Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 00:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
53c1ce720fd1063a019575474f8668cb5ca70524374437dc8611cb360a2f79e3N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
53c1ce720fd1063a019575474f8668cb5ca70524374437dc8611cb360a2f79e3N.exe
-
Size
454KB
-
MD5
7a912f215898b4563e5c31abd6104900
-
SHA1
9c7f3a944de31a9e981424053c2a2fff2f11b168
-
SHA256
53c1ce720fd1063a019575474f8668cb5ca70524374437dc8611cb360a2f79e3
-
SHA512
8636322cec27a3ca8c2282fa02c0b070c5e3a0ab4857c4a70226ce554871744994e2a204ce8331224e0d481a7366db688a8b3e236d55532d6fb4f4ff31376efd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbemj:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1392-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2660-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2460-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/232-1081-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1216 ttbnhh.exe 4436 ffrrxfl.exe 2500 nbbtnn.exe 4164 lxxrrxf.exe 1560 5jjjj.exe 1832 ffxxrrr.exe 4856 9thbnh.exe 3508 llxrrfl.exe 1020 jdpjv.exe 1736 1pdvp.exe 740 llrxxff.exe 3100 bhhhhn.exe 844 bbhhnn.exe 948 jdddj.exe 100 thnntt.exe 3992 dpvjj.exe 2020 hbbtbb.exe 2460 pvvjd.exe 3480 bnnnnt.exe 2120 dvvvd.exe 112 dvpdd.exe 4052 vppjv.exe 3740 3nnhhn.exe 932 jdppv.exe 2232 nnnnbh.exe 2004 ffrrxxf.exe 4032 djjjj.exe 1088 bhnnnb.exe 4000 ppvvv.exe 2248 3thhhb.exe 1436 lxrffrr.exe 2660 vjddv.exe 964 bhtnnn.exe 1964 7dvvp.exe 3532 fflfllf.exe 3076 5nnbnn.exe 4352 dpddv.exe 4848 tbntbb.exe 3540 7nntht.exe 2452 vpppp.exe 1128 7nntnt.exe 5032 btbbhn.exe 3236 lfrxfrx.exe 5020 bntbht.exe 3128 jvpdp.exe 2576 3llfxfx.exe 4832 nhnhhh.exe 4920 bthhhn.exe 4284 jvddp.exe 4296 1bnntb.exe 4820 dddvv.exe 5072 frxxrrr.exe 1768 bhbbbt.exe 1136 1jdjj.exe 3608 frffrxf.exe 4944 xfrrrxx.exe 4408 5nnnth.exe 1420 vjvvp.exe 3704 rrxxxll.exe 4516 hnbbnn.exe 3504 vvvvd.exe 3508 jdvdv.exe 5008 nnttbh.exe 4020 3jpvv.exe -
resource yara_rule behavioral2/memory/1392-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-190-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3076-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3152-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-659-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tththh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1392 wrote to memory of 1216 1392 53c1ce720fd1063a019575474f8668cb5ca70524374437dc8611cb360a2f79e3N.exe 85 PID 1392 wrote to memory of 1216 1392 53c1ce720fd1063a019575474f8668cb5ca70524374437dc8611cb360a2f79e3N.exe 85 PID 1392 wrote to memory of 1216 1392 53c1ce720fd1063a019575474f8668cb5ca70524374437dc8611cb360a2f79e3N.exe 