Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 04:13
Behavioral task
behavioral1
Sample
1e8bee5220906b2ff8c01eeaa81e03eac5d9e8facf3476cce8ef96a0c3ddb110N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1e8bee5220906b2ff8c01eeaa81e03eac5d9e8facf3476cce8ef96a0c3ddb110N.exe
-
Size
345KB
-
MD5
40c5794c0c34e8a9ea2f5836a729cf10
-
SHA1
55fe43f99ae35c6e5758b5ab8e95b49981dcaa38
-
SHA256
1e8bee5220906b2ff8c01eeaa81e03eac5d9e8facf3476cce8ef96a0c3ddb110
-
SHA512
de433faec03c0a857ebe1e4e76dd387e80fd6177db2d40acf22d6b57c32a185a14deb4cf45812e60ac76ab245c4579625911b4a7213115a475fecd3a3864045d
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAi:R4wFHoS3WXZshJX2VGdi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3316-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/712-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1788-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2032-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3004-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2992-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/376-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2524-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/772-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2308-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3492-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4128-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2640-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4012-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2688-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2996-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2548-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/740-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2836-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3572-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4548-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1552-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2724-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3404-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2264-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-466-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-471-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2872-508-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2032-1090-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2156-1218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-1274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4404-1299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 224 nbhhhb.exe 712 5rllrrr.exe 3376 7jvjp.exe 1424 7lrllll.exe 4192 ddddd.exe 1788 1xfxffr.exe 1408 9ttbtb.exe 3700 3rrllff.exe 3404 bnttnt.exe 2032 pjvvp.exe 3004 lxxfxrx.exe 2208 dppjd.exe 4304 xflxrlx.exe 4940 dvddj.exe 4580 rllfrrr.exe 396 xxrrrrr.exe 5072 9hnntt.exe 4636 bhhhbb.exe 404 vjvpj.exe 2992 xrxfxxx.exe 4612 nhntth.exe 4224 vvvpj.exe 1232 jdvvd.exe 5024 xrrxrll.exe 376 tntttt.exe 4652 5jpjv.exe 1844 ddddv.exe 2524 9xfxlxx.exe 772 xxlfffx.exe 2308 lffxrrl.exe 1960 btnnhh.exe 2444 dvpjd.exe 3492 fllfxxf.exe 3336 nbhtnb.exe 4056 tnnhnn.exe 4524 jjpjj.exe 1972 ffxrlfx.exe 4128 1hhbtt.exe 808 djppj.exe 3044 3xfxfff.exe 392 3nhnhh.exe 1328 rxxxrxx.exe 1672 hhtnnn.exe 5100 5lrrffl.exe 4792 vvvpd.exe 1000 vjjvd.exe 4868 rxllflf.exe 936 bttnbt.exe 2648 bbtbtb.exe 992 jpjvp.exe 4424 fxxlxrf.exe 4012 hbbbbt.exe 2688 hbhbbb.exe 1484 9djdv.exe 3008 7xxfrrl.exe 4512 rlrrlll.exe 2828 hbhhnn.exe 2600 5jjvj.exe 3700 jjvvv.exe 4064 xlllrrl.exe 3948 nnnhbt.exe 1492 hnnhtt.exe 1924 vpvpj.exe 2424 rxrllfx.exe -
