Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
05/08/2024, 18:14
Behavioral task
behavioral1
Sample
bdb8d747883a19bdc372a12bf1c91bc0N.exe
Resource
win7-20240704-en
6 signatures
120 seconds
General
-
Target
bdb8d747883a19bdc372a12bf1c91bc0N.exe
-
Size
124KB
-
MD5
bdb8d747883a19bdc372a12bf1c91bc0
-
SHA1
7a8d096af95c04cfc04dd17242e82e3b8a6fb310
-
SHA256
86dfdcdd7087aa7abed3280273828b26f49a9516e7e5d5c1a2bf448492e2e92e
-
SHA512
682e99aa98b55cb53a455666519cc17bc9d207a19ec7cc559e80adbee63e32d2f57053a7d572dbd0238d983aa46aa9c5a77a4f4f6c32bf94f17465773609a63e
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYcvrqrE66kropO6BWlPFH5nZU/8:kcm4FmowdHoSphraHcpOFltHJZU/8
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/640-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3928-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1704-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1980-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/628-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3328-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3920-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2908-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3444-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4012-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4236-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1216-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4100-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2536-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4928-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-435-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-462-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-480-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3780-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1692-492-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-514-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2244-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4924-537-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-553-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-594-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-598-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-653-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-861-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-883-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-978-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3524-1079-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4488 jvddj.exe 232 djvpd.exe 3928 5rrllrl.exe 5056 hbnhnh.exe 5016 pdpjj.exe 2320 vvppj.exe 1704 5rxrfxr.exe 968 5hhhbb.exe 1592 bttnnn.exe 4512 vvppd.exe 1980 lflflfl.exe 3808 5hhhtt.exe 2644 dpjdp.exe 4200 jjjdd.exe 1740 thhthh.exe 4324 nhhbtb.exe 3404 pdvpp.exe 628 xrfxlfl.exe 3328 nbbttt.exe 3920 nbtnhh.exe 2908 jvpdv.exe 4456 rflfrrl.exe 3632 bnhbnh.exe 4496 9nbtnt.exe 2852 jvvjd.exe 3444 lxxrflf.exe 592 ttnhtb.exe 1600 rlrfrrf.exe 3620 7ntnnn.exe 2712 jjpjv.exe 2136 3pvvj.exe 2932 hbnbnh.exe 2268 dpvvj.exe 364 5xxlxxr.exe 1560 btttht.exe 5076 hhhhnn.exe 3512 pjpdv.exe 4012 pjjdv.exe 4604 rrrlllr.exe 760 httthh.exe 548 jpjdv.exe 4840 jpjvp.exe 4932 flrlxrr.exe 3628 lrxxllf.exe 1484 nhhbbb.exe 4236 vpddd.exe 4624 jvpjd.exe 3384 flrlffr.exe 4484 9lrlllf.exe 3052 htttnh.exe 1068 7ntnbb.exe 3716 jjjvp.exe 1120 xxlfrrl.exe 2192 frrlffx.exe 1044 thnnhh.exe 1592 bthbnb.exe 2464 vvddp.exe 1216 xflxfxl.exe 4804 rrrlxxl.exe 824 bhbthh.exe 2828 dvvjd.exe 2716 5vjdp.exe 4936 fllfrxr.exe 2760 xrrrllf.exe -
