Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 04:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe
-
Size
454KB
-
MD5
0cb6ac7063d2ee3b0575c197b2327714
-
SHA1
6bff88c1e230c4a431d339ca22bf965fac68b02a
-
SHA256
ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad
-
SHA512
4b55c3ca372cf3df300db4417bbdc14ad70c604e156e31ff476d8bb87043043ca276f0a66c49a9cdd75dfbaff6a9d2aebc54589a3d47040a4fc70b24ce72fde3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4532-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1488-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4584-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-1519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2268 hbbbbh.exe 2912 dvdjv.exe 5104 ttbbbn.exe 2120 djvvd.exe 208 ppppj.exe 232 bbbbbb.exe 3024 ppppp.exe 3116 rrxrffl.exe 1892 bnhhbh.exe 628 lrlllrl.exe 1052 nthbhb.exe 5064 dvvvv.exe 552 hhhbnn.exe 4512 5jvvp.exe 2716 nhhhtn.exe 1120 rfxrllf.exe 1916 bbhhhh.exe 3976 1vjjp.exe 2516 nhbtnt.exe 5096 rrllxfr.exe 2300 dvvpd.exe 3248 djvdp.exe 3372 bhhbbt.exe 3440 tthnht.exe 2332 vvvjj.exe 392 ppddj.exe 4212 pjpjj.exe 1340 xfrlfrr.exe 4944 bhnhbb.exe 4556 bttthb.exe 2852 djvvj.exe 1488 xxxxrxx.exe 1176 lllllll.exe 444 bnttbh.exe 1108 vvvvd.exe 4580 lrrlllf.exe 4440 nhttnt.exe 4508 djdvj.exe 5100 7ffffll.exe 3424 bnhbbb.exe 2380 pjvjp.exe 4344 fxxlrrr.exe 2220 lxrrlfx.exe 1872 ddddv.exe 3184 vppvd.exe 2928 fxlllrx.exe 1680 hnhbtb.exe 4332 jvdpp.exe 2208 rflffll.exe 3156 pvppp.exe 2764 5lllflf.exe 4744 hthhhh.exe 764 ppjdd.exe 1936 rrxfllx.exe 976 xxrxxff.exe 3516 bhhhhh.exe 5028 jvvpj.exe 2936 fffxrrl.exe 232 bbbbbb.exe 3160 bhnnnh.exe 3024 vjjjd.exe 3116 rxxxxxx.exe 464 nhhhbh.exe 1288 vpjjj.exe -
resource yara_rule behavioral2/memory/4532-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1488-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4820-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-580-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4532 wrote to memory of 2268 4532 ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe 83 PID 4532 wrote to memory of 2268 4532 ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe 83 PID 4532 wrote to memory of 2268 4532 ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe 83 PID 2268 wrote to memory of 2912 2268 hbbbbh.exe 84 PID 2268 wrote to memory of 2912 2268 hbbbbh.exe 84 PID 2268 wrote to memory of 2912 2268 hbbbbh.exe 84 PID 2912 wrote to memory of 5104 2912 dvdjv.exe 85 PID 2912 wrote to memory of 5104 2912 dvdjv.exe 85 PID 2912 wrote to memory of 5104 2912 dvdjv.exe 85 PID 5104 wrote to memory of 2120 5104 ttbbbn.exe 86 PID 5104 wrote to memory of 2120 5104 ttbbbn.exe 86 PID 5104 wrote to memory of 2120 5104 ttbbbn.exe 86 PID 2120 wrote to memory of 208 2120 djvvd.exe 87 PID 2120 wrote to memory of 208 2120 djvvd.exe 87 PID 2120 wrote to memory of 208 2120 djvvd.exe 87 PID 208 wrote to memory of 232 208 ppppj.exe 88 PID 208 wrote to memory of 232 208 ppppj.exe 88 PID 208 wrote to memory of 232 208 ppppj.exe 88 PID 232 wrote to memory of 3024 232 bbbbbb.exe 89 PID 232 wrote to memory of 3024 232 bbbbbb.exe 89 PID 232 wrote to memory of 3024 232 bbbbbb.exe 