Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18/09/2024, 19:22
Behavioral task
behavioral1
Sample
c486ce718200e6a62868de445f2b887f37002d2241dc281058e1e3540a849f2dN.exe
Resource
win7-20240708-en
6 signatures
120 seconds
Note: this task header names behavioral1 on the win7-20240708-en image, but every IoC in the Signatures section below is tagged behavioral2, i.e. the win10v2004-20240802-en run listed in the Analysis header. Read the evidence below as belonging to the Windows 10 run; the Windows 7 run's results are not shown on this page.
General
-
Target
c486ce718200e6a62868de445f2b887f37002d2241dc281058e1e3540a849f2dN.exe
-
Size
97KB
-
MD5
eeb39b0b1e87217cf85782bed9d49c70
-
SHA1
02951e33772381f707ee7b43cf6e87ae2caffad4
-
SHA256
c486ce718200e6a62868de445f2b887f37002d2241dc281058e1e3540a849f2d
-
SHA512
f2ef1aea64812c01c9c13a666ee19f0bdbe6b87e6a416e4378498f8d138276b0250e1336627c42dd6f3cef5ced4af0474388a112aef5bd3340a35072d888e570
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgiG:8cm4FmowdHoSgWrXUgiG
Malware Config (no extracted configuration is shown for this sample)
Signatures
-
Detect Blackmoon payload 64 IoCs (list capped at 64 entries)
Every match below is a dump of the same 0x0000000000400000–0x0000000000427000 region in a different PID: the same ~156 KB image mapped at the default x86 base in each stage of the chain, consistent with every dropped executable being a copy of one payload rather than distinct binaries (the file on disk is only 97 KB because it is UPX-packed; see the upx matches further down). Because this rule fires on unpacked memory, pair it with the on-disk upx file matches when building detections that must work without a memory capture.
resource yara_rule behavioral2/memory/1828-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/620-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3340-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1232-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4128-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1416-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3744-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4556-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2160-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/264-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/364-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2416-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/380-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4744-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/620-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4640-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3204-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1400-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1776-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2736-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/692-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1400-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-558-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1180-561-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1520-648-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64; the process tree below continues past these to depth 122)
Every dropped stage is written to the root of the system drive (the \??\c:\<name>.exe paths in the process tree) with a short name drawn from a small alphabet (b d f h j l n p r t v x plus a leading digit), then executed by its parent. File creation of a *.exe directly under c:\ by a process running from %TEMP% is a practical detection key for this behaviour.
pid Process 620 5tbbbb.exe 3576 jvddv.exe 5104 rrrfflx.exe 3500 nhbnbn.exe 2456 ppppd.exe 3340 3jjjd.exe 1232 xxxxxxx.exe 3604 htttnn.exe 4128 bbhbth.exe 1772 3djdd.exe 1416 9flllrr.exe 4852 fflffff.exe 3448 1bnhhh.exe 2312 djddv.exe 3508 jdvvv.exe 3152 lfllfrr.exe 220 xrrxxff.exe 264 hhhhhh.exe 4872 btbtnn.exe 3240 jjjjd.exe 3744 rrfflrr.exe 1292 bbhhhn.exe 2160 nthhnt.exe 3688 pdppv.exe 2964 hbhhhn.exe 2300 hhhhhn.exe 3284 jjjjj.exe 4736 dvdpd.exe 4976 frlfxfx.exe 1264 rrlrrxx.exe 4948 nhtnhb.exe 872 tntnnn.exe 2724 djvvp.exe 1516 jvjpj.exe 4556 9rrrrlx.exe 4732 7rxxxxl.exe 4860 9thhnb.exe 4036 nnnhbt.exe 1668 nbhnnh.exe 232 ddjdj.exe 364 rlfflxf.exe 2844 xflxrxf.exe 2416 bbhhnt.exe 4880 nhttbb.exe 3716 vjjdv.exe 380 lfrrxxl.exe 4744 fllfffx.exe 4148 hnnnnb.exe 1360 7jvvv.exe 4016 rrffxxl.exe 3196 nnttnb.exe 3132 5htnnt.exe 4668 7pdvd.exe 4300 rllfxrr.exe 2092 xrxrrlx.exe 5048 3bhhnn.exe 1876 ddvpv.exe 4452 xrlfrlf.exe 4660 llrllll.exe 1828 hnbnnt.exe 620 3jjjj.exe 244 pvvjp.exe 1916 fflrrxf.exe 2288 3htttt.exe -
