Analysis
-
max time kernel
120s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 13:03
Behavioral task
behavioral1
Sample
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe
-
Size
279KB
-
MD5
face18af5f70087e9fbf92c2ee116a20
-
SHA1
39ea6bb8cc8dfab8dc8229b7112765dbc2470ad0
-
SHA256
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bff
-
SHA512
b3e1cc83fbbf7fde920ace2599653336f1de8168a1e408e9ee135335670ea9ff96ad2cd5a664544eb606b7e2e15686418dc97fa7ecc9efb402f0540a1f62cfee
-
SSDEEP
6144:ncm4FmowdHoS6rW3NNTvBu6wo2J4JAgNXkArR/rtXOLtu4J6KvvLp3OKtUuuuTEl:14wFHoSeM/Tpu6w14JAOkIRhOBu4Jhv4
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4428-5-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4300-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3228-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1272-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4164-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2316-36-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/936-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4240-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2084-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4756-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2812-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4984-123-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3948-136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1868-149-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5036-189-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1876-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2392-200-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/712-215-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4300-222-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2956-237-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/636-258-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2336-271-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3256-284-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3664-307-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4712-311-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4540-318-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1228-325-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4264-332-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2640-336-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1492-349-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1848-300-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1340-359-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5004-274-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3888-255-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/384-248-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/744-241-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3836-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2352-226-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1828-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5088-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2564-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3776-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3776-131-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2560-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3592-112-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4360-95-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4468-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4152-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/636-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4120-369-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1032-376-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3956-380-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2124-393-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4264-481-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3436-500-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2704-525-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3504-535-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2444-576-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/632-694-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/936-785-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2652-864-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4412-958-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2140-1178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/1112-1256-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4164 