89 PID 3024 wrote to memory of 3116 3024 ppppp.exe 90 PID 3024 wrote to memory of 3116 3024 ppppp.exe 90 PID 3024 wrote to memory of 3116 3024 ppppp.exe 90 PID 3116 wrote to memory of 1892 3116 rrxrffl.exe 91 PID 3116 wrote to memory of 1892 3116 rrxrffl.exe 91 PID 3116 wrote to memory of 1892 3116 rrxrffl.exe 91 PID 1892 wrote to memory of 628 1892 bnhhbh.exe 92 PID 1892 wrote to memory of 628 1892 bnhhbh.exe 92 PID 1892 wrote to memory of 628 1892 bnhhbh.exe 92 PID 628 wrote to memory of 1052 628 lrlllrl.exe 93 PID 628 wrote to memory of 1052 628 lrlllrl.exe 93 PID 628 wrote to memory of 1052 628 lrlllrl.exe 93 PID 1052 wrote to memory of 5064 1052 nthbhb.exe 94 PID 1052 wrote to memory of 5064 1052 nthbhb.exe 94 
PID 1052 wrote to memory of 5064 1052 nthbhb.exe 94 PID 5064 wrote to memory of 552 5064 dvvvv.exe 95 PID 5064 wrote to memory of 552 5064 dvvvv.exe 95 PID 5064 wrote to memory of 552 5064 dvvvv.exe 95 PID 552 wrote to memory of 4512 552 hhhbnn.exe 96 PID 552 wrote to memory of 4512 552 hhhbnn.exe 96 PID 552 wrote to memory of 4512 552 hhhbnn.exe 96 PID 4512 wrote to memory of 2716 4512 5jvvp.exe 97 PID 4512 wrote to memory of 2716 4512 5jvvp.exe 97 PID 4512 wrote to memory of 2716 4512 5jvvp.exe 97 PID 2716 wrote to memory of 1120 2716 nhhhtn.exe 98 PID 2716 wrote to memory of 1120 2716 nhhhtn.exe 98 PID 2716 wrote to memory of 1120 2716 nhhhtn.exe 98 PID 1120 wrote to memory of 1916 1120 rfxrllf.exe 99 PID 1120 wrote to memory of 1916 1120 rfxrllf.exe 99 PID 1120 wrote to memory of 1916 1120 rfxrllf.exe 99 PID 1916 wrote to memory of 3976 1916 bbhhhh.exe 100 PID 1916 wrote to memory of 3976 1916 bbhhhh.exe 100 PID 1916 wrote to memory of 3976 1916 bbhhhh.exe 100 PID 3976 wrote to memory of 2516 3976 1vjjp.exe 101 PID 3976 wrote to memory of 2516 3976 1vjjp.exe 101 PID 3976 wrote to memory of 2516 3976 1vjjp.exe 101 PID 2516 wrote to memory of 5096 2516 nhbtnt.exe 102 PID 2516 wrote to memory of 5096 2516 nhbtnt.exe 102 PID 2516 wrote to memory of 5096 2516 nhbtnt.exe 102 PID 5096 wrote to memory of 2300 5096 rrllxfr.exe 103 PID 5096 wrote to memory of 2300 5096 rrllxfr.exe 103 PID 5096 wrote to memory of 2300 5096 rrllxfr.exe 103 PID 2300 wrote to memory of 3248 2300 dvvpd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe"C:\Users\Admin\AppData\Local\Temp\ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\hbbbbh.exec:\hbbbbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\dvdjv.exec:\dvdjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\ttbbbn.exec:\ttbbbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\djvvd.exec:\djvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\ppppj.exec:\ppppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\bbbbbb.exec:\bbbbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\ppppp.exec:\ppppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\rrxrffl.exec:\rrxrffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\bnhhbh.exec:\bnhhbh.