resource yara_rule behavioral2/memory/640-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023487-3.dat upx behavioral2/memory/640-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4488-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4488-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002348e-13.dat upx behavioral2/memory/232-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000800000002348d-11.dat upx behavioral2/memory/3928-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002348f-23.dat upx behavioral2/memory/5056-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023490-30.dat upx behavioral2/memory/5016-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023491-36.dat upx behavioral2/files/0x0007000000023492-40.dat upx behavioral2/memory/2320-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023493-46.dat upx behavioral2/memory/1704-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/968-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023494-53.dat upx behavioral2/files/0x0007000000023495-58.dat upx behavioral2/memory/1592-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4512-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023496-64.dat upx behavioral2/memory/1980-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023497-71.dat upx behavioral2/files/0x0007000000023498-76.dat upx behavioral2/memory/2644-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023499-82.dat upx behavioral2/files/0x000700000002349a-87.dat upx 
behavioral2/memory/1740-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002349b-95.dat upx behavioral2/memory/4324-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4200-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002349c-99.dat upx behavioral2/files/0x000700000002349d-104.dat upx behavioral2/files/0x000700000002349e-109.dat upx behavioral2/memory/628-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002349f-114.dat upx behavioral2/memory/3328-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3920-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a0-121.dat upx behavioral2/memory/2908-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a1-128.dat upx behavioral2/files/0x00070000000234a2-135.dat upx behavioral2/memory/3632-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a3-139.dat upx behavioral2/memory/4496-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a4-145.dat upx behavioral2/memory/2852-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a5-152.dat upx behavioral2/memory/3444-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a6-158.dat upx behavioral2/files/0x000800000002348b-163.dat upx behavioral2/files/0x00070000000234a7-167.dat upx behavioral2/files/0x00070000000234a8-171.dat upx behavioral2/memory/3620-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a9-179.dat upx behavioral2/files/0x00070000000234aa-183.dat upx behavioral2/memory/2136-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2932-190-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1560-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5076-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3512-208-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 640 wrote to memory of 4488 640 bdb8d747883a19bdc372a12bf1c91bc0N.exe 83 PID 640 wrote to memory of 4488 640 bdb8d747883a19bdc372a12bf1c91bc0N.exe 83 PID 640 wrote to memory of 4488 640 