Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 05:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe
-
Size
455KB
-
MD5
586844b1b9fedf8945bf698ece5ae46f
-
SHA1
de05dcf23bbfecff202fc078b529cac8ae6eca7a
-
SHA256
e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17
-
SHA512
cde0c16ad83d110ae8cb3d9289471af6630a7014e99c6c744edad97e976792002cdb56a310777fded3f65c58aee8c8c6e97a6421dea14b05ea66449eb29e40c3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRw:q7Tc2NYHUrAwfMp3CDRw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3532-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1496-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3800-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-1255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1084 ppjjv.exe 4408 flxxlrl.exe 3744 hhtnnn.exe 3268 dppvd.exe 2028 hbbtnn.exe 5052 jjpvv.exe 3168 vjppj.exe 1240 fxxxffx.exe 1672 nntbbh.exe 3712 pjddp.exe 2152 xffflll.exe 764 dpddd.exe 4352 hhnttb.exe 4120 ppppp.exe 2144 frrlllx.exe 1720 thttth.exe 4540 9tnhhb.exe 2740 bhbbbb.exe 2268 vvppj.exe 2540 xxllfll.exe 2876 pdjdp.exe 4212 9frlflf.exe 2956 pdddd.exe 1496 lxrrrrf.exe 3828 xxrrflx.exe 4748 lxfxxxr.exe 1196 xxxxrrr.exe 2840 xxlllrx.exe 4016 9xfrrrr.exe 4068 jdppp.exe 3748 djpdv.exe 884 vvjjj.exe 5084 bthbbb.exe 2356 3jpvv.exe 2512 3rfxxxx.exe 2340 bnttnh.exe 4116 dpjjj.exe 4224 jdddd.exe 3900 llxxrxr.exe 220 nhbhhn.exe 652 vjppd.exe 4376 5llllrr.exe 1740 nnhttb.exe 4408 nnnnnn.exe 4080 7ddjd.exe 1188 flxxrrr.exe 3804 hbnhnb.exe 2652 pvddv.exe 2256 rrllfxr.exe 4780 7btttn.exe 4808 jvpjd.exe 3908 lrrrxff.exe 2120 5bhbbh.exe 1652 ppvpp.exe 3768 ppppj.exe 3424 xrxfxll.exe 4736 btnhhh.exe 4788 dvpjj.exe 4728 xrrrrxf.exe 2584 rrllrxl.exe 1784 btnnhh.exe 1640 vvjvp.exe 1420 rlrrrrf.exe 4956 nnbbhh.exe -
resource yara_rule behavioral2/memory/3532-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1196-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1196-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-653-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3532 wrote to memory of 1084 3532 e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe 83 PID 3532 wrote to memory of 1084 3532 e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe 83 PID 3532 wrote to memory of 1084 3532 e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe 83 PID 1084 wrote to memory of 4408 1084 ppjjv.exe 84 PID 1084 wrote to memory of 4408 1084 ppjjv.exe 84 PID 1084 wrote to memory of 4408 1084 ppjjv.exe 84 PID 4408 wrote to memory of 3744 4408 flxxlrl.exe 85 PID 4408 wrote to memory of 3744 4408 flxxlrl.exe 85 PID 4408 wrote to memory of 3744 4408 flxxlrl.exe 85 PID 3744 wrote to memory of 3268 3744 hhtnnn.exe 86 PID 3744 wrote to memory of 3268 3744 hhtnnn.exe 86 PID 3744 wrote to memory of 3268 3744 hhtnnn.exe 86 PID 3268 wrote to memory of 2028 3268 dppvd.exe 87 PID 3268 wrote to memory of 2028 3268 dppvd.exe 87 PID 3268 wrote to memory of 2028 3268 dppvd.exe 87 PID 2028 wrote to memory of 5052 2028 hbbtnn.exe 88 PID 2028 wrote to memory of 5052 2028 hbbtnn.exe 88 PID 2028 wrote to memory of 5052 2028 hbbtnn.exe 88 PID 5052 wrote to memory of 3168 5052 jjpvv.exe 89 PID 