Analysis
-
max time kernel
120s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
21/09/2024, 21:22
Behavioral task
behavioral1
Sample
dca215016b4b0aa98faca380d505dc20655d7becd7b2834971d6874b37005cf6N.exe
Resource
win7-20240704-en
6 signatures
120 seconds
General
-
Target
dca215016b4b0aa98faca380d505dc20655d7becd7b2834971d6874b37005cf6N.exe
-
Size
454KB
-
MD5
f540cc90da324159c4c2dd482b1b1ae0
-
SHA1
298548ce4a9a99c682698e4ec13b4e91ca3543be
-
SHA256
dca215016b4b0aa98faca380d505dc20655d7becd7b2834971d6874b37005cf6
-
SHA512
44f72aa592f6265298f8956acf43d08e673205d768d7b7e9674099cab0bac12c3bb06d7335d619ccd2eb4801539dfc6ae3ede374b18e7c0c4caf0281199f5ca8
-
SSDEEP
12288:04wFHoSyd0V3eFp3IDvSbh5nPYERM8mXzplo5:rd0gFp3lz1/uzplo5
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4068-5-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4748-11-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4876-18-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4856-25-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/236-32-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1044-37-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1132-53-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1820-72-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/544-88-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2664-66-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3252-93-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/5100-102-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1092-110-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4500-113-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/272-117-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/32-123-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1696-133-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/796-138-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4676-141-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3580-151-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3828-158-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon 
behavioral2/memory/4292-163-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2472-174-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4540-180-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4492-193-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/228-190-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4964-200-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/756-204-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4120-214-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/772-227-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3008-232-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1620-239-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1480-243-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2344-247-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4384-257-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2152-261-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3748-272-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2300-278-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3296-291-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3732-296-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3716-314-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4676-345-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon 