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\lrlllrl.exec:\lrlllrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\nthbhb.exec:\nthbhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\dvvvv.exec:\dvvvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\hhhbnn.exec:\hhhbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\5jvvp.exec:\5jvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\nhhhtn.exec:\nhhhtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\rfxrllf.exec:\rfxrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\bbhhhh.exec:\bbhhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\1vjjp.exec:\1vjjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\nhbtnt.exec:\nhbtnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\rrllxfr.exec:\rrllxfr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\dvvpd.exec:\dvvpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\djvdp.exec:\djvdp.exe23⤵
- Executes dropped EXE
PID:3248 -
\??\c:\bhhbbt.exec:\bhhbbt.exe24⤵
- Executes dropped EXE
PID:3372 -
\??\c:\tthnht.exec:\tthnht.exe25⤵
- Executes dropped EXE
PID:3440 -
\??\c:\vvvjj.exec:\vvvjj.exe26⤵
- Executes dropped EXE
PID:2332 -
\??\c:\ppddj.exec:\ppddj.exe27⤵
- Executes dropped EXE
PID:392 -
\??\c:\pjpjj.exec:\pjpjj.exe28⤵
- Executes dropped EXE
PID:4212 -
\??\c:\xfrlfrr.exec:\xfrlfrr.exe29⤵
- Executes dropped EXE
PID:1340 -
\??\c:\bhnhbb.exec:\bhnhbb.exe30⤵
- Executes dropped EXE
PID:4944 -
\??\c:\bttthb.exec:\bttthb.exe31⤵
- Executes dropped EXE
PID:4556 -
\??\c:\djvvj.exec:\djvvj.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852 -
\??\c:\xxxxrxx.exec:\xxxxrxx.exe33⤵
- Executes dropped EXE
PID:1488 -
\??\c:\lllllll.exec:\lllllll.exe34⤵
- Executes dropped EXE
PID:1176 -
\??\c:\bnttbh.exec:\bnttbh.exe35⤵
- Executes dropped EXE
PID:444 -
\??\c:\vvvvd.exec:\vvvvd.exe36⤵
- Executes dropped EXE
PID:1108 -
\??\c:\lrrlllf.exec:\lrrlllf.exe37⤵
- Executes dropped EXE
PID:4580 -
\??\c:\nhttnt.exec:\nhttnt.exe38⤵
- Executes dropped EXE
PID:4440 -
\??\c:\djdvj.exec:\djdvj.exe39⤵
- Executes dropped EXE
PID:4508 -
\??\c:\7ffffll.exec:\7ffffll.exe40⤵
- Executes dropped EXE
PID:5100 -
\??\c:\bnhbbb.exec:\bnhbbb.exe41⤵
- Executes dropped EXE
PID:3424 -
\??\c:\pjvjp.exec:\pjvjp.exe42⤵
- Executes dropped EXE
PID:2380 -
\??\c:\fxxlrrr.exec:\fxxlrrr.exe43⤵
- Executes dropped EXE
PID:4344 -
\??\c:\lxrrlfx.exec:\lxrrlfx.exe44⤵
- Executes dropped EXE
PID:2220 -
\??\c:\ddddv.exec:\ddddv.exe45⤵
- Executes dropped EXE
PID:1872 -
\??\c:\vppvd.exec:\vppvd.exe46⤵
- Executes dropped EXE
PID:3184 -
\??\c:\fxlllrx.exec:\fxlllrx.exe47⤵
- Executes dropped EXE
PID:2928 -
\??\c:\hnhbtb.exec:\hnhbtb.exe48⤵
- Executes dropped EXE
PID:1680 -
\??\c:\jvdpp.exec:\jvdpp.exe49⤵
- Executes dropped EXE
PID:4332 -
\??\c:\rflffll.exec:\rflffll.exe50⤵
- Executes dropped EXE
PID:2208 -
\??\c:\bbbbtb.exec:\bbbbtb.exe51⤵PID:3212
-
\??\c:\pvppp.exec:\pvppp.exe52⤵
- Executes dropped EXE
PID:3156 -
\??\c:\5lllflf.exec:\5lllflf.exe53⤵
- Executes dropped EXE
PID:2764 -
\??\c:\hthhhh.exec:\hthhhh.exe54⤵
- Executes dropped EXE
PID:4744 -
\??\c:\ppjdd.exec:\ppjdd.exe55⤵
- Executes dropped EXE
PID:764 -
\??\c:\rrxfllx.exec:\rrxfllx.exe56⤵
- Executes dropped EXE
PID:1936 -
\??\c:\xxrxxff.exec:\xxrxxff.exe57⤵
- Executes dropped EXE
PID:976 -
\??\c:\bhhhhh.exec:\bhhhhh.exe58⤵
- Executes dropped EXE
PID:3516 -
\??\c:\jvvpj.exec:\jvvpj.exe59⤵