5052 wrote to memory of 3168 5052 jjpvv.exe 89 PID 5052 wrote to memory of 3168 5052 jjpvv.exe 89 PID 3168 wrote to memory of 1240 3168 vjppj.exe 90 PID 3168 wrote to memory of 1240 3168 vjppj.exe 90 PID 3168 wrote to memory of 1240 3168 vjppj.exe 90 PID 1240 wrote to memory of 1672 1240 fxxxffx.exe 91 PID 1240 wrote to memory of 1672 1240 fxxxffx.exe 91 PID 1240 wrote to memory of 1672 1240 fxxxffx.exe 91 PID 1672 wrote to memory of 3712 1672 nntbbh.exe 92 PID 1672 wrote to memory of 3712 1672 nntbbh.exe 92 PID 1672 wrote to memory of 3712 1672 nntbbh.exe 92 PID 3712 wrote to memory of 2152 3712 pjddp.exe 93 PID 3712 wrote to memory of 2152 3712 pjddp.exe 93 PID 3712 wrote to memory of 2152 3712 pjddp.exe 93 PID 2152 wrote to memory of 764 2152 xffflll.exe 94 PID 2152 wrote to memory of 
764 2152 xffflll.exe 94 PID 2152 wrote to memory of 764 2152 xffflll.exe 94 PID 764 wrote to memory of 4352 764 dpddd.exe 95 PID 764 wrote to memory of 4352 764 dpddd.exe 95 PID 764 wrote to memory of 4352 764 dpddd.exe 95 PID 4352 wrote to memory of 4120 4352 hhnttb.exe 96 PID 4352 wrote to memory of 4120 4352 hhnttb.exe 96 PID 4352 wrote to memory of 4120 4352 hhnttb.exe 96 PID 4120 wrote to memory of 2144 4120 ppppp.exe 97 PID 4120 wrote to memory of 2144 4120 ppppp.exe 97 PID 4120 wrote to memory of 2144 4120 ppppp.exe 97 PID 2144 wrote to memory of 1720 2144 frrlllx.exe 98 PID 2144 wrote to memory of 1720 2144 frrlllx.exe 98 PID 2144 wrote to memory of 1720 2144 frrlllx.exe 98 PID 1720 wrote to memory of 4540 1720 thttth.exe 99 PID 1720 wrote to memory of 4540 1720 thttth.exe 99 PID 1720 wrote to memory of 4540 1720 thttth.exe 99 PID 4540 wrote to memory of 2740 4540 9tnhhb.exe 100 PID 4540 wrote to memory of 2740 4540 9tnhhb.exe 100 PID 4540 wrote to memory of 2740 4540 9tnhhb.exe 100 PID 2740 wrote to memory of 2268 2740 bhbbbb.exe 101 PID 2740 wrote to memory of 2268 2740 bhbbbb.exe 101 PID 2740 wrote to memory of 2268 2740 bhbbbb.exe 101 PID 2268 wrote to memory of 2540 2268 vvppj.exe 102 PID 2268 wrote to memory of 2540 2268 vvppj.exe 102 PID 2268 wrote to memory of 2540 2268 vvppj.exe 102 PID 2540 wrote to memory of 2876 2540 xxllfll.exe 103 PID 2540 wrote to memory of 2876 2540 xxllfll.exe 103 PID 2540 wrote to memory of 2876 2540 xxllfll.exe 103 PID 2876 wrote to memory of 4212 2876 pdjdp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe"C:\Users\Admin\AppData\Local\Temp\e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\ppjjv.exec:\ppjjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\flxxlrl.exec:\flxxlrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\hhtnnn.exec:\hhtnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\dppvd.exec:\dppvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\hbbtnn.exec:\hbbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\jjpvv.exec:\jjpvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\vjppj.exec:\vjppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\fxxxffx.exec:\fxxxffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\nntbbh.exec:\nntbbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\pjddp.exec:\pjddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\xffflll