behavioral2/memory/2660-349-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1188-362-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1108-369-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1040-376-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3744-392-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3624-405-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/660-412-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/5080-422-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/832-450-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1808-457-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3064-494-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4224-498-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/816-520-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2944-524-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3652-552-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1452-616-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4064-624-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2780-688-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3800-752-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/544-819-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4632-907-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon 
behavioral2/memory/4172-1100-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4748 rrfxrlx.exe 4876 3xfxxrl.exe 4968 xxxlllr.exe 4856 1llfxfx.exe 236 1tbtnn.exe 1044 thntnn.exe 3628 jjjdd.exe 1132 llfxrrl.exe 2084 1bnnnn.exe 3600 vpvvj.exe 2664 rxlflxf.exe 1820 9ffxrxr.exe 880 nnhbtt.exe 544 vjjjd.exe 332 fxfxrfx.exe 3252 hhhbtn.exe 5100 3bhbnh.exe 4500 jddvj.exe 1092 frxrrrl.exe 272 1nthnn.exe 32 xrfrllf.exe 1696 frrlffx.exe 796 btbhnh.exe 4676 1dpjj.exe 3580 5lrfffx.exe 3828 hhbtnt.exe 4292 9frrfff.exe 4936 bntnhb.exe 2472 lrffrlr.exe 4540 jjjdv.exe 3328 dpvpp.exe 228 llxxxxr.exe 4492 lrrllll.exe 4240 tnhbtt.exe 4964 htbtnh.exe 756 jpddd.exe 3500 lxlfffx.exe 4604 nttnnb.exe 4120 dddvd.exe 1996 3xrlffx.exe 4592 9llfffx.exe 2332 nnthth.exe 772 vpppv.exe 3008 xrxxrxx.exe 2024 fxxxxxx.exe 1620 bbnbtn.exe 1480 vvppv.exe 2344 1lxrffl.exe 4560 xxlffff.exe 1096 1ntnhh.exe 4384 pjpdj.exe 2152 ffxfrff.exe 5116 btbtnn.exe 4060 ddjpp.exe 5048 bntnhh.exe 3748 5thhnh.exe 2300 jdvpj.exe 1564 dvjdj.exe 2356 jvdvp.exe 4088 rxflfxx.exe 3296 nnhhbh.exe 3732 vppjj.exe 3768 lrxxrll.exe 3088 lllffxl.exe -
resource yara_rule behavioral2/memory/4068-0-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x00090000000234a6-3.dat upx behavioral2/memory/4068-5-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0008000000023500-9.dat upx behavioral2/memory/4748-11-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023504-13.dat upx behavioral2/memory/4968-19-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4876-18-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023505-22.dat upx behavioral2/memory/4856-25-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023506-28.dat upx behavioral2/memory/236-32-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023507-34.dat upx behavioral2/files/0x0007000000023508-41.dat upx behavioral2/memory/1044-37-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023509-46.dat upx