.exe 556 bbthth.exe 388 7vpvj.exe 4624 btthth.exe 436 vpdpj.exe 3016 9nbthn.exe 2884 dppjd.exe 1596 ntnbhb.exe 4860 7jjjv.exe 688 3thbnh.exe 1360 vdpjv.exe 1176 flfrfxl.exe 1856 3jvjd.exe 4984 lllxfxl.exe 3628 djjvj.exe 4428 nbnbhb.exe 4504 djjvj.exe 1536 xlffrrl.exe 3248 vdvjp.exe 4132 7ddvv.exe 2488 rfllxlr.exe 2040 thhthb.exe 2296 nbbnbt.exe 3748 jdvjd.exe 2928 nbhthn.exe 3520 dpjdj.exe 448 rxrfrll.exe 4608 xffrfrl.exe 2264 ttnhbt.exe 1140 jvpdp.exe 4560 xfrfrfr.exe 4676 xrxrrxr.exe 3004 tnthhb.exe 3264 jpvjv.exe 752 9dddj.exe 4356 7lxlxlx.exe 4992 nbnbth.exe 4372 tnhthb.exe 2072 jjdpv.exe 1484 jvpvp.exe 2492 rxflxrf.exe 5032 thhthb.exe 2864 bttbnh.exe 2832 vppjp.exe 2056 rfrfrfx.exe 4588 xflxlfr.exe 2156 hnhbtn.exe 756 jddpj.exe 2272 5vpdv.exe -
resource yara_rule behavioral2/memory/404-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/688-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5028-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-935-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
5pdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 404 wrote to memory of 4040 404 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 82 PID 404 wrote to memory of 4040 404 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 82 PID 404 wrote to memory of 4040 404 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 82 PID 4040 wrote to memory of 2692 4040 1ntttt.exe 83 PID 4040 wrote to memory of 2692 4040 1ntttt.exe 83 PID 4040 wrote to memory of 2692 4040 1ntttt.exe 83 PID 2692 wrote to memory of 4880 2692 nnnhhh.exe 84 PID 2692 wrote to memory of 4880 2692 nnnhhh.exe 84 PID 2692 wrote to memory of 4880 2692 nnnhhh.exe 84 PID 4880 wrote to memory of 2864 4880 3llfrrl.exe 85 PID 4880 wrote to memory of 2864 4880 3llfrrl.exe 85 PID 4880 wrote to memory of 2864 4880 3llfrrl.exe 85 PID 2864 wrote to memory of 4904 2864 jdjvd.exe 86 PID 2864 wrote to memory of 4904 2864 jdjvd.exe 86 PID 2864 wrote to memory of 4904 2864 jdjvd.exe 86 PID 4904 wrote to memory of 3424 4904 bthbbb.exe 87 PID 4904 wrote to memory of 3424 4904 bthbbb.exe 87 PID 4904 wrote to memory of 3424 4904 bthbbb.exe 87 PID 3424 wrote to memory of 1036 3424 vpvpj.exe 88 PID 3424 wrote to memory of 1036 3424 vpvpj.exe 88 PID 3424 wrote to memory of 1036 3424 vpvpj.exe 88 PID 1036 wrote to memory of 4248 1036 hbbtnn.exe 89 PID 1036 wrote to memory of 4248 1036 hbbtnn.exe 89 PID 1036 wrote to memory of 4248 1036 hbbtnn.exe 89 PID 4248 wrote to memory of 2888 4248 3vddv.exe 90 PID 4248 wrote to memory of 2888 4248 3vddv.exe 90 PID 4248 wrote to memory of 2888 4248 3vddv.exe 90 PID 2888 wrote to memory of 1664 2888 fffxrrl.exe 91 PID 2888 wrote to memory of 1664 2888 fffxrrl.exe 91 PID 2888 wrote to memory of 1664 2888 fffxrrl.exe 91 PID 1664 wrote to memory of 3384 1664 5hnnhn.exe 92 PID 1664 wrote to memory of 3384 1664 5hnnhn.exe 92 PID 1664 wrote to memory of 3384 1664 5hnnhn.exe 92 PID 3384 wrote to memory of 3532 3384 jdvpj.exe 93 PID 3384 wrote to memory of 
