Analysis
-
max time kernel
120s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
06/09/2024, 17:47
Behavioral task
behavioral1
Sample
a3c39a8c50987a5ffc69652f37ff72c0N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
a3c39a8c50987a5ffc69652f37ff72c0N.exe
-
Size
93KB
-
MD5
a3c39a8c50987a5ffc69652f37ff72c0
-
SHA1
ea780f614401c6afedf96fc5bcdfaaf8e7d8a742
-
SHA256
17128672a4965f7cb90700c1b436bd6dd30aa661418837c9d69d9d17a2a88315
-
SHA512
a4df3b3cfe5100e85a74b5a58b33dc08b856dca2c14c845a86df12c577344300db95e5b8fe1882376788de603aa01e98aa6e7637f9aeb67511d651a93982d930
-
SSDEEP
1536:kvQBeOGtrYS3srx93UBWfwC6Ggnouy8p5yAXNlIQkPvA3qrEvO7C87FLoT:khOmTsF93UYfwC6GIoutpYcvrqrE6dkT
Malware Config
Signatures
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2560-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/6136-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5520-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5196-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5560-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1428-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5416-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5648-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5584-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2088-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5996-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5880-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5976-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5872-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5928-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5944-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5836-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1200-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3600-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1904-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4784-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5736-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5708-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4792-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1260-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5324-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2052-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4360-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1788-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5124-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/6108-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/808-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-547-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-620-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-655-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2096-728-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-786-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5452-823-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3040-1133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-1162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4504-1466-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 6136 frffflr.exe 5196 hnhhtt.exe 5520 jjppv.exe 5560 ffllffl.exe 1428 1nthbt.exe 4868 ttnnnt.exe 5416 jjvvp.exe 5648 frxfflr.exe 2172 bhttbh.exe 5584 9dpvd.exe 2088 rllfxxl.exe 5996 tnnbbh.exe 5880 9pdvv.exe 5976 jdvvv.exe 5020 rrrxxff.exe 5872 nhbtbb.exe 5944 ddvvv.exe 6088 vpdvv.exe 5928 lxxxxrx.exe 5836 fxxxxff.exe 1200 jjjdd.exe 1548 jpjjj.exe 3916 ffffxfl.exe 3600 httbbb.exe 3588 5btnbh.exe 3512 jjppp.exe 1904 pjjjj.exe 1744 xffflrr.exe 4784 bbbntn.exe 3168 thnnnt.exe 3804 pvvvp.exe 3672 dvppj.exe 1292 lfrrlrx.exe 5736 hntttb.exe 5252 tbnnnb.exe 1364 tnnnhn.exe 5708 vvjpp.exe 3056 vvjjj.exe 5108 fflllll.exe 4448 hnthbh.exe 4244 3bnnnt.exe 2944 ddjjp.exe 5260 pdjpj.exe 924 fxxfxxx.exe 992 flflxll.exe 1872 nbnhnt.exe 2336 3htttt.exe 2736 dvjdd.exe 3864 jdddv.exe 2064 3frxflr.exe 4632 ntbbhh.exe 4736 tbhbhn.exe 4296 nthhht.exe 4792 vpjpv.exe 4996 lfrxxll.exe 1196 xflllrx.exe 5240 hhtttb.exe 2216 jvddv.exe 4516 vjvvd.exe 1116 xffflll.exe 4336 xllrflx.exe 1260 7hnttb.exe 5704 pdjpv.exe 756 jpppj.exe -
