Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 21:20
Behavioral task
behavioral1
Sample
282915e590d7031d690a385a53fe5d3fbc1b9797c43315e215010c055e565ea6N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
282915e590d7031d690a385a53fe5d3fbc1b9797c43315e215010c055e565ea6N.exe
-
Size
91KB
-
MD5
7c0169178ab535c09016221ecb93dcc0
-
SHA1
9caaaa8bd9e183e4f45f24a09b360e941cb8dde0
-
SHA256
282915e590d7031d690a385a53fe5d3fbc1b9797c43315e215010c055e565ea6
-
SHA512
bc0cbebbad1eef89d38788c27ee6d7069367239d0138ce2af5d18c03bded1825c09d76a7ddc4afe36f1cde0ea8a5a35980f65932054ad387d08b8a775447f7e4
-
SSDEEP
1536:cvQBeOGtrYS3srx93UBWfwC6Ggnouy8HglWxR9Yii9J01qCxNi2:chOmTsF93UYfwC6GIout3xR9nx02
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3336-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3340-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2220-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3452-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/844-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2996-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4180-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2380-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/944-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1640-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3868-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3552-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1080-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/644-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1188-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2832-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-394-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/448-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2092-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-480-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-503-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/964-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2884-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-554-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-570-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1224-580-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-624-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-769-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1064-977-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4552 thhttt.exe 1484 vvjpp.exe 3340 rffrfxf.exe 4496 nbhhhn.exe 2220 jddvv.exe 3656 rrxfffr.exe 3452 tthtnn.exe 4868 pdppp.exe 3472 bbhbbb.exe 1256 pppdd.exe 3628 ffflllf.exe 2476 bttnbn.exe 1628 7jpjd.exe 980 7xrffll.exe 844 bhnnht.exe 1616 tntttb.exe 4932 lflxllx.exe 3832 bthhtb.exe 5080 vpdpd.exe 2920 9dppv.exe 3060 5bhhht.exe 1348 jvjvd.exe 4072 fxxxlxx.exe 2996 hthtbh.exe 3032 pvjpv.exe 4520 5fxllll.exe 772 7hhhhb.exe 4416 pdvpp.exe 4180 pvppp.exe 2380 bbbnth.exe 4824 ddppd.exe 1124 lrxxxff.exe 3172 bttthb.exe 5092 jvjjd.exe 548 5xlxxxr.exe 944 xxxlrrr.exe 4540 3btttb.exe 1640 jpvdd.exe 1724 xxlxrff.exe 4508 ffxxxxx.exe 4804 nnhnhh.exe 448 jddvp.exe 1704 vjjvj.exe 3852 rfllllf.exe 3168 nbtbnh.exe 1384 nbhbtn.exe 4556 pdjpd.exe 2472 fxxlffx.exe 1048 tnbhhn.exe 2016 hbhbbb.exe 3868 vddpj.exe 1852 nhbbtt.exe 5028 hhhhnt.exe 4336 jvvdv.exe 3444 9frffll.exe 3552 fxlllll.exe 4076 btnbht.exe 4496 9jpdv.exe 1896 llxrrrr.exe 2576 ntnnnt.exe 5036 vjdvd.exe 3452 ttnthh.exe 1060 vpdjd.exe 1080 dvdjj.exe -
