Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:12
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
c3d27e9a9d5420bd426760bc08abab77c59a501a7be73542516668bf94e9306cN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
Note: the signature hits and process tree listed below are tagged behavioral2, and the platform header above gives windows10-2004_x64 / win10v2004-20241007-en. The IoCs on this page therefore come from the Windows 10 run, not from the win7-20240903-en task summarised here; do not attribute them to Windows 7 behaviour.
General
-
Target
c3d27e9a9d5420bd426760bc08abab77c59a501a7be73542516668bf94e9306cN.exe
-
Size
454KB
-
MD5
37d28ec91bb637c17dcd8658f19098d0
-
SHA1
1b106820cc059c92541d00b6bfc058d17bd54cdd
-
SHA256
c3d27e9a9d5420bd426760bc08abab77c59a501a7be73542516668bf94e9306c
-
SHA512
ce70ca99e30e08598f93e2f3feef5f3911c4cf83eb2e65be4fb0a843ce864be66dc2d32ebe58537538d41a1c9ee3196b90b612f2cb12a66b4eb595a7ff65d825
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs (YARA rule family_blackmoon). Every hit is on the same mapped image range 0x0000000000400000–0x000000000042A000, each in a different dropped process, and the UPX rule below fires on the same ranges; this is consistent with each dropped EXE being a copy of the same packed Blackmoon binary rather than distinct payloads. -
resource yara_rule behavioral2/memory/4988-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2220-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2008-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-1133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/372-1613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs. The dropped binaries are written to the root of the system drive with short, pseudo-random consonant-string names (e.g. c:\1hhbnh.exe, c:\rrfrfxl.exe), and each one launches the next. PIDs are reused within the run (4080 is listed for both 1bbnbb.exe and 7lrlxxl.exe; 3652, 4100, 232, 3244 and 3564 also recur in the process tree), so correlate events on PID together with process name and start time rather than on PID alone. -
pid Process 4916 1hhbnh.exe 1096 rrfrfxl.exe 3280 bbnhhb.exe 400 thbnbt.exe 4980 vdvjj.exe 112 3fxrfll.exe 1620 lfxlfff.exe 4984 dvdvj.exe 4080 1bbnbb.exe 1916 hbbthb.exe 3652 jppdp.exe 4424 vvvpp.exe 952 5ffxrlx.exe 4552 5hthtn.exe 1664 3ppjj.exe 4408 hbbttn.exe 3584 vjjdv.exe 1080 7lxrffl.exe 2244 ppjjd.exe 4100 nnnnht.exe 3012 rxfxrrr.exe 4604 thhbtn.exe 1500 xxxlxrx.exe 2220 jdddv.exe 2400 hhbnhb.exe 2060 nhhtnh.exe 4072 hnthbn.exe 232 thbnbt.exe 4780 3jjdp.exe 2368 vjdvj.exe 872 vdvjd.exe 3728 5jdpj.exe 1452 ffrllfx.exe 3716 httnbt.exe 1996 3hhhhn.exe 2468 ppvpp.exe 2136 fxxlxrl.exe 3176 7hhbnh.exe 3244 vvvjv.exe 3564 7llxrlx.exe 2036 hhbthb.exe 3656 lrxlxrl.exe 3784 tnnhbt.exe 3744 vppjv.exe 220 1frlfxr.exe 4456 rflfrlf.exe 4924 btbttt.exe 4492 flrfxrf.exe 1972 lxlfrxl.exe 5060 1bnbnh.exe 1084 3pvpj.exe 4152 llxrrrx.exe 4792 5llfxxr.exe 3188 3tnhtt.exe 4960 dvpjv.exe 5064 lrlfxxr.exe 216 nnnbbt.exe 1008 bhbnhb.exe 244 7pjjj.exe 3240 rrllxrf.exe 2064 xlrlxlf.exe 2980 ntnhtn.exe 2248 7vdpp.exe 4080 7lrlxxl.exe -
