Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 03:34
Behavioral task
behavioral1
Sample
dbb7520714957ec7de227fda0f2dcca09fdd3f01ee7417850ca6e4edd0be46d9.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
dbb7520714957ec7de227fda0f2dcca09fdd3f01ee7417850ca6e4edd0be46d9.exe
-
Size
334KB
-
MD5
164b41a849393e5935e7b9ba189ea346
-
SHA1
1b5c6b50c1898e9567ec876a32d891ab28d72165
-
SHA256
dbb7520714957ec7de227fda0f2dcca09fdd3f01ee7417850ca6e4edd0be46d9
-
SHA512
9027258e41e7d58bb986ba9435d15a726dcc4b5c4483c3694cb360bdf294385b1f171b083aa0d0fac1ffb78a0c20cdca3144ba7791139dbd103a8b97f02b5514
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tx:94wFHoStJdSjylh2b77BoTMA9gX59sT5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4976-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1888-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/180-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3208-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3032-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2460-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1136-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3880-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2108-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1312-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1600-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4012-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/212-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/324-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1564-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2604-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2784-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4524-427-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-572-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/772-730-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3776-800-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-917-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3876-1116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4276 pjvvj.exe 2184 rlrxrrl.exe 2104 dvppp.exe 1888 tnbbbh.exe 1020 vpvpj.exe 1152 hnttth.exe 180 djppp.exe 2476 ttnbtn.exe 3984 rrxlfxx.exe 4936 3nhbtt.exe 3316 bbnnbb.exe 4340 jpvjv.exe 3208 nbbbtn.exe 232 hthhhh.exe 4716 rllxllf.exe 4376 hnnhbt.exe 4428 5bbbtt.exe 1536 dvjjd.exe 3032 fxxrlxx.exe 4148 fllfxlf.exe 3652 bbbtnn.exe 3472 ffrrxxl.exe 4092 thhbbb.exe 2300 vddvp.exe 768 rflffxx.exe 1680 fffxxrl.exe 2460 bbnhbt.exe 1136 jpvjd.exe 2148 xrxlffl.exe 3880 dvvjv.exe 2360 rlrfxrl.exe 3988 vdjvv.exe 760 dvddd.exe 4160 xxllrll.exe 812 hnttnn.exe 3376 lxrfrll.exe 4156 htbtnh.exe 2108 pjjvp.exe 3976 9rxrffx.exe 1312 7llllrr.exe 3304 bhnbnn.exe 1600 hnttnb.exe 4980 jjddd.exe 2152 xxxfxlr.exe 4184 9fffxlf.exe 1340 nnnbtt.exe 2960 3llfrff.exe 4700 lxrrlll.exe 436 tntnhh.exe 5084 nnbtbb.exe 2948 vvvdp.exe 4012 jdppd.exe 1428 xlrlflf.exe 4616 hbnnhh.exe 3612 pvjdj.exe 4772 dppjv.exe 2336 rrrrlll.exe 2124 llrfxrl.exe 4492 nhtbbb.exe 3048 vvdvj.exe 3728 xxfrllf.exe 4480 lfxxrxr.exe 2780 3hnhnn.exe 964 3djdv.exe -