resource yara_rule behavioral2/memory/1828-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00090000000234b1-3.dat upx behavioral2/memory/1828-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cb-8.dat upx behavioral2/memory/620-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cc-11.dat upx behavioral2/memory/5104-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3576-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cd-20.dat upx behavioral2/files/0x00070000000234ce-23.dat upx behavioral2/memory/3500-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cf-28.dat upx behavioral2/files/0x00070000000234d0-33.dat upx behavioral2/memory/3340-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d1-38.dat upx behavioral2/memory/1232-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d2-42.dat upx behavioral2/memory/3604-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4128-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d3-48.dat upx behavioral2/files/0x00070000000234d4-53.dat upx behavioral2/files/0x00070000000234d5-57.dat upx behavioral2/memory/1416-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d6-61.dat upx behavioral2/memory/3448-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d7-66.dat upx behavioral2/files/0x00070000000234d8-72.dat upx behavioral2/memory/2312-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3508-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234da-82.dat upx behavioral2/memory/220-87-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x00070000000234db-86.dat upx behavioral2/memory/3152-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234dc-92.dat upx behavioral2/memory/4872-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234dd-95.dat upx behavioral2/files/0x00070000000234de-101.dat upx behavioral2/files/0x00070000000234df-106.dat upx behavioral2/memory/3744-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e0-111.dat upx behavioral2/memory/1292-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e2-119.dat upx behavioral2/files/0x00070000000234e4-129.dat upx behavioral2/files/0x00070000000234e3-125.dat upx behavioral2/files/0x00070000000234e5-133.dat upx behavioral2/files/0x00070000000234e6-137.dat upx behavioral2/files/0x00070000000234e7-142.dat upx behavioral2/memory/4976-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e8-146.dat upx behavioral2/files/0x00080000000234c8-150.dat upx behavioral2/memory/872-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1516-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4556-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4860-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4732-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/232-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1264-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3688-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2160-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e1-115.dat upx behavioral2/memory/264-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d9-76.dat upx 
behavioral2/memory/364-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2416-183-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The evidence here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by several of the dropped stages; most entries are attributed to "Process not Found", which suggests the reading process had already exited by the time the sandbox resolved the event to a PID, so per-process attribution of this check is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxxxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64; entries shown only through the write into PID 1292)
Each entry records a parent writing into the child it has just spawned, three writes per child (1828 → 620, 620 → 3576, 3576 → 5104, …), so the writes track the drop-and-execute chain one stage at a time; no write into a pre-existing or unrelated process appears in the visible entries. Treat this as the parent initialising its own child rather than as evidence of cross-process injection.
