Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 06:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe
-
Size
453KB
-
MD5
d39bb7af27f102defd19429d31a5fa5c
-
SHA1
b2f1643aff977d2f033b7abbdda630dbb6e99b3f
-
SHA256
3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319
-
SHA512
d1a6cc077666f1586b5193d6ae3d66c68830b90142b04cce8a2b82d2f64b62bab7225a886038f899251ee4a5af6865641cd8c707cc08fb74f21fa505d24dd391
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures (the IoC evidence below is tagged behavioral2, presumably the Windows 10 run described in the Analysis header; the behavioral1 Windows 7 task listed above is a separate run whose results are not shown here)
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs — every hit is the same 0x00400000–0x0042A000 image region in a different child PID, consistent with each dropped executable being another copy of the same packed payload (the UPX rule below matches the same regions)
resource yara_rule behavioral2/memory/3716-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1676-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3652-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-1088-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2844-1251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — note that PIDs are recycled within the run (e.g. 1904 appears for both 7vdvv.exe and lrxrllf.exe), so a PID alone is not a stable key when correlating these entries with the memory dumps above; the droppped files are written to the drive root with short pseudo-random names (see the process tree below), which is itself a useful hunting indicator
pid Process 4136 tnnhhb.exe 3776 jvjpv.exe 2224 ffrrlll.exe 5060 tntnbb.exe 1880 hhhhbb.exe 1904 7vdvv.exe 1504 9rxrxxl.exe 3212 thhnnn.exe 4316 vjjjj.exe 3476 fffxxfx.exe 2040 ttnthh.exe 4612 xfxrlfx.exe 372 hbnttt.exe 4164 thnbtt.exe 1616 5vdvd.exe 2280 hhttth.exe 4204 nthttn.exe 2940 vvppj.exe 1500 pvvjv.exe 4592 fffrrrr.exe 1452 dvddj.exe 3084 rlxxfff.exe 1516 nbhbtb.exe 1676 7rlllrr.exe 3900 rrrllll.exe 3208 pjdvp.exe 4776 lffxxxl.exe 2364 5vvvp.exe 4340 rxrlffr.exe 3824 jvdvv.exe 1320 ffxrlll.exe 1760 bnnnhh.exe 2152 lfrlxrr.exe 2368 vpvpd.exe 1396 rffxrxr.exe 4624 tnnhnh.exe 4660 vdvjj.exe 1300 rxlxllf.exe 1660 hbbtnn.exe 2840 vdvdj.exe 4608 jvjdv.exe 1892 1flffrf.exe 4656 bbbtnt.exe 2868 fxfxxrx.exe 3636 rfrlrrx.exe 4496 9bbbtb.exe 3672 1jjdd.exe 4868 fxrlfxr.exe 1848 bbhbhh.exe 2704 3hnbhh.exe 1484 jddvv.exe 4544 frfxlfx.exe 2108 1nbhbb.exe 856 pvvpd.exe 2620 fxxxrrl.exe 1700 fxfxrrl.exe 2636 5tbtnn.exe 3004 dddvv.exe 904 1rrlllf.exe 1904 lrxrllf.exe 1808 tbnbhb.exe 3504 vjvjv.exe 2184 rlxxllf.exe 4848 3lxxffl.exe -
