Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-11-2024 08:36
Behavioral task
behavioral1
Sample
35ab5a997a03f0446dc635d4986165768ca0b98f36e24958a52eaf21a7ade703N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
35ab5a997a03f0446dc635d4986165768ca0b98f36e24958a52eaf21a7ade703N.exe
-
Size
332KB
-
MD5
7be9780dc159b05bd74ac0c88b7a0be0
-
SHA1
14e51fc66b79863d1f6036472a4752e0c1ea1c98
-
SHA256
35ab5a997a03f0446dc635d4986165768ca0b98f36e24958a52eaf21a7ade703
-
SHA512
650139f16e9dee129c8af31b9a6b2939c2f58cd671c3d8ea74ee3c2fa30526853c2b3814a130463e941a33355480a56f0389fd08ac9a2edad9312a2e3061172b
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe1:R4wFHoSHYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2324-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/884-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2604-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1076-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2108-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/624-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1116-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1804-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/780-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1640-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1372-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/840-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3352-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2736-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/116-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3292-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3960-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3844-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-483-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-560-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-601-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2780-608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-865-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-1134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-1241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 884 lrxfrfl.exe 1612 5btnnh.exe 2604 9dddv.exe 3608 7flflrf.exe 1076 bhhhhn.exe 4788 5ttbbh.exe 3416 9pddv.exe 2108 5rxxrxr.exe 2888 nnttnt.exe 548 rrfxfxx.exe 3808 tbhbbb.exe 2920 3rrrlrl.exe 768 nbhbbb.exe 3656 pdvpd.exe 1056 hbnhbb.exe 640 lxlflll.exe 4396 vjjjd.exe 3616 jdddv.exe 1900 rlrrlxr.exe 1548 1bbhbb.exe 4992 tntttt.exe 2924 dpvpj.exe 624 5ffxrlf.exe 3544 ttnnhn.exe 4004 xlxrlll.exe 1116 btbttt.exe 1808 bntnht.exe 3660 lxflxxx.exe 2856 bthbbb.exe 5116 dvppj.exe 3168 nnnnhh.exe 4996 nhnhnn.exe 4112 hhtnbh.exe 892 tnnhbb.exe 1348 vdvvv.exe 1804 xflffff.exe 1936 ddpjd.exe 780 lxlllll.exe 1868 7llxrrr.exe 4136 vjvvp.exe 3932 jvddj.exe 2320 1xffxxx.exe 2900 vpdjp.exe 320 lrxxflf.exe 3964 nttttb.exe 4076 tnnnhh.exe 3864 jvjjj.exe 1640 xrlrxlx.exe 2548 nhhhbh.exe 2712 nhhbbb.exe 1372 jpppp.exe 840 7flllrl.exe 1396 xxxxxff.exe 2876 jvjjj.exe 3352 vpjpp.exe 2736 7rlllrr.exe 3036 9tbtnn.exe 1120 jjvpv.exe 4436 dvjvp.exe 2524 lflrfff.exe 2472 tttttt.exe 4632 btbttt.exe 1796 pjjdv.exe 3552 jdpjd.exe -