resource yara_rule behavioral2/memory/2560-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2560-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/6136-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000900000002345e-3.dat upx behavioral2/files/0x00070000000234c2-10.dat upx behavioral2/files/0x00070000000234c3-13.dat upx behavioral2/memory/5520-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c4-24.dat upx behavioral2/memory/5560-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5196-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5560-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c5-29.dat upx behavioral2/files/0x00070000000234c6-34.dat upx behavioral2/memory/1428-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c7-40.dat upx behavioral2/memory/4868-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c8-46.dat upx behavioral2/memory/5416-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c9-51.dat upx behavioral2/memory/5648-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ca-57.dat upx behavioral2/memory/2172-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5584-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cb-65.dat upx behavioral2/memory/2088-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cc-72.dat upx behavioral2/memory/5996-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5880-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cd-77.dat upx behavioral2/files/0x00070000000234ce-81.dat upx 
behavioral2/files/0x00070000000234cf-87.dat upx behavioral2/memory/5976-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d0-93.dat upx behavioral2/memory/5020-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d1-99.dat upx behavioral2/memory/5872-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d2-105.dat upx behavioral2/files/0x00070000000234d3-112.dat upx behavioral2/memory/5928-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5944-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d4-117.dat upx behavioral2/files/0x00070000000234d5-122.dat upx behavioral2/memory/5836-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d6-130.dat upx behavioral2/memory/1200-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d7-134.dat upx behavioral2/files/0x00070000000234d8-140.dat upx behavioral2/files/0x00070000000234d9-145.dat upx behavioral2/memory/3600-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234da-150.dat upx behavioral2/memory/3512-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234db-158.dat upx behavioral2/files/0x00070000000234dc-161.dat upx behavioral2/memory/1904-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000234bf-169.dat upx behavioral2/files/0x00070000000234dd-174.dat upx behavioral2/memory/4784-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234de-180.dat upx behavioral2/memory/3168-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234df-184.dat upx behavioral2/memory/1292-193-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/5736-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5708-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3056-210-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
fffffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2560 wrote to memory of 6136 2560 a3c39a8c50987a5ffc69652f37ff72c0N.exe 85 PID 2560 wrote to memory of 6136 2560 a3c39a8c50987a5ffc69652f37ff72c0N.exe 85 PID 2560 wrote to memory of 6136 2560 a3c39a8c50987a5ffc69652f37ff72c0N.exe 85 PID 6136 wrote to memory of 5196 6136 frffflr.exe 86 PID 6136 wrote to memory of 5196 6136 frffflr.exe 86 PID 6136 wrote to memory of 5196 6136 frffflr.exe 86 PID 5196 wrote to memory of 5520 5196 hnhhtt.exe 87 PID 5196 wrote to memory of 5520 5196 hnhhtt.exe 87 PID 5196 wrote to memory of 5520 5196 hnhhtt.exe 87 PID 5520 wrote to memory of 5560 5520 jjppv.exe 88 PID 5520 wrote to memory of 5560 5520 jjppv.exe 88 PID 5520 wrote to memory of 5560 5520 jjppv.exe 88 PID 5560 wrote to memory of 1428 5560 ffllffl.exe 89 PID 5560 wrote to memory of 1428 5560 ffllffl.exe 89 PID 5560 wrote to memory of 1428 5560 ffllffl.exe 89 PID 1428 wrote to memory of 4868 1428 1nthbt.exe 90 PID 1428 wrote to memory of 4868 1428 1nthbt.exe 90 PID 1428 wrote to memory of 4868 1428 1nthbt.exe 90 PID 4868 wrote to memory of 5416 4868 ttnnnt.exe 92 PID 4868 wrote to memory of 5416 4868 ttnnnt.exe 92 PID 4868 wrote to memory of 5416 4868 ttnnnt.exe 92 PID 5416 wrote to memory of 5648 5416 jjvvp.exe 93 PID 5416 wrote to memory of 5648 5416 jjvvp.exe 93 PID 5416 wrote to memory of 5648 5416 jjvvp.exe 93 PID 5648 wrote to memory of 2172 5648 frxfflr.exe 94 PID 5648 wrote to memory of 2172 5648 frxfflr.exe 94 PID 5648 wrote to memory of 2172 5648 frxfflr.exe 94 PID 2172 wrote to memory of 5584 2172 bhttbh.exe 95 PID 2172 wrote to memory of 5584 2172 bhttbh.exe 95 PID 2172 wrote to memory of 5584 2172 bhttbh.exe 95 PID 5584 wrote to memory of 2088 5584 9dpvd.exe 96 PID 5584 wrote to memory of 2088 5584 9dpvd.exe 96 PID 5584 wrote to memory of 2088 5584 9dpvd.exe 96 PID 2088 wrote to memory of 5996 2088 rllfxxl.exe 97 PID 2088 wrote to memory of 5996 2088 rllfxxl.exe 97 PID 2088 wrote to memory of 5996 2088 rllfxxl.exe 97 PID 
5996 wrote to memory of 5880 5996 tnnbbh.exe 98 PID 5996 wrote to memory of 5880 5996 tnnbbh.exe 98 PID 5996 wrote to memory of 5880 5996 tnnbbh.exe 98 PID 5880 wrote to memory of 5976 5880 9pdvv.exe 99 PID 5880 wrote to memory of 5976 5880 9pdvv.exe 99 PID 5880 wrote to memory of 5976 5880 9pdvv.exe 99 PID 5976 wrote to memory of 5020 5976 jdvvv.exe 100 PID 5976 wrote to memory of 5020 5976 jdvvv.exe 100 PID 5976 wrote to memory of 5020 5976 jdvvv.exe 100 PID 5020 wrote to memory of 5872 5020 rrrxxff.exe 101 PID 5020 wrote to memory of 5872 5020 rrrxxff.exe 101 PID 5020 wrote to memory of 5872 5020 rrrxxff.exe 101 PID 5872 wrote to memory of 5944 5872 nhbtbb.exe 102 PID 5872 wrote to memory of 5944 5872 nhbtbb.exe 102 PID 5872 wrote to memory of 5944 5872 nhbtbb.exe 102 PID 5944 wrote to memory of 6088 5944 ddvvv.exe 103 PID 5944 wrote to memory of 6088 5944 ddvvv.exe 103 PID 5944 wrote to memory of 6088 5944 ddvvv.exe 103 PID 6088 wrote to memory of 5928 6088 vpdvv.exe 104 PID 6088 wrote to memory of 5928 6088 vpdvv.exe 104 PID 6088 wrote to memory of 5928 6088 vpdvv.exe 104 PID 5928 wrote to memory of 5836 5928 lxxxxrx.exe 105 PID 5928 wrote to memory of 5836 5928 lxxxxrx.exe 105 PID 5928 wrote to memory of 5836 5928 lxxxxrx.exe 105 PID 5836 wrote to memory of 1200 5836 fxxxxff.exe 106 PID 5836 wrote to memory of 1200 5836 fxxxxff.exe 106 PID 5836 wrote to memory of 1200 5836 fxxxxff.exe 106 PID 1200 wrote to memory of 1548 1200 jjjdd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3c39a8c50987a5ffc69652f37ff72c0N.exe"C:\Users\Admin\AppData\Local\Temp\a3c39a8c50987a5ffc69652f37ff72c0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\frffflr.exec:\frffflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6136 -