description pid Process procid_target PID 1828 wrote to memory of 620 1828 c486ce718200e6a62868de445f2b887f37002d2241dc281058e1e3540a849f2dN.exe 82 PID 1828 wrote to memory of 620 1828 c486ce718200e6a62868de445f2b887f37002d2241dc281058e1e3540a849f2dN.exe 82 PID 1828 wrote to memory of 620 1828 c486ce718200e6a62868de445f2b887f37002d2241dc281058e1e3540a849f2dN.exe 82 PID 620 wrote to memory of 3576 620 5tbbbb.exe 83 PID 620 wrote to memory of 3576 620 5tbbbb.exe 83 PID 620 wrote to memory of 3576 620 5tbbbb.exe 83 PID 3576 wrote to memory of 5104 3576 jvddv.exe 84 PID 3576 wrote to memory of 5104 3576 jvddv.exe 84 PID 3576 wrote to memory of 5104 3576 jvddv.exe 84 PID 5104 wrote to memory of 3500 5104 rrrfflx.exe 85 PID 5104 wrote to memory of 3500 5104 rrrfflx.exe 85 PID 5104 wrote to memory of 3500 5104 rrrfflx.exe 85 PID 3500 wrote to memory of 2456 3500 nhbnbn.exe 86 PID 3500 wrote to memory of 2456 3500 nhbnbn.exe 86 PID 3500 wrote to memory of 2456 3500 nhbnbn.exe 86 PID 2456 wrote to memory of 3340 2456 ppppd.exe 87 PID 2456 wrote to memory of 3340 2456 ppppd.exe 87 PID 2456 wrote to memory of 3340 2456 ppppd.exe 87 PID 3340 wrote to memory of 1232 3340 3jjjd.exe 88 PID 3340 wrote to memory of 1232 3340 3jjjd.exe 88 PID 3340 wrote to memory of 1232 3340 3jjjd.exe 88 PID 1232 wrote to memory of 3604 1232 xxxxxxx.exe 89 PID 1232 wrote to memory of 3604 1232 xxxxxxx.exe 89 PID 1232 wrote to memory of 3604 1232 xxxxxxx.exe 89 PID 3604 wrote to memory of 4128 3604 htttnn.exe 90 PID 3604 wrote to memory of 4128 3604 htttnn.exe 90 PID 3604 wrote to memory of 4128 3604 htttnn.exe 90 PID 4128 wrote to memory of 1772 4128 bbhbth.exe 91 PID 4128 wrote to memory of 1772 4128 bbhbth.exe 91 PID 4128 wrote to memory of 1772 4128 bbhbth.exe 91 PID 1772 wrote to memory of 1416 1772 3djdd.exe 92 PID 1772 wrote to memory of 1416 1772 3djdd.exe 92 PID 1772 wrote to memory of 1416 1772 3djdd.exe 92 PID 1416 wrote to memory of 4852 1416 9flllrr.exe 93 PID 1416 wrote to memory of 
4852 1416 9flllrr.exe 93 PID 1416 wrote to memory of 4852 1416 9flllrr.exe 93 PID 4852 wrote to memory of 3448 4852 fflffff.exe 94 PID 4852 wrote to memory of 3448 4852 fflffff.exe 94 PID 4852 wrote to memory of 3448 4852 fflffff.exe 94 PID 3448 wrote to memory of 2312 3448 1bnhhh.exe 95 PID 3448 wrote to memory of 2312 3448 1bnhhh.exe 95 PID 3448 wrote to memory of 2312 3448 1bnhhh.exe 95 PID 2312 wrote to memory of 3508 2312 djddv.exe 96 PID 2312 wrote to memory of 3508 2312 djddv.exe 96 PID 2312 wrote to memory of 3508 2312 djddv.exe 96 PID 3508 wrote to memory of 3152 3508 jdvvv.exe 97 PID 3508 wrote to memory of 3152 3508 jdvvv.exe 97 PID 3508 wrote to memory of 3152 3508 jdvvv.exe 97 PID 3152 wrote to memory of 220 3152 lfllfrr.exe 98 PID 3152 wrote to memory of 220 3152 lfllfrr.exe 98 PID 3152 wrote to memory of 220 