3532 3384 jdvpj.exe 93 PID 3384 wrote to memory of 3532 3384 jdvpj.exe 93 PID 3532 wrote to memory of 636 3532 1nhtbt.exe 94 PID 3532 wrote to memory of 636 3532 1nhtbt.exe 94 PID 3532 wrote to memory of 636 3532 1nhtbt.exe 94 PID 636 wrote to memory of 3048 636 xxxxrll.exe 95 PID 636 wrote to memory of 3048 636 xxxxrll.exe 95 PID 636 wrote to memory of 3048 636 xxxxrll.exe 95 PID 3048 wrote to memory of 5040 3048 hbhthh.exe 96 PID 3048 wrote to memory of 5040 3048 hbhthh.exe 96 PID 3048 wrote to memory of 5040 3048 hbhthh.exe 96 PID 5040 wrote to memory of 4488 5040 ppjvj.exe 97 PID 5040 wrote to memory of 4488 5040 ppjvj.exe 97 PID 5040 wrote to memory of 4488 5040 ppjvj.exe 97 PID 4488 wrote to memory of 556 4488 xxrfrfr.exe 98 PID 4488 wrote to memory of 556 4488 xxrfrfr.exe 98 PID 4488 wrote to memory of 556 4488 xxrfrfr.exe 98 PID 556 wrote to memory of 388 556 bbthth.exe 99 PID 556 wrote to memory of 388 556 bbthth.exe 99 PID 556 wrote to memory of 388 556 bbthth.exe 99 PID 388 wrote to memory of 4624 388 7vpvj.exe 100 PID 388 wrote to memory of 4624 388 7vpvj.exe 100 PID 388 wrote to memory of 4624 388 7vpvj.exe 100 PID 4624 wrote to memory of 436 4624 btthth.exe 101 PID 4624 wrote to memory of 436 4624 btthth.exe 101 PID 4624 wrote to memory of 436 4624 btthth.exe 101 PID 436 wrote to memory of 3016 436 vpdpj.exe 102 PID 436 wrote to memory of 3016 436 vpdpj.exe 102 PID 436 wrote to memory of 3016 436 vpdpj.exe 102 PID 3016 wrote to memory of 2884 3016 9nbthn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe"C:\Users\Admin\AppData\Local\Temp\79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\1ntttt.exec:\1ntttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\nnnhhh.exec:\nnnhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\3llfrrl.exec:\3llfrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\jdjvd.exec:\jdjvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\bthbbb.exec:\bthbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\vpvpj.exec:\vpvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\hbbtnn.exec:\hbbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\3vddv.exec:\3vddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\fffxrrl.exec:\fffxrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\5hnnhn.exec:\5hnnhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\jdvpj.exec:\jdvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\1nhtbt.exec:\1nhtbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\xxxxrll.exec:\xxxxrll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\hbhthh.exec:\hbhthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\ppjvj.exec:\ppjvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\xxrfrfr.exec:\xxrfrfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\bbthth.exec:\bbthth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\7vpvj.exec:\7vpvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\btthth.exec:\btthth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\vpdpj.exec:\vpdpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\9nbthn.exec:\9nbthn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\dppjd.exec:\dppjd.exe23⤵
