Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 01:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ac4a4d9955681bc5b64b9f8f8a396998b1c29d4be900a18cd6e9330ea185236.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
7ac4a4d9955681bc5b64b9f8f8a396998b1c29d4be900a18cd6e9330ea185236.exe
-
Size
456KB
-
MD5
cfc564fd6ab46ae44b73e7f871553c52
-
SHA1
a4db7b4c317ca1f63dcdf328ab32933fdbb118ee
-
SHA256
7ac4a4d9955681bc5b64b9f8f8a396998b1c29d4be900a18cd6e9330ea185236
-
SHA512
86b437fa648e289d3f10d38370d16be7d7ff418a6ab8b6886ba9db5d344fcfce8d2db315b4d25b883eee48ca061a59dceabfe819ee6a103e0cb0555aa1628f2a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR8w:q7Tc2NYHUrAwfMp3CDRp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3304-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4556-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3052-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-899-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-960-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-1037-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-1065-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-1292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-1376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3864-1392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3304 vvppj.exe 4852 lfrlxrl.exe 3200 bbhtnh.exe 4040 bbbbtt.exe 2924 7xxlfxr.exe 1332 nntnhb.exe 2876 hnhthb.exe 3576 ntbnhn.exe 4256 bhbttn.exe 3588 httnhb.exe 4000 pjjvd.exe 2524 htntnn.exe 552 vjdpj.exe 3420 tttnhh.exe 2856 jdvpj.exe 3308 7rlxfxx.exe 4752 9xrfxrl.exe 4060 tbhtnh.exe 1756 vpvpj.exe 2388 pvdvp.exe 4916 bnnbnh.exe 5004 frxxrrl.exe 716 1pvvv.exe 2624 5nttnb.exe 3132 1pjvp.exe 1472 lfxxrxr.exe 3292 xrxrfxx.exe 1644 rrxrfxx.exe 4556 lflfxrl.exe 1984 9nbtnn.exe 1816 htbntn.exe 1268 ppvdp.exe 4496 vjvvp.exe 1284 lflfffx.exe 3980 nbbtnh.exe 4064 ppjdp.exe 1760 lfrlfxl.exe 460 tnbtbt.exe 4640 ppvdd.exe 392 frrfxrl.exe 2896 nhhbtt.exe 4516 7bttnn.exe 3140 pppdv.exe 548 7rxrlxx.exe 4164 vpvjv.exe 4204 frrfrrf.exe 4632 bhhbnh.exe 4612 djpdv.exe 5028 dvdvp.exe 2848 lxfrfxr.exe 4316 lffxrlf.exe 4676 thnbtt.exe 3416 vjpjd.exe 4648 jvdpj.exe 596 rlrxxlr.exe 2680 nhhbtn.exe 3408 pjpdj.exe 3124 lxffxfx.exe 3524 fxxrrlf.exe 4180 7ttnhh.exe 1516 vddvp.exe 116 flrlfxl.exe 1988 lxfxrrl.exe 4580 bhnhbb.exe -
