Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29/12/2024, 03:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c4e3ee804d9fb9dd306a88dcde3bb21e196fedc4038c157f151746e8a6600ab3.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c4e3ee804d9fb9dd306a88dcde3bb21e196fedc4038c157f151746e8a6600ab3.exe
-
Size
455KB
-
MD5
7bc90ec0afd9d0d6a07309904d891094
-
SHA1
d3d91e21f53ba5022523fa101dd41891e4679092
-
SHA256
c4e3ee804d9fb9dd306a88dcde3bb21e196fedc4038c157f151746e8a6600ab3
-
SHA512
0dd0f22e7f8d8fc508ba62f25ad3eab5a53cedce74f47b6d33f1a178672c86a801d4ad0a7f032bcac16a70e159d481985dab9ab6bd9e21c04dca73ae69f2175f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures (the detailed results below are tagged behavioral2, i.e. the win10v2004-20241007-en run described in the header; the behavioral1 task on win7-20240903-en is only summarized above and its 7 signatures are not itemized here)
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4376-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1644-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4940-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-920-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-984-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-1926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list is capped at 64 entries; the process tree below shows a chain of more than 120 nested dropped executables, each one spawning the next, all written to the root of c:\)
pid Process 4872 hbbbtt.exe 2124 pvjjd.exe 3328 bbtbth.exe 3424 nhttnn.exe 3828 pvdvp.exe 2716 xlrxrlf.exe 2284 nbhbnn.exe 4988 pdppj.exe 4992 rlrlffx.exe 3152 vvvjd.exe 436 thbhhh.exe 1828 tntbnh.exe 536 tnnnnn.exe 444 5vjdj.exe 4412 rfrlxxr.exe 4628 1vdvp.exe 4668 vjvdv.exe 856 lrrllxx.exe 3000 pvvpp.exe 4688 tbbntb.exe 4788 3lffllx.exe 4296 hhhhnt.exe 3292 lrrfrfl.exe 1756 xllfrrl.exe 1644 bttttt.exe 1976 rrrrrrr.exe 3568 ttbbtt.exe 424 7rrrlrl.exe 3128 1htttn.exe 1076 pjvjd.exe 2416 3pvpp.exe 1860 xxrrrrl.exe 4924 lrfxxxr.exe 2208 bnbtnn.exe 4200 jvpjj.exe 3848 3vvpd.exe 3460 lfllxxx.exe 2272 hhbtbb.exe 1636 xxffxxx.exe 2408 lflfllf.exe 1608 tnbttt.exe 4672 ppppj.exe 1384 frxxxfl.exe 3308 7tnhhh.exe 2240 djdvp.exe 3964 ffllrrx.exe 4856 ttttnn.exe 4276 nhnhtt.exe 3324 pjpjd.exe 1352 tnhbbt.exe 3708 5vppp.exe 3560 5lfxrrl.exe 1420 bhhhbn.exe 3352 3djdj.exe 1596 fxllfxx.exe 4188 fffrlxr.exe 2716 1bbtth.exe 1896 dvvpj.exe 1836 llrrlrl.exe 3528 3btnhh.exe 3684 thhtnh.exe 4704 vdvvp.exe 3208 llfxxxx.exe 3152 nnnnhn.exe -
