Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-11-2024 01:37
Behavioral task
behavioral1
Sample
9bb3127dfaac24bdb2913e631a1feb901aa64890a3bc1ec05eabdb0abaa02d59.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9bb3127dfaac24bdb2913e631a1feb901aa64890a3bc1ec05eabdb0abaa02d59.exe
-
Size
97KB
-
MD5
014301727aebf8c5af2524178d99c7e2
-
SHA1
2b5ea27c9308c551c3491968bd2bee6d2f314d7e
-
SHA256
9bb3127dfaac24bdb2913e631a1feb901aa64890a3bc1ec05eabdb0abaa02d59
-
SHA512
3b17f8446b02e70b96452a10a56f869891e111607aa94bf3a2c1b7ce73d266481d8e04cd72ab9d0929c221df9dc830d7099752d06e19beb83fc84068523c4b4f
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgr:8cm4FmowdHoSgWrXUgr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Processes:
resource yara_rule behavioral2/memory/4384-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2760-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2036-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1624-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/972-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2872-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/112-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3084-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2736-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2504-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1904-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3844-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3976-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2380-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2756-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1344-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3268-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1628-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/716-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1200-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1400-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2060-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1212-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3676-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3232-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1248-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1640-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-394-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3704-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3324-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-569-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-652-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-711-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-720-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-1163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
