Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 06:13
Behavioral task
behavioral1
Sample
a94f17ccb7ad4206bead0f878f3953bc204e2f620b7bf6af7897f0e89f6f73aa.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
a94f17ccb7ad4206bead0f878f3953bc204e2f620b7bf6af7897f0e89f6f73aa.exe
-
Size
91KB
-
MD5
2f14b9b31dc69cf4d3a32f8969016030
-
SHA1
8db7899a7a58f0db0cfeeeb135644bf99fca0a35
-
SHA256
a94f17ccb7ad4206bead0f878f3953bc204e2f620b7bf6af7897f0e89f6f73aa
-
SHA512
adb2783aca33c9fb483277a7e0da81be633051a61cf0d61b30faa3a6c134cb69af490596ca1837f666e56c6ad49fdb9d8338ae405de920aba60b53c420574ab9
-
SSDEEP
1536:cvQBeOGtrYS3srx93UBWfwC6Ggnouy8HglWxR9Yii9J01qCxNip:chOmTsF93UYfwC6GIout3xR9nx0p
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/2988-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1808-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1952-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3568-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3724-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4228-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/824-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1076-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1348-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/680-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1568-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/740-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/336-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1224-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1276-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/312-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1964-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-537-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1184-589-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2256-605-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-618-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-767-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/468-1790-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4188 nnbbbn.exe 4736 ddjvj.exe 1808 jvvjv.exe 4932 7bnnhh.exe 2356 bbbbbb.exe 3616 dpjjp.exe 1952 jddvd.exe 4300 lffxffx.exe 1612 hnhhtb.exe 1432 ttnhhh.exe 3568 dvdvv.exe 4980 fxffxrl.exe 3724 rrrlllf.exe 4228 btnnhh.exe 2164 9vpvv.exe 824 ffllrxl.exe 3264 lllllll.exe 1076 tbbbbb.exe 1068 pjdvv.exe 3052 lffxffr.exe 3332 rxfxxxx.exe 4588 jdpvp.exe 4480 xrrrrrx.exe 400 xxxxllr.exe 1348 hbbbtb.exe 3196 ppddj.exe 1648 3lrrllx.exe 4636 btbnhh.exe 4552 9btbtt.exe 2408 xlrfllf.exe 884 xxfflxx.exe 3480 hbnhbt.exe 1940 7vppp.exe 680 jpdjp.exe 3528 rxxfffx.exe 2596 bhnnhh.exe 1608 bbbtth.exe 4764 jdpjp.exe 4692 xfxxxrl.exe 208 rfllrfr.exe 5108 nbbnbb.exe 2544 pppjd.exe 3164 vdjdj.exe 1568 xrfxrrf.exe 4400 tbnbtt.exe 556 vpvpp.exe 5028 5vpjv.exe 4188 rfxlxxl.exe 3092 bhnnnt.exe 1604 vvpdv.exe 1320 rrxrfrl.exe 3540 hthnnb.exe 1368 5lrrlrr.exe 740 vvpdv.exe 2344 pvvpj.exe 976 llllllr.exe 3212 9lrrxxx.exe 1340 ppvpd.exe 2180 rllrrxx.exe 3668 rlxxrrl.exe 3444 bthbbb.exe 336 pjvpj.exe 3724 xffxrlr.exe 428 ttttbh.exe -