85 PID 1216 wrote to memory of 4436 1216 ttbnhh.exe 86 PID 1216 wrote to memory of 4436 1216 ttbnhh.exe 86 PID 1216 wrote to memory of 4436 1216 ttbnhh.exe 86 PID 4436 wrote to memory of 2500 4436 ffrrxfl.exe 87 PID 4436 wrote to memory of 2500 4436 ffrrxfl.exe 87 PID 4436 wrote to memory of 2500 4436 ffrrxfl.exe 87 PID 2500 wrote to memory of 4164 2500 nbbtnn.exe 88 PID 2500 wrote to memory of 4164 2500 nbbtnn.exe 88 PID 2500 wrote to memory of 4164 2500 nbbtnn.exe 88 PID 4164 wrote to memory of 1560 4164 lxxrrxf.exe 89 PID 4164 wrote to memory of 1560 4164 lxxrrxf.exe 89 PID 4164 wrote to memory of 1560 4164 lxxrrxf.exe 89 PID 1560 wrote to memory of 1832 1560 5jjjj.exe 90 PID 1560 wrote to memory of 1832 1560 5jjjj.exe 90 PID 1560 wrote to memory of 1832 1560 5jjjj.exe 90 PID 1832 wrote to memory of 4856 1832 ffxxrrr.exe 91 PID 1832 wrote to memory of 4856 1832 ffxxrrr.exe 91 PID 1832 wrote to memory of 4856 1832 ffxxrrr.exe 91 PID 4856 wrote to memory of 3508 4856 9thbnh.exe 92 PID 4856 wrote to memory of 3508 4856 9thbnh.exe 92 PID 4856 wrote to memory of 3508 4856 9thbnh.exe 92 PID 3508 wrote to memory of 1020 3508 llxrrfl.exe 93 PID 3508 wrote to memory of 1020 3508 llxrrfl.exe 93 PID 3508 wrote to memory of 1020 3508 llxrrfl.exe 93 PID 1020 wrote to memory of 1736 1020 jdpjv.exe 94 PID 1020 wrote to memory of 1736 1020 jdpjv.exe 94 PID 1020 wrote to memory of 1736 1020 jdpjv.exe 94 PID 1736 wrote to memory of 740 1736 1pdvp.exe 95 PID 1736 wrote to memory of 740 1736 1pdvp.exe 95 PID 1736 wrote to memory of 740 1736 1pdvp.exe 95 PID 740 wrote to memory of 3100 740 llrxxff.exe 96 PID 740 wrote to 
memory of 3100 740 llrxxff.exe 96 PID 740 wrote to memory of 3100 740 llrxxff.exe 96 PID 3100 wrote to memory of 844 3100 bhhhhn.exe 97 PID 3100 wrote to memory of 844 3100 bhhhhn.exe 97 PID 3100 wrote to memory of 844 3100 bhhhhn.exe 97 PID 844 wrote to memory of 948 844 bbhhnn.exe 98 PID 844 wrote to memory of 948 844 bbhhnn.exe 98 PID 844 wrote to memory of 948 844 bbhhnn.exe 98 PID 948 wrote to memory of 100 948 jdddj.exe 99 PID 948 wrote to memory of 100 948 jdddj.exe 99 PID 948 wrote to memory of 100 948 jdddj.exe 99 PID 100 wrote to memory of 3992 100 thnntt.exe 100 PID 100 wrote to memory of 3992 100 thnntt.exe 100 PID 100 wrote to memory of 3992 100 thnntt.exe 100 PID 3992 wrote to memory of 2020 3992 dpvjj.exe 101 PID 3992 wrote to memory of 2020 3992 dpvjj.exe 101 PID 3992 wrote to memory of 2020 3992 dpvjj.exe 101 PID 2020 wrote to memory of 2460 2020 hbbtbb.exe 102 PID 2020 wrote to memory of 2460 2020 hbbtbb.exe 102 PID 2020 wrote to memory of 2460 2020 