Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 22:16
Behavioral task
behavioral1
Sample
4ccaca10d878daadbf4cf83be9561206691fc89dee26ac027c78eddefb88228d.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
4ccaca10d878daadbf4cf83be9561206691fc89dee26ac027c78eddefb88228d.exe
-
Size
334KB
-
MD5
a3dbbd28f2a2d907d8b5433ae6909a96
-
SHA1
7a479aea6032abb1c4b75ab2c576fcf5856f1f1d
-
SHA256
4ccaca10d878daadbf4cf83be9561206691fc89dee26ac027c78eddefb88228d
-
SHA512
29edaa4cd14c9de5d037bb81f01ae52a650334d18f7b1dcab80047d696a70df2d9bf46f37e61d5b94a03ccce77d18440f069c8356612abea29b044e2789018eb
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRO:R4wFHoSHYHUrAwfMp3CDRO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1276-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4780-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4888-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/832-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4724-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/436-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/608-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/316-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2276-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1244-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4172-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2292-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4304-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2076-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/952-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2636-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1288-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/740-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3796-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4692-441-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-543-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-582-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-605-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-644-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-651-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1792-742-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3028-810-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-862-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4852-1267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3212 flrfrll.exe 4780 3djdj.exe 2260 1nhtbb.exe 1924 dpvdj.exe 4888 bhthbt.exe 1268 vdvpj.exe 4312 tbhbnn.exe 2392 dvpjv.exe 984 hhnbtt.exe 2236 3bhhtt.exe 832 pdvjv.exe 2008 xxlfffr.exe 2024 bhnhtn.exe 2324 tnnhbb.exe 116 vdvjd.exe 4812 xrxlfxr.exe 4856 9lrffxx.exe 2224 hbhhhn.exe 3488 vjjpd.exe 4912 lfrffff.exe 2124 xllfxrf.exe 1452 htnthb.exe 4724 9hhbtt.exe 5004 pjpjv.exe 640 pjvvj.exe 4968 xfffrxr.exe 3324 ttbtbt.exe 436 vdvdp.exe 608 rrxrlfx.exe 2184 lxxrllx.exe 5064 thnhbn.exe 316 jddvd.exe 1508 9lxrllx.exe 3264 frrlffr.exe 3888 rflrxxf.exe 1896 nnnhbt.exe 1764 xlrxxxx.exe 4532 9pjdd.exe 1124 fxxlfxr.exe 1908 hnttbb.exe 1368 hhhhbt.exe 2488 5dvpj.exe 404 lffxllx.exe 1872 vvddd.exe 4296 fxrffxr.exe 3544 tbhbtn.exe 4972 nbhhtn.exe 4684 7vpdv.exe 2276 xrlfrlf.exe 4372 fxxrffx.exe 4084 bbhhbt.exe 2328 9pjdv.exe 3096 9rrlrrf.exe 3492 nthtnh.exe 4884 nbtnhb.exe 532 jpdpj.exe 4324 xxxlfxx.exe 3948 9rlfxxx.exe 1956 bntbtn.exe 1248 pddvv.exe 1156 7jdvp.exe 1244 7xlxrrl.exe 2028 ttbttn.exe 1308 dvddd.exe -