3152 lfllfrr.exe 98 PID 220 wrote to memory of 264 220 xrrxxff.exe 99 PID 220 wrote to memory of 264 220 xrrxxff.exe 99 PID 220 wrote to memory of 264 220 xrrxxff.exe 99 PID 264 wrote to memory of 4872 264 hhhhhh.exe 100 PID 264 wrote to memory of 4872 264 hhhhhh.exe 100 PID 264 wrote to memory of 4872 264 hhhhhh.exe 100 PID 4872 wrote to memory of 3240 4872 btbtnn.exe 101 PID 4872 wrote to memory of 3240 4872 btbtnn.exe 101 PID 4872 wrote to memory of 3240 4872 btbtnn.exe 101 PID 3240 wrote to memory of 3744 3240 jjjjd.exe 102 PID 3240 wrote to memory of 3744 3240 jjjjd.exe 102 PID 3240 wrote to memory of 3744 3240 jjjjd.exe 102 PID 3744 wrote to memory of 1292 3744 rrfflrr.exe 103
Processes (a single linear parent→child chain 122 levels deep: each stage drops the next executable to c:\ and launches it, and no stage fans out to more than one child)
-
C:\Users\Admin\AppData\Local\Temp\c486ce718200e6a62868de445f2b887f37002d2241dc281058e1e3540a849f2dN.exe"C:\Users\Admin\AppData\Local\Temp\c486ce718200e6a62868de445f2b887f37002d2241dc281058e1e3540a849f2dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\5tbbbb.exec:\5tbbbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\jvddv.exec:\jvddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\rrrfflx.exec:\rrrfflx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\nhbnbn.exec:\nhbnbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\ppppd.exec:\ppppd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\3jjjd.exec:\3jjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\xxxxxxx.exec:\xxxxxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\htttnn.exec:\htttnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\bbhbth.exec:\bbhbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\3djdd.exec:\3djdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\9flllrr.exec:\9flllrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\fflffff.exec:\fflffff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\1bnhhh.exec:\1bnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\djddv.exec:\djddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\jdvvv.exec:\jdvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\lfllfrr.exec:\lfllfrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\xrrxxff.exec:\xrrxxff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\hhhhhh.exec:\hhhhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\btbtnn.exec:\btbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\jjjjd.exec:\jjjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\rrfflrr.exec:\rrfflrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\bbhhhn.exec:\bbhhhn.exe23⤵
- Executes dropped EXE
PID:1292 -
\??\c:\nthhnt.exec:\nthhnt.exe24⤵
- Executes dropped EXE
PID:2160 -
\??\c:\pdppv.exec:\pdppv.exe25⤵
- Executes dropped EXE
PID:3688 -
