Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
25-12-2024 17:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e40afca84df337bc64e2ee7fa0f769b5924b77c5882fd1a7726532752c885008.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e40afca84df337bc64e2ee7fa0f769b5924b77c5882fd1a7726532752c885008.exe
-
Size
453KB
-
MD5
4acc2022623063c9e94a68ce0a853284
-
SHA1
08fca9da56af8208e83745322f24152eed9409a0
-
SHA256
e40afca84df337bc64e2ee7fa0f769b5924b77c5882fd1a7726532752c885008
-
SHA512
fbc9103af675cd9d22094b16a3ddd67e29f305e31db78420f997f4c506262408f810b9436c735f64483231e255b3ec4f6e051cf086dad16aaf56bd6ec829335a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs — every hit is the same 0x00400000–0x0042A000 region (the default image base, 0x2A000 bytes) in a different process, which is consistent with each dropped EXE being a copy of the same packed binary (the identical regions carry the `upx` tag below); the family verdict rests on the YARA rule `family_blackmoon` matching in memory, not on the file hashes.
resource yara_rule behavioral2/memory/1752-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2096-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/100-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-1104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-1295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-1909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — note that PIDs are reused within the run (e.g. 1608 is listed for both tbhttn.exe and xfrrfff.exe), so correlate on image name or hash rather than on PID when building detections from this list; the dropped names are short random-looking letter strings (h/b/t/n, p/v/d/j, l/r/x/f) written to the root of `c:\`.
pid Process 4544 hbtttb.exe 5012 ddpdv.exe 4428 rlfxlfx.exe 3684 lxflfxr.exe 3768 bttnhb.exe 3212 3nthbt.exe 1608 tbhttn.exe 3656 tbtbth.exe 4344 jvjdd.exe 2820 nbnhhb.exe 1268 hhbttn.exe 872 pvdvp.exe 4444 ttbntt.exe 708 tnhhnn.exe 4536 bntnhh.exe 3712 ppjjj.exe 4648 rlrlllf.exe 444 nhhbth.exe 3692 7dddv.exe 2220 llxxlrx.exe 4900 tntnhn.exe 1952 bhttnn.exe 4404 rrfffff.exe 524 5jpvp.exe 3112 bntnnh.exe 2424 dvdjj.exe 2096 dpjdd.exe 1400 rfllllf.exe 3020 bbnhhh.exe 3756 pvvpj.exe 4400 xxxrlff.exe 2388 fllrlrr.exe 4964 jdpjj.exe 2580 rrlffxx.exe 1912 ntbttt.exe 2524 dvdvv.exe 3068 lfffxxx.exe 4060 hhbbbt.exe 3016 vpppj.exe 416 xxfxxfr.exe 244 xxlxxfl.exe 3400 hhtttb.exe 3092 nhnhbh.exe 2600 rlxlrlf.exe 1412 lrlfxxr.exe 4380 3bnnnt.exe 1240 pjpdv.exe 5052 xxfxffl.exe 5056 bhhnht.exe 4640 pjjdp.exe 3604 rlflflf.exe 556 ttbbtb.exe 32 vpddv.exe 3440 pdjvp.exe 2472 xllflfx.exe 456 nbbtnn.exe 3288 djddd.exe 1608 xfrrfff.exe 1460 9ttbbh.exe 2992 rxfffff.exe 2324 xxlfrrx.exe 2812 hthhhn.exe 1904 5vddv.exe 3652 dvjjp.exe -
resource yara_rule behavioral2/memory/4544-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3112-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-314-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4756-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-697-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here by opening `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`). In this run the read is attributed to several of the dropped executables (e.g. ddpdv.exe, 5jpvp.exe, xllflfx.exe); entries marked "Process not Found" are reads the sandbox could not tie to a live process, presumably because the short-lived child had already exited. On its own, reading this key is also done by much benign software, so treat it as a weak indicator that supports the family match rather than as evidence by itself.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each parent→child pair appears three times and the target is always the child the parent itself just spawned (matching the process chain under "Processes"), which looks like the writes made during process creation rather than injection into an unrelated process; the list is truncated at 64 entries (it ends at PID 4900 → 1952), so the remaining spawns are not shown here.
