Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 23:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe
-
Size
456KB
-
MD5
0c02684a7a7b494619ecb05e101ddaca
-
SHA1
2530b6fa799b0215adefa51fa6a886241539e652
-
SHA256
86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84
-
SHA512
95ea1dbe1b9ec6c8a1f351dacf429746809531306a01cb901cc61563ced574ee0520ae38fad4b895e3044f8104727c4431fff89c8aa2c7bea6c1efb254f947d3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2608-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2724-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4588-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-1430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4480-1570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4640 1tbbhh.exe 3516 tnbttn.exe 1608 vpddd.exe 1672 xrlrllx.exe 2324 ntbbnn.exe 1896 jpppj.exe 2188 9ffxxxr.exe 644 bbtttt.exe 5032 dvpdv.exe 2312 rlfxrff.exe 2976 jjdvp.exe 4804 flrrrrx.exe 4896 pvppj.exe 2392 9llfxxl.exe 224 dvvpj.exe 1332 xxxrflx.exe 3992 dppjd.exe 3100 lllllxx.exe 4044 ntbnhb.exe 1624 xrffxrl.exe 2488 9xxrrrl.exe 3968 ppppp.exe 4964 dpvpp.exe 3156 7rxrfff.exe 4800 tnnnbb.exe 2724 vvddj.exe 656 btthth.exe 4960 pdddv.exe 1660 fxfxlll.exe 2684 ttbbbb.exe 4144 dddvp.exe 4928 pdddv.exe 4720 flfllrr.exe 4916 9htnhn.exe 404 pvjdp.exe 2400 xflllll.exe 2740 thnbnb.exe 2560 ttnnhb.exe 1192 dpvpp.exe 2016 xxfxrrl.exe 4324 rlrlxxr.exe 2476 tnnnbb.exe 2308 hbttnt.exe 1876 pjppj.exe 1240 fxxrrrl.exe 1048 tbhhbb.exe 4656 jddvv.exe 4664 fxlfrrx.exe 4052 pdjdv.exe 4852 tbhbtt.exe 1608 bnhbbb.exe 752 hbbtth.exe 980 vjjjd.exe 2820 rfffflr.exe 1460 bhnhhh.exe 4276 pjjdp.exe 4264 tnntbn.exe 2180 hhnhbb.exe 644 djjdv.exe 3512 1lffxxr.exe 2296 bhnhbb.exe 748 djjdp.exe 4900 rlxrllr.exe 4128 nhtnth.exe -
resource yara_rule behavioral2/memory/2608-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4144-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-423-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2864-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-778-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2608 wrote to memory of 4640 2608 86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe 82 PID 2608 wrote to memory of 4640 2608 86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe 82 PID 2608 wrote to memory of 4640 2608 86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe 82 PID 4640 wrote to memory of 3516 4640 1tbbhh.exe 83 PID 4640 wrote to memory of 3516 4640 1tbbhh.exe 83 PID 4640 wrote to memory of 3516 4640 1tbbhh.exe 83 PID 3516 wrote to memory of 1608 3516 tnbttn.exe 84 PID 3516 wrote to memory of 1608 3516 tnbttn.exe 84 PID 3516 wrote to memory of 1608 3516 tnbttn.exe 84 PID 1608 wrote to memory of 1672 1608 vpddd.exe 85 PID 1608 wrote to memory of 1672 1608 vpddd.exe 85 PID 1608 wrote to memory of 1672 1608 vpddd.exe 85 PID 1672 wrote to memory of 2324 1672 xrlrllx.exe 86 PID 1672 wrote to memory of 2324 1672 xrlrllx.exe 86 PID 1672 wrote to memory of 2324 1672 xrlrllx.exe 86 PID 2324 wrote to memory of 1896 2324 ntbbnn.exe 87 PID 2324 wrote to memory of 1896 2324 ntbbnn.exe 87 PID 2324 wrote to memory of 1896 2324 ntbbnn.exe 87 PID 1896 wrote to memory