resource yara_rule behavioral2/memory/2988-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ba1-2.dat upx behavioral2/memory/2988-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba8-9.dat upx behavioral2/memory/4188-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb3-13.dat upx behavioral2/memory/4736-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1808-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bba-21.dat upx behavioral2/memory/4932-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bc3-28.dat upx behavioral2/memory/4932-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bc8-36.dat upx behavioral2/files/0x0009000000023bc9-39.dat upx behavioral2/memory/3616-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bca-45.dat upx behavioral2/memory/1952-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bce-51.dat upx behavioral2/memory/4300-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd0-57.dat upx behavioral2/memory/1612-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd3-63.dat upx behavioral2/memory/1432-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd4-68.dat upx behavioral2/memory/3568-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd5-74.dat upx behavioral2/memory/4980-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3724-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c05-80.dat upx behavioral2/files/0x0008000000023c06-85.dat upx 
behavioral2/memory/2164-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4228-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c07-95.dat upx behavioral2/memory/2164-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/824-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c08-98.dat upx behavioral2/files/0x0008000000023c09-103.dat upx behavioral2/memory/3264-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0a-109.dat upx behavioral2/memory/1076-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0f-115.dat upx behavioral2/files/0x0008000000023c10-120.dat upx behavioral2/memory/3052-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c11-126.dat upx behavioral2/memory/4588-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c23-133.dat upx behavioral2/files/0x0008000000023c29-138.dat upx behavioral2/memory/400-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2a-144.dat upx behavioral2/files/0x0008000000023c2b-148.dat upx behavioral2/memory/1348-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2c-153.dat upx behavioral2/files/0x0008000000023c2d-159.dat upx behavioral2/memory/4636-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1648-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ba9-166.dat upx behavioral2/memory/4636-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2e-172.dat upx behavioral2/files/0x000b000000023c43-177.dat upx behavioral2/files/0x0016000000023c44-182.dat upx behavioral2/memory/680-194-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3528-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4764-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/208-213-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 4188 2988 a94f17ccb7ad4206bead0f878f3953bc204e2f620b7bf6af7897f0e89f6f73aa.exe 82 PID 2988 wrote to memory of 4188 2988 a94f17ccb7ad4206bead0f878f3953bc204e2f620b7bf6af7897f0e89f6f73aa.exe 82 PID 2988 wrote to memory of 4188 2988 a94f17ccb7ad4206bead0f878f3953bc204e2f620b7bf6af7897f0e89f6f73aa.exe 82 PID 4188 wrote to memory of 4736 4188 nnbbbn.exe 83 PID 4188 wrote to memory of 4736 4188 nnbbbn.exe 83 PID 4188 wrote to memory of 4736 4188 nnbbbn.exe 83 PID 4736 wrote to memory of 1808 4736 ddjvj.exe 84 PID 4736 wrote to memory of 1808 4736 ddjvj.exe 84 PID 4736 wrote to memory of 1808 4736 