Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 23:04
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe
-
Size
347KB
-
MD5
d39d1a14153143d31d0dbd9acad218e4
-
SHA1
7a4b7e3ca8a43a40ced6601fb98aecd6d742f2af
-
SHA256
e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3
-
SHA512
2127321eef7ce5afcf18231c2a5eb35a87cbe1d70ee839a6af41206d4faa4c13418fa6d0517bef71e923722d748a30dbb6bae2b1d6a88534e2a5bd279c28d7bc
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAu:l7TcbWXZshJX2VGdu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2160-5-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5012-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4104-18-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3216-25-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3260-31-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4664-40-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2132-46-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/60-52-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/724-57-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3428-63-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2848-68-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2908-80-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/456-85-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2400-93-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2268-97-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2996-104-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3540-106-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4064-115-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/956-123-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1132-130-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4300-142-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3968-133-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5036-154-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/316-152-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3472-162-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3424-169-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3784-177-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3184-185-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3972-191-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4744-208-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2640-215-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5084-221-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3500-225-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4396-229-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5012-239-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4484-243-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1148-250-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2488-256-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5028-260-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4664-264-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3696-282-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5032-296-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3312-311-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2704-315-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1580-322-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2232-332-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4408-360-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1948-370-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3164-398-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4440-408-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3284-412-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5044-416-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4396-438-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3260-457-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1812-479-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1568-483-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2420-538-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3384-542-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3764-567-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1644-605-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2568-621-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1508-667-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2532-901-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5012 