Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 00:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe
-
Size
454KB
-
MD5
b036505ebf60c8f0230f81975d087120
-
SHA1
1c37276dd747912a29b1e5182633e5d14a02dd8a
-
SHA256
c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17df
-
SHA512
f2f292589e649088d1955158a9b7368435cb1875fa1c5e365f1530105a1aac10f84b116de5653f640ee75e074000d986b539bae76b821fb2a53f744cd364a38c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload — 62 IoCs (YARA rule `family_blackmoon` matched on in-memory dumps, not on the file on disk)
resource yara_rule behavioral2/memory/1684-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/408-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3884-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-964-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-998-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-1223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-1480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1536 9lfrfrr.exe 2244 1hbthh.exe 2664 9pvpp.exe 3348 xxxxffr.exe 3836 llrlxrr.exe 2416 httnbt.exe 4816 vddpd.exe 1812 jvvjv.exe 1112 btnbhb.exe 1432 bttntn.exe 1272 xxxlrrf.exe 2804 djpjd.exe 3708 llfrfrl.exe 404 htnbbn.exe 4372 vdvpd.exe 2380 7nhthb.exe 5108 9rlxfxf.exe 1960 xlflxrf.exe 4980 pvvjd.exe 2876 3jdvp.exe 2596 1bbnnh.exe 2676 7dvjv.exe 3384 5llfrrl.exe 1940 nhnntt.exe 368 vjjdv.exe 2816 fllfxxx.exe 408 btntnn.exe 3436 rlflfff.exe 3368 5pjdv.exe 2856 xrrlffx.exe 904 jdjdd.exe 4588 rfxxrlx.exe 5084 3hnhhh.exe 1088 vppjd.exe 4364 flffxxr.exe 1496 nhbhtb.exe 3180 jjdvp.exe 4684 rfxxlfx.exe 1472 fflfrrl.exe 4304 nbbttn.exe 1848 dpdpj.exe 1684 7rlrfxf.exe 4784 xllxrxl.exe 3516 bnnhbt.exe 1668 vjvpj.exe 4004 frxxxrr.exe 4732 nhthht.exe 2672 jjjdv.exe 2932 xlrfrrx.exe 3996 nbbbtt.exe 520 hhnhtn.exe 880 jdpdv.exe 4036 vvjvd.exe 3156 9ffxllf.exe 2328 5hhhbb.exe 2068 pjpjp.exe 4244 rfllxrx.exe 2436 bntnbb.exe 1400 bbnbnb.exe 3456 dvjpj.exe 4380 rlrrfxl.exe 212 nhhnnh.exe 4372 1vvpd.exe 4488 vjpdv.exe -
resource yara_rule behavioral2/memory/1684-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3436-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-384-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5084-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-900-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-964-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-998-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-1026-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-1223-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (reads HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxlfx.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1684 wrote to memory of 1536 1684 c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe 83 PID 1684 wrote to memory of 1536 1684 c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe 83 PID 1684 wrote to memory of 1536 1684 c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe 83 PID 1536 wrote to memory of 2244 1536 9lfrfrr.exe 84 PID 1536 wrote to memory of 2244 1536 9lfrfrr.exe 84 PID 1536 wrote to memory of 2244 1536 9lfrfrr.exe 84 PID 2244 wrote to memory of 2664 2244 1hbthh.exe 85 PID 2244 wrote to memory of 2664 2244 1hbthh.exe 85 PID 2244 wrote to memory of 2664 2244 1hbthh.exe 85 PID 2664 