resource yara_rule behavioral2/memory/4988-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/232-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-394-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3224-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-941-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note: a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also performed by much benign software for locale lookups, so on its own this is a low-fidelity indicator; its value here is that many of the dropped processes perform it. Entries marked "Process not Found" appear to be reads the sandbox could not attribute to a still-running process by name — the PID had already exited or been reused when the event was resolved — so treat their attribution as unknown rather than as a separate process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhbtt.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. The recorded events show a strictly linear spawn chain: the original sample (PID 4988) writes to 1hhbnh.exe (4916), which writes to rrfrfxl.exe (1096), and so on, with three WriteProcessMemory events per parent→child pair. The event count by itself does not establish code injection — writes into a newly created child are also consistent with ordinary process start-up — so the indicator to pivot on is the chain of dropped-EXE parents and children, not the API count. -
description pid Process procid_target PID 4988 wrote to memory of 4916 4988 c3d27e9a9d5420bd426760bc08abab77c59a501a7be73542516668bf94e9306cN.exe 83 PID 4988 wrote to memory of 4916 4988 c3d27e9a9d5420bd426760bc08abab77c59a501a7be73542516668bf94e9306cN.exe 83 PID 4988 wrote to memory of 4916 4988 c3d27e9a9d5420bd426760bc08abab77c59a501a7be73542516668bf94e9306cN.exe 83 PID 4916 wrote to memory of 1096 4916 1hhbnh.exe 84 PID 4916 wrote to memory of 1096 4916 1hhbnh.exe 84 PID 4916 wrote to memory of 1096 4916 1hhbnh.exe 84 PID 1096 wrote to memory of 3280 1096 rrfrfxl.exe 85 PID 1096 wrote to memory of 3280 1096 rrfrfxl.exe 85 PID 1096 wrote to memory of 3280 1096 rrfrfxl.exe 85 PID 3280 wrote to memory of 400 3280 bbnhhb.exe 86 PID 3280 wrote to memory of 400 3280 bbnhhb.exe 86 PID 3280 wrote to memory of 400 3280 bbnhhb.exe 86 PID 400 wrote to memory of 4980 400 thbnbt.exe 87 PID 400 wrote to memory of 4980 400 thbnbt.exe 87 PID 400 wrote to memory of 4980 400 thbnbt.exe 87 PID 4980 wrote to memory of 112 4980 vdvjj.exe 88 PID 4980 wrote to memory of 112 4980 vdvjj.exe 88 PID 4980 wrote to memory of 112 4980 vdvjj.exe 88 PID 112 wrote to memory of 1620 112 3fxrfll.exe 89 PID 112 wrote to memory of 1620 112 3fxrfll.exe 89 PID 112 wrote to memory of 1620 112 3fxrfll.exe 89 PID 1620 wrote to memory of 4984 1620 lfxlfff.exe 90 PID 1620 wrote to memory of 4984 1620 lfxlfff.exe 90 PID 1620 wrote to memory of 4984 1620 lfxlfff.exe 90 PID 4984 wrote to memory of 4080 4984 dvdvj.exe 91 PID 4984 wrote to memory of 4080 4984 dvdvj.exe 91 PID 4984 wrote to memory of 4080 4984 dvdvj.exe 91 PID 4080 wrote to memory of 1916 4080 1bbnbb.exe 92 PID 4080 wrote to memory of 1916 4080 1bbnbb.exe 92 PID 4080 wrote to memory of 1916 4080 1bbnbb.exe 92 PID 1916 wrote to memory of 3652 1916 hbbthb.exe 93 PID 1916 wrote to memory of 3652 1916 hbbthb.exe 93 PID 1916 wrote to memory of 3652 1916 hbbthb.exe 93 PID 3652 wrote to memory of 4424 3652 jppdp.exe 94 PID 3652 wrote to memory of 4424 