resource yara_rule behavioral2/memory/4976-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bb1-3.dat upx behavioral2/memory/4276-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4976-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9a-9.dat upx behavioral2/memory/4276-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-14.dat upx behavioral2/memory/2184-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2104-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-21.dat upx behavioral2/files/0x0007000000023c9e-24.dat upx behavioral2/memory/1888-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-29.dat upx behavioral2/files/0x0007000000023ca0-33.dat upx behavioral2/memory/1152-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/180-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-39.dat upx behavioral2/files/0x0007000000023ca2-43.dat upx behavioral2/files/0x0007000000023ca3-48.dat upx behavioral2/memory/4936-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3984-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-54.dat upx behavioral2/memory/3316-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-58.dat upx behavioral2/memory/4340-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-63.dat upx behavioral2/files/0x0007000000023ca7-67.dat upx behavioral2/memory/3208-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-72.dat upx behavioral2/files/0x0007000000023ca9-78.dat upx behavioral2/files/0x0007000000023caa-83.dat upx 
behavioral2/memory/4428-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-88.dat upx behavioral2/memory/3032-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c98-92.dat upx behavioral2/memory/232-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4716-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-96.dat upx behavioral2/memory/4148-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-101.dat upx behavioral2/files/0x0007000000023caf-106.dat upx behavioral2/memory/3652-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3472-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-111.dat upx behavioral2/files/0x0007000000023cb1-115.dat upx behavioral2/files/0x0007000000023cb2-119.dat upx behavioral2/memory/768-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-124.dat upx behavioral2/files/0x0007000000023cb4-128.dat upx behavioral2/files/0x0007000000023cb5-132.dat upx behavioral2/files/0x0007000000023cb6-139.dat upx behavioral2/memory/2460-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1136-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-143.dat upx behavioral2/files/0x0007000000023cb8-147.dat upx behavioral2/memory/3880-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-151.dat upx behavioral2/memory/2360-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/760-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2108-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1312-174-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1600-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4184-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4184-187-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frllfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlfxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4976 wrote to memory of 4276 4976 dbb7520714957ec7de227fda0f2dcca09fdd3f01ee7417850ca6e4edd0be46d9.exe 83 PID 4976 wrote to memory of 4276 4976 dbb7520714957ec7de227fda0f2dcca09fdd3f01ee7417850ca6e4edd0be46d9.exe 83 PID 4976 wrote to memory of 4276 4976 dbb7520714957ec7de227fda0f2dcca09fdd3f01ee7417850ca6e4edd0be46d9.exe 83 PID 4276 wrote to memory of 2184 4276 pjvvj.exe 84 PID 4276 wrote to memory of 2184 4276 pjvvj.exe 84 PID 4276 wrote to memory of 2184 4276 pjvvj.exe 84 PID 2184 wrote to