resource yara_rule behavioral2/memory/3316-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c6d-3.dat upx behavioral2/memory/3316-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c71-9.dat upx behavioral2/memory/224-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c72-11.dat upx behavioral2/memory/712-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c73-18.dat upx behavioral2/memory/3376-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c74-23.dat upx behavioral2/memory/4192-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1424-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c75-29.dat upx behavioral2/files/0x0007000000023c76-33.dat upx behavioral2/memory/1788-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c77-39.dat upx behavioral2/memory/1408-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c78-43.dat upx behavioral2/memory/3700-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c79-48.dat upx behavioral2/files/0x0007000000023c7a-52.dat upx behavioral2/memory/2032-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7b-57.dat upx behavioral2/memory/3004-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7c-62.dat upx behavioral2/memory/2208-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7d-66.dat upx behavioral2/memory/4304-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-72.dat upx behavioral2/memory/4940-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-77.dat upx 
behavioral2/files/0x0007000000023c80-82.dat upx behavioral2/memory/4580-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5072-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c81-87.dat upx behavioral2/memory/4636-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c6e-93.dat upx behavioral2/memory/404-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c82-98.dat upx behavioral2/memory/2992-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c84-102.dat upx behavioral2/files/0x0007000000023c85-107.dat upx behavioral2/memory/4224-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c86-112.dat upx behavioral2/files/0x0007000000023c87-115.dat upx behavioral2/memory/376-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c89-125.dat upx behavioral2/memory/4652-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-133.dat upx behavioral2/memory/2524-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8c-139.dat upx behavioral2/memory/772-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-130.dat upx behavioral2/files/0x0007000000023c88-120.dat upx behavioral2/files/0x0007000000023c8d-144.dat upx behavioral2/files/0x0007000000023c8e-147.dat upx behavioral2/memory/2308-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8f-152.dat upx behavioral2/memory/1960-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3492-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3336-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1972-169-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4128-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2640-183-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3316 wrote to memory of 224 3316 1e8bee5220906b2ff8c01eeaa81e03eac5d9e8facf3476cce8ef96a0c3ddb110N.exe 84 PID 3316 wrote to memory of 224 3316 1e8bee5220906b2ff8c01eeaa81e03eac5d9e8facf3476cce8ef96a0c3ddb110N.exe 84 PID 3316 wrote to memory of 224 3316 1e8bee5220906b2ff8c01eeaa81e03eac5d9e8facf3476cce8ef96a0c3ddb110N.exe 