Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
24/08/2024, 21:10
Behavioral task
behavioral1
Sample
086a675e9bd1848a909cd94a7587479276f9c3f61362d1938b92b2700d519e84.exe
Resource
win7-20240704-en
6 signatures
150 seconds
General
-
Target
086a675e9bd1848a909cd94a7587479276f9c3f61362d1938b92b2700d519e84.exe
-
Size
68KB
-
MD5
49a62c2595ad1dea48806fa1dee79a41
-
SHA1
73d90c84aa4e87010db8c3e5a9133f78c2854eac
-
SHA256
086a675e9bd1848a909cd94a7587479276f9c3f61362d1938b92b2700d519e84
-
SHA512
3a4b13cd858916e7ea92f21817cae61feefd480677795cbf1c3e0aa0f29c00a6009d2fb4085c61d4b2aca6af530c356c81c1c93865a26a7b9ce80f14ba18a6d2
-
SSDEEP
1536:CvQBeOGtrYS3srx93UBWfwC6Ggnouy8AeZh:ChOmTsF93UYfwC6GIoutAeL
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3860-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3388-13-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3316-21-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1200-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1660-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4536-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3712-16-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3628-53-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2428-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2140-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/8-72-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2264-78-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2176-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1196-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2884-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3928-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2076-113-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4840-112-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2076-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4308-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4228-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4980-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2332-159-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3924-164-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2956-174-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2792-190-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1944-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4352-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4880-210-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1392-214-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2240-219-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4408-223-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2008-237-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1620-241-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2852-257-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1596-270-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4436-277-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5008-281-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1612-286-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4768-311-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/688-333-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4976-337-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3852-347-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2668-357-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4428-377-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2008-422-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3104-462-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4264-472-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1340-489-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3496-499-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3412-524-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4396-583-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/752-605-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