resource yara_rule behavioral2/memory/3304-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4556-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/232-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-899-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-960-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-1037-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnntn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3512 wrote to memory of 3304 3512 7ac4a4d9955681bc5b64b9f8f8a396998b1c29d4be900a18cd6e9330ea185236.exe 82 PID 3512 wrote to memory of 3304 3512 7ac4a4d9955681bc5b64b9f8f8a396998b1c29d4be900a18cd6e9330ea185236.exe 82 PID 3512 wrote to memory of 3304 3512 7ac4a4d9955681bc5b64b9f8f8a396998b1c29d4be900a18cd6e9330ea185236.exe 82 PID 3304 wrote to memory of 4852 3304 vvppj.exe 83 PID 3304 wrote to memory of 4852 3304 vvppj.exe 83 PID 3304 wrote to memory of 4852 3304 vvppj.exe 83 PID 4852 wrote to memory of 3200 4852 lfrlxrl.exe 84 PID 4852 wrote to memory of 3200 4852 lfrlxrl.exe 84 PID 4852 wrote to memory of 3200 4852 lfrlxrl.exe 84 PID 3200 wrote to memory of 4040 3200 bbhtnh.exe 85 PID 3200 wrote to memory of 4040 3200 bbhtnh.exe 85 PID 3200 wrote to memory of 4040 3200 bbhtnh.exe 85 PID 4040 wrote to memory of 2924 4040 bbbbtt.exe 86 PID 4040 wrote to memory of 2924 4040 bbbbtt.exe 86 PID 4040 wrote to memory of 2924 4040 bbbbtt.exe 86 PID 2924 wrote to memory of 1332 2924 7xxlfxr.exe 87 PID 2924 wrote to memory of 1332 2924 7xxlfxr.exe 87 PID 2924 wrote to memory of 1332 2924 7xxlfxr.exe 87 PID 1332 wrote to memory of 2876 1332 nntnhb.exe 88 PID 1332 wrote to memory of 2876 1332 nntnhb.exe 88 PID 1332 wrote to memory of 2876 1332 nntnhb.exe 88 PID 2876 wrote to memory of 3576 2876 hnhthb.exe 89 PID 2876 wrote to memory of 3576 2876 hnhthb.exe 89 PID 2876 wrote to memory of 3576 2876 hnhthb.exe 89 PID 3576 wrote to memory of 4256 3576 ntbnhn.exe 90 PID 3576 wrote to memory of 4256 3576 ntbnhn.exe 90 PID 3576 wrote to memory of 4256 3576 ntbnhn.exe 90 PID 4256 wrote to memory of 3588 4256 bhbttn.exe 91 PID 4256 wrote to memory of 3588 4256 bhbttn.exe 91 PID 4256 wrote to memory of 3588 4256 bhbttn.exe 91 PID 3588 wrote to memory of 4000 3588 httnhb.exe 92 PID 3588 wrote to memory of 4000 3588 httnhb.exe 92 PID 3588 wrote to memory of 4000 3588 httnhb.exe 92 PID 4000 wrote to memory of 2524 4000 pjjvd.exe 93 PID 4000 wrote to 
memory of 2524 4000 pjjvd.exe 93 PID 4000 wrote to memory of 2524 4000 pjjvd.exe 93 PID 2524 wrote to memory of 552 2524 htntnn.exe 94 PID 2524 wrote to memory of 552 2524 htntnn.exe 94 PID 2524 wrote to memory of 552 2524 htntnn.exe 94 PID 552 wrote to memory of 3420 552 vjdpj.exe 95 PID 552 wrote to memory of 3420 552 vjdpj.exe 95 PID 552 wrote to memory of 3420 552 vjdpj.exe 95 PID 3420 wrote to memory of 2856 3420 tttnhh.exe 96 PID 3420 wrote to memory of 2856 3420 tttnhh.exe 96 PID 3420 wrote to memory of 2856 3420 tttnhh.exe 96 PID 2856 wrote to memory of 3308 2856 jdvpj.exe 97 PID 2856 wrote to memory of 3308 2856 jdvpj.exe 97 PID 2856 wrote to memory of 3308 2856 jdvpj.exe 97 PID 3308 wrote to memory of 4752 