resource yara_rule behavioral2/memory/3716-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3084-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1312-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-645-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
nntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbbtb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each entry records a parent writing into the child it has just spawned (the same parent→child pairs as the process tree below, three entries per child); this is consistent with ordinary process creation and by itself does not show injection into an unrelated process
description pid Process procid_target PID 3716 wrote to memory of 4136 3716 3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe 84 PID 3716 wrote to memory of 4136 3716 3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe 84 PID 3716 wrote to memory of 4136 3716 3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe 84 PID 4136 wrote to memory of 3776 4136 tnnhhb.exe 85 PID 4136 wrote to memory of 3776 4136 tnnhhb.exe 85 PID 4136 wrote to memory of 3776 4136 tnnhhb.exe 85 PID 3776 wrote to memory of 2224 3776 jvjpv.exe 86 PID 3776 wrote to memory of 2224 3776 jvjpv.exe 86 PID 3776 wrote to memory of 2224 3776 jvjpv.exe 86 PID 2224 wrote to memory of 5060 2224 ffrrlll.exe 87 PID 2224 wrote to memory of 5060 2224 ffrrlll.exe 87 PID 2224 wrote to memory of 5060 2224 ffrrlll.exe 87 PID 5060 wrote to memory of 1880 5060 tntnbb.exe 88 PID 5060 wrote to memory of 1880 5060 tntnbb.exe 88 PID 5060 wrote to memory of 1880 5060 tntnbb.exe 88 PID 1880 wrote to memory of 1904 1880 hhhhbb.exe 89 PID 1880 wrote to memory of 1904 1880 hhhhbb.exe 89 PID 1880 wrote to memory of 1904 1880 hhhhbb.exe 89 PID 1904 wrote to memory of 1504 1904 7vdvv.exe 90 PID 1904 wrote to memory of 1504 1904 7vdvv.exe 90 PID 1904 wrote to memory of 1504 1904 7vdvv.exe 90 PID 1504 wrote to memory of 3212 1504 9rxrxxl.exe 91 PID 1504 wrote to memory of 3212 1504 9rxrxxl.exe 91 PID 1504 wrote to memory of 3212 1504 9rxrxxl.exe 91 PID 3212 wrote to memory of 4316 3212 thhnnn.exe 92 PID 3212 wrote to memory of 4316 3212 thhnnn.exe 92 PID 3212 wrote to memory of 4316 3212 thhnnn.exe 92 PID 4316 wrote to memory of 3476 4316 vjjjj.exe 93 PID 4316 wrote to memory of 3476 4316 vjjjj.exe 93 PID 4316 wrote to memory of 3476 4316 vjjjj.exe 93 PID 3476 wrote to memory of 2040 3476 fffxxfx.exe 94 PID 3476 wrote to memory of 2040 3476 fffxxfx.exe 94 PID 3476 wrote to memory of 2040 3476 fffxxfx.exe 94 PID 2040 wrote to memory of 4612 2040 ttnthh.exe 95 PID 2040 wrote to 