ddjvj.exe 84 PID 1808 wrote to memory of 4932 1808 jvvjv.exe 85 PID 1808 wrote to memory of 4932 1808 jvvjv.exe 85 PID 1808 wrote to memory of 4932 1808 jvvjv.exe 85 PID 4932 wrote to memory of 2356 4932 7bnnhh.exe 86 PID 4932 wrote to memory of 2356 4932 7bnnhh.exe 86 PID 4932 wrote to memory of 2356 4932 7bnnhh.exe 86 PID 2356 wrote to memory of 3616 2356 bbbbbb.exe 87 PID 2356 wrote to memory of 3616 2356 bbbbbb.exe 87 PID 2356 wrote to memory of 3616 2356 bbbbbb.exe 87 PID 3616 wrote to memory of 1952 3616 dpjjp.exe 88 PID 3616 wrote to memory of 1952 3616 dpjjp.exe 88 PID 3616 wrote to memory of 1952 3616 dpjjp.exe 88 PID 1952 wrote to memory of 4300 1952 jddvd.exe 89 PID 1952 wrote to memory of 4300 1952 jddvd.exe 89 PID 1952 wrote to memory of 4300 1952 jddvd.exe 89 PID 4300 wrote to memory of 1612 4300 lffxffx.exe 90 PID 4300 wrote to memory of 1612 4300 lffxffx.exe 90 PID 4300 wrote to memory of 1612 4300 lffxffx.exe 90 PID 1612 wrote to memory of 1432 1612 hnhhtb.exe 91 PID 1612 wrote to memory of 1432 1612 hnhhtb.exe 91 PID 1612 wrote to memory of 1432 1612 hnhhtb.exe 91 PID 1432 wrote to memory of 3568 1432 ttnhhh.exe 92 PID 1432 wrote to memory of 3568 1432 ttnhhh.exe 92 PID 1432 wrote to memory of 3568 1432 ttnhhh.exe 92 PID 3568 wrote to memory of 4980 3568 dvdvv.exe 93 PID 3568 wrote to memory of 
4980 3568 dvdvv.exe 93 PID 3568 wrote to memory of 4980 3568 dvdvv.exe 93 PID 4980 wrote to memory of 3724 4980 fxffxrl.exe 94 PID 4980 wrote to memory of 3724 4980 fxffxrl.exe 94 PID 4980 wrote to memory of 3724 4980 fxffxrl.exe 94 PID 3724 wrote to memory of 4228 3724 rrrlllf.exe 95 PID 3724 wrote to memory of 4228 3724 rrrlllf.exe 95 PID 3724 wrote to memory of 4228 3724 rrrlllf.exe 95 PID 4228 wrote to memory of 2164 4228 btnnhh.exe 96 PID 4228 wrote to memory of 2164 4228 btnnhh.exe 96 PID 4228 wrote to memory of 2164 4228 btnnhh.exe 96 PID 2164 wrote to memory of 824 2164 9vpvv.exe 97 PID 2164 wrote to memory of 824 2164 9vpvv.exe 97 PID 2164 wrote to memory of 824 2164 9vpvv.exe 97 PID 824 wrote to memory of 3264 824 ffllrxl.exe 98 PID 824 wrote to memory of 3264 824 ffllrxl.exe 98 PID 824 wrote to memory of 3264 824 ffllrxl.exe 98 PID 3264 wrote to memory of 1076 3264 lllllll.exe 99 PID 3264 wrote to memory of 1076 3264 lllllll.exe 99 PID 3264 wrote to memory of 1076 3264 lllllll.exe 99 PID 1076 wrote to memory of 1068 1076 tbbbbb.exe 100 PID 1076 wrote to memory of 1068 1076 tbbbbb.exe 100 PID 1076 wrote to memory of 1068 1076 tbbbbb.exe 100 PID 1068 wrote to memory of 3052 1068 pjdvv.exe 101 PID 1068 wrote to memory of 3052 1068 pjdvv.exe 101 PID 1068 wrote to memory of 3052 1068 pjdvv.exe 101 PID 3052 wrote to memory of 3332 3052 lffxffr.exe 102 PID 3052 wrote to memory of 3332 3052 lffxffr.exe 102 PID 3052 wrote to memory of 3332 3052 lffxffr.exe 102 PID 3332 wrote to memory of 4588 3332 rxfxxxx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a94f17ccb7ad4206bead0f878f3953bc204e2f620b7bf6af7897f0e89f6f73aa.exe"C:\Users\Admin\AppData\Local\Temp\a94f17ccb7ad4206bead0f878f3953bc204e2f620b7bf6af7897f0e89f6f73aa.