3308 7rlxfxx.exe 98 PID 3308 wrote to memory of 4752 3308 7rlxfxx.exe 98 PID 3308 wrote to memory of 4752 3308 7rlxfxx.exe 98 PID 4752 wrote to memory of 4060 4752 9xrfxrl.exe 99 PID 4752 wrote to memory of 4060 4752 9xrfxrl.exe 99 PID 4752 wrote to memory of 4060 4752 9xrfxrl.exe 99 PID 4060 wrote to memory of 1756 4060 tbhtnh.exe 100 PID 4060 wrote to memory of 1756 4060 tbhtnh.exe 100 PID 4060 wrote to memory of 1756 4060 tbhtnh.exe 100 PID 1756 wrote to memory of 2388 1756 vpvpj.exe 101 PID 1756 wrote to memory of 2388 1756 vpvpj.exe 101 PID 1756 wrote to memory of 2388 1756 vpvpj.exe 101 PID 2388 wrote to memory of 4916 2388 pvdvp.exe 102 PID 2388 wrote to memory of 4916 2388 pvdvp.exe 102 PID 2388 wrote to memory of 4916 2388 pvdvp.exe 102 PID 4916 wrote to memory of 5004 4916 bnnbnh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ac4a4d9955681bc5b64b9f8f8a396998b1c29d4be900a18cd6e9330ea185236.exe"C:\Users\Admin\AppData\Local\Temp\7ac4a4d9955681bc5b64b9f8f8a396998b1c29d4be900a18cd6e9330ea185236.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\vvppj.exec:\vvppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\lfrlxrl.exec:\lfrlxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\bbhtnh.exec:\bbhtnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\bbbbtt.exec:\bbbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\7xxlfxr.exec:\7xxlfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\nntnhb.exec:\nntnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\hnhthb.exec:\hnhthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\ntbnhn.exec:\ntbnhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\bhbttn.exec:\bhbttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\httnhb.exec:\httnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\pjjvd.exec:\pjjvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\htntnn.exec:\htntnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\vjdpj.exec:\vjdpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\tttnhh.exec:\tttnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\jdvpj.exec:\jdvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\7rlxfxx.exec:\7rlxfxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\9xrfxrl.exec:\9xrfxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\tbhtnh.exec:\tbhtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\vpvpj.exec:\vpvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\pvdvp.exec:\pvdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\bnnbnh.exec:\bnnbnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\frxxrrl.exec:\frxxrrl.exe23⤵
- Executes dropped EXE
PID:5004 -
\??\c:\1pvvv.exec:\1pvvv.exe24⤵
- Executes dropped EXE
PID:716 -
\??\c:\5nttnb.exec:\5nttnb.exe25⤵
