Analysis
-
max time kernel
150s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19/08/2024, 14:40
Behavioral task (note: this sidebar entry describes behavioral1 on the win7 image, whereas every IoC path in the signatures below is prefixed behavioral2 and the analysis header above names the win10v2004 image — the results shown on this page appear to come from the second task)
behavioral1
Sample
0be6d36383740b348e9dd512fe6e7ae0N.exe
Resource
win7-20240729-en
6 signatures
150 seconds
General
-
Target
0be6d36383740b348e9dd512fe6e7ae0N.exe
-
Size
152KB
-
MD5
0be6d36383740b348e9dd512fe6e7ae0
-
SHA1
b705c55f1b16ab0fd88f905c4e2aa5d71bf2f0ca
-
SHA256
4f6ee6acc3f10f0da5622a22152e5b41a57aa7a84ad1ba61962846ccefa3249a
-
SHA512
bb18b22fa7568d516fe870ecffc747c9e44700329558268116cb711a82cc5e112d844c3ef9fc4a35e9ebf8d478d588fac599f078ba33b0c402e83724ed2f1766
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYcvrqrE66kropO6BWlPFH4to1odtckwz2n:kcm4FmowdHoSphraHcpOFltH4to1stce
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
Note: every family_blackmoon hit is the same mapped image range (0x0000000000400000–0x0000000000427000, the default 32-bit image base) in a different PID, and the same regions plus the dropped .dat files also match the upx YARA rule further down — consistent with each dropped executable being a UPX-packed copy of one payload rather than 63 distinct payloads.
resource yara_rule behavioral2/memory/4280-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/888-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1248-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3296-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1864-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2492-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3504-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2444-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1376-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2748-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3392-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/976-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2568-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3832-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4212-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4396-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-441-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-489-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3208-499-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-521-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-537-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-568-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-597-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/680-652-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-801-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-820-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-848-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3284-1306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1088-1392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Note: PIDs are recycled within the 150 s run — 4020, 4972 and 2688 each appear for two different images in the list below, and the process tree shows further reuse (e.g. 3044, 3832) — so a PID alone does not identify a process in this report; correlate PID with image name and parent.
pid Process 4860 xlllfff.exe 4200 hbtnhh.exe 724 5nhnhh.exe 392 vpvpp.exe 4020 lfllxxx.exe 888 btttbh.exe 1248 jdvpp.exe 2304 flrllrr.exe 4960 frrrlrf.exe 4972 bnhbnt.exe 3964 dppjj.exe 4844 fffrfxl.exe 3044 tbnnhh.exe 2732 nbhbtt.exe 2384 vvvvp.exe 4644 rxrlrlr.exe 2688 hbbtnn.exe 1496 djdpj.exe 3832 ffxxrrr.exe 4128 hthbtb.exe 4004 pjvvd.exe 1864 rlxrlxx.exe 3296 rrrlfxr.exe 1736 tbnbbt.exe 4652 jjjdv.exe 2492 lrrlxlf.exe 3504 hbnhbh.exe 2280 9djdv.exe 2444 fxfflrx.exe 3928 nhhtnh.exe 1148 bbbbnn.exe 4368 vvvvd.exe 3472 rlfrlfx.exe 4912 tnnhbt.exe 1376 httbnt.exe 2748 dvvvp.exe 3212 pvpjv.exe 4032 nbbtnn.exe 4076 1bnttt.exe 4284 dvdpv.exe 5048 pdpjj.exe 3100 fxrxrfx.exe 1648 xfxfrfx.exe 3596 1tttnn.exe 3632 jjpdd.exe 4140 xlrfxxr.exe 5028 9frrrrx.exe 4020 hnbtnt.exe 4792 dvdvv.exe 1812 pdpvd.exe 4764 rffxrfr.exe 2724 ntbtbh.exe 2156 vpjdv.exe 4972 vpvpj.exe 3392 llfffxx.exe 4060 tnnhbb.exe 3796 djpdv.exe 3416 frlllrf.exe 976 xlxrllr.exe 1136 7hbtnn.exe 1616 djpvj.exe 2568 jvjpp.exe 4420 lflrrxl.exe 2688 1nnhhh.exe -