bdb8d747883a19bdc372a12bf1c91bc0N.exe 83 PID 4488 wrote to memory of 232 4488 jvddj.exe 84 PID 4488 wrote to memory of 232 4488 jvddj.exe 84 PID 4488 wrote to memory of 232 4488 jvddj.exe 84 PID 232 wrote to memory of 3928 232 djvpd.exe 85 PID 232 wrote to memory of 3928 232 djvpd.exe 85 PID 232 wrote to memory of 3928 232 djvpd.exe 85 PID 3928 wrote to memory of 5056 3928 5rrllrl.exe 86 PID 3928 wrote to memory of 5056 3928 5rrllrl.exe 86 PID 3928 wrote to memory of 5056 3928 5rrllrl.exe 86 PID 5056 wrote to memory of 5016 5056 hbnhnh.exe 87 PID 5056 wrote to memory of 5016 5056 hbnhnh.exe 87 PID 5056 wrote to memory of 5016 5056 hbnhnh.exe 87 PID 5016 wrote to memory of 2320 5016 pdpjj.exe 88 PID 5016 wrote to memory of 2320 5016 pdpjj.exe 88 PID 5016 wrote to memory of 2320 5016 pdpjj.exe 88 PID 2320 wrote to memory of 1704 2320 vvppj.exe 90 PID 2320 wrote to memory of 1704 2320 vvppj.exe 90 PID 2320 wrote to memory of 1704 2320 vvppj.exe 90 PID 1704 wrote to memory of 968 1704 5rxrfxr.exe 91 PID 1704 wrote to memory of 968 1704 5rxrfxr.exe 91 PID 1704 wrote to memory of 968 1704 5rxrfxr.exe 91 PID 968 wrote to memory of 1592 968 5hhhbb.exe 92 PID 968 wrote to memory of 1592 968 5hhhbb.exe 92 PID 968 wrote to memory of 1592 968 5hhhbb.exe 92 PID 1592 wrote to memory of 4512 1592 bttnnn.exe 93 PID 1592 wrote to memory of 4512 1592 bttnnn.exe 93 PID 1592 wrote to memory of 4512 1592 bttnnn.exe 93 PID 4512 wrote to memory of 1980 4512 vvppd.exe 94 PID 4512 wrote to memory of 1980 4512 vvppd.exe 94 PID 4512 wrote to memory of 1980 4512 vvppd.exe 94 PID 1980 wrote to memory of 3808 1980 lflflfl.exe 96 PID 1980 wrote to memory of 3808 1980 lflflfl.exe 96 PID 1980 wrote to memory of 3808 1980 lflflfl.exe 96 PID 3808 wrote to memory of 2644 3808 
5hhhtt.exe 97 PID 3808 wrote to memory of 2644 3808 5hhhtt.exe 97 PID 3808 wrote to memory of 2644 3808 5hhhtt.exe 97 PID 2644 wrote to memory of 4200 2644 dpjdp.exe 98 PID 2644 wrote to memory of 4200 2644 dpjdp.exe 98 PID 2644 wrote to memory of 4200 2644 dpjdp.exe 98 PID 4200 wrote to memory of 1740 4200 jjjdd.exe 99 PID 4200 wrote to memory of 1740 4200 jjjdd.exe 99 PID 4200 wrote to memory of 1740 4200 jjjdd.exe 99 PID 1740 wrote to memory of 4324 1740 thhthh.exe 100 PID 1740 wrote to memory of 4324 1740 thhthh.exe 100 PID 1740 wrote to memory of 4324 1740 thhthh.exe 100 PID 4324 wrote to memory of 3404 4324 nhhbtb.exe 102 PID 4324 wrote to memory of 3404 4324 nhhbtb.exe 102 PID 4324 wrote to memory of 3404 4324 nhhbtb.exe 102 PID 3404 wrote to memory of 628 3404 pdvpp.exe 103 PID 3404 wrote to memory of 628 3404 pdvpp.exe 103 PID 3404 wrote to memory of 628 3404 pdvpp.exe 103 PID 628 wrote to memory of 3328 628 xrfxlfl.exe 104 PID 628 wrote to memory of 3328 628 xrfxlfl.exe 104 PID 628 wrote to memory of 3328 628 xrfxlfl.exe 104 PID 3328 wrote to memory of 3920 3328 nbbttt.exe 105 PID 3328 wrote to memory of 3920 3328 nbbttt.exe 105 PID 3328 wrote to memory of 3920 3328 nbbttt.exe 105 PID 3920 wrote to memory of 2908 3920 nbtnhh.exe 106 PID 3920 wrote to memory of 2908 3920 nbtnhh.exe 106 PID 3920 wrote to memory of 2908 3920 nbtnhh.exe 106 PID 2908 wrote to memory of 4456 2908 jvpdv.