wrote to memory of 3348 2664 9pvpp.exe 86 PID 2664 wrote to memory of 3348 2664 9pvpp.exe 86 PID 2664 wrote to memory of 3348 2664 9pvpp.exe 86 PID 3348 wrote to memory of 3836 3348 xxxxffr.exe 87 PID 3348 wrote to memory of 3836 3348 xxxxffr.exe 87 PID 3348 wrote to memory of 3836 3348 xxxxffr.exe 87 PID 3836 wrote to memory of 2416 3836 llrlxrr.exe 88 PID 3836 wrote to memory of 2416 3836 llrlxrr.exe 88 PID 3836 wrote to memory of 2416 3836 llrlxrr.exe 88 PID 2416 wrote to memory of 4816 2416 httnbt.exe 89 PID 2416 wrote to memory of 4816 2416 httnbt.exe 89 PID 2416 wrote to memory of 4816 2416 httnbt.exe 89 PID 4816 wrote to memory of 1812 4816 vddpd.exe 90 PID 4816 wrote to memory of 1812 4816 vddpd.exe 90 PID 4816 wrote to memory of 1812 4816 vddpd.exe 90 PID 1812 wrote to memory of 1112 1812 jvvjv.exe 91 PID 1812 wrote to memory of 1112 1812 jvvjv.exe 91 PID 1812 wrote to memory of 1112 1812 jvvjv.exe 91 PID 1112 wrote to memory of 1432 1112 btnbhb.exe 92 PID 1112 wrote to memory of 1432 1112 btnbhb.exe 92 PID 1112 wrote to memory of 1432 1112 btnbhb.exe 92 PID 1432 wrote to memory of 1272 1432 bttntn.exe 93 PID 1432 wrote to memory of 1272 1432 bttntn.exe 93 PID 1432 wrote to memory of 1272 1432 bttntn.exe 93 PID 1272 wrote to memory of 2804 1272 xxxlrrf.exe 94 PID 1272 wrote 
to memory of 2804 1272 xxxlrrf.exe 94 PID 1272 wrote to memory of 2804 1272 xxxlrrf.exe 94 PID 2804 wrote to memory of 3708 2804 djpjd.exe 95 PID 2804 wrote to memory of 3708 2804 djpjd.exe 95 PID 2804 wrote to memory of 3708 2804 djpjd.exe 95 PID 3708 wrote to memory of 404 3708 llfrfrl.exe 96 PID 3708 wrote to memory of 404 3708 llfrfrl.exe 96 PID 3708 wrote to memory of 404 3708 llfrfrl.exe 96 PID 404 wrote to memory of 4372 404 htnbbn.exe 97 PID 404 wrote to memory of 4372 404 htnbbn.exe 97 PID 404 wrote to memory of 4372 404 htnbbn.exe 97 PID 4372 wrote to memory of 2380 4372 vdvpd.exe 98 PID 4372 wrote to memory of 2380 4372 vdvpd.exe 98 PID 4372 wrote to memory of 2380 4372 vdvpd.exe 98 PID 2380 wrote to memory of 5108 2380 7nhthb.exe 99 PID 2380 wrote to memory of 5108 2380 7nhthb.exe 99 PID 2380 wrote to memory of 5108 2380 7nhthb.exe 99 PID 5108 wrote to memory of 1960 5108 9rlxfxf.exe 100 PID 5108 wrote to memory of 1960 5108 9rlxfxf.exe 100 PID 5108 wrote to memory of 1960 5108 9rlxfxf.exe 100 PID 1960 wrote to memory of 4980 1960 xlflxrf.exe 101 PID 1960 wrote to memory of 4980 1960 xlflxrf.exe 101 PID 1960 wrote to memory of 4980 1960 xlflxrf.exe 101 PID 4980 wrote to memory of 2876 4980 pvvjd.exe 102 PID 4980 wrote to memory of 2876 4980 pvvjd.exe 102 PID 4980 wrote to memory of 2876 4980 pvvjd.exe 102 PID 2876 wrote to memory of 2596 2876 3jdvp.exe 103 PID 2876 wrote to memory of 2596 2876 3jdvp.exe 103 PID 2876 wrote to memory of 2596 2876 3jdvp.exe 103 PID 2596 wrote to memory of 2676 2596 1bbnnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe "C:\Users\Admin\AppData\Local\Temp\c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\9lfrfrr.exec:\9lfrfrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\1hbthh.exec:\1hbthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\9pvpp.exec:\9pvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\xxxxffr.exec:\xxxxffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\llrlxrr.exec:\llrlxrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\httnbt.exec:\httnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\vddpd.exec:\vddpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\jvvjv.exec:\jvvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\btnbhb.exec:\btnbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\bttntn.exec:\bttntn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\xxxlrrf.exec:\xxxlrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\djpjd.exec:\djpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\llfrfrl.exec:\llfrfrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\htnbbn.exec:\htnbbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\vdvpd.exec:\vdvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\7nhthb.exec:\7nhthb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\9rlxfxf.exec:\9rlxfxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\xlflxrf.exec:\xlflxrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\pvvjd.exec:\pvvjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\3jdvp.exec:\3jdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\1bbnnh.exec:\1bbnnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\7dvjv.exec:\7dvjv.exe23⤵
- Executes dropped EXE
PID:2676 -
\??\c:\5llfrrl.exec:\5llfrrl.exe24⤵
- Executes dropped EXE
PID:3384 -
\??\c:\nhnntt.exec:\nhnntt.exe25⤵
- Executes dropped EXE
PID:1940 -
\??\c:\vjjdv.exec:\vjjdv.exe26⤵
- Executes dropped EXE
PID:368 -
\??\c:\fllfxxx.exec:\fllfxxx.exe27⤵
- Executes dropped EXE
PID:2816 -
\??\c:\btntnn.exec:\btntnn.exe28⤵
- Executes dropped EXE
PID:408 -
\??\c:\rlflfff.exec:\rlflfff.exe29⤵
- Executes dropped EXE
PID:3436 -
\??\c:\5pjdv.exec:\5pjdv.exe30⤵
- Executes dropped EXE
PID:3368 -
\??\c:\xrrlffx.exec:\xrrlffx.exe31⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jdjdd.exec:\jdjdd.exe32⤵
- Executes dropped EXE
PID:904 -
\??\c:\rfxxrlx.exec:\rfxxrlx.exe33⤵
- Executes dropped EXE
PID:4588 -
\??\c:\3hnhhh.exec:\3hnhhh.exe34⤵
- Executes dropped EXE
PID:5084 -
\??\c:\vppjd.exec:\vppjd.exe35⤵
- Executes dropped EXE
PID:1088 -
\??\c:\flffxxr.exec:\flffxxr.exe36⤵
- Executes dropped EXE
PID:4364 -
\??\c:\nhbhtb.exec:\nhbhtb.exe37⤵
- Executes dropped EXE
PID:1496 -
\??\c:\jjdvp.exec:\jjdvp.exe38⤵
- Executes dropped EXE
PID:3180 -
\??\c:\rfxxlfx.exec:\rfxxlfx.exe39⤵
- Executes dropped EXE
PID:4684 -
\??\c:\fflfrrl.exec:\fflfrrl.exe40⤵
- Executes dropped EXE
PID:1472 -
\??\c:\nbbttn.exec:\nbbttn.exe41⤵
- Executes dropped EXE
PID:4304 -
\??\c:\dpdpj.exec:\dpdpj.exe42⤵
- Executes dropped EXE
PID:1848 -
\??\c:\7rlrfxf.exec:\7rlrfxf.exe43⤵
- Executes dropped EXE
PID:1684 -
\??\c:\xllxrxl.exec:\xllxrxl.exe44⤵
- Executes dropped EXE
PID:4784 -
\??\c:\bnnhbt.exec:\bnnhbt.exe45⤵
- Executes dropped EXE
PID:3516 -
\??\c:\vjvpj.exec:\vjvpj.exe46⤵
- Executes dropped EXE
PID:1668 -
\??\c:\frxxxrr.exec:\frxxxrr.exe47⤵
- Executes dropped EXE
PID:4004 -
\??\c:\nhthht.exec:\nhthht.exe48⤵
- Executes dropped EXE
PID:4732 -
\??\c:\jjjdv.exec:\jjjdv.exe49⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xlrfrrx.exec:\xlrfrrx.exe50⤵
- Executes dropped EXE
PID:2932 -
\??\c:\nbbbtt.exec:\nbbbtt.exe51⤵
- Executes dropped EXE
PID:3996 -
\??\c:\hhnhtn.exec:\hhnhtn.exe52⤵
- Executes dropped EXE
PID:520 -
\??\c:\jdpdv.exec:\jdpdv.exe53⤵
- Executes dropped EXE
PID:880 -
\??\c:\vvjvd.exec:\vvjvd.exe54⤵