resource yara_rule behavioral2/memory/2324-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b26-3.dat upx behavioral2/memory/2324-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0032000000023b77-8.dat upx behavioral2/memory/884-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-11.dat upx behavioral2/memory/2604-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1612-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-25.dat upx behavioral2/memory/1076-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-30.dat upx behavioral2/memory/4788-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3416-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-35.dat upx behavioral2/memory/3608-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-20.dat upx behavioral2/files/0x000a000000023b81-39.dat upx behavioral2/files/0x000a000000023b82-43.dat upx behavioral2/memory/2108-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-48.dat upx behavioral2/memory/2888-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-53.dat upx behavioral2/memory/548-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-58.dat upx behavioral2/memory/3808-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-63.dat upx behavioral2/memory/2920-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-69.dat upx behavioral2/memory/768-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-74.dat upx 
behavioral2/memory/3656-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b78-78.dat upx behavioral2/memory/640-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4396-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-94.dat upx behavioral2/memory/1900-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3616-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-88.dat upx behavioral2/files/0x000a000000023b8a-83.dat upx behavioral2/files/0x000a000000023b8d-98.dat upx behavioral2/files/0x000a000000023b8e-102.dat upx behavioral2/files/0x000a000000023b8f-106.dat upx behavioral2/memory/4992-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-111.dat upx behavioral2/files/0x000a000000023b91-116.dat upx behavioral2/memory/624-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-120.dat upx behavioral2/files/0x000a000000023b93-124.dat upx behavioral2/memory/1116-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-129.dat upx behavioral2/files/0x000a000000023b95-133.dat upx behavioral2/memory/3660-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-137.dat upx behavioral2/files/0x000a000000023b97-142.dat upx behavioral2/files/0x000a000000023b98-147.dat upx behavioral2/files/0x000a000000023b99-150.dat upx behavioral2/memory/4996-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4112-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1348-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1804-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1936-168-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/780-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3932-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2320-181-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2324 wrote to memory of 884 2324 35ab5a997a03f0446dc635d4986165768ca0b98f36e24958a52eaf21a7ade703N.exe 83 PID 2324 wrote to memory of 884 2324 35ab5a997a03f0446dc635d4986165768ca0b98f36e24958a52eaf21a7ade703N.exe 83 PID 2324 wrote to memory of 884 2324 35ab5a997a03f0446dc635d4986165768ca0b98f36e24958a52eaf21a7ade703N.exe 83 PID 884 wrote to memory of 1612 884 lrxfrfl.exe 84 PID 884 wrote to memory of 1612 884 lrxfrfl.exe 84 PID 884 wrote to memory of 1612 884 lrxfrfl.exe 84 PID 1612 wrote to