resource yara_rule behavioral2/memory/4376-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1644-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2740-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-793-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note: most entries below report the actor as "Process not Found" — the process had most likely already exited by the time the sandbox resolved the PID (each stage of the dropper chain is short-lived, and PIDs such as 2716, 3152, 3828 and 4628 are reused further down the tree), so correlate these registry reads by PID and time rather than by process name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4376 wrote to memory of 4872 4376 c4e3ee804d9fb9dd306a88dcde3bb21e196fedc4038c157f151746e8a6600ab3.exe 83 PID 4376 wrote to memory of 4872 4376 c4e3ee804d9fb9dd306a88dcde3bb21e196fedc4038c157f151746e8a6600ab3.exe 83 PID 4376 wrote to memory of 4872 4376 c4e3ee804d9fb9dd306a88dcde3bb21e196fedc4038c157f151746e8a6600ab3.exe 83 PID 4872 wrote to memory of 2124 4872 hbbbtt.exe 84 PID 4872 wrote to memory of 2124 4872 hbbbtt.exe 84 PID 4872 wrote to memory of 2124 4872 hbbbtt.exe 84 PID 2124 wrote to memory of 3328 2124 pvjjd.exe 85 PID 2124 wrote to memory of 3328 2124 pvjjd.exe 85 PID 2124 wrote to memory of 3328 2124 pvjjd.exe 85 PID 3328 wrote to memory of 3424 3328 bbtbth.exe 86 PID 3328 wrote to memory of 3424 3328 bbtbth.exe 86 PID 3328 wrote to memory of 3424 3328 bbtbth.exe 86 PID 3424 wrote to memory of 3828 3424 nhttnn.exe 87 PID 3424 wrote to memory of 3828 3424 nhttnn.exe 87 PID 3424 wrote to memory of 3828 3424 nhttnn.exe 87 PID 3828 wrote to memory of 2716 3828 pvdvp.exe 88 PID 3828 wrote to memory of 2716 3828 pvdvp.exe 88 PID 3828 wrote to memory of 2716 3828 pvdvp.exe 88 PID 2716 wrote to memory of 2284 2716 xlrxrlf.exe 89 PID 2716 wrote to memory of 2284 2716 xlrxrlf.exe 89 PID 2716 wrote to memory of 2284 2716 xlrxrlf.exe 89 PID 2284 wrote to memory of 4988 2284 nbhbnn.exe 90 PID 2284 wrote to memory of 4988 2284 nbhbnn.exe 90 PID 2284 wrote to memory of 4988 2284 nbhbnn.exe 90 PID 4988 wrote to memory of 4992 4988 pdppj.exe 91 PID 4988 wrote to memory of 4992 4988 pdppj.exe 91 PID 4988 wrote to memory of 4992 4988 pdppj.exe 91 PID 4992 wrote to memory of 3152 4992 rlrlffx.exe 92 PID 4992 wrote to memory of 3152 4992 rlrlffx.exe 92 PID 4992 wrote to memory of 3152 4992 rlrlffx.exe 92 PID 3152 wrote to memory of 436 3152 vvvjd.exe 93 PID 3152 wrote to memory of 436 3152 vvvjd.exe 93 PID 3152 wrote to memory of 436 3152 vvvjd.exe 93 PID 436 wrote to memory of 1828 436 thbhhh.exe 94 PID 436 wrote to memory of 