resource yara_rule behavioral2/memory/1276-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b57-3.dat upx behavioral2/memory/1276-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bf9-8.dat upx behavioral2/memory/3212-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfa-13.dat upx behavioral2/memory/2260-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4780-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfb-19.dat upx behavioral2/memory/1924-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c00-24.dat upx behavioral2/files/0x0008000000023c01-28.dat upx behavioral2/memory/4888-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c02-33.dat upx behavioral2/memory/1268-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c14-38.dat upx behavioral2/memory/4312-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2392-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c1a-43.dat upx behavioral2/files/0x0008000000023c1b-48.dat upx behavioral2/memory/2236-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/984-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/832-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c1d-59.dat upx behavioral2/memory/2008-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c1f-69.dat upx behavioral2/memory/2024-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c1e-65.dat upx behavioral2/memory/2324-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c34-75.dat upx 
behavioral2/files/0x0016000000023c35-80.dat upx behavioral2/memory/4812-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4856-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c3f-91.dat upx behavioral2/files/0x0008000000023c3b-86.dat upx behavioral2/memory/116-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2324-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c1c-55.dat upx behavioral2/files/0x0008000000023c4b-95.dat upx behavioral2/files/0x0008000000023c4c-99.dat upx behavioral2/memory/3488-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c4d-104.dat upx behavioral2/memory/4912-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c4e-109.dat upx behavioral2/memory/1452-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c50-118.dat upx behavioral2/memory/4724-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c4f-114.dat upx behavioral2/files/0x0008000000023c51-122.dat upx behavioral2/files/0x0008000000023c52-126.dat upx behavioral2/files/0x0008000000023c53-130.dat upx behavioral2/memory/4968-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c54-135.dat upx behavioral2/files/0x0008000000023c55-141.dat upx behavioral2/memory/436-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/608-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c5e-145.dat upx behavioral2/memory/2184-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c5f-149.dat upx behavioral2/files/0x0007000000023c60-154.dat upx behavioral2/memory/5064-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/316-160-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/3264-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3888-167-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9tbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1276 wrote to memory of 3212 1276 4ccaca10d878daadbf4cf83be9561206691fc89dee26ac027c78eddefb88228d.exe 82 PID 1276 wrote to memory of 3212 1276 4ccaca10d878daadbf4cf83be9561206691fc89dee26ac027c78eddefb88228d.exe 82 PID 1276 wrote to memory of 3212 1276 4ccaca10d878daadbf4cf83be9561206691fc89dee26ac027c78eddefb88228d.exe 82 PID 