bthhhn.exe 1272 ddjpp.exe 3228 1jpjj.exe 4300 ffllflx.exe 2316 lffffll.exe 936 dpdvv.exe 4240 xxfffll.exe 668 jdjvv.exe 4756 vvjjp.exe 2084 fxxfxll.exe 636 fffxffl.exe 2852 hhhhtb.exe 4152 pjvpj.exe 4468 jjddp.exe 4360 lfrllll.exe 2812 bbnnnn.exe 1480 xxllllr.exe 3592 hnbbbh.exe 1012 bhnhnh.exe 4984 ddjjj.exe 2560 3xfffff.exe 3776 ttnnhh.exe 3948 bbnnnn.exe 2564 vvjjj.exe 1868 ffrxflr.exe 648 hbbtbb.exe 1724 ppvjj.exe 1760 djvpj.exe 5088 xrrrlrr.exe 1828 lxlfffx.exe 4508 1nttnt.exe 5036 vdddv.exe 1876 djddj.exe 2392 thtttt.exe 2140 jdjdv.exe 3656 dvddd.exe 1476 llrrrxx.exe 1856 lxxlxxl.exe 712 bhbhtt.exe 3616 dvjvv.exe 4300 pjvvj.exe 2352 flfflrl.exe 3836 llrfxll.exe 4740 hbntbb.exe 2956 ntnhnn.exe 744 vdpvv.exe 396 djvdd.exe 384 fffffll.exe 2120 xffllff.exe 3888 bbtntb.exe 636 hhhnnt.exe 4020 5pvvj.exe 2012 jdvvv.exe 4956 rrllflf.exe 2336 llxxxff.exe 5004 hthhnb.exe 116 hbhhbb.exe 2892 tbttbh.exe 3256 jpjpv.exe 4248 dvjjj.exe 3592 rxlrrxx.exe 3984 xfxrrll.exe 4292 ttbbtt.exe 1848 hbttbh.exe -
resource yara_rule behavioral2/memory/4428-0-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4428-5-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000b000000023b93-10.dat upx behavioral2/files/0x000a000000023b97-12.dat upx behavioral2/files/0x000a000000023b98-23.dat upx behavioral2/memory/4300-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3228-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1272-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000a000000023b99-28.dat upx behavioral2/memory/4164-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000c000000023b43-3.dat upx behavioral2/files/0x000a000000023b9b-33.dat upx behavioral2/memory/936-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2316-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000a000000023b9c-41.dat upx behavioral2/memory/4240-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/936-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000a000000023b9d-50.dat upx behavioral2/memory/4240-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000a000000023b9e-53.dat upx behavioral2/files/0x000a000000023b9f-59.dat upx behavioral2/memory/2084-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4756-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000a000000023ba0-67.dat upx behavioral2/files/0x000a000000023ba1-71.dat upx behavioral2/files/0x000a000000023ba2-76.dat upx behavioral2/files/0x000a000000023ba3-84.dat upx behavioral2/files/0x000a000000023ba6-102.dat upx behavioral2/memory/2812-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000a000000023ba7-105.dat upx behavioral2/files/0x000a000000023ba9-117.dat upx behavioral2/files/0x000a000000023bab-121.dat 
upx behavioral2/memory/4984-123-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3948-136-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1868-149-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000a000000023baf-160.dat upx behavioral2/files/0x000a000000023bb0-164.dat upx behavioral2/memory/1760-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000a000000023bb1-170.dat upx behavioral2/files/0x000b000000023bb3-182.dat upx