memory of 4612 2040 ttnthh.exe 95 PID 2040 wrote to memory of 4612 2040 ttnthh.exe 95 PID 4612 wrote to memory of 372 4612 xfxrlfx.exe 96 PID 4612 wrote to memory of 372 4612 xfxrlfx.exe 96 PID 4612 wrote to memory of 372 4612 xfxrlfx.exe 96 PID 372 wrote to memory of 4164 372 hbnttt.exe 97 PID 372 wrote to memory of 4164 372 hbnttt.exe 97 PID 372 wrote to memory of 4164 372 hbnttt.exe 97 PID 4164 wrote to memory of 1616 4164 thnbtt.exe 98 PID 4164 wrote to memory of 1616 4164 thnbtt.exe 98 PID 4164 wrote to memory of 1616 4164 thnbtt.exe 98 PID 1616 wrote to memory of 2280 1616 5vdvd.exe 99 PID 1616 wrote to memory of 2280 1616 5vdvd.exe 99 PID 1616 wrote to memory of 2280 1616 5vdvd.exe 99 PID 2280 wrote to memory of 4204 2280 hhttth.exe 100 PID 2280 wrote to memory of 4204 2280 hhttth.exe 100 PID 2280 wrote to memory of 4204 2280 hhttth.exe 100 PID 4204 wrote to memory of 2940 4204 nthttn.exe 101 PID 4204 wrote to memory of 2940 4204 nthttn.exe 101 PID 4204 wrote to memory of 2940 4204 nthttn.exe 101 PID 2940 wrote to memory of 1500 2940 vvppj.exe 102 PID 2940 wrote to memory of 1500 2940 vvppj.exe 102 PID 2940 wrote to memory of 1500 2940 vvppj.exe 102 PID 1500 wrote to memory of 4592 1500 pvvjv.exe 103 PID 1500 wrote to memory of 4592 1500 pvvjv.exe 103 PID 1500 wrote to memory of 4592 1500 pvvjv.exe 103 PID 4592 wrote to memory of 1452 4592 fffrrrr.exe 104 PID 4592 wrote to memory of 1452 4592 fffrrrr.exe 104 PID 4592 wrote to memory of 1452 4592 fffrrrr.exe 104 PID 1452 wrote to memory of 3084 1452 dvddj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe"C:\Users\Admin\AppData\Local\Temp\3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\tnnhhb.exec:\tnnhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\jvjpv.exec:\jvjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\ffrrlll.exec:\ffrrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\tntnbb.exec:\tntnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\hhhhbb.exec:\hhhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\7vdvv.exec:\7vdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\9rxrxxl.exec:\9rxrxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\thhnnn.exec:\thhnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\vjjjj.exec:\vjjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\fffxxfx.exec:\fffxxfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\ttnthh.exec:\ttnthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\hbnttt.exec:\hbnttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\thnbtt.exec:\thnbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\5vdvd.exec:\5vdvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\hhttth.exec:\hhttth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\nthttn.exec:\nthttn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\vvppj.exec:\vvppj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\pvvjv.exec:\pvvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\fffrrrr.exec:\fffrrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\dvddj.exec:\dvddj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\rlxxfff.exec:\rlxxfff.exe23⤵