\??\c:\hbhhhn.exec:\hbhhhn.exe26⤵
- Executes dropped EXE
PID:2964 -
\??\c:\hhhhhn.exec:\hhhhhn.exe27⤵
- Executes dropped EXE
PID:2300 -
\??\c:\jjjjj.exec:\jjjjj.exe28⤵
- Executes dropped EXE
PID:3284 -
\??\c:\dvdpd.exec:\dvdpd.exe29⤵
- Executes dropped EXE
PID:4736 -
\??\c:\frlfxfx.exec:\frlfxfx.exe30⤵
- Executes dropped EXE
PID:4976 -
\??\c:\rrlrrxx.exec:\rrlrrxx.exe31⤵
- Executes dropped EXE
PID:1264 -
\??\c:\nhtnhb.exec:\nhtnhb.exe32⤵
- Executes dropped EXE
PID:4948 -
\??\c:\tntnnn.exec:\tntnnn.exe33⤵
- Executes dropped EXE
PID:872 -
\??\c:\djvvp.exec:\djvvp.exe34⤵
- Executes dropped EXE
PID:2724 -
\??\c:\jvjpj.exec:\jvjpj.exe35⤵
- Executes dropped EXE
PID:1516 -
\??\c:\9rrrrlx.exec:\9rrrrlx.exe36⤵
- Executes dropped EXE
PID:4556 -
\??\c:\7rxxxxl.exec:\7rxxxxl.exe37⤵
- Executes dropped EXE
PID:4732 -
\??\c:\9thhnb.exec:\9thhnb.exe38⤵
- Executes dropped EXE
PID:4860 -
\??\c:\nnnhbt.exec:\nnnhbt.exe39⤵
- Executes dropped EXE
PID:4036 -
\??\c:\nbhnnh.exec:\nbhnnh.exe40⤵
- Executes dropped EXE
PID:1668 -
\??\c:\ddjdj.exec:\ddjdj.exe41⤵
- Executes dropped EXE
PID:232 -
\??\c:\rlfflxf.exec:\rlfflxf.exe42⤵
- Executes dropped EXE
PID:364 -
\??\c:\xflxrxf.exec:\xflxrxf.exe43⤵
- Executes dropped EXE
PID:2844 -
\??\c:\bbhhnt.exec:\bbhhnt.exe44⤵
- Executes dropped EXE
PID:2416 -
\??\c:\nhttbb.exec:\nhttbb.exe45⤵
- Executes dropped EXE
PID:4880 -
\??\c:\vjjdv.exec:\vjjdv.exe46⤵
- Executes dropped EXE
PID:3716 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe47⤵
- Executes dropped EXE
PID:380 -
\??\c:\fllfffx.exec:\fllfffx.exe48⤵
- Executes dropped EXE
PID:4744 -
\??\c:\hnnnnb.exec:\hnnnnb.exe49⤵
- Executes dropped EXE
PID:4148 -
\??\c:\7jvvv.exec:\7jvvv.exe50⤵
- Executes dropped EXE
PID:1360 -
\??\c:\rrffxxl.exec:\rrffxxl.exe51⤵
- Executes dropped EXE
PID:4016 -
\??\c:\nnttnb.exec:\nnttnb.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3196 -
\??\c:\5htnnt.exec:\5htnnt.exe53⤵
- Executes dropped EXE
PID:3132 -
\??\c:\7pdvd.exec:\7pdvd.exe54⤵
- Executes dropped EXE
PID:4668 -
\??\c:\rllfxrr.exec:\rllfxrr.exe55⤵
- Executes dropped EXE
PID:4300 -
\??\c:\xrxrrlx.exec:\xrxrrlx.exe56⤵
- Executes dropped EXE
PID:2092 -
\??\c:\3bhhnn.exec:\3bhhnn.exe57⤵
- Executes dropped EXE
PID:5048 -
\??\c:\ddvpv.exec:\ddvpv.exe58⤵
- Executes dropped EXE
PID:1876 -
\??\c:\xrlfrlf.exec:\xrlfrlf.exe59⤵
- Executes dropped EXE
PID:4452 -
\??\c:\llrllll.exec:\llrllll.exe60⤵
- Executes dropped EXE
PID:4660 -
\??\c:\hnbnnt.exec:\hnbnnt.exe61⤵
- Executes dropped EXE
PID:1828 (PID reused: 1828 was also the original sample's PID at level 1, which must have exited for the PID to be reassigned; the late Blackmoon memory dumps tagged 1828-229 and 620-228 presumably belong to these later stages, so correlate PID-keyed IoCs by PID plus dump offset/time rather than PID alone) -
\??\c:\3jjjj.exec:\3jjjj.exe62⤵
- Executes dropped EXE