description pid Process procid_target PID 1752 wrote to memory of 4544 1752 e40afca84df337bc64e2ee7fa0f769b5924b77c5882fd1a7726532752c885008.exe 84 PID 1752 wrote to memory of 4544 1752 e40afca84df337bc64e2ee7fa0f769b5924b77c5882fd1a7726532752c885008.exe 84 PID 1752 wrote to memory of 4544 1752 e40afca84df337bc64e2ee7fa0f769b5924b77c5882fd1a7726532752c885008.exe 84 PID 4544 wrote to memory of 5012 4544 hbtttb.exe 85 PID 4544 wrote to memory of 5012 4544 hbtttb.exe 85 PID 4544 wrote to memory of 5012 4544 hbtttb.exe 85 PID 5012 wrote to memory of 4428 5012 ddpdv.exe 86 PID 5012 wrote to memory of 4428 5012 ddpdv.exe 86 PID 5012 wrote to memory of 4428 5012 ddpdv.exe 86 PID 4428 wrote to memory of 3684 4428 rlfxlfx.exe 87 PID 4428 wrote to memory of 3684 4428 rlfxlfx.exe 87 PID 4428 wrote to memory of 3684 4428 rlfxlfx.exe 87 PID 3684 wrote to memory of 3768 3684 lxflfxr.exe 88 PID 3684 wrote to memory of 3768 3684 lxflfxr.exe 88 PID 3684 wrote to memory of 3768 3684 lxflfxr.exe 88 PID 3768 wrote to memory of 3212 3768 bttnhb.exe 89 PID 3768 wrote to memory of 3212 3768 bttnhb.exe 89 PID 3768 wrote to memory of 3212 3768 bttnhb.exe 89 PID 3212 wrote to memory of 1608 3212 3nthbt.exe 90 PID 3212 wrote to memory of 1608 3212 3nthbt.exe 90 PID 3212 wrote to memory of 1608 3212 3nthbt.exe 90 PID 1608 wrote to memory of 3656 1608 tbhttn.exe 91 PID 1608 wrote to memory of 3656 1608 tbhttn.exe 91 PID 1608 wrote to memory of 3656 1608 tbhttn.exe 91 PID 3656 wrote to memory of 4344 3656 tbtbth.exe 92 PID 3656 wrote to memory of 4344 3656 tbtbth.exe 92 PID 3656 wrote to memory of 4344 3656 tbtbth.exe 92 PID 4344 wrote to memory of 2820 4344 jvjdd.exe 93 PID 4344 wrote to memory of 2820 4344 jvjdd.exe 93 PID 4344 wrote to memory of 2820 4344 jvjdd.exe 93 PID 2820 wrote to memory of 1268 2820 nbnhhb.exe 94 PID 2820 wrote to memory of 1268 2820 nbnhhb.exe 94 PID 2820 wrote to memory of 1268 2820 nbnhhb.exe 94 PID 1268 wrote to memory of 872 1268 hhbttn.exe 95 PID 1268 wrote to 
memory of 872 1268 hhbttn.exe 95 PID 1268 wrote to memory of 872 1268 hhbttn.exe 95 PID 872 wrote to memory of 4444 872 pvdvp.exe 96 PID 872 wrote to memory of 4444 872 pvdvp.exe 96 PID 872 wrote to memory of 4444 872 pvdvp.exe 96 PID 4444 wrote to memory of 708 4444 ttbntt.exe 97 PID 4444 wrote to memory of 708 4444 ttbntt.exe 97 PID 4444 wrote to memory of 708 4444 ttbntt.exe 97 PID 708 wrote to memory of 4536 708 tnhhnn.exe 98 PID 708 wrote to memory of 4536 708 tnhhnn.exe 98 PID 708 wrote to memory of 4536 708 tnhhnn.exe 98 PID 4536 wrote to memory of 3712 4536 bntnhh.exe 99 PID 4536 wrote to memory of 3712 4536 bntnhh.exe 99 PID 4536 wrote to memory of 3712 4536 bntnhh.exe 