Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 19:31
Behavioral task
behavioral1
Sample
fd515df48333b61e1c5654b37577276bb0e3f608cf27e1313ba8ae8433040fbf.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
fd515df48333b61e1c5654b37577276bb0e3f608cf27e1313ba8ae8433040fbf.exe
-
Size
70KB
-
MD5
3f3695f7514ba291fdaa2a70b3e37db7
-
SHA1
55a26f1a7283d5fef987987e368ea9edfbee2590
-
SHA256
fd515df48333b61e1c5654b37577276bb0e3f608cf27e1313ba8ae8433040fbf
-
SHA512
0a202da9cf109d85d52d414cc41697bf912bd3361c00041078f3526579485105a8bb469f5a1882cbe3515ae229e3868242194b74886fa00699e6d4b58dcd2c36
-
SSDEEP
1536:0vQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7qQhtr+mCaWVzC:0hOmTsF93UYfwC6GIoutX8hUDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1788-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3780-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2036-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2224-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2724-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2476-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1808-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4284-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1676-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3380-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1816-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1256-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/956-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1640-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3096-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-536-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-607-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-626-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-702-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-718-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-767-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-861-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-1081-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-1779-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-1859-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1824 xlffxxx.exe 4272 9bnnhb.exe 1580 tnnnbb.exe 4996 dvvvv.exe 3780 xrrllff.exe 3488 nhnnnn.exe 1264 tthhnb.exe 5068 dvpjd.exe 4312 xfrlfff.exe 1432 3hbbbb.exe 1724 hbtnnn.exe 2036 jpdpj.exe 2224 rrllrrr.exe 2556 xrfflll.exe 4044 htttnn.exe 2724 nhnhbb.exe 2476 vvdpv.exe 1808 vjjjd.exe 3412 9xrxrrr.exe 768 fxflrrf.exe 2308 tttnnn.exe 4592 dpdvp.exe 4004 lfxxxxx.exe 4548 fxffxxx.exe 548 5nbtbb.exe 3620 jdvpj.exe 4928 xlrrllr.exe 3968 bnnnnn.exe 4284 jvpjd.exe 1676 rrlxllf.exe 2676 flrxxff.exe 4820 bnnnhh.exe 3380 vvppd.exe 4644 fxxrrrl.exe 1368 flxxxxr.exe 1816 xrffrrr.exe 4704 tnttbb.exe 1860 djjdd.exe 3664 jdjdj.exe 736 lrxrffx.exe 1484 tntntt.exe 4460 nntnhh.exe 324 jdppj.exe 3212 fxrlxrl.exe 2600 xlrxxfx.exe 1748 9hbbbb.exe 4344 1hbtnn.exe 1256 jvvvp.exe 1708 lfffxxr.exe 956 frfxrrl.exe 4472 tnnhhh.exe 1788 dvvjp.exe 4564 7lxxlll.exe 1640 9lrrlrr.exe 32 httttt.exe 1360 5vvpj.exe 4996 7vjdj.exe 2332 llffxff.exe 4292 rflffrr.exe 3488 nbbbtb.exe 3812 bbhbnt.exe 4800 lrfxrrl.exe 3368 tntttt.exe 4148 bnnhbb.exe -