memory of 2104 2184 rlrxrrl.exe 85 PID 2184 wrote to memory of 2104 2184 rlrxrrl.exe 85 PID 2184 wrote to memory of 2104 2184 rlrxrrl.exe 85 PID 2104 wrote to memory of 1888 2104 dvppp.exe 86 PID 2104 wrote to memory of 1888 2104 dvppp.exe 86 PID 2104 wrote to memory of 1888 2104 dvppp.exe 86 PID 1888 wrote to memory of 1020 1888 tnbbbh.exe 87 PID 1888 wrote to memory of 1020 1888 tnbbbh.exe 87 PID 1888 wrote to memory of 1020 1888 tnbbbh.exe 87 PID 1020 wrote to memory of 1152 1020 vpvpj.exe 88 PID 1020 wrote to memory of 1152 1020 vpvpj.exe 88 PID 1020 wrote to memory of 1152 1020 vpvpj.exe 88 PID 1152 wrote to memory of 180 1152 hnttth.exe 89 PID 1152 wrote to memory of 180 1152 hnttth.exe 89 PID 1152 wrote to memory of 180 1152 hnttth.exe 89 PID 180 wrote to memory of 2476 180 djppp.exe 90 PID 180 wrote to memory of 2476 180 djppp.exe 90 PID 180 wrote to memory of 2476 180 djppp.exe 90 PID 2476 wrote to memory of 3984 2476 ttnbtn.exe 91 PID 2476 wrote to memory of 3984 2476 ttnbtn.exe 91 PID 2476 wrote to memory of 3984 2476 ttnbtn.exe 91 PID 3984 wrote to memory of 4936 3984 rrxlfxx.exe 92 PID 3984 wrote to memory of 4936 3984 rrxlfxx.exe 92 PID 3984 wrote to memory of 4936 3984 rrxlfxx.exe 92 PID 4936 wrote to memory of 3316 4936 3nhbtt.exe 93 PID 4936 wrote to memory of 3316 4936 3nhbtt.exe 93 PID 4936 wrote to memory of 3316 4936 3nhbtt.exe 93 PID 3316 wrote to memory of 4340 3316 bbnnbb.exe 94 PID 3316 wrote to memory of 4340 
3316 bbnnbb.exe 94 PID 3316 wrote to memory of 4340 3316 bbnnbb.exe 94 PID 4340 wrote to memory of 3208 4340 jpvjv.exe 95 PID 4340 wrote to memory of 3208 4340 jpvjv.exe 95 PID 4340 wrote to memory of 3208 4340 jpvjv.exe 95 PID 3208 wrote to memory of 232 3208 nbbbtn.exe 96 PID 3208 wrote to memory of 232 3208 nbbbtn.exe 96 PID 3208 wrote to memory of 232 3208 nbbbtn.exe 96 PID 232 wrote to memory of 4716 232 hthhhh.exe 97 PID 232 wrote to memory of 4716 232 hthhhh.exe 97 PID 232 wrote to memory of 4716 232 hthhhh.exe 97 PID 4716 wrote to memory of 4376 4716 rllxllf.exe 98 PID 4716 wrote to memory of 4376 4716 rllxllf.exe 98 PID 4716 wrote to memory of 4376 4716 rllxllf.exe 98 PID 4376 wrote to memory of 4428 4376 hnnhbt.exe 99 PID 4376 wrote to memory of 4428 4376 hnnhbt.exe 99 PID 4376 wrote to memory of 4428 4376 hnnhbt.exe 99 PID 4428 wrote to memory of 1536 4428 5bbbtt.exe 100 PID 4428 wrote to memory of 1536 4428 5bbbtt.exe 100 PID 4428 wrote to memory of 1536 4428 5bbbtt.exe 100 PID 1536 wrote to memory of 3032 1536 dvjjd.exe 101 PID 1536 wrote to memory of 3032 1536 dvjjd.exe 101 PID 1536 wrote to memory of 3032 1536 dvjjd.exe 101 PID 3032 wrote to memory of 4148 3032 fxxrlxx.exe 102 PID 3032 wrote to memory of 4148 3032 fxxrlxx.exe 102 PID 3032 wrote to memory of 4148 3032 fxxrlxx.exe 102 PID 4148 wrote to memory of 3652 4148 fllfxlf.exe 103 PID 4148 wrote to memory of 3652 4148 fllfxlf.exe 103 PID 4148 wrote to memory of 3652 4148 fllfxlf.exe 103 PID 3652 wrote to memory of 3472 3652 bbbtnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbb7520714957ec7de227fda0f2dcca09fdd3f01ee7417850ca6e4edd0be46d9.exe"C:\Users\Admin\AppData\Local\Temp\dbb7520714957ec7de227fda0f2dcca09fdd3f01ee7417850ca6e4edd0be46d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\pjvvj.exec:\pjvvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\rlrxrrl.exec:\rlrxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\dvppp.exec:\dvppp.