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdb8d747883a19bdc372a12bf1c91bc0N.exe"C:\Users\Admin\AppData\Local\Temp\bdb8d747883a19bdc372a12bf1c91bc0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\jvddj.exec:\jvddj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\djvpd.exec:\djvpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\5rrllrl.exec:\5rrllrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\hbnhnh.exec:\hbnhnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\pdpjj.exec:\pdpjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\vvppj.exec:\vvppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\5rxrfxr.exec:\5rxrfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\5hhhbb.exec:\5hhhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\bttnnn.exec:\bttnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\vvppd.exec:\vvppd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\lflflfl.exec:\lflflfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\5hhhtt.exec:\5hhhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\dpjdp.exec:\dpjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\jjjdd.exec:\jjjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\thhthh.exec:\thhthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\nhhbtb.exec:\nhhbtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\pdvpp.exec:\pdvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\xrfxlfl.exec:\xrfxlfl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\nbbttt.exec:\nbbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\nbtnhh.exec:\nbtnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\jvpdv.exec:\jvpdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\rflfrrl.exec:\rflfrrl.exe23⤵
- Executes dropped EXE
PID:4456 -
\??\c:\bnhbnh.exec:\bnhbnh.exe24⤵
- Executes dropped EXE
PID:3632 -
\??\c:\9nbtnt.exec:\9nbtnt.exe25⤵
- Executes dropped EXE
PID:4496 -
\??\c:\jvvjd.exec:\jvvjd.exe26⤵
- Executes dropped EXE
PID:2852 -
\??\c:\lxxrflf.exec:\lxxrflf.exe27⤵
- Executes dropped EXE
PID:3444 -
\??\c:\ttnhtb.exec:\ttnhtb.exe28⤵
- Executes dropped EXE
PID:592 -
\??\c:\rlrfrrf.exec:\rlrfrrf.exe29⤵
- Executes dropped EXE
PID:1600 -
\??\c:\7ntnnn.exec:\7ntnnn.exe30⤵
- Executes dropped EXE
PID:3620 -
\??\c:\jjpjv.exec:\jjpjv.exe31⤵
- Executes dropped EXE
PID:2712 -
\??\c:\3pvvj.exec:\3pvvj.exe32⤵
- Executes dropped EXE
PID:2136 -
\??\c:\hbnbnh.exec:\hbnbnh.exe33⤵
- Executes dropped EXE
PID:2932 -
\??\c:\dpvvj.exec:\dpvvj.exe34⤵
- Executes dropped EXE
PID:2268 -
\??\c:\5xxlxxr.exec:\5xxlxxr.exe35⤵
- Executes dropped EXE
PID:364 -
\??\c:\btttht.exec:\btttht.exe36⤵
- Executes dropped EXE
PID:1560 -
\??\c:\hhhhnn.exec:\hhhhnn.exe37⤵
- Executes dropped EXE
PID:5076 -
\??\c:\pjpdv.exec:\pjpdv.exe38⤵
- Executes dropped EXE
PID:3512 -
\??\c:\pjjdv.exec:\pjjdv.exe39⤵
- Executes dropped EXE
PID:4012 -
\??\c:\rrrlllr.exec:\rrrlllr.exe40⤵
- Executes dropped EXE
PID:4604 -
\??\c:\httthh.exec:\httthh.exe41⤵
- Executes dropped EXE
PID:760 -
\??\c:\jpjdv.exec:\jpjdv.exe42⤵
- Executes dropped EXE
PID:548 -
\??\c:\jpjvp.exec:\jpjvp.exe43⤵
- Executes dropped EXE
PID:4840 -
\??\c:\flrlxrr.exec:\flrlxrr.exe44⤵
- Executes dropped EXE
PID:4932 -
\??\c:\lrxxllf.exec:\lrxxllf.exe45⤵
- Executes dropped EXE
PID:3628 -
\??\c:\nhhbbb.exec:\nhhbbb.exe46⤵
- Executes dropped EXE
PID:1484 -
\??\c:\vpddd.exec:\vpddd.exe47⤵
- Executes dropped EXE
PID:4236 -
\??\c:\jvpjd.exec:\jvpjd.exe48⤵
- Executes dropped EXE
PID:4624 -
\??\c:\flrlffr.exec:\flrlffr.exe49⤵
- Executes dropped EXE
PID:3384 -
\??\c:\9lrlllf.exec:\9lrlllf.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4484 -
\??\c:\htttnh.exec:\htttnh.exe51⤵
- Executes dropped EXE
PID:3052 -
\??\c:\7ntnbb.exec:\7ntnbb.exe52⤵
- Executes dropped EXE
PID:1068 -
\??\c:\jjjvp.exec:\jjjvp.exe53⤵