1828 436 thbhhh.exe 94 PID 436 wrote to memory of 1828 436 thbhhh.exe 94 PID 1828 wrote to memory of 536 1828 tntbnh.exe 95 PID 1828 wrote to memory of 536 1828 tntbnh.exe 95 PID 1828 wrote to memory of 536 1828 tntbnh.exe 95 PID 536 wrote to memory of 444 536 tnnnnn.exe 96 PID 536 wrote to memory of 444 536 tnnnnn.exe 96 PID 536 wrote to memory of 444 536 tnnnnn.exe 96 PID 444 wrote to memory of 4412 444 5vjdj.exe 97 PID 444 wrote to memory of 4412 444 5vjdj.exe 97 PID 444 wrote to memory of 4412 444 5vjdj.exe 97 PID 4412 wrote to memory of 4628 4412 rfrlxxr.exe 98 PID 4412 wrote to memory of 4628 4412 rfrlxxr.exe 98 PID 4412 wrote to memory of 4628 4412 rfrlxxr.exe 98 PID 4628 wrote to memory of 4668 4628 1vdvp.exe 99 PID 4628 wrote to memory of 4668 4628 1vdvp.exe 99 PID 4628 wrote to memory of 4668 4628 1vdvp.exe 99 PID 4668 wrote to memory of 856 4668 vjvdv.exe 100 PID 4668 wrote to memory of 856 4668 vjvdv.exe 100 PID 4668 wrote to memory of 856 4668 vjvdv.exe 100 PID 856 wrote to memory of 3000 856 lrrllxx.exe 101 PID 856 wrote to memory of 3000 856 lrrllxx.exe 101 PID 856 wrote to memory of 3000 856 lrrllxx.exe 101 PID 3000 wrote to memory of 4688 3000 pvvpp.exe 102 PID 3000 wrote to memory of 4688 3000 pvvpp.exe 102 PID 3000 wrote to memory of 4688 3000 pvvpp.exe 102 PID 4688 wrote to memory of 4788 4688 tbbntb.exe 103 PID 4688 wrote to memory of 4788 4688 tbbntb.exe 103 PID 4688 wrote to memory of 4788 4688 tbbntb.exe 103 PID 4788 wrote to memory of 4296 4788 3lffllx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4e3ee804d9fb9dd306a88dcde3bb21e196fedc4038c157f151746e8a6600ab3.exe"C:\Users\Admin\AppData\Local\Temp\c4e3ee804d9fb9dd306a88dcde3bb21e196fedc4038c157f151746e8a6600ab3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\hbbbtt.exec:\hbbbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\pvjjd.exec:\pvjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\bbtbth.exec:\bbtbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\nhttnn.exec:\nhttnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\pvdvp.exec:\pvdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\xlrxrlf.exec:\xlrxrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\nbhbnn.exec:\nbhbnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\pdppj.exec:\pdppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\rlrlffx.exec:\rlrlffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\vvvjd.exec:\vvvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\thbhhh.exec:\thbhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\tntbnh.exec:\tntbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\tnnnnn.exec:\tnnnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\5vjdj.exec:\5vjdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\rfrlxxr.exec:\rfrlxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\1vdvp.exec:\1vdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\vjvdv.exec:\vjvdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\lrrllxx.exec:\lrrllxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\pvvpp.exec:\pvvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\tbbntb.exec:\tbbntb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\3lffllx.exec:\3lffllx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\hhhhnt.exec:\hhhhnt.exe23⤵