3652 jppdp.exe 94 PID 3652 wrote to memory of 4424 3652 jppdp.exe 94 PID 4424 wrote to memory of 952 4424 vvvpp.exe 95 PID 4424 wrote to memory of 952 4424 vvvpp.exe 95 PID 4424 wrote to memory of 952 4424 vvvpp.exe 95 PID 952 wrote to memory of 4552 952 5ffxrlx.exe 96 PID 952 wrote to memory of 4552 952 5ffxrlx.exe 96 PID 952 wrote to memory of 4552 952 5ffxrlx.exe 96 PID 4552 wrote to memory of 1664 4552 5hthtn.exe 97 PID 4552 wrote to memory of 1664 4552 5hthtn.exe 97 PID 4552 wrote to memory of 1664 4552 5hthtn.exe 97 PID 1664 wrote to memory of 4408 1664 3ppjj.exe 98 PID 1664 wrote to memory of 4408 1664 3ppjj.exe 98 PID 1664 wrote to memory of 4408 1664 3ppjj.exe 98 PID 4408 wrote to memory of 3584 4408 hbbttn.exe 99 PID 4408 wrote to memory of 3584 4408 hbbttn.exe 99 PID 4408 wrote to memory of 3584 4408 hbbttn.exe 99 PID 3584 wrote to memory of 1080 3584 vjjdv.exe 100 PID 3584 wrote to memory of 1080 3584 vjjdv.exe 100 PID 3584 wrote to memory of 1080 3584 vjjdv.exe 100 PID 1080 wrote to memory of 2244 1080 7lxrffl.exe 101 PID 1080 wrote to memory of 2244 1080 7lxrffl.exe 101 PID 1080 wrote to memory of 2244 1080 7lxrffl.exe 101 PID 2244 wrote to memory of 4100 2244 ppjjd.exe 102 PID 2244 wrote to memory of 4100 2244 ppjjd.exe 102 PID 2244 wrote to memory of 4100 2244 ppjjd.exe 102 PID 4100 wrote to memory of 3012 4100 nnnnht.exe 103 PID 4100 wrote to memory of 3012 4100 nnnnht.exe 103 PID 4100 wrote to memory of 3012 4100 nnnnht.exe 103 PID 3012 wrote to memory of 4604 3012 rxfxrrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3d27e9a9d5420bd426760bc08abab77c59a501a7be73542516668bf94e9306cN.exe"C:\Users\Admin\AppData\Local\Temp\c3d27e9a9d5420bd426760bc08abab77c59a501a7be73542516668bf94e9306cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\1hhbnh.exec:\1hhbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\rrfrfxl.exec:\rrfrfxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\bbnhhb.exec:\bbnhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\thbnbt.exec:\thbnbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\vdvjj.exec:\vdvjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\3fxrfll.exec:\3fxrfll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\lfxlfff.exec:\lfxlfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\dvdvj.exec:\dvdvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\1bbnbb.exec:\1bbnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\hbbthb.exec:\hbbthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\jppdp.exec:\jppdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\vvvpp.exec:\vvvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\5ffxrlx