Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
19-09-2024 06:21
Static task
static1
Behavioral task
behavioral1
Sample
6165bcc27e21c5ee5a7d23aeec66436bd0111a99aafe77367970972b060d97d1N.exe
Resource
win7-20240903-en
General
-
Target
6165bcc27e21c5ee5a7d23aeec66436bd0111a99aafe77367970972b060d97d1N.exe
-
Size
333KB
-
MD5
84c3778c521586e189a19d55923d8720
-
SHA1
d9781d0bb595cc85be56d5c3cbf68e17f76713e0
-
SHA256
6165bcc27e21c5ee5a7d23aeec66436bd0111a99aafe77367970972b060d97d1
-
SHA512
e12a0c612decaf0862041f94697ae8b9a6a7daeffb01ec4c0cde8bc4a5d74a49edca018cecee87ded7b9bb9a09a480d6d344fe4bc7ac6d3ee065e5a2ab42f72a
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhO:F7Tc8JdSjylh2b77BoTMA9gX59sTsuT+
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1500-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3988-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3092-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-860-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-939-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-1006-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-1110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-1452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4836 9fffxxf.exe 1232 nbhhbb.exe 4272 ddjpj.exe 4164 ppjjd.exe 4744 xxxrlrl.exe 3308 tnnhbb.exe 3396 bthbtb.exe 396 pddpp.exe 1156 dpvvp.exe 4820 rllfxlf.exe 4848 tbnhbn.exe 4008 bhtnnn.exe 5056 djdpd.exe 2932 lxrllrl.exe 4604 7fffffl.exe 1600 5nhhhh.exe 2536 thtnhh.exe 2076 djvpd.exe 4832 9ffxrrr.exe 4440 llffllf.exe 4688 ntbbbb.exe 1076 bntntn.exe 2228 pjjdd.exe 3028 rxlrrrl.exe 3988 7fffffx.exe 1652 nhhbtt.exe 4756 bbthbb.exe 3488 ddjdd.exe 2764 xxfxrrf.exe 548 rllffff.exe 1260 1thbht.exe 3084 bhtnnn.exe 4400 pjdvv.exe 3128 pvddd.exe 644 3llffff.exe 4764 hnbtbb.exe 2116 tnnnhn.exe 4812 dpjdd.exe 2584 5djdd.exe 3700 1rlffll.exe 3076 rfrlrrl.exe 1968 nhntth.exe 4740 ddddj.exe 2124 dpddv.exe 3140 rllfrlr.exe 3724 rfffrxr.exe 1676 hbhhbh.exe 2560 bbhbtt.exe 2440 3pvvj.exe 4328 rxrllll.exe 4068 rfxlffx.exe 3664 hnbtnn.exe 4836 hbttbb.exe 3492 jvjdd.exe 2112 pjpjd.exe 4164 xlxrllf.exe 3440 btnhnh.exe 3064 tthbhn.exe 2148 jdppp.exe 2208 xlxrllf.exe 2088 xrxrlff.exe 4820 9nttbh.exe 1004 tntbtt.exe 5028 jjpvv.exe -
resource yara_rule behavioral2/memory/4836-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1076-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-427-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4428-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-860-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-939-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
3xfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1500 wrote to memory of 4836 1500 6165bcc27e21c5ee5a7d23aeec66436bd0111a99aafe77367970972b060d97d1N.exe 134 PID 1500 wrote to memory of 4836 1500 6165bcc27e21c5ee5a7d23aeec66436bd0111a99aafe77367970972b060d97d1N.exe 134 PID 1500 wrote to memory of 4836 1500 6165bcc27e21c5ee5a7d23aeec66436bd0111a99aafe77367970972b060d97d1N.exe 134 PID 4836 wrote to memory of 1232 4836 9fffxxf.exe 83 PID 4836 wrote to memory of 1232 4836 9fffxxf.exe 83 PID 4836 wrote to memory of 1232 4836 9fffxxf.exe 83 PID 1232 wrote to memory of 4272 1232 nbhhbb.exe 84 PID 1232 wrote to memory of 4272 1232 nbhhbb.exe 84 PID 1232 wrote to memory of 4272 1232 nbhhbb.exe 84 PID 4272 wrote to memory of 4164 4272 ddjpj.exe 85 PID 4272 wrote to memory of 4164 4272 ddjpj.exe 85 PID 4272 wrote to memory of 4164 4272 ddjpj.exe 85 PID 4164 wrote to memory of 4744 4164 ppjjd.exe 86 PID 4164 wrote to memory of 4744 4164 ppjjd.exe 86 PID 4164 wrote to memory of 4744 4164 ppjjd.exe 86 PID 4744 wrote to memory of 3308 4744 xxxrlrl.exe 87 PID 4744 wrote to memory of 3308 4744 xxxrlrl.exe 87 PID 4744 wrote to memory of 3308 4744 xxxrlrl.exe 87 PID 3308 wrote to memory of 3396 3308 tnnhbb.exe 88 PID 3308 wrote to memory of 3396 3308 tnnhbb.exe 88 PID 3308 wrote to memory of 3396 3308 tnnhbb.exe 88 PID 3396 wrote to memory of 396 3396 bthbtb.exe 89 PID 3396 wrote to memory of 396 3396 bthbtb.exe 89 PID 3396 wrote to memory of 396 3396 bthbtb.exe 89 PID 396 wrote to memory of 1156 396 pddpp.exe 90 PID 396 wrote to memory of 1156 396 pddpp.exe 90 PID 396 wrote to memory of 1156 396 pddpp.exe 90 PID 1156 wrote to memory of 4820 1156 dpvvp.exe 91 PID 1156 wrote to memory of 4820 1156 dpvvp.exe 91 PID 1156 wrote to memory of 4820 1156 dpvvp.exe 91 PID 4820 wrote to memory of 4848 4820 rllfxlf.exe 92 PID 4820 wrote to memory of 4848 4820 rllfxlf.exe 92 PID 4820 wrote to memory of 4848 4820 rllfxlf.exe 92 PID 4848 wrote to memory of 4008 4848 tbnhbn.exe 93 PID 4848 wrote to memory 
of 4008 4848 tbnhbn.exe 93 PID 4848 wrote to memory of 4008 4848 tbnhbn.exe 93 PID 4008 wrote to memory of 5056 4008 bhtnnn.exe 94 PID 4008 wrote to memory of 5056 4008 bhtnnn.exe 94 PID 4008 wrote to memory of 5056 4008 bhtnnn.exe 94 PID 5056 wrote to memory of 2932 5056 djdpd.exe 95 PID 5056 wrote to memory of 2932 5056 djdpd.exe 95 PID 5056 wrote to memory of 2932 5056 djdpd.exe 95 PID 2932 wrote to memory of 4604 2932 lxrllrl.exe 96 PID 2932 wrote to memory of 4604 2932 lxrllrl.exe 96 PID 2932 wrote to memory of 4604 2932 lxrllrl.exe 96 PID 4604 wrote to memory of 1600 4604 7fffffl.exe 97 PID 4604 wrote to memory of 1600 4604 7fffffl.exe 97 PID 4604 wrote to memory of 1600 4604 7fffffl.exe 97 PID 1600 wrote to memory of 2536 1600 5nhhhh.exe 