- Executes dropped EXE
PID:4296 -
\??\c:\lrrfrfl.exec:\lrrfrfl.exe24⤵
- Executes dropped EXE
PID:3292 -
\??\c:\xllfrrl.exec:\xllfrrl.exe25⤵
- Executes dropped EXE
PID:1756 -
\??\c:\bttttt.exec:\bttttt.exe26⤵
- Executes dropped EXE
PID:1644 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe27⤵
- Executes dropped EXE
PID:1976 -
\??\c:\ttbbtt.exec:\ttbbtt.exe28⤵
- Executes dropped EXE
PID:3568 -
\??\c:\7rrrlrl.exec:\7rrrlrl.exe29⤵
- Executes dropped EXE
PID:424 -
\??\c:\1htttn.exec:\1htttn.exe30⤵
- Executes dropped EXE
PID:3128 -
\??\c:\pjvjd.exec:\pjvjd.exe31⤵
- Executes dropped EXE
PID:1076 -
\??\c:\3pvpp.exec:\3pvpp.exe32⤵
- Executes dropped EXE
PID:2416 -
\??\c:\xxrrrrl.exec:\xxrrrrl.exe33⤵
- Executes dropped EXE
PID:1860 -
\??\c:\lrfxxxr.exec:\lrfxxxr.exe34⤵
- Executes dropped EXE
PID:4924 -
\??\c:\bnbtnn.exec:\bnbtnn.exe35⤵
- Executes dropped EXE
PID:2208 -
\??\c:\jvpjj.exec:\jvpjj.exe36⤵
- Executes dropped EXE
PID:4200 -
\??\c:\3vvpd.exec:\3vvpd.exe37⤵
- Executes dropped EXE
PID:3848 -
\??\c:\lfllxxx.exec:\lfllxxx.exe38⤵
- Executes dropped EXE
PID:3460 -
\??\c:\hhbtbb.exec:\hhbtbb.exe39⤵
- Executes dropped EXE
PID:2272 -
\??\c:\xxffxxx.exec:\xxffxxx.exe40⤵
- Executes dropped EXE
PID:1636 -
\??\c:\lflfllf.exec:\lflfllf.exe41⤵
- Executes dropped EXE
PID:2408 -
\??\c:\tnbttt.exec:\tnbttt.exe42⤵
- Executes dropped EXE
PID:1608 -
\??\c:\ppppj.exec:\ppppj.exe43⤵
- Executes dropped EXE
PID:4672 -
\??\c:\frxxxfl.exec:\frxxxfl.exe44⤵
- Executes dropped EXE
PID:1384 -
\??\c:\7tnhhh.exec:\7tnhhh.exe45⤵
- Executes dropped EXE
PID:3308 -
\??\c:\djdvp.exec:\djdvp.exe46⤵
- Executes dropped EXE
PID:2240 -
\??\c:\ffllrrx.exec:\ffllrrx.exe47⤵
- Executes dropped EXE
PID:3964 -
\??\c:\ttttnn.exec:\ttttnn.exe48⤵
- Executes dropped EXE
PID:4856 -
\??\c:\nhnhtt.exec:\nhnhtt.exe49⤵
- Executes dropped EXE
PID:4276 -
\??\c:\pjpjd.exec:\pjpjd.exe50⤵
- Executes dropped EXE
PID:3324 -
\??\c:\5xllllf.exec:\5xllllf.exe51⤵PID:3920
-
\??\c:\tnhbbt.exec:\tnhbbt.exe52⤵
- Executes dropped EXE
PID:1352 -
\??\c:\5vppp.exec:\5vppp.exe53⤵
- Executes dropped EXE
PID:3708 -
\??\c:\5lfxrrl.exec:\5lfxrrl.exe54⤵
- Executes dropped EXE
PID:3560 -
\??\c:\bhhhbn.exec:\bhhhbn.exe55⤵
- Executes dropped EXE
PID:1420 -
\??\c:\3djdj.exec:\3djdj.exe56⤵
- Executes dropped EXE
PID:3352 -
\??\c:\fxllfxx.exec:\fxllfxx.exe57⤵
- Executes dropped EXE
PID:1596 -
\??\c:\fffrlxr.exec:\fffrlxr.exe58⤵
- Executes dropped EXE
PID:4188 -
\??\c:\1bbtth.exec:\1bbtth.exe59⤵
- Executes dropped EXE
PID:2716 -
\??\c:\dvvpj.exec:\dvvpj.exe60⤵
- Executes dropped EXE
PID:1896 -
\??\c:\llrrlrl.exec:\llrrlrl.exe61⤵
- Executes dropped EXE
PID:1836 -
\??\c:\3btnhh.exec:\3btnhh.exe62⤵