.exec:\5ffxrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\5hthtn.exec:\5hthtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\3ppjj.exec:\3ppjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\hbbttn.exec:\hbbttn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\vjjdv.exec:\vjjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\7lxrffl.exec:\7lxrffl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\ppjjd.exec:\ppjjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\nnnnht.exec:\nnnnht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\thhbtn.exec:\thhbtn.exe23⤵
- Executes dropped EXE
PID:4604 -
\??\c:\xxxlxrx.exec:\xxxlxrx.exe24⤵
- Executes dropped EXE
PID:1500 -
\??\c:\jdddv.exec:\jdddv.exe25⤵
- Executes dropped EXE
PID:2220 -
\??\c:\hhbnhb.exec:\hhbnhb.exe26⤵
- Executes dropped EXE
PID:2400 -
\??\c:\nhhtnh.exec:\nhhtnh.exe27⤵
- Executes dropped EXE
PID:2060 -
\??\c:\hnthbn.exec:\hnthbn.exe28⤵
- Executes dropped EXE
PID:4072 -
\??\c:\thbnbt.exec:\thbnbt.exe29⤵
- Executes dropped EXE
PID:232 -
\??\c:\3jjdp.exec:\3jjdp.exe30⤵
- Executes dropped EXE
PID:4780 -
\??\c:\vjdvj.exec:\vjdvj.exe31⤵
- Executes dropped EXE
PID:2368 -
\??\c:\vdvjd.exec:\vdvjd.exe32⤵
- Executes dropped EXE
PID:872 -
\??\c:\5jdpj.exec:\5jdpj.exe33⤵
- Executes dropped EXE
PID:3728 -
\??\c:\ffrllfx.exec:\ffrllfx.exe34⤵
- Executes dropped EXE
PID:1452 -
\??\c:\httnbt.exec:\httnbt.exe35⤵
- Executes dropped EXE
PID:3716 -
\??\c:\3hhhhn.exec:\3hhhhn.exe36⤵
- Executes dropped EXE
PID:1996 -
\??\c:\ppvpp.exec:\ppvpp.exe37⤵
- Executes dropped EXE
PID:2468 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe38⤵
- Executes dropped EXE
PID:2136 -
\??\c:\7hhbnh.exec:\7hhbnh.exe39⤵
- Executes dropped EXE
PID:3176 -
\??\c:\vvvjv.exec:\vvvjv.exe40⤵
- Executes dropped EXE
PID:3244 -
\??\c:\7llxrlx.exec:\7llxrlx.exe41⤵
- Executes dropped EXE
PID:3564 -
\??\c:\hhbthb.exec:\hhbthb.exe42⤵
- Executes dropped EXE
PID:2036 -
\??\c:\lrxlxrl.exec:\lrxlxrl.exe43⤵
- Executes dropped EXE
PID:3656 -
\??\c:\tnnhbt.exec:\tnnhbt.exe44⤵
- Executes dropped EXE
PID:3784 -
\??\c:\vppjv.exec:\vppjv.exe45⤵
- Executes dropped EXE
PID:3744 -
\??\c:\1frlfxr.exec:\1frlfxr.exe46⤵
- Executes dropped EXE
PID:220 -
\??\c:\rflfrlf.exec:\rflfrlf.exe47⤵
- Executes dropped EXE
PID:4456 -
\??\c:\btbttt.exec:\btbttt.exe48⤵
- Executes dropped EXE
PID:4924 -
\??\c:\flrfxrf.exec:\flrfxrf.exe49⤵
- Executes dropped EXE
PID:4492 -
\??\c:\lxlfrxl.exec:\lxlfrxl.exe50⤵
- Executes dropped EXE
PID:1972 -
\??\c:\1bnbnh.exec:\1bnbnh.exe51⤵
- Executes dropped EXE
PID:5060 -
\??\c:\3pvpj.exec:\3pvpj.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1084 -
\??\c:\llxrrrx.exec:\llxrrrx.exe53⤵
- Executes dropped EXE
PID:4152 -
\??\c:\5llfxxr.exec:\5llfxxr.exe54⤵
- Executes dropped EXE
PID:4792 -
\??\c:\3tnhtt.exec:\3tnhtt.exe55⤵
- Executes dropped EXE
PID:3188 -
\??\c:\dvpjv.exec:\dvpjv.exe56⤵
- Executes dropped EXE
PID:4960 -
\??\c:\lrlfxxr.exec:\lrlfxxr.exe57⤵
- Executes dropped EXE
PID:5064 -
\??\c:\nnnbbt.exec:\nnnbbt.exe58⤵
- Executes dropped EXE
PID:216 -