memory of 2604 1612 5btnnh.exe 85 PID 1612 wrote to memory of 2604 1612 5btnnh.exe 85 PID 1612 wrote to memory of 2604 1612 5btnnh.exe 85 PID 2604 wrote to memory of 3608 2604 9dddv.exe 86 PID 2604 wrote to memory of 3608 2604 9dddv.exe 86 PID 2604 wrote to memory of 3608 2604 9dddv.exe 86 PID 3608 wrote to memory of 1076 3608 7flflrf.exe 87 PID 3608 wrote to memory of 1076 3608 7flflrf.exe 87 PID 3608 wrote to memory of 1076 3608 7flflrf.exe 87 PID 1076 wrote to memory of 4788 1076 bhhhhn.exe 88 PID 1076 wrote to memory of 4788 1076 bhhhhn.exe 88 PID 1076 wrote to memory of 4788 1076 bhhhhn.exe 88 PID 4788 wrote to memory of 3416 4788 5ttbbh.exe 89 PID 4788 wrote to memory of 3416 4788 5ttbbh.exe 89 PID 4788 wrote to memory of 3416 4788 5ttbbh.exe 89 PID 3416 wrote to memory of 2108 3416 9pddv.exe 90 PID 3416 wrote to memory of 2108 3416 9pddv.exe 90 PID 3416 wrote to memory of 2108 3416 9pddv.exe 90 PID 2108 wrote to memory of 2888 2108 5rxxrxr.exe 91 PID 2108 wrote to memory of 2888 2108 5rxxrxr.exe 91 PID 2108 wrote to memory of 2888 2108 5rxxrxr.exe 91 PID 2888 wrote to memory of 548 2888 nnttnt.exe 92 PID 2888 wrote to memory of 548 2888 nnttnt.exe 92 PID 2888 wrote to memory of 548 2888 nnttnt.exe 92 PID 548 wrote to memory of 3808 548 rrfxfxx.exe 93 PID 548 wrote to memory of 3808 548 rrfxfxx.exe 93 PID 548 wrote to memory of 3808 548 rrfxfxx.exe 93 PID 3808 wrote to memory of 2920 3808 tbhbbb.exe 94 PID 3808 wrote to memory of 
2920 3808 tbhbbb.exe 94 PID 3808 wrote to memory of 2920 3808 tbhbbb.exe 94 PID 2920 wrote to memory of 768 2920 3rrrlrl.exe 95 PID 2920 wrote to memory of 768 2920 3rrrlrl.exe 95 PID 2920 wrote to memory of 768 2920 3rrrlrl.exe 95 PID 768 wrote to memory of 3656 768 nbhbbb.exe 96 PID 768 wrote to memory of 3656 768 nbhbbb.exe 96 PID 768 wrote to memory of 3656 768 nbhbbb.exe 96 PID 3656 wrote to memory of 1056 3656 pdvpd.exe 97 PID 3656 wrote to memory of 1056 3656 pdvpd.exe 97 PID 3656 wrote to memory of 1056 3656 pdvpd.exe 97 PID 1056 wrote to memory of 640 1056 hbnhbb.exe 98 PID 1056 wrote to memory of 640 1056 hbnhbb.exe 98 PID 1056 wrote to memory of 640 1056 hbnhbb.exe 98 PID 640 wrote to memory of 4396 640 lxlflll.exe 99 PID 640 wrote to memory of 4396 640 lxlflll.exe 99 PID 640 wrote to memory of 4396 640 lxlflll.exe 99 PID 4396 wrote to memory of 3616 4396 vjjjd.exe 100 PID 4396 wrote to memory of 3616 4396 vjjjd.exe 100 PID 4396 wrote to memory of 3616 4396 vjjjd.exe 100 PID 3616 wrote to memory of 1900 3616 jdddv.exe 101 PID 3616 wrote to memory of 1900 3616 jdddv.exe 101 PID 3616 wrote to memory of 1900 3616 jdddv.exe 101 PID 1900 wrote to memory of 1548 1900 rlrrlxr.exe 102 PID 1900 wrote to memory of 1548 1900 rlrrlxr.exe 102 PID 1900 wrote to memory of 1548 1900 rlrrlxr.exe 102 PID 1548 wrote to memory of 4992 1548 1bbhbb.exe 103 PID 1548 wrote to memory of 4992 1548 1bbhbb.exe 103 PID 1548 wrote to memory of 4992 1548 1bbhbb.exe 103 PID 4992 wrote to memory of 2924 4992 