hbbtbb.exe 102 PID 2460 wrote to memory of 3480 2460 pvvjd.exe 103 PID 2460 wrote to memory of 3480 2460 pvvjd.exe 103 PID 2460 wrote to memory of 3480 2460 pvvjd.exe 103 PID 3480 wrote to memory of 2120 3480 bnnnnt.exe 104 PID 3480 wrote to memory of 2120 3480 bnnnnt.exe 104 PID 3480 wrote to memory of 2120 3480 bnnnnt.exe 104 PID 2120 wrote to memory of 112 2120 dvvvd.exe 105 PID 2120 wrote to memory of 112 2120 dvvvd.exe 105 PID 2120 wrote to memory of 112 2120 dvvvd.exe 105 PID 112 wrote to memory of 4052 112 dvpdd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\53c1ce720fd1063a019575474f8668cb5ca70524374437dc8611cb360a2f79e3N.exe"C:\Users\Admin\AppData\Local\Temp\53c1ce720fd1063a019575474f8668cb5ca70524374437dc8611cb360a2f79e3N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\ttbnhh.exec:\ttbnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\ffrrxfl.exec:\ffrrxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\nbbtnn.exec:\nbbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\lxxrrxf.exec:\lxxrrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\5jjjj.exec:\5jjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\ffxxrrr.exec:\ffxxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\9thbnh.exec:\9thbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\llxrrfl.exec:\llxrrfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\jdpjv.exec:\jdpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\1pdvp.exec:\1pdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\llrxxff.exec:\llrxxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\bhhhhn.exec:\bhhhhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\bbhhnn.exec:\bbhhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\jdddj.exec:\jdddj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\thnntt.exec:\thnntt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\dpvjj.exec:\dpvjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\hbbtbb.exec:\hbbtbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\pvvjd.exec:\pvvjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\bnnnnt.exec:\bnnnnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\dvvvd.exec:\dvvvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\dvpdd.exec:\dvpdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\vppjv.exec:\vppjv.exe23⤵
- Executes dropped EXE
PID:4052 -
\??\c:\3nnhhn.exec:\3nnhhn.exe24⤵
- Executes dropped EXE
PID:3740 -
\??\c:\jdppv.exec:\jdppv.exe25⤵
- Executes dropped EXE
PID:932 -
\??\c:\nnnnbh.exec:\nnnnbh.exe26⤵
- Executes dropped EXE
PID:2232 -
\??\c:\ffrrxxf.exec:\ffrrxxf.exe27⤵
- Executes dropped EXE
PID:2004 -
\??\c:\djjjj.exec:\djjjj.exe28⤵