.exec:\xffflll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\dpddd.exec:\dpddd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\hhnttb.exec:\hhnttb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\ppppp.exec:\ppppp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\frrlllx.exec:\frrlllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\thttth.exec:\thttth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\9tnhhb.exec:\9tnhhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\bhbbbb.exec:\bhbbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\vvppj.exec:\vvppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\xxllfll.exec:\xxllfll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\pdjdp.exec:\pdjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\9frlflf.exec:\9frlflf.exe23⤵
- Executes dropped EXE
PID:4212 -
\??\c:\pdddd.exec:\pdddd.exe24⤵
- Executes dropped EXE
PID:2956 -
\??\c:\lxrrrrf.exec:\lxrrrrf.exe25⤵
- Executes dropped EXE
PID:1496 -
\??\c:\xxrrflx.exec:\xxrrflx.exe26⤵
- Executes dropped EXE
PID:3828 -
\??\c:\lxfxxxr.exec:\lxfxxxr.exe27⤵
- Executes dropped EXE
PID:4748 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe28⤵
- Executes dropped EXE
PID:1196 -
\??\c:\xxlllrx.exec:\xxlllrx.exe29⤵
- Executes dropped EXE
PID:2840 -
\??\c:\9xfrrrr.exec:\9xfrrrr.exe30⤵
- Executes dropped EXE
PID:4016 -
\??\c:\jdppp.exec:\jdppp.exe31⤵
- Executes dropped EXE
PID:4068 -
\??\c:\djpdv.exec:\djpdv.exe32⤵
- Executes dropped EXE
PID:3748 -
\??\c:\vvjjj.exec:\vvjjj.exe33⤵
- Executes dropped EXE
PID:884 -
\??\c:\bthbbb.exec:\bthbbb.exe34⤵
- Executes dropped EXE
PID:5084 -
\??\c:\3jpvv.exec:\3jpvv.exe35⤵
- Executes dropped EXE
PID:2356 -
\??\c:\3rfxxxx.exec:\3rfxxxx.exe36⤵
- Executes dropped EXE
PID:2512 -
\??\c:\bnttnh.exec:\bnttnh.exe37⤵
- Executes dropped EXE
PID:2340 -
\??\c:\dpjjj.exec:\dpjjj.exe38⤵
- Executes dropped EXE
PID:4116 -
\??\c:\jdddd.exec:\jdddd.exe39⤵
- Executes dropped EXE
PID:4224 -
\??\c:\llxxrxr.exec:\llxxrxr.exe40⤵
- Executes dropped EXE
PID:3900 -
\??\c:\nhbhhn.exec:\nhbhhn.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:220 -
\??\c:\vjppd.exec:\vjppd.exe42⤵
- Executes dropped EXE
PID:652 -
\??\c:\5llllrr.exec:\5llllrr.exe43⤵
- Executes dropped EXE
PID:4376 -
\??\c:\nnhttb.exec:\nnhttb.exe44⤵
- Executes dropped EXE
PID:1740 -
\??\c:\nnnnnn.exec:\nnnnnn.exe45⤵
- Executes dropped EXE
PID:4408 -
\??\c:\7ddjd.exec:\7ddjd.exe46⤵
- Executes dropped EXE
PID:4080 -
\??\c:\flxxrrr.exec:\flxxrrr.exe47⤵
- Executes dropped EXE
PID:1188 -
\??\c:\hbnhnb.exec:\hbnhnb.exe48⤵
- Executes dropped EXE
PID:3804 -
\??\c:\pvddv.exec:\pvddv.exe49⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rrllfxr.exec:\rrllfxr.exe50⤵
- Executes dropped EXE
PID:2256 -
\??\c:\7btttn.exec:\7btttn.exe51⤵
- Executes dropped EXE
PID:4780 -
\??\c:\jvpjd.exec:\jvpjd.exe52⤵
- Executes dropped EXE
PID:4808 -
\??\c:\lrrrxff.exec:\lrrrxff.exe53⤵
- Executes dropped EXE
PID:3908 -
\??\c:\5bhbbh.exec:\5bhbbh.exe54⤵
- Executes dropped EXE
PID:2120 -
\??\c:\ppvpp.exec:\ppvpp.exe55⤵
- Executes dropped EXE
PID:1652 -
\??\c:\ppppj.exec:\ppppj.exe56⤵
- Executes dropped EXE
PID:3768 -
\??\c:\xrxfxll.exec:\xrxfxll.exe57⤵