- Executes dropped EXE
PID:4036 -
\??\c:\9ffxllf.exec:\9ffxllf.exe55⤵
- Executes dropped EXE
PID:3156 -
\??\c:\5hhhbb.exec:\5hhhbb.exe56⤵
- Executes dropped EXE
PID:2328 -
\??\c:\pjpjp.exec:\pjpjp.exe57⤵
- Executes dropped EXE
PID:2068 -
\??\c:\rfllxrx.exec:\rfllxrx.exe58⤵
- Executes dropped EXE
PID:4244 -
\??\c:\bntnbb.exec:\bntnbb.exe59⤵
- Executes dropped EXE
PID:2436 -
\??\c:\bbnbnb.exec:\bbnbnb.exe60⤵
- Executes dropped EXE
PID:1400 -
\??\c:\dvjpj.exec:\dvjpj.exe61⤵
- Executes dropped EXE
PID:3456 -
\??\c:\rlrrfxl.exec:\rlrrfxl.exe62⤵
- Executes dropped EXE
PID:4380 -
\??\c:\nhhnnh.exec:\nhhnnh.exe63⤵
- Executes dropped EXE
PID:212 -
\??\c:\1vvpd.exec:\1vvpd.exe64⤵
- Executes dropped EXE
PID:4372 -
\??\c:\vjpdv.exec:\vjpdv.exe65⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hhhhhb.exec:\hhhhhb.exe66⤵PID:4976
-
\??\c:\httnbt.exec:\httnbt.exe67⤵PID:996
-
\??\c:\dvjdp.exec:\dvjdp.exe68⤵PID:4980
-
\??\c:\lrlxlxl.exec:\lrlxlxl.exe69⤵PID:232
-
\??\c:\3tnhbn.exec:\3tnhbn.exe70⤵PID:4328
-
\??\c:\vdpvj.exec:\vdpvj.exe71⤵PID:1524
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe72⤵PID:1852
-
\??\c:\nhhbbb.exec:\nhhbbb.exe73⤵PID:1816
-
\??\c:\pjppj.exec:\pjppj.exe74⤵PID:3904
-
\??\c:\djjvp.exec:\djjvp.exe75⤵PID:644
-
\??\c:\lflfrrl.exec:\lflfrrl.exe76⤵PID:1892
-
\??\c:\nbhbtt.exec:\nbhbtt.exe77⤵PID:2320
-
\??\c:\djppd.exec:\djppd.exe78⤵PID:3008
-
\??\c:\flrlxrl.exec:\flrlxrl.exe79⤵PID:2588
-
\??\c:\hbbnhh.exec:\hbbnhh.exe80⤵PID:3884
-
\??\c:\tnttnn.exec:\tnttnn.exe81⤵PID:64
-
\??\c:\vppdp.exec:\vppdp.exe82⤵PID:944
-
\??\c:\rffxlfx.exec:\rffxlfx.exe83⤵PID:1324
-
\??\c:\nhtttt.exec:\nhtttt.exe84⤵PID:5008
-
\??\c:\bbbbnn.exec:\bbbbnn.exe85⤵PID:4108
-
\??\c:\dvpdp.exec:\dvpdp.exe86⤵PID:2808
-
\??\c:\3lfxlff.exec:\3lfxlff.exe87⤵PID:3368
-
\??\c:\btnhth.exec:\btnhth.exe88⤵PID:4428
-
\??\c:\htnbnn.exec:\htnbnn.exe89⤵PID:3780
-
\??\c:\djpdp.exec:\djpdp.exe90⤵PID:4768
-
\??\c:\lxrflrl.exec:\lxrflrl.exe91⤵PID:2384
-
\??\c:\5nhnbt.exec:\5nhnbt.exe92⤵PID:5084
-
\??\c:\pvpjd.exec:\pvpjd.exe93⤵PID:1088
-
\??\c:\lrlxrrr.exec:\lrlxrrr.exe94⤵PID:1908
-
\??\c:\xlrffxr.exec:\xlrffxr.exe95⤵PID:1288
-
\??\c:\nbhbnh.exec:\nbhbnh.exe96⤵PID:8
-
\??\c:\vjdvj.exec:\vjdvj.exe97⤵PID:4368
-
\??\c:\lflfrrf.exec:\lflfrrf.exe98⤵PID:4288
-
\??\c:\nbhbnn.exec:\nbhbnn.exe99⤵PID:4176
-
\??\c:\bbhbbb.exec:\bbhbbb.exe100⤵PID:3268
-
\??\c:\vppdp.exec:\vppdp.exe101⤵PID:1560
-
\??\c:\vvjvp.exec:\vvjvp.exe102⤵PID:4512
-
\??\c:\rfxxllf.exec:\rfxxllf.exe103⤵PID:1536
-
\??\c:\5tbtnh.exec:\5tbtnh.exe104⤵PID:3592
-
\??\c:\vpvpp.exec:\vpvpp.exe105⤵PID:2796
-
\??\c:\rlxxxxf.exec:\rlxxxxf.exe106⤵PID:1428
-
\??\c:\fxxxrxx.exec:\fxxxrxx.exe107⤵PID:1456
-
\??\c:\thttnh.exec:\thttnh.exe108⤵PID:4004
-
\??\c:\jvvpv.exec:\jvvpv.exe109⤵PID:1124
-
\??\c:\dvdpp.exec:\dvdpp.exe110⤵PID:736
-
\??\c:\lxfrfxr.exec:\lxfrfxr.exe111⤵PID:4728
-
\??\c:\tbnhbb.exec:\tbnhbb.exe112⤵PID:4560
-
\??\c:\vpdpp.exec:\vpdpp.exe113⤵PID:628
-
\??\c:\rlrlxrr.exec:\rlrlxrr.exe114⤵PID:3112
-
\??\c:\lfrlrrl.exec:\lfrlrrl.exe115⤵PID:4392
-
\??\c:\hbtnhh.exec:\hbtnhh.exe116⤵PID:4828
-
\??\c:\vddvp.exec:\vddvp.exe117⤵PID:772
-
\??\c:\fxfrlfx.exec:\fxfrlfx.exe118⤵PID:2328
-
\??\c:\nhhtnh.exec:\nhhtnh.exe119⤵PID:2068
-
\??\c:\dvvdd.exec:\dvvdd.exe120⤵PID:220
-
\??\c:\xlllxrr.exec:\xlllxrr.exe121⤵PID:2104
-
\??\c:\nbhtht.exec:\nbhtht.exe122⤵PID:2120