resource yara_rule behavioral2/memory/4280-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000900000002347b-3.dat upx behavioral2/memory/4280-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000234db-9.dat upx behavioral2/memory/4860-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234df-13.dat upx behavioral2/memory/4200-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e0-21.dat upx behavioral2/memory/724-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/392-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e1-27.dat upx behavioral2/files/0x00070000000234e2-32.dat upx behavioral2/files/0x00070000000234e3-37.dat upx behavioral2/memory/1248-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/888-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e4-46.dat upx behavioral2/memory/1248-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e5-49.dat upx behavioral2/memory/2304-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e6-55.dat upx behavioral2/memory/4960-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e7-61.dat upx behavioral2/memory/4972-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e8-67.dat upx behavioral2/memory/4844-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3964-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ea-74.dat upx behavioral2/memory/3044-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4844-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234eb-81.dat upx 
behavioral2/memory/3044-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2732-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ec-89.dat upx behavioral2/memory/2732-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2384-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ed-96.dat upx behavioral2/files/0x00070000000234ee-100.dat upx behavioral2/memory/4644-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ef-106.dat upx behavioral2/memory/1496-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f0-113.dat upx behavioral2/files/0x00070000000234f1-118.dat upx behavioral2/files/0x00070000000234f2-122.dat upx behavioral2/files/0x00070000000234f3-128.dat upx behavioral2/files/0x00070000000234f4-132.dat upx behavioral2/files/0x00070000000234f5-138.dat upx behavioral2/memory/3296-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1864-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f6-145.dat upx behavioral2/files/0x00080000000234dc-151.dat upx behavioral2/memory/4652-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f7-155.dat upx behavioral2/memory/2492-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f8-161.dat upx behavioral2/memory/3504-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f9-167.dat upx behavioral2/memory/2280-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2444-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234fa-175.dat upx behavioral2/files/0x00070000000234fc-180.dat upx behavioral2/files/0x00070000000234fd-185.dat upx 
behavioral2/memory/4368-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3472-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4912-196-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location — MITRE ATT&CK T1614.001. Caveat: this key is also read by ordinary locale-aware code, so on its own it is a weak indicator. Note too that most of the 64 IoCs below are attributed to "Process not Found", which likely means the originating process had already exited by the time the event was resolved, so the per-process attribution here is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Note: each entry is a parent writing three times into the child it has just spawned (the next link in the drop chain). A parent writing into a freshly created child is also commonly seen with ordinary CreateProcess launches, so treat this as corroborating the chain rather than as standalone evidence of injection. The list is capped at 64 IoCs and stops at PID 1864 (rlxrlxx.exe); the absence of the WriteProcessMemory tag from depth 23 onward in the process tree appears to reflect this cap, not a change in behaviour.