3008-642-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2108-727-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4032-734-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2064-750-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4264-811-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4404-878-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3044-921-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4388-1109-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3352-1238-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3944-1314-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3712 rlxrrrr.exe 3388 bthbbb.exe 3316 nbttnn.exe 4536 jvjdv.exe 4816 ddppd.exe 1200 lrfxxxx.exe 1660 lrlrflx.exe 3628 hhttnn.exe 2428 dpdvp.exe 2140 lrxrllx.exe 8 nbbttt.exe 2264 5dvdv.exe 2176 jvdjd.exe 1196 xrrlllf.exe 1436 hbbbth.exe 2884 vppdv.exe 3928 jdvpd.exe 4840 fxffrrl.exe 2076 btbttt.exe 1412 nbnhbb.exe 4308 1jppj.exe 1416 xlffxxx.exe 4228 7rlllrr.exe 4980 ntbthh.exe 4376 dvppv.exe 2332 fflfrrl.exe 3924 nnnttb.exe 4712 bbtntt.exe 2956 9vvpd.exe 1788 fxlfxxr.exe 5088 bhhhnt.exe 2792 tnnbtt.exe 3864 vdpvv.exe 1944 rrlrlxx.exe 3652 5bnhtt.exe 4352 vdppv.exe 4888 1pvpd.exe 4880 frrflxx.exe 1392 xfrlfrl.exe 3880 ttbtth.exe 2240 bhhnhh.exe 4408 ddjjp.exe 3988 jpddd.exe 4876 lxrlffx.exe 2564 xrxxrxx.exe 2008 hbhhtt.exe 1620 3bnnth.exe 932 pvvvv.exe 4536 9rxxlll.exe 1728 xxrlfff.exe 1664 hhbbtt.exe 2852 nhthnn.exe 972 tbnbbb.exe 2480 jdjdv.exe 1440 lrrlrrl.exe 1596 fxrlfxr.exe 3440 nbhhhn.exe 4436 btbbtt.exe 5008 dvvvv.exe 1612 3dppv.exe 1860 fxlfxrr.exe 4020 thnnhh.exe 2028 bbttnn.exe 1196 nnbbnn.exe -
resource yara_rule behavioral2/memory/3860-0-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0009000000023462-3.dat upx behavioral2/memory/3860-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234c0-10.dat upx behavioral2/memory/3388-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234c1-17.dat upx behavioral2/memory/3316-21-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234c4-33.dat upx behavioral2/memory/1200-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234c5-41.dat upx behavioral2/memory/1660-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234c3-30.dat upx behavioral2/files/0x00070000000234c6-47.dat upx behavioral2/memory/4536-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234c2-24.dat upx behavioral2/memory/3712-16-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3712-5-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234c7-51.dat upx behavioral2/memory/3628-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234c8-57.dat upx behavioral2/memory/2428-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234c9-64.dat upx behavioral2/memory/2140-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234ca-69.dat upx behavioral2/memory/8-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234cb-77.dat upx behavioral2/memory/2264-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234cc-81.dat upx behavioral2/memory/2176-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234cd-87.dat upx 
behavioral2/memory/1196-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234ce-92.dat upx behavioral2/files/0x00070000000234cf-97.dat upx behavioral2/memory/2884-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234d0-103.dat upx behavioral2/memory/3928-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2076-113-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4840-112-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234d2-117.dat upx behavioral2/files/0x00070000000234d3-122.dat upx behavioral2/memory/2076-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234d1-109.dat upx behavioral2/memory/4308-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234d4-129.dat upx behavioral2/files/0x00070000000234d5-133.dat upx behavioral2/files/0x00070000000234d6-138.dat upx