- Executes dropped EXE
PID:2624 -
\??\c:\1pjvp.exec:\1pjvp.exe26⤵
- Executes dropped EXE
PID:3132 -
\??\c:\lfxxrxr.exec:\lfxxrxr.exe27⤵
- Executes dropped EXE
PID:1472 -
\??\c:\xrxrfxx.exec:\xrxrfxx.exe28⤵
- Executes dropped EXE
PID:3292 -
\??\c:\rrxrfxx.exec:\rrxrfxx.exe29⤵
- Executes dropped EXE
PID:1644 -
\??\c:\lflfxrl.exec:\lflfxrl.exe30⤵
- Executes dropped EXE
PID:4556 -
\??\c:\9nbtnn.exec:\9nbtnn.exe31⤵
- Executes dropped EXE
PID:1984 -
\??\c:\htbntn.exec:\htbntn.exe32⤵
- Executes dropped EXE
PID:1816 -
\??\c:\ppvdp.exec:\ppvdp.exe33⤵
- Executes dropped EXE
PID:1268 -
\??\c:\vjvvp.exec:\vjvvp.exe34⤵
- Executes dropped EXE
PID:4496 -
\??\c:\lflfffx.exec:\lflfffx.exe35⤵
- Executes dropped EXE
PID:1284 -
\??\c:\nbbtnh.exec:\nbbtnh.exe36⤵
- Executes dropped EXE
PID:3980 -
\??\c:\ppjdp.exec:\ppjdp.exe37⤵
- Executes dropped EXE
PID:4064 -
\??\c:\lfrlfxl.exec:\lfrlfxl.exe38⤵
- Executes dropped EXE
PID:1760 -
\??\c:\tnbtbt.exec:\tnbtbt.exe39⤵
- Executes dropped EXE
PID:460 -
\??\c:\ppvdd.exec:\ppvdd.exe40⤵
- Executes dropped EXE
PID:4640 -
\??\c:\frrfxrl.exec:\frrfxrl.exe41⤵
- Executes dropped EXE
PID:392 -
\??\c:\nhhbtt.exec:\nhhbtt.exe42⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7bttnn.exec:\7bttnn.exe43⤵
- Executes dropped EXE
PID:4516 -
\??\c:\pppdv.exec:\pppdv.exe44⤵
- Executes dropped EXE
PID:3140 -
\??\c:\7rxrlxx.exec:\7rxrlxx.exe45⤵
- Executes dropped EXE
PID:548 -
\??\c:\vpvjv.exec:\vpvjv.exe46⤵
- Executes dropped EXE
PID:4164 -
\??\c:\frrfrrf.exec:\frrfrrf.exe47⤵
- Executes dropped EXE
PID:4204 -
\??\c:\bhhbnh.exec:\bhhbnh.exe48⤵
- Executes dropped EXE
PID:4632 -
\??\c:\djpdv.exec:\djpdv.exe49⤵
- Executes dropped EXE
PID:4612 -
\??\c:\dvdvp.exec:\dvdvp.exe50⤵
- Executes dropped EXE
PID:5028 -
\??\c:\lxfrfxr.exec:\lxfrfxr.exe51⤵
- Executes dropped EXE
PID:2848 -
\??\c:\lffxrlf.exec:\lffxrlf.exe52⤵
- Executes dropped EXE
PID:4316 -
\??\c:\thnbtt.exec:\thnbtt.exe53⤵
- Executes dropped EXE
PID:4676 -
\??\c:\vjpjd.exec:\vjpjd.exe54⤵
- Executes dropped EXE
PID:3416 -
\??\c:\jvdpj.exec:\jvdpj.exe55⤵
- Executes dropped EXE
PID:4648 -
\??\c:\rlrxxlr.exec:\rlrxxlr.exe56⤵
- Executes dropped EXE
PID:596 -
\??\c:\nhhbtn.exec:\nhhbtn.exe57⤵
- Executes dropped EXE
PID:2680 -
\??\c:\pjpdj.exec:\pjpdj.exe58⤵
- Executes dropped EXE
PID:3408 -
\??\c:\lxffxfx.exec:\lxffxfx.exe59⤵
- Executes dropped EXE
PID:3124 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe60⤵
- Executes dropped EXE
PID:3524 -
\??\c:\7ttnhh.exec:\7ttnhh.exe61⤵
- Executes dropped EXE
PID:4180 -
\??\c:\vddvp.exec:\vddvp.exe62⤵
- Executes dropped EXE
PID:1516 -
\??\c:\flrlfxl.exec:\flrlfxl.exe63⤵
- Executes dropped EXE
PID:116 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe64⤵
- Executes dropped EXE
PID:1988 -