3212 wrote to memory of 4780 3212 flrfrll.exe 83 PID 3212 wrote to memory of 4780 3212 flrfrll.exe 83 PID 3212 wrote to memory of 4780 3212 flrfrll.exe 83 PID 4780 wrote to memory of 2260 4780 3djdj.exe 84 PID 4780 wrote to memory of 2260 4780 3djdj.exe 84 PID 4780 wrote to memory of 2260 4780 3djdj.exe 84 PID 2260 wrote to memory of 1924 2260 1nhtbb.exe 85 PID 2260 wrote to memory of 1924 2260 1nhtbb.exe 85 PID 2260 wrote to memory of 1924 2260 1nhtbb.exe 85 PID 1924 wrote to memory of 4888 1924 dpvdj.exe 86 PID 1924 wrote to memory of 4888 1924 dpvdj.exe 86 PID 1924 wrote to memory of 4888 1924 dpvdj.exe 86 PID 4888 wrote to memory of 1268 4888 bhthbt.exe 87 PID 4888 wrote to memory of 1268 4888 bhthbt.exe 87 PID 4888 wrote to memory of 1268 4888 bhthbt.exe 87 PID 1268 wrote to memory of 4312 1268 vdvpj.exe 88 PID 1268 wrote to memory of 4312 1268 vdvpj.exe 88 PID 1268 wrote to memory of 4312 1268 vdvpj.exe 88 PID 4312 wrote to memory of 2392 4312 tbhbnn.exe 89 PID 4312 wrote to memory of 2392 4312 tbhbnn.exe 89 PID 4312 wrote to memory of 2392 4312 tbhbnn.exe 89 PID 2392 wrote to memory of 984 2392 dvpjv.exe 90 PID 2392 wrote to memory of 984 2392 dvpjv.exe 90 PID 2392 wrote to memory of 984 2392 dvpjv.exe 90 PID 984 wrote to memory of 2236 984 hhnbtt.exe 91 PID 984 wrote to memory of 2236 984 hhnbtt.exe 91 PID 984 wrote to memory of 2236 984 hhnbtt.exe 91 PID 2236 wrote to memory of 832 2236 3bhhtt.exe 92 PID 2236 wrote to memory of 832 2236 3bhhtt.exe 92 PID 2236 wrote to memory of 832 2236 3bhhtt.exe 92 PID 832 wrote to memory of 2008 832 pdvjv.exe 93 PID 832 wrote to memory of 2008 832 
pdvjv.exe 93 PID 832 wrote to memory of 2008 832 pdvjv.exe 93 PID 2008 wrote to memory of 2024 2008 xxlfffr.exe 94 PID 2008 wrote to memory of 2024 2008 xxlfffr.exe 94 PID 2008 wrote to memory of 2024 2008 xxlfffr.exe 94 PID 2024 wrote to memory of 2324 2024 bhnhtn.exe 95 PID 2024 wrote to memory of 2324 2024 bhnhtn.exe 95 PID 2024 wrote to memory of 2324 2024 bhnhtn.exe 95 PID 2324 wrote to memory of 116 2324 tnnhbb.exe 96 PID 2324 wrote to memory of 116 2324 tnnhbb.exe 96 PID 2324 wrote to memory of 116 2324 tnnhbb.exe 96 PID 116 wrote to memory of 4812 116 vdvjd.exe 97 PID 116 wrote to memory of 4812 116 vdvjd.exe 97 PID 116 wrote to memory of 4812 116 vdvjd.exe 97 PID 4812 wrote to memory of 4856 4812 xrxlfxr.exe 98 PID 4812 wrote to memory of 4856 4812 xrxlfxr.exe 98 PID 4812 wrote to memory of 4856 4812 xrxlfxr.exe 98 PID 4856 wrote to memory of 2224 4856 9lrffxx.exe 99 PID 4856 wrote to memory of 2224 4856 9lrffxx.exe 99 PID 4856 wrote to memory of 2224 4856 9lrffxx.exe 99 PID 2224 wrote to memory of 3488 2224 hbhhhn.exe 100 PID 2224 wrote to memory of 3488 2224 hbhhhn.exe 100 PID 2224 wrote to memory of 3488 2224 hbhhhn.exe 100 PID 3488 wrote to memory of 4912 3488 vjjpd.exe 101 PID 3488 wrote to memory of 4912 3488 vjjpd.exe 101 PID 3488 wrote to memory of 4912 3488 vjjpd.exe 101 PID 4912 wrote to memory of 2124 4912 lfrffff.exe 102 PID 4912 wrote to memory of 2124 4912 lfrffff.exe 102 PID 4912 wrote to memory of 2124 4912 lfrffff.exe 102 PID 2124 wrote to memory of 1452 2124 