84 PID 224 wrote to memory of 712 224 nbhhhb.exe 85 PID 224 wrote to memory of 712 224 nbhhhb.exe 85 PID 224 wrote to memory of 712 224 nbhhhb.exe 85 PID 712 wrote to memory of 3376 712 5rllrrr.exe 86 PID 712 wrote to memory of 3376 712 5rllrrr.exe 86 PID 712 wrote to memory of 3376 712 5rllrrr.exe 86 PID 3376 wrote to memory of 1424 3376 7jvjp.exe 87 PID 3376 wrote to memory of 1424 3376 7jvjp.exe 87 PID 3376 wrote to memory of 1424 3376 7jvjp.exe 87 PID 1424 wrote to memory of 4192 1424 7lrllll.exe 88 PID 1424 wrote to memory of 4192 1424 7lrllll.exe 88 PID 1424 wrote to memory of 4192 1424 7lrllll.exe 88 PID 4192 wrote to memory of 1788 4192 ddddd.exe 89 PID 4192 wrote to memory of 1788 4192 ddddd.exe 89 PID 4192 wrote to memory of 1788 4192 ddddd.exe 89 PID 1788 wrote to memory of 1408 1788 1xfxffr.exe 90 PID 1788 wrote to memory of 1408 1788 1xfxffr.exe 90 PID 1788 wrote to memory of 1408 1788 1xfxffr.exe 90 PID 1408 wrote to memory of 3700 1408 9ttbtb.exe 91 PID 1408 wrote to memory of 3700 1408 9ttbtb.exe 91 PID 1408 wrote to memory of 3700 1408 9ttbtb.exe 91 PID 3700 wrote to memory of 3404 3700 3rrllff.exe 92 PID 3700 wrote to memory of 3404 3700 3rrllff.exe 92 PID 3700 wrote to memory of 3404 3700 3rrllff.exe 92 PID 3404 wrote to memory of 2032 3404 bnttnt.exe 93 PID 3404 wrote to memory of 2032 3404 bnttnt.exe 93 PID 3404 wrote to memory of 2032 3404 bnttnt.exe 93 PID 2032 wrote to memory of 3004 2032 pjvvp.exe 94 PID 2032 wrote to memory of 3004 2032 pjvvp.exe 94 PID 2032 wrote to memory of 3004 2032 pjvvp.exe 94 PID 3004 wrote to memory of 2208 3004 lxxfxrx.exe 95 PID 3004 wrote to memory of 
2208 3004 lxxfxrx.exe 95 PID 3004 wrote to memory of 2208 3004 lxxfxrx.exe 95 PID 2208 wrote to memory of 4304 2208 dppjd.exe 96 PID 2208 wrote to memory of 4304 2208 dppjd.exe 96 PID 2208 wrote to memory of 4304 2208 dppjd.exe 96 PID 4304 wrote to memory of 4940 4304 xflxrlx.exe 97 PID 4304 wrote to memory of 4940 4304 xflxrlx.exe 97 PID 4304 wrote to memory of 4940 4304 xflxrlx.exe 97 PID 4940 wrote to memory of 4580 4940 dvddj.exe 98 PID 4940 wrote to memory of 4580 4940 dvddj.exe 98 PID 4940 wrote to memory of 4580 4940 dvddj.exe 98 PID 4580 wrote to memory of 396 4580 rllfrrr.exe 99 PID 4580 wrote to memory of 396 4580 rllfrrr.exe 99 PID 4580 wrote to memory of 396 4580 rllfrrr.exe 99 PID 396 wrote to memory of 5072 396 xxrrrrr.exe 100 PID 396 wrote to memory of 5072 396 xxrrrrr.exe 100 PID 396 wrote to memory of 5072 396 xxrrrrr.exe 100 PID 5072 wrote to memory of 4636 5072 9hnntt.exe 101 PID 5072 wrote to memory of 4636 5072 9hnntt.exe 101 PID 5072 wrote to memory of 4636 5072 9hnntt.exe 101 PID 4636 wrote to memory of 404 4636 bhhhbb.exe 102 PID 4636 wrote to memory of 404 4636 bhhhbb.exe 102 PID 4636 wrote to memory of 404 4636 bhhhbb.exe 102 PID 404 wrote to memory of 2992 404 vjvpj.exe 103 PID 404 wrote to memory of 2992 404 vjvpj.exe 103 PID 404 wrote to memory of 2992 404 vjvpj.exe 103 PID 2992 wrote to memory of 4612 2992 xrxfxxx.exe 104 PID 2992 wrote to memory of 4612 2992 xrxfxxx.exe 104 PID 2992 wrote to memory of 4612 2992 xrxfxxx.exe 104 PID 4612 wrote to memory of 4224 4612 nhntth.