Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 04:02
Behavioral task
behavioral1
Sample
dba6988841f86d18a62df5ab724e9d96b170ea0071d5f5f03b6bcf34e2171518.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
dba6988841f86d18a62df5ab724e9d96b170ea0071d5f5f03b6bcf34e2171518.exe
-
Size
406KB
-
MD5
a54435cfa0729aba573f4eb2abd3f827
-
SHA1
3d8968b4c79a64ac0e61ad27808301b65e74c5ff
-
SHA256
dba6988841f86d18a62df5ab724e9d96b170ea0071d5f5f03b6bcf34e2171518
-
SHA512
f86dae4b94c54600a1a10aea59b325ca4269f49e2319330f492fb47b20ec82b295f48b7771cb86c539436cdd7d9274d07a098dc86e156e51306057292bb3282d
-
SSDEEP
6144:0cm4FmowdHoSH5BCwdyPUVn1/PRN2kIHVtS6o:C4wFHoS3C8Vnnqo6o
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2972-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2244-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2108-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2724-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4080-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2784-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/856-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/820-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4848-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/64-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4792-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/376-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4528-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/952-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2772-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-471-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-552-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/840-589-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-614-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-648-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1988-655-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-791-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-795-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3192-1046-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-1582-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4808-1866-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2172 rrxrlrl.exe 548 btbtnh.exe 3460 5djjd.exe 3416 vvvpp.exe 4924 lrxrllf.exe 1268 7bbbtt.exe 2432 3hnhtt.exe 2244 bnhhbb.exe 4856 vvjjd.exe 2108 lffxllr.exe 216 5bhtnn.exe 4736 rffxxxr.exe 4992 3tttth.exe 4968 vpvpj.exe 4028 lflfffx.exe 1532 nhnhbb.exe 4480 jdddv.exe 4464 9vpjd.exe 2724 3flffrl.exe 5064 jdvvp.exe 1484 1nhhbb.exe 2528 pvjjj.exe 2376 9dpjp.exe 2808 nhttbb.exe 3244 dppjp.exe 4036 3bhhbh.exe 2256 ppdvd.exe 2784 1btbnb.exe 4080 7vdvj.exe 856 nbnhhh.exe 1424 fxrlfff.exe 1416 jjvpp.exe 820 htttnn.exe 1976 dvppj.exe 1044 xxffxxr.exe 1580 9htttt.exe 4848 jjvpj.exe 4408 nhtnbh.exe 2816 vvvpp.exe 4788 7rxlfll.exe 3396 pjvpp.exe 2384 vpvpp.exe 64 1xxfrrf.exe 2500 5nttnn.exe 4708 5dddd.exe 4868 ppvpj.exe 1968 5rrllll.exe 2992 5hnhbh.exe 2248 3vdvp.exe 4060 9vdvj.exe 1344 xrfllff.exe 2496 htbbbb.exe 2588 nhbbht.exe 1824 vjppp.exe 3976 rflfffx.exe 3508 7ntnnn.exe 1464 tbntnn.exe 4792 djppj.exe 4820 ffflxfx.exe 216 hthhhh.exe 4736 ddvpp.exe 4508 9pdvv.exe 528 xlfxlxr.exe 5096 ththth.exe -