behavioral2/memory/4228-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234d7-144.dat upx behavioral2/memory/4980-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234d8-150.dat upx behavioral2/files/0x00070000000234d9-155.dat upx behavioral2/memory/2332-159-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234da-161.dat upx behavioral2/memory/4712-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3924-164-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00070000000234db-168.dat upx behavioral2/files/0x00070000000234dc-175.dat upx behavioral2/memory/2956-174-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x00080000000234bd-179.dat upx behavioral2/files/0x00070000000234dd-184.dat upx behavioral2/memory/2792-190-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1944-197-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4352-204-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4880-210-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrrrr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3860 wrote to memory of 3712 3860 086a675e9bd1848a909cd94a7587479276f9c3f61362d1938b92b2700d519e84.exe 84 PID 3860 wrote to memory of 3712 3860 086a675e9bd1848a909cd94a7587479276f9c3f61362d1938b92b2700d519e84.exe 84 PID 3860 wrote to memory of 3712 3860 086a675e9bd1848a909cd94a7587479276f9c3f61362d1938b92b2700d519e84.exe 84 PID 3712 wrote to memory of 3388 3712 rlxrrrr.exe 85 PID 3712 wrote to memory of 3388 3712 rlxrrrr.exe 85 PID 3712 wrote to memory of 3388 3712 rlxrrrr.exe 85 PID 3388 wrote to memory of 3316 3388 bthbbb.exe 86 PID 3388 wrote to memory of 3316 3388 bthbbb.exe 86 PID 3388 wrote to memory of 3316 3388 bthbbb.exe 86 PID 3316 wrote to memory of 4536 3316 nbttnn.exe 87 PID 3316 wrote to memory of 4536 3316 nbttnn.exe 87 PID 3316 wrote to memory of 4536 3316 nbttnn.exe 87 PID 4536 wrote to memory of 4816 4536 jvjdv.exe 88 PID 4536 wrote to memory of 4816 4536 jvjdv.exe 88 PID 4536 wrote to memory of 4816 4536 jvjdv.exe 88 PID 4816 wrote to memory of 1200 4816 ddppd.exe 89 PID 4816 wrote to memory of 1200 4816 ddppd.exe 89 PID 4816 wrote to memory of 1200 4816 ddppd.exe 89 PID 1200 wrote to memory of 1660 1200 lrfxxxx.exe 90 PID 1200 wrote to memory of 1660 1200 lrfxxxx.exe 90 PID 1200 wrote to memory of 1660 1200 lrfxxxx.exe 90 PID 1660 wrote to memory of 3628 1660 lrlrflx.exe 91 PID 1660 wrote to memory of 3628 1660 lrlrflx.exe 91 PID 1660 wrote to memory of 3628 1660 lrlrflx.exe 91 PID 3628 wrote to memory of 2428 3628 hhttnn.exe 92 PID 3628 wrote to memory of 2428 3628 hhttnn.exe 92 PID 3628 wrote to memory of 2428 3628 hhttnn.exe 92 PID 2428 wrote to memory of 2140 2428 dpdvp.exe 93 PID 2428 wrote to memory of 2140 2428 dpdvp.exe 93 PID 2428 wrote to memory of 2140 2428 dpdvp.exe 93 PID 2140 wrote to memory of 8 2140 lrxrllx.exe 94 PID 2140 wrote to memory of 8 2140 lrxrllx.exe 94 PID 2140 wrote to memory of 8 2140 lrxrllx.exe 94 PID 8 wrote to memory of 2264 8 nbbttt.exe 95 PID 8 wrote to memory of 2264 8 
nbbttt.exe 95 PID 8 wrote to memory of 2264 8 nbbttt.exe 95 PID 2264 wrote to memory of 2176 2264 5dvdv.exe 96 PID 2264 wrote to memory of 2176 2264 5dvdv.exe 96 PID 2264 wrote to memory of 2176 2264 5dvdv.exe 96 PID 2176 wrote to memory of 1196 2176 jvdjd.exe 97 PID 2176 wrote to memory of 1196 2176 jvdjd.exe 97 PID 2176 wrote to memory of 1196 2176 jvdjd.exe 97 PID 1196 wrote to memory of 1436 1196 xrrlllf.exe 98 PID 1196 wrote to memory of 1436 1196 xrrlllf.exe 98 PID 1196 wrote to memory of 1436 1196 xrrlllf.exe 98 PID 1436 wrote to memory of 2884 1436 hbbbth.exe 99 PID 1436 wrote to memory of 2884 1436 hbbbth.exe 99 PID 1436 wrote to memory of 2884 1436 hbbbth.exe 99 PID 2884 wrote to memory of 3928 2884 vppdv.exe 100 PID 2884 wrote to memory of 3928 2884 vppdv.exe 100 PID 2884 wrote to memory of 3928 2884 vppdv.exe 100 PID 3928 wrote to memory of 4840 3928 jdvpd.exe 101 PID 3928 wrote to memory of 4840 3928 jdvpd.exe 101 PID 3928 wrote to