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e8bee5220906b2ff8c01eeaa81e03eac5d9e8facf3476cce8ef96a0c3ddb110N.exe"C:\Users\Admin\AppData\Local\Temp\1e8bee5220906b2ff8c01eeaa81e03eac5d9e8facf3476cce8ef96a0c3ddb110N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\nbhhhb.exec:\nbhhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\5rllrrr.exec:\5rllrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\7jvjp.exec:\7jvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\7lrllll.exec:\7lrllll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\ddddd.exec:\ddddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\1xfxffr.exec:\1xfxffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\9ttbtb.exec:\9ttbtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\3rrllff.exec:\3rrllff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\bnttnt.exec:\bnttnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\pjvvp.exec:\pjvvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\lxxfxrx.exec:\lxxfxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\dppjd.exec:\dppjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\xflxrlx.exec:\xflxrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\dvddj.exec:\dvddj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\rllfrrr.exec:\rllfrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\xxrrrrr.exec:\xxrrrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\9hnntt.exec:\9hnntt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\bhhhbb.exec:\bhhhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\vjvpj.exec:\vjvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\xrxfxxx.exec:\xrxfxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\nhntth.exec:\nhntth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\vvvpj.exec:\vvvpj.exe23⤵
- Executes dropped EXE
PID:4224 -
\??\c:\jdvvd.exec:\jdvvd.exe24⤵
- Executes dropped EXE
PID:1232 -
\??\c:\xrrxrll.exec:\xrrxrll.exe25⤵
- Executes dropped EXE
PID:5024 -
\??\c:\tntttt.exec:\tntttt.exe26⤵
- Executes dropped EXE
PID:376 -
\??\c:\5jpjv.exec:\5jpjv.exe27⤵
- Executes dropped EXE
PID:4652 -
\??\c:\ddddv.exec:\ddddv.exe28⤵
- Executes dropped EXE
PID:1844 -
\??\c:\9xfxlxx.exec:\9xfxlxx.exe29⤵
- Executes dropped EXE
PID:2524 -
\??\c:\xxlfffx.exec:\xxlfffx.exe30⤵
- Executes dropped EXE
PID:772 -
\??\c:\lffxrrl.exec:\lffxrrl.exe31⤵
- Executes dropped EXE
PID:2308 -
\??\c:\btnnhh.exec:\btnnhh.exe32⤵
- Executes dropped EXE
PID:1960 -
\??\c:\dvpjd.exec:\dvpjd.exe33⤵
- Executes dropped EXE
PID:2444 -
\??\c:\fllfxxf.exec:\fllfxxf.exe34⤵
- Executes dropped EXE
PID:3492 -
\??\c:\nbhtnb.exec:\nbhtnb.exe35⤵
- Executes dropped EXE
PID:3336 -
\??\c:\tnnhnn.exec:\tnnhnn.exe36⤵
- Executes dropped EXE
PID:4056 -
\??\c:\jjpjj.exec:\jjpjj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4524 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe38⤵
- Executes dropped EXE
PID:1972 -
\??\c:\1hhbtt.exec:\1hhbtt.exe39⤵
- Executes dropped EXE
PID:4128 -
\??\c:\djppj.exec:\djppj.exe40⤵
- Executes dropped EXE
PID:808 -
\??\c:\3xfxfff.exec:\3xfxfff.exe41⤵
- Executes dropped EXE
PID:3044 -
\??\c:\3nhnhh.exec:\3nhnhh.exe42⤵
- Executes dropped EXE
PID:392 -
\??\c:\rxxxrxx.exec:\rxxxrxx.exe43⤵
- Executes dropped EXE
PID:1328 -
\??\c:\hhtnnn.exec:\hhtnnn.exe44⤵
- Executes dropped EXE
PID:1672 -
\??\c:\xlxrrff.exec:\xlxrrff.exe45⤵PID:2640
-
\??\c:\5lrrffl.exec:\5lrrffl.exe46⤵
- Executes dropped EXE
PID:5100 -
\??\c:\vvvpd.exec:\vvvpd.exe47⤵
- Executes dropped EXE
PID:4792 -
\??\c:\vjjvd.exec:\vjjvd.exe48⤵
- Executes dropped EXE
PID:1000 -
\??\c:\rxllflf.exec:\rxllflf.exe49⤵
- Executes dropped EXE
PID:4868 -
\??\c:\bttnbt.exec:\bttnbt.exe50⤵
- Executes dropped EXE
PID:936 -
\??\c:\bbtbtb.exec:\bbtbtb.exe51⤵
- Executes dropped EXE
PID:2648 -
\??\c:\jpjvp.exec:\jpjvp.exe52⤵
- Executes dropped EXE