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\nnbbbn.exec:\nnbbbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\ddjvj.exec:\ddjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\jvvjv.exec:\jvvjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\7bnnhh.exec:\7bnnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\bbbbbb.exec:\bbbbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\dpjjp.exec:\dpjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\jddvd.exec:\jddvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\lffxffx.exec:\lffxffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\hnhhtb.exec:\hnhhtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\ttnhhh.exec:\ttnhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\dvdvv.exec:\dvdvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\fxffxrl.exec:\fxffxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\rrrlllf.exec:\rrrlllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\btnnhh.exec:\btnnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\9vpvv.exec:\9vpvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\ffllrxl.exec:\ffllrxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\lllllll.exec:\lllllll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\tbbbbb.exec:\tbbbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\pjdvv.exec:\pjdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\lffxffr.exec:\lffxffr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\rxfxxxx.exec:\rxfxxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\jdpvp.exec:\jdpvp.exe23⤵
- Executes dropped EXE
PID:4588 -
\??\c:\xrrrrrx.exec:\xrrrrrx.exe24⤵
- Executes dropped EXE
PID:4480 -
\??\c:\xxxxllr.exec:\xxxxllr.exe25⤵
- Executes dropped EXE
PID:400 -
\??\c:\hbbbtb.exec:\hbbbtb.exe26⤵
- Executes dropped EXE
PID:1348 -
\??\c:\ppddj.exec:\ppddj.exe27⤵
- Executes dropped EXE
PID:3196 -
\??\c:\3lrrllx.exec:\3lrrllx.exe28⤵
- Executes dropped EXE
PID:1648 -
\??\c:\btbnhh.exec:\btbnhh.exe29⤵
- Executes dropped EXE
PID:4636 -
\??\c:\9btbtt.exec:\9btbtt.exe30⤵
- Executes dropped EXE
PID:4552 -
\??\c:\xlrfllf.exec:\xlrfllf.exe31⤵
- Executes dropped EXE
PID:2408 -
\??\c:\xxfflxx.exec:\xxfflxx.exe32⤵
- Executes dropped EXE
PID:884 -
\??\c:\hbnhbt.exec:\hbnhbt.exe33⤵
- Executes dropped EXE
PID:3480 -
\??\c:\7vppp.exec:\7vppp.exe34⤵
- Executes dropped EXE
PID:1940 -
\??\c:\jpdjp.exec:\jpdjp.exe35⤵
- Executes dropped EXE
PID:680 -
\??\c:\rxxfffx.exec:\rxxfffx.exe36⤵
- Executes dropped EXE
PID:3528 -
\??\c:\bhnnhh.exec:\bhnnhh.exe37⤵
- Executes dropped EXE
PID:2596 -
\??\c:\bbbtth.exec:\bbbtth.exe38⤵
- Executes dropped EXE
PID:1608 -
\??\c:\jdpjp.exec:\jdpjp.exe39⤵
- Executes dropped EXE
PID:4764 -
\??\c:\xfxxxrl.exec:\xfxxxrl.exe40⤵
- Executes dropped EXE
PID:4692 -
\??\c:\rfllrfr.exec:\rfllrfr.exe41⤵
- Executes dropped EXE
PID:208 -
\??\c:\nbbnbb.exec:\nbbnbb.exe42⤵
- Executes dropped EXE
PID:5108 -
\??\c:\pppjd.exec:\pppjd.exe43⤵
- Executes dropped EXE
PID:2544 -
\??\c:\vdjdj.exec:\vdjdj.exe44⤵
- Executes dropped EXE
PID:3164 -
\??\c:\xrfxrrf.exec:\xrfxrrf.exe45⤵
- Executes dropped EXE
PID:1568 -
\??\c:\tbnbtt.exec:\tbnbtt.exe46⤵
- Executes dropped EXE
PID:4400 -
\??\c:\vpvpp.exec:\vpvpp.exe47⤵
- Executes dropped EXE
PID:556 -
\??\c:\5vpjv.exec:\5vpjv.exe48⤵
- Executes dropped EXE
PID:5028 -
\??\c:\rfxlxxl.exec:\rfxlxxl.exe49⤵
- Executes dropped EXE
PID:4188 -
\??\c:\bhnnnt.exec:\bhnnnt.exe50⤵
- Executes dropped EXE
PID:3092 -
\??\c:\vvpdv.exec:\vvpdv.exe51⤵
- Executes dropped EXE
PID:1604 -
\??\c:\rrxrfrl.exec:\rrxrfrl.exe52⤵
- Executes dropped EXE
PID:1320 -
\??\c:\hthnnb.exec:\hthnnb.exe53⤵
- Executes dropped EXE
PID:3540 -
\??\c:\5lrrlrr.exec:\5lrrlrr.exe54⤵
- Executes dropped EXE
PID:1368 -