of 2188 1896 jpppj.exe 88 PID 1896 wrote to memory of 2188 1896 jpppj.exe 88 PID 1896 wrote to memory of 2188 1896 jpppj.exe 88 PID 2188 wrote to memory of 644 2188 9ffxxxr.exe 89 PID 2188 wrote to memory of 644 2188 9ffxxxr.exe 89 PID 2188 wrote to memory of 644 2188 9ffxxxr.exe 89 PID 644 wrote to memory of 5032 644 bbtttt.exe 90 PID 644 wrote to memory of 5032 644 bbtttt.exe 90 PID 644 wrote to memory of 5032 644 bbtttt.exe 90 PID 5032 wrote to memory of 2312 5032 dvpdv.exe 91 PID 5032 wrote to memory of 2312 5032 dvpdv.exe 91 PID 5032 wrote to memory of 2312 5032 dvpdv.exe 91 PID 2312 wrote to memory of 2976 2312 rlfxrff.exe 92 PID 2312 wrote to memory of 2976 2312 rlfxrff.exe 92 PID 2312 wrote to memory of 2976 2312 rlfxrff.exe 92 PID 2976 wrote to memory of 4804 2976 jjdvp.exe 93 PID 2976 wrote to memory of 
4804 2976 jjdvp.exe 93 PID 2976 wrote to memory of 4804 2976 jjdvp.exe 93 PID 4804 wrote to memory of 4896 4804 flrrrrx.exe 94 PID 4804 wrote to memory of 4896 4804 flrrrrx.exe 94 PID 4804 wrote to memory of 4896 4804 flrrrrx.exe 94 PID 4896 wrote to memory of 2392 4896 pvppj.exe 95 PID 4896 wrote to memory of 2392 4896 pvppj.exe 95 PID 4896 wrote to memory of 2392 4896 pvppj.exe 95 PID 2392 wrote to memory of 224 2392 9llfxxl.exe 96 PID 2392 wrote to memory of 224 2392 9llfxxl.exe 96 PID 2392 wrote to memory of 224 2392 9llfxxl.exe 96 PID 224 wrote to memory of 1332 224 dvvpj.exe 97 PID 224 wrote to memory of 1332 224 dvvpj.exe 97 PID 224 wrote to memory of 1332 224 dvvpj.exe 97 PID 1332 wrote to memory of 3992 1332 xxxrflx.exe 98 PID 1332 wrote to memory of 3992 1332 xxxrflx.exe 98 PID 1332 wrote to memory of 3992 1332 xxxrflx.exe 98 PID 3992 wrote to memory of 3100 3992 dppjd.exe 99 PID 3992 wrote to memory of 3100 3992 dppjd.exe 99 PID 3992 wrote to memory of 3100 3992 dppjd.exe 99 PID 3100 wrote to memory of 4044 3100 lllllxx.exe 100 PID 3100 wrote to memory of 4044 3100 lllllxx.exe 100 PID 3100 wrote to memory of 4044 3100 lllllxx.exe 100 PID 4044 wrote to memory of 1624 4044 ntbnhb.exe 101 PID 4044 wrote to memory of 1624 4044 ntbnhb.exe 101 PID 4044 wrote to memory of 1624 4044 ntbnhb.exe 101 PID 1624 wrote to memory of 2488 1624 xrffxrl.exe 102 PID 1624 wrote to memory of 2488 1624 xrffxrl.exe 102 PID 1624 wrote to memory of 2488 1624 xrffxrl.exe 102 PID 2488 wrote to memory of 3968 2488 9xxrrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe"C:\Users\Admin\AppData\Local\Temp\86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\1tbbhh.exec:\1tbbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\tnbttn.exec:\tnbttn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\vpddd.exec:\vpddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\xrlrllx.exec:\xrlrllx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\ntbbnn.exec:\ntbbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\jpppj.exec:\jpppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\9ffxxxr.exec:\9ffxxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\bbtttt.exec:\bbtttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\dvpdv.exec:\dvpdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\rlfxrff.exec:\rlfxrff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