behavioral2/memory/1132-47-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000700000002350a-51.dat upx behavioral2/memory/1132-53-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000700000002350b-57.dat upx behavioral2/files/0x000700000002350d-62.dat upx behavioral2/files/0x000700000002350e-68.dat upx behavioral2/memory/1820-72-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000700000002350f-75.dat upx behavioral2/files/0x0007000000023510-79.dat upx behavioral2/files/0x0008000000023501-84.dat upx behavioral2/memory/544-88-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2664-66-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023511-90.dat upx behavioral2/memory/3252-93-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023513-96.dat upx behavioral2/files/0x0007000000023514-103.dat upx 
behavioral2/memory/5100-102-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023515-107.dat upx behavioral2/memory/1092-110-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023516-116.dat upx behavioral2/memory/4500-113-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023517-121.dat upx behavioral2/memory/272-117-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/32-123-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023518-128.dat upx behavioral2/files/0x0007000000023519-131.dat upx behavioral2/memory/1696-133-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000700000002351a-140.dat upx behavioral2/memory/796-138-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000700000002351b-144.dat upx behavioral2/memory/4676-141-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000700000002351c-149.dat upx behavioral2/memory/3580-151-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000700000002351d-155.dat upx behavioral2/memory/3828-158-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000700000002351e-164.dat upx behavioral2/memory/4292-163-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000700000002351f-169.dat upx behavioral2/files/0x0007000000023520-175.dat upx behavioral2/memory/2472-174-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023521-181.dat upx behavioral2/memory/4540-180-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0007000000023522-186.dat upx behavioral2/memory/4492-193-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/228-190-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4964-200-0x0000000000400000-0x0000000000438000-memory.dmp upx 
behavioral2/memory/756-204-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4120-214-0x0000000000400000-0x0000000000438000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4068 wrote to memory of 4748 4068 dca215016b4b0aa98faca380d505dc20655d7becd7b2834971d6874b37005cf6N.exe 82 PID 4068 wrote to memory of 4748 4068 dca215016b4b0aa98faca380d505dc20655d7becd7b2834971d6874b37005cf6N.exe 82 PID 4068 wrote to memory of 4748 4068 dca215016b4b0aa98faca380d505dc20655d7becd7b2834971d6874b37005cf6N.exe 82 PID 4748 wrote to memory of 4876 4748 rrfxrlx.exe 83 PID 4748 wrote to memory of 4876 4748 rrfxrlx.exe 83 PID 4748 wrote to memory of 4876 4748 rrfxrlx.exe 83 PID 4876 wrote to memory of 4968 4876 3xfxxrl.exe 84 PID 4876 wrote to memory of 4968 4876 3xfxxrl.exe 84 PID 4876 wrote to memory of 4968 4876 3xfxxrl.exe 84 PID 4968 wrote to memory of 4856 4968 xxxlllr.exe 85 PID 4968 wrote to memory of 