pjppp.exerlllllr.exetnttnn.exebtthbn.exeppddd.exelxxrlfx.exetnbtnb.exeddjvp.exerrlfxxr.exellfxrlf.exebbtntn.exepjvvp.exerxrrxrl.exexrrllll.exehnbthn.exejjvvv.exe5ddvv.exerlrllxr.exenttttb.exejjjpp.exedvdvp.exeffrrrrr.exetbbbtt.exejjjdj.exexrllfxr.exelflfrlf.exejdvvj.exelfllffx.exebnnnhb.exejdvvp.exe1xrrlll.exehhhbhn.exepvvvv.exe1xffllf.exerfrfrlf.exe5hhnnn.exe9jdvp.exejdpdj.exe7fllrrx.exebntbbb.exenbnbtb.exeddvvv.exeddjdd.exerrxrxxx.exerflffxr.exe7ntttt.exevdddv.exexffrxff.exehnnhbb.exedppjj.exe5jpjp.exellllffx.exe5btttb.exedjddd.exexlffxff.exeflrlllr.exeppjvp.exerlllflr.exetnnnnn.exeddvvd.exejjddv.exexrrlfll.exehbtbnh.exe7ddvv.exepid Process 4188 pjppp.exe 2760 rlllllr.exe 2036 tnttnn.exe 3604 btthbn.exe 3600 ppddd.exe 3376 lxxrlfx.exe 1624 tnbtnb.exe 4280 ddjvp.exe 4296 rrlfxxr.exe 1040 llfxrlf.exe 1532 bbtntn.exe 628 pjvvp.exe 5004 rxrrxrl.exe 972 xrrllll.exe 2872 hnbthn.exe 4876 jjvvv.exe 3556 5ddvv.exe 3744 rlrllxr.exe 4768 nttttb.exe 4636 jjjpp.exe 2464 dvdvp.exe 112 ffrrrrr.exe 4896 tbbbtt.exe 3084 jjjdj.exe 2736 xrllfxr.exe 2504 lflfrlf.exe 1904 jdvvj.exe 3844 lfllffx.exe 3892 bnnnhb.exe 1700 jdvvp.exe 732 1xrrlll.exe 1604 hhhbhn.exe 3976 pvvvv.exe 436 1xffllf.exe 2380 rfrfrlf.exe 5112 5hhnnn.exe 2624 9jdvp.exe 4712 jdpdj.exe 220 7fllrrx.exe 3060 bntbbb.exe 2756 nbnbtb.exe 1248 ddvvv.exe 1060 ddjdd.exe 3960 rrxrxxx.exe 1484 rflffxr.exe 4396 7ntttt.exe 4540 vdddv.exe 3500 xffrxff.exe 2764 hnnhbb.exe 1344 dppjj.exe 3508 5jpjp.exe 4256 llllffx.exe 3704 5btttb.exe 3412 djddd.exe 116 xlffxff.exe 3376 flrlllr.exe 3024 ppjvp.exe 3268 rlllflr.exe 5000 tnnnnn.exe 2184 ddvvd.exe 1628 jjddv.exe 1196 xrrlfll.exe 1900 hbtbnh.exe 868 7ddvv.exe -
Processes:
resource yara_rule behavioral2/memory/4384-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b38-3.dat upx behavioral2/memory/4384-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b93-8.dat upx behavioral2/memory/4188-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-11.dat upx behavioral2/memory/2760-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2036-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3604-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3604-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-20.dat upx behavioral2/files/0x000a000000023b9c-25.dat upx behavioral2/files/0x000a000000023b9e-29.dat upx behavioral2/memory/3600-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9f-34.dat upx behavioral2/memory/3376-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba0-39.dat upx behavioral2/memory/1624-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba1-44.dat upx behavioral2/memory/4296-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1040-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba2-51.dat upx behavioral2/memory/4296-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba3-56.dat upx behavioral2/memory/4280-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023ba4-60.dat upx behavioral2/memory/1532-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba5-65.dat upx behavioral2/memory/5004-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0058000000023ba6-70.dat upx 