\??\c:\vvpdv.exec:\vvpdv.exe55⤵
- Executes dropped EXE
PID:740 -
\??\c:\pvvpj.exec:\pvvpj.exe56⤵
- Executes dropped EXE
PID:2344 -
\??\c:\llllllr.exec:\llllllr.exe57⤵
- Executes dropped EXE
PID:976 -
\??\c:\9lrrxxx.exec:\9lrrxxx.exe58⤵
- Executes dropped EXE
PID:3212 -
\??\c:\ppvpd.exec:\ppvpd.exe59⤵
- Executes dropped EXE
PID:1340 -
\??\c:\rllrrxx.exec:\rllrrxx.exe60⤵
- Executes dropped EXE
PID:2180 -
\??\c:\rlxxrrl.exec:\rlxxrrl.exe61⤵
- Executes dropped EXE
PID:3668 -
\??\c:\bthbbb.exec:\bthbbb.exe62⤵
- Executes dropped EXE
PID:3444 -
\??\c:\pjvpj.exec:\pjvpj.exe63⤵
- Executes dropped EXE
PID:336 -
\??\c:\xffxrlr.exec:\xffxrlr.exe64⤵
- Executes dropped EXE
PID:3724 -
\??\c:\ttttbh.exec:\ttttbh.exe65⤵
- Executes dropped EXE
PID:428 -
\??\c:\5tnhbn.exec:\5tnhbn.exe66⤵PID:3488
-
\??\c:\jdjjd.exec:\jdjjd.exe67⤵
- System Location Discovery: System Language Discovery
PID:2260 -
\??\c:\dpjdv.exec:\dpjdv.exe68⤵PID:824
-
\??\c:\fffxxrl.exec:\fffxxrl.exe69⤵PID:1484
-
\??\c:\xxxrrxr.exec:\xxxrrxr.exe70⤵PID:4612
-
\??\c:\nhhtbh.exec:\nhhtbh.exe71⤵PID:4676
-
\??\c:\pvvvv.exec:\pvvvv.exe72⤵PID:2628
-
\??\c:\rxfffll.exec:\rxfffll.exe73⤵PID:1972
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe74⤵PID:1224
-
\??\c:\5ttbtt.exec:\5ttbtt.exe75⤵PID:3680
-
\??\c:\pjppj.exec:\pjppj.exe76⤵PID:2644
-
\??\c:\vppjd.exec:\vppjd.exe77⤵PID:1372
-
\??\c:\fxfflrr.exec:\fxfflrr.exe78⤵PID:2016
-
\??\c:\nhnnnt.exec:\nhnnnt.exe79⤵PID:4984
-
\??\c:\hbnnnt.exec:\hbnnnt.exe80⤵PID:4988
-
\??\c:\jpjpp.exec:\jpjpp.exe81⤵PID:1348
-
\??\c:\xrrrxxr.exec:\xrrrxxr.exe82⤵PID:4816
-
\??\c:\tnbbbh.exec:\tnbbbh.exe83⤵PID:2024
-
\??\c:\nhhnnt.exec:\nhhnnt.exe84⤵PID:1560
-
\??\c:\dpjpp.exec:\dpjpp.exe85⤵PID:4636
-
\??\c:\lxlffrr.exec:\lxlffrr.exe86⤵PID:1908
-
\??\c:\xlxfrfr.exec:\xlxfrfr.exe87⤵PID:3448
-
\??\c:\tnbhhn.exec:\tnbhhn.exe88⤵PID:2976
-
\??\c:\pdppp.exec:\pdppp.exe89⤵PID:4032
-
\??\c:\xlxffxf.exec:\xlxffxf.exe90⤵PID:2648
-
\??\c:\ntbbbb.exec:\ntbbbb.exe91⤵PID:1940
-
\??\c:\bnnnhh.exec:\bnnnhh.exe92⤵PID:392
-
\??\c:\dvppv.exec:\dvppv.exe93⤵PID:4596
-
\??\c:\fllfrrl.exec:\fllfrrl.exe94⤵PID:4176
-
\??\c:\xllxfrr.exec:\xllxfrr.exe95⤵PID:1608
-
\??\c:\ntthhb.exec:\ntthhb.exe96⤵PID:4012
-
\??\c:\vjvvp.exec:\vjvvp.exe97⤵PID:4692
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe98⤵PID:208
-
\??\c:\rflrxff.exec:\rflrxff.exe99⤵PID:1376
-
\??\c:\ntbttt.exec:\ntbttt.exe100⤵PID:1060
-
\??\c:\1bnhtb.exec:\1bnhtb.exe101⤵PID:3596
-
\??\c:\vjjpp.exec:\vjjpp.exe102⤵PID:4436
-
\??\c:\rflfffx.exec:\rflfffx.exe103⤵PID:4528
-
\??\c:\7hbbhn.exec:\7hbbhn.exe104⤵
- System Location Discovery: System Language Discovery
PID:1276 -
\??\c:\bnbttt.exec:\bnbttt.exe105⤵PID:2996
-
\??\c:\7ddjd.exec:\7ddjd.exe106⤵PID:2988
-
\??\c:\rxfxffl.exec:\rxfxffl.exe107⤵PID:4212
-
\??\c:\lfrrllf.exec:\lfrrllf.exe108⤵PID:2352
-
\??\c:\ddvvj.exec:\ddvvj.exe109⤵PID:2584
-
\??\c:\fxfrllx.exec:\fxfrllx.exe110⤵PID:1320
-
\??\c:\tbtbnt.exec:\tbtbnt.exe111⤵PID:2356
-
\??\c:\jvpjj.exec:\jvpjj.exe112⤵PID:1368
-
\??\c:\1ddvp.exec:\1ddvp.exe113⤵PID:312
-
\??\c:\3lxrlff.exec:\3lxrlff.exe114⤵PID:2312
-
\??\c:\1bhnhn.exec:\1bhnhn.exe115⤵PID:4216
-
\??\c:\tttbnn.exec:\tttbnn.exe116⤵PID:2804
-
\??\c:\ppppj.exec:\ppppj.exe117⤵PID:3060
-
\??\c:\rrrrrxx.exec:\rrrrrxx.exe118⤵PID:216
-
\??\c:\rrfflrl.exec:\rrfflrl.exe119⤵PID:3668
-
\??\c:\5thhnt.exec:\5thhnt.exe120⤵PID:3568
-
\??\c:\ddddd.exec:\ddddd.exe121⤵PID:2084
-
\??\c:\fffxrrl.exec:\fffxrrl.exe122⤵PID:1964