resource yara_rule behavioral2/memory/3336-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b5a-3.dat upx behavioral2/memory/3336-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4552-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c33-9.dat upx behavioral2/files/0x0008000000023c45-13.dat upx behavioral2/memory/1484-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c46-21.dat upx behavioral2/memory/3340-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c47-28.dat upx behavioral2/memory/4496-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c48-32.dat upx behavioral2/memory/2220-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c49-38.dat upx behavioral2/memory/3656-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c4a-44.dat upx behavioral2/memory/3452-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4868-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c4b-53.dat upx behavioral2/files/0x0008000000023c4c-56.dat upx behavioral2/memory/3472-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c4d-62.dat upx behavioral2/memory/3628-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c57-67.dat upx behavioral2/files/0x0007000000023c58-73.dat upx behavioral2/files/0x0007000000023c59-77.dat upx behavioral2/files/0x0007000000023c5a-82.dat upx behavioral2/files/0x0007000000023c5b-89.dat upx behavioral2/memory/844-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c5c-94.dat upx behavioral2/files/0x0007000000023c5d-100.dat upx behavioral2/memory/4932-99-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c5e-104.dat upx behavioral2/memory/5080-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c5f-110.dat upx behavioral2/memory/5080-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c37-116.dat upx behavioral2/files/0x0007000000023c60-121.dat upx behavioral2/memory/1348-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c61-128.dat upx behavioral2/files/0x0007000000023c62-132.dat upx behavioral2/memory/4072-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c63-138.dat upx behavioral2/memory/2996-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c64-145.dat upx behavioral2/files/0x0007000000023c65-149.dat upx behavioral2/memory/4520-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c66-155.dat upx behavioral2/files/0x0007000000023c67-162.dat upx behavioral2/memory/4416-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c68-167.dat upx behavioral2/memory/4180-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2380-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c69-174.dat upx behavioral2/files/0x0007000000023c6a-179.dat upx behavioral2/memory/1124-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3172-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5092-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/548-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/944-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4540-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1640-207-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1724-211-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4508-215-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1dppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3336 wrote to memory of 4552 3336 282915e590d7031d690a385a53fe5d3fbc1b9797c43315e215010c055e565ea6N.exe 83 PID 3336 wrote to memory of 4552 3336 282915e590d7031d690a385a53fe5d3fbc1b9797c43315e215010c055e565ea6N.exe 83 PID 3336 wrote to memory of 4552 3336 