resource yara_rule behavioral2/memory/2972-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b0e-3.dat upx behavioral2/memory/2972-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2172-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b63-15.dat upx behavioral2/memory/3460-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b64-21.dat upx behavioral2/files/0x000a000000023b66-27.dat upx behavioral2/files/0x000a000000023b67-31.dat upx behavioral2/memory/2432-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b68-38.dat upx behavioral2/memory/1268-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3416-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/548-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b5f-9.dat upx behavioral2/files/0x000a000000023b69-43.dat upx behavioral2/files/0x000a000000023b6a-48.dat upx behavioral2/memory/2244-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6b-54.dat upx behavioral2/files/0x000a000000023b6c-59.dat upx behavioral2/memory/2108-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4856-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6d-66.dat upx behavioral2/files/0x000a000000023b6e-70.dat upx behavioral2/memory/4992-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4736-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-77.dat upx behavioral2/memory/4028-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b71-90.dat upx behavioral2/memory/1532-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b72-95.dat upx 
behavioral2/memory/4480-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4968-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b70-84.dat upx behavioral2/files/0x000b000000023b60-102.dat upx behavioral2/memory/4464-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b74-108.dat upx behavioral2/memory/2724-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b75-115.dat upx behavioral2/memory/5064-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b76-119.dat upx behavioral2/memory/5064-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b77-125.dat upx behavioral2/files/0x000a000000023b78-131.dat upx behavioral2/files/0x000a000000023b79-136.dat upx behavioral2/memory/2376-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7a-141.dat upx behavioral2/memory/3244-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-147.dat upx behavioral2/files/0x000a000000023b7c-152.dat upx behavioral2/memory/4036-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-158.dat upx behavioral2/memory/4080-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2784-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-170.dat upx behavioral2/memory/856-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-164.dat upx behavioral2/memory/856-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-177.dat upx behavioral2/files/0x000a000000023b81-183.dat upx behavioral2/memory/820-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1976-195-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1044-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1580-203-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2172 2972 dba6988841f86d18a62df5ab724e9d96b170ea0071d5f5f03b6bcf34e2171518.exe 83 PID 2972 wrote to memory of 2172 2972 dba6988841f86d18a62df5ab724e9d96b170ea0071d5f5f03b6bcf34e2171518.exe 83 PID 2972 wrote to memory of 2172 2972 dba6988841f86d18a62df5ab724e9d96b170ea0071d5f5f03b6bcf34e2171518.exe 83 PID 2172 wrote to memory of 548 2172 rrxrlrl.exe 84 PID 2172 wrote to memory of 548 2172 rrxrlrl.exe 84 PID 2172 wrote to memory of 548 2172 rrxrlrl.exe 84 PID 