Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe
-
Size
456KB
-
MD5
044c864cf0553ce844727934000d968c
-
SHA1
d845f6017ba164abc08c17d129ff7e42b50dbc6a
-
SHA256
713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08
-
SHA512
7fbd5ce6db4f13cd58d5a12dad8b610c6fe22e5a15b816acd54b5b29ee9675d5910d118487c95554b97044b650045ba8094698f27cb5e8ad073d9f79a2a50931
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4468-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1332-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1128-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1488-1575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1720 tbbbth.exe 1360 vpvpj.exe 4980 ppddv.exe 4676 9ntttb.exe 4556 9xxxxxx.exe 3504 pddpj.exe 3876 jjppj.exe 112 7hnhbh.exe 1400 jjddd.exe 3524 fxlfffx.exe 2144 rlffxff.exe 3696 bhhhbn.exe 3432 ffffxfx.exe 3476 hthnbn.exe 2028 pjvpv.exe 3056 vpvpp.exe 4144 5hhbbh.exe 4064 vppjj.exe 4044 rlrlllf.exe 3332 tnbbbn.exe 3172 jjppv.exe 1332 xrxrrrr.exe 2080 hbnbhh.exe 4472 jdjdp.exe 688 rrlrlrr.exe 3856 ntnnnt.exe 5004 dpdpj.exe 3196 hnhhhh.exe 2060 vjjjv.exe 1820 htbbtt.exe 880 5ttnhh.exe 1048 ffrrrrx.exe 4780 vjpjj.exe 3272 1dpjp.exe 3924 1rrlllf.exe 1976 1tbnhn.exe 772 vvdjj.exe 3808 frffxff.exe 2496 hnthhh.exe 4560 9jpdd.exe 936 rxlfrxx.exe 4344 3tbtbh.exe 2440 pjjpj.exe 4436 xlrrxlr.exe 4916 hhhhbh.exe 212 bbbnhb.exe 1952 vjjvp.exe 1028 fxrfxrl.exe 4020 5ttnbt.exe 1392 1jjvv.exe 3632 3lxxxxx.exe 4824 7nnnnn.exe 4704 bnbtnn.exe 4584 pjpjj.exe 3160 rrfxfff.exe 624 1rllfff.exe 3504 9hhnnn.exe 4156 5pvvp.exe 2788 5fxrlxr.exe 4952 bhtnhn.exe 3372 9ddvp.exe 1128 ddjjj.exe 3524 frllxxx.exe 3748 9tbtnn.exe -
resource yara_rule behavioral2/memory/4468-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/688-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-333-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3060-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-908-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xflrrf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4468 wrote to memory of 1720 4468 713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe 82 PID 4468 wrote to memory of 1720 4468 713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe 82 PID 4468 wrote to memory of 1720 4468 713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe 82 PID 1720 wrote to memory of 1360 1720 tbbbth.exe 83 PID 1720 wrote to memory of 1360 1720 tbbbth.exe 83 PID 1720 wrote to memory of 1360 1720 tbbbth.exe 83 PID 1360 wrote to memory of 4980 1360 vpvpj.exe 84 PID 1360 wrote to memory of 4980 1360 vpvpj.exe 84 PID 1360 wrote to memory of 4980 1360 vpvpj.exe 84 PID 4980 wrote to memory of 4676 4980 ppddv.exe 85 PID 4980 wrote to memory of 4676 4980 ppddv.exe 85 PID 4980 wrote to memory of 4676 4980 ppddv.exe 85 PID 4676 wrote to memory of 4556 4676 9ntttb.exe 86 PID 4676 wrote to memory of 4556 4676 9ntttb.exe 86 PID 4676 wrote to memory of 4556 4676 9ntttb.exe 86 PID 4556 wrote to memory of 3504 4556 9xxxxxx.exe 87 PID 4556 wrote to memory of 3504 4556 9xxxxxx.exe 87 PID 4556 wrote to memory of 3504 4556 9xxxxxx.exe 87 PID 3504 wrote to memory of 