PID:620 (PID reused from 5tbbbb.exe at level 2) -
\??\c:\pvvjp.exec:\pvvjp.exe63⤵
- Executes dropped EXE
PID:244 -
\??\c:\fflrrxf.exec:\fflrrxf.exe64⤵
- Executes dropped EXE
PID:1916 -
\??\c:\3htttt.exec:\3htttt.exe65⤵
- Executes dropped EXE
PID:2288 -
\??\c:\nbhhhn.exec:\nbhhhn.exe66⤵PID:1608
-
\??\c:\ppvdv.exec:\ppvdv.exe67⤵PID:2456
-
\??\c:\rrxxfxx.exec:\rrxxfxx.exe68⤵PID:4836
-
\??\c:\hhbbbb.exec:\hhbbbb.exe69⤵PID:640
-
\??\c:\jpdpj.exec:\jpdpj.exe70⤵PID:4108
-
\??\c:\9lxxxxr.exec:\9lxxxxr.exe71⤵PID:4640
-
\??\c:\lffflrl.exec:\lffflrl.exe72⤵PID:2656
-
\??\c:\jpdvd.exec:\jpdvd.exe73⤵PID:540
-
\??\c:\hhnntt.exec:\hhnntt.exe74⤵PID:1772
-
\??\c:\5dpjj.exec:\5dpjj.exe75⤵PID:3328
-
\??\c:\jdvpp.exec:\jdvpp.exe76⤵
- System Location Discovery: System Language Discovery
PID:4852 -
\??\c:\lllffll.exec:\lllffll.exe77⤵PID:3308
-
\??\c:\hbnhhh.exec:\hbnhhh.exe78⤵PID:3708
-
\??\c:\vjvpp.exec:\vjvpp.exe79⤵PID:4508
-
\??\c:\5rxxlrr.exec:\5rxxlrr.exe80⤵PID:3204
-
\??\c:\pvpvp.exec:\pvpvp.exe81⤵PID:1672
-
\??\c:\xrfllrl.exec:\xrfllrl.exe82⤵PID:1172
-
\??\c:\ththnt.exec:\ththnt.exe83⤵PID:2988
-
\??\c:\vpjdv.exec:\vpjdv.exe84⤵PID:220
-
\??\c:\xlrxrxx.exec:\xlrxrxx.exe85⤵PID:2028
-
\??\c:\9fxllrf.exec:\9fxllrf.exe86⤵PID:5116
-
\??\c:\hhnnhn.exec:\hhnnhn.exe87⤵PID:4872
-
\??\c:\7jvjd.exec:\7jvjd.exe88⤵PID:864
-
\??\c:\rlfllxx.exec:\rlfllxx.exe89⤵PID:2716
-
\??\c:\frxrlff.exec:\frxrlff.exe90⤵PID:3948
-
\??\c:\hnttbh.exec:\hnttbh.exe91⤵PID:928
-
\??\c:\pdvpp.exec:\pdvpp.exe92⤵PID:1400
-
\??\c:\1tnhbb.exec:\1tnhbb.exe93⤵PID:4552
-
\??\c:\pjddp.exec:\pjddp.exe94⤵PID:1776
-
\??\c:\3fxrrrr.exec:\3fxrrrr.exe95⤵PID:1204
-
\??\c:\jdpjv.exec:\jdpjv.exe96⤵PID:1996
-
\??\c:\1fxfflr.exec:\1fxfflr.exe97⤵PID:3860
-
\??\c:\btbhtb.exec:\btbhtb.exe98⤵PID:4984
-
\??\c:\vvvpp.exec:\vvvpp.exe99⤵PID:940
-
\??\c:\lffxxrr.exec:\lffxxrr.exe100⤵PID:2912
-
\??\c:\llrlfxx.exec:\llrlfxx.exe101⤵PID:60
-
\??\c:\nnbhhh.exec:\nnbhhh.exe102⤵PID:3144
-
\??\c:\xrfllrr.exec:\xrfllrr.exe103⤵PID:3376
-
\??\c:\rrxrrxx.exec:\rrxrrxx.exe104⤵PID:4920
-
\??\c:\7vdjp.exec:\7vdjp.exe105⤵PID:3976
-
\??\c:\jdddj.exec:\jdddj.exe106⤵PID:1516
-
\??\c:\jjjdj.exec:\jjjdj.exe107⤵PID:3172
-
\??\c:\llxrrff.exec:\llxrrff.exe108⤵PID:4556
-
\??\c:\bbttbh.exec:\bbttbh.exe109⤵PID:4732
-
\??\c:\hbnnnb.exec:\hbnnnb.exe110⤵PID:2736
-
\??\c:\pjppp.exec:\pjppp.exe111⤵PID:3548
-
\??\c:\3lllllx.exec:\3lllllx.exe112⤵PID:2632
-
\??\c:\7flfxfx.exec:\7flfxfx.exe113⤵PID:3368
-
\??\c:\tnthhb.exec:\tnthhb.exe114⤵PID:4716
-
\??\c:\jjjjj.exec:\jjjjj.exe115⤵PID:4964
-
\??\c:\jjppp.exec:\jjppp.exe116⤵PID:5040
-
\??\c:\llxlxxl.exec:\llxlxxl.exe117⤵PID:548
-
\??\c:\btbhhh.exec:\btbhhh.exe118⤵PID:3212
-
\??\c:\vvvpj.exec:\vvvpj.exe119⤵PID:2500
-
\??\c:\vvppd.exec:\vvppd.exe120⤵PID:5112
-
\??\c:\7lrrrxl.exec:\7lrrrxl.exe121⤵PID:4116
-
\??\c:\1tnnht.exec:\1tnnht.exe122⤵PID:1360