- Executes dropped EXE
PID:4032 -
\??\c:\bhnnnb.exec:\bhnnnb.exe29⤵
- Executes dropped EXE
PID:1088 -
\??\c:\ppvvv.exec:\ppvvv.exe30⤵
- Executes dropped EXE
PID:4000 -
\??\c:\3thhhb.exec:\3thhhb.exe31⤵
- Executes dropped EXE
PID:2248 -
\??\c:\lxrffrr.exec:\lxrffrr.exe32⤵
- Executes dropped EXE
PID:1436 -
\??\c:\vjddv.exec:\vjddv.exe33⤵
- Executes dropped EXE
PID:2660 -
\??\c:\bhtnnn.exec:\bhtnnn.exe34⤵
- Executes dropped EXE
PID:964 -
\??\c:\7dvvp.exec:\7dvvp.exe35⤵
- Executes dropped EXE
PID:1964 -
\??\c:\fflfllf.exec:\fflfllf.exe36⤵
- Executes dropped EXE
PID:3532 -
\??\c:\5nnbnn.exec:\5nnbnn.exe37⤵
- Executes dropped EXE
PID:3076 -
\??\c:\dpddv.exec:\dpddv.exe38⤵
- Executes dropped EXE
PID:4352 -
\??\c:\tbntbb.exec:\tbntbb.exe39⤵
- Executes dropped EXE
PID:4848 -
\??\c:\7nntht.exec:\7nntht.exe40⤵
- Executes dropped EXE
PID:3540 -
\??\c:\vpppp.exec:\vpppp.exe41⤵
- Executes dropped EXE
PID:2452 -
\??\c:\7nntnt.exec:\7nntnt.exe42⤵
- Executes dropped EXE
PID:1128 -
\??\c:\btbbhn.exec:\btbbhn.exe43⤵
- Executes dropped EXE
PID:5032 -
\??\c:\lfrxfrx.exec:\lfrxfrx.exe44⤵
- Executes dropped EXE
PID:3236 -
\??\c:\bntbht.exec:\bntbht.exe45⤵
- Executes dropped EXE
PID:5020 -
\??\c:\jvpdp.exec:\jvpdp.exe46⤵
- Executes dropped EXE
PID:3128 -
\??\c:\3llfxfx.exec:\3llfxfx.exe47⤵
- Executes dropped EXE
PID:2576 -
\??\c:\nhnhhh.exec:\nhnhhh.exe48⤵
- Executes dropped EXE
PID:4832 -
\??\c:\bthhhn.exec:\bthhhn.exe49⤵
- Executes dropped EXE
PID:4920 -
\??\c:\jvddp.exec:\jvddp.exe50⤵
- Executes dropped EXE
PID:4284 -
\??\c:\1bnntb.exec:\1bnntb.exe51⤵
- Executes dropped EXE
PID:4296 -
\??\c:\dddvv.exec:\dddvv.exe52⤵
- Executes dropped EXE
PID:4820 -
\??\c:\frxxrrr.exec:\frxxrrr.exe53⤵
- Executes dropped EXE
PID:5072 -
\??\c:\bhbbbt.exec:\bhbbbt.exe54⤵
- Executes dropped EXE
PID:1768 -
\??\c:\1jdjj.exec:\1jdjj.exe55⤵
- Executes dropped EXE
PID:1136 -
\??\c:\frffrxf.exec:\frffrxf.exe56⤵
- Executes dropped EXE
PID:3608 -
\??\c:\xfrrrxx.exec:\xfrrrxx.exe57⤵
- Executes dropped EXE
PID:4944 -
\??\c:\5nnnth.exec:\5nnnth.exe58⤵
- Executes dropped EXE
PID:4408 -
\??\c:\vjvvp.exec:\vjvvp.exe59⤵
- Executes dropped EXE
PID:1420 -
\??\c:\rrxxxll.exec:\rrxxxll.exe60⤵
- Executes dropped EXE
PID:3704 -
\??\c:\hnbbnn.exec:\hnbbnn.exe61⤵
- Executes dropped EXE
PID:4516 -
\??\c:\vvvvd.exec:\vvvvd.exe62⤵
- Executes dropped EXE
PID:3504 -
\??\c:\jdvdv.exec:\jdvdv.exe63⤵
- Executes dropped EXE
PID:3508 -
\??\c:\nnttbh.exec:\nnttbh.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5008 -
\??\c:\3jpvv.exec:\3jpvv.exe65⤵
- Executes dropped EXE
PID:4020 -
\??\c:\jvddv.exec:\jvddv.exe66⤵PID:4212
-
\??\c:\llrrxff.exec:\llrrxff.exe67⤵PID:3228
