Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 20:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0172c3039fe7e4d5492198ed756fc06213b4c1629347d494c2b247cd23faa6f1.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
0172c3039fe7e4d5492198ed756fc06213b4c1629347d494c2b247cd23faa6f1.exe
-
Size
454KB
-
MD5
316a06cf5af6ea8c9e4cb1dfb9beeb56
-
SHA1
616ad28bd80881541984301f98ed8b02a96cca70
-
SHA256
0172c3039fe7e4d5492198ed756fc06213b4c1629347d494c2b247cd23faa6f1
-
SHA512
35cc946b503c3e42be9536ddac577eaa8d636a5b27e2a981c07c7b61e0567680981567b76a2ea5cecaaf3a473e5e3cf890dc2c26ff6f8be7c92cc54338fa9778
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1W/:q7Tc2NYHUrAwfMp3CD1W/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/728-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4740-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2348-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-911-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-1204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-1352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-1380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-1848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2804 vppjv.exe 4428 9htntt.exe 1324 dddjj.exe 1124 bbbbbh.exe 3120 pvvpj.exe 4132 vjdvj.exe 560 3dvpd.exe 700 lffxfrr.exe 4460 thtnhb.exe 2692 1nnbtn.exe 1636 3pvdj.exe 2892 rrlfllx.exe 4232 9bbnnh.exe 2972 vddpd.exe 1488 pppjj.exe 1328 rfxlflx.exe 4140 bbbnbt.exe 4528 1hnbnh.exe 4860 3jdpj.exe 1032 lrrfrlx.exe 4356 1ffxlfr.exe 4056 hnnhtn.exe 544 vdpjv.exe 1476 xxrfxlr.exe 472 5dvjj.exe 4068 jvvjd.exe 2004 xlrfrlf.exe 4280 bntnbt.exe 2348 1ddvp.exe 872 7rllxrl.exe 4144 thbthb.exe 1620 nbtnhh.exe 3440 1vpdp.exe 3452 flfrlxr.exe 1868 7nhbnb.exe 3800 jjjpd.exe 756 dvpjd.exe 3992 fflxxrf.exe 4320 thbthh.exe 1088 vddvv.exe 884 pvvjd.exe 1084 llrllff.exe 824 3tthtt.exe 4960 3bhtnh.exe 2044 jdpdj.exe 3732 rlrrrrf.exe 1408 rffrfxl.exe 4740 ttbhbn.exe 2696 3vpjv.exe 1508 jdpdv.exe 1756 9rxrfrf.exe 2500 frrfxrl.exe 3744 tbhnnn.exe 320 ntthtn.exe 3348 jvvpj.exe 3672 rflxrll.exe 3304 llfxlfr.exe 4772 bbbnhb.exe 4576 nbbbnh.exe 2928 dvdpp.exe 628 3jdpd.exe 3824 rlfrfxr.exe 1852 tbbnhn.exe 908 nhnhnh.exe -
resource yara_rule behavioral2/memory/728-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-245-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2500-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2972-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-735-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 728 wrote to memory of 2804 728 0172c3039fe7e4d5492198ed756fc06213b4c1629347d494c2b247cd23faa6f1.exe 82 PID 728 