4856 4968 xxxlllr.exe 85 PID 4968 wrote to memory of 4856 4968 xxxlllr.exe 85 PID 4856 wrote to memory of 236 4856 1llfxfx.exe 86 PID 4856 wrote to memory of 236 4856 1llfxfx.exe 86 PID 4856 wrote to memory of 236 4856 1llfxfx.exe 86 PID 236 wrote to memory of 1044 236 1tbtnn.exe 87 PID 236 wrote to memory of 1044 236 1tbtnn.exe 87 PID 236 wrote to memory of 1044 236 1tbtnn.exe 87 PID 1044 wrote to memory of 3628 1044 thntnn.exe 88 PID 1044 wrote to memory of 3628 1044 thntnn.exe 88 PID 1044 wrote to memory of 3628 1044 thntnn.exe 88 PID 3628 wrote to memory of 1132 3628 jjjdd.exe 89 PID 3628 wrote to memory of 1132 3628 jjjdd.exe 89 PID 3628 wrote to memory of 1132 3628 jjjdd.exe 89 PID 1132 wrote to memory of 2084 1132 llfxrrl.exe 90 PID 1132 wrote to memory of 2084 1132 llfxrrl.exe 90 PID 1132 wrote to memory of 2084 1132 llfxrrl.exe 90 PID 2084 wrote to memory of 3600 2084 1bnnnn.exe 91 PID 2084 wrote to memory of 3600 2084 1bnnnn.exe 91 PID 2084 wrote to memory of 3600 2084 1bnnnn.exe 91 PID 3600 wrote to memory of 2664 3600 vpvvj.exe 92 PID 3600 wrote to memory of 2664 3600 vpvvj.exe 92 PID 3600 wrote to memory of 2664 3600 vpvvj.exe 92 PID 2664 wrote to memory of 1820 2664 rxlflxf.exe 93 PID 2664 wrote 
to memory of 1820 2664 rxlflxf.exe 93 PID 2664 wrote to memory of 1820 2664 rxlflxf.exe 93 PID 1820 wrote to memory of 880 1820 9ffxrxr.exe 94 PID 1820 wrote to memory of 880 1820 9ffxrxr.exe 94 PID 1820 wrote to memory of 880 1820 9ffxrxr.exe 94 PID 880 wrote to memory of 544 880 nnhbtt.exe 95 PID 880 wrote to memory of 544 880 nnhbtt.exe 95 PID 880 wrote to memory of 544 880 nnhbtt.exe 95 PID 544 wrote to memory of 332 544 vjjjd.exe 96 PID 544 wrote to memory of 332 544 vjjjd.exe 96 PID 544 wrote to memory of 332 544 vjjjd.exe 96 PID 332 wrote to memory of 3252 332 fxfxrfx.exe 97 PID 332 wrote to memory of 3252 332 fxfxrfx.exe 97 PID 332 wrote to memory of 3252 332 fxfxrfx.exe 97 PID 3252 wrote to memory of 5100 3252 hhhbtn.exe 98 PID 3252 wrote to memory of 5100 3252 hhhbtn.exe 98 PID 3252 wrote to memory of 5100 3252 hhhbtn.exe 98 PID 5100 wrote to memory of 4500 5100 3bhbnh.exe 99 PID 5100 wrote to memory of 4500 5100 3bhbnh.exe 99 PID 5100 wrote to memory of 4500 5100 3bhbnh.exe 99 PID 4500 wrote to memory of 1092 4500 jddvj.exe 100 PID 4500 wrote to memory of 1092 4500 jddvj.exe 100 PID 4500 wrote to memory of 1092 4500 jddvj.exe 100 PID 1092 wrote to memory of 272 1092 frxrrrl.exe 101 PID 1092 wrote to memory of 272 1092 frxrrrl.exe 101 PID 1092 wrote to memory of 272 1092 frxrrrl.exe 101 PID 272 wrote to memory of 32 272 1nthnn.exe 102 PID 272 wrote to memory of 32 272 1nthnn.exe 102 PID 272 wrote to memory of 32 272 1nthnn.exe 102 PID 32 wrote to memory of 1696 32 xrfrllf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\dca215016b4b0aa98faca380d505dc20655d7becd7b2834971d6874b37005cf6N.exe"C:\Users\Admin\AppData\Local\Temp\dca215016b4b0aa98faca380d505dc20655d7becd7b2834971d6874b37005cf6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\rrfxrlx.exec:\rrfxrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\3xfxxrl.exec:\3xfxxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\xxxlllr.exec:\xxxlllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\1llfxfx.exec:\1llfxfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\1tbtnn.exec:\1tbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:236 -