98 PID 1600 wrote to memory of 2536 1600 5nhhhh.exe 98 PID 1600 wrote to memory of 2536 1600 5nhhhh.exe 98 PID 2536 wrote to memory of 2076 2536 thtnhh.exe 99 PID 2536 wrote to memory of 2076 2536 thtnhh.exe 99 PID 2536 wrote to memory of 2076 2536 thtnhh.exe 99 PID 2076 wrote to memory of 4832 2076 djvpd.exe 100 PID 2076 wrote to memory of 4832 2076 djvpd.exe 100 PID 2076 wrote to memory of 4832 2076 djvpd.exe 100 PID 4832 wrote to memory of 4440 4832 9ffxrrr.exe 101 PID 4832 wrote to memory of 4440 4832 9ffxrrr.exe 101 PID 4832 wrote to memory of 4440 4832 9ffxrrr.exe 101 PID 4440 wrote to memory of 4688 4440 llffllf.exe 102 PID 4440 wrote to memory of 4688 4440 llffllf.exe 102 PID 4440 wrote to memory of 4688 4440 llffllf.exe 102 PID 4688 wrote to memory of 1076 4688 ntbbbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6165bcc27e21c5ee5a7d23aeec66436bd0111a99aafe77367970972b060d97d1N.exe"C:\Users\Admin\AppData\Local\Temp\6165bcc27e21c5ee5a7d23aeec66436bd0111a99aafe77367970972b060d97d1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\9fffxxf.exec:\9fffxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\nbhhbb.exec:\nbhhbb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\ddjpj.exec:\ddjpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\ppjjd.exec:\ppjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\xxxrlrl.exec:\xxxrlrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\tnnhbb.exec:\tnnhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\bthbtb.exec:\bthbtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\pddpp.exec:\pddpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\dpvvp.exec:\dpvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\rllfxlf.exec:\rllfxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\tbnhbn.exec:\tbnhbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\bhtnnn.exec:\bhtnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\djdpd.exec:\djdpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\lxrllrl.exec:\lxrllrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\7fffffl.exec:\7fffffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\5nhhhh.exec:\5nhhhh.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\thtnhh.exec:\thtnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\djvpd.exec:\djvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\9ffxrrr.exec:\9ffxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\llffllf.exec:\llffllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\ntbbbb.exec:\ntbbbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\bntntn.exec:\bntntn.exe23⤵
- Executes dropped EXE
PID:1076 -
\??\c:\pjjdd.exec:\pjjdd.exe24⤵
- Executes dropped EXE
PID:2228 -