282915e590d7031d690a385a53fe5d3fbc1b9797c43315e215010c055e565ea6N.exe 83 PID 4552 wrote to memory of 1484 4552 thhttt.exe 84 PID 4552 wrote to memory of 1484 4552 thhttt.exe 84 PID 4552 wrote to memory of 1484 4552 thhttt.exe 84 PID 1484 wrote to memory of 3340 1484 vvjpp.exe 85 PID 1484 wrote to memory of 3340 1484 vvjpp.exe 85 PID 1484 wrote to memory of 3340 1484 vvjpp.exe 85 PID 3340 wrote to memory of 4496 3340 rffrfxf.exe 86 PID 3340 wrote to memory of 4496 3340 rffrfxf.exe 86 PID 3340 wrote to memory of 4496 3340 rffrfxf.exe 86 PID 4496 wrote to memory of 2220 4496 nbhhhn.exe 87 PID 4496 wrote to memory of 2220 4496 nbhhhn.exe 87 PID 4496 wrote to memory of 2220 4496 nbhhhn.exe 87 PID 2220 wrote to memory of 3656 2220 jddvv.exe 88 PID 2220 wrote to memory of 3656 2220 jddvv.exe 88 PID 2220 wrote to memory of 3656 2220 jddvv.exe 88 PID 3656 wrote to memory of 3452 3656 rrxfffr.exe 89 PID 3656 wrote to memory of 3452 3656 rrxfffr.exe 89 PID 3656 wrote to memory of 3452 3656 rrxfffr.exe 89 PID 3452 wrote to memory of 4868 3452 tthtnn.exe 90 PID 3452 wrote to memory of 4868 3452 tthtnn.exe 90 PID 3452 wrote to memory of 4868 3452 tthtnn.exe 90 PID 4868 wrote to memory of 3472 4868 pdppp.exe 91 PID 4868 wrote to memory of 3472 4868 pdppp.exe 91 PID 4868 wrote to memory of 3472 4868 pdppp.exe 91 PID 3472 wrote to memory of 1256 3472 bbhbbb.exe 92 PID 3472 wrote to memory of 1256 3472 bbhbbb.exe 92 PID 3472 wrote to memory of 1256 3472 bbhbbb.exe 92 PID 1256 wrote to memory of 3628 1256 pppdd.exe 93 PID 1256 wrote to memory of 3628 1256 pppdd.exe 93 PID 1256 wrote to memory of 3628 1256 pppdd.exe 93 PID 3628 wrote to memory of 2476 3628 ffflllf.exe 94 PID 3628 wrote to 
memory of 2476 3628 ffflllf.exe 94 PID 3628 wrote to memory of 2476 3628 ffflllf.exe 94 PID 2476 wrote to memory of 1628 2476 bttnbn.exe 95 PID 2476 wrote to memory of 1628 2476 bttnbn.exe 95 PID 2476 wrote to memory of 1628 2476 bttnbn.exe 95 PID 1628 wrote to memory of 980 1628 7jpjd.exe 96 PID 1628 wrote to memory of 980 1628 7jpjd.exe 96 PID 1628 wrote to memory of 980 1628 7jpjd.exe 96 PID 980 wrote to memory of 844 980 7xrffll.exe 97 PID 980 wrote to memory of 844 980 7xrffll.exe 97 PID 980 wrote to memory of 844 980 7xrffll.exe 97 PID 844 wrote to memory of 1616 844 bhnnht.exe 98 PID 844 wrote to memory of 1616 844 bhnnht.exe 98 PID 844 wrote to memory of 1616 844 bhnnht.exe 98 PID 1616 wrote to memory of 4932 1616 tntttb.exe 99 PID 1616 wrote to memory of 4932 1616 tntttb.exe 99 PID 1616 wrote to memory of 4932 1616 tntttb.exe 99 PID 4932 wrote to memory of 3832 4932 lflxllx.exe 100 PID 4932 wrote to memory of 3832 4932 lflxllx.exe 100 PID 4932 wrote to memory of 3832 4932 lflxllx.exe 100 PID 3832 wrote to memory of 5080 3832 bthhtb.exe 101 PID 3832 wrote to memory of 5080 3832 bthhtb.exe 101 PID 3832 wrote to memory of 5080 3832 bthhtb.exe 101 PID 5080 wrote to memory of 2920 5080 vpdpd.exe 102 PID 5080 wrote to memory of 2920 5080 vpdpd.exe 102 PID 5080 wrote to memory of 2920 5080 vpdpd.exe 102 PID 2920 wrote to memory of 3060 2920 9dppv.exe 103 PID 2920 wrote to memory of 3060 2920 9dppv.exe 103 PID 2920 wrote to memory of 3060 2920 9dppv.exe 103 PID 3060 wrote to memory of 1348 3060 5bhhht.