wrote to memory of 2804 728 0172c3039fe7e4d5492198ed756fc06213b4c1629347d494c2b247cd23faa6f1.exe 82 PID 728 wrote to memory of 2804 728 0172c3039fe7e4d5492198ed756fc06213b4c1629347d494c2b247cd23faa6f1.exe 82 PID 2804 wrote to memory of 4428 2804 vppjv.exe 83 PID 2804 wrote to memory of 4428 2804 vppjv.exe 83 PID 2804 wrote to memory of 4428 2804 vppjv.exe 83 PID 4428 wrote to memory of 1324 4428 9htntt.exe 84 PID 4428 wrote to memory of 1324 4428 9htntt.exe 84 PID 4428 wrote to memory of 1324 4428 9htntt.exe 84 PID 1324 wrote to memory of 1124 1324 dddjj.exe 85 PID 1324 wrote to memory of 1124 1324 dddjj.exe 85 PID 1324 wrote to memory of 1124 1324 dddjj.exe 85 PID 1124 wrote to memory of 3120 1124 bbbbbh.exe 86 PID 1124 wrote to memory of 3120 1124 bbbbbh.exe 86 PID 1124 wrote to memory of 3120 1124 bbbbbh.exe 86 PID 3120 wrote to memory of 4132 3120 pvvpj.exe 87 PID 3120 wrote to memory of 4132 3120 pvvpj.exe 87 PID 3120 wrote to memory of 4132 3120 pvvpj.exe 87 PID 4132 wrote to memory of 560 4132 vjdvj.exe 88 PID 4132 wrote to memory of 560 4132 vjdvj.exe 88 PID 4132 wrote to memory of 560 4132 vjdvj.exe 88 PID 560 wrote to memory of 700 560 3dvpd.exe 89 PID 560 wrote to memory of 700 560 3dvpd.exe 89 PID 560 wrote to memory of 700 560 3dvpd.exe 89 PID 700 wrote to memory of 4460 700 lffxfrr.exe 90 PID 700 wrote to memory of 4460 700 lffxfrr.exe 90 PID 700 wrote to memory of 4460 700 lffxfrr.exe 90 PID 4460 wrote to memory of 2692 4460 thtnhb.exe 91 PID 4460 wrote to memory of 2692 4460 thtnhb.exe 91 PID 4460 wrote to memory of 2692 4460 thtnhb.exe 91 PID 2692 wrote to memory of 1636 2692 1nnbtn.exe 92 PID 2692 wrote to memory of 1636 2692 1nnbtn.exe 92 PID 2692 wrote to memory of 1636 2692 1nnbtn.exe 92 PID 1636 wrote to memory of 2892 1636 3pvdj.exe 149 PID 1636 wrote to memory of 2892 1636 3pvdj.exe 149 PID 
1636 wrote to memory of 2892 1636 3pvdj.exe 149 PID 2892 wrote to memory of 4232 2892 rrlfllx.exe 150 PID 2892 wrote to memory of 4232 2892 rrlfllx.exe 150 PID 2892 wrote to memory of 4232 2892 rrlfllx.exe 150 PID 4232 wrote to memory of 2972 4232 9bbnnh.exe 95 PID 4232 wrote to memory of 2972 4232 9bbnnh.exe 95 PID 4232 wrote to memory of 2972 4232 9bbnnh.exe 95 PID 2972 wrote to memory of 1488 2972 vddpd.exe 96 PID 2972 wrote to memory of 1488 2972 vddpd.exe 96 PID 2972 wrote to memory of 1488 2972 vddpd.exe 96 PID 1488 wrote to memory of 1328 1488 pppjj.exe 97 PID 1488 wrote to memory of 1328 1488 pppjj.exe 97 PID 1488 wrote to memory of 1328 1488 pppjj.exe 97 PID 1328 wrote to memory of 4140 1328 rfxlflx.exe 98 PID 1328 wrote to memory of 4140 1328 rfxlflx.exe 98 PID 1328 wrote to memory of 4140 