- Executes dropped EXE
PID:2884 -
\??\c:\ntnbhb.exec:\ntnbhb.exe24⤵
- Executes dropped EXE
PID:1596 -
\??\c:\7jjjv.exec:\7jjjv.exe25⤵
- Executes dropped EXE
PID:4860 -
\??\c:\3thbnh.exec:\3thbnh.exe26⤵
- Executes dropped EXE
PID:688 -
\??\c:\vdpjv.exec:\vdpjv.exe27⤵
- Executes dropped EXE
PID:1360 -
\??\c:\flfrfxl.exec:\flfrfxl.exe28⤵
- Executes dropped EXE
PID:1176 -
\??\c:\3jvjd.exec:\3jvjd.exe29⤵
- Executes dropped EXE
PID:1856 -
\??\c:\lllxfxl.exec:\lllxfxl.exe30⤵
- Executes dropped EXE
PID:4984 -
\??\c:\djjvj.exec:\djjvj.exe31⤵
- Executes dropped EXE
PID:3628 -
\??\c:\nbnbhb.exec:\nbnbhb.exe32⤵
- Executes dropped EXE
PID:4428 -
\??\c:\djjvj.exec:\djjvj.exe33⤵
- Executes dropped EXE
PID:4504 -
\??\c:\xlffrrl.exec:\xlffrrl.exe34⤵
- Executes dropped EXE
PID:1536 -
\??\c:\vdvjp.exec:\vdvjp.exe35⤵
- Executes dropped EXE
PID:3248 -
\??\c:\7ddvv.exec:\7ddvv.exe36⤵
- Executes dropped EXE
PID:4132 -
\??\c:\rfllxlr.exec:\rfllxlr.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2488 -
\??\c:\thhthb.exec:\thhthb.exe38⤵
- Executes dropped EXE
PID:2040 -
\??\c:\nbbnbt.exec:\nbbnbt.exe39⤵
- Executes dropped EXE
PID:2296 -
\??\c:\jdvjd.exec:\jdvjd.exe40⤵
- Executes dropped EXE
PID:3748 -
\??\c:\nbhthn.exec:\nbhthn.exe41⤵
- Executes dropped EXE
PID:2928 -
\??\c:\dpjdj.exec:\dpjdj.exe42⤵
- Executes dropped EXE
PID:3520 -
\??\c:\rxrfrll.exec:\rxrfrll.exe43⤵
- Executes dropped EXE
PID:448 -
\??\c:\xffrfrl.exec:\xffrfrl.exe44⤵
- Executes dropped EXE
PID:4608 -
\??\c:\ttnhbt.exec:\ttnhbt.exe45⤵
- Executes dropped EXE
PID:2264 -
\??\c:\jvpdp.exec:\jvpdp.exe46⤵
- Executes dropped EXE
PID:1140 -
\??\c:\xfrfrfr.exec:\xfrfrfr.exe47⤵
- Executes dropped EXE
PID:4560 -
\??\c:\xrxrrxr.exec:\xrxrrxr.exe48⤵
- Executes dropped EXE
PID:4676 -
\??\c:\tnthhb.exec:\tnthhb.exe49⤵
- Executes dropped EXE
PID:3004 -
\??\c:\jpvjv.exec:\jpvjv.exe50⤵
- Executes dropped EXE
PID:3264 -
\??\c:\9dddj.exec:\9dddj.exe51⤵
- Executes dropped EXE
PID:752 -
\??\c:\7lxlxlx.exec:\7lxlxlx.exe52⤵
- Executes dropped EXE
PID:4356 -
\??\c:\nbnbth.exec:\nbnbth.exe53⤵
- Executes dropped EXE
PID:4992 -
\??\c:\tnhthb.exec:\tnhthb.exe54⤵
- Executes dropped EXE
PID:4372 -
\??\c:\jjdpv.exec:\jjdpv.exe55⤵
- Executes dropped EXE
PID:2072 -
\??\c:\jvpvp.exec:\jvpvp.exe56⤵
- Executes dropped EXE
PID:1484 -
\??\c:\rxflxrf.exec:\rxflxrf.exe57⤵
- Executes dropped EXE
PID:2492 -
\??\c:\thhthb.exec:\thhthb.exe58⤵
- Executes dropped EXE
PID:5032 -
\??\c:\bttbnh.exec:\bttbnh.exe59⤵
- Executes dropped EXE
PID:2864 -
\??\c:\vppjp.exec:\vppjp.exe60⤵
- Executes dropped EXE
PID:2832 -