resource yara_rule behavioral2/memory/1788-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1788-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c9a-6.dat upx behavioral2/memory/1824-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1824-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9e-13.dat upx behavioral2/files/0x0007000000023ca2-14.dat upx behavioral2/memory/4272-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-22.dat upx behavioral2/files/0x0007000000023ca4-27.dat upx behavioral2/memory/4996-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3780-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-36.dat upx behavioral2/files/0x0007000000023ca6-39.dat upx behavioral2/files/0x0007000000023ca7-44.dat upx behavioral2/memory/1264-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5068-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-53.dat upx behavioral2/files/0x0007000000023ca9-56.dat upx behavioral2/memory/4312-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-61.dat upx behavioral2/memory/1432-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-69.dat upx behavioral2/memory/2036-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-73.dat upx behavioral2/memory/2224-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-79.dat upx behavioral2/memory/2556-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-86.dat upx behavioral2/files/0x0007000000023cb0-90.dat upx behavioral2/files/0x0007000000023cb1-95.dat upx 
behavioral2/memory/2724-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-101.dat upx behavioral2/memory/2476-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1808-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-108.dat upx behavioral2/memory/3412-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-114.dat upx behavioral2/files/0x0007000000023cb5-119.dat upx behavioral2/files/0x0007000000023cb6-124.dat upx behavioral2/files/0x0007000000023cb7-129.dat upx behavioral2/files/0x0007000000023cb8-134.dat upx behavioral2/files/0x0007000000023cb9-139.dat upx behavioral2/memory/4548-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/548-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-147.dat upx behavioral2/files/0x0007000000023cbb-150.dat upx behavioral2/memory/3620-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-159.dat upx behavioral2/memory/4928-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3968-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-164.dat upx behavioral2/files/0x0007000000023cbe-169.dat upx behavioral2/memory/4284-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1676-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9f-176.dat upx behavioral2/files/0x0007000000023cbf-181.dat upx behavioral2/memory/2676-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4820-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3380-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1368-198-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4704-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1816-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1860-210-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1788 wrote to memory of 1824 1788 fd515df48333b61e1c5654b37577276bb0e3f608cf27e1313ba8ae8433040fbf.exe 83 PID 1788 wrote to memory of 1824 1788 fd515df48333b61e1c5654b37577276bb0e3f608cf27e1313ba8ae8433040fbf.exe 83 PID 1788 wrote to memory of 1824 1788 fd515df48333b61e1c5654b37577276bb0e3f608cf27e1313ba8ae8433040fbf.exe 83 PID 1824 wrote to memory of 4272 1824 xlffxxx.exe 84 PID 1824 wrote to memory of 4272 1824 xlffxxx.exe 84 PID 1824 wrote to memory of 