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\tnbbbh.exec:\tnbbbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\vpvpj.exec:\vpvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\hnttth.exec:\hnttth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\djppp.exec:\djppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\ttnbtn.exec:\ttnbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\rrxlfxx.exec:\rrxlfxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\3nhbtt.exec:\3nhbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\bbnnbb.exec:\bbnnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\jpvjv.exec:\jpvjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\nbbbtn.exec:\nbbbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\hthhhh.exec:\hthhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\rllxllf.exec:\rllxllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\hnnhbt.exec:\hnnhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\5bbbtt.exec:\5bbbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\dvjjd.exec:\dvjjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\fxxrlxx.exec:\fxxrlxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\fllfxlf.exec:\fllfxlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\bbbtnn.exec:\bbbtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\ffrrxxl.exec:\ffrrxxl.exe23⤵
- Executes dropped EXE
PID:3472 -
\??\c:\thhbbb.exec:\thhbbb.exe24⤵
- Executes dropped EXE
PID:4092 -
\??\c:\vddvp.exec:\vddvp.exe25⤵
- Executes dropped EXE
PID:2300 -
\??\c:\rflffxx.exec:\rflffxx.exe26⤵
- Executes dropped EXE
PID:768 -
\??\c:\fffxxrl.exec:\fffxxrl.exe27⤵
- Executes dropped EXE
PID:1680 -
\??\c:\bbnhbt.exec:\bbnhbt.exe28⤵
- Executes dropped EXE
PID:2460 -
\??\c:\jpvjd.exec:\jpvjd.exe29⤵
- Executes dropped EXE
PID:1136 -
\??\c:\xrxlffl.exec:\xrxlffl.exe30⤵
- Executes dropped EXE
PID:2148 -
\??\c:\dvvjv.exec:\dvvjv.exe31⤵
- Executes dropped EXE
PID:3880 -
\??\c:\rlrfxrl.exec:\rlrfxrl.exe32⤵
- Executes dropped EXE
PID:2360 -
\??\c:\vdjvv.exec:\vdjvv.exe33⤵
- Executes dropped EXE
PID:3988 -
\??\c:\dvddd.exec:\dvddd.exe34⤵
- Executes dropped EXE
PID:760 -
\??\c:\xxllrll.exec:\xxllrll.exe35⤵
- Executes dropped EXE
PID:4160 -
\??\c:\hnttnn.exec:\hnttnn.exe36⤵
- Executes dropped EXE
PID:812 -
\??\c:\lxrfrll.exec:\lxrfrll.exe37⤵
- Executes dropped EXE
PID:3376 -
\??\c:\htbtnh.exec:\htbtnh.exe38⤵
- Executes dropped EXE
PID:4156 -
\??\c:\pjjvp.exec:\pjjvp.exe39⤵
- Executes dropped EXE
PID:2108 -
\??\c:\9rxrffx.exec:\9rxrffx.exe40⤵
- Executes dropped EXE
PID:3976 -
\??\c:\7llllrr.exec:\7llllrr.exe41⤵
- Executes dropped EXE
PID:1312 -
\??\c:\bhnbnn.exec:\bhnbnn.exe42⤵
- Executes dropped EXE
PID:3304 -
\??\c:\hnttnb.exec:\hnttnb.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600 -
\??\c:\jjddd.exec:\jjddd.exe44⤵
- Executes dropped EXE
PID:4980 -
\??\c:\xxxfxlr.exec:\xxxfxlr.exe45⤵
- Executes dropped EXE
PID:2152 -
\??\c:\9fffxlf.exec:\9fffxlf.exe46⤵
- Executes dropped EXE
PID:4184 -
\??\c:\nnnbtt.exec:\nnnbtt.exe47⤵
- Executes dropped EXE
PID:1340 -
\??\c:\3llfrff.exec:\3llfrff.exe48⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lxrrlll.exec:\lxrrlll.exe49⤵
- Executes dropped EXE
PID:4700 -
\??\c:\tntnhh.exec:\tntnhh.exe50⤵
- Executes dropped EXE
PID:436 -
\??\c:\nnbtbb.exec:\nnbtbb.exe51⤵
- Executes dropped EXE
PID:5084 -
\??\c:\vvvdp.exec:\vvvdp.exe52⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jdppd.exec:\jdppd.exe53⤵