3876 3504 pddpj.exe 88 PID 3504 wrote to memory of 3876 3504 pddpj.exe 88 PID 3504 wrote to memory of 3876 3504 pddpj.exe 88 PID 3876 wrote to memory of 112 3876 jjppj.exe 89 PID 3876 wrote to memory of 112 3876 jjppj.exe 89 PID 3876 wrote to memory of 112 3876 jjppj.exe 89 PID 112 wrote to memory of 1400 112 7hnhbh.exe 90 PID 112 wrote to memory of 1400 112 7hnhbh.exe 90 PID 112 wrote to memory of 1400 112 7hnhbh.exe 90 PID 1400 wrote to memory of 3524 1400 jjddd.exe 91 PID 1400 wrote to memory of 3524 1400 jjddd.exe 91 PID 1400 wrote to memory of 3524 1400 jjddd.exe 91 PID 3524 wrote to memory of 2144 3524 fxlfffx.exe 92 PID 3524 wrote to memory of 2144 3524 fxlfffx.exe 92 PID 3524 wrote to memory of 2144 3524 fxlfffx.exe 92 PID 2144 wrote to memory of 3696 2144 rlffxff.exe 93 PID 2144 wrote to memory of 3696 
2144 rlffxff.exe 93 PID 2144 wrote to memory of 3696 2144 rlffxff.exe 93 PID 3696 wrote to memory of 3432 3696 bhhhbn.exe 94 PID 3696 wrote to memory of 3432 3696 bhhhbn.exe 94 PID 3696 wrote to memory of 3432 3696 bhhhbn.exe 94 PID 3432 wrote to memory of 3476 3432 ffffxfx.exe 95 PID 3432 wrote to memory of 3476 3432 ffffxfx.exe 95 PID 3432 wrote to memory of 3476 3432 ffffxfx.exe 95 PID 3476 wrote to memory of 2028 3476 hthnbn.exe 96 PID 3476 wrote to memory of 2028 3476 hthnbn.exe 96 PID 3476 wrote to memory of 2028 3476 hthnbn.exe 96 PID 2028 wrote to memory of 3056 2028 pjvpv.exe 97 PID 2028 wrote to memory of 3056 2028 pjvpv.exe 97 PID 2028 wrote to memory of 3056 2028 pjvpv.exe 97 PID 3056 wrote to memory of 4144 3056 vpvpp.exe 98 PID 3056 wrote to memory of 4144 3056 vpvpp.exe 98 PID 3056 wrote to memory of 4144 3056 vpvpp.exe 98 PID 4144 wrote to memory of 4064 4144 5hhbbh.exe 99 PID 4144 wrote to memory of 4064 4144 5hhbbh.exe 99 PID 4144 wrote to memory of 4064 4144 5hhbbh.exe 99 PID 4064 wrote to memory of 4044 4064 vppjj.exe 100 PID 4064 wrote to memory of 4044 4064 vppjj.exe 100 PID 4064 wrote to memory of 4044 4064 vppjj.exe 100 PID 4044 wrote to memory of 3332 4044 rlrlllf.exe 101 PID 4044 wrote to memory of 3332 4044 rlrlllf.exe 101 PID 4044 wrote to memory of 3332 4044 rlrlllf.exe 101 PID 3332 wrote to memory of 3172 3332 tnbbbn.exe 102 PID 3332 wrote to memory of 3172 3332 tnbbbn.exe 102 PID 3332 wrote to memory of 3172 3332 tnbbbn.exe 102 PID 3172 wrote to memory of 1332 3172 jjppv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe"C:\Users\Admin\AppData\Local\Temp\713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\tbbbth.exec:\tbbbth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\vpvpj.exec:\vpvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\ppddv.exec:\ppddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\9ntttb.exec:\9ntttb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\9xxxxxx.exec:\9xxxxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\pddpj.exec:\pddpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\jjppj.exec:\jjppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\7hnhbh.exec:\7hnhbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\jjddd.exec:\jjddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\fxlfffx.exec:\fxlfffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\rlffxff.exec:\rlffxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\bhhhbn.exec:\bhhhbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\ffffxfx.exec:\ffffxfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\hthnbn.exec:\hthnbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\pjvpv.exec:\pjvpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\vpvpp.exec:\vpvpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\5hhbbh.exec:\5hhbbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\vppjj.exec:\vppjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\rlrlllf.exec:\rlrlllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\tnbbbn.exec:\tnbbbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\jjppv.exec:\jjppv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe23⤵
- Executes dropped EXE
PID:1332 -
\??\c:\hbnbhh.exec:\hbnbhh.exe24⤵
- Executes dropped EXE
PID:2080 -
\??\c:\jdjdp.exec:\jdjdp.exe25⤵
- Executes dropped EXE
PID:4472 -
\??\c:\rrlrlrr.exec:\rrlrlrr.exe26⤵
- Executes dropped EXE
PID:688 -
\??\c:\ntnnnt.exec:\ntnnnt.exe27⤵
- Executes dropped EXE
PID:3856 -
\??\c:\dpdpj.exec:\dpdpj.exe28⤵
- Executes dropped EXE
PID:5004 -
\??\c:\hnhhhh.exec:\hnhhhh.exe29⤵
- Executes dropped EXE
PID:3196 -
\??\c:\vjjjv.exec:\vjjjv.exe30⤵
- Executes dropped EXE
PID:2060 -
\??\c:\htbbtt.exec:\htbbtt.exe31⤵
- Executes dropped EXE
PID:1820 -
\??\c:\5ttnhh.exec:\5ttnhh.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\ffrrrrx.exec:\ffrrrrx.exe33⤵
- Executes dropped EXE
PID:1048 -
\??\c:\vjpjj.exec:\vjpjj.exe34⤵
- Executes dropped EXE
PID:4780 -
\??\c:\1dpjp.exec:\1dpjp.exe35⤵
- Executes dropped EXE
PID:3272 -
\??\c:\1rrlllf.exec:\1rrlllf.exe36⤵
- Executes dropped EXE
PID:3924 -
\??\c:\1tbnhn.exec:\1tbnhn.exe37⤵
- Executes dropped EXE
PID:1976 -
\??\c:\vvdjj.exec:\vvdjj.exe38⤵
- Executes dropped EXE
PID:772 -
\??\c:\frffxff.exec:\frffxff.exe39⤵
- Executes dropped EXE
PID:3808 -
\??\c:\hnthhh.exec:\hnthhh.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496 -
\??\c:\9jpdd.exec:\9jpdd.exe41⤵
- Executes dropped EXE
PID:4560 -
\??\c:\rxlfrxx.exec:\rxlfrxx.exe42⤵
- Executes dropped EXE
PID:936 -
\??\c:\3tbtbh.exec:\3tbtbh.exe43⤵
- Executes dropped EXE
PID:4344 -
\??\c:\pjjpj.exec:\pjjpj.exe44⤵
- Executes dropped EXE
PID:2440 -
\??\c:\xlrrxlr.exec:\xlrrxlr.exe45⤵
- Executes dropped EXE
PID:4436 -
\??\c:\hhhhbh.exec:\hhhhbh.exe46⤵
- Executes dropped EXE
PID:4916 -
\??\c:\bbbnhb.exec:\bbbnhb.exe47⤵
- Executes dropped EXE
PID:212 -
\??\c:\vjjvp.exec:\vjjvp.exe48⤵
- Executes dropped EXE
PID:1952 -
\??\c:\fxrfxrl.exec:\fxrfxrl.exe49⤵
- Executes dropped EXE
PID:1028 -
\??\c:\5ttnbt.exec:\5ttnbt.exe50⤵
- Executes dropped EXE
PID:4020 -
\??\c:\1jjvv.exec:\1jjvv.exe51⤵
- Executes dropped EXE
PID:1392 -
\??\c:\3lxxxxx.exec:\3lxxxxx.exe52⤵
- Executes dropped EXE
PID:3632 -
\??\c:\7nnnnn.exec:\7nnnnn.exe53⤵
- Executes dropped EXE
PID:4824 -
\??\c:\bnbtnn.exec:\bnbtnn.exe54⤵
- Executes dropped EXE
PID:4704 -
\??\c:\pjpjj.exec:\pjpjj.exe55⤵
- Executes dropped EXE
PID:4584 -
\??\c:\rrfxfff.exec:\rrfxfff.exe56⤵
- Executes dropped EXE
PID:3160 -