4272 1824 xlffxxx.exe 84 PID 4272 wrote to memory of 1580 4272 9bnnhb.exe 85 PID 4272 wrote to memory of 1580 4272 9bnnhb.exe 85 PID 4272 wrote to memory of 1580 4272 9bnnhb.exe 85 PID 1580 wrote to memory of 4996 1580 tnnnbb.exe 86 PID 1580 wrote to memory of 4996 1580 tnnnbb.exe 86 PID 1580 wrote to memory of 4996 1580 tnnnbb.exe 86 PID 4996 wrote to memory of 3780 4996 dvvvv.exe 87 PID 4996 wrote to memory of 3780 4996 dvvvv.exe 87 PID 4996 wrote to memory of 3780 4996 dvvvv.exe 87 PID 3780 wrote to memory of 3488 3780 xrrllff.exe 88 PID 3780 wrote to memory of 3488 3780 xrrllff.exe 88 PID 3780 wrote to memory of 3488 3780 xrrllff.exe 88 PID 3488 wrote to memory of 1264 3488 nhnnnn.exe 89 PID 3488 wrote to memory of 1264 3488 nhnnnn.exe 89 PID 3488 wrote to memory of 1264 3488 nhnnnn.exe 89 PID 1264 wrote to memory of 5068 1264 tthhnb.exe 90 PID 1264 wrote to memory of 5068 1264 tthhnb.exe 90 PID 1264 wrote to memory of 5068 1264 tthhnb.exe 90 PID 5068 wrote to memory of 4312 5068 dvpjd.exe 91 PID 5068 wrote to memory of 4312 5068 dvpjd.exe 91 PID 5068 wrote to memory of 4312 5068 dvpjd.exe 91 PID 4312 wrote to memory of 1432 4312 xfrlfff.exe 92 PID 4312 wrote to memory of 1432 4312 xfrlfff.exe 92 PID 4312 wrote to memory of 1432 4312 xfrlfff.exe 92 PID 1432 wrote to memory of 1724 1432 3hbbbb.exe 93 PID 1432 wrote to memory of 1724 1432 3hbbbb.exe 93 PID 1432 wrote to memory of 1724 1432 3hbbbb.exe 93 PID 1724 wrote to memory of 2036 1724 hbtnnn.exe 94 PID 1724 wrote 
to memory of 2036 1724 hbtnnn.exe 94 PID 1724 wrote to memory of 2036 1724 hbtnnn.exe 94 PID 2036 wrote to memory of 2224 2036 jpdpj.exe 95 PID 2036 wrote to memory of 2224 2036 jpdpj.exe 95 PID 2036 wrote to memory of 2224 2036 jpdpj.exe 95 PID 2224 wrote to memory of 2556 2224 rrllrrr.exe 96 PID 2224 wrote to memory of 2556 2224 rrllrrr.exe 96 PID 2224 wrote to memory of 2556 2224 rrllrrr.exe 96 PID 2556 wrote to memory of 4044 2556 xrfflll.exe 97 PID 2556 wrote to memory of 4044 2556 xrfflll.exe 97 PID 2556 wrote to memory of 4044 2556 xrfflll.exe 97 PID 4044 wrote to memory of 2724 4044 htttnn.exe 98 PID 4044 wrote to memory of 2724 4044 htttnn.exe 98 PID 4044 wrote to memory of 2724 4044 htttnn.exe 98 PID 2724 wrote to memory of 2476 2724 nhnhbb.exe 99 PID 2724 wrote to memory of 2476 2724 nhnhbb.exe 99 PID 2724 wrote to memory of 2476 2724 nhnhbb.exe 99 PID 2476 wrote to memory of 1808 2476 vvdpv.exe 100 PID 2476 wrote to memory of 1808 2476 vvdpv.exe 100 PID 2476 wrote to memory of 1808 2476 vvdpv.exe 100 PID 1808 wrote to memory of 3412 1808 vjjjd.exe 101 PID 1808 wrote to memory of 3412 1808 vjjjd.exe 101 PID 1808 wrote to memory of 3412 1808 vjjjd.exe 101 PID 3412 wrote to memory of 768 3412 9xrxrrr.exe 102 PID 3412 wrote to memory of 768 3412 9xrxrrr.exe 102 PID 3412 wrote to memory of 768 3412 9xrxrrr.exe 102 PID 768 wrote to memory of 2308 768 fxflrrf.exe 103 PID 768 wrote to memory of 2308 768 fxflrrf.exe 103 PID 768 wrote to memory of 2308 768 fxflrrf.exe 103 PID 2308 wrote to memory of 4592 2308 tttnnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd515df48333b61e1c5654b37577276bb0e3f608cf27e1313ba8ae8433040fbf.exe"C:\Users\Admin\AppData\Local\Temp\fd515df48333b61e1c5654b37577276bb0e3f608cf27e1313ba8ae8433040fbf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\xlffxxx.exec:\xlffxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\9bnnhb.exec:\9bnnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\tnnnbb.exec:\tnnnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\dvvvv.exec:\dvvvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\xrrllff.exec:\xrrllff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\nhnnnn.exec:\nhnnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\tthhnb.exec:\tthhnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\dvpjd.exec:\dvpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\xfrlfff.exec:\xfrlfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\3hbbbb.exec:\3hbbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\hbtnnn.exec:\hbtnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\jpdpj.exec:\jpdpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\rrllrrr.exec:\rrllrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\xrfflll.exec:\xrfflll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\htttnn.exec:\htttnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\nhnhbb.exec:\nhnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\vvdpv.exec:\vvdpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\vjjjd.exec:\vjjjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\9xrxrrr.exec:\9xrxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\fxflrrf.exec:\fxflrrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\tttnnn.exec:\tttnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\dpdvp.exec:\dpdvp.exe23⤵
- Executes dropped EXE
PID:4592 -
\??\c:\lfxxxxx.exec:\lfxxxxx.exe24⤵
- Executes dropped EXE
PID:4004 -
\??\c:\fxffxxx.exec:\fxffxxx.exe25⤵
- Executes dropped EXE
PID:4548 -
\??\c:\5nbtbb.exec:\5nbtbb.exe26⤵
- Executes dropped EXE
PID:548 -
\??\c:\jdvpj.exec:\jdvpj.exe27⤵
- Executes dropped EXE
PID:3620 -
\??\c:\xlrrllr.exec:\xlrrllr.exe28⤵
- Executes dropped EXE
PID:4928 -
\??\c:\bnnnnn.exec:\bnnnnn.exe29⤵
- Executes dropped EXE
PID:3968 -
\??\c:\jvpjd.exec:\jvpjd.exe30⤵
- Executes dropped EXE
PID:4284 -
\??\c:\rrlxllf.exec:\rrlxllf.exe31⤵
- Executes dropped EXE
PID:1676 -
\??\c:\flrxxff.exec:\flrxxff.exe32⤵
- Executes dropped EXE
PID:2676 -
\??\c:\bnnnhh.exec:\bnnnhh.exe33⤵
- Executes dropped EXE
PID:4820 -
\??\c:\vvppd.exec:\vvppd.exe34⤵
- Executes dropped EXE
PID:3380 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe35⤵
- Executes dropped EXE
PID:4644 -
\??\c:\flxxxxr.exec:\flxxxxr.exe36⤵
- Executes dropped EXE
PID:1368 -
\??\c:\xrffrrr.exec:\xrffrrr.exe37⤵
- Executes dropped EXE
PID:1816 -
\??\c:\tnttbb.exec:\tnttbb.exe38⤵
- Executes dropped EXE
PID:4704 -
\??\c:\djjdd.exec:\djjdd.exe39⤵
- Executes dropped EXE
PID:1860 -
\??\c:\jdjdj.exec:\jdjdj.exe40⤵
- Executes dropped EXE
PID:3664 -
\??\c:\lrxrffx.exec:\lrxrffx.exe41⤵
- Executes dropped EXE
PID:736 -
\??\c:\tntntt.exec:\tntntt.exe42⤵
- Executes dropped EXE
PID:1484 -
\??\c:\nntnhh.exec:\nntnhh.exe43⤵
- Executes dropped EXE
PID:4460 -
\??\c:\jdppj.exec:\jdppj.exe44⤵
- Executes dropped EXE
PID:324 -
\??\c:\fxrlxrl.exec:\fxrlxrl.exe45⤵
- Executes dropped EXE
PID:3212 -
\??\c:\xlrxxfx.exec:\xlrxxfx.exe46⤵
- Executes dropped EXE
PID:2600 -
\??\c:\9hbbbb.exec:\9hbbbb.exe47⤵
- Executes dropped EXE
PID:1748 -
\??\c:\1hbtnn.exec:\1hbtnn.exe48⤵
- Executes dropped EXE
PID:4344 -
\??\c:\jvvvp.exec:\jvvvp.exe49⤵
- Executes dropped EXE
PID:1256 -
\??\c:\lfffxxr.exec:\lfffxxr.exe50⤵
- Executes dropped EXE
PID:1708 -
\??\c:\frfxrrl.exec:\frfxrrl.exe51⤵
- Executes dropped EXE
PID:956 -
\??\c:\tnnhhh.exec:\tnnhhh.exe52⤵
- Executes dropped EXE
PID:4472 -