1328 rfxlflx.exe 98 PID 4140 wrote to memory of 4528 4140 bbbnbt.exe 99 PID 4140 wrote to memory of 4528 4140 bbbnbt.exe 99 PID 4140 wrote to memory of 4528 4140 bbbnbt.exe 99 PID 4528 wrote to memory of 4860 4528 1hnbnh.exe 100 PID 4528 wrote to memory of 4860 4528 1hnbnh.exe 100 PID 4528 wrote to memory of 4860 4528 1hnbnh.exe 100 PID 4860 wrote to memory of 1032 4860 3jdpj.exe 101 PID 4860 wrote to memory of 1032 4860 3jdpj.exe 101 PID 4860 wrote to memory of 1032 4860 3jdpj.exe 101 PID 1032 wrote to memory of 4356 1032 lrrfrlx.exe 102 PID 1032 wrote to memory of 4356 1032 lrrfrlx.exe 102 PID 1032 wrote to memory of 4356 1032 lrrfrlx.exe 102 PID 4356 wrote to memory of 4056 4356 1ffxlfr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0172c3039fe7e4d5492198ed756fc06213b4c1629347d494c2b247cd23faa6f1.exe"C:\Users\Admin\AppData\Local\Temp\0172c3039fe7e4d5492198ed756fc06213b4c1629347d494c2b247cd23faa6f1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\vppjv.exec:\vppjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\9htntt.exec:\9htntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\dddjj.exec:\dddjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\bbbbbh.exec:\bbbbbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\pvvpj.exec:\pvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\vjdvj.exec:\vjdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\3dvpd.exec:\3dvpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
\??\c:\lffxfrr.exec:\lffxfrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\thtnhb.exec:\thtnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\1nnbtn.exec:\1nnbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\3pvdj.exec:\3pvdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\rrlfllx.exec:\rrlfllx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\9bbnnh.exec:\9bbnnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\vddpd.exec:\vddpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\pppjj.exec:\pppjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\rfxlflx.exec:\rfxlflx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\bbbnbt.exec:\bbbnbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\1hnbnh.exec:\1hnbnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\3jdpj.exec:\3jdpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\1ffxlfr.exec:\1ffxlfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\hnnhtn.exec:\hnnhtn.exe23⤵
- Executes dropped EXE
PID:4056 -
\??\c:\vdpjv.exec:\vdpjv.exe24⤵
- Executes dropped EXE
PID:544 -
\??\c:\xxrfxlr.exec:\xxrfxlr.exe25⤵
- Executes dropped EXE
PID:1476 -
\??\c:\5dvjj.exec:\5dvjj.exe26⤵
- Executes dropped EXE