memory of 4840 3928 jdvpd.exe 101 PID 4840 wrote to memory of 2076 4840 fxffrrl.exe 102 PID 4840 wrote to memory of 2076 4840 fxffrrl.exe 102 PID 4840 wrote to memory of 2076 4840 fxffrrl.exe 102 PID 2076 wrote to memory of 1412 2076 btbttt.exe 103 PID 2076 wrote to memory of 1412 2076 btbttt.exe 103 PID 2076 wrote to memory of 1412 2076 btbttt.exe 103 PID 1412 wrote to memory of 4308 1412 nbnhbb.exe 105 PID 1412 wrote to memory of 4308 1412 nbnhbb.exe 105 PID 1412 wrote to memory of 4308 1412 nbnhbb.exe 105 PID 4308 wrote to memory of 1416 4308 1jppj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\086a675e9bd1848a909cd94a7587479276f9c3f61362d1938b92b2700d519e84.exe"C:\Users\Admin\AppData\Local\Temp\086a675e9bd1848a909cd94a7587479276f9c3f61362d1938b92b2700d519e84.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\rlxrrrr.exec:\rlxrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\bthbbb.exec:\bthbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\nbttnn.exec:\nbttnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\jvjdv.exec:\jvjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\ddppd.exec:\ddppd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\lrfxxxx.exec:\lrfxxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\lrlrflx.exec:\lrlrflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\hhttnn.exec:\hhttnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\dpdvp.exec:\dpdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\lrxrllx.exec:\lrxrllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\nbbttt.exec:\nbbttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\5dvdv.exec:\5dvdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\jvdjd.exec:\jvdjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\xrrlllf.exec:\xrrlllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\hbbbth.exec:\hbbbth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\vppdv.exec:\vppdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\jdvpd.exec:\jdvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\fxffrrl.exec:\fxffrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\btbttt.exec:\btbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\nbnhbb.exec:\nbnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\1jppj.exec:\1jppj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\xlffxxx.exec:\xlffxxx.exe23⤵
- Executes dropped EXE
PID:1416 -
\??\c:\7rlllrr.exec:\7rlllrr.exe24⤵
- Executes dropped EXE
PID:4228 -
\??\c:\ntbthh.exec:\ntbthh.exe25⤵
- Executes dropped EXE
PID:4980 -
\??\c:\dvppv.exec:\dvppv.exe26⤵
- Executes dropped EXE
PID:4376 -
\??\c:\fflfrrl.exec:\fflfrrl.exe27⤵
- Executes dropped EXE
PID:2332 -
\??\c:\nnnttb.exec:\nnnttb.exe28⤵
- Executes dropped EXE
PID:3924 -
\??\c:\bbtntt.exec:\bbtntt.exe29⤵
- Executes dropped EXE
PID:4712 -
\??\c:\9vvpd.exec:\9vvpd.exe30⤵
- Executes dropped EXE
PID:2956 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe31⤵
- Executes dropped EXE
PID:1788 -
\??\c:\bhhhnt.exec:\bhhhnt.exe32⤵
- Executes dropped EXE
PID:5088 -
\??\c:\tnnbtt.exec:\tnnbtt.exe33⤵
- Executes dropped EXE
PID:2792 -
\??\c:\vdpvv.exec:\vdpvv.exe34⤵
- Executes dropped EXE
PID:3864 -
\??\c:\rrlrlxx.exec:\rrlrlxx.exe35⤵
- Executes dropped EXE
PID:1944 -
\??\c:\5bnhtt.exec:\5bnhtt.exe36⤵
- Executes dropped EXE
PID:3652 -
\??\c:\vdppv.exec:\vdppv.exe37⤵
- Executes dropped EXE
PID:4352 -
\??\c:\1pvpd.exec:\1pvpd.exe38⤵
- Executes dropped EXE
PID:4888 -
\??\c:\frrflxx.exec:\frrflxx.exe39⤵
- Executes dropped EXE
PID:4880 -
\??\c:\xfrlfrl.exec:\xfrlfrl.exe40⤵
- Executes dropped EXE
PID:1392 -
\??\c:\ttbtth.exec:\ttbtth.exe41⤵
- Executes dropped EXE
PID:3880 -
\??\c:\bhhnhh.exec:\bhhnhh.exe42⤵
- Executes dropped EXE
PID:2240 -
\??\c:\ddjjp.exec:\ddjjp.exe43⤵
- Executes dropped EXE
PID:4408 -
\??\c:\jpddd.exec:\jpddd.exe44⤵
- Executes dropped EXE
PID:3988 -
\??\c:\lxrlffx.exec:\lxrlffx.exe45⤵
- Executes dropped EXE
PID:4876 -
\??\c:\xrxxrxx.exec:\xrxxrxx.exe46⤵