99 PID 3712 wrote to memory of 4648 3712 ppjjj.exe 100 PID 3712 wrote to memory of 4648 3712 ppjjj.exe 100 PID 3712 wrote to memory of 4648 3712 ppjjj.exe 100 PID 4648 wrote to memory of 444 4648 rlrlllf.exe 101 PID 4648 wrote to memory of 444 4648 rlrlllf.exe 101 PID 4648 wrote to memory of 444 4648 rlrlllf.exe 101 PID 444 wrote to memory of 3692 444 nhhbth.exe 102 PID 444 wrote to memory of 3692 444 nhhbth.exe 102 PID 444 wrote to memory of 3692 444 nhhbth.exe 102 PID 3692 wrote to memory of 2220 3692 7dddv.exe 103 PID 3692 wrote to memory of 2220 3692 7dddv.exe 103 PID 3692 wrote to memory of 2220 3692 7dddv.exe 103 PID 2220 wrote to memory of 4900 2220 llxxlrx.exe 104 PID 2220 wrote to memory of 4900 2220 llxxlrx.exe 104 PID 2220 wrote to memory of 4900 2220 llxxlrx.exe 104 PID 4900 wrote to memory of 1952 4900 tntnhn.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\e40afca84df337bc64e2ee7fa0f769b5924b77c5882fd1a7726532752c885008.exe"C:\Users\Admin\AppData\Local\Temp\e40afca84df337bc64e2ee7fa0f769b5924b77c5882fd1a7726532752c885008.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\hbtttb.exec:\hbtttb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\ddpdv.exec:\ddpdv.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\lxflfxr.exec:\lxflfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\bttnhb.exec:\bttnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\3nthbt.exec:\3nthbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\tbhttn.exec:\tbhttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\tbtbth.exec:\tbtbth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\jvjdd.exec:\jvjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\nbnhhb.exec:\nbnhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\hhbttn.exec:\hhbttn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\pvdvp.exec:\pvdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\ttbntt.exec:\ttbntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\tnhhnn.exec:\tnhhnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\bntnhh.exec:\bntnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\ppjjj.exec:\ppjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\rlrlllf.exec:\rlrlllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\nhhbth.exec:\nhhbth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\7dddv.exec:\7dddv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\llxxlrx.exec:\llxxlrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\tntnhn.exec:\tntnhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\bhttnn.exec:\bhttnn.exe23⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rrfffff.exec:\rrfffff.exe24⤵
- Executes dropped EXE