\??\c:\thntnn.exec:\thntnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\jjjdd.exec:\jjjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\llfxrrl.exec:\llfxrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\1bnnnn.exec:\1bnnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\vpvvj.exec:\vpvvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\rxlflxf.exec:\rxlflxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\9ffxrxr.exec:\9ffxrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\nnhbtt.exec:\nnhbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\vjjjd.exec:\vjjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\fxfxrfx.exec:\fxfxrfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\hhhbtn.exec:\hhhbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\3bhbnh.exec:\3bhbnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\jddvj.exec:\jddvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\frxrrrl.exec:\frxrrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\1nthnn.exec:\1nthnn.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:272 -
\??\c:\xrfrllf.exec:\xrfrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\frrlffx.exec:\frrlffx.exe23⤵
- Executes dropped EXE
PID:1696 -
\??\c:\btbhnh.exec:\btbhnh.exe24⤵
- Executes dropped EXE
PID:796 -
\??\c:\1dpjj.exec:\1dpjj.exe25⤵
- Executes dropped EXE
PID:4676 -
\??\c:\5lrfffx.exec:\5lrfffx.exe26⤵
- Executes dropped EXE
PID:3580 -
\??\c:\hhbtnt.exec:\hhbtnt.exe27⤵
- Executes dropped EXE
PID:3828 -
\??\c:\9frrfff.exec:\9frrfff.exe28⤵
- Executes dropped EXE
PID:4292 -
\??\c:\bntnhb.exec:\bntnhb.exe29⤵
- Executes dropped EXE
PID:4936 -
\??\c:\lrffrlr.exec:\lrffrlr.exe30⤵
- Executes dropped EXE
PID:2472 -
\??\c:\jjjdv.exec:\jjjdv.exe31⤵
- Executes dropped EXE
PID:4540 -
\??\c:\dpvpp.exec:\dpvpp.exe32⤵
- Executes dropped EXE
PID:3328 -
\??\c:\llxxxxr.exec:\llxxxxr.exe33⤵
- Executes dropped EXE
PID:228 -
\??\c:\lrrllll.exec:\lrrllll.exe34⤵
- Executes dropped EXE
PID:4492 -
\??\c:\tnhbtt.exec:\tnhbtt.exe35⤵
- Executes dropped EXE
PID:4240 -
\??\c:\htbtnh.exec:\htbtnh.exe36⤵
- Executes dropped EXE
PID:4964 -
\??\c:\jpddd.exec:\jpddd.exe37⤵
- Executes dropped EXE
PID:756 -
\??\c:\lxlfffx.exec:\lxlfffx.exe38⤵
- Executes dropped EXE
PID:3500 -
\??\c:\nttnnb.exec:\nttnnb.exe39⤵
- Executes dropped EXE
PID:4604 -
\??\c:\dddvd.exec:\dddvd.exe40⤵
- Executes dropped EXE
PID:4120 -
\??\c:\3xrlffx.exec:\3xrlffx.exe41⤵
- Executes dropped EXE
PID:1996 -
\??\c:\9llfffx.exec:\9llfffx.exe42⤵
- Executes dropped EXE
PID:4592 -
\??\c:\nnthth.exec:\nnthth.exe43⤵
- Executes dropped EXE
PID:2332 -
\??\c:\vpppv.exec:\vpppv.exe44⤵
- Executes dropped EXE
PID:772 -
\??\c:\xrxxrxx.exec:\xrxxrxx.exe45⤵
- Executes dropped EXE
PID:3008 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe46⤵
- Executes dropped EXE
PID:2024 -
\??\c:\bbnbtn.exec:\bbnbtn.exe47⤵
- Executes dropped EXE
PID:1620 -
\??\c:\vvppv.exec:\vvppv.exe48⤵
- Executes dropped EXE
PID:1480 -
\??\c:\1lxrffl.exec:\1lxrffl.exe49⤵
- Executes dropped EXE
PID:2344 -
\??\c:\xxlffff.exec:\xxlffff.exe50⤵
- Executes dropped EXE
PID:4560 -
\??\c:\1ntnhh.exec:\1ntnhh.exe51⤵
- Executes dropped EXE
PID:1096 -
\??\c:\pjpdj.exec:\pjpdj.exe52⤵
- Executes dropped EXE
PID:4384 -
\??\c:\ffxfrff.exec:\ffxfrff.exe53⤵
- Executes dropped EXE
PID:2152 -