pvvdd.exe 4104 nhhhhh.exe 3216 tnbtnt.exe 3260 htntbt.exe 4052 vpjvj.exe 4664 hbbtbb.exe 2132 dddpj.exe 60 tbtbnh.exe 724 vdjdp.exe 3428 nnhbnh.exe 2848 dpvjv.exe 3480 xfrxlfx.exe 2908 7dpjd.exe 456 hnbtnn.exe 2400 xlrfrlx.exe 2268 3lflfxr.exe 2996 djjpp.exe 3540 rxxxrlf.exe 4064 tnntnn.exe 956 jvvjj.exe 1132 lxrfxlf.exe 3968 tnhnhb.exe 3544 pppjd.exe 4300 hhhthb.exe 316 jddvp.exe 5036 rllfrrf.exe 3472 ththbt.exe 3424 3rxrffx.exe 1736 bhhtbn.exe 3784 jjpjd.exe 3184 xrxrllf.exe 3972 vpjdd.exe 4820 tnnhnh.exe 608 bhhtht.exe 3028 ppvjd.exe 3284 xxxfxff.exe 4744 thhthb.exe 2616 rflfrfr.exe 2640 hbthbt.exe 4208 vvpdv.exe 5084 hhttnn.exe 3500 hhhbtn.exe 4396 frxfxxr.exe 1120 nbbtht.exe 1068 bttnht.exe 5012 ddvdp.exe 4484 rrxlfxr.exe 2700 btbtnn.exe 1148 jpppd.exe 3492 jdjdp.exe 2488 frlfxlf.exe 5028 hbttht.exe 4664 vjjdv.exe 3960 lfrflff.exe 2016 lrfffrx.exe 1684 nnnhbb.exe 2088 dvvpd.exe 4788 1lfxlff.exe 3696 tnthbn.exe 2276 vvdjd.exe 4376 1vvjd.exe 2532 9flxxrr.exe 5032 thnbnh.exe 628 5vvjd.exe -
resource yara_rule behavioral2/memory/2160-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5012-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3216-19-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4104-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3216-25-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3260-31-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4664-40-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2132-46-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/60-52-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/724-57-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3428-63-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2848-68-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2908-80-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/456-85-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2400-93-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2268-97-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2996-104-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3540-106-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4064-115-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/956-123-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1132-130-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4300-142-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3968-133-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5036-154-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/316-152-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3472-162-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3424-169-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3784-177-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3184-185-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3972-191-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4820-192-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4744-208-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2640-215-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5084-221-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3500-225-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4396-229-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5012-239-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4484-243-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1148-250-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2488-256-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5028-260-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4