xllfxrf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ccaca10d878daadbf4cf83be9561206691fc89dee26ac027c78eddefb88228d.exe"C:\Users\Admin\AppData\Local\Temp\4ccaca10d878daadbf4cf83be9561206691fc89dee26ac027c78eddefb88228d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\flrfrll.exec:\flrfrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\3djdj.exec:\3djdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\1nhtbb.exec:\1nhtbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\dpvdj.exec:\dpvdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\bhthbt.exec:\bhthbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\vdvpj.exec:\vdvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\tbhbnn.exec:\tbhbnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\dvpjv.exec:\dvpjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\hhnbtt.exec:\hhnbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\3bhhtt.exec:\3bhhtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\pdvjv.exec:\pdvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\xxlfffr.exec:\xxlfffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\bhnhtn.exec:\bhnhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\tnnhbb.exec:\tnnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\vdvjd.exec:\vdvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\xrxlfxr.exec:\xrxlfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\9lrffxx.exec:\9lrffxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\hbhhhn.exec:\hbhhhn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\vjjpd.exec:\vjjpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\lfrffff.exec:\lfrffff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\xllfxrf.exec:\xllfxrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\htnthb.exec:\htnthb.exe23⤵
- Executes dropped EXE
PID:1452 -
\??\c:\9hhbtt.exec:\9hhbtt.exe24⤵
- Executes dropped EXE
PID:4724 -
\??\c:\pjpjv.exec:\pjpjv.exe25⤵
- Executes dropped EXE
PID:5004 -
\??\c:\pjvvj.exec:\pjvvj.exe26⤵
- Executes dropped EXE
PID:640 -
\??\c:\xfffrxr.exec:\xfffrxr.exe27⤵
- Executes dropped EXE
PID:4968 -
\??\c:\ttbtbt.exec:\ttbtbt.exe28⤵
- Executes dropped EXE
PID:3324 -
\??\c:\vdvdp.exec:\vdvdp.exe29⤵
- Executes dropped EXE
PID:436 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe30⤵
- Executes dropped EXE
PID:608 -
\??\c:\lxxrllx.exec:\lxxrllx.exe31⤵
- Executes dropped EXE
PID:2184 -
\??\c:\thnhbn.exec:\thnhbn.exe32⤵
- Executes dropped EXE
PID:5064 -
\??\c:\jddvd.exec:\jddvd.exe33⤵
- Executes dropped EXE
PID:316 -
\??\c:\9lxrllx.exec:\9lxrllx.exe34⤵
- Executes dropped EXE
PID:1508 -
\??\c:\frrlffr.exec:\frrlffr.exe35⤵
- Executes dropped EXE
PID:3264 -
\??\c:\rflrxxf.exec:\rflrxxf.exe36⤵
- Executes dropped EXE
PID:3888 -
\??\c:\nnnhbt.exec:\nnnhbt.exe37⤵
- Executes dropped EXE
PID:1896 -
\??\c:\xlrxxxx.exec:\xlrxxxx.exe38⤵
- Executes dropped EXE
PID:1764 -
\??\c:\9pjdd.exec:\9pjdd.exe39⤵
- Executes dropped EXE
PID:4532 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe40⤵
- Executes dropped EXE
PID:1124 -
\??\c:\hnttbb.exec:\hnttbb.exe41⤵
- Executes dropped EXE
PID:1908 -
\??\c:\hhhhbt.exec:\hhhhbt.exe42⤵
- Executes dropped EXE
PID:1368 -
\??\c:\5dvpj.exec:\5dvpj.exe43⤵
- Executes dropped EXE
PID:2488 -
\??\c:\lffxllx.exec:\lffxllx.exe44⤵
- Executes dropped EXE
PID:404 -
\??\c:\vvddd.exec:\vvddd.exe45⤵
- Executes dropped EXE
PID:1872 -
\??\c:\fxrffxr.exec:\fxrffxr.exe46⤵
- Executes dropped EXE
PID:4296 -
\??\c:\tbhbtn.exec:\tbhbtn.exe47⤵
- Executes dropped EXE
PID:3544 -
\??\c:\nbhhtn.exec:\nbhhtn.exe48⤵
- Executes dropped EXE
PID:4972 -
\??\c:\7vpdv.exec:\7vpdv.exe49⤵
- Executes dropped EXE
PID:4684 -
\??\c:\xrlfrlf.exec:\xrlfrlf.exe50⤵
- Executes dropped EXE
PID:2276 -
\??\c:\fxxrffx.exec:\fxxrffx.exe51⤵
- Executes dropped EXE
PID:4372 -
\??\c:\bbhhbt.exec:\bbhhbt.exe52⤵
- Executes dropped EXE