- Executes dropped EXE
PID:3084 -
\??\c:\nbhbtb.exec:\nbhbtb.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516 -
\??\c:\7rlllrr.exec:\7rlllrr.exe25⤵
- Executes dropped EXE
PID:1676 -
\??\c:\rrrllll.exec:\rrrllll.exe26⤵
- Executes dropped EXE
PID:3900 -
\??\c:\pjdvp.exec:\pjdvp.exe27⤵
- Executes dropped EXE
PID:3208 -
\??\c:\lffxxxl.exec:\lffxxxl.exe28⤵
- Executes dropped EXE
PID:4776 -
\??\c:\5vvvp.exec:\5vvvp.exe29⤵
- Executes dropped EXE
PID:2364 -
\??\c:\rxrlffr.exec:\rxrlffr.exe30⤵
- Executes dropped EXE
PID:4340 -
\??\c:\jvdvv.exec:\jvdvv.exe31⤵
- Executes dropped EXE
PID:3824 -
\??\c:\ffxrlll.exec:\ffxrlll.exe32⤵
- Executes dropped EXE
PID:1320 -
\??\c:\bnnnhh.exec:\bnnnhh.exe33⤵
- Executes dropped EXE
PID:1760 -
\??\c:\lfrlxrr.exec:\lfrlxrr.exe34⤵
- Executes dropped EXE
PID:2152 -
\??\c:\vpvpd.exec:\vpvpd.exe35⤵
- Executes dropped EXE
PID:2368 -
\??\c:\rffxrxr.exec:\rffxrxr.exe36⤵
- Executes dropped EXE
PID:1396 -
\??\c:\tnnhnh.exec:\tnnhnh.exe37⤵
- Executes dropped EXE
PID:4624 -
\??\c:\vdvjj.exec:\vdvjj.exe38⤵
- Executes dropped EXE
PID:4660 -
\??\c:\rxlxllf.exec:\rxlxllf.exe39⤵
- Executes dropped EXE
PID:1300 -
\??\c:\hbbtnn.exec:\hbbtnn.exe40⤵
- Executes dropped EXE
PID:1660 -
\??\c:\vdvdj.exec:\vdvdj.exe41⤵
- Executes dropped EXE
PID:2840 -
\??\c:\jvjdv.exec:\jvjdv.exe42⤵
- Executes dropped EXE
PID:4608 -
\??\c:\1flffrf.exec:\1flffrf.exe43⤵
- Executes dropped EXE
PID:1892 -
\??\c:\bbbtnt.exec:\bbbtnt.exe44⤵
- Executes dropped EXE
PID:4656 -
\??\c:\fxfxxrx.exec:\fxfxxrx.exe45⤵
- Executes dropped EXE
PID:2868 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe46⤵
- Executes dropped EXE
PID:3636 -
\??\c:\9bbbtb.exec:\9bbbtb.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4496 -
\??\c:\1jjdd.exec:\1jjdd.exe48⤵
- Executes dropped EXE
PID:3672 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe49⤵
- Executes dropped EXE
PID:4868 -
\??\c:\bbhbhh.exec:\bbhbhh.exe50⤵
- Executes dropped EXE
PID:1848 -
\??\c:\3hnbhh.exec:\3hnbhh.exe51⤵
- Executes dropped EXE
PID:2704 -
\??\c:\jddvv.exec:\jddvv.exe52⤵
- Executes dropped EXE
PID:1484 -
\??\c:\frfxlfx.exec:\frfxlfx.exe53⤵
- Executes dropped EXE
PID:4544 -
\??\c:\1nbhbb.exec:\1nbhbb.exe54⤵
- Executes dropped EXE
PID:2108 -
\??\c:\pvvpd.exec:\pvvpd.exe55⤵
- Executes dropped EXE
PID:856 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe56⤵
- Executes dropped EXE
PID:2620 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe57⤵
- Executes dropped EXE
PID:1700 -
\??\c:\5tbtnn.exec:\5tbtnn.exe58⤵
- Executes dropped EXE
PID:2636 -
\??\c:\dddvv.exec:\dddvv.exe59⤵
- Executes dropped EXE
PID:3004 -
\??\c:\1rrlllf.exec:\1rrlllf.exe60⤵
- Executes dropped EXE
PID:904 -
\??\c:\lrxrllf.exec:\lrxrllf.exe61⤵
- Executes dropped EXE
PID:1904 -
\??\c:\tbnbhb.exec:\tbnbhb.exe62⤵