tntttt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\35ab5a997a03f0446dc635d4986165768ca0b98f36e24958a52eaf21a7ade703N.exe"C:\Users\Admin\AppData\Local\Temp\35ab5a997a03f0446dc635d4986165768ca0b98f36e24958a52eaf21a7ade703N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\lrxfrfl.exec:\lrxfrfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\5btnnh.exec:\5btnnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\9dddv.exec:\9dddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\7flflrf.exec:\7flflrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\bhhhhn.exec:\bhhhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\5ttbbh.exec:\5ttbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\9pddv.exec:\9pddv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\5rxxrxr.exec:\5rxxrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\nnttnt.exec:\nnttnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\rrfxfxx.exec:\rrfxfxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\tbhbbb.exec:\tbhbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\3rrrlrl.exec:\3rrrlrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\nbhbbb.exec:\nbhbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\pdvpd.exec:\pdvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\hbnhbb.exec:\hbnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\lxlflll.exec:\lxlflll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\vjjjd.exec:\vjjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\jdddv.exec:\jdddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\rlrrlxr.exec:\rlrrlxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\1bbhbb.exec:\1bbhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\tntttt.exec:\tntttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\dpvpj.exec:\dpvpj.exe23⤵
- Executes dropped EXE
PID:2924 -
\??\c:\5ffxrlf.exec:\5ffxrlf.exe24⤵
- Executes dropped EXE
PID:624 -
\??\c:\ttnnhn.exec:\ttnnhn.exe25⤵
- Executes dropped EXE
PID:3544 -
\??\c:\xlxrlll.exec:\xlxrlll.exe26⤵
- Executes dropped EXE
PID:4004 -
\??\c:\btbttt.exec:\btbttt.exe27⤵
- Executes dropped EXE
PID:1116 -
\??\c:\bntnht.exec:\bntnht.exe28⤵
- Executes dropped EXE
PID:1808 -
\??\c:\lxflxxx.exec:\lxflxxx.exe29⤵
- Executes dropped EXE
PID:3660 -
\??\c:\bthbbb.exec:\bthbbb.exe30⤵
- Executes dropped EXE
PID:2856 -
\??\c:\dvppj.exec:\dvppj.exe31⤵
- Executes dropped EXE
PID:5116 -
\??\c:\nnnnhh.exec:\nnnnhh.exe32⤵
- Executes dropped EXE
PID:3168 -
\??\c:\nhnhnn.exec:\nhnhnn.exe33⤵
- Executes dropped EXE
PID:4996 -
\??\c:\hhtnbh.exec:\hhtnbh.exe34⤵
- Executes dropped EXE
PID:4112 -
\??\c:\tnnhbb.exec:\tnnhbb.exe35⤵
- Executes dropped EXE
PID:892 -
\??\c:\vdvvv.exec:\vdvvv.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1348 -
\??\c:\xflffff.exec:\xflffff.exe37⤵
- Executes dropped EXE
PID:1804 -
\??\c:\ddpjd.exec:\ddpjd.exe38⤵
- Executes dropped EXE
PID:1936 -
\??\c:\lxlllll.exec:\lxlllll.exe39⤵
- Executes dropped EXE
PID:780 -
\??\c:\7llxrrr.exec:\7llxrrr.exe40⤵
- Executes dropped EXE
PID:1868 -
\??\c:\vjvvp.exec:\vjvvp.exe41⤵
- Executes dropped EXE
PID:4136 -
\??\c:\jvddj.exec:\jvddj.exe42⤵
- Executes dropped EXE
PID:3932 -
\??\c:\1xffxxx.exec:\1xffxxx.exe43⤵
- Executes dropped EXE
PID:2320 -
\??\c:\vpdjp.exec:\vpdjp.exe44⤵
- Executes dropped EXE
PID:2900 -
\??\c:\lrxxflf.exec:\lrxxflf.exe45⤵
- Executes dropped EXE
PID:320 -
\??\c:\nttttb.exec:\nttttb.exe46⤵
- Executes dropped EXE
PID:3964 -
\??\c:\tnnnhh.exec:\tnnnhh.exe47⤵
- Executes dropped EXE
PID:4076 -
\??\c:\jvjjj.exec:\jvjjj.exe48⤵
- Executes dropped EXE
PID:3864 -
\??\c:\xrlrxlx.exec:\xrlrxlx.exe49⤵
- Executes dropped EXE
PID:1640 -
\??\c:\nhhhbh.exec:\nhhhbh.exe50⤵
- Executes dropped EXE
PID:2548 -
\??\c:\nhhbbb.exec:\nhhbbb.exe51⤵
- Executes dropped EXE
PID:2712 -
\??\c:\jpppp.exec:\jpppp.exe52⤵
- Executes dropped EXE
PID:1372 -