\??\c:\bhbnhb.exec:\bhbnhb.exe59⤵
- Executes dropped EXE
PID:1008 -
\??\c:\7pjjj.exec:\7pjjj.exe60⤵
- Executes dropped EXE
PID:244 -
\??\c:\rrllxrf.exec:\rrllxrf.exe61⤵
- Executes dropped EXE
PID:3240 -
\??\c:\xlrlxlf.exec:\xlrlxlf.exe62⤵
- Executes dropped EXE
PID:2064 -
\??\c:\ntnhtn.exec:\ntnhtn.exe63⤵
- Executes dropped EXE
PID:2980 -
\??\c:\7vdpp.exec:\7vdpp.exe64⤵
- Executes dropped EXE
PID:2248 -
\??\c:\7lrlxxl.exec:\7lrlxxl.exe65⤵
- Executes dropped EXE
PID:4080 -
\??\c:\nnbnhb.exec:\nnbnhb.exe66⤵PID:4888
-
\??\c:\hbnbtb.exec:\hbnbtb.exe67⤵PID:320
-
\??\c:\7vjdp.exec:\7vjdp.exe68⤵PID:612
-
\??\c:\3rxfrxl.exec:\3rxfrxl.exe69⤵PID:3652
-
\??\c:\ttbtnn.exec:\ttbtnn.exe70⤵PID:1016
-
\??\c:\dddpd.exec:\dddpd.exe71⤵PID:4340
-
\??\c:\xrfxlfr.exec:\xrfxlfr.exe72⤵PID:1728
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe73⤵PID:396
-
\??\c:\bhhhtn.exec:\bhhhtn.exe74⤵PID:4444
-
\??\c:\1jpjd.exec:\1jpjd.exe75⤵PID:2568
-
\??\c:\rrrrlff.exec:\rrrrlff.exe76⤵PID:2008
-
\??\c:\bbtnhb.exec:\bbtnhb.exe77⤵PID:1600
-
\??\c:\7bbnbt.exec:\7bbnbt.exe78⤵PID:3532
-
\??\c:\jjvvj.exec:\jjvvj.exe79⤵PID:2632
-
\??\c:\5lrllff.exec:\5lrllff.exe80⤵PID:2580
-
\??\c:\7frrflf.exec:\7frrflf.exe81⤵PID:4100
-
\??\c:\nhhbtn.exec:\nhhbtn.exe82⤵PID:1308
-
\??\c:\3pvjv.exec:\3pvjv.exe83⤵PID:2356
-
\??\c:\xrrllrl.exec:\xrrllrl.exe84⤵
- System Location Discovery: System Language Discovery
PID:4604 -
\??\c:\lxrfrlf.exec:\lxrfrlf.exe85⤵PID:4460
-
\??\c:\thhbtt.exec:\thhbtt.exe86⤵PID:1752
-
\??\c:\pvppp.exec:\pvppp.exe87⤵PID:3348
-
\??\c:\vjvpp.exec:\vjvpp.exe88⤵PID:1780
-
\??\c:\1xrrffx.exec:\1xrrffx.exe89⤵PID:4076
-
\??\c:\7bbnhb.exec:\7bbnhb.exe90⤵PID:2956
-
\??\c:\djvpj.exec:\djvpj.exe91⤵PID:232
-
\??\c:\dvpdv.exec:\dvpdv.exe92⤵PID:1076
-
\??\c:\lflrlxl.exec:\lflrlxl.exe93⤵PID:920
-
\??\c:\hhnhhb.exec:\hhnhhb.exe94⤵PID:4296
-
\??\c:\vppvj.exec:\vppvj.exe95⤵PID:392
-
\??\c:\fffxrfx.exec:\fffxrfx.exe96⤵PID:3728
-
\??\c:\1nhnbb.exec:\1nhnbb.exe97⤵PID:1656
-
\??\c:\bbbtnh.exec:\bbbtnh.exe98⤵PID:2572
-
\??\c:\jpddp.exec:\jpddp.exe99⤵PID:1272
-
\??\c:\xfxlfxl.exec:\xfxlfxl.exe100⤵PID:3224
-
\??\c:\bhhhtt.exec:\bhhhtt.exe101⤵PID:1892
-
\??\c:\5nbttn.exec:\5nbttn.exe102⤵PID:3956
-
\??\c:\jddvj.exec:\jddvj.exe103⤵PID:2132
-
\??\c:\xlrlfff.exec:\xlrlfff.exe104⤵PID:3244
-
\??\c:\xxlrllx.exec:\xxlrllx.exe105⤵PID:3564
-
\??\c:\ntthhb.exec:\ntthhb.exe106⤵PID:4348
-
\??\c:\vvpjv.exec:\vvpjv.exe107⤵PID:1516
-
\??\c:\rflrxrf.exec:\rflrxrf.exe108⤵PID:972
-
\??\c:\ffrlxrf.exec:\ffrlxrf.exe109⤵PID:5052
-
\??\c:\nbtnbt.exec:\nbtnbt.exe110⤵PID:2508
-
\??\c:\djvvp.exec:\djvvp.exe111⤵PID:4804
-
\??\c:\rllxlfx.exec:\rllxlfx.exe112⤵PID:2380
-
\??\c:\fxffrxr.exec:\fxffrxr.exe113⤵PID:536
-
\??\c:\bbbbnn.exec:\bbbbnn.exe114⤵PID:1512
-
\??\c:\vdjjd.exec:\vdjjd.exe115⤵PID:3192
-
\??\c:\jdvvj.exec:\jdvvj.exe116⤵PID:540
-
\??\c:\9ffxlfr.exec:\9ffxlfr.exe117⤵PID:2968
-
\??\c:\7bntnn.exec:\7bntnn.exe118⤵PID:3288
-
\??\c:\7vpdp.exec:\7vpdp.exe119⤵PID:2816
-
\??\c:\dppjd.exec:\dppjd.exe120⤵PID:264
-
\??\c:\lfxrffx.exec:\lfxrffx.exe121⤵PID:4936
-
\??\c:\nbhthh.exec:\nbhthh.exe122⤵PID:3076
-