behavioral2/memory/972-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba7-74.dat upx behavioral2/files/0x000a000000023ba8-81.dat upx behavioral2/memory/2872-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba9-84.dat upx behavioral2/memory/4876-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3556-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baa-90.dat upx behavioral2/files/0x000a000000023bab-94.dat upx behavioral2/files/0x000a000000023bac-98.dat upx behavioral2/memory/4768-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bad-103.dat upx behavioral2/memory/4636-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2464-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bae-108.dat upx behavioral2/files/0x000a000000023baf-113.dat upx behavioral2/memory/112-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb1-118.dat upx behavioral2/memory/4896-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb2-124.dat upx behavioral2/memory/3084-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2736-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb3-130.dat upx behavioral2/memory/2504-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb4-135.dat upx behavioral2/memory/1904-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b97-139.dat upx behavioral2/memory/3844-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb5-144.dat upx behavioral2/files/0x000a000000023bb6-150.dat upx behavioral2/memory/3892-149-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1700-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb7-153.dat upx behavioral2/files/0x000a000000023bb8-157.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
7lrlfxr.exe1lfrllf.exethbbtt.exexffrxff.exerlfxrll.exennhbtt.exejddjd.exerlrflrf.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9bb3127dfaac24bdb2913e631a1feb901aa64890a3bc1ec05eabdb0abaa02d59.exepjppp.exerlllllr.exetnttnn.exebtthbn.exeppddd.exelxxrlfx.exetnbtnb.exeddjvp.exerrlfxxr.exellfxrlf.exebbtntn.exepjvvp.exerxrrxrl.exexrrllll.exehnbthn.exejjvvv.exe5ddvv.exerlrllxr.exenttttb.exejjjpp.exedvdvp.exedescription pid Process procid_target PID 4384 wrote to memory of 4188 4384 9bb3127dfaac24bdb2913e631a1feb901aa64890a3bc1ec05eabdb0abaa02d59.exe 83 PID 4384 wrote to memory of 4188 4384 9bb3127dfaac24bdb2913e631a1feb901aa64890a3bc1ec05eabdb0abaa02d59.exe 83 PID 4384 wrote to memory of 4188 4384 9bb3127dfaac24bdb2913e631a1feb901aa64890a3bc1ec05eabdb0abaa02d59.exe 83 PID 4188 wrote to memory of 2760 4188 pjppp.exe 84 PID 4188 wrote to memory of 2760 4188 pjppp.exe 84 PID 4188 wrote to memory of 2760 4188 pjppp.exe 84 PID 2760 wrote to memory of 2036 2760 rlllllr.exe 85 PID 2760 wrote to memory of 2036 2760 rlllllr.exe 85 PID 2760 wrote to memory of 2036 2760 rlllllr.exe 85 PID 2036 wrote to memory of 3604 2036 tnttnn.exe 86 PID 2036 wrote to memory of 3604 2036 tnttnn.exe 86 PID 2036 wrote to memory of 3604 2036 tnttnn.exe 86 PID 3604 wrote to memory of 3600 3604 btthbn.exe 87 PID 3604 wrote to memory of 3600 3604 btthbn.exe 87 PID 3604 wrote to memory of 3600 3604 btthbn.exe 87 PID 3600 wrote to memory of 3376 3600 ppddd.exe 88 PID 3600 wrote to memory of 3376 3600 ppddd.exe 88 PID 3600 wrote to memory of 3376 3600 ppddd.exe 88 PID 3376 wrote to memory of 1624 3376 lxxrlfx.exe 89 PID 3376 wrote to memory of 1624 3376 lxxrlfx.exe 89 PID 3376 wrote to memory of 1624 3376 lxxrlfx.exe 89 PID 1624 wrote to memory of 4280 1624 tnbtnb.exe 90 PID 1624 wrote to memory of 4280 1624 tnbtnb.exe 90 PID 1624 wrote to memory of 4280 1624 tnbtnb.exe 90 PID 4280 wrote to memory of 4296 4280 ddjvp.exe 91 PID 4280 wrote to memory of 4296 4280 ddjvp.exe 91 PID 4280 wrote to memory of 4296 4280 ddjvp.exe 91 PID 4296 wrote to memory of 1040 4296 rrlfxxr.exe 92 PID 4296 wrote to memory of 1040 4296 rrlfxxr.exe 92 PID 