\??\c:\hnhhtt.exec:\hnhhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5196 -
\??\c:\jjppv.exec:\jjppv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5520 -
\??\c:\ffllffl.exec:\ffllffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5560 -
\??\c:\1nthbt.exec:\1nthbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\ttnnnt.exec:\ttnnnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\jjvvp.exec:\jjvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5416 -
\??\c:\frxfflr.exec:\frxfflr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5648 -
\??\c:\bhttbh.exec:\bhttbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\9dpvd.exec:\9dpvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5584 -
\??\c:\rllfxxl.exec:\rllfxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\tnnbbh.exec:\tnnbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5996 -
\??\c:\9pdvv.exec:\9pdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5880 -
\??\c:\jdvvv.exec:\jdvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5976 -
\??\c:\rrrxxff.exec:\rrrxxff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\nhbtbb.exec:\nhbtbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5872 -
\??\c:\ddvvv.exec:\ddvvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5944 -
\??\c:\vpdvv.exec:\vpdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6088 -
\??\c:\lxxxxrx.exec:\lxxxxrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5928 -
\??\c:\fxxxxff.exec:\fxxxxff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5836 -
\??\c:\jjjdd.exec:\jjjdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\jpjjj.exec:\jpjjj.exe23⤵
- Executes dropped EXE
PID:1548 -
\??\c:\ffffxfl.exec:\ffffxfl.exe24⤵
- Executes dropped EXE
PID:3916 -
\??\c:\httbbb.exec:\httbbb.exe25⤵
- Executes dropped EXE
PID:3600 -
\??\c:\5btnbh.exec:\5btnbh.exe26⤵
- Executes dropped EXE
PID:3588 -
\??\c:\jjppp.exec:\jjppp.exe27⤵
- Executes dropped EXE
PID:3512 -
\??\c:\pjjjj.exec:\pjjjj.exe28⤵
- Executes dropped EXE
PID:1904 -
\??\c:\xffflrr.exec:\xffflrr.exe29⤵
- Executes dropped EXE
PID:1744 -
\??\c:\bbbntn.exec:\bbbntn.exe30⤵
- Executes dropped EXE
PID:4784 -
\??\c:\thnnnt.exec:\thnnnt.exe31⤵
- Executes dropped EXE
PID:3168 -
\??\c:\pvvvp.exec:\pvvvp.exe32⤵
- Executes dropped EXE
PID:3804 -
\??\c:\dvppj.exec:\dvppj.exe33⤵
- Executes dropped EXE
PID:3672 -
\??\c:\lfrrlrx.exec:\lfrrlrx.exe34⤵
- Executes dropped EXE
PID:1292 -
\??\c:\hntttb.exec:\hntttb.exe35⤵
- Executes dropped EXE
PID:5736 -
\??\c:\tbnnnb.exec:\tbnnnb.exe36⤵
- Executes dropped EXE
PID:5252 -
\??\c:\tnnnhn.exec:\tnnnhn.exe37⤵
- Executes dropped EXE
PID:1364 -
\??\c:\vvjpp.exec:\vvjpp.exe38⤵
- Executes dropped EXE
PID:5708 -
\??\c:\vvjjj.exec:\vvjjj.exe39⤵
- Executes dropped EXE
PID:3056 -
\??\c:\fflllll.exec:\fflllll.exe40⤵
- Executes dropped EXE
PID:5108 -
\??\c:\hnthbh.exec:\hnthbh.exe41⤵
- Executes dropped EXE
PID:4448 -
\??\c:\3bnnnt.exec:\3bnnnt.exe42⤵
- Executes dropped EXE
PID:4244 -
\??\c:\ddjjp.exec:\ddjjp.exe43⤵
- Executes dropped EXE
PID:2944 -
\??\c:\pdjpj.exec:\pdjpj.exe44⤵
- Executes dropped EXE
PID:5260 -
\??\c:\fxxfxxx.exec:\fxxfxxx.exe45⤵
- Executes dropped EXE
PID:924 -
\??\c:\flflxll.exec:\flflxll.exe46⤵
- Executes dropped EXE
PID:992 -
\??\c:\nbnhnt.exec:\nbnhnt.exe47⤵
- Executes dropped EXE
PID:1872 -
\??\c:\3htttt.exec:\3htttt.exe48⤵
- Executes dropped EXE
PID:2336 -
\??\c:\dvjdd.exec:\dvjdd.exe49⤵
- Executes dropped EXE
PID:2736 -
\??\c:\jdddv.exec:\jdddv.exe50⤵
- Executes dropped EXE
PID:3864 -
\??\c:\3frxflr.exec:\3frxflr.exe51⤵