PID:4084 -
\??\c:\9pjdv.exec:\9pjdv.exe53⤵
- Executes dropped EXE
PID:2328 -
\??\c:\9rrlrrf.exec:\9rrlrrf.exe54⤵
- Executes dropped EXE
PID:3096 -
\??\c:\nthtnh.exec:\nthtnh.exe55⤵
- Executes dropped EXE
PID:3492 -
\??\c:\nbtnhb.exec:\nbtnhb.exe56⤵
- Executes dropped EXE
PID:4884 -
\??\c:\jpdpj.exec:\jpdpj.exe57⤵
- Executes dropped EXE
PID:532 -
\??\c:\xxxlfxx.exec:\xxxlfxx.exe58⤵
- Executes dropped EXE
PID:4324 -
\??\c:\9rlfxxx.exec:\9rlfxxx.exe59⤵
- Executes dropped EXE
PID:3948 -
\??\c:\bntbtn.exec:\bntbtn.exe60⤵
- Executes dropped EXE
PID:1956 -
\??\c:\pddvv.exec:\pddvv.exe61⤵
- Executes dropped EXE
PID:1248 -
\??\c:\7jdvp.exec:\7jdvp.exe62⤵
- Executes dropped EXE
PID:1156 -
\??\c:\7xlxrrl.exec:\7xlxrrl.exe63⤵
- Executes dropped EXE
PID:1244 -
\??\c:\ttbttn.exec:\ttbttn.exe64⤵
- Executes dropped EXE
PID:2028 -
\??\c:\dvddd.exec:\dvddd.exe65⤵
- Executes dropped EXE
PID:1308 -
\??\c:\jpjdv.exec:\jpjdv.exe66⤵PID:2736
-
\??\c:\fxxrfxr.exec:\fxxrfxr.exe67⤵PID:2240
-
\??\c:\bntnnh.exec:\bntnnh.exe68⤵PID:3000
-
\??\c:\3vvjv.exec:\3vvjv.exe69⤵PID:4172
-
\??\c:\jvdpd.exec:\jvdpd.exe70⤵PID:1992
-
\??\c:\rxfrllf.exec:\rxfrllf.exe71⤵PID:2292
-
\??\c:\bnnhnn.exec:\bnnhnn.exe72⤵PID:2212
-
\??\c:\hbhnbn.exec:\hbhnbn.exe73⤵PID:4944
-
\??\c:\vpjdd.exec:\vpjdd.exe74⤵PID:4476
-
\??\c:\ppvpj.exec:\ppvpj.exe75⤵PID:2944
-
\??\c:\rxlxlfx.exec:\rxlxlfx.exe76⤵PID:4304
-
\??\c:\nhnnnn.exec:\nhnnnn.exe77⤵PID:3840
-
\??\c:\jjvpd.exec:\jjvpd.exe78⤵PID:3672
-
\??\c:\jjjdp.exec:\jjjdp.exe79⤵PID:2076
-
\??\c:\flfxlll.exec:\flfxlll.exe80⤵PID:3448
-
\??\c:\nttnhh.exec:\nttnhh.exe81⤵PID:32
-
\??\c:\jdjvj.exec:\jdjvj.exe82⤵PID:952
-
\??\c:\rllffff.exec:\rllffff.exe83⤵PID:2636
-
\??\c:\lfxrlfr.exec:\lfxrlfr.exe84⤵PID:856
-
\??\c:\bnbttn.exec:\bnbttn.exe85⤵PID:1776
-
\??\c:\fflfrlf.exec:\fflfrlf.exe86⤵
- System Location Discovery: System Language Discovery
PID:3552 -
\??\c:\xflfrrr.exec:\xflfrrr.exe87⤵PID:5108
-
\??\c:\ttnnhb.exec:\ttnnhb.exe88⤵PID:4692
-
\??\c:\1vvjd.exec:\1vvjd.exe89⤵PID:3736
-
\??\c:\dpvjv.exec:\dpvjv.exe90⤵PID:1476
-
\??\c:\rlrrlfx.exec:\rlrrlfx.exe91⤵PID:2620
-
\??\c:\3hbtnn.exec:\3hbtnn.exe92⤵PID:4032
-
\??\c:\hntnnh.exec:\hntnnh.exe93⤵PID:1792
-
\??\c:\lxrfrlx.exec:\lxrfrlx.exe94⤵PID:3260
-
\??\c:\frrlxrl.exec:\frrlxrl.exe95⤵PID:4580
-
\??\c:\tbhbtt.exec:\tbhbtt.exe96⤵PID:2728
-
\??\c:\hntnbb.exec:\hntnbb.exe97⤵PID:1324
-
\??\c:\dvvpp.exec:\dvvpp.exe98⤵PID:216
-
\??\c:\lllxrrl.exec:\lllxrrl.exe99⤵PID:5032
-
\??\c:\3lffxxx.exec:\3lffxxx.exe100⤵PID:5072
-
\??\c:\nhhbbb.exec:\nhhbbb.exe101⤵PID:3496
-
\??\c:\dvjjp.exec:\dvjjp.exe102⤵PID:2216
-
\??\c:\1flfrrl.exec:\1flfrrl.exe103⤵PID:3820
-
\??\c:\rrrllrr.exec:\rrrllrr.exe104⤵PID:1668
-
\??\c:\bbtnnh.exec:\bbtnnh.exe105⤵PID:2012
-
\??\c:\jdjpd.exec:\jdjpd.exe106⤵PID:3112
-
\??\c:\rllxxrr.exec:\rllxxrr.exe107⤵PID:3868
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe108⤵PID:4388
-
\??\c:\5tnnhh.exec:\5tnnhh.exe109⤵PID:368
-
\??\c:\jvvpd.exec:\jvvpd.exe110⤵PID:4000
-
\??\c:\rlfxfxf.exec:\rlfxfxf.exe111⤵PID:2056
-
\??\c:\hnbtnh.exec:\hnbtnh.exe112⤵PID:852
-
\??\c:\nnbtbt.exec:\nnbtbt.exe113⤵PID:4148
-
\??\c:\jdjdv.exec:\jdjdv.exe114⤵PID:4808
-
\??\c:\pvjdp.exec:\pvjdp.exe115⤵PID:1288
-
\??\c:\xrxllfx.exec:\xrxllfx.exe116⤵PID:3880
-
\??\c:\bnhbtt.exec:\bnhbtt.exe117⤵PID:1840
-
\??\c:\hhnhtt.exec:\hhnhtt.exe118⤵PID:1488
-
\??\c:\vpjdp.exec:\vpjdp.exe119⤵PID:3536
-
\??\c:\vpjdv.exec:\vpjdv.exe120⤵PID:4684
-
\??\c:\rfxlffx.exec:\rfxlffx.exe121⤵PID:740
-
\??\c:\hntthh.exec:\hntthh.exe122⤵PID:4736