4296 wrote to memory of 1040 4296 rrlfxxr.exe 92 PID 1040 wrote to memory of 1532 1040 llfxrlf.exe 93 PID 1040 wrote to memory of 1532 1040 llfxrlf.exe 93 PID 1040 wrote to memory of 1532 1040 llfxrlf.exe 93 PID 1532 wrote to memory of 628 1532 bbtntn.exe 94 PID 1532 wrote to memory of 628 1532 bbtntn.exe 94 PID 1532 wrote to memory of 628 1532 bbtntn.exe 94 PID 628 wrote to memory of 5004 628 pjvvp.exe 95 PID 628 wrote to memory of 5004 628 pjvvp.exe 95 PID 628 wrote to memory of 5004 628 pjvvp.exe 95 PID 5004 wrote to memory of 972 5004 rxrrxrl.exe 96 PID 5004 wrote to memory of 972 5004 rxrrxrl.exe 96 PID 5004 wrote to memory of 972 5004 rxrrxrl.exe 96 PID 972 wrote to memory of 2872 972 xrrllll.exe 97 PID 972 wrote to memory of 2872 972 xrrllll.exe 97 PID 972 wrote to memory of 2872 972 xrrllll.exe 97 PID 2872 wrote to memory of 4876 2872 hnbthn.exe 98 PID 2872 wrote to memory of 4876 2872 hnbthn.exe 98 PID 2872 wrote to memory of 4876 2872 hnbthn.exe 98 PID 4876 wrote to memory of 3556 4876 jjvvv.exe 99 PID 4876 wrote to memory of 3556 4876 jjvvv.exe 99 PID 4876 wrote to memory of 3556 4876 jjvvv.exe 99 PID 3556 wrote to memory of 3744 3556 5ddvv.exe 100 PID 3556 wrote to memory of 3744 3556 5ddvv.exe 100 PID 3556 wrote to memory of 3744 3556 5ddvv.exe 100 PID 3744 wrote to memory of 4768 3744 rlrllxr.exe 101 PID 3744 wrote to memory of 4768 3744 rlrllxr.exe 101 PID 3744 wrote to memory of 4768 3744 rlrllxr.exe 101 PID 4768 wrote to memory of 4636 4768 nttttb.exe 102 PID 4768 wrote to memory of 4636 4768 nttttb.exe 102 PID 4768 wrote to memory of 4636 4768 nttttb.exe 102 PID 4636 wrote to memory of 2464 4636 jjjpp.exe 103 PID 4636 wrote to memory of 2464 4636 jjjpp.exe 103 PID 4636 wrote to memory of 2464 4636 jjjpp.exe 103 PID 2464 wrote to memory of 112 2464 dvdvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bb3127dfaac24bdb2913e631a1feb901aa64890a3bc1ec05eabdb0abaa02d59.exe"C:\Users\Admin\AppData\Local\Temp\9bb3127dfaac24bdb2913e631a1feb901aa64890a3bc1ec05eabdb0abaa02d59.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\pjppp.exec:\pjppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\rlllllr.exec:\rlllllr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\tnttnn.exec:\tnttnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\btthbn.exec:\btthbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\ppddd.exec:\ppddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\tnbtnb.exec:\tnbtnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\ddjvp.exec:\ddjvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\rrlfxxr.exec:\rrlfxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\llfxrlf.exec:\llfxrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\bbtntn.exec:\bbtntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\pjvvp.exec:\pjvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\rxrrxrl.exec:\rxrrxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\xrrllll.exec:\xrrllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\hnbthn.exec:\hnbthn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\jjvvv.exec:\jjvvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\5ddvv.exec:\5ddvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\rlrllxr.exec:\rlrllxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\nttttb.exec:\nttttb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\jjjpp.exec:\jjjpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\dvdvp.exec:\dvdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\ffrrrrr.exec:\ffrrrrr.exe23⤵
- Executes dropped EXE
PID:112 -
\??\c:\tbbbtt.exec:\tbbbtt.exe24⤵
- Executes dropped EXE
PID:4896 -
\??\c:\jjjdj.exec:\jjjdj.exe25⤵
- Executes dropped EXE
PID:3084 -
\??\c:\xrllfxr.exec:\xrllfxr.exe26⤵
- Executes dropped EXE
PID:2736 -
\??\c:\lflfrlf.exec:\lflfrlf.exe27⤵
- Executes dropped EXE
PID:2504 -
\??\c:\jdvvj.exec:\jdvvj.exe28⤵
- Executes dropped EXE
PID:1904 -
\??\c:\lfllffx.exec:\lfllffx.exe29⤵
- Executes dropped EXE
PID:3844 -
\??\c:\bnnnhb.exec:\bnnnhb.exe30⤵
- Executes dropped EXE
PID:3892 -
\??\c:\jdvvp.exec:\jdvvp.exe31⤵
- Executes dropped EXE
PID:1700 -
\??\c:\1xrrlll.exec:\1xrrlll.exe32⤵
- Executes dropped EXE
PID:732 -
\??\c:\hhhbhn.exec:\hhhbhn.exe33⤵
- Executes dropped EXE
PID:1604 -
\??\c:\pvvvv.exec:\pvvvv.exe34⤵
- Executes dropped EXE
PID:3976 -
\??\c:\1xffllf.exec:\1xffllf.exe35⤵
- Executes dropped EXE
PID:436 -
\??\c:\rfrfrlf.exec:\rfrfrlf.exe36⤵
- Executes dropped EXE
PID:2380 -
\??\c:\5hhnnn.exec:\5hhnnn.exe37⤵
- Executes dropped EXE
PID:5112 -
\??\c:\9jdvp.exec:\9jdvp.exe38⤵
- Executes dropped EXE
PID:2624 -
\??\c:\jdpdj.exec:\jdpdj.exe39⤵
- Executes dropped EXE
PID:4712 -
\??\c:\7fllrrx.exec:\7fllrrx.exe40⤵
- Executes dropped EXE
PID:220 -
\??\c:\bntbbb.exec:\bntbbb.exe41⤵
- Executes dropped EXE
PID:3060 -
\??\c:\nbnbtb.exec:\nbnbtb.exe42⤵
- Executes dropped EXE
PID:2756 -
\??\c:\ddvvv.exec:\ddvvv.exe43⤵
- Executes dropped EXE
PID:1248 -
\??\c:\ddjdd.exec:\ddjdd.exe44⤵
- Executes dropped EXE
PID:1060 -
\??\c:\rrxrxxx.exec:\rrxrxxx.exe45⤵
- Executes dropped EXE
PID:3960 -
\??\c:\rflffxr.exec:\rflffxr.exe46⤵
- Executes dropped EXE
PID:1484 -
\??\c:\7ntttt.exec:\7ntttt.exe47⤵
- Executes dropped EXE
PID:4396 -
\??\c:\tbbbtb.exec:\tbbbtb.exe48⤵PID:4480
-
\??\c:\vdddv.exec:\vdddv.exe49⤵
- Executes dropped EXE
PID:4540 -
\??\c:\xffrxff.exec:\xffrxff.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3500 -
\??\c:\hnnhbb.exec:\hnnhbb.exe51⤵
- Executes dropped EXE
PID:2764 -
\??\c:\dppjj.exec:\dppjj.exe52⤵
- Executes dropped EXE
PID:1344 -
\??\c:\5jpjp.exec:\5jpjp.exe53⤵
- Executes dropped EXE
PID:3508 -
\??\c:\llllffx.exec:\llllffx.exe54⤵
- Executes dropped EXE
PID:4256 -
\??\c:\5btttb.exec:\5btttb.exe55⤵
- Executes dropped EXE
PID:3704 -
\??\c:\djddd.exec:\djddd.exe56⤵
- Executes dropped EXE
PID:3412 -
\??\c:\xlffxff.exec:\xlffxff.exe57⤵
- Executes dropped EXE
PID:116 -