\??\c:\1rllfff.exec:\1rllfff.exe57⤵
- Executes dropped EXE
PID:624 -
\??\c:\9hhnnn.exec:\9hhnnn.exe58⤵
- Executes dropped EXE
PID:3504 -
\??\c:\5pvvp.exec:\5pvvp.exe59⤵
- Executes dropped EXE
PID:4156 -
\??\c:\5fxrlxr.exec:\5fxrlxr.exe60⤵
- Executes dropped EXE
PID:2788 -
\??\c:\bhtnhn.exec:\bhtnhn.exe61⤵
- Executes dropped EXE
PID:4952 -
\??\c:\9ddvp.exec:\9ddvp.exe62⤵
- Executes dropped EXE
PID:3372 -
\??\c:\ddjjj.exec:\ddjjj.exe63⤵
- Executes dropped EXE
PID:1128 -
\??\c:\frllxxx.exec:\frllxxx.exe64⤵
- Executes dropped EXE
PID:3524 -
\??\c:\9tbtnn.exec:\9tbtnn.exe65⤵
- Executes dropped EXE
PID:3748 -
\??\c:\pddvv.exec:\pddvv.exe66⤵PID:2144
-
\??\c:\lxfxlrx.exec:\lxfxlrx.exe67⤵PID:2288
-
\??\c:\hbthtn.exec:\hbthtn.exe68⤵PID:4940
-
\??\c:\pjjjj.exec:\pjjjj.exe69⤵PID:5060
-
\??\c:\ddvpj.exec:\ddvpj.exe70⤵PID:3476
-
\??\c:\ffllxlx.exec:\ffllxlx.exe71⤵PID:4736
-
\??\c:\nbbttt.exec:\nbbttt.exe72⤵PID:2120
-
\??\c:\jppjv.exec:\jppjv.exe73⤵PID:2028
-
\??\c:\9ffxrrf.exec:\9ffxrrf.exe74⤵PID:2632
-
\??\c:\ntbbht.exec:\ntbbht.exe75⤵PID:4040
-
\??\c:\9nnhbb.exec:\9nnhbb.exe76⤵PID:3060
-
\??\c:\5pvpp.exec:\5pvpp.exe77⤵PID:4032
-
\??\c:\rlffxrr.exec:\rlffxrr.exe78⤵PID:3332
-
\??\c:\nhbbbb.exec:\nhbbbb.exe79⤵PID:2168
-
\??\c:\jdvpd.exec:\jdvpd.exe80⤵PID:3792
-
\??\c:\fflxxrf.exec:\fflxxrf.exe81⤵PID:412
-
\??\c:\xrlxxxx.exec:\xrlxxxx.exe82⤵PID:4056
-
\??\c:\1bbbhn.exec:\1bbbhn.exe83⤵PID:4168
-
\??\c:\vvvvv.exec:\vvvvv.exe84⤵PID:2296
-
\??\c:\frxrlll.exec:\frxrlll.exe85⤵PID:5112
-
\??\c:\ntbbtn.exec:\ntbbtn.exe86⤵PID:2492
-
\??\c:\nbbbhh.exec:\nbbbhh.exe87⤵PID:1960
-
\??\c:\pdjjj.exec:\pdjjj.exe88⤵PID:3488
-
\??\c:\rffrlfx.exec:\rffrlfx.exe89⤵PID:4908
-
\??\c:\9nhbbb.exec:\9nhbbb.exe90⤵PID:4696
-
\??\c:\dpvjd.exec:\dpvjd.exe91⤵PID:2384
-
\??\c:\vpdpp.exec:\vpdpp.exe92⤵PID:4052
-
\??\c:\fxrffll.exec:\fxrffll.exe93⤵PID:612
-
\??\c:\bthbbb.exec:\bthbbb.exe94⤵PID:3952
-
\??\c:\ddpjv.exec:\ddpjv.exe95⤵PID:3596
-
\??\c:\lffrfxr.exec:\lffrfxr.exe96⤵PID:880
-
\??\c:\hnnbtn.exec:\hnnbtn.exe97⤵PID:1160
-
\??\c:\bnhhbb.exec:\bnhhbb.exe98⤵PID:3180
-
\??\c:\jvdvv.exec:\jvdvv.exe99⤵PID:1048
-
\??\c:\1rlrffr.exec:\1rlrffr.exe100⤵PID:920
-
\??\c:\1htnbt.exec:\1htnbt.exe101⤵PID:1484
-
\??\c:\3jjdd.exec:\3jjdd.exe102⤵PID:3100
-
\??\c:\3xfxrrr.exec:\3xfxrrr.exe103⤵PID:1336
-
\??\c:\9xlfffx.exec:\9xlfffx.exe104⤵PID:4260
-
\??\c:\7htnnn.exec:\7htnnn.exe105⤵PID:3600
-
\??\c:\7vpjj.exec:\7vpjj.exe106⤵PID:2748
-
\??\c:\xflfxxf.exec:\xflfxxf.exe107⤵PID:1604
-
\??\c:\lxxrllf.exec:\lxxrllf.exe108⤵PID:4480
-
\??\c:\btnhnn.exec:\btnhnn.exe109⤵PID:712
-
\??\c:\dpjjj.exec:\dpjjj.exe110⤵PID:4344
-
\??\c:\7xxxfxx.exec:\7xxxfxx.exe111⤵PID:2440
-
\??\c:\bnbttt.exec:\bnbttt.exe112⤵PID:3648
-
\??\c:\bnbbnn.exec:\bnbbnn.exe113⤵PID:4060
-
\??\c:\5pjjj.exec:\5pjjj.exe114⤵PID:4836
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe115⤵PID:4792
-
\??\c:\tnbtnn.exec:\tnbtnn.exe116⤵PID:4980
-
\??\c:\pjvpp.exec:\pjvpp.exe117⤵PID:972
-
\??\c:\rxxlxlx.exec:\rxxlxlx.exe118⤵PID:4336
-
\??\c:\hhtnht.exec:\hhtnht.exe119⤵PID:2308
-
\??\c:\nhnhbb.exec:\nhnhbb.exe120⤵PID:2928
-
\??\c:\dpdvp.exec:\dpdvp.exe121⤵PID:976
-
\??\c:\frxrlfx.exec:\frxrlfx.exe122⤵PID:368