548 wrote to memory of 3460 548 btbtnh.exe 85 PID 548 wrote to memory of 3460 548 btbtnh.exe 85 PID 548 wrote to memory of 3460 548 btbtnh.exe 85 PID 3460 wrote to memory of 3416 3460 5djjd.exe 86 PID 3460 wrote to memory of 3416 3460 5djjd.exe 86 PID 3460 wrote to memory of 3416 3460 5djjd.exe 86 PID 3416 wrote to memory of 4924 3416 vvvpp.exe 87 PID 3416 wrote to memory of 4924 3416 vvvpp.exe 87 PID 3416 wrote to memory of 4924 3416 vvvpp.exe 87 PID 4924 wrote to memory of 1268 4924 lrxrllf.exe 88 PID 4924 wrote to memory of 1268 4924 lrxrllf.exe 88 PID 4924 wrote to memory of 1268 4924 lrxrllf.exe 88 PID 1268 wrote to memory of 2432 1268 7bbbtt.exe 89 PID 1268 wrote to memory of 2432 1268 7bbbtt.exe 89 PID 1268 wrote to memory of 2432 1268 7bbbtt.exe 89 PID 2432 wrote to memory of 2244 2432 3hnhtt.exe 90 PID 2432 wrote to memory of 2244 2432 3hnhtt.exe 90 PID 2432 wrote to memory of 2244 2432 3hnhtt.exe 90 PID 2244 wrote to memory of 4856 2244 bnhhbb.exe 91 PID 2244 wrote to memory of 4856 2244 bnhhbb.exe 91 PID 2244 wrote to memory of 4856 2244 bnhhbb.exe 91 PID 4856 wrote to memory of 2108 4856 vvjjd.exe 92 PID 4856 wrote to memory of 2108 4856 vvjjd.exe 92 PID 4856 wrote to memory of 2108 4856 vvjjd.exe 92 PID 2108 wrote to memory of 216 2108 lffxllr.exe 93 PID 2108 wrote to memory of 216 2108 lffxllr.exe 93 PID 2108 wrote to memory of 216 2108 lffxllr.exe 93 PID 216 wrote to memory of 4736 216 5bhtnn.exe 94 PID 216 wrote to memory of 4736 
216 5bhtnn.exe 94 PID 216 wrote to memory of 4736 216 5bhtnn.exe 94 PID 4736 wrote to memory of 4992 4736 rffxxxr.exe 95 PID 4736 wrote to memory of 4992 4736 rffxxxr.exe 95 PID 4736 wrote to memory of 4992 4736 rffxxxr.exe 95 PID 4992 wrote to memory of 4968 4992 3tttth.exe 96 PID 4992 wrote to memory of 4968 4992 3tttth.exe 96 PID 4992 wrote to memory of 4968 4992 3tttth.exe 96 PID 4968 wrote to memory of 4028 4968 vpvpj.exe 97 PID 4968 wrote to memory of 4028 4968 vpvpj.exe 97 PID 4968 wrote to memory of 4028 4968 vpvpj.exe 97 PID 4028 wrote to memory of 1532 4028 lflfffx.exe 98 PID 4028 wrote to memory of 1532 4028 lflfffx.exe 98 PID 4028 wrote to memory of 1532 4028 lflfffx.exe 98 PID 1532 wrote to memory of 4480 1532 nhnhbb.exe 99 PID 1532 wrote to memory of 4480 1532 nhnhbb.exe 99 PID 1532 wrote to memory of 4480 1532 nhnhbb.exe 99 PID 4480 wrote to memory of 4464 4480 jdddv.exe 100 PID 4480 wrote to memory of 4464 4480 jdddv.exe 100 PID 4480 wrote to memory of 4464 4480 jdddv.exe 100 PID 4464 wrote to memory of 2724 4464 9vpjd.exe 101 PID 4464 wrote to memory of 2724 4464 9vpjd.exe 101 PID 4464 wrote to memory of 2724 4464 9vpjd.exe 101 PID 2724 wrote to memory of 5064 2724 3flffrl.exe 102 PID 2724 wrote to memory of 5064 2724 3flffrl.exe 102 PID 2724 wrote to memory of 5064 2724 3flffrl.exe 102 PID 5064 wrote to memory of 1484 5064 jdvvp.exe 103 PID 5064 wrote to memory of 1484 5064 jdvvp.exe 103 PID 5064 wrote to memory of 1484 5064 jdvvp.exe 103 PID 1484 wrote to memory of 2528 1484 1nhhbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\dba6988841f86d18a62df5ab724e9d96b170ea0071d5f5f03b6bcf34e2171518.exe"C:\Users\Admin\AppData\Local\Temp\dba6988841f86d18a62df5ab724e9d96b170ea0071d5f5f03b6bcf34e2171518.