- Executes dropped EXE
PID:2064 -
\??\c:\ntbbhh.exec:\ntbbhh.exe52⤵
- Executes dropped EXE
PID:4632 -
\??\c:\tbhbhn.exec:\tbhbhn.exe53⤵
- Executes dropped EXE
PID:4736 -
\??\c:\nthhht.exec:\nthhht.exe54⤵
- Executes dropped EXE
PID:4296 -
\??\c:\vpjpv.exec:\vpjpv.exe55⤵
- Executes dropped EXE
PID:4792 -
\??\c:\lfrxxll.exec:\lfrxxll.exe56⤵
- Executes dropped EXE
PID:4996 -
\??\c:\xflllrx.exec:\xflllrx.exe57⤵
- Executes dropped EXE
PID:1196 -
\??\c:\hhtttb.exec:\hhtttb.exe58⤵
- Executes dropped EXE
PID:5240 -
\??\c:\jvddv.exec:\jvddv.exe59⤵
- Executes dropped EXE
PID:2216 -
\??\c:\vjvvd.exec:\vjvvd.exe60⤵
- Executes dropped EXE
PID:4516 -
\??\c:\xffflll.exec:\xffflll.exe61⤵
- Executes dropped EXE
PID:1116 -
\??\c:\xllrflx.exec:\xllrflx.exe62⤵
- Executes dropped EXE
PID:4336 -
\??\c:\7hnttb.exec:\7hnttb.exe63⤵
- Executes dropped EXE
PID:1260 -
\??\c:\pdjpv.exec:\pdjpv.exe64⤵
- Executes dropped EXE
PID:5704 -
\??\c:\jpppj.exec:\jpppj.exe65⤵
- Executes dropped EXE
PID:756 -
\??\c:\5xlllrf.exec:\5xlllrf.exe66⤵PID:1880
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe67⤵PID:4268
-
\??\c:\bhbbtb.exec:\bhbbtb.exe68⤵PID:5472
-
\??\c:\bhhhhn.exec:\bhhhhn.exe69⤵PID:3216
-
\??\c:\vvdjd.exec:\vvdjd.exe70⤵PID:2396
-
\??\c:\rfllllr.exec:\rfllllr.exe71⤵PID:3524
-
\??\c:\llrllll.exec:\llrllll.exe72⤵
- System Location Discovery: System Language Discovery
PID:3428 -
\??\c:\bnttnn.exec:\bnttnn.exe73⤵PID:3488
-
\??\c:\nnbbtt.exec:\nnbbtt.exe74⤵PID:3516
-
\??\c:\jpvdj.exec:\jpvdj.exe75⤵PID:5464
-
\??\c:\djvvj.exec:\djvvj.exe76⤵PID:5324
-
\??\c:\xlrxxxr.exec:\xlrxxxr.exe77⤵PID:3772
-
\??\c:\lxlxllr.exec:\lxlxllr.exe78⤵PID:768
-
\??\c:\tnhhnt.exec:\tnhhnt.exe79⤵PID:2788
-
\??\c:\bhhnhn.exec:\bhhnhn.exe80⤵PID:2052
-
\??\c:\pvddj.exec:\pvddj.exe81⤵PID:4360
-
\??\c:\jdddd.exec:\jdddd.exe82⤵PID:4344
-
\??\c:\fflffff.exec:\fflffff.exe83⤵PID:2560
-
\??\c:\lfflfff.exec:\lfflfff.exe84⤵PID:6136
-
\??\c:\hbbbtn.exec:\hbbbtn.exe85⤵PID:5532
-
\??\c:\ddjpp.exec:\ddjpp.exe86⤵PID:3172
-
\??\c:\lllxxff.exec:\lllxxff.exe87⤵PID:5548
-
\??\c:\lfrxxfl.exec:\lfrxxfl.exe88⤵PID:1212
-
\??\c:\rlxxxfx.exec:\rlxxxfx.exe89⤵PID:1044
-
\??\c:\hntnnh.exec:\hntnnh.exe90⤵PID:4572
-
\??\c:\nttttn.exec:\nttttn.exe91⤵PID:368
-
\??\c:\pvddj.exec:\pvddj.exe92⤵PID:5680
-
\??\c:\xfrflxf.exec:\xfrflxf.exe93⤵PID:2280
-
\??\c:\nntbbh.exec:\nntbbh.exe94⤵PID:1324
-
\??\c:\hthhbh.exec:\hthhbh.exe95⤵PID:1788
-
\??\c:\jdjjj.exec:\jdjjj.exe96⤵PID:3368
-
\??\c:\jjppj.exec:\jjppj.exe97⤵PID:6000
-
\??\c:\xffrrxf.exec:\xffrrxf.exe98⤵PID:4888
-
\??\c:\rxrrllr.exec:\rxrrllr.exe99⤵PID:6004
-
\??\c:\bhnttb.exec:\bhnttb.exe100⤵PID:5124
-
\??\c:\ttbtbb.exec:\ttbtbb.exe101⤵PID:6068
-
\??\c:\jdjdj.exec:\jdjdj.exe102⤵PID:2960
-
\??\c:\ddppp.exec:\ddppp.exe103⤵PID:5896
-
\??\c:\ffxxrll.exec:\ffxxrll.exe104⤵PID:5992
-
\??\c:\xrlrxxx.exec:\xrlrxxx.exe105⤵PID:6108
-
\??\c:\bbhbbh.exec:\bbhbbh.exe106⤵PID:5868
-
\??\c:\bhnnhn.exec:\bhnnhn.exe107⤵PID:2716
-
\??\c:\vpjjp.exec:\vpjjp.exe108⤵PID:5908
-
\??\c:\jjppp.exec:\jjppp.exe109⤵PID:5848
-
\??\c:\jpppp.exec:\jpppp.exe110⤵PID:4380
-
\??\c:\llxfrxx.exec:\llxfrxx.exe111⤵PID:808
-
\??\c:\xxfllrx.exec:\xxfllrx.exe112⤵PID:3844
-
\??\c:\9hnbbt.exec:\9hnbbt.exe113⤵PID:4620
-
\??\c:\bbnnbh.exec:\bbnnbh.exe114⤵PID:2792
-
\??\c:\ddpvj.exec:\ddpvj.exe115⤵PID:3916
-
\??\c:\ppvvv.exec:\ppvvv.exe116⤵PID:3600
-
\??\c:\rflrflf.exec:\rflrflf.exe117⤵PID:3444
-
\??\c:\fxfxxfx.exec:\fxfxxfx.exe118⤵PID:5444
-
\??\c:\hnbntt.exec:\hnbntt.exe119⤵PID:3376
-
\??\c:\nhhnhn.exec:\nhhnhn.exe120⤵PID:5048
-
\??\c:\djppv.exec:\djppv.exe121⤵
- System Location Discovery: System Language Discovery
PID:4584 -
\??\c:\vpjjd.exec:\vpjjd.exe122⤵PID:4560