- Executes dropped EXE
PID:5028 -
\??\c:\fffxrrl.exec:\fffxrrl.exe60⤵
- Executes dropped EXE
PID:2936 -
\??\c:\bbbbbb.exec:\bbbbbb.exe61⤵
- Executes dropped EXE
PID:232 -
\??\c:\bhnnnh.exec:\bhnnnh.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3160 -
\??\c:\vjjjd.exec:\vjjjd.exe63⤵
- Executes dropped EXE
PID:3024 -
\??\c:\rxxxxxx.exec:\rxxxxxx.exe64⤵
- Executes dropped EXE
PID:3116 -
\??\c:\nhhhbh.exec:\nhhhbh.exe65⤵
- Executes dropped EXE
PID:464 -
\??\c:\vpjjj.exec:\vpjjj.exe66⤵
- Executes dropped EXE
PID:1288 -
\??\c:\xrrrlll.exec:\xrrrlll.exe67⤵
- System Location Discovery: System Language Discovery
PID:2720 -
\??\c:\1hhhbh.exec:\1hhhbh.exe68⤵PID:4636
-
\??\c:\vdpjv.exec:\vdpjv.exe69⤵PID:2156
-
\??\c:\1llllll.exec:\1llllll.exe70⤵PID:3480
-
\??\c:\tnnnhh.exec:\tnnnhh.exe71⤵PID:552
-
\??\c:\pddjv.exec:\pddjv.exe72⤵PID:2452
-
\??\c:\5jjjd.exec:\5jjjd.exe73⤵PID:4492
-
\??\c:\lrrllfx.exec:\lrrllfx.exe74⤵PID:4584
-
\??\c:\9nnnnb.exec:\9nnnnb.exe75⤵PID:2608
-
\??\c:\vvvpv.exec:\vvvpv.exe76⤵PID:1540
-
\??\c:\xxlrxrx.exec:\xxlrxrx.exe77⤵PID:2652
-
\??\c:\bhbttb.exec:\bhbttb.exe78⤵PID:5000
-
\??\c:\tbnntb.exec:\tbnntb.exe79⤵PID:1796
-
\??\c:\jpjjj.exec:\jpjjj.exe80⤵PID:5040
-
\??\c:\xxxlxxx.exec:\xxxlxxx.exe81⤵PID:2132
-
\??\c:\bbbbbb.exec:\bbbbbb.exe82⤵PID:3248
-
\??\c:\5httnn.exec:\5httnn.exe83⤵PID:1432
-
\??\c:\3vvdv.exec:\3vvdv.exe84⤵PID:776
-
\??\c:\lffxxxx.exec:\lffxxxx.exe85⤵PID:1748
-
\??\c:\ttnbnh.exec:\ttnbnh.exe86⤵PID:4820
-
\??\c:\pvddp.exec:\pvddp.exe87⤵PID:392
-
\??\c:\lrrlffx.exec:\lrrlffx.exe88⤵
- System Location Discovery: System Language Discovery
PID:2540 -
\??\c:\fxxxrlf.exec:\fxxxrlf.exe89⤵PID:2968
-
\??\c:\vjjvv.exec:\vjjvv.exe90⤵PID:1340
-
\??\c:\dvdvp.exec:\dvdvp.exe91⤵PID:4944
-
\??\c:\rllfxxr.exec:\rllfxxr.exe92⤵PID:4556
-
\??\c:\9nnnhn.exec:\9nnnhn.exe93⤵PID:3536
-
\??\c:\ppjpd.exec:\ppjpd.exe94⤵PID:3012
-
\??\c:\rllllll.exec:\rllllll.exe95⤵PID:1092
-
\??\c:\httnnh.exec:\httnnh.exe96⤵PID:4716
-
\??\c:\pvpjv.exec:\pvpjv.exe97⤵PID:3584
-
\??\c:\9frllfx.exec:\9frllfx.exe98⤵PID:1108
-
\??\c:\ffxrflr.exec:\ffxrflr.exe99⤵PID:924
-
\??\c:\btbhhh.exec:\btbhhh.exe100⤵PID:4540
-
\??\c:\dvpjd.exec:\dvpjd.exe101⤵PID:1608
-
\??\c:\lxfxrlx.exec:\lxfxrlx.exe102⤵PID:3428
-
\??\c:\3bhbnb.exec:\3bhbnb.exe103⤵PID:3424
-
\??\c:\tnnbtn.exec:\tnnbtn.exe104⤵PID:2380
-
\??\c:\1jdvj.exec:\1jdvj.exe105⤵
- System Location Discovery: System Language Discovery
PID:3624 -
\??\c:\fffxrfx.exec:\fffxrfx.exe106⤵PID:2220
-
\??\c:\tnntnh.exec:\tnntnh.exe107⤵PID:3216
-
\??\c:\dvdvd.exec:\dvdvd.exe108⤵PID:2372
-
\??\c:\rflfffx.exec:\rflfffx.exe109⤵PID:1172
-
\??\c:\xxflrrx.exec:\xxflrrx.exe110⤵PID:2328
-
\??\c:\thbhnh.exec:\thbhnh.exe111⤵PID:4288
-
\??\c:\vddpj.exec:\vddpj.exe112⤵PID:4296
-
\??\c:\lfllffx.exec:\lfllffx.exe113⤵PID:2024
-
\??\c:\tthbtt.exec:\tthbtt.exe114⤵PID:3924
-
\??\c:\pvppv.exec:\pvppv.exe115⤵PID:1592
-
\??\c:\rflllll.exec:\rflllll.exe116⤵PID:1216
-
\??\c:\tnbbtt.exec:\tnbbtt.exe117⤵PID:4724
-
\??\c:\ddvvp.exec:\ddvvp.exe118⤵PID:4016
-
\??\c:\rlxffrr.exec:\rlxffrr.exe119⤵PID:2304
-
\??\c:\5bnhnt.exec:\5bnhnt.exe120⤵PID:1152
-
\??\c:\vvpjd.exec:\vvpjd.exe121⤵PID:312
-
\??\c:\pvjjj.exec:\pvjjj.exe122⤵PID:212