\??\c:\rfrfrfx.exec:\rfrfrfx.exe61⤵
- Executes dropped EXE
PID:2056 -
\??\c:\xflxlfr.exec:\xflxlfr.exe62⤵
- Executes dropped EXE
PID:4588 -
\??\c:\hnhbtn.exec:\hnhbtn.exe63⤵
- Executes dropped EXE
PID:2156 -
\??\c:\jddpj.exec:\jddpj.exe64⤵
- Executes dropped EXE
PID:756 -
\??\c:\5vpdv.exec:\5vpdv.exe65⤵
- Executes dropped EXE
PID:2272 -
\??\c:\fffrfrl.exec:\fffrfrl.exe66⤵PID:4248
-
\??\c:\bntntn.exec:\bntntn.exe67⤵PID:1656
-
\??\c:\xllxxrl.exec:\xllxxrl.exe68⤵PID:2748
-
\??\c:\rllffxr.exec:\rllffxr.exe69⤵PID:4672
-
\??\c:\nthhbt.exec:\nthhbt.exe70⤵PID:1844
-
\??\c:\1ppdj.exec:\1ppdj.exe71⤵PID:3880
-
\??\c:\xflrfxl.exec:\xflrfxl.exe72⤵PID:4100
-
\??\c:\nbhnhb.exec:\nbhnhb.exe73⤵PID:4900
-
\??\c:\ppvpd.exec:\ppvpd.exe74⤵PID:2104
-
\??\c:\vvjvj.exec:\vvjvj.exe75⤵PID:4252
-
\??\c:\9rrfrlx.exec:\9rrfrlx.exe76⤵PID:5040
-
\??\c:\3tnbtb.exec:\3tnbtb.exe77⤵PID:4828
-
\??\c:\jdvjd.exec:\jdvjd.exe78⤵PID:2784
-
\??\c:\flffxxx.exec:\flffxxx.exe79⤵PID:3972
-
\??\c:\hbhnnn.exec:\hbhnnn.exe80⤵
- System Location Discovery: System Language Discovery
PID:2188 -
\??\c:\nhtnnn.exec:\nhtnnn.exe81⤵PID:620
-
\??\c:\3vdvv.exec:\3vdvv.exe82⤵PID:2780
-
\??\c:\xxfrfxr.exec:\xxfrfxr.exe83⤵PID:4884
-
\??\c:\hnbnhh.exec:\hnbnhh.exe84⤵PID:1244
-
\??\c:\3nhbtt.exec:\3nhbtt.exe85⤵PID:3876
-
\??\c:\vpppj.exec:\vpppj.exe86⤵PID:2980
-
\??\c:\fffrffr.exec:\fffrffr.exe87⤵PID:5028
-
\??\c:\1thbbb.exec:\1thbbb.exe88⤵PID:1264
-
\??\c:\htbtnn.exec:\htbtnn.exe89⤵PID:2168
-
\??\c:\pvvpj.exec:\pvvpj.exe90⤵PID:1920
-
\??\c:\frxfrxr.exec:\frxfrxr.exe91⤵PID:220
-
\??\c:\htbnht.exec:\htbnht.exe92⤵PID:5012
-
\??\c:\9dvvj.exec:\9dvvj.exe93⤵PID:2628
-
\??\c:\dvdvj.exec:\dvdvj.exe94⤵PID:456
-
\??\c:\frrlfll.exec:\frrlfll.exe95⤵PID:1868
-
\??\c:\tnnbtt.exec:\tnnbtt.exe96⤵PID:4984
-
\??\c:\1thbnb.exec:\1thbnb.exe97⤵PID:3504
-
\??\c:\djvjd.exec:\djvjd.exe98⤵PID:5020
-
\??\c:\7jdpd.exec:\7jdpd.exe99⤵PID:3112
-
\??\c:\lxxxllx.exec:\lxxxllx.exe100⤵PID:4956
-
\??\c:\tntttb.exec:\tntttb.exe101⤵PID:3516
-
\??\c:\pjjdv.exec:\pjjdv.exe102⤵PID:2456
-
\??\c:\xrllffr.exec:\xrllffr.exe103⤵PID:2608
-
\??\c:\nbnhtt.exec:\nbnhtt.exe104⤵PID:1652
-
\??\c:\tnnnbb.exec:\tnnnbb.exe105⤵PID:4404
-
\??\c:\pddpd.exec:\pddpd.exe106⤵PID:4112
-
\??\c:\1fxrffx.exec:\1fxrffx.exe107⤵PID:4584
-
\??\c:\nnnhbh.exec:\nnnhbh.exe108⤵PID:2280
-
\??\c:\jdvjv.exec:\jdvjv.exe109⤵PID:3604
-
\??\c:\dddvp.exec:\dddvp.exe110⤵PID:1464
-
\??\c:\lxlxfxr.exec:\lxlxfxr.exe111⤵PID:400
-
\??\c:\9hnhbt.exec:\9hnhbt.exe112⤵PID:4976
-
\??\c:\dpdpd.exec:\dpdpd.exe113⤵PID:2184
-
\??\c:\lxfxrxx.exec:\lxfxrxx.exe114⤵PID:3676
-
\??\c:\3bbbtt.exec:\3bbbtt.exe115⤵PID:2460
-
\??\c:\hhnhbb.exec:\hhnhbb.exe116⤵PID:904
-
\??\c:\ddvjp.exec:\ddvjp.exe117⤵PID:4440
-
\??\c:\5lxxxxl.exec:\5lxxxxl.exe118⤵PID:4356
-
\??\c:\tnthhn.exec:\tnthhn.exe119⤵PID:4992
-
\??\c:\tnnhtt.exec:\tnnhtt.exe120⤵PID:4892
-
\??\c:\djjdp.exec:\djjdp.exe121⤵PID:2072
-
\??\c:\jvdvp.exec:\jvdvp.exe122⤵PID:3964