- Executes dropped EXE
PID:2564 -
\??\c:\hbhhtt.exec:\hbhhtt.exe47⤵
- Executes dropped EXE
PID:2008 -
\??\c:\3bnnth.exec:\3bnnth.exe48⤵
- Executes dropped EXE
PID:1620 -
\??\c:\pvvvv.exec:\pvvvv.exe49⤵
- Executes dropped EXE
PID:932 -
\??\c:\9rxxlll.exec:\9rxxlll.exe50⤵
- Executes dropped EXE
PID:4536 -
\??\c:\xxrlfff.exec:\xxrlfff.exe51⤵
- Executes dropped EXE
PID:1728 -
\??\c:\hhbbtt.exec:\hhbbtt.exe52⤵
- Executes dropped EXE
PID:1664 -
\??\c:\nhthnn.exec:\nhthnn.exe53⤵
- Executes dropped EXE
PID:2852 -
\??\c:\tbnbbb.exec:\tbnbbb.exe54⤵
- Executes dropped EXE
PID:972 -
\??\c:\jdjdv.exec:\jdjdv.exe55⤵
- Executes dropped EXE
PID:2480 -
\??\c:\lrrlrrl.exec:\lrrlrrl.exe56⤵
- Executes dropped EXE
PID:1440 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe57⤵
- Executes dropped EXE
PID:1596 -
\??\c:\nbhhhn.exec:\nbhhhn.exe58⤵
- Executes dropped EXE
PID:3440 -
\??\c:\btbbtt.exec:\btbbtt.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4436 -
\??\c:\dvvvv.exec:\dvvvv.exe60⤵
- Executes dropped EXE
PID:5008 -
\??\c:\3dppv.exec:\3dppv.exe61⤵
- Executes dropped EXE
PID:1612 -
\??\c:\fxlfxrr.exec:\fxlfxrr.exe62⤵
- Executes dropped EXE
PID:1860 -
\??\c:\thnnhh.exec:\thnnhh.exe63⤵
- Executes dropped EXE
PID:4020 -
\??\c:\bbttnn.exec:\bbttnn.exe64⤵
- Executes dropped EXE
PID:2028 -
\??\c:\nnbbnn.exec:\nnbbnn.exe65⤵
- Executes dropped EXE
PID:1196 -
\??\c:\jdvdv.exec:\jdvdv.exe66⤵PID:1616
-
\??\c:\dvjdv.exec:\dvjdv.exe67⤵PID:4348
-
\??\c:\xrfrfrf.exec:\xrfrfrf.exe68⤵PID:396
-
\??\c:\xflllll.exec:\xflllll.exe69⤵PID:4768
-
\??\c:\nhnnhh.exec:\nhnnhh.exe70⤵PID:3116
-
\??\c:\hhtnbb.exec:\hhtnbb.exe71⤵PID:2476
-
\??\c:\hnbbtt.exec:\hnbbtt.exe72⤵PID:3424
-
\??\c:\1pvpd.exec:\1pvpd.exe73⤵PID:2880
-
\??\c:\pjjvp.exec:\pjjvp.exe74⤵PID:3900
-
\??\c:\5lrrlff.exec:\5lrrlff.exe75⤵PID:3648
-
\??\c:\llxxlff.exec:\llxxlff.exe76⤵PID:688
-
\??\c:\hhttbb.exec:\hhttbb.exe77⤵PID:4976
-
\??\c:\hbnhnh.exec:\hbnhnh.exe78⤵PID:968
-
\??\c:\vjjjj.exec:\vjjjj.exe79⤵PID:4168
-
\??\c:\fxlllll.exec:\fxlllll.exe80⤵PID:3852
-
\??\c:\5lrfflf.exec:\5lrfflf.exe81⤵PID:3948
-
\??\c:\btbbbt.exec:\btbbbt.exe82⤵PID:3924
-
\??\c:\hbbnnn.exec:\hbbnnn.exe83⤵
- System Location Discovery: System Language Discovery
PID:2668 -
\??\c:\vpjjd.exec:\vpjjd.exe84⤵PID:2156
-
\??\c:\dpjjj.exec:\dpjjj.exe85⤵PID:2956
-
\??\c:\lrlrflx.exec:\lrlrflx.exe86⤵PID:4340
-
\??\c:\tnthhh.exec:\tnthhh.exe87⤵PID:4404
-
\??\c:\nhbtbb.exec:\nhbtbb.exe88⤵PID:5088
-
\??\c:\pdjvd.exec:\pdjvd.exe89⤵PID:4520
-
\??\c:\vpjdd.exec:\vpjdd.exe90⤵PID:4428
-
\??\c:\rflfxxr.exec:\rflfxxr.exe91⤵PID:2684
-
\??\c:\tntnnn.exec:\tntnnn.exe92⤵PID:3624
-
\??\c:\vppdd.exec:\vppdd.exe93⤵PID:4780
-
\??\c:\vpjdv.exec:\vpjdv.exe94⤵PID:1904
-
\??\c:\5fflfll.exec:\5fflfll.exe95⤵PID:4888
-
\??\c:\tbttnn.exec:\tbttnn.exe96⤵PID:3356
-
\??\c:\nthhbh.exec:\nthhbh.exe97⤵PID:2764
-
\??\c:\jpjdv.exec:\jpjdv.exe98⤵PID:1580
-
\??\c:\jdjdp.exec:\jdjdp.exe99⤵PID:1028
-
\??\c:\rllxrrl.exec:\rllxrrl.exe100⤵PID:4492
-
\??\c:\5hhttn.exec:\5hhttn.exe101⤵PID:3640
-
\??\c:\bnnhbh.exec:\bnnhbh.exe102⤵PID:3044
-
\??\c:\3vjdd.exec:\3vjdd.exe103⤵PID:4700
-
\??\c:\xfxlfff.exec:\xfxlfff.exe104⤵PID:2008
-
\??\c:\rlfxffr.exec:\rlfxffr.exe105⤵PID:3192
-
\??\c:\bhbbbb.exec:\bhbbbb.exe106⤵PID:2460
-
\??\c:\tnnhhh.exec:\tnnhhh.exe107⤵PID:1828
-
\??\c:\vjppd.exec:\vjppd.exe108⤵PID:636
-
\??\c:\pddpj.exec:\pddpj.exe109⤵PID:4236
-
\??\c:\1pjjp.exec:\1pjjp.exe110⤵PID:4476
-
\??\c:\rrflflf.exec:\rrflflf.exe111⤵PID:216
-
\??\c:\xlrxlrf.exec:\xlrxlrf.exe112⤵PID:3468
-
\??\c:\nhnbbb.exec:\nhnbbb.exe113⤵PID:1792
-
\??\c:\djjjd.exec:\djjjd.exe114⤵PID:2140
-
\??\c:\ddjjj.exec:\ddjjj.exe115⤵PID:2604
-
\??\c:\rxfffxx.exec:\rxfffxx.exe116⤵PID:8
-
\??\c:\fxrllrr.exec:\fxrllrr.exe117⤵PID:3104
-
\??\c:\hnhnnt.exec:\hnhnnt.exe118⤵PID:2036
-
\??\c:\7ntttb.exec:\7ntttb.exe119⤵PID:2560
-
\??\c:\jjddv.exec:\jjddv.exe120⤵PID:4264
-
\??\c:\rffxrxr.exec:\rffxrxr.exe121⤵PID:1436
-
\??\c:\rxllllf.exec:\rxllllf.exe122⤵PID:1616