- Executes dropped EXE
PID:1808 -
\??\c:\vjvjv.exec:\vjvjv.exe63⤵
- Executes dropped EXE
PID:3504 -
\??\c:\rlxxllf.exec:\rlxxllf.exe64⤵
- Executes dropped EXE
PID:2184 -
\??\c:\3lxxffl.exec:\3lxxffl.exe65⤵
- Executes dropped EXE
PID:4848 -
\??\c:\bttnnn.exec:\bttnnn.exe66⤵PID:944
-
\??\c:\7pddv.exec:\7pddv.exe67⤵PID:1064
-
\??\c:\pvvdd.exec:\pvvdd.exe68⤵PID:1780
-
\??\c:\xffflxr.exec:\xffflxr.exe69⤵PID:4032
-
\??\c:\3ttttt.exec:\3ttttt.exe70⤵PID:980
-
\??\c:\3ppjd.exec:\3ppjd.exe71⤵PID:4744
-
\??\c:\3ppjj.exec:\3ppjj.exe72⤵PID:3556
-
\??\c:\xxrllll.exec:\xxrllll.exe73⤵PID:3652
-
\??\c:\hbbtbb.exec:\hbbtbb.exe74⤵PID:1616
-
\??\c:\3dvjd.exec:\3dvjd.exe75⤵PID:2936
-
\??\c:\xlrllll.exec:\xlrllll.exe76⤵PID:3784
-
\??\c:\tnnbhn.exec:\tnnbhn.exe77⤵PID:4948
-
\??\c:\pppvd.exec:\pppvd.exe78⤵PID:1460
-
\??\c:\vvpvp.exec:\vvpvp.exe79⤵PID:1664
-
\??\c:\rfrrxff.exec:\rfrrxff.exe80⤵PID:412
-
\??\c:\hbntbb.exec:\hbntbb.exe81⤵PID:4592
-
\??\c:\pdvpj.exec:\pdvpj.exe82⤵PID:3388
-
\??\c:\5pvjp.exec:\5pvjp.exe83⤵PID:1312
-
\??\c:\rffxrrl.exec:\rffxrrl.exe84⤵PID:2552
-
\??\c:\bthhnh.exec:\bthhnh.exe85⤵PID:4332
-
\??\c:\dpddp.exec:\dpddp.exe86⤵PID:3404
-
\??\c:\jpjdv.exec:\jpjdv.exe87⤵PID:3984
-
\??\c:\flxrllf.exec:\flxrllf.exe88⤵PID:4968
-
\??\c:\1nhbtt.exec:\1nhbtt.exe89⤵PID:4652
-
\??\c:\3vddj.exec:\3vddj.exe90⤵PID:4396
-
\??\c:\ddjpp.exec:\ddjpp.exe91⤵PID:2856
-
\??\c:\9xffxfx.exec:\9xffxfx.exe92⤵PID:1584
-
\??\c:\nnhtnh.exec:\nnhtnh.exe93⤵PID:3532
-
\??\c:\vvvdv.exec:\vvvdv.exe94⤵PID:4340
-
\??\c:\xxlrrfr.exec:\xxlrrfr.exe95⤵PID:3824
-
\??\c:\hhbnhh.exec:\hhbnhh.exe96⤵PID:2876
-
\??\c:\vpvpv.exec:\vpvpv.exe97⤵PID:4212
-
\??\c:\ffxrlll.exec:\ffxrlll.exe98⤵PID:4588
-
\??\c:\1lrrlrr.exec:\1lrrlrr.exe99⤵PID:1304
-
\??\c:\hntnhb.exec:\hntnhb.exe100⤵PID:2684
-
\??\c:\jdppp.exec:\jdppp.exe101⤵PID:1984
-
\??\c:\3xlfrlx.exec:\3xlfrlx.exe102⤵PID:3468
-
\??\c:\hbhhbn.exec:\hbhhbn.exe103⤵PID:1424
-
\??\c:\pvjjj.exec:\pvjjj.exe104⤵PID:2096
-
\??\c:\5flxrrx.exec:\5flxrrx.exe105⤵PID:2236
-
\??\c:\xfxllrl.exec:\xfxllrl.exe106⤵PID:2788
-
\??\c:\9bhbtb.exec:\9bhbtb.exe107⤵PID:692
-
\??\c:\dvdjp.exec:\dvdjp.exe108⤵PID:3076
-
\??\c:\flflfxl.exec:\flflfxl.exe109⤵PID:5080
-
\??\c:\9hbnhn.exec:\9hbnhn.exe110⤵PID:4936
-
\??\c:\vjpdv.exec:\vjpdv.exe111⤵PID:4084
-
\??\c:\3xfxlll.exec:\3xfxlll.exe112⤵PID:5044
-
\??\c:\rlllrrf.exec:\rlllrrf.exe113⤵PID:4868
-
\??\c:\3hbhnh.exec:\3hbhnh.exe114⤵PID:4740
-
\??\c:\vppvp.exec:\vppvp.exe115⤵PID:3596
-
\??\c:\7llrrrl.exec:\7llrrrl.exe116⤵PID:936
-
\??\c:\5bbnhb.exec:\5bbnhb.exe117⤵PID:1976
-
\??\c:\7vdvj.exec:\7vdvj.exe118⤵PID:2424
-
\??\c:\frxlfxr.exec:\frxlfxr.exe119⤵
- System Location Discovery: System Language Discovery
PID:5060 -
\??\c:\ntbbtt.exec:\ntbbtt.exe120⤵PID:1184
-
\??\c:\dvjdv.exec:\dvjdv.exe121⤵PID:2532
-
\??\c:\9ddjd.exec:\9ddjd.exe122⤵PID:2832