664-264-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3696-282-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5032-296-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3312-311-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2704-315-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1580-322-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2232-332-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/4408-360-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1948-370-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3164-398-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4440-408-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3284-412-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5044-416-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4396-438-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3260-457-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1812-479-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1568-483-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2420-538-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3384-542-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3764-567-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2936-599-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1644-605-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2568-621-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 5012 2160 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 82 PID 2160 wrote to memory of 5012 2160 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 82 PID 2160 wrote to memory of 5012 2160 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 82 PID 5012 wrote to memory of 4104 5012 pvvdd.exe 83 PID 5012 wrote to memory of 4104 5012 pvvdd.exe 83 PID 5012 wrote to memory of 4104 5012 pvvdd.exe 83 PID 4104 wrote to memory of 3216 4104 nhhhhh.exe 84 PID 4104 wrote to memory of 3216 4104 nhhhhh.exe 84 PID 4104 wrote to memory of 3216 4104 nhhhhh.exe 84 PID 3216 wrote to memory of 3260 3216 tnbtnt.exe 85 PID 3216 wrote to memory of 3260 3216 tnbtnt.exe 85 PID 3216 wrote to memory of 3260 3216 tnbtnt.exe 85 PID 3260 wrote to memory of 4052 3260 htntbt.exe 86 PID 3260 wrote to memory of 4052 3260 htntbt.exe 86 PID 3260 wrote to memory of 4052 3260 htntbt.exe 86 PID 4052 wrote to memory of 4664 4052 vpjvj.exe 87 PID 4052 wrote to memory of 4664 4052 vpjvj.exe 87 PID 4052 wrote to memory of 4664 4052 vpjvj.exe 87 PID 4664 wrote to memory of 2132 4664 hbbtbb.exe 88 PID 4664 wrote to memory of 2132 4664 hbbtbb.exe 88 PID 4664 wrote to memory of 2132 4664 hbbtbb.exe 88 PID 2132 wrote to memory of 60 2132 dddpj.exe 89 PID 2132 wrote to memory of 60 2132 dddpj.exe 89 PID 2132 wrote to memory of 60 2132 dddpj.exe 89 PID 60 wrote to memory of 724 60 tbtbnh.exe 90 PID 60 wrote to memory of 724 60 tbtbnh.exe 90 PID 60 wrote to memory of 724 60 tbtbnh.exe 90 PID 724 wrote to memory of 3428 724 vdjdp.exe 91 PID 724 wrote to memory of 3428 724 vdjdp.exe 91 PID 724 wrote to memory of 3428 724 vdjdp.exe 91 PID 3428 wrote to memory of 2848 3428 nnhbnh.exe 92 PID 3428 wrote to memory of 2848 3428 nnhbnh.exe 92 PID 3428 wrote to memory of 2848 3428 nnhbnh.exe 92 PID 2848 wrote to memory of 3480 2848 dpvjv.exe 93 PID 2848 wrote to memory of 3480 2848 dpvjv.exe 93 PID 2848 
wrote to memory of 3480 2848 dpvjv.exe 93 PID 3480 wrote to memory of 2908 3480 xfrxlfx.exe 94 PID 3480 wrote to memory of 2908 3480 xfrxlfx.exe 94 PID 3480 wrote to memory of 2908 3480 xfrxlfx.exe 94 PID 2908 wrote to memory of 456 2908 7dpjd.exe 95 PID 2908 wrote to memory of 456 2908 7dpjd.exe 95 PID 2908 wrote to memory of 456 2908 7dpjd.exe 95 PID 456 wrote to memory of 2400 456 hnbtnn.exe 96 PID 456 wrote to memory of 2400 456 hnbtnn.exe 96 PID 456 wrote to memory of 2400 456 hnbtnn.exe 96 PID 2400 wrote to memory of 2268 2400 xlrfrlx.exe 97 PID 2400 wrote to memory of 2268 2400 xlrfrlx.exe 97 PID 2400 wrote to memory of 2268 2400 xlrfrlx.exe 97 PID 2268 wrote to memory