\??\c:\7flllrl.exec:\7flllrl.exe53⤵
- Executes dropped EXE
PID:840 -
\??\c:\xxxxxff.exec:\xxxxxff.exe54⤵
- Executes dropped EXE
PID:1396 -
\??\c:\ttbbnt.exec:\ttbbnt.exe55⤵PID:4440
-
\??\c:\jvjjj.exec:\jvjjj.exe56⤵
- Executes dropped EXE
PID:2876 -
\??\c:\vpjpp.exec:\vpjpp.exe57⤵
- Executes dropped EXE
PID:3352 -
\??\c:\7rlllrr.exec:\7rlllrr.exe58⤵
- Executes dropped EXE
PID:2736 -
\??\c:\9tbtnn.exec:\9tbtnn.exe59⤵
- Executes dropped EXE
PID:3036 -
\??\c:\jjvpv.exec:\jjvpv.exe60⤵
- Executes dropped EXE
PID:1120 -
\??\c:\dvjvp.exec:\dvjvp.exe61⤵
- Executes dropped EXE
PID:4436 -
\??\c:\lflrfff.exec:\lflrfff.exe62⤵
- Executes dropped EXE
PID:2524 -
\??\c:\tttttt.exec:\tttttt.exe63⤵
- Executes dropped EXE
PID:2472 -
\??\c:\btbttt.exec:\btbttt.exe64⤵
- Executes dropped EXE
PID:4632 -
\??\c:\pjjdv.exec:\pjjdv.exe65⤵
- Executes dropped EXE
PID:1796 -
\??\c:\jdpjd.exec:\jdpjd.exe66⤵
- Executes dropped EXE
PID:3552 -
\??\c:\xfflxxx.exec:\xfflxxx.exe67⤵PID:116
-
\??\c:\3tbttn.exec:\3tbttn.exe68⤵PID:1176
-
\??\c:\nbttht.exec:\nbttht.exe69⤵PID:2248
-
\??\c:\jdjdj.exec:\jdjdj.exe70⤵PID:2440
-
\??\c:\rlllffx.exec:\rlllffx.exe71⤵PID:3292
-
\??\c:\7xffxfx.exec:\7xffxfx.exe72⤵PID:4500
-
\??\c:\nhbttn.exec:\nhbttn.exe73⤵PID:3276
-
\??\c:\jpvvp.exec:\jpvvp.exe74⤵PID:3960
-
\??\c:\5jjdd.exec:\5jjdd.exe75⤵PID:3668
-
\??\c:\3lrlllr.exec:\3lrlllr.exe76⤵PID:3632
-
\??\c:\3httnt.exec:\3httnt.exe77⤵PID:1224
-
\??\c:\7hhhbh.exec:\7hhhbh.exe78⤵PID:1912
-
\??\c:\pjjjd.exec:\pjjjd.exe79⤵PID:1728
-
\??\c:\dvjdd.exec:\dvjdd.exe80⤵PID:4884
-
\??\c:\9lffxfx.exec:\9lffxfx.exe81⤵PID:2212
-
\??\c:\lxffxfx.exec:\lxffxfx.exe82⤵PID:4708
-
\??\c:\bthnhn.exec:\bthnhn.exe83⤵PID:1864
-
\??\c:\frrlfff.exec:\frrlfff.exe84⤵PID:4328
-
\??\c:\flrlfff.exec:\flrlfff.exe85⤵PID:2732
-
\??\c:\btntnh.exec:\btntnh.exe86⤵PID:2388
-
\??\c:\5djdd.exec:\5djdd.exe87⤵PID:4920
-
\??\c:\9vddj.exec:\9vddj.exe88⤵PID:3844
-
\??\c:\xlllfff.exec:\xlllfff.exe89⤵PID:4844
-
\??\c:\rlrrxfl.exec:\rlrrxfl.exe90⤵PID:1596
-
\??\c:\ttttbb.exec:\ttttbb.exe91⤵PID:1808
-
\??\c:\tnhtnh.exec:\tnhtnh.exe92⤵PID:2476
-
\??\c:\vpdvd.exec:\vpdvd.exe93⤵PID:4444
-
\??\c:\3vdpj.exec:\3vdpj.exe94⤵PID:4400
-
\??\c:\rrxxllx.exec:\rrxxllx.exe95⤵PID:924
-
\??\c:\9nbbtt.exec:\9nbbtt.exe96⤵PID:2944
-
\??\c:\hbbtnh.exec:\hbbtnh.exe97⤵PID:1096
-
\??\c:\jdjpp.exec:\jdjpp.exe98⤵PID:64
-
\??\c:\xxlllrr.exec:\xxlllrr.exe99⤵PID:4064
-
\??\c:\rlrllxx.exec:\rlrllxx.exe100⤵PID:100
-
\??\c:\dddvp.exec:\dddvp.exe101⤵PID:2848
-
\??\c:\xrlfrxr.exec:\xrlfrxr.exe102⤵PID:4416
-
\??\c:\nnbbhh.exec:\nnbbhh.exe103⤵PID:2032
-
\??\c:\bbttbn.exec:\bbttbn.exe104⤵PID:3932
-
\??\c:\pjvpj.exec:\pjvpj.exe105⤵PID:4368
-
\??\c:\fflfffx.exec:\fflfffx.exe106⤵PID:4132
-
\??\c:\5hhbtb.exec:\5hhbtb.exe107⤵PID:1904
-
\??\c:\ttbtnn.exec:\ttbtnn.exe108⤵PID:1876
-
\??\c:\pddjd.exec:\pddjd.exe109⤵PID:2780
-
\??\c:\vjdvp.exec:\vjdvp.exe110⤵PID:212
-
\??\c:\llxrlll.exec:\llxrlll.exe111⤵PID:2052
-
\??\c:\lrrllrl.exec:\lrrllrl.exe112⤵PID:1640
-
\??\c:\nhbtbb.exec:\nhbtbb.exe113⤵PID:1600
-
\??\c:\ddvdv.exec:\ddvdv.exe114⤵PID:4876
-
\??\c:\xlrlfxx.exec:\xlrlfxx.exe115⤵PID:2200
-
\??\c:\lfrfllr.exec:\lfrfllr.exe116⤵PID:2372
-
\??\c:\nbnhhn.exec:\nbnhhn.exe117⤵PID:4300
-
\??\c:\9vvvp.exec:\9vvvp.exe118⤵PID:1972
-
\??\c:\rrxxlrr.exec:\rrxxlrr.exe119⤵PID:3464
-
\??\c:\xrffflr.exec:\xrffflr.exe120⤵PID:5040
-
\??\c:\nhbttb.exec:\nhbttb.exe121⤵PID:380
-
\??\c:\nntnhh.exec:\nntnhh.exe122⤵PID:2604