behavioral2/memory/5036-189-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1876-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2392-200-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/712-215-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4300-222-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2956-237-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/636-258-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2336-271-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3256-284-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3664-307-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4712-311-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4540-318-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1228-325-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4264-332-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2640-336-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1492-349-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1848-300-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1340-359-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/5004-274-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3888-255-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/384-248-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/744-241-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3836-230-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2352-226-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4428 wrote to memory of 4164 4428 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 84 PID 4428 wrote to memory of 4164 4428 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 84 PID 4428 wrote to memory of 4164 4428 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 84 PID 4164 wrote to memory of 1272 4164 bthhhn.exe 85 PID 4164 wrote to memory of 1272 4164 bthhhn.exe 85 PID 4164 wrote to memory of 1272 4164 bthhhn.exe 85 PID 1272 wrote to memory of 3228 1272 ddjpp.exe 86 PID 1272 wrote to memory of 3228 1272 ddjpp.exe 86 PID 1272 wrote to memory of 3228 1272 ddjpp.exe 86 PID 3228 wrote to memory of 4300 3228 1jpjj.exe 127 PID 3228 wrote to memory of 4300 3228 1jpjj.exe 127 PID 3228 wrote to memory of 4300 3228 1jpjj.exe 127 PID 4300 wrote to memory of 2316 4300 ffllflx.exe 88 PID 4300 wrote to memory of 2316 4300 ffllflx.exe 88 PID 4300 wrote to memory of 2316 4300 ffllflx.exe 88 PID 2316 wrote to memory of 936 2316 lffffll.exe 89 PID 2316 wrote to memory of 936 2316 lffffll.exe 89 PID 2316 wrote to memory of 936 2316 lffffll.exe 89 PID 936 wrote to memory of 4240 936 dpdvv.exe 90 PID 936 wrote to memory of 4240 936 dpdvv.exe 90 PID 936 wrote to memory of 4240 936 dpdvv.exe 90 PID 4240 wrote to memory of 668 4240 xxfffll.exe 92 PID 4240 wrote to memory of 668 4240 xxfffll.exe 92 PID 4240 wrote to memory of 668 4240 xxfffll.exe 92 PID 668 wrote to memory of 4756 668 jdjvv.exe 181 PID 668 wrote to memory of 4756 668 jdjvv.exe 181 PID 668 wrote to memory of 4756 668 jdjvv.exe 181 PID 4756 wrote to memory of 2084 4756 vvjjp.exe 94 PID 4756 wrote to memory of 2084 4756 vvjjp.exe 94 PID 4756 wrote to memory of 2084 4756 vvjjp.exe 94 PID 2084 wrote to memory of 636 2084 fxxfxll.exe 95 PID 2084 wrote to memory of 636 2084 fxxfxll.exe 95 PID 2084 wrote to memory of 636 2084 fxxfxll.exe 95 PID 636 wrote to memory of 2852 636 fffxffl.exe 97 PID 636 wrote to memory of 2852 636 
fffxffl.exe 97 PID 636 wrote to memory of 2852 636 fffxffl.exe 97 PID 2852 wrote to memory of 4152 2852 hhhhtb.exe 98 PID 2852 wrote to memory of 4152 2852 hhhhtb.exe 98 PID 2852 wrote to memory of 4152 2852 hhhhtb.exe 98 PID 4152 wrote to memory of 4468 4152 pjvpj.exe 99 PID 4152 wrote to memory of 4468 4152 pjvpj.exe 99 PID 4152 wrote to memory of 4468 4152 pjvpj.exe 99 PID 4468 wrote to memory of 4360 4468 jjddp.exe 100 PID 4468 wrote to memory of 4360 4468 jjddp.exe 100 PID 4468 wrote to memory of 4360 4468 jjddp.exe 100 PID 4360 wrote to memory of 2812 4360 lfrllll.exe 102 PID 4360 wrote to memory of 2812 4360 lfrllll.exe 102 PID 4360 wrote to memory of 2812 4360 lfrllll.exe 102 PID 2812 wrote to memory of 1480 2812 bbnnnn.exe 103 PID 2812 wrote to memory of 1480 2812 