\??\c:\btbtnn.exec:\btbtnn.exe54⤵
- Executes dropped EXE
PID:5116 -
\??\c:\ddjpp.exec:\ddjpp.exe55⤵
- Executes dropped EXE
PID:4060 -
\??\c:\bntnhh.exec:\bntnhh.exe56⤵
- Executes dropped EXE
PID:5048 -
\??\c:\5thhnh.exec:\5thhnh.exe57⤵
- Executes dropped EXE
PID:3748 -
\??\c:\jdvpj.exec:\jdvpj.exe58⤵
- Executes dropped EXE
PID:2300 -
\??\c:\dvjdj.exec:\dvjdj.exe59⤵
- Executes dropped EXE
PID:1564 -
\??\c:\jvdvp.exec:\jvdvp.exe60⤵
- Executes dropped EXE
PID:2356 -
\??\c:\rxflfxx.exec:\rxflfxx.exe61⤵
- Executes dropped EXE
PID:4088 -
\??\c:\nnhhbh.exec:\nnhhbh.exe62⤵
- Executes dropped EXE
PID:3296 -
\??\c:\vppjj.exec:\vppjj.exe63⤵
- Executes dropped EXE
PID:3732 -
\??\c:\lrxxrll.exec:\lrxxrll.exe64⤵
- Executes dropped EXE
PID:3768 -
\??\c:\lllffxl.exec:\lllffxl.exe65⤵
- Executes dropped EXE
PID:3088 -
\??\c:\htbttn.exec:\htbttn.exe66⤵PID:2972
-
\??\c:\pjvvd.exec:\pjvvd.exe67⤵PID:3280
-
\??\c:\xxxxrrl.exec:\xxxxrrl.exe68⤵PID:2260
-
\??\c:\1httbh.exec:\1httbh.exe69⤵PID:3716
-
\??\c:\bttnhh.exec:\bttnhh.exe70⤵PID:3712
-
\??\c:\pdvvd.exec:\pdvvd.exe71⤵PID:1092
-
\??\c:\lrxxrxf.exec:\lrxxrxf.exe72⤵PID:4272
-
\??\c:\lflfffl.exec:\lflfffl.exe73⤵PID:32
-
\??\c:\1ntttt.exec:\1ntttt.exe74⤵PID:5060
-
\??\c:\ddvvp.exec:\ddvvp.exe75⤵PID:440
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe76⤵PID:1840
-
\??\c:\9rfxrlf.exec:\9rfxrlf.exe77⤵PID:1872
-
\??\c:\djppj.exec:\djppj.exe78⤵PID:1928
-
\??\c:\jpvdv.exec:\jpvdv.exe79⤵PID:4676
-
\??\c:\9bhbtt.exec:\9bhbtt.exe80⤵PID:2660
-
\??\c:\1pvvp.exec:\1pvvp.exe81⤵PID:3580
-
\??\c:\lrxrllf.exec:\lrxrllf.exe82⤵PID:1444
-
\??\c:\htbtnh.exec:\htbtnh.exe83⤵PID:2864
-
\??\c:\bbbnbn.exec:\bbbnbn.exe84⤵PID:1188
-
\??\c:\1rxrxxl.exec:\1rxrxxl.exe85⤵PID:2172
-
\??\c:\1xxrrrr.exec:\1xxrrrr.exe86⤵PID:1108
-
\??\c:\nnttbh.exec:\nnttbh.exe87⤵PID:3948
-
\??\c:\pdvpj.exec:\pdvpj.exe88⤵PID:1040
-
\??\c:\flxrlfx.exec:\flxrlfx.exe89⤵PID:1392
-
\??\c:\3nhhhh.exec:\3nhhhh.exe90⤵PID:1104
-
\??\c:\pjdvp.exec:\pjdvp.exe91⤵PID:4492
-
\??\c:\5rxlfxl.exec:\5rxlfxl.exe92⤵PID:4240
-
\??\c:\nhhbtt.exec:\nhhbtt.exe93⤵PID:3744
-
\??\c:\5dvvp.exec:\5dvvp.exe94⤵PID:3800
-
\??\c:\rlfrlfx.exec:\rlfrlfx.exe95⤵PID:5052
-
\??\c:\5nhbtn.exec:\5nhbtn.exe96⤵PID:4416
-
\??\c:\dddvj.exec:\dddvj.exe97⤵PID:3624
-
\??\c:\pjjjj.exec:\pjjjj.exe98⤵PID:2836
-
\??\c:\thntbt.exec:\thntbt.exe99⤵PID:660
-
\??\c:\ppddp.exec:\ppddp.exe100⤵PID:1424
-
\??\c:\rxlxrrr.exec:\rxlxrrr.exe101⤵PID:4800
-
\??\c:\hhnhbt.exec:\hhnhbt.exe102⤵PID:5080
-
\??\c:\nhbttn.exec:\nhbttn.exe103⤵PID:1028
-
\??\c:\jvvpp.exec:\jvvpp.exe104⤵PID:116
-
\??\c:\xflfxxl.exec:\xflfxxl.exe105⤵PID:4412
-
\??\c:\tbbttt.exec:\tbbttt.exe106⤵PID:4068
-
\??\c:\ppvpd.exec:\ppvpd.exe107⤵PID:928
-
\??\c:\fxfxxrf.exec:\fxfxxrf.exe108⤵PID:560
-
\??\c:\rlffxxr.exec:\rlffxxr.exe109⤵PID:4476
-
\??\c:\ttttbb.exec:\ttttbb.exe110⤵PID:4876
-
\??\c:\pjjjd.exec:\pjjjd.exe111⤵PID:832
-
\??\c:\rffxxrx.exec:\rffxxrx.exe112⤵PID:4048
-
\??\c:\5ttnnn.exec:\5ttnnn.exe113⤵PID:1808
-
\??\c:\tnnhtt.exec:\tnnhtt.exe114⤵PID:5048
-
\??\c:\vpvvd.exec:\vpvvd.exe115⤵PID:3276
-
\??\c:\rllfxrl.exec:\rllfxrl.exe116⤵PID:4720
-
\??\c:\nnhbtn.exec:\nnhbtn.exe117⤵PID:3812
-
\??\c:\9vvpd.exec:\9vvpd.exe118⤵PID:1472
-
\??\c:\5jjdv.exec:\5jjdv.exe119⤵PID:640
-
\??\c:\9llfxxx.exec:\9llfxxx.exe120⤵PID:444
-
\??\c:\hhhnnn.exec:\hhhnnn.exe121⤵PID:216
-
\??\c:\jddpj.exec:\jddpj.exe122⤵PID:4200