\jjdvp.exec:\jjdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\flrrrrx.exec:\flrrrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\pvppj.exec:\pvppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\9llfxxl.exec:\9llfxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\dvvpj.exec:\dvvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\xxxrflx.exec:\xxxrflx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\dppjd.exec:\dppjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\lllllxx.exec:\lllllxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\ntbnhb.exec:\ntbnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\xrffxrl.exec:\xrffxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\9xxrrrl.exec:\9xxrrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\ppppp.exec:\ppppp.exe23⤵
- Executes dropped EXE
PID:3968 -
\??\c:\dpvpp.exec:\dpvpp.exe24⤵
- Executes dropped EXE
PID:4964 -
\??\c:\7rxrfff.exec:\7rxrfff.exe25⤵
- Executes dropped EXE
PID:3156 -
\??\c:\tnnnbb.exec:\tnnnbb.exe26⤵
- Executes dropped EXE
PID:4800 -
\??\c:\vvddj.exec:\vvddj.exe27⤵
- Executes dropped EXE
PID:2724 -
\??\c:\btthth.exec:\btthth.exe28⤵
- Executes dropped EXE
PID:656 -
\??\c:\pdddv.exec:\pdddv.exe29⤵
- Executes dropped EXE
PID:4960 -
\??\c:\fxfxlll.exec:\fxfxlll.exe30⤵
- Executes dropped EXE
PID:1660 -
\??\c:\ttbbbb.exec:\ttbbbb.exe31⤵
- Executes dropped EXE
PID:2684 -
\??\c:\dddvp.exec:\dddvp.exe32⤵
- Executes dropped EXE
PID:4144 -
\??\c:\pdddv.exec:\pdddv.exe33⤵
- Executes dropped EXE
PID:4928 -
\??\c:\flfllrr.exec:\flfllrr.exe34⤵
- Executes dropped EXE
PID:4720 -
\??\c:\9htnhn.exec:\9htnhn.exe35⤵
- Executes dropped EXE
PID:4916 -
\??\c:\pvjdp.exec:\pvjdp.exe36⤵
- Executes dropped EXE
PID:404 -
\??\c:\xflllll.exec:\xflllll.exe37⤵
- Executes dropped EXE
PID:2400 -
\??\c:\thnbnb.exec:\thnbnb.exe38⤵
- Executes dropped EXE
PID:2740 -
\??\c:\ttnnhb.exec:\ttnnhb.exe39⤵
- Executes dropped EXE
PID:2560 -
\??\c:\dpvpp.exec:\dpvpp.exe40⤵
- Executes dropped EXE
PID:1192 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe41⤵
- Executes dropped EXE
PID:2016 -
\??\c:\rlrlxxr.exec:\rlrlxxr.exe42⤵
- Executes dropped EXE
PID:4324 -
\??\c:\tnnnbb.exec:\tnnnbb.exe43⤵
- Executes dropped EXE
PID:2476 -
\??\c:\hbttnt.exec:\hbttnt.exe44⤵
- Executes dropped EXE
PID:2308 -
\??\c:\pjppj.exec:\pjppj.exe45⤵
- Executes dropped EXE
PID:1876 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe46⤵
- Executes dropped EXE
PID:1240 -
\??\c:\nntntt.exec:\nntntt.exe47⤵PID:4848
-
\??\c:\tbhhbb.exec:\tbhhbb.exe48⤵
- Executes dropped EXE
PID:1048 -
\??\c:\jddvv.exec:\jddvv.exe49⤵
- Executes dropped EXE
PID:4656 -
\??\c:\fxlfrrx.exec:\fxlfrrx.exe50⤵
- Executes dropped EXE
PID:4664 -
\??\c:\pdjdv.exec:\pdjdv.exe51⤵
- Executes dropped EXE
PID:4052 -
\??\c:\tbhbtt.exec:\tbhbtt.exe52⤵
- Executes dropped EXE
PID:4852 -
\??\c:\bnhbbb.exec:\bnhbbb.exe53⤵
- Executes dropped EXE
PID:1608 -
\??\c:\hbbtth.exec:\hbbtth.exe54⤵
- Executes dropped EXE
PID:752 -
\??\c:\vjjjd.exec:\vjjjd.exe55⤵
- Executes dropped EXE
PID:980 -
\??\c:\rfffflr.exec:\rfffflr.exe56⤵
- Executes dropped EXE
PID:2820 -
\??\c:\bhnhhh.exec:\bhnhhh.exe57⤵
- Executes dropped EXE
PID:1460 -
\??\c:\pjjdp.exec:\pjjdp.exe58⤵