bbnnnn.exe 103 PID 2812 wrote to memory of 1480 2812 bbnnnn.exe 103 PID 1480 wrote to memory of 3592 1480 xxllllr.exe 104 PID 1480 wrote to memory of 3592 1480 xxllllr.exe 104 PID 1480 wrote to memory of 3592 1480 xxllllr.exe 104 PID 3592 wrote to memory of 1012 3592 hnbbbh.exe 105 PID 3592 wrote to memory of 1012 3592 hnbbbh.exe 105 PID 3592 wrote to memory of 1012 3592 hnbbbh.exe 105 PID 1012 wrote to memory of 4984 1012 bhnhnh.exe 106 PID 1012 wrote to memory of 4984 1012 bhnhnh.exe 106 PID 1012 wrote to memory of 4984 1012 bhnhnh.exe 106 PID 4984 wrote to memory of 2560 4984 ddjjj.exe 107 PID 4984 wrote to memory of 2560 4984 ddjjj.exe 107 PID 4984 wrote to memory of 2560 4984 ddjjj.exe 107 PID 2560 wrote to memory of 3776 2560 3xfffff.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe"C:\Users\Admin\AppData\Local\Temp\d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\bthhhn.exec:\bthhhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\ddjpp.exec:\ddjpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\1jpjj.exec:\1jpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\ffllflx.exec:\ffllflx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\lffffll.exec:\lffffll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\dpdvv.exec:\dpdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\xxfffll.exec:\xxfffll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\jdjvv.exec:\jdjvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\vvjjp.exec:\vvjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\fxxfxll.exec:\fxxfxll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\fffxffl.exec:\fffxffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\hhhhtb.exec:\hhhhtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\pjvpj.exec:\pjvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\jjddp.exec:\jjddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\lfrllll.exec:\lfrllll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\bbnnnn.exec:\bbnnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\xxllllr.exec:\xxllllr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\hnbbbh.exec:\hnbbbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\bhnhnh.exec:\bhnhnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\ddjjj.exec:\ddjjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\3xfffff.exec:\3xfffff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\ttnnhh.exec:\ttnnhh.exe23⤵
- Executes dropped EXE
PID:3776 -
\??\c:\bbnnnn.exec:\bbnnnn.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3948 -
\??\c:\vvjjj.exec:\vvjjj.exe25⤵
- Executes dropped EXE
PID:2564 -
\??\c:\ffrxflr.exec:\ffrxflr.exe26⤵
- Executes dropped EXE
PID:1868 -
\??\c:\hbbtbb.exec:\hbbtbb.exe27⤵
- Executes dropped EXE
PID:648 -
\??\c:\ppvjj.exec:\ppvjj.exe28⤵
- Executes dropped EXE
PID:1724 -
\??\c:\djvpj.exec:\djvpj.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1760 -
\??\c:\xrrrlrr.exec:\xrrrlrr.exe30⤵
- Executes dropped EXE
PID:5088 -
\??\c:\lxlfffx.exec:\lxlfffx.exe31⤵
- Executes dropped EXE
PID:1828 -
\??\c:\1nttnt.exec:\1nttnt.exe32⤵
- Executes dropped EXE
PID:4508 -
\??\c:\vdddv.exec:\vdddv.exe33⤵
- Executes dropped EXE
PID:5036 -
\??\c:\djddj.exec:\djddj.exe34⤵
- Executes dropped EXE
PID:1876 -
\??\c:\thtttt.exec:\thtttt.exe35⤵
- Executes dropped EXE
PID:2392 -
\??\c:\jdjdv.exec:\jdjdv.exe36⤵
- Executes dropped EXE
PID:2140 -
\??\c:\dvddd.exec:\dvddd.exe37⤵
- Executes dropped EXE
PID:3656 -
\??\c:\llrrrxx.exec:\llrrrxx.exe38⤵
- Executes dropped EXE
PID:1476 -
\??\c:\lxxlxxl.exec:\lxxlxxl.exe39⤵
- Executes dropped EXE
PID:1856 -
\??\c:\bhbhtt.exec:\bhbhtt.exe40⤵
- Executes dropped EXE
PID:712 -
\??\c:\dvjvv.exec:\dvjvv.exe41⤵
- Executes dropped EXE
PID:3616 -
\??\c:\pjvvj.exec:\pjvvj.exe42⤵
- Executes dropped EXE
PID:4300 -
\??\c:\flfflrl.exec:\flfflrl.exe43⤵
- Executes dropped EXE
PID:2352 -
\??\c:\llrfxll.exec:\llrfxll.exe44⤵
- Executes dropped EXE
PID:3836 -
\??\c:\hbntbb.exec:\hbntbb.exe45⤵