of 2996 2268 3lflfxr.exe 98 PID 2268 wrote to memory of 2996 2268 3lflfxr.exe 98 PID 2268 wrote to memory of 2996 2268 3lflfxr.exe 98 PID 2996 wrote to memory of 3540 2996 djjpp.exe 99 PID 2996 wrote to memory of 3540 2996 djjpp.exe 99 PID 2996 wrote to memory of 3540 2996 djjpp.exe 99 PID 3540 wrote to memory of 4064 3540 rxxxrlf.exe 100 PID 3540 wrote to memory of 4064 3540 rxxxrlf.exe 100 PID 3540 wrote to memory of 4064 3540 rxxxrlf.exe 100 PID 4064 wrote to memory of 956 4064 tnntnn.exe 101 PID 4064 wrote to memory of 956 4064 tnntnn.exe 101 PID 4064 wrote to memory of 956 4064 tnntnn.exe 101 PID 956 wrote to memory of 1132 956 jvvjj.exe 102 PID 956 wrote to memory of 1132 956 jvvjj.exe 102 PID 956 wrote to memory of 1132 956 jvvjj.exe 102 PID 1132 wrote to memory of 3968 1132 lxrfxlf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe"C:\Users\Admin\AppData\Local\Temp\e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\pvvdd.exec:\pvvdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\nhhhhh.exec:\nhhhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\tnbtnt.exec:\tnbtnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\htntbt.exec:\htntbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\vpjvj.exec:\vpjvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\hbbtbb.exec:\hbbtbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\dddpj.exec:\dddpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\tbtbnh.exec:\tbtbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\vdjdp.exec:\vdjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
\??\c:\nnhbnh.exec:\nnhbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\dpvjv.exec:\dpvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\xfrxlfx.exec:\xfrxlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\7dpjd.exec:\7dpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\hnbtnn.exec:\hnbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\xlrfrlx.exec:\xlrfrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\3lflfxr.exec:\3lflfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\djjpp.exec:\djjpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\rxxxrlf.exec:\rxxxrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\tnntnn.exec:\tnntnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\jvvjj.exec:\jvvjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\lxrfxlf.exec:\lxrfxlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\tnhnhb.exec:\tnhnhb.exe23⤵
- Executes dropped EXE
PID:3968 -
\??\c:\pppjd.exec:\pppjd.exe24⤵
- Executes dropped EXE
PID:3544 -
\??\c:\hhhthb.exec:\hhhthb.exe25⤵
- Executes dropped EXE
PID:4300 -
\??\c:\jddvp.exec:\jddvp.exe26⤵
- Executes dropped EXE
PID:316 -
\??\c:\rllfrrf.exec:\rllfrrf.exe27⤵
- Executes dropped EXE
PID:5036 -
\??\c:\ththbt.exec:\ththbt.exe28⤵
- Executes dropped EXE
PID:3472 -
\??\c:\3rxrffx.exec:\3rxrffx.exe29⤵
- Executes dropped EXE
PID:3424 -
\??\c:\bhhtbn.exec:\bhhtbn.exe30⤵
- Executes dropped EXE
PID:1736 -
\??\c:\jjpjd.exec:\jjpjd.exe31⤵
- Executes dropped EXE
PID:3784 -
\??\c:\xrxrllf.exec:\xrxrllf.exe32⤵
- Executes dropped EXE
PID:3184 -
\??\c:\vpjdd.exec:\vpjdd.exe33⤵
- Executes dropped EXE
PID:3972 -
\??\c:\tnnhnh.exec:\tnnhnh.exe34⤵
- Executes dropped EXE
PID:4820 -
\??\c:\bhhtht.exec:\bhhtht.exe35⤵
- Executes dropped EXE
PID:608 -
\??\c:\ppvjd.exec:\ppvjd.exe36⤵
- Executes dropped EXE
PID:3028 -
\??\c:\xxxfxff.exec:\xxxfxff.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3284 -
\??\c:\thhthb.exec:\thhthb.exe38⤵
- Executes dropped EXE
PID:4744 -
\??\c:\rflfrfr.exec:\rflfrfr.exe39⤵
- Executes dropped EXE
PID:2616 -
\??\c:\hbthbt.exec:\hbthbt.exe40⤵
- Executes dropped EXE
PID:2640 -
\??\c:\vvpdv.exec:\vvpdv.exe41⤵
- Executes dropped EXE
PID:4208 -
\??\c:\hhttnn.exec:\hhttnn.exe42⤵
- Executes dropped EXE
PID:5084 -
\??\c:\hhhbtn.exec:\hhhbtn.exe43⤵
- Executes dropped EXE
PID:3500 -
\??\c:\frxfxxr.exec:\frxfxxr.exe44⤵
- Executes dropped EXE
PID:4396 -
\??\c:\nbbtht.exec:\nbbtht.exe45⤵
- Executes dropped EXE