- Executes dropped EXE
PID:4276 -
\??\c:\tnntbn.exec:\tnntbn.exe59⤵
- Executes dropped EXE
PID:4264 -
\??\c:\hhnhbb.exec:\hhnhbb.exe60⤵
- Executes dropped EXE
PID:2180 -
\??\c:\djjdv.exec:\djjdv.exe61⤵
- Executes dropped EXE
PID:644 -
\??\c:\1lffxxr.exec:\1lffxxr.exe62⤵
- Executes dropped EXE
PID:3512 -
\??\c:\bhnhbb.exec:\bhnhbb.exe63⤵
- Executes dropped EXE
PID:2296 -
\??\c:\djjdp.exec:\djjdp.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:748 -
\??\c:\rlxrllr.exec:\rlxrllr.exe65⤵
- Executes dropped EXE
PID:4900 -
\??\c:\nhtnth.exec:\nhtnth.exe66⤵
- Executes dropped EXE
PID:4128 -
\??\c:\tnnhhb.exec:\tnnhhb.exe67⤵PID:5088
-
\??\c:\vppjj.exec:\vppjj.exe68⤵PID:2812
-
\??\c:\lrxxrll.exec:\lrxxrll.exe69⤵PID:3008
-
\??\c:\thnnhb.exec:\thnnhb.exe70⤵PID:1340
-
\??\c:\tnhhhh.exec:\tnhhhh.exe71⤵PID:4672
-
\??\c:\vjjdp.exec:\vjjdp.exe72⤵PID:3144
-
\??\c:\fxxrllf.exec:\fxxrllf.exe73⤵PID:2448
-
\??\c:\nnbtnn.exec:\nnbtnn.exe74⤵PID:740
-
\??\c:\dpddv.exec:\dpddv.exe75⤵PID:2576
-
\??\c:\lxfxxrl.exec:\lxfxxrl.exe76⤵PID:4840
-
\??\c:\hhthnn.exec:\hhthnn.exe77⤵PID:3992
-
\??\c:\nbhbbt.exec:\nbhbbt.exe78⤵PID:4588
-
\??\c:\vvjjp.exec:\vvjjp.exe79⤵PID:3928
-
\??\c:\frlffxf.exec:\frlffxf.exe80⤵PID:4044
-
\??\c:\btnhhh.exec:\btnhhh.exe81⤵PID:1624
-
\??\c:\tnbnhh.exec:\tnbnhh.exe82⤵PID:3124
-
\??\c:\jvdpv.exec:\jvdpv.exe83⤵PID:1816
-
\??\c:\fxrlfxx.exec:\fxrlfxx.exe84⤵PID:4740
-
\??\c:\pvvpv.exec:\pvvpv.exe85⤵PID:3104
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe86⤵PID:3156
-
\??\c:\5nttnb.exec:\5nttnb.exe87⤵PID:3176
-
\??\c:\hhnbth.exec:\hhnbth.exe88⤵PID:1372
-
\??\c:\vjjjd.exec:\vjjjd.exe89⤵PID:2384
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe90⤵PID:5004
-
\??\c:\nhhtnn.exec:\nhhtnn.exe91⤵PID:4036
-
\??\c:\ppvpv.exec:\ppvpv.exe92⤵PID:1792
-
\??\c:\1jjdp.exec:\1jjdp.exe93⤵
- System Location Discovery: System Language Discovery
PID:924 -
\??\c:\xxllffx.exec:\xxllffx.exe94⤵PID:5044
-
\??\c:\nbnhhb.exec:\nbnhhb.exe95⤵PID:3732
-
\??\c:\jjvvv.exec:\jjvvv.exe96⤵PID:532
-
\??\c:\9rrlllf.exec:\9rrlllf.exe97⤵PID:2884
-
\??\c:\lxxxrlf.exec:\lxxxrlf.exe98⤵PID:4556
-
\??\c:\bhhhbb.exec:\bhhhbb.exe99⤵PID:5056
-
\??\c:\1vdvp.exec:\1vdvp.exe100⤵PID:2072
-
\??\c:\1rxrrrl.exec:\1rxrrrl.exe101⤵PID:3064
-
\??\c:\fxrxffx.exec:\fxrxffx.exe102⤵PID:4056
-
\??\c:\bhbthh.exec:\bhbthh.exe103⤵PID:4120
-
\??\c:\dpjdv.exec:\dpjdv.exe104⤵PID:4480
-
\??\c:\7frxllr.exec:\7frxllr.exe105⤵PID:4340
-
\??\c:\lrxllfx.exec:\lrxllfx.exe106⤵PID:2864
-
\??\c:\nhnttb.exec:\nhnttb.exe107⤵PID:3680
-
\??\c:\dddjj.exec:\dddjj.exe108⤵PID:1388
-
\??\c:\llrxlfx.exec:\llrxlfx.exe109⤵PID:700
-
\??\c:\ttbtnh.exec:\ttbtnh.exe110⤵PID:4812
-
\??\c:\vjpjj.exec:\vjpjj.exe111⤵PID:716
-
\??\c:\xffxxrr.exec:\xffxxrr.exe112⤵PID:1012
-
\??\c:\htbbtt.exec:\htbbtt.exe113⤵PID:1876
-
\??\c:\7dvjv.exec:\7dvjv.exe114⤵PID:4372
-
\??\c:\pjjjd.exec:\pjjjd.exe115⤵PID:2292
-
\??\c:\rflfxxr.exec:\rflfxxr.exe116⤵PID:1048
-
\??\c:\dvppj.exec:\dvppj.exe117⤵PID:2708
-
\??\c:\pdvpd.exec:\pdvpd.exe118⤵PID:4664
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe119⤵PID:4052
-
\??\c:\hhbttb.exec:\hhbttb.exe120⤵PID:4852
-
\??\c:\1ddvv.exec:\1ddvv.exe121⤵PID:1260
-
\??\c:\lfrfffl.exec:\lfrfffl.exe122⤵PID:2868