\??\c:\dvvjp.exec:\dvvjp.exe53⤵
- Executes dropped EXE
PID:1788 -
\??\c:\7lxxlll.exec:\7lxxlll.exe54⤵
- Executes dropped EXE
PID:4564 -
\??\c:\9lrrlrr.exec:\9lrrlrr.exe55⤵
- Executes dropped EXE
PID:1640 -
\??\c:\httttt.exec:\httttt.exe56⤵
- Executes dropped EXE
PID:32 -
\??\c:\5vvpj.exec:\5vvpj.exe57⤵
- Executes dropped EXE
PID:1360 -
\??\c:\7vjdj.exec:\7vjdj.exe58⤵
- Executes dropped EXE
PID:4996 -
\??\c:\llffxff.exec:\llffxff.exe59⤵
- Executes dropped EXE
PID:2332 -
\??\c:\rflffrr.exec:\rflffrr.exe60⤵
- Executes dropped EXE
PID:4292 -
\??\c:\nbbbtb.exec:\nbbbtb.exe61⤵
- Executes dropped EXE
PID:3488 -
\??\c:\bbhbnt.exec:\bbhbnt.exe62⤵
- Executes dropped EXE
PID:3812 -
\??\c:\lrfxrrl.exec:\lrfxrrl.exe63⤵
- Executes dropped EXE
PID:4800 -
\??\c:\tntttt.exec:\tntttt.exe64⤵
- Executes dropped EXE
PID:3368 -
\??\c:\bnnhbb.exec:\bnnhbb.exe65⤵
- Executes dropped EXE
PID:4148 -
\??\c:\9jvvj.exec:\9jvvj.exe66⤵PID:3120
-
\??\c:\rfxxrrr.exec:\rfxxrrr.exe67⤵PID:3016
-
\??\c:\1xlfxxx.exec:\1xlfxxx.exe68⤵PID:1424
-
\??\c:\rlrllll.exec:\rlrllll.exe69⤵PID:3032
-
\??\c:\thhhbb.exec:\thhhbb.exe70⤵PID:1240
-
\??\c:\dvvpj.exec:\dvvpj.exe71⤵PID:2224
-
\??\c:\vdjjd.exec:\vdjjd.exe72⤵PID:3096
-
\??\c:\frllxff.exec:\frllxff.exe73⤵PID:4488
-
\??\c:\bnnnhn.exec:\bnnnhn.exe74⤵PID:4368
-
\??\c:\pddpj.exec:\pddpj.exe75⤵PID:3984
-
\??\c:\jddvv.exec:\jddvv.exe76⤵PID:2476
-
\??\c:\frrlfrr.exec:\frrlfrr.exe77⤵PID:2132
-
\??\c:\3tbbtn.exec:\3tbbtn.exe78⤵PID:2492
-
\??\c:\bnthnn.exec:\bnthnn.exe79⤵PID:1628
-
\??\c:\xxrlffx.exec:\xxrlffx.exe80⤵PID:2296
-
\??\c:\nhnnth.exec:\nhnnth.exe81⤵PID:1268
-
\??\c:\vdddj.exec:\vdddj.exe82⤵PID:4676
-
\??\c:\lffxxxx.exec:\lffxxxx.exe83⤵PID:216
-
\??\c:\xfllflf.exec:\xfllflf.exe84⤵PID:540
-
\??\c:\hhbbbb.exec:\hhbbbb.exe85⤵PID:3500
-
\??\c:\3jppj.exec:\3jppj.exe86⤵PID:876
-
\??\c:\ddppp.exec:\ddppp.exe87⤵PID:3620
-
\??\c:\rfllxxx.exec:\rfllxxx.exe88⤵PID:3704
-
\??\c:\hbhhbb.exec:\hbhhbb.exe89⤵PID:4688
-
\??\c:\7jppd.exec:\7jppd.exe90⤵PID:4260
-
\??\c:\ppppd.exec:\ppppd.exe91⤵PID:4580
-
\??\c:\xxxlfxl.exec:\xxxlfxl.exe92⤵PID:880
-
\??\c:\hbnbnh.exec:\hbnbnh.exe93⤵PID:3964
-
\??\c:\ddjdj.exec:\ddjdj.exe94⤵PID:4516
-
\??\c:\xxllfff.exec:\xxllfff.exe95⤵PID:1312
-
\??\c:\flllxxr.exec:\flllxxr.exe96⤵PID:1460
-
\??\c:\tnbbtn.exec:\tnbbtn.exe97⤵PID:4632
-
\??\c:\pjdvp.exec:\pjdvp.exe98⤵PID:4492
-
\??\c:\9rxrrrr.exec:\9rxrrrr.exe99⤵PID:2696
-
\??\c:\nbbtnn.exec:\nbbtnn.exe100⤵PID:3124
-
\??\c:\9thhbb.exec:\9thhbb.exe101⤵PID:4980
-
\??\c:\dpjdv.exec:\dpjdv.exe102⤵PID:3216
-
\??\c:\pvpjp.exec:\pvpjp.exe103⤵PID:4440
-
\??\c:\pdvpj.exec:\pdvpj.exe104⤵PID:3628
-
\??\c:\fxrlffx.exec:\fxrlffx.exe105⤵PID:2680
-
\??\c:\fflfxlf.exec:\fflfxlf.exe106⤵PID:2392
-
\??\c:\bttnnn.exec:\bttnnn.exe107⤵PID:2368
-
\??\c:\5ddvj.exec:\5ddvj.exe108⤵PID:1872
-
\??\c:\ppjjp.exec:\ppjjp.exe109⤵PID:3548
-
\??\c:\rllfrlf.exec:\rllfrlf.exe110⤵PID:3696
-
\??\c:\rlxrrlf.exec:\rlxrrlf.exe111⤵PID:4224
-
\??\c:\tbbhhh.exec:\tbbhhh.exe112⤵PID:3940
-
\??\c:\ntbtht.exec:\ntbtht.exe113⤵PID:5056
-
\??\c:\dppdv.exec:\dppdv.exe114⤵PID:4908
-
\??\c:\7lffxxr.exec:\7lffxxr.exe115⤵PID:4864
-
\??\c:\lrrrlfl.exec:\lrrrlfl.exe116⤵PID:1156
-
\??\c:\tnnntn.exec:\tnnntn.exe117⤵PID:4596
-
\??\c:\hbbttn.exec:\hbbttn.exe118⤵PID:1264
-
\??\c:\vjpjv.exec:\vjpjv.exe119⤵PID:8
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe120⤵PID:2252
-
\??\c:\fllrllf.exec:\fllrllf.exe121⤵PID:4168
-
\??\c:\1hntnn.exec:\1hntnn.exe122⤵PID:1564