-
\??\c:\tththh.exec:\tththh.exe68⤵
- System Location Discovery: System Language Discovery
PID:3848 -
\??\c:\pdddd.exec:\pdddd.exe69⤵PID:4588
-
\??\c:\lxxxrxx.exec:\lxxxrxx.exe70⤵PID:3244
-
\??\c:\bhhtnt.exec:\bhhtnt.exe71⤵PID:3724
-
\??\c:\dpppp.exec:\dpppp.exe72⤵
- System Location Discovery: System Language Discovery
PID:620 -
\??\c:\5vvvv.exec:\5vvvv.exe73⤵PID:3792
-
\??\c:\xxfxxxr.exec:\xxfxxxr.exe74⤵PID:2960
-
\??\c:\tbnnnn.exec:\tbnnnn.exe75⤵PID:3048
-
\??\c:\pdpdd.exec:\pdpdd.exe76⤵PID:2460
-
\??\c:\frxxffx.exec:\frxxffx.exe77⤵PID:3480
-
\??\c:\hbbbnn.exec:\hbbbnn.exe78⤵PID:5052
-
\??\c:\1ppjp.exec:\1ppjp.exe79⤵PID:732
-
\??\c:\7fxrxxf.exec:\7fxrxxf.exe80⤵PID:3088
-
\??\c:\ttbtth.exec:\ttbtth.exe81⤵PID:4728
-
\??\c:\7jvdd.exec:\7jvdd.exe82⤵PID:3804
-
\??\c:\fllrlrf.exec:\fllrlrf.exe83⤵PID:4788
-
\??\c:\hnbbnt.exec:\hnbbnt.exe84⤵
- System Location Discovery: System Language Discovery
PID:4432 -
\??\c:\5dppj.exec:\5dppj.exe85⤵PID:932
-
\??\c:\3dvvv.exec:\3dvvv.exe86⤵PID:4444
-
\??\c:\rfffllr.exec:\rfffllr.exe87⤵PID:672
-
\??\c:\ntbnbt.exec:\ntbnbt.exe88⤵PID:4328
-
\??\c:\7thhnt.exec:\7thhnt.exe89⤵PID:1876
-
\??\c:\djpjp.exec:\djpjp.exe90⤵PID:2024
-
\??\c:\1lxxrxx.exec:\1lxxrxx.exe91⤵PID:1084
-
\??\c:\3bhhhn.exec:\3bhhhn.exe92⤵PID:3024
-
\??\c:\dvpvp.exec:\dvpvp.exe93⤵PID:1272
-
\??\c:\jjddd.exec:\jjddd.exe94⤵PID:1536
-
\??\c:\nthhnh.exec:\nthhnh.exe95⤵PID:4260
-
\??\c:\9nnttb.exec:\9nnttb.exe96⤵PID:1228
-
\??\c:\dvddv.exec:\dvddv.exe97⤵PID:2900
-
\??\c:\xlrrrrr.exec:\xlrrrrr.exe98⤵PID:2224
-
\??\c:\3tbbtb.exec:\3tbbtb.exe99⤵PID:3768
-
\??\c:\dpdjj.exec:\dpdjj.exe100⤵PID:3332
-
\??\c:\fxffflf.exec:\fxffflf.exe101⤵PID:4676
-
\??\c:\hhhbbb.exec:\hhhbbb.exe102⤵PID:1696
-
\??\c:\vvvvd.exec:\vvvvd.exe103⤵PID:3980
-
\??\c:\jpvdd.exec:\jpvdd.exe104⤵PID:4900
-
\??\c:\3hbhtb.exec:\3hbhtb.exe105⤵PID:3964
-
\??\c:\vdddv.exec:\vdddv.exe106⤵
- System Location Discovery: System Language Discovery
PID:3528 -
\??\c:\1djdd.exec:\1djdd.exe107⤵PID:724
-
\??\c:\rxflfll.exec:\rxflfll.exe108⤵PID:3152
-
\??\c:\tttttb.exec:\tttttb.exe109⤵PID:2892
-
\??\c:\vpjjd.exec:\vpjjd.exe110⤵PID:2572
-
\??\c:\xrxrlfr.exec:\xrxrlfr.exe111⤵PID:2112
-
\??\c:\hbtttb.exec:\hbtttb.exe112⤵PID:4720
-
\??\c:\dpppd.exec:\dpppd.exe113⤵PID:4312
-
\??\c:\xxrllfx.exec:\xxrllfx.exe114⤵PID:1392
-
\??\c:\ntbhhh.exec:\ntbhhh.exe115⤵PID:4760
-
\??\c:\tbtttb.exec:\tbtttb.exe116⤵PID:1552
-
\??\c:\ddjjj.exec:\ddjjj.exe117⤵PID:5072
-
\??\c:\flrrrxl.exec:\flrrrxl.exe118⤵PID:1380
-
\??\c:\bbhhhh.exec:\bbhhhh.exe119⤵PID:4144
-
\??\c:\dpppp.exec:\dpppp.exe120⤵PID:4164
-
\??\c:\lrfxxlr.exec:\lrfxxlr.exe121⤵PID:2040
-
\??\c:\hhbbtb.exec:\hhbbtb.exe122⤵PID:1424