\??\c:\flrlllr.exec:\flrlllr.exe58⤵
- Executes dropped EXE
PID:3376 -
\??\c:\ppjvp.exec:\ppjvp.exe59⤵
- Executes dropped EXE
PID:3024 -
\??\c:\rlllflr.exec:\rlllflr.exe60⤵
- Executes dropped EXE
PID:3268 -
\??\c:\tnnnnn.exec:\tnnnnn.exe61⤵
- Executes dropped EXE
PID:5000 -
\??\c:\ddvvd.exec:\ddvvd.exe62⤵
- Executes dropped EXE
PID:2184 -
\??\c:\jjddv.exec:\jjddv.exe63⤵
- Executes dropped EXE
PID:1628 -
\??\c:\xrrlfll.exec:\xrrlfll.exe64⤵
- Executes dropped EXE
PID:1196 -
\??\c:\hbtbnh.exec:\hbtbnh.exe65⤵
- Executes dropped EXE
PID:1900 -
\??\c:\7ddvv.exec:\7ddvv.exe66⤵
- Executes dropped EXE
PID:868 -
\??\c:\jjdpj.exec:\jjdpj.exe67⤵PID:628
-
\??\c:\lffxrrr.exec:\lffxrrr.exe68⤵PID:716
-
\??\c:\pvpjd.exec:\pvpjd.exe69⤵PID:3196
-
\??\c:\lfffxrx.exec:\lfffxrx.exe70⤵PID:2536
-
\??\c:\5fxrllf.exec:\5fxrllf.exe71⤵PID:2872
-
\??\c:\bbbtnn.exec:\bbbtnn.exe72⤵PID:3596
-
\??\c:\jdpdp.exec:\jdpdp.exe73⤵PID:4092
-
\??\c:\vppvj.exec:\vppvj.exe74⤵PID:1452
-
\??\c:\lrlrffr.exec:\lrlrffr.exe75⤵PID:3276
-
\??\c:\frrrllf.exec:\frrrllf.exe76⤵PID:2188
-
\??\c:\bnhbnh.exec:\bnhbnh.exe77⤵PID:624
-
\??\c:\3jjjv.exec:\3jjjv.exe78⤵PID:4952
-
\??\c:\pvppd.exec:\pvppd.exe79⤵PID:1200
-
\??\c:\1rflxrf.exec:\1rflxrf.exe80⤵PID:3956
-
\??\c:\xxxrrlr.exec:\xxxrrlr.exe81⤵PID:1400
-
\??\c:\7thbth.exec:\7thbth.exe82⤵PID:3020
-
\??\c:\hhtbth.exec:\hhtbth.exe83⤵PID:2060
-
\??\c:\3dpjd.exec:\3dpjd.exe84⤵PID:4644
-
\??\c:\9jdvj.exec:\9jdvj.exe85⤵PID:1192
-
\??\c:\xrrxrlf.exec:\xrrxrlf.exe86⤵PID:4632
-
\??\c:\bbbtnb.exec:\bbbtnb.exe87⤵PID:4164
-
\??\c:\ntthtn.exec:\ntthtn.exe88⤵PID:3008
-
\??\c:\pvvpd.exec:\pvvpd.exe89⤵PID:3696
-
\??\c:\xlfrlfr.exec:\xlfrlfr.exe90⤵PID:4720
-
\??\c:\llxlfxr.exec:\llxlfxr.exe91⤵PID:3788
-
\??\c:\bthbnh.exec:\bthbnh.exe92⤵PID:1212
-
\??\c:\nhbthh.exec:\nhbthh.exe93⤵PID:1536
-
\??\c:\7jdvj.exec:\7jdvj.exe94⤵PID:1660
-
\??\c:\ffxlxxl.exec:\ffxlxxl.exe95⤵PID:3676
-
\??\c:\7xxlxxl.exec:\7xxlxxl.exe96⤵PID:4956
-
\??\c:\htnbtn.exec:\htnbtn.exe97⤵PID:2332
-
\??\c:\htbttn.exec:\htbttn.exe98⤵PID:4668
-
\??\c:\pvpjv.exec:\pvpjv.exe99⤵PID:4472
-
\??\c:\lfxlxrf.exec:\lfxlxrf.exe100⤵PID:3232
-
\??\c:\nhbthh.exec:\nhbthh.exe101⤵PID:920
-
\??\c:\bbnnnn.exec:\bbnnnn.exe102⤵PID:768
-
\??\c:\djdvp.exec:\djdvp.exe103⤵PID:4392
-
\??\c:\7lrlfxr.exec:\7lrlfxr.exe104⤵
- System Location Discovery: System Language Discovery
PID:464 -
\??\c:\5xrfrrf.exec:\5xrfrrf.exe105⤵PID:1248
-
\??\c:\btnhbt.exec:\btnhbt.exe106⤵PID:1020
-
\??\c:\bnnhnh.exec:\bnnhnh.exe107⤵PID:3960
-
\??\c:\vpvpj.exec:\vpvpj.exe108⤵PID:1484
-
\??\c:\1ddpj.exec:\1ddpj.exe109⤵PID:3888
-
\??\c:\3xrrlfx.exec:\3xrrlfx.exe110⤵PID:4964
-
\??\c:\bttthh.exec:\bttthh.exe111⤵PID:3692
-
\??\c:\nnhbnn.exec:\nnhbnn.exe112⤵PID:2912
-
\??\c:\pjjdd.exec:\pjjdd.exe113⤵PID:3512
-
\??\c:\ppjdd.exec:\ppjdd.exe114⤵PID:1344
-
\??\c:\1rlfxrl.exec:\1rlfxrl.exe115⤵PID:3508
-
\??\c:\hhbtnh.exec:\hhbtnh.exe116⤵PID:3980
-
\??\c:\nhbtnn.exec:\nhbtnn.exe117⤵PID:3480
-
\??\c:\vjjvp.exec:\vjjvp.exe118⤵PID:4804
-
\??\c:\llrrrll.exec:\llrrrll.exe119⤵PID:2212
-
\??\c:\5rrxrrl.exec:\5rrxrrl.exe120⤵PID:2612
-
\??\c:\bttbhn.exec:\bttbhn.exe121⤵PID:1624
-
\??\c:\nhhbnh.exec:\nhhbnh.exe122⤵PID:5100