PID:472 -
\??\c:\jvvjd.exec:\jvvjd.exe27⤵
- Executes dropped EXE
PID:4068 -
\??\c:\xlrfrlf.exec:\xlrfrlf.exe28⤵
- Executes dropped EXE
PID:2004 -
\??\c:\bntnbt.exec:\bntnbt.exe29⤵
- Executes dropped EXE
PID:4280 -
\??\c:\1ddvp.exec:\1ddvp.exe30⤵
- Executes dropped EXE
PID:2348 -
\??\c:\7rllxrl.exec:\7rllxrl.exe31⤵
- Executes dropped EXE
PID:872 -
\??\c:\thbthb.exec:\thbthb.exe32⤵
- Executes dropped EXE
PID:4144 -
\??\c:\nbtnhh.exec:\nbtnhh.exe33⤵
- Executes dropped EXE
PID:1620 -
\??\c:\1vpdp.exec:\1vpdp.exe34⤵
- Executes dropped EXE
PID:3440 -
\??\c:\flfrlxr.exec:\flfrlxr.exe35⤵
- Executes dropped EXE
PID:3452 -
\??\c:\7nhbnb.exec:\7nhbnb.exe36⤵
- Executes dropped EXE
PID:1868 -
\??\c:\jjjpd.exec:\jjjpd.exe37⤵
- Executes dropped EXE
PID:3800 -
\??\c:\dvpjd.exec:\dvpjd.exe38⤵
- Executes dropped EXE
PID:756 -
\??\c:\fflxxrf.exec:\fflxxrf.exe39⤵
- Executes dropped EXE
PID:3992 -
\??\c:\thbthh.exec:\thbthh.exe40⤵
- Executes dropped EXE
PID:4320 -
\??\c:\vddvv.exec:\vddvv.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1088 -
\??\c:\pvvjd.exec:\pvvjd.exe42⤵
- Executes dropped EXE
PID:884 -
\??\c:\llrllff.exec:\llrllff.exe43⤵
- Executes dropped EXE
PID:1084 -
\??\c:\3tthtt.exec:\3tthtt.exe44⤵
- Executes dropped EXE
PID:824 -
\??\c:\3bhtnh.exec:\3bhtnh.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4960 -
\??\c:\jdpdj.exec:\jdpdj.exe46⤵
- Executes dropped EXE
PID:2044 -
\??\c:\rlrrrrf.exec:\rlrrrrf.exe47⤵
- Executes dropped EXE
PID:3732 -
\??\c:\rffrfxl.exec:\rffrfxl.exe48⤵
- Executes dropped EXE
PID:1408 -
\??\c:\ttbhbn.exec:\ttbhbn.exe49⤵
- Executes dropped EXE
PID:4740 -
\??\c:\3vpjv.exec:\3vpjv.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696 -
\??\c:\jdpdv.exec:\jdpdv.exe51⤵
- Executes dropped EXE
PID:1508 -
\??\c:\9rxrfrf.exec:\9rxrfrf.exe52⤵
- Executes dropped EXE
PID:1756 -
\??\c:\frrfxrl.exec:\frrfxrl.exe53⤵
- Executes dropped EXE
PID:2500 -
\??\c:\tbhnnn.exec:\tbhnnn.exe54⤵
- Executes dropped EXE
PID:3744 -
\??\c:\ntthtn.exec:\ntthtn.exe55⤵
- Executes dropped EXE
PID:320 -
\??\c:\jvvpj.exec:\jvvpj.exe56⤵
- Executes dropped EXE
PID:3348 -
\??\c:\rflxrll.exec:\rflxrll.exe57⤵
- Executes dropped EXE
PID:3672 -
\??\c:\llfxlfr.exec:\llfxlfr.exe58⤵
- Executes dropped EXE
PID:3304 -
\??\c:\bbbnhb.exec:\bbbnhb.exe59⤵
- Executes dropped EXE
PID:4772 -
\??\c:\nbbbnh.exec:\nbbbnh.exe60⤵
- Executes dropped EXE
PID:4576 -
\??\c:\dvdpp.exec:\dvdpp.exe61⤵
- Executes dropped EXE
PID:2928 -
\??\c:\3jdpd.exec:\3jdpd.exe62⤵
- Executes dropped EXE
PID:628 -
\??\c:\rlfrfxr.exec:\rlfrfxr.exe63⤵
- Executes dropped EXE
PID:3824 -
\??\c:\tbbnhn.exec:\tbbnhn.exe64⤵
- Executes dropped EXE
PID:1852 -