- Executes dropped EXE
PID:4740 -
\??\c:\ntnhnn.exec:\ntnhnn.exe46⤵
- Executes dropped EXE
PID:2956 -
\??\c:\vdpvv.exec:\vdpvv.exe47⤵
- Executes dropped EXE
PID:744 -
\??\c:\djvdd.exec:\djvdd.exe48⤵
- Executes dropped EXE
PID:396 -
\??\c:\fffffll.exec:\fffffll.exe49⤵
- Executes dropped EXE
PID:384 -
\??\c:\xffllff.exec:\xffllff.exe50⤵
- Executes dropped EXE
PID:2120 -
\??\c:\bbtntb.exec:\bbtntb.exe51⤵
- Executes dropped EXE
PID:3888 -
\??\c:\hhhnnt.exec:\hhhnnt.exe52⤵
- Executes dropped EXE
PID:636 -
\??\c:\5pvvj.exec:\5pvvj.exe53⤵
- Executes dropped EXE
PID:4020 -
\??\c:\jdvvv.exec:\jdvvv.exe54⤵
- Executes dropped EXE
PID:2012 -
\??\c:\rrllflf.exec:\rrllflf.exe55⤵
- Executes dropped EXE
PID:4956 -
\??\c:\llxxxff.exec:\llxxxff.exe56⤵
- Executes dropped EXE
PID:2336 -
\??\c:\hthhnb.exec:\hthhnb.exe57⤵
- Executes dropped EXE
PID:5004 -
\??\c:\hbhhbb.exec:\hbhhbb.exe58⤵
- Executes dropped EXE
PID:116 -
\??\c:\tbttbh.exec:\tbttbh.exe59⤵
- Executes dropped EXE
PID:2892 -
\??\c:\jpjpv.exec:\jpjpv.exe60⤵
- Executes dropped EXE
PID:3256 -
\??\c:\dvjjj.exec:\dvjjj.exe61⤵
- Executes dropped EXE
PID:4248 -
\??\c:\rxlrrxx.exec:\rxlrrxx.exe62⤵
- Executes dropped EXE
PID:3592 -
\??\c:\xfxrrll.exec:\xfxrrll.exe63⤵
- Executes dropped EXE
PID:3984 -
\??\c:\ttbbtt.exec:\ttbbtt.exe64⤵
- Executes dropped EXE
PID:4292 -
\??\c:\hbttbh.exec:\hbttbh.exe65⤵
- Executes dropped EXE
PID:1848 -
\??\c:\jvjjd.exec:\jvjjd.exe66⤵PID:1368
-
\??\c:\9pdvv.exec:\9pdvv.exe67⤵PID:3664
-
\??\c:\xrffxff.exec:\xrffxff.exe68⤵PID:4712
-
\??\c:\lxffflr.exec:\lxffflr.exe69⤵PID:1648
-
\??\c:\xflllll.exec:\xflllll.exe70⤵PID:4540
-
\??\c:\ntttbh.exec:\ntttbh.exe71⤵PID:916
-
\??\c:\ddddv.exec:\ddddv.exe72⤵PID:1228
-
\??\c:\ffxffxr.exec:\ffxffxr.exe73⤵PID:1892
-
\??\c:\xxrrrrx.exec:\xxrrrrx.exe74⤵PID:4264
-
\??\c:\bhnhhh.exec:\bhnhhh.exe75⤵PID:2640
-
\??\c:\1nttnb.exec:\1nttnb.exe76⤵PID:1164
-
\??\c:\pjjvp.exec:\pjjvp.exe77⤵PID:2652
-
\??\c:\vvvdd.exec:\vvvdd.exe78⤵PID:4924
-
\??\c:\ddjjj.exec:\ddjjj.exe79⤵PID:1492
-
\??\c:\fflxfrl.exec:\fflxfrl.exe80⤵PID:1876
-
\??\c:\bbhhhh.exec:\bbhhhh.exe81⤵PID:1196
-
\??\c:\bnhhnt.exec:\bnhhnt.exe82⤵PID:1340
-
\??\c:\hhhhtt.exec:\hhhhtt.exe83⤵PID:2140
-
\??\c:\vvddd.exec:\vvddd.exe84⤵PID:4776
-
\??\c:\dvjjd.exec:\dvjjd.exe85⤵PID:4120
-
\??\c:\rxfffll.exec:\rxfffll.exe86⤵PID:2980
-
\??\c:\htbhhn.exec:\htbhhn.exe87⤵PID:1032
-
\??\c:\dpddd.exec:\dpddd.exe88⤵PID:3956
-
\??\c:\ffxxrxx.exec:\ffxxrxx.exe89⤵PID:3672
-
\??\c:\xfrxxxf.exec:\xfrxxxf.exe90⤵PID:4804
-
\??\c:\3tnnnt.exec:\3tnnnt.exe91⤵PID:3504
-
\??\c:\9pppv.exec:\9pppv.exe92⤵PID:2124
-
\??\c:\frfxrrl.exec:\frfxrrl.exe93⤵PID:2896
-
\??\c:\bhhbnn.exec:\bhhbnn.exe94⤵PID:2956
-
\??\c:\vvdjv.exec:\vvdjv.exe95⤵PID:2964
-
\??\c:\dppvj.exec:\dppvj.exe96⤵PID:4756
-
\??\c:\htbtnn.exec:\htbtnn.exe97⤵PID:3996
-
\??\c:\1jpjj.exec:\1jpjj.exe98⤵PID:1668
-
\??\c:\3ppdd.exec:\3ppdd.exe99⤵PID:3888
-
\??\c:\1lrlxrl.exec:\1lrlxrl.exe100⤵PID:4072
-
\??\c:\3bbtht.exec:\3bbtht.exe101⤵PID:2068
-
\??\c:\dvppj.exec:\dvppj.exe102⤵PID:4152
-
\??\c:\fxfxlll.exec:\fxfxlll.exe103⤵PID:1944
-
\??\c:\bnbnnh.exec:\bnbnnh.exe104⤵PID:1404
-
\??\c:\bntnhh.exec:\bntnhh.exe105⤵PID:3632
-
\??\c:\djppv.exec:\djppv.exe106⤵PID:1192
-
\??\c:\bbnnnn.exec:\bbnnnn.exe107⤵PID:4904
-
\??\c:\7pjjj.exec:\7pjjj.exe108⤵PID:4248
-
\??\c:\llrrrxx.exec:\llrrrxx.exe109⤵PID:2432
-
\??\c:\bbbttt.exec:\bbbttt.exe110⤵PID:3988
-
\??\c:\1ttnbt.exec:\1ttnbt.exe111⤵PID:2212
-
\??\c:\ddddv.exec:\ddddv.exe112⤵PID:3872
-
\??\c:\vddvd.exec:\vddvd.exe113⤵
- System Location Discovery: System Language Discovery
PID:2548 -
\??\c:\llrllrl.exec:\llrllrl.exe114⤵PID:2564
-
\??\c:\xrfxlll.exec:\xrfxlll.exe115⤵PID:2928
-
\??\c:\hnhhbh.exec:\hnhhbh.exe116⤵PID:4512
-
\??\c:\bntttt.exec:\bntttt.exe117⤵PID:648
-
\??\c:\pdpvp.exec:\pdpvp.exe118⤵PID:436
-
\??\c:\lrxlxfl.exec:\lrxlxfl.exe119⤵PID:2540
-
\??\c:\hthhhn.exec:\hthhhn.exe120⤵PID:1892
-
\??\c:\bnhbbh.exec:\bnhbbh.exe121⤵PID:4264
-
\??\c:\jvjjj.exec:\jvjjj.exe122⤵PID:2028
-