- Executes dropped EXE
PID:3716 -
\??\c:\xxlfrrl.exec:\xxlfrrl.exe54⤵
- Executes dropped EXE
PID:1120 -
\??\c:\frrlffx.exec:\frrlffx.exe55⤵
- Executes dropped EXE
PID:2192 -
\??\c:\thnnhh.exec:\thnnhh.exe56⤵
- Executes dropped EXE
PID:1044 -
\??\c:\bthbnb.exec:\bthbnb.exe57⤵
- Executes dropped EXE
PID:1592 -
\??\c:\vvddp.exec:\vvddp.exe58⤵
- Executes dropped EXE
PID:2464 -
\??\c:\xflxfxl.exec:\xflxfxl.exe59⤵
- Executes dropped EXE
PID:1216 -
\??\c:\rrrlxxl.exec:\rrrlxxl.exe60⤵
- Executes dropped EXE
PID:4804 -
\??\c:\bhbthh.exec:\bhbthh.exe61⤵
- Executes dropped EXE
PID:824 -
\??\c:\dvvjd.exec:\dvvjd.exe62⤵
- Executes dropped EXE
PID:2828 -
\??\c:\5vjdp.exec:\5vjdp.exe63⤵
- Executes dropped EXE
PID:2716 -
\??\c:\fllfrxr.exec:\fllfrxr.exe64⤵
- Executes dropped EXE
PID:4936 -
\??\c:\xrrrllf.exec:\xrrrllf.exe65⤵
- Executes dropped EXE
PID:2760 -
\??\c:\thnhbb.exec:\thnhbb.exe66⤵PID:4200
-
\??\c:\hhhnhh.exec:\hhhnhh.exe67⤵PID:2516
-
\??\c:\jjdvj.exec:\jjdvj.exe68⤵PID:1096
-
\??\c:\9ppjd.exec:\9ppjd.exe69⤵PID:3916
-
\??\c:\fxfxfff.exec:\fxfxfff.exe70⤵PID:1960
-
\??\c:\flfffff.exec:\flfffff.exe71⤵PID:4040
-
\??\c:\hbtnnh.exec:\hbtnnh.exe72⤵PID:4860
-
\??\c:\bttbtt.exec:\bttbtt.exe73⤵PID:2420
-
\??\c:\hnnbtt.exec:\hnnbtt.exe74⤵PID:1684
-
\??\c:\7jppv.exec:\7jppv.exe75⤵PID:4204
-
\??\c:\vvdpj.exec:\vvdpj.exe76⤵PID:4904
-
\??\c:\rlrffxf.exec:\rlrffxf.exe77⤵PID:1504
-
\??\c:\fxrrffx.exec:\fxrrffx.exe78⤵PID:4100
-
\??\c:\tnbhnn.exec:\tnbhnn.exe79⤵PID:2536
-
\??\c:\9lfxrrl.exec:\9lfxrrl.exe80⤵PID:1836
-
\??\c:\lfrffxr.exec:\lfrffxr.exe81⤵PID:1792
-
\??\c:\9hnhbb.exec:\9hnhbb.exe82⤵PID:4740
-
\??\c:\nhbtnn.exec:\nhbtnn.exe83⤵PID:3444
-
\??\c:\jvvpj.exec:\jvvpj.exe84⤵PID:2248
-
\??\c:\jdjdv.exec:\jdjdv.exe85⤵PID:4928
-
\??\c:\flrxrlx.exec:\flrxrlx.exe86⤵PID:4896
-
\??\c:\rrrlfxl.exec:\rrrlfxl.exe87⤵PID:1564
-
\??\c:\9nnbbh.exec:\9nnbbh.exe88⤵PID:2892
-
\??\c:\3dvjv.exec:\3dvjv.exe89⤵PID:2136
-
\??\c:\3vpdp.exec:\3vpdp.exe90⤵PID:1832
-
\??\c:\lrrlfff.exec:\lrrlfff.exe91⤵PID:2268
-
\??\c:\7frllfx.exec:\7frllfx.exe92⤵PID:364
-
\??\c:\hhtnhh.exec:\hhtnhh.exe93⤵PID:1624
-
\??\c:\5bbbnn.exec:\5bbbnn.exe94⤵PID:3084
-
\??\c:\dvdvj.exec:\dvdvj.exe95⤵PID:2060
-
\??\c:\pjjvv.exec:\pjjvv.exe96⤵PID:428
-
\??\c:\nttbbh.exec:\nttbbh.exe97⤵PID:1156
-
\??\c:\tnhhbh.exec:\tnhhbh.exe98⤵PID:2980
-
\??\c:\pdvpj.exec:\pdvpj.exe99⤵PID:4016
-
\??\c:\jvpjv.exec:\jvpjv.exe100⤵PID:4916
-
\??\c:\rxfrfxr.exec:\rxfrfxr.exe101⤵PID:4840
-
\??\c:\bhhbnb.exec:\bhhbnb.exe102⤵PID:2692
-
\??\c:\9ntntt.exec:\9ntntt.exe103⤵PID:4452
-
\??\c:\9jjjv.exec:\9jjjv.exe104⤵PID:1484
-
\??\c:\jjdvj.exec:\jjdvj.exe105⤵PID:380
-
\??\c:\rfrrxxx.exec:\rfrrxxx.exe106⤵PID:3236
-
\??\c:\lfxrfrl.exec:\lfxrfrl.exe107⤵PID:1480
-
\??\c:\nttnhh.exec:\nttnhh.exe108⤵
- System Location Discovery: System Language Discovery
PID:3160 -
\??\c:\tbthbt.exec:\tbthbt.exe109⤵PID:1580
-
\??\c:\pjjdj.exec:\pjjdj.exe110⤵PID:4284
-
\??\c:\jdppj.exec:\jdppj.exe111⤵PID:1408
-
\??\c:\lrrfxrl.exec:\lrrfxrl.exe112⤵
- System Location Discovery: System Language Discovery
PID:1640 -
\??\c:\3fflffx.exec:\3fflffx.exe113⤵PID:3480
-
\??\c:\nhttnn.exec:\nhttnn.exe114⤵PID:1700
-
\??\c:\9tnhhh.exec:\9tnhhh.exe115⤵PID:2464
-
\??\c:\9pjdp.exec:\9pjdp.exe116⤵PID:4520
-
\??\c:\djdvj.exec:\djdvj.exe117⤵PID:3104
-
\??\c:\rlfrllf.exec:\rlfrllf.exe118⤵PID:3808
-
\??\c:\xfxfrrl.exec:\xfxfrrl.exe119⤵PID:3780
-
\??\c:\bthnhn.exec:\bthnhn.exe120⤵PID:2496
-
\??\c:\3pvdv.exec:\3pvdv.exe121⤵PID:4352
-
\??\c:\pdjdp.exec:\pdjdp.exe122⤵PID:1692
-