- Executes dropped EXE
PID:4012 -
\??\c:\xlrlflf.exec:\xlrlflf.exe54⤵
- Executes dropped EXE
PID:1428 -
\??\c:\hbnnhh.exec:\hbnnhh.exe55⤵
- Executes dropped EXE
PID:4616 -
\??\c:\pvjdj.exec:\pvjdj.exe56⤵
- Executes dropped EXE
PID:3612 -
\??\c:\dppjv.exec:\dppjv.exe57⤵
- Executes dropped EXE
PID:4772 -
\??\c:\rrrrlll.exec:\rrrrlll.exe58⤵
- Executes dropped EXE
PID:2336 -
\??\c:\llrfxrl.exec:\llrfxrl.exe59⤵
- Executes dropped EXE
PID:2124 -
\??\c:\nhtbbb.exec:\nhtbbb.exe60⤵
- Executes dropped EXE
PID:4492 -
\??\c:\vvdvj.exec:\vvdvj.exe61⤵
- Executes dropped EXE
PID:3048 -
\??\c:\xxfrllf.exec:\xxfrllf.exe62⤵
- Executes dropped EXE
PID:3728 -
\??\c:\lfxxrxr.exec:\lfxxrxr.exe63⤵
- Executes dropped EXE
PID:4480 -
\??\c:\3hnhnn.exec:\3hnhnn.exe64⤵
- Executes dropped EXE
PID:2780 -
\??\c:\3djdv.exec:\3djdv.exe65⤵
- Executes dropped EXE
PID:964 -
\??\c:\dpdvp.exec:\dpdvp.exe66⤵PID:2104
-
\??\c:\flxrrll.exec:\flxrrll.exe67⤵PID:4664
-
\??\c:\bnhhbt.exec:\bnhhbt.exe68⤵PID:2296
-
\??\c:\dvvpd.exec:\dvvpd.exe69⤵PID:1996
-
\??\c:\pjpjv.exec:\pjpjv.exe70⤵PID:2524
-
\??\c:\rxfxxxr.exec:\rxfxxxr.exe71⤵PID:4452
-
\??\c:\flrrrrr.exec:\flrrrrr.exe72⤵PID:2440
-
\??\c:\3tbbtt.exec:\3tbbtt.exe73⤵PID:4420
-
\??\c:\jdvpd.exec:\jdvpd.exe74⤵PID:5060
-
\??\c:\vppdp.exec:\vppdp.exe75⤵PID:2476
-
\??\c:\xlrrrrr.exec:\xlrrrrr.exe76⤵PID:4928
-
\??\c:\fxrxllf.exec:\fxrxllf.exe77⤵PID:4940
-
\??\c:\hbhhbn.exec:\hbhhbn.exe78⤵PID:4252
-
\??\c:\dvpdv.exec:\dvpdv.exe79⤵PID:4892
-
\??\c:\lxffrlf.exec:\lxffrlf.exe80⤵PID:212
-
\??\c:\bthhhh.exec:\bthhhh.exe81⤵PID:228
-
\??\c:\tnhbhh.exec:\tnhbhh.exe82⤵PID:2976
-
\??\c:\5vvpj.exec:\5vvpj.exe83⤵PID:5044
-
\??\c:\frlfxxr.exec:\frlfxxr.exe84⤵PID:1048
-
\??\c:\llxxrlf.exec:\llxxrlf.exe85⤵PID:3816
-
\??\c:\nbnnbb.exec:\nbnnbb.exe86⤵PID:3240
-
\??\c:\tnttnn.exec:\tnttnn.exe87⤵PID:4628
-
\??\c:\xlflflx.exec:\xlflflx.exe88⤵PID:1992
-
\??\c:\xlxxxxx.exec:\xlxxxxx.exe89⤵PID:3592
-
\??\c:\thnbth.exec:\thnbth.exe90⤵PID:2680
-
\??\c:\ppjdv.exec:\ppjdv.exe91⤵PID:3584
-
\??\c:\rxlfrrf.exec:\rxlfrrf.exe92⤵PID:2196
-
\??\c:\5rrrlll.exec:\5rrrlll.exe93⤵PID:4836
-
\??\c:\nhbnnn.exec:\nhbnnn.exe94⤵PID:3472
-
\??\c:\thnnnn.exec:\thnnnn.exe95⤵PID:1944
-
\??\c:\pvdvp.exec:\pvdvp.exe96⤵PID:312
-
\??\c:\9llrlfl.exec:\9llrlfl.exe97⤵PID:324
-
\??\c:\rxfxllf.exec:\rxfxllf.exe98⤵PID:2056
-
\??\c:\7httbb.exec:\7httbb.exe99⤵PID:5108
-
\??\c:\vvdpj.exec:\vvdpj.exe100⤵PID:5000
-
\??\c:\llrlrxf.exec:\llrlrxf.exe101⤵PID:3688
-
\??\c:\xfrxxff.exec:\xfrxxff.exe102⤵PID:2100
-
\??\c:\bbttbb.exec:\bbttbb.exe103⤵PID:948
-
\??\c:\jpvvj.exec:\jpvvj.exe104⤵PID:4164
-
\??\c:\pddvp.exec:\pddvp.exe105⤵PID:3012
-
\??\c:\rrlfxrl.exec:\rrlfxrl.exe106⤵PID:2112
-
\??\c:\hhnhbb.exec:\hhnhbb.exe107⤵PID:3460
-
\??\c:\thtnhh.exec:\thtnhh.exe108⤵PID:3872
-
\??\c:\pddvj.exec:\pddvj.exe109⤵PID:3044
-
\??\c:\xrxxrrx.exec:\xrxxrrx.exe110⤵PID:4592
-
\??\c:\nnntnh.exec:\nnntnh.exe111⤵PID:4160
-
\??\c:\nhhbnh.exec:\nhhbnh.exe112⤵PID:4152
-
\??\c:\pdjjd.exec:\pdjjd.exe113⤵PID:3376
-
\??\c:\ppvpd.exec:\ppvpd.exe114⤵PID:4000
-
\??\c:\frfrrrr.exec:\frfrrrr.exe115⤵PID:4624
-
\??\c:\hbbtnh.exec:\hbbtnh.exe116⤵PID:644
-
\??\c:\hhbtbb.exec:\hhbtbb.exe117⤵PID:616
-
\??\c:\7jvpj.exec:\7jvpj.exe118⤵
- System Location Discovery: System Language Discovery
PID:1936 -
\??\c:\rfxrllf.exec:\rfxrllf.exe119⤵PID:1564
-
\??\c:\bhnnhn.exec:\bhnnhn.exe120⤵PID:2260
-
\??\c:\3tbtbt.exec:\3tbtbt.exe121⤵PID:512
-
\??\c:\jvjdd.exec:\jvjdd.exe122⤵PID:2340
-