\??\c:\rxlrrrl.exec:\rxlrrrl.exe25⤵
- Executes dropped EXE
PID:3028 -
\??\c:\7fffffx.exec:\7fffffx.exe26⤵
- Executes dropped EXE
PID:3988 -
\??\c:\nhhbtt.exec:\nhhbtt.exe27⤵
- Executes dropped EXE
PID:1652 -
\??\c:\bbthbb.exec:\bbthbb.exe28⤵
- Executes dropped EXE
PID:4756 -
\??\c:\ddjdd.exec:\ddjdd.exe29⤵
- Executes dropped EXE
PID:3488 -
\??\c:\xxfxrrf.exec:\xxfxrrf.exe30⤵
- Executes dropped EXE
PID:2764 -
\??\c:\rllffff.exec:\rllffff.exe31⤵
- Executes dropped EXE
PID:548 -
\??\c:\1thbht.exec:\1thbht.exe32⤵
- Executes dropped EXE
PID:1260 -
\??\c:\bhtnnn.exec:\bhtnnn.exe33⤵
- Executes dropped EXE
PID:3084 -
\??\c:\pjdvv.exec:\pjdvv.exe34⤵
- Executes dropped EXE
PID:4400 -
\??\c:\pvddd.exec:\pvddd.exe35⤵
- Executes dropped EXE
PID:3128 -
\??\c:\3llffff.exec:\3llffff.exe36⤵
- Executes dropped EXE
PID:644 -
\??\c:\hnbtbb.exec:\hnbtbb.exe37⤵
- Executes dropped EXE
PID:4764 -
\??\c:\tnnnhn.exec:\tnnnhn.exe38⤵
- Executes dropped EXE
PID:2116 -
\??\c:\dpjdd.exec:\dpjdd.exe39⤵
- Executes dropped EXE
PID:4812 -
\??\c:\5djdd.exec:\5djdd.exe40⤵
- Executes dropped EXE
PID:2584 -
\??\c:\1rlffll.exec:\1rlffll.exe41⤵
- Executes dropped EXE
PID:3700 -
\??\c:\rfrlrrl.exec:\rfrlrrl.exe42⤵
- Executes dropped EXE
PID:3076 -
\??\c:\nhntth.exec:\nhntth.exe43⤵
- Executes dropped EXE
PID:1968 -
\??\c:\ddddj.exec:\ddddj.exe44⤵
- Executes dropped EXE
PID:4740 -
\??\c:\dpddv.exec:\dpddv.exe45⤵
- Executes dropped EXE
PID:2124 -
\??\c:\rllfrlr.exec:\rllfrlr.exe46⤵
- Executes dropped EXE
PID:3140 -
\??\c:\rfffrxr.exec:\rfffrxr.exe47⤵
- Executes dropped EXE
PID:3724 -
\??\c:\hbhhbh.exec:\hbhhbh.exe48⤵
- Executes dropped EXE
PID:1676 -
\??\c:\bbhbtt.exec:\bbhbtt.exe49⤵
- Executes dropped EXE
PID:2560 -
\??\c:\3pvvj.exec:\3pvvj.exe50⤵
- Executes dropped EXE
PID:2440 -
\??\c:\rxrllll.exec:\rxrllll.exe51⤵
- Executes dropped EXE
PID:4328 -
\??\c:\rfxlffx.exec:\rfxlffx.exe52⤵
- Executes dropped EXE
PID:4068 -
\??\c:\hnbtnn.exec:\hnbtnn.exe53⤵
- Executes dropped EXE
PID:3664 -
\??\c:\hbttbb.exec:\hbttbb.exe54⤵
- Executes dropped EXE
PID:4836 -
\??\c:\jvjdd.exec:\jvjdd.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3492 -
\??\c:\pjpjd.exec:\pjpjd.exe56⤵
- Executes dropped EXE
PID:2112 -
\??\c:\xlxrllf.exec:\xlxrllf.exe57⤵
- Executes dropped EXE
PID:4164 -
\??\c:\btnhnh.exec:\btnhnh.exe58⤵
- Executes dropped EXE
PID:3440 -
\??\c:\tthbhn.exec:\tthbhn.exe59⤵
- Executes dropped EXE
PID:3064 -
\??\c:\jdppp.exec:\jdppp.exe60⤵
- Executes dropped EXE
PID:2148 -
\??\c:\xlxrllf.exec:\xlxrllf.exe61⤵
- Executes dropped EXE
PID:2208 -
\??\c:\xrxrlff.exec:\xrxrlff.exe62⤵
- Executes dropped EXE
PID:2088 -
\??\c:\9nttbh.exec:\9nttbh.exe63⤵
- Executes dropped EXE
PID:4820 -
\??\c:\tntbtt.exec:\tntbtt.exe64⤵