PID:992 -
\??\c:\fxxlxrf.exec:\fxxlxrf.exe53⤵
- Executes dropped EXE
PID:4424 -
\??\c:\hbbbbt.exec:\hbbbbt.exe54⤵
- Executes dropped EXE
PID:4012 -
\??\c:\hbhbbb.exec:\hbhbbb.exe55⤵
- Executes dropped EXE
PID:2688 -
\??\c:\9djdv.exec:\9djdv.exe56⤵
- Executes dropped EXE
PID:1484 -
\??\c:\7xxfrrl.exec:\7xxfrrl.exe57⤵
- Executes dropped EXE
PID:3008 -
\??\c:\rlrrlll.exec:\rlrrlll.exe58⤵
- Executes dropped EXE
PID:4512 -
\??\c:\hbhhnn.exec:\hbhhnn.exe59⤵
- Executes dropped EXE
PID:2828 -
\??\c:\5jjvj.exec:\5jjvj.exe60⤵
- Executes dropped EXE
PID:2600 -
\??\c:\jjvvv.exec:\jjvvv.exe61⤵
- Executes dropped EXE
PID:3700 -
\??\c:\xlllrrl.exec:\xlllrrl.exe62⤵
- Executes dropped EXE
PID:4064 -
\??\c:\nnnhbt.exec:\nnnhbt.exe63⤵
- Executes dropped EXE
PID:3948 -
\??\c:\hnnhtt.exec:\hnnhtt.exe64⤵
- Executes dropped EXE
PID:1492 -
\??\c:\vpvpj.exec:\vpvpj.exe65⤵
- Executes dropped EXE
PID:1924 -
\??\c:\rxrllfx.exec:\rxrllfx.exe66⤵
- Executes dropped EXE
PID:2424 -
\??\c:\tnnnhh.exec:\tnnnhh.exe67⤵PID:1856
-
\??\c:\bbhbtb.exec:\bbhbtb.exe68⤵PID:1036
-
\??\c:\vpjdp.exec:\vpjdp.exe69⤵PID:4836
-
\??\c:\flrfrlx.exec:\flrfrlx.exe70⤵PID:2996
-
\??\c:\btbttn.exec:\btbttn.exe71⤵PID:428
-
\??\c:\hbhbtt.exec:\hbhbtt.exe72⤵PID:2260
-
\??\c:\1jjdp.exec:\1jjdp.exe73⤵PID:1896
-
\??\c:\xlrrfxr.exec:\xlrrfxr.exe74⤵PID:816
-
\??\c:\9ttnhh.exec:\9ttnhh.exe75⤵PID:1888
-
\??\c:\thnttn.exec:\thnttn.exe76⤵PID:5080
-
\??\c:\jvppv.exec:\jvppv.exe77⤵PID:5076
-
\??\c:\lrfrllf.exec:\lrfrllf.exe78⤵PID:2548
-
\??\c:\nhnttn.exec:\nhnttn.exe79⤵PID:2200
-
\??\c:\vpjdp.exec:\vpjdp.exe80⤵PID:2244
-
\??\c:\vpvvp.exec:\vpvvp.exe81⤵PID:1032
-
\??\c:\lfrlxxr.exec:\lfrlxxr.exe82⤵
- System Location Discovery: System Language Discovery
PID:1840 -
\??\c:\bttnhh.exec:\bttnhh.exe83⤵PID:4532
-
\??\c:\7tnhtb.exec:\7tnhtb.exe84⤵PID:740
-
\??\c:\jdddp.exec:\jdddp.exe85⤵PID:4648
-
\??\c:\xrrlffx.exec:\xrrlffx.exe86⤵PID:4548
-
\??\c:\xrrfrlx.exec:\xrrfrlx.exe87⤵PID:4432
-
\??\c:\tbbnhh.exec:\tbbnhh.exe88⤵PID:2836
-
\??\c:\jddvj.exec:\jddvj.exe89⤵PID:3108
-
\??\c:\frfrxlx.exec:\frfrxlx.exe90⤵PID:3548
-
\??\c:\bnbtnn.exec:\bnbtnn.exe91⤵PID:3572
-
\??\c:\ttbbnh.exec:\ttbbnh.exe92⤵PID:3580
-
\??\c:\9vdvj.exec:\9vdvj.exe93⤵PID:1376
-
\??\c:\rlrlflf.exec:\rlrlflf.exe94⤵PID:1428
-
\??\c:\3rrlflf.exec:\3rrlflf.exe95⤵PID:3076
-
\??\c:\nnnbtt.exec:\nnnbtt.exe96⤵PID:4488
-
\??\c:\vdddj.exec:\vdddj.exe97⤵PID:220
-
\??\c:\9xlfxrr.exec:\9xlfxrr.exe98⤵PID:2108
-
\??\c:\xxxlllf.exec:\xxxlllf.exe99⤵PID:4376
-
\??\c:\1bbnhh.exec:\1bbnhh.exe100⤵PID:2332
-
\??\c:\pvdpj.exec:\pvdpj.exe101⤵PID:2488
-
\??\c:\lllfxrr.exec:\lllfxrr.exe102⤵PID:1308
-
\??\c:\rrxxrrr.exec:\rrxxrrr.exe103⤵PID:1192
-
\??\c:\bhbbtn.exec:\bhbbtn.exe104⤵PID:4712
-
\??\c:\pjvpv.exec:\pjvpv.exe105⤵PID:1268
-
\??\c:\lfrlfrr.exec:\lfrlfrr.exe106⤵PID:912
-
\??\c:\lfllflf.exec:\lfllflf.exe107⤵PID:1356
-
\??\c:\3bbthb.exec:\3bbthb.exe108⤵PID:4356
-
\??\c:\vpvpp.exec:\vpvpp.exe109⤵PID:2052
-
\??\c:\xfllrff.exec:\xfllrff.exe110⤵PID:3252
-
\??\c:\bnbbbh.exec:\bnbbbh.exe111⤵PID:1540
-
\??\c:\bhtnbb.exec:\bhtnbb.exe112⤵PID:1552
-
\??\c:\vvddv.exec:\vvddv.exe113⤵PID:4416
-
\??\c:\lflxffl.exec:\lflxffl.exe114⤵PID:1016
-
\??\c:\bhnthh.exec:\bhnthh.exe115⤵PID:5100
-
\??\c:\tthhbh.exec:\tthhbh.exe116⤵PID:5108
-
\??\c:\vjppj.exec:\vjppj.exe117⤵PID:3680
-
\??\c:\9xllffx.exec:\9xllffx.exe118⤵PID:3380
-
\??\c:\xlfxxxr.exec:\xlfxxxr.exe119⤵PID:3116
-
\??\c:\hthbtt.exec:\hthbtt.exe120⤵PID:4592
-
\??\c:\1hnhbb.exec:\1hnhbb.exe121⤵PID:3376
-
\??\c:\pjjjj.exec:\pjjjj.exe122⤵PID:1020