\??\c:\bhnhbb.exec:\bhnhbb.exe65⤵
- Executes dropped EXE
PID:4580 -
\??\c:\jvjdp.exec:\jvjdp.exe66⤵PID:2964
-
\??\c:\vppjd.exec:\vppjd.exe67⤵PID:4536
-
\??\c:\rxlfrrr.exec:\rxlfrrr.exe68⤵PID:1172
-
\??\c:\nhhbtn.exec:\nhhbtn.exe69⤵PID:4248
-
\??\c:\pjjjd.exec:\pjjjd.exe70⤵PID:3856
-
\??\c:\lllfxlf.exec:\lllfxlf.exe71⤵PID:368
-
\??\c:\nbhbnh.exec:\nbhbnh.exe72⤵PID:1260
-
\??\c:\1jdpj.exec:\1jdpj.exe73⤵PID:3052
-
\??\c:\3vvpd.exec:\3vvpd.exe74⤵PID:2468
-
\??\c:\rlrrxfl.exec:\rlrrxfl.exe75⤵
- System Location Discovery: System Language Discovery
PID:3420 -
\??\c:\7bhbhh.exec:\7bhbhh.exe76⤵PID:2856
-
\??\c:\vjpjp.exec:\vjpjp.exe77⤵PID:3636
-
\??\c:\pvddv.exec:\pvddv.exe78⤵PID:4944
-
\??\c:\lrfxrrl.exec:\lrfxrrl.exe79⤵PID:1720
-
\??\c:\bttbht.exec:\bttbht.exe80⤵PID:5020
-
\??\c:\vvdvp.exec:\vvdvp.exe81⤵PID:968
-
\??\c:\lfffxxx.exec:\lfffxxx.exe82⤵PID:1196
-
\??\c:\tnhbbn.exec:\tnhbbn.exe83⤵PID:4812
-
\??\c:\hhbtnh.exec:\hhbtnh.exe84⤵PID:1680
-
\??\c:\1pdvj.exec:\1pdvj.exe85⤵PID:1548
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe86⤵PID:3076
-
\??\c:\rffxrrf.exec:\rffxrrf.exe87⤵PID:1852
-
\??\c:\nbbnhb.exec:\nbbnhb.exe88⤵PID:2620
-
\??\c:\pddjv.exec:\pddjv.exe89⤵PID:3424
-
\??\c:\frlfxrr.exec:\frlfxrr.exe90⤵PID:2692
-
\??\c:\xrlxrlr.exec:\xrlxrlr.exe91⤵PID:2872
-
\??\c:\thhbtn.exec:\thhbtn.exe92⤵PID:1616
-
\??\c:\1vvpj.exec:\1vvpj.exe93⤵PID:1780
-
\??\c:\7jvjp.exec:\7jvjp.exe94⤵PID:3292
-
\??\c:\nnttnh.exec:\nnttnh.exe95⤵PID:4520
-
\??\c:\nhbthh.exec:\nhbthh.exe96⤵PID:864
-
\??\c:\ddppj.exec:\ddppj.exe97⤵PID:1028
-
\??\c:\xrrxffl.exec:\xrrxffl.exe98⤵PID:908
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe99⤵PID:2804
-
\??\c:\hnbtnh.exec:\hnbtnh.exe100⤵PID:3404
-
\??\c:\ppppj.exec:\ppppj.exe101⤵PID:232
-
\??\c:\rflrffx.exec:\rflrffx.exe102⤵
- System Location Discovery: System Language Discovery
PID:4496 -
\??\c:\btnttt.exec:\btnttt.exe103⤵PID:516
-
\??\c:\jdjpd.exec:\jdjpd.exe104⤵PID:8
-
\??\c:\5flfxxx.exec:\5flfxxx.exe105⤵PID:4064
-
\??\c:\hbtnhh.exec:\hbtnhh.exe106⤵PID:2788
-
\??\c:\ttbtnh.exec:\ttbtnh.exe107⤵PID:812
-
\??\c:\pdjdv.exec:\pdjdv.exe108⤵PID:3584
-
\??\c:\xrrrrfr.exec:\xrrrrfr.exe109⤵PID:676
-
\??\c:\tttbnb.exec:\tttbnb.exe110⤵PID:4488
-
\??\c:\7bhhtb.exec:\7bhhtb.exe111⤵PID:3948
-
\??\c:\jvvpj.exec:\jvvpj.exe112⤵PID:4748
-
\??\c:\3rrllrl.exec:\3rrllrl.exe113⤵PID:648
-
\??\c:\btnhbt.exec:\btnhbt.exe114⤵PID:4380
-
\??\c:\9thbnn.exec:\9thbnn.exe115⤵PID:4164
-
\??\c:\1pdvp.exec:\1pdvp.exe116⤵PID:4204
-
\??\c:\fxrfxxr.exec:\fxrfxxr.exe117⤵PID:4632
-
\??\c:\frxrrrr.exec:\frxrrrr.exe118⤵PID:4776
-
\??\c:\bttnhh.exec:\bttnhh.exe119⤵PID:4300
-
\??\c:\vjvvj.exec:\vjvvj.exe120⤵PID:4304
-
\??\c:\7frrxxf.exec:\7frrxxf.exe121⤵PID:776
-
\??\c:\9fllrrx.exec:\9fllrrx.exe122⤵PID:2432