- Executes dropped EXE
PID:3528 -
\??\c:\thhtnh.exec:\thhtnh.exe63⤵
- Executes dropped EXE
PID:3684 -
\??\c:\vdvvp.exec:\vdvvp.exe64⤵
- Executes dropped EXE
PID:4704 -
\??\c:\llfxxxx.exec:\llfxxxx.exe65⤵
- Executes dropped EXE
PID:3208 -
\??\c:\nnnnhn.exec:\nnnnhn.exe66⤵
- Executes dropped EXE
PID:3152 -
\??\c:\3jpjd.exec:\3jpjd.exe67⤵PID:1036
-
\??\c:\vpjdj.exec:\vpjdj.exe68⤵PID:3332
-
\??\c:\xxxrllf.exec:\xxxrllf.exe69⤵PID:3624
-
\??\c:\3hhhbt.exec:\3hhhbt.exe70⤵PID:1720
-
\??\c:\dvvpj.exec:\dvvpj.exe71⤵PID:1068
-
\??\c:\lrxxrxx.exec:\lrxxrxx.exe72⤵PID:2404
-
\??\c:\htbttt.exec:\htbttt.exe73⤵PID:1204
-
\??\c:\btbttt.exec:\btbttt.exe74⤵PID:4628
-
\??\c:\ppddj.exec:\ppddj.exe75⤵PID:1472
-
\??\c:\rrrxllx.exec:\rrrxllx.exe76⤵PID:2200
-
\??\c:\ttbbbb.exec:\ttbbbb.exe77⤵PID:220
-
\??\c:\7vddv.exec:\7vddv.exe78⤵PID:2184
-
\??\c:\rllllll.exec:\rllllll.exe79⤵PID:1544
-
\??\c:\xfrrrrx.exec:\xfrrrrx.exe80⤵PID:3580
-
\??\c:\ttbbtb.exec:\ttbbtb.exe81⤵PID:1196
-
\??\c:\pdjjd.exec:\pdjjd.exe82⤵PID:2220
-
\??\c:\5flllll.exec:\5flllll.exe83⤵PID:4480
-
\??\c:\bttnhh.exec:\bttnhh.exe84⤵PID:3136
-
\??\c:\pjpjd.exec:\pjpjd.exe85⤵PID:4828
-
\??\c:\vvjjd.exec:\vvjjd.exe86⤵PID:4940
-
\??\c:\xxrllll.exec:\xxrllll.exe87⤵PID:2740
-
\??\c:\nntnhn.exec:\nntnhn.exe88⤵PID:3864
-
\??\c:\jjppv.exec:\jjppv.exe89⤵PID:2116
-
\??\c:\lrxrlll.exec:\lrxrlll.exe90⤵PID:912
-
\??\c:\xxllfff.exec:\xxllfff.exe91⤵PID:4792
-
\??\c:\hnnhbb.exec:\hnnhbb.exe92⤵PID:3128
-
\??\c:\jvjdv.exec:\jvjdv.exe93⤵PID:4424
-
\??\c:\rfrlffx.exec:\rfrlffx.exe94⤵PID:2872
-
\??\c:\bbhbtt.exec:\bbhbtt.exe95⤵PID:1460
-
\??\c:\nhtnnn.exec:\nhtnnn.exe96⤵PID:4564
-
\??\c:\dvdvp.exec:\dvdvp.exe97⤵PID:4924
-
\??\c:\rlrlxxx.exec:\rlrlxxx.exe98⤵PID:2208
-
\??\c:\hbbthb.exec:\hbbthb.exe99⤵PID:2264
-
\??\c:\nnnnbb.exec:\nnnnbb.exe100⤵PID:3848
-
\??\c:\vvdvj.exec:\vvdvj.exe101⤵PID:2876
-
\??\c:\xrrlffx.exec:\xrrlffx.exe102⤵PID:4764
-
\??\c:\nnbbtt.exec:\nnbbtt.exe103⤵PID:2976
-
\??\c:\pdddv.exec:\pdddv.exe104⤵PID:3196
-
\??\c:\dvpjd.exec:\dvpjd.exe105⤵PID:2064
-
\??\c:\lfflxrr.exec:\lfflxrr.exe106⤵PID:4012
-
\??\c:\9tnhbb.exec:\9tnhbb.exe107⤵PID:2684
-
\??\c:\dvdvv.exec:\dvdvv.exe108⤵PID:4588
-
\??\c:\3lfxrrl.exec:\3lfxrrl.exe109⤵PID:2844
-
\??\c:\xrxlxxr.exec:\xrxlxxr.exe110⤵PID:4496
-
\??\c:\bhhbtt.exec:\bhhbtt.exe111⤵PID:4264
-
\??\c:\jvdjd.exec:\jvdjd.exe112⤵PID:3740
-
\??\c:\xfxrllf.exec:\xfxrllf.exe113⤵PID:3324
-
\??\c:\flxrlrf.exec:\flxrlrf.exe114⤵PID:4516
-
\??\c:\hbhhhn.exec:\hbhhhn.exe115⤵PID:2320
-
\??\c:\9ppvj.exec:\9ppvj.exe116⤵PID:1336
-
\??\c:\dpvpp.exec:\dpvpp.exe117⤵PID:4752
-
\??\c:\fxffxfx.exec:\fxffxfx.exe118⤵PID:924
-
\??\c:\7bhhhh.exec:\7bhhhh.exe119⤵PID:2856
-
\??\c:\ddjjd.exec:\ddjjd.exe120⤵PID:3828
-
\??\c:\dvdvp.exec:\dvdvp.exe121⤵PID:2212
-
\??\c:\xfflfll.exec:\xfflfll.exe122⤵PID:4028