PID:1120 -
\??\c:\bttnht.exec:\bttnht.exe46⤵
- Executes dropped EXE
PID:1068 -
\??\c:\ddvdp.exec:\ddvdp.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5012 -
\??\c:\rrxlfxr.exec:\rrxlfxr.exe48⤵
- Executes dropped EXE
PID:4484 -
\??\c:\btbtnn.exec:\btbtnn.exe49⤵
- Executes dropped EXE
PID:2700 -
\??\c:\jpppd.exec:\jpppd.exe50⤵
- Executes dropped EXE
PID:1148 -
\??\c:\jdjdp.exec:\jdjdp.exe51⤵
- Executes dropped EXE
PID:3492 -
\??\c:\frlfxlf.exec:\frlfxlf.exe52⤵
- Executes dropped EXE
PID:2488 -
\??\c:\hbttht.exec:\hbttht.exe53⤵
- Executes dropped EXE
PID:5028 -
\??\c:\vjjdv.exec:\vjjdv.exe54⤵
- Executes dropped EXE
PID:4664 -
\??\c:\lfrflff.exec:\lfrflff.exe55⤵
- Executes dropped EXE
PID:3960 -
\??\c:\lrfffrx.exec:\lrfffrx.exe56⤵
- Executes dropped EXE
PID:2016 -
\??\c:\nnnhbb.exec:\nnnhbb.exe57⤵
- Executes dropped EXE
PID:1684 -
\??\c:\dvvpd.exec:\dvvpd.exe58⤵
- Executes dropped EXE
PID:2088 -
\??\c:\1lfxlff.exec:\1lfxlff.exe59⤵
- Executes dropped EXE
PID:4788 -
\??\c:\tnthbn.exec:\tnthbn.exe60⤵
- Executes dropped EXE
PID:3696 -
\??\c:\vvdjd.exec:\vvdjd.exe61⤵
- Executes dropped EXE
PID:2276 -
\??\c:\1vvjd.exec:\1vvjd.exe62⤵
- Executes dropped EXE
PID:4376 -
\??\c:\9flxxrr.exec:\9flxxrr.exe63⤵
- Executes dropped EXE
PID:2532 -
\??\c:\thnbnh.exec:\thnbnh.exe64⤵
- Executes dropped EXE
PID:5032 -
\??\c:\5vvjd.exec:\5vvjd.exe65⤵
- Executes dropped EXE
PID:628 -
\??\c:\1rrlllf.exec:\1rrlllf.exe66⤵PID:456
-
\??\c:\xlfrlfx.exec:\xlfrlfx.exe67⤵PID:380
-
\??\c:\nhhnhb.exec:\nhhnhb.exe68⤵PID:656
-
\??\c:\ppdpj.exec:\ppdpj.exe69⤵PID:3312
-
\??\c:\3jjpd.exec:\3jjpd.exe70⤵PID:2704
-
\??\c:\xllfxrr.exec:\xllfxrr.exe71⤵PID:1792
-
\??\c:\btntnb.exec:\btntnb.exe72⤵PID:1580
-
\??\c:\5bbthb.exec:\5bbthb.exe73⤵PID:3384
-
\??\c:\1djvp.exec:\1djvp.exe74⤵PID:2796
-
\??\c:\9llrllf.exec:\9llrllf.exe75⤵PID:2232
-
\??\c:\thhthb.exec:\thhthb.exe76⤵PID:3000
-
\??\c:\tnthhb.exec:\tnthhb.exe77⤵PID:3116
-
\??\c:\dppjd.exec:\dppjd.exe78⤵PID:3760
-
\??\c:\frfrllf.exec:\frfrllf.exe79⤵PID:1152
-
\??\c:\jddvp.exec:\jddvp.exe80⤵PID:2416
-
\??\c:\5jvpp.exec:\5jvpp.exe81⤵PID:3764
-
\??\c:\5llfrrl.exec:\5llfrrl.exe82⤵PID:404
-
\??\c:\bhhbtn.exec:\bhhbtn.exe83⤵PID:812
-
\??\c:\pjppj.exec:\pjppj.exe84⤵PID:4408
-
\??\c:\xrllxrx.exec:\xrllxrx.exe85⤵PID:1688
-
\??\c:\lxlfflf.exec:\lxlfflf.exe86⤵PID:4916
-
\??\c:\nhnhbb.exec:\nhnhbb.exe87⤵PID:1948
-
\??\c:\dppjd.exec:\dppjd.exe88⤵PID:3472
-
\??\c:\lflxxxf.exec:\lflxxxf.exe89⤵PID:3772
-
\??\c:\bhnntt.exec:\bhnntt.exe90⤵PID:464
-
\??\c:\pjjdp.exec:\pjjdp.exe91⤵PID:4552
-
\??\c:\rllxrlf.exec:\rllxrlf.exe92⤵PID:2936
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe93⤵PID:4592
-
\??\c:\tnhbbb.exec:\tnhbbb.exe94⤵PID:2588
-
\??\c:\ddvjv.exec:\ddvjv.exe95⤵PID:4772
-
\??\c:\1vvpd.exec:\1vvpd.exe96⤵PID:3164
-
\??\c:\lrrlrfr.exec:\lrrlrfr.exe97⤵PID:4820
-
\??\c:\bnbthb.exec:\bnbthb.exe98⤵PID:3504
-
\??\c:\vjjjd.exec:\vjjjd.exe99⤵PID:4440
-
\??\c:\vppdp.exec:\vppdp.exe100⤵PID:3284
-
\??\c:\frxlrff.exec:\frxlrff.exe101⤵PID:5044
-
\??\c:\3bhbbn.exec:\3bhbbn.exe102⤵PID:1332
-
\??\c:\vvjdj.exec:\vvjdj.exe103⤵PID:1456
-
\??\c:\pjpdp.exec:\pjpdp.exe104⤵PID:2884
-
\??\c:\llrrrff.exec:\llrrrff.exe105⤵PID:4208
-
\??\c:\1tbnbt.exec:\1tbnbt.exe106⤵PID:4380
-
\??\c:\pjdvp.exec:\pjdvp.exe107⤵PID:1584
-
\??\c:\rxxrrrl.exec:\rxxrrrl.exe108⤵PID:4396
-
\??\c:\fxxrfff.exec:\fxxrfff.exe109⤵PID:4804
-
\??\c:\hnhtnn.exec:\hnhtnn.exe110⤵PID:1372
-
\??\c:\1vpdj.exec:\1vpdj.exe111⤵PID:2160
-
\??\c:\rlrffxx.exec:\rlrffxx.exe112⤵PID:4120
-
\??\c:\rfxlffx.exec:\rfxlffx.exe113⤵PID:4464
-
\??\c:\bbhhnh.exec:\bbhhnh.exe114⤵
- System Location Discovery: System Language Discovery
PID:3260 -
\??\c:\djjdv.exec:\djjdv.exe115⤵PID:1576
-
\??\c:\lfllrfr.exec:\lfllrfr.exe116⤵PID:3492
-
\??\c:\fflxxrf.exec:\fflxxrf.exe117⤵PID:1760
-
\??\c:\tntbnh.exec:\tntbnh.exe118⤵PID:1144
-
\??\c:\jvvpp.exec:\jvvpp.exe119⤵PID:4472
-
\??\c:\5frlxxx.exec:\5frlxxx.exe120⤵PID:324
-
\??\c:\5lrlffx.exec:\5lrlffx.exe121⤵PID:1812
-
\??\c:\nttnhh.exec:\nttnhh.exe122⤵PID:1568