PID:4404 -
\??\c:\5jpvp.exec:\5jpvp.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:524 -
\??\c:\bntnnh.exec:\bntnnh.exe26⤵
- Executes dropped EXE
PID:3112 -
\??\c:\dvdjj.exec:\dvdjj.exe27⤵
- Executes dropped EXE
PID:2424 -
\??\c:\dpjdd.exec:\dpjdd.exe28⤵
- Executes dropped EXE
PID:2096 -
\??\c:\rfllllf.exec:\rfllllf.exe29⤵
- Executes dropped EXE
PID:1400 -
\??\c:\bbnhhh.exec:\bbnhhh.exe30⤵
- Executes dropped EXE
PID:3020 -
\??\c:\pvvpj.exec:\pvvpj.exe31⤵
- Executes dropped EXE
PID:3756 -
\??\c:\xxxrlff.exec:\xxxrlff.exe32⤵
- Executes dropped EXE
PID:4400 -
\??\c:\fllrlrr.exec:\fllrlrr.exe33⤵
- Executes dropped EXE
PID:2388 -
\??\c:\jdpjj.exec:\jdpjj.exe34⤵
- Executes dropped EXE
PID:4964 -
\??\c:\rrlffxx.exec:\rrlffxx.exe35⤵
- Executes dropped EXE
PID:2580 -
\??\c:\ntbttt.exec:\ntbttt.exe36⤵
- Executes dropped EXE
PID:1912 -
\??\c:\dvdvv.exec:\dvdvv.exe37⤵
- Executes dropped EXE
PID:2524 -
\??\c:\lfffxxx.exec:\lfffxxx.exe38⤵
- Executes dropped EXE
PID:3068 -
\??\c:\hhbbbt.exec:\hhbbbt.exe39⤵
- Executes dropped EXE
PID:4060 -
\??\c:\vpppj.exec:\vpppj.exe40⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xxfxxfr.exec:\xxfxxfr.exe41⤵
- Executes dropped EXE
PID:416 -
\??\c:\xxlxxfl.exec:\xxlxxfl.exe42⤵
- Executes dropped EXE
PID:244 -
\??\c:\hhtttb.exec:\hhtttb.exe43⤵
- Executes dropped EXE
PID:3400 -
\??\c:\nhnhbh.exec:\nhnhbh.exe44⤵
- Executes dropped EXE
PID:3092 -
\??\c:\rlxlrlf.exec:\rlxlrlf.exe45⤵
- Executes dropped EXE
PID:2600 -
\??\c:\lrlfxxr.exec:\lrlfxxr.exe46⤵
- Executes dropped EXE
PID:1412 -
\??\c:\3bnnnt.exec:\3bnnnt.exe47⤵
- Executes dropped EXE
PID:4380 -
\??\c:\pjpdv.exec:\pjpdv.exe48⤵
- Executes dropped EXE
PID:1240 -
\??\c:\xxfxffl.exec:\xxfxffl.exe49⤵
- Executes dropped EXE
PID:5052 -
\??\c:\bhhnht.exec:\bhhnht.exe50⤵
- Executes dropped EXE
PID:5056 -
\??\c:\pjjdp.exec:\pjjdp.exe51⤵
- Executes dropped EXE
PID:4640 -
\??\c:\rlflflf.exec:\rlflflf.exe52⤵
- Executes dropped EXE
PID:3604 -
\??\c:\ttbbtb.exec:\ttbbtb.exe53⤵
- Executes dropped EXE
PID:556 -
\??\c:\vpddv.exec:\vpddv.exe54⤵
- Executes dropped EXE
PID:32 -
\??\c:\pdjvp.exec:\pdjvp.exe55⤵
- Executes dropped EXE
PID:3440 -
\??\c:\xllflfx.exec:\xllflfx.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2472 -
\??\c:\nbbtnn.exec:\nbbtnn.exe57⤵
- Executes dropped EXE
PID:456 -
\??\c:\djddd.exec:\djddd.exe58⤵
- Executes dropped EXE
PID:3288 -
\??\c:\xfrrfff.exec:\xfrrfff.exe59⤵
- Executes dropped EXE
PID:1608 -
\??\c:\9ttbbh.exec:\9ttbbh.exe60⤵
- Executes dropped EXE
PID:1460 -
\??\c:\rxfffff.exec:\rxfffff.exe61⤵
- Executes dropped EXE
PID:2992 -
\??\c:\xxlfrrx.exec:\xxlfrrx.exe62⤵
- Executes dropped EXE
PID:2324 -
\??\c:\hthhhn.exec:\hthhhn.exe63⤵