description pid Process procid_target PID 4280 wrote to memory of 4860 4280 0be6d36383740b348e9dd512fe6e7ae0N.exe 84 PID 4280 wrote to memory of 4860 4280 0be6d36383740b348e9dd512fe6e7ae0N.exe 84 PID 4280 wrote to memory of 4860 4280 0be6d36383740b348e9dd512fe6e7ae0N.exe 84 PID 4860 wrote to memory of 4200 4860 xlllfff.exe 85 PID 4860 wrote to memory of 4200 4860 xlllfff.exe 85 PID 4860 wrote to memory of 4200 4860 xlllfff.exe 85 PID 4200 wrote to memory of 724 4200 hbtnhh.exe 86 PID 4200 wrote to memory of 724 4200 hbtnhh.exe 86 PID 4200 wrote to memory of 724 4200 hbtnhh.exe 86 PID 724 wrote to memory of 392 724 5nhnhh.exe 87 PID 724 wrote to memory of 392 724 5nhnhh.exe 87 PID 724 wrote to memory of 392 724 5nhnhh.exe 87 PID 392 wrote to memory of 4020 392 vpvpp.exe 88 PID 392 wrote to memory of 4020 392 vpvpp.exe 88 PID 392 wrote to memory of 4020 392 vpvpp.exe 88 PID 4020 wrote to memory of 888 4020 lfllxxx.exe 89 PID 4020 wrote to memory of 888 4020 lfllxxx.exe 89 PID 4020 wrote to memory of 888 4020 lfllxxx.exe 89 PID 888 wrote to memory of 1248 888 btttbh.exe 90 PID 888 wrote to memory of 1248 888 btttbh.exe 90 PID 888 wrote to memory of 1248 888 btttbh.exe 90 PID 1248 wrote to memory of 2304 1248 jdvpp.exe 91 PID 1248 wrote to memory of 2304 1248 jdvpp.exe 91 PID 1248 wrote to memory of 2304 1248 jdvpp.exe 91 PID 2304 wrote to memory of 4960 2304 flrllrr.exe 92 PID 2304 wrote to memory of 4960 2304 flrllrr.exe 92 PID 2304 wrote to memory of 4960 2304 flrllrr.exe 92 PID 4960 wrote to memory of 4972 4960 frrrlrf.exe 93 PID 4960 wrote to memory of 4972 4960 frrrlrf.exe 93 PID 4960 wrote to memory of 4972 4960 frrrlrf.exe 93 PID 4972 wrote to memory of 3964 4972 bnhbnt.exe 94 PID 4972 wrote to memory of 3964 4972 bnhbnt.exe 94 PID 4972 wrote to memory of 3964 4972 bnhbnt.exe 94 PID 3964 wrote to memory of 4844 3964 dppjj.exe 95 PID 3964 wrote to memory of 4844 3964 dppjj.exe 95 PID 3964 wrote to memory of 4844 3964 dppjj.exe 95 PID 4844 wrote to memory of 3044 
4844 fffrfxl.exe 96 PID 4844 wrote to memory of 3044 4844 fffrfxl.exe 96 PID 4844 wrote to memory of 3044 4844 fffrfxl.exe 96 PID 3044 wrote to memory of 2732 3044 tbnnhh.exe 97 PID 3044 wrote to memory of 2732 3044 tbnnhh.exe 97 PID 3044 wrote to memory of 2732 3044 tbnnhh.exe 97 PID 2732 wrote to memory of 2384 2732 nbhbtt.exe 98 PID 2732 wrote to memory of 2384 2732 nbhbtt.exe 98 PID 2732 wrote to memory of 2384 2732 nbhbtt.exe 98 PID 2384 wrote to memory of 4644 2384 vvvvp.exe 99 PID 2384 wrote to memory of 4644 2384 vvvvp.exe 99 PID 2384 wrote to memory of 4644 2384 vvvvp.exe 99 PID 4644 wrote to memory of 2688 4644 rxrlrlr.exe 101 PID 4644 wrote to memory of 2688 4644 rxrlrlr.exe 101 PID 4644 wrote to memory of 2688 4644 rxrlrlr.exe 101 PID 2688 wrote to memory of 1496 2688 hbbtnn.exe 102 PID 2688 wrote to memory of 1496 2688 hbbtnn.exe 102 PID 2688 wrote to memory of 1496 2688 hbbtnn.exe 102 PID 1496 wrote to memory of 3832 1496 djdpj.exe 103 PID 1496 wrote to memory of 3832 1496 djdpj.exe 103 PID 1496 wrote to memory of 3832 1496 djdpj.exe 103 PID 3832 wrote to memory of 4128 3832 ffxxrrr.exe 104 PID 3832 wrote to memory of 4128 3832 ffxxrrr.exe 104 PID 3832 wrote to memory of 4128 3832 ffxxrrr.exe 104 PID 4128 wrote to memory of 4004 4128 hthbtb.exe 106 PID 4128 wrote to memory of 4004 4128 hthbtb.exe 106 PID 4128 wrote to memory of 4004 4128 hthbtb.exe 106 PID 4004 wrote to memory of 1864 4004 pjvvd.exe 107
Processes
Note: the tree below is a single linear chain — each dropped c:\<random>.exe spawns exactly one further dropped c:\<random>.exe, reaching depth 122 within the 150 s run. File names are drawn from a small letter set (b, d, f, h, j, l, n, p, r, t, v, x, sometimes with a leading digit). An executable written to and launched from the volume root by a parent that itself runs from the volume root is the detection-friendly pattern here.