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\282915e590d7031d690a385a53fe5d3fbc1b9797c43315e215010c055e565ea6N.exe"C:\Users\Admin\AppData\Local\Temp\282915e590d7031d690a385a53fe5d3fbc1b9797c43315e215010c055e565ea6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\thhttt.exec:\thhttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\vvjpp.exec:\vvjpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\rffrfxf.exec:\rffrfxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\nbhhhn.exec:\nbhhhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\jddvv.exec:\jddvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\rrxfffr.exec:\rrxfffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\tthtnn.exec:\tthtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\pdppp.exec:\pdppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\bbhbbb.exec:\bbhbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\pppdd.exec:\pppdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\ffflllf.exec:\ffflllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\bttnbn.exec:\bttnbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\7jpjd.exec:\7jpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\7xrffll.exec:\7xrffll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\bhnnht.exec:\bhnnht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\tntttb.exec:\tntttb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\lflxllx.exec:\lflxllx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\bthhtb.exec:\bthhtb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\vpdpd.exec:\vpdpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\9dppv.exec:\9dppv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\5bhhht.exec:\5bhhht.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\jvjvd.exec:\jvjvd.exe23⤵
- Executes dropped EXE
PID:1348 -
\??\c:\fxxxlxx.exec:\fxxxlxx.exe24⤵
- Executes dropped EXE
PID:4072 -
\??\c:\hthtbh.exec:\hthtbh.exe25⤵
- Executes dropped EXE
PID:2996 -
\??\c:\pvjpv.exec:\pvjpv.exe26⤵
- Executes dropped EXE
PID:3032 -
\??\c:\5fxllll.exec:\5fxllll.exe27⤵
- Executes dropped EXE
PID:4520 -
\??\c:\7hhhhb.exec:\7hhhhb.exe28⤵
- Executes dropped EXE
PID:772 -
\??\c:\pdvpp.exec:\pdvpp.exe29⤵
- Executes dropped EXE
PID:4416 -
\??\c:\pvppp.exec:\pvppp.exe30⤵
- Executes dropped EXE
PID:4180 -
\??\c:\bbbnth.exec:\bbbnth.exe31⤵
- Executes dropped EXE
PID:2380 -
\??\c:\ddppd.exec:\ddppd.exe32⤵
- Executes dropped EXE
PID:4824 -
\??\c:\lrxxxff.exec:\lrxxxff.exe33⤵
- Executes dropped EXE
PID:1124 -
\??\c:\bttthb.exec:\bttthb.exe34⤵
- Executes dropped EXE
PID:3172 -
\??\c:\jvjjd.exec:\jvjjd.exe35⤵
- Executes dropped EXE
PID:5092 -
\??\c:\5xlxxxr.exec:\5xlxxxr.exe36⤵
- Executes dropped EXE
PID:548 -
\??\c:\xxxlrrr.exec:\xxxlrrr.exe37⤵
- Executes dropped EXE
PID:944 -
\??\c:\3btttb.exec:\3btttb.exe38⤵
- Executes dropped EXE
PID:4540 -
\??\c:\jpvdd.exec:\jpvdd.exe39⤵
- Executes dropped EXE
PID:1640 -
\??\c:\xxlxrff.exec:\xxlxrff.exe40⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe41⤵
- Executes dropped EXE
PID:4508 -
\??\c:\nnhnhh.exec:\nnhnhh.exe42⤵
- Executes dropped EXE
PID:4804 -
\??\c:\jddvp.exec:\jddvp.exe43⤵
- Executes dropped EXE
PID:448 -
\??\c:\vjjvj.exec:\vjjvj.exe44⤵
- Executes dropped EXE
PID:1704 -
\??\c:\rfllllf.exec:\rfllllf.exe45⤵
- Executes dropped EXE
PID:3852 -
\??\c:\nbtbnh.exec:\nbtbnh.exe46⤵
- Executes dropped EXE
PID:3168 -
\??\c:\nbhbtn.exec:\nbhbtn.exe47⤵
- Executes dropped EXE
PID:1384 -
\??\c:\pdjpd.exec:\pdjpd.exe48⤵
- Executes dropped EXE
PID:4556 -
\??\c:\fxxlffx.exec:\fxxlffx.exe49⤵
- Executes dropped EXE
PID:2472 -
\??\c:\tnbhhn.exec:\tnbhhn.exe50⤵
- Executes dropped EXE
PID:1048 -
\??\c:\hbhbbb.exec:\hbhbbb.exe51⤵
- Executes dropped EXE
PID:2016 -
\??\c:\vddpj.exec:\vddpj.exe52⤵