- Executes dropped EXE
PID:1004 -
\??\c:\jjpvv.exec:\jjpvv.exe65⤵
- Executes dropped EXE
PID:5028 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe66⤵PID:1152
-
\??\c:\rxlfflf.exec:\rxlfflf.exe67⤵PID:3552
-
\??\c:\nhnnhn.exec:\nhnnhn.exe68⤵PID:1588
-
\??\c:\hhbtbb.exec:\hhbtbb.exe69⤵PID:4244
-
\??\c:\dpdvp.exec:\dpdvp.exe70⤵PID:3320
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe71⤵PID:4704
-
\??\c:\rlrllll.exec:\rlrllll.exe72⤵PID:2784
-
\??\c:\nbhbtn.exec:\nbhbtn.exe73⤵PID:2140
-
\??\c:\ppppp.exec:\ppppp.exe74⤵PID:4076
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe75⤵PID:4488
-
\??\c:\bbhbbb.exec:\bbhbbb.exe76⤵PID:3512
-
\??\c:\dvjvv.exec:\dvjvv.exe77⤵PID:4212
-
\??\c:\ppddv.exec:\ppddv.exe78⤵PID:5084
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe79⤵PID:2284
-
\??\c:\xfrlrrr.exec:\xfrlrrr.exe80⤵PID:3476
-
\??\c:\hhtnnt.exec:\hhtnnt.exe81⤵PID:4028
-
\??\c:\dpjvp.exec:\dpjvp.exe82⤵PID:1116
-
\??\c:\xxlfxxr.exec:\xxlfxxr.exe83⤵PID:4020
-
\??\c:\htnnnh.exec:\htnnnh.exe84⤵PID:1008
-
\??\c:\vpdvv.exec:\vpdvv.exe85⤵PID:5112
-
\??\c:\rrrllll.exec:\rrrllll.exe86⤵PID:644
-
\??\c:\hbbttn.exec:\hbbttn.exe87⤵PID:3452
-
\??\c:\vpdvd.exec:\vpdvd.exe88⤵PID:2756
-
\??\c:\pdppv.exec:\pdppv.exe89⤵PID:4680
-
\??\c:\xrfrllf.exec:\xrfrllf.exe90⤵PID:2584
-
\??\c:\hhnntn.exec:\hhnntn.exe91⤵PID:4888
-
\??\c:\5pdvv.exec:\5pdvv.exe92⤵PID:536
-
\??\c:\fxfrllf.exec:\fxfrllf.exe93⤵PID:3092
-
\??\c:\xrxrlll.exec:\xrxrlll.exe94⤵PID:2964
-
\??\c:\pjjdd.exec:\pjjdd.exe95⤵PID:5040
-
\??\c:\rrrlrrx.exec:\rrrlrrx.exe96⤵PID:3984
-
\??\c:\hbnhbh.exec:\hbnhbh.exe97⤵PID:1612
-
\??\c:\vpddj.exec:\vpddj.exe98⤵PID:2080
-
\??\c:\9lfxrrl.exec:\9lfxrrl.exe99⤵PID:4372
-
\??\c:\rlrrxxr.exec:\rlrrxxr.exe100⤵PID:4388
-
\??\c:\bhttnn.exec:\bhttnn.exe101⤵PID:1176
-
\??\c:\dvddp.exec:\dvddp.exe102⤵PID:4068
-
\??\c:\jdvvp.exec:\jdvvp.exe103⤵PID:924
-
\??\c:\xlxrlll.exec:\xlxrlll.exe104⤵PID:1132
-
\??\c:\jvjjj.exec:\jvjjj.exe105⤵PID:1232
-
\??\c:\vvvvj.exec:\vvvvj.exe106⤵PID:4772
-
\??\c:\hbhbtt.exec:\hbhbtt.exe107⤵PID:4972
-
\??\c:\dpvjd.exec:\dpvjd.exe108⤵PID:4428
-
\??\c:\xrrlffx.exec:\xrrlffx.exe109⤵PID:4800
-
\??\c:\9nbtbn.exec:\9nbtbn.exe110⤵PID:4528
-
\??\c:\dpdvj.exec:\dpdvj.exe111⤵PID:3916
-
\??\c:\lffrfxr.exec:\lffrfxr.exe112⤵PID:4904
-
\??\c:\5pjpp.exec:\5pjpp.exe113⤵PID:4380
-
\??\c:\jddvj.exec:\jddvj.exe114⤵PID:2568
-
\??\c:\xfrlfff.exec:\xfrlfff.exe115⤵PID:4820
-
\??\c:\5jjjj.exec:\5jjjj.exe116⤵PID:4908
-
\??\c:\llffllf.exec:\llffllf.exe117⤵PID:3176
-
\??\c:\rxffrfx.exec:\rxffrfx.exe118⤵PID:1156
-
\??\c:\vdvjd.exec:\vdvjd.exe119⤵PID:1496
-
\??\c:\jdpjp.exec:\jdpjp.exe120⤵PID:3688
-
\??\c:\lffrlfx.exec:\lffrlfx.exe121⤵PID:4848
-
\??\c:\bthhnn.exec:\bthhnn.exe122⤵PID:2012