-
C:\Users\Admin\AppData\Local\Temp\0be6d36383740b348e9dd512fe6e7ae0N.exe"C:\Users\Admin\AppData\Local\Temp\0be6d36383740b348e9dd512fe6e7ae0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\xlllfff.exec:\xlllfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\hbtnhh.exec:\hbtnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\5nhnhh.exec:\5nhnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
\??\c:\vpvpp.exec:\vpvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\lfllxxx.exec:\lfllxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\btttbh.exec:\btttbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
\??\c:\jdvpp.exec:\jdvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\flrllrr.exec:\flrllrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\frrrlrf.exec:\frrrlrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\bnhbnt.exec:\bnhbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\dppjj.exec:\dppjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\fffrfxl.exec:\fffrfxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\tbnnhh.exec:\tbnnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\nbhbtt.exec:\nbhbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\vvvvp.exec:\vvvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\rxrlrlr.exec:\rxrlrlr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\hbbtnn.exec:\hbbtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\djdpj.exec:\djdpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\ffxxrrr.exec:\ffxxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\hthbtb.exec:\hthbtb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\pjvvd.exec:\pjvvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\rlxrlxx.exec:\rlxrlxx.exe23⤵
- Executes dropped EXE
PID:1864 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe24⤵
- Executes dropped EXE
PID:3296 -
\??\c:\tbnbbt.exec:\tbnbbt.exe25⤵
- Executes dropped EXE
PID:1736 -
\??\c:\jjjdv.exec:\jjjdv.exe26⤵
- Executes dropped EXE
PID:4652 -
\??\c:\lrrlxlf.exec:\lrrlxlf.exe27⤵
- Executes dropped EXE
PID:2492 -
\??\c:\hbnhbh.exec:\hbnhbh.exe28⤵
- Executes dropped EXE
PID:3504 -
\??\c:\9djdv.exec:\9djdv.exe29⤵
- Executes dropped EXE
PID:2280 -
\??\c:\fxfflrx.exec:\fxfflrx.exe30⤵
- Executes dropped EXE
PID:2444 -
\??\c:\nhhtnh.exec:\nhhtnh.exe31⤵
- Executes dropped EXE
PID:3928 -
\??\c:\bbbbnn.exec:\bbbbnn.exe32⤵
- Executes dropped EXE
PID:1148 -
\??\c:\vvvvd.exec:\vvvvd.exe33⤵