\??\c:\nhnhnh.exec:\nhnhnh.exe65⤵
- Executes dropped EXE
PID:908 -
\??\c:\ddjvv.exec:\ddjvv.exe66⤵PID:1496
-
\??\c:\flrfxrx.exec:\flrfxrx.exe67⤵PID:2000
-
\??\c:\rlrfrrl.exec:\rlrfrrl.exe68⤵PID:4352
-
\??\c:\7hbnnh.exec:\7hbnnh.exe69⤵PID:2892
-
\??\c:\tnhhtn.exec:\tnhhtn.exe70⤵PID:4232
-
\??\c:\jjjvj.exec:\jjjvj.exe71⤵PID:1996
-
\??\c:\rrrrxxl.exec:\rrrrxxl.exe72⤵PID:2684
-
\??\c:\tbhthh.exec:\tbhthh.exe73⤵PID:3012
-
\??\c:\bntttn.exec:\bntttn.exe74⤵PID:1148
-
\??\c:\dpvjv.exec:\dpvjv.exe75⤵PID:4916
-
\??\c:\ppjvj.exec:\ppjvj.exe76⤵PID:3720
-
\??\c:\3ffrfxr.exec:\3ffrfxr.exe77⤵PID:3524
-
\??\c:\bnthtt.exec:\bnthtt.exe78⤵PID:2408
-
\??\c:\btnhhb.exec:\btnhhb.exe79⤵PID:5060
-
\??\c:\vpvjj.exec:\vpvjj.exe80⤵PID:4356
-
\??\c:\lxxlxlx.exec:\lxxlxlx.exe81⤵PID:4404
-
\??\c:\9xrfrlf.exec:\9xrfrlf.exe82⤵PID:4764
-
\??\c:\btthbt.exec:\btthbt.exe83⤵PID:312
-
\??\c:\thhtnh.exec:\thhtnh.exe84⤵PID:4652
-
\??\c:\vdddd.exec:\vdddd.exe85⤵PID:472
-
\??\c:\ddjvv.exec:\ddjvv.exe86⤵PID:4468
-
\??\c:\9xxlxrl.exec:\9xxlxrl.exe87⤵PID:2064
-
\??\c:\xrlxlfx.exec:\xrlxlfx.exe88⤵PID:5024
-
\??\c:\dvjdp.exec:\dvjdp.exe89⤵PID:1920
-
\??\c:\1xfxlfr.exec:\1xfxlfr.exe90⤵PID:3588
-
\??\c:\9bthbt.exec:\9bthbt.exe91⤵PID:2784
-
\??\c:\nbbtbt.exec:\nbbtbt.exe92⤵PID:3268
-
\??\c:\djpdv.exec:\djpdv.exe93⤵PID:2368
-
\??\c:\lfrrlfx.exec:\lfrrlfx.exe94⤵PID:1620
-
\??\c:\1nhbnn.exec:\1nhbnn.exe95⤵PID:4456
-
\??\c:\7ddpj.exec:\7ddpj.exe96⤵PID:4952
-
\??\c:\5bhbhh.exec:\5bhbhh.exe97⤵PID:3336
-
\??\c:\jdpjp.exec:\jdpjp.exe98⤵PID:1868
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe99⤵PID:3800
-
\??\c:\btbtnn.exec:\btbtnn.exe100⤵PID:1036
-
\??\c:\btbtnn.exec:\btbtnn.exe101⤵PID:4412
-
\??\c:\hnbbbb.exec:\hnbbbb.exe102⤵PID:4888
-
\??\c:\jdvjd.exec:\jdvjd.exe103⤵PID:4276
-
\??\c:\htbnbt.exec:\htbnbt.exe104⤵PID:3176
-
\??\c:\rxxrrrl.exec:\rxxrrrl.exe105⤵
- System Location Discovery: System Language Discovery
PID:1088 -
\??\c:\7dvvp.exec:\7dvvp.exe106⤵PID:3952
-
\??\c:\bhnhtn.exec:\bhnhtn.exe107⤵PID:4748
-
\??\c:\pjpjj.exec:\pjpjj.exe108⤵PID:2852
-
\??\c:\lflffrx.exec:\lflffrx.exe109⤵PID:420
-
\??\c:\nhnbnh.exec:\nhnbnh.exe110⤵PID:3532
-
\??\c:\3vdvp.exec:\3vdvp.exe111⤵PID:4060
-
\??\c:\rlrflfx.exec:\rlrflfx.exe112⤵PID:4004
-
\??\c:\nhnhnn.exec:\nhnhnn.exe113⤵PID:2752
-
\??\c:\tnbnhh.exec:\tnbnhh.exe114⤵PID:4396
-
\??\c:\1ppdp.exec:\1ppdp.exe115⤵PID:3180
-
\??\c:\9rxlflf.exec:\9rxlflf.exe116⤵PID:4400
-
\??\c:\3nhbnn.exec:\3nhbnn.exe117⤵PID:1756
-
\??\c:\lxxxrxl.exec:\lxxxrxl.exe118⤵PID:2500
-
\??\c:\btbthb.exec:\btbthb.exe119⤵PID:2152
-
\??\c:\9ddvj.exec:\9ddvj.exe120⤵PID:3316
-
\??\c:\5rlfrlx.exec:\5rlfrlx.exe121⤵PID:2764
-
\??\c:\ppvpj.exec:\ppvpj.exe122⤵PID:4704