- Executes dropped EXE
PID:3868 -
\??\c:\nhbbtt.exec:\nhbbtt.exe53⤵
- Executes dropped EXE
PID:1852 -
\??\c:\hhhhnt.exec:\hhhhnt.exe54⤵
- Executes dropped EXE
PID:5028 -
\??\c:\jvvdv.exec:\jvvdv.exe55⤵
- Executes dropped EXE
PID:4336 -
\??\c:\9frffll.exec:\9frffll.exe56⤵
- Executes dropped EXE
PID:3444 -
\??\c:\fxlllll.exec:\fxlllll.exe57⤵
- Executes dropped EXE
PID:3552 -
\??\c:\btnbht.exec:\btnbht.exe58⤵
- Executes dropped EXE
PID:4076 -
\??\c:\9jpdv.exec:\9jpdv.exe59⤵
- Executes dropped EXE
PID:4496 -
\??\c:\llxrrrr.exec:\llxrrrr.exe60⤵
- Executes dropped EXE
PID:1896 -
\??\c:\ntnnnt.exec:\ntnnnt.exe61⤵
- Executes dropped EXE
PID:2576 -
\??\c:\vjdvd.exec:\vjdvd.exe62⤵
- Executes dropped EXE
PID:5036 -
\??\c:\ttnthh.exec:\ttnthh.exe63⤵
- Executes dropped EXE
PID:3452 -
\??\c:\vpdjd.exec:\vpdjd.exe64⤵
- Executes dropped EXE
PID:1060 -
\??\c:\dvdjj.exec:\dvdjj.exe65⤵
- Executes dropped EXE
PID:1080 -
\??\c:\fxffflx.exec:\fxffflx.exe66⤵PID:3424
-
\??\c:\7rxffll.exec:\7rxffll.exe67⤵PID:3700
-
\??\c:\nbnnnb.exec:\nbnnnb.exe68⤵PID:644
-
\??\c:\vdppp.exec:\vdppp.exe69⤵PID:1188
-
\??\c:\pjjjj.exec:\pjjjj.exe70⤵PID:4560
-
\??\c:\lrllrrr.exec:\lrllrrr.exe71⤵PID:2396
-
\??\c:\7lrllrr.exec:\7lrllrr.exe72⤵PID:980
-
\??\c:\nnhttb.exec:\nnhttb.exe73⤵PID:1468
-
\??\c:\jdvpv.exec:\jdvpv.exe74⤵PID:2832
-
\??\c:\lllffff.exec:\lllffff.exe75⤵PID:1616
-
\??\c:\xlrrlrx.exec:\xlrrlrx.exe76⤵PID:2628
-
\??\c:\ttbhbn.exec:\ttbhbn.exe77⤵PID:1660
-
\??\c:\ppjjp.exec:\ppjjp.exe78⤵PID:456
-
\??\c:\xrrlrrl.exec:\xrrlrrl.exe79⤵PID:8
-
\??\c:\3rfrrxr.exec:\3rfrrxr.exe80⤵PID:640
-
\??\c:\5thhnn.exec:\5thhnn.exe81⤵PID:1220
-
\??\c:\hhnbtn.exec:\hhnbtn.exe82⤵PID:4812
-
\??\c:\ppvvp.exec:\ppvvp.exe83⤵PID:3060
-
\??\c:\jjppv.exec:\jjppv.exe84⤵PID:3904
-
\??\c:\lrfxrrr.exec:\lrfxrrr.exe85⤵PID:2456
-
\??\c:\bhtbbb.exec:\bhtbbb.exe86⤵PID:4896
-
\??\c:\ttbhnb.exec:\ttbhnb.exe87⤵PID:5100
-
\??\c:\3vpdd.exec:\3vpdd.exe88⤵PID:2728
-
\??\c:\pjpjd.exec:\pjpjd.exe89⤵
- System Location Discovery: System Language Discovery
PID:2988 -
\??\c:\3frrrxx.exec:\3frrrxx.exe90⤵PID:3920
-
\??\c:\bbbhbb.exec:\bbbhbb.exe91⤵PID:1228
-
\??\c:\vdvpj.exec:\vdvpj.exe92⤵PID:4972
-
\??\c:\3llflfl.exec:\3llflfl.exe93⤵PID:3660
-
\??\c:\fffxlfr.exec:\fffxlfr.exe94⤵PID:4776
-
\??\c:\bttttn.exec:\bttttn.exe95⤵PID:4624
-
\??\c:\vjvpj.exec:\vjvpj.exe96⤵PID:4824
-
\??\c:\3xxrlff.exec:\3xxrlff.exe97⤵PID:3616
-
\??\c:\frlrrxf.exec:\frlrrxf.exe98⤵PID:3164
-
\??\c:\9tbbtt.exec:\9tbbtt.exe99⤵PID:2976
-
\??\c:\hnbbtt.exec:\hnbbtt.exe100⤵PID:4952
-
\??\c:\ddpdv.exec:\ddpdv.exe101⤵PID:4740
-
\??\c:\jpvvv.exec:\jpvvv.exe102⤵PID:3576
-
\??\c:\rlrxxff.exec:\rlrxxff.exe103⤵PID:2092
-
\??\c:\nntbtt.exec:\nntbtt.exe104⤵PID:4808
-
\??\c:\vpddv.exec:\vpddv.exe105⤵PID:4392
-
\??\c:\llflllf.exec:\llflllf.exe106⤵PID:4940
-
\??\c:\btbnbh.exec:\btbnbh.exe107⤵PID:3488
-
\??\c:\bnhhbh.exec:\bnhhbh.exe108⤵PID:448
-
\??\c:\vvjjv.exec:\vvjjv.exe109⤵PID:1704
-
\??\c:\vjjjd.exec:\vjjjd.exe110⤵PID:3492
-
\??\c:\lxfrlfx.exec:\lxfrlfx.exe111⤵PID:3168
-
\??\c:\bbbtbh.exec:\bbbtbh.exe112⤵PID:228
-
\??\c:\ththth.exec:\ththth.exe113⤵PID:3080
-
\??\c:\jjdpp.exec:\jjdpp.exe114⤵PID:2472
-
\??\c:\rfrlrrf.exec:\rfrlrrf.exe115⤵PID:4604
-
\??\c:\nhhhnn.exec:\nhhhnn.exe116⤵PID:4308
-
\??\c:\pvvdp.exec:\pvvdp.exe117⤵PID:628
-
\??\c:\jpvdd.exec:\jpvdd.exe118⤵PID:1852
-
\??\c:\lrrllll.exec:\lrrllll.exe119⤵PID:2252
-
\??\c:\btbbbh.exec:\btbbbh.exe120⤵PID:2980
-
\??\c:\vdpjd.exec:\vdpjd.exe121⤵PID:3900
-
\??\c:\rrfxxrr.exec:\rrfxxrr.exe122⤵PID:3448