- Executes dropped EXE
PID:3424 -
\??\c:\btnhhh.exec:\btnhhh.exe58⤵
- Executes dropped EXE
PID:4736 -
\??\c:\dvpjj.exec:\dvpjj.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4788 -
\??\c:\xrrrrxf.exec:\xrrrrxf.exe60⤵
- Executes dropped EXE
PID:4728 -
\??\c:\rrllrxl.exec:\rrllrxl.exe61⤵
- Executes dropped EXE
PID:2584 -
\??\c:\btnnhh.exec:\btnnhh.exe62⤵
- Executes dropped EXE
PID:1784 -
\??\c:\vvjvp.exec:\vvjvp.exe63⤵
- Executes dropped EXE
PID:1640 -
\??\c:\rlrrrrf.exec:\rlrrrrf.exe64⤵
- Executes dropped EXE
PID:1420 -
\??\c:\nnbbhh.exec:\nnbbhh.exe65⤵
- Executes dropped EXE
PID:4956 -
\??\c:\vjvvv.exec:\vjvvv.exe66⤵PID:3860
-
\??\c:\llrrxfr.exec:\llrrxfr.exe67⤵PID:3620
-
\??\c:\thnnnt.exec:\thnnnt.exe68⤵PID:1560
-
\??\c:\hhbtbb.exec:\hhbtbb.exe69⤵PID:4320
-
\??\c:\pjpjj.exec:\pjpjj.exe70⤵PID:3800
-
\??\c:\xfllrxf.exec:\xfllrxf.exe71⤵PID:1724
-
\??\c:\tthhhn.exec:\tthhhn.exe72⤵PID:4928
-
\??\c:\htbbtt.exec:\htbbtt.exe73⤵PID:840
-
\??\c:\pdjdd.exec:\pdjdd.exe74⤵PID:4212
-
\??\c:\9xxllff.exec:\9xxllff.exe75⤵PID:5080
-
\??\c:\hhbtnt.exec:\hhbtnt.exe76⤵PID:3520
-
\??\c:\ppppp.exec:\ppppp.exe77⤵PID:4364
-
\??\c:\jpvdd.exec:\jpvdd.exe78⤵PID:3828
-
\??\c:\lfxrllr.exec:\lfxrllr.exe79⤵PID:2504
-
\??\c:\hnbbbb.exec:\hnbbbb.exe80⤵PID:3360
-
\??\c:\pvppv.exec:\pvppv.exe81⤵PID:1196
-
\??\c:\5xxxrrr.exec:\5xxxrrr.exe82⤵PID:4536
-
\??\c:\bnbbbb.exec:\bnbbbb.exe83⤵PID:4380
-
\??\c:\nbnhhh.exec:\nbnhhh.exe84⤵PID:1736
-
\??\c:\ppjdv.exec:\ppjdv.exe85⤵PID:4656
-
\??\c:\ffllfll.exec:\ffllfll.exe86⤵PID:2096
-
\??\c:\3ttttb.exec:\3ttttb.exe87⤵PID:4308
-
\??\c:\ddpdd.exec:\ddpdd.exe88⤵PID:4504
-
\??\c:\ppdvj.exec:\ppdvj.exe89⤵PID:3312
-
\??\c:\fxllxff.exec:\fxllxff.exe90⤵PID:1596
-
\??\c:\thbbtt.exec:\thbbtt.exe91⤵PID:2312
-
\??\c:\dvddj.exec:\dvddj.exe92⤵PID:784
-
\??\c:\xrxrrll.exec:\xrxrrll.exe93⤵PID:616
-
\??\c:\nnttnt.exec:\nnttnt.exe94⤵PID:5112
-
\??\c:\bnbbtt.exec:\bnbbtt.exe95⤵PID:2004
-
\??\c:\jjvvd.exec:\jjvvd.exe96⤵PID:1636
-
\??\c:\xrlfllr.exec:\xrlfllr.exe97⤵PID:4292
-
\??\c:\5tnnhn.exec:\5tnnhn.exe98⤵PID:3760
-
\??\c:\nnnnnh.exec:\nnnnnh.exe99⤵PID:4856
-
\??\c:\vvpdd.exec:\vvpdd.exe100⤵PID:3532
-
\??\c:\xffxfll.exec:\xffxfll.exe101⤵PID:3832
-
\??\c:\bntnnn.exec:\bntnnn.exe102⤵
- System Location Discovery: System Language Discovery
PID:4712 -
\??\c:\vpvvv.exec:\vpvvv.exe103⤵PID:3444
-
\??\c:\llrrlrr.exec:\llrrlrr.exe104⤵PID:4080
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe105⤵PID:3500
-
\??\c:\nnttbh.exec:\nnttbh.exe106⤵PID:3804
-
\??\c:\pdjdd.exec:\pdjdd.exe107⤵PID:2652
-
\??\c:\flxfflr.exec:\flxfflr.exe108⤵PID:2988
-
\??\c:\hhtttt.exec:\hhtttt.exe109⤵PID:5052
-
\??\c:\vpvvp.exec:\vpvvp.exe110⤵PID:2020
-
\??\c:\pjvvv.exec:\pjvvv.exe111⤵PID:544
-
\??\c:\fxllxxf.exec:\fxllxxf.exe112⤵PID:2324
-
\??\c:\nhtntt.exec:\nhtntt.exe113⤵PID:464
-
\??\c:\5dppd.exec:\5dppd.exe114⤵PID:5012
-
\??\c:\pdppv.exec:\pdppv.exe115⤵PID:4624
-
\??\c:\xxlrlxr.exec:\xxlrlxr.exe116⤵PID:5024
-
\??\c:\thbtht.exec:\thbtht.exe117⤵PID:2152
-
\??\c:\xxfxxff.exec:\xxfxxff.exe118⤵PID:2516
-
\??\c:\llllrxr.exec:\llllrxr.exe119⤵PID:324
-
\??\c:\nbtthn.exec:\nbtthn.exe120⤵PID:4352
-
\??\c:\jvpdd.exec:\jvpdd.exe121⤵PID:2092
-
\??\c:\1ffffxx.exec:\1ffffxx.exe122⤵PID:1148