- Executes dropped EXE
PID:4368 -
\??\c:\rlfrlfx.exec:\rlfrlfx.exe34⤵
- Executes dropped EXE
PID:3472 -
\??\c:\tnnhbt.exec:\tnnhbt.exe35⤵
- Executes dropped EXE
PID:4912 -
\??\c:\httbnt.exec:\httbnt.exe36⤵
- Executes dropped EXE
PID:1376 -
\??\c:\dvvvp.exec:\dvvvp.exe37⤵
- Executes dropped EXE
PID:2748 -
\??\c:\pvpjv.exec:\pvpjv.exe38⤵
- Executes dropped EXE
PID:3212 -
\??\c:\nbbtnn.exec:\nbbtnn.exe39⤵
- Executes dropped EXE
PID:4032 -
\??\c:\1bnttt.exec:\1bnttt.exe40⤵
- Executes dropped EXE
PID:4076 -
\??\c:\dvdpv.exec:\dvdpv.exe41⤵
- Executes dropped EXE
PID:4284 -
\??\c:\pdpjj.exec:\pdpjj.exe42⤵
- Executes dropped EXE
PID:5048 -
\??\c:\fxrxrfx.exec:\fxrxrfx.exe43⤵
- Executes dropped EXE
PID:3100 -
\??\c:\xfxfrfx.exec:\xfxfrfx.exe44⤵
- Executes dropped EXE
PID:1648 -
\??\c:\1tttnn.exec:\1tttnn.exe45⤵
- Executes dropped EXE
PID:3596 -
\??\c:\jjpdd.exec:\jjpdd.exe46⤵
- Executes dropped EXE
PID:3632 -
\??\c:\xlrfxxr.exec:\xlrfxxr.exe47⤵
- Executes dropped EXE
PID:4140 -
\??\c:\9frrrrx.exec:\9frrrrx.exe48⤵
- Executes dropped EXE
PID:5028 -
\??\c:\hnbtnt.exec:\hnbtnt.exe49⤵
- Executes dropped EXE
PID:4020 -
\??\c:\dvdvv.exec:\dvdvv.exe50⤵
- Executes dropped EXE
PID:4792 -
\??\c:\pdpvd.exec:\pdpvd.exe51⤵
- Executes dropped EXE
PID:1812 -
\??\c:\rffxrfr.exec:\rffxrfr.exe52⤵
- Executes dropped EXE
PID:4764 -
\??\c:\ntbtbh.exec:\ntbtbh.exe53⤵
- Executes dropped EXE
PID:2724 -
\??\c:\vpjdv.exec:\vpjdv.exe54⤵
- Executes dropped EXE
PID:2156 -
\??\c:\vpvpj.exec:\vpvpj.exe55⤵
- Executes dropped EXE
PID:4972 -
\??\c:\llfffxx.exec:\llfffxx.exe56⤵
- Executes dropped EXE
PID:3392 -
\??\c:\tnnhbb.exec:\tnnhbb.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4060 -
\??\c:\djpdv.exec:\djpdv.exe58⤵
- Executes dropped EXE
PID:3796 -
\??\c:\frlllrf.exec:\frlllrf.exe59⤵
- Executes dropped EXE
PID:3416 -
\??\c:\xlxrllr.exec:\xlxrllr.exe60⤵
- Executes dropped EXE
PID:976 -
\??\c:\7hbtnn.exec:\7hbtnn.exe61⤵
- Executes dropped EXE
PID:1136 -
\??\c:\djpvj.exec:\djpvj.exe62⤵
- Executes dropped EXE
PID:1616 -
\??\c:\jvjpp.exec:\jvjpp.exe63⤵
- Executes dropped EXE
PID:2568 -
\??\c:\lflrrxl.exec:\lflrrxl.exe64⤵
- Executes dropped EXE
PID:4420 -
\??\c:\1nnhhh.exec:\1nnhhh.exe65⤵
- Executes dropped EXE
PID:2688 -
\??\c:\hhhbtt.exec:\hhhbtt.exe66⤵PID:1836
-
\??\c:\vpvdd.exec:\vpvdd.exe67⤵PID:3832
-
\??\c:\vjpjp.exec:\vjpjp.exe68⤵PID:3996
-
\??\c:\llffxxr.exec:\llffxxr.exe69⤵PID:1300