- Executes dropped EXE
PID:2812 -
\??\c:\5vddv.exec:\5vddv.exe64⤵
- Executes dropped EXE
PID:1904 -
\??\c:\dvjjp.exec:\dvjjp.exe65⤵
- Executes dropped EXE
PID:3652 -
\??\c:\fxlllrr.exec:\fxlllrr.exe66⤵PID:2936
-
\??\c:\httnnn.exec:\httnnn.exe67⤵PID:100
-
\??\c:\1vvpp.exec:\1vvpp.exe68⤵PID:1584
-
\??\c:\flrlfff.exec:\flrlfff.exe69⤵PID:3940
-
\??\c:\bnttnn.exec:\bnttnn.exe70⤵PID:4508
-
\??\c:\3vjdp.exec:\3vjdp.exe71⤵PID:1328
-
\??\c:\jdjdv.exec:\jdjdv.exe72⤵PID:4112
-
\??\c:\rxxllll.exec:\rxxllll.exe73⤵PID:4756
-
\??\c:\nnhhnt.exec:\nnhhnt.exe74⤵PID:3576
-
\??\c:\7jvvd.exec:\7jvvd.exe75⤵PID:3916
-
\??\c:\jvvvp.exec:\jvvvp.exe76⤵PID:5048
-
\??\c:\xlfllrl.exec:\xlfllrl.exe77⤵PID:836
-
\??\c:\tnbbhh.exec:\tnbbhh.exe78⤵PID:1176
-
\??\c:\7djdv.exec:\7djdv.exe79⤵PID:2068
-
\??\c:\rlxxrxx.exec:\rlxxrxx.exe80⤵PID:1636
-
\??\c:\rlrlflf.exec:\rlrlflf.exe81⤵PID:1668
-
\??\c:\bnbbtt.exec:\bnbbtt.exe82⤵PID:3828
-
\??\c:\pjjjd.exec:\pjjjd.exe83⤵PID:1524
-
\??\c:\dvddp.exec:\dvddp.exe84⤵PID:1072
-
\??\c:\3xfxflr.exec:\3xfxflr.exe85⤵PID:1100
-
\??\c:\bbttnt.exec:\bbttnt.exe86⤵PID:2360
-
\??\c:\1jdvp.exec:\1jdvp.exe87⤵PID:2556
-
\??\c:\fxlfxff.exec:\fxlfxff.exe88⤵PID:4340
-
\??\c:\rlllrrr.exec:\rlllrrr.exe89⤵PID:1192
-
\??\c:\nbbtnn.exec:\nbbtnn.exe90⤵PID:4984
-
\??\c:\vjvvv.exec:\vjvvv.exe91⤵PID:372
-
\??\c:\ffrlrrr.exec:\ffrlrrr.exe92⤵PID:1924
-
\??\c:\bhhhbb.exec:\bhhhbb.exe93⤵PID:1020
-
\??\c:\5nhbbt.exec:\5nhbbt.exe94⤵PID:1556
-
\??\c:\vvdvv.exec:\vvdvv.exe95⤵PID:4520
-
\??\c:\xlrrlrr.exec:\xlrrlrr.exe96⤵PID:4720
-
\??\c:\bbhbtt.exec:\bbhbtt.exe97⤵PID:4748
-
\??\c:\thtnnn.exec:\thtnnn.exe98⤵PID:1660
-
\??\c:\djjjd.exec:\djjjd.exe99⤵PID:2256
-
\??\c:\5xllffx.exec:\5xllffx.exe100⤵PID:4024
-
\??\c:\lffxrll.exec:\lffxrll.exe101⤵PID:2008
-
\??\c:\nbnbtt.exec:\nbnbtt.exe102⤵PID:3004
-
\??\c:\djvvv.exec:\djvvv.exe103⤵PID:792
-
\??\c:\lfffxxf.exec:\lfffxxf.exe104⤵PID:4772
-
\??\c:\bthtnh.exec:\bthtnh.exe105⤵PID:4368
-
\??\c:\pjdjd.exec:\pjdjd.exe106⤵PID:3600
-
\??\c:\5xxrlrl.exec:\5xxrlrl.exe107⤵PID:1128
-
\??\c:\thtnhh.exec:\thtnhh.exe108⤵PID:408
-
\??\c:\nnnnhn.exec:\nnnnhn.exe109⤵PID:4812
-
\??\c:\jdjdv.exec:\jdjdv.exe110⤵PID:2328
-
\??\c:\rrlxrrl.exec:\rrlxrrl.exe111⤵PID:4552
-
\??\c:\ttbbnn.exec:\ttbbnn.exe112⤵PID:2248
-
\??\c:\7vddd.exec:\7vddd.exe113⤵PID:3408
-
\??\c:\xrxxxxr.exec:\xrxxxxr.exe114⤵PID:4768
-
\??\c:\bnnbtt.exec:\bnnbtt.exe115⤵PID:3888
-
\??\c:\3vpjd.exec:\3vpjd.exe116⤵PID:1840
-
\??\c:\rxrlxff.exec:\rxrlxff.exe117⤵PID:3212
-
\??\c:\nbtttb.exec:\nbtttb.exe118⤵PID:2996
-
\??\c:\jjjvp.exec:\jjjvp.exe119⤵PID:3116
-
\??\c:\xlrrfll.exec:\xlrrfll.exe120⤵PID:4816
-
\??\c:\tnbbbb.exec:\tnbbbb.exe121⤵PID:3984
-
\??\c:\5dppp.exec:\5dppp.exe122⤵PID:4472