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\rrxrlrl.exec:\rrxrlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\btbtnh.exec:\btbtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\5djjd.exec:\5djjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\vvvpp.exec:\vvvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\lrxrllf.exec:\lrxrllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\7bbbtt.exec:\7bbbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\3hnhtt.exec:\3hnhtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\bnhhbb.exec:\bnhhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\vvjjd.exec:\vvjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\lffxllr.exec:\lffxllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\5bhtnn.exec:\5bhtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\rffxxxr.exec:\rffxxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\3tttth.exec:\3tttth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\vpvpj.exec:\vpvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\lflfffx.exec:\lflfffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\nhnhbb.exec:\nhnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\jdddv.exec:\jdddv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\9vpjd.exec:\9vpjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\3flffrl.exec:\3flffrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\jdvvp.exec:\jdvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\1nhhbb.exec:\1nhhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\pvjjj.exec:\pvjjj.exe23⤵
- Executes dropped EXE
PID:2528 -
\??\c:\9dpjp.exec:\9dpjp.exe24⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nhttbb.exec:\nhttbb.exe25⤵
- Executes dropped EXE
PID:2808 -
\??\c:\dppjp.exec:\dppjp.exe26⤵
- Executes dropped EXE
PID:3244 -
\??\c:\3bhhbh.exec:\3bhhbh.exe27⤵
- Executes dropped EXE
PID:4036 -
\??\c:\ppdvd.exec:\ppdvd.exe28⤵
- Executes dropped EXE
PID:2256 -
\??\c:\1btbnb.exec:\1btbnb.exe29⤵
- Executes dropped EXE
PID:2784 -
\??\c:\7vdvj.exec:\7vdvj.exe30⤵
- Executes dropped EXE
PID:4080 -
\??\c:\nbnhhh.exec:\nbnhhh.exe31⤵
- Executes dropped EXE
PID:856 -
\??\c:\fxrlfff.exec:\fxrlfff.exe32⤵
- Executes dropped EXE
PID:1424 -
\??\c:\jjvpp.exec:\jjvpp.exe33⤵
- Executes dropped EXE
PID:1416 -
\??\c:\htttnn.exec:\htttnn.exe34⤵
- Executes dropped EXE
PID:820 -
\??\c:\dvppj.exec:\dvppj.exe35⤵
- Executes dropped EXE
PID:1976 -
\??\c:\xxffxxr.exec:\xxffxxr.exe36⤵
- Executes dropped EXE
PID:1044 -
\??\c:\9htttt.exec:\9htttt.exe37⤵
- Executes dropped EXE
PID:1580 -
\??\c:\jjvpj.exec:\jjvpj.exe38⤵
- Executes dropped EXE
PID:4848 -
\??\c:\nhtnbh.exec:\nhtnbh.exe39⤵
- Executes dropped EXE
PID:4408 -
\??\c:\vvvpp.exec:\vvvpp.exe40⤵
- Executes dropped EXE
PID:2816 -
\??\c:\7rxlfll.exec:\7rxlfll.exe41⤵
- Executes dropped EXE
PID:4788 -
\??\c:\pjvpp.exec:\pjvpp.exe42⤵
- Executes dropped EXE
PID:3396 -
\??\c:\vpvpp.exec:\vpvpp.exe43⤵
- Executes dropped EXE
PID:2384 -
\??\c:\1xxfrrf.exec:\1xxfrrf.exe44⤵
- Executes dropped EXE
PID:64 -
\??\c:\5nttnn.exec:\5nttnn.exe45⤵
- Executes dropped EXE
PID:2500 -
\??\c:\5dddd.exec:\5dddd.exe46⤵
- Executes dropped EXE
PID:4708 -
\??\c:\ppvpj.exec:\ppvpj.exe47⤵
- Executes dropped EXE
PID:4868 -
\??\c:\5rrllll.exec:\5rrllll.exe48⤵
- Executes dropped EXE
PID:1968 -
\??\c:\5hnhbh.exec:\5hnhbh.exe49⤵
- Executes dropped EXE
PID:2992 -
\??\c:\3vdvp.exec:\3vdvp.exe50⤵
- Executes dropped EXE
PID:2248 -
\??\c:\9vdvj.exec:\9vdvj.exe51⤵
- Executes dropped EXE
PID:4060 -
\??\c:\xrfllff.exec:\xrfllff.exe52⤵
- Executes dropped EXE
PID:1344 -
\??\c:\htbbbb.exec:\htbbbb.exe53⤵
- Executes dropped EXE