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe70⤵PID:728
-
\??\c:\httttn.exec:\httttn.exe71⤵PID:4512
-
\??\c:\vdjjd.exec:\vdjjd.exe72⤵PID:4212
-
\??\c:\fffffrf.exec:\fffffrf.exe73⤵PID:456
-
\??\c:\lrxrlll.exec:\lrxrlll.exe74⤵PID:4396
-
\??\c:\tthhbn.exec:\tthhbn.exe75⤵PID:2556
-
\??\c:\nhnntn.exec:\nhnntn.exe76⤵PID:3292
-
\??\c:\7pvpp.exec:\7pvpp.exe77⤵PID:4852
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe78⤵PID:1640
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe79⤵PID:1636
-
\??\c:\bbnhbb.exec:\bbnhbb.exe80⤵PID:4456
-
\??\c:\nnnbbb.exec:\nnnbbb.exe81⤵PID:4316
-
\??\c:\vdvjd.exec:\vdvjd.exe82⤵PID:404
-
\??\c:\dpvjd.exec:\dpvjd.exe83⤵
- System Location Discovery: System Language Discovery
PID:4840 -
\??\c:\1pvvv.exec:\1pvvv.exe84⤵PID:1748
-
\??\c:\lrfxrlr.exec:\lrfxrlr.exe85⤵PID:2232
-
\??\c:\nnttbb.exec:\nnttbb.exe86⤵PID:3124
-
\??\c:\vvppp.exec:\vvppp.exe87⤵PID:3140
-
\??\c:\djjdd.exec:\djjdd.exe88⤵PID:1840
-
\??\c:\fxxxxxr.exec:\fxxxxxr.exe89⤵PID:1376
-
\??\c:\btnhtn.exec:\btnhtn.exe90⤵PID:4120
-
\??\c:\jvvpd.exec:\jvvpd.exe91⤵PID:4116
-
\??\c:\pjpjj.exec:\pjpjj.exe92⤵PID:4740
-
\??\c:\lllrlll.exec:\lllrlll.exe93⤵PID:4076
-
\??\c:\7flxxxx.exec:\7flxxxx.exe94⤵PID:3304
-
\??\c:\nnhbhh.exec:\nnhbhh.exe95⤵PID:3612
-
\??\c:\nthbbb.exec:\nthbbb.exe96⤵PID:4416
-
\??\c:\9ppjd.exec:\9ppjd.exe97⤵PID:4656
-
\??\c:\jpvpj.exec:\jpvpj.exe98⤵PID:3596
-
\??\c:\rrrlffl.exec:\rrrlffl.exe99⤵PID:3632
-
\??\c:\7thhbh.exec:\7thhbh.exe100⤵PID:952
-
\??\c:\3vvpj.exec:\3vvpj.exe101⤵PID:3460
-
\??\c:\jvjdj.exec:\jvjdj.exe102⤵PID:4020
-
\??\c:\9rrlfll.exec:\9rrlfll.exe103⤵PID:2320
-
\??\c:\lrfxrll.exec:\lrfxrll.exe104⤵PID:2304
-
\??\c:\nhhbhh.exec:\nhhbhh.exe105⤵PID:3228
-
\??\c:\btbnbt.exec:\btbnbt.exe106⤵PID:2332
-
\??\c:\vdjjd.exec:\vdjjd.exe107⤵PID:1832
-
\??\c:\ddddv.exec:\ddddv.exe108⤵PID:592
-
\??\c:\llffxff.exec:\llffxff.exe109⤵PID:3044
-
\??\c:\rrlfffx.exec:\rrlfffx.exe110⤵PID:3792
-
\??\c:\bbbbtt.exec:\bbbbtt.exe111⤵PID:2216
-
\??\c:\nnbbnn.exec:\nnbbnn.exe112⤵PID:868
-
\??\c:\ppjdd.exec:\ppjdd.exe113⤵PID:4088
-
\??\c:\fffxrff.exec:\fffxrff.exe114⤵PID:3264
-
\??\c:\xflffff.exec:\xflffff.exe115⤵PID:4172
-
\??\c:\hbbttn.exec:\hbbttn.exe116⤵PID:3196
-
\??\c:\nbbtnt.exec:\nbbtnt.exe117⤵PID:1496
-
\??\c:\jdjdj.exec:\jdjdj.exe118⤵PID:4264
-
\??\c:\pvpjj.exec:\pvpjj.exe119⤵PID:3832
-
\??\c:\lrlxrrl.exec:\lrlxrrl.exe120⤵PID:3104
-
\??\c:\1xxrlff.exec:\1xxrlff.exe121⤵PID:3516
-
\??\c:\nhhbtt.exec:\nhhbtt.exe122⤵PID:3268
-