PID:2496 -
\??\c:\nhbbht.exec:\nhbbht.exe54⤵
- Executes dropped EXE
PID:2588 -
\??\c:\vjppp.exec:\vjppp.exe55⤵
- Executes dropped EXE
PID:1824 -
\??\c:\rflfffx.exec:\rflfffx.exe56⤵
- Executes dropped EXE
PID:3976 -
\??\c:\7ntnnn.exec:\7ntnnn.exe57⤵
- Executes dropped EXE
PID:3508 -
\??\c:\tbntnn.exec:\tbntnn.exe58⤵
- Executes dropped EXE
PID:1464 -
\??\c:\djppj.exec:\djppj.exe59⤵
- Executes dropped EXE
PID:4792 -
\??\c:\ffflxfx.exec:\ffflxfx.exe60⤵
- Executes dropped EXE
PID:4820 -
\??\c:\hthhhh.exec:\hthhhh.exe61⤵
- Executes dropped EXE
PID:216 -
\??\c:\ddvpp.exec:\ddvpp.exe62⤵
- Executes dropped EXE
PID:4736 -
\??\c:\9pdvv.exec:\9pdvv.exe63⤵
- Executes dropped EXE
PID:4508 -
\??\c:\xlfxlxr.exec:\xlfxlxr.exe64⤵
- Executes dropped EXE
PID:528 -
\??\c:\ththth.exec:\ththth.exe65⤵
- Executes dropped EXE
PID:5096 -
\??\c:\vvvdp.exec:\vvvdp.exe66⤵PID:4028
-
\??\c:\jjpjd.exec:\jjpjd.exe67⤵PID:4200
-
\??\c:\7xflffx.exec:\7xflffx.exe68⤵PID:2260
-
\??\c:\nnbbhb.exec:\nnbbhb.exe69⤵PID:3936
-
\??\c:\nhnhbn.exec:\nhnhbn.exe70⤵PID:2332
-
\??\c:\vdpjp.exec:\vdpjp.exe71⤵PID:376
-
\??\c:\fxffxxr.exec:\fxffxxr.exe72⤵PID:5012
-
\??\c:\1ffxxff.exec:\1ffxxff.exe73⤵PID:3664
-
\??\c:\htbtnn.exec:\htbtnn.exe74⤵PID:2352
-
\??\c:\5pvpj.exec:\5pvpj.exe75⤵PID:3592
-
\??\c:\vvjjj.exec:\vvjjj.exe76⤵PID:3332
-
\??\c:\rllfrrr.exec:\rllfrrr.exe77⤵PID:3360
-
\??\c:\3htbtt.exec:\3htbtt.exe78⤵PID:4252
-
\??\c:\ppvvp.exec:\ppvvp.exe79⤵PID:2376
-
\??\c:\xxxrrxx.exec:\xxxrrxx.exe80⤵PID:1872
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe81⤵PID:4528
-
\??\c:\dvvvd.exec:\dvvvd.exe82⤵PID:2628
-
\??\c:\ddpjj.exec:\ddpjj.exe83⤵PID:4912
-
\??\c:\fxrfxxr.exec:\fxrfxxr.exe84⤵PID:1384
-
\??\c:\thhbbb.exec:\thhbbb.exe85⤵PID:3972
-
\??\c:\ddjjv.exec:\ddjjv.exe86⤵PID:3908
-
\??\c:\jvvvp.exec:\jvvvp.exe87⤵PID:3012
-
\??\c:\9fllffx.exec:\9fllffx.exe88⤵PID:4536
-
\??\c:\5lrrlll.exec:\5lrrlll.exe89⤵PID:4808
-
\??\c:\7nbtnn.exec:\7nbtnn.exe90⤵PID:3680
-
\??\c:\3pjdv.exec:\3pjdv.exe91⤵PID:5000
-
\??\c:\jvjdv.exec:\jvjdv.exe92⤵
- System Location Discovery: System Language Discovery
PID:952 -
\??\c:\xrxrllx.exec:\xrxrllx.exe93⤵PID:4324
-
\??\c:\7rrxrrl.exec:\7rrxrrl.exe94⤵PID:2772
-
\??\c:\nnhhbb.exec:\nnhhbb.exe95⤵PID:2648
-
\??\c:\dvdvj.exec:\dvdvj.exe96⤵PID:1120
-
\??\c:\1llfrrl.exec:\1llfrrl.exe97⤵PID:4824
-
\??\c:\nhhhbb.exec:\nhhhbb.exe98⤵PID:1136
-
\??\c:\hnbhtt.exec:\hnbhtt.exe99⤵PID:4064
-
\??\c:\1vpvp.exec:\1vpvp.exe100⤵PID:4216
-
\??\c:\xrlfxrr.exec:\xrlfxrr.exe101⤵PID:516
-
\??\c:\bhbtnb.exec:\bhbtnb.exe102⤵PID:2360
-
\??\c:\7ntthh.exec:\7ntthh.exe103⤵PID:3540
-
\??\c:\5jdvp.exec:\5jdvp.exe104⤵PID:1548
-
\??\c:\xfllrrx.exec:\xfllrrx.exe105⤵PID:2288
-
\??\c:\9xrlfff.exec:\9xrlfff.exe106⤵PID:3688
-
\??\c:\hhtnnn.exec:\hhtnnn.exe107⤵PID:3416
-
\??\c:\1djdd.exec:\1djdd.exe108⤵PID:2532
-
\??\c:\xrxlfxx.exec:\xrxlfxx.exe109⤵PID:2020
-
\??\c:\3ffllrr.exec:\3ffllrr.exe110⤵PID:4284
-
\??\c:\7hhnhh.exec:\7hhnhh.exe111⤵PID:1988
-
\??\c:\pjvdp.exec:\pjvdp.exe112⤵PID:2488
-
\??\c:\pvvdv.exec:\pvvdv.exe113⤵PID:1468
-
\??\c:\xfrlfff.exec:\xfrlfff.exe114⤵PID:60
-
\??\c:\bntnnh.exec:\bntnnh.exe115⤵PID:2652
-
\??\c:\vpdvp.exec:\vpdvp.exe116⤵PID:464
-
\??\c:\dvjjj.exec:\dvjjj.exe117⤵PID:3108
-
\??\c:\5xxrlff.exec:\5xxrlff.exe118⤵PID:4856
-
\??\c:\tnbttn.exec:\tnbttn.exe119⤵PID:3340
-
\??\c:\hnbttt.exec:\hnbttt.exe120⤵PID:4444
-
\??\c:\vpdvv.exec:\vpdvv.exe121⤵PID:2324
-
\??\c:\xxxrlll.exec:\xxxrlll.exe122⤵PID:4560