Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 10:26
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
826bb0be08cb06a9b44f7dc120d5738a3997e14e0a250f1c2274c076ecc3c225N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
826bb0be08cb06a9b44f7dc120d5738a3997e14e0a250f1c2274c076ecc3c225N.exe
-
Size
453KB
-
MD5
4f50929735a11e6c155a98d7ec458aa0
-
SHA1
ba1aa51b2d9a9f128a68693f681375077b932ae4
-
SHA256
826bb0be08cb06a9b44f7dc120d5738a3997e14e0a250f1c2274c076ecc3c225
-
SHA512
4b27a70217054ebfa8ab22421f7689a3092e3606ff2b16d80ad8e2f88833dcaf5443236ad166a2849ddf5e033c9c43f512cdf4ef13aaf730ff615060f848f16c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (all hits are YARA matches on in-memory dumps of the 0x00400000–0x0042A000 image region; the same regions also match the UPX rule further down, which is consistent with a UPX-packed payload that only becomes recognisable once unpacked in memory — a static scan of the file on disk may not trigger the family rule)
resource yara_rule behavioral2/memory/3312-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1920-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2712-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list appears capped at 64 entries while the process tree below continues to depth 122; each dropped binary is run from the root of C:\ and in turn spawns the next one. Note that PIDs are reused within the run — e.g. 4276 is listed for both fxllrxx.exe and 7vddv.exe, 4176 for both vdjdd.exe and 1dppp.exe — so memory dumps named by PID should be correlated using the accompanying sequence number as well, not the PID alone)
pid Process 4276 fxllrxx.exe 1544 3ntttn.exe 3968 vvpvj.exe 4172 xxfflrr.exe 4412 lxlxlrl.exe 1132 3vddd.exe 3932 9rrxllf.exe 3896 tthhnt.exe 2936 tbbtnh.exe 2692 jdpvv.exe 3452 lfxfxxx.exe 4176 vdjdd.exe 2332 rrllfll.exe 5020 nthbbt.exe 4436 9vpjj.exe 3124 fllrxfl.exe 2488 nhnnhh.exe 2800 xflrrrf.exe 2432 9nbttb.exe 1128 pvdvv.exe 3064 bnnhbb.exe 2616 xllllll.exe 4600 dpjjj.exe 1920 bthntt.exe 4668 jjvvd.exe 2352 nhhbht.exe 2876 bnnnhn.exe 1048 fxfxxff.exe 3456 jdjjj.exe 4948 tthhnn.exe 3196 vjpvv.exe 2668 nhbbbb.exe 2720 fffxxrx.exe 1848 hbbtnn.exe 2024 nntnnh.exe 3604 ppppp.exe 2780 xfxrrll.exe 4168 tntttb.exe 1276 9pppp.exe 1020 fxlffxx.exe 1004 hbnhhh.exe 3716 pvpjd.exe 5028 xfxfrxl.exe 4304 9tttnt.exe 3408 djjdd.exe 1320 fxffxxx.exe 456 5bbbtt.exe 4376 pvddd.exe 4388 ffrrlff.exe 5004 xrxrlll.exe 320 nnbbtn.exe 4276 7vddv.exe 384 fxfxxrx.exe 4824 htnhnn.exe 3828 nntnnh.exe 2124 jjpjd.exe 3252 rlxrxxf.exe 2964 1bhbbh.exe 1124 3pjdv.exe 1216 rfrrrrr.exe 4288 htnttt.exe 3656 jdppp.exe 3532 xxxxrrl.exe 3668 9hhhhn.exe -
resource yara_rule behavioral2/memory/3312-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1920-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2164-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-629-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the check is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, performed by many of the dropped executables.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
bnbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxfxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3312 wrote to memory of 4276 3312 826bb0be08cb06a9b44f7dc120d5738a3997e14e0a250f1c2274c076ecc3c225N.exe 82 PID 3312 wrote to memory of 4276 3312 826bb0be08cb06a9b44f7dc120d5738a3997e14e0a250f1c2274c076ecc3c225N.exe 82 PID 3312 wrote to memory of 4276 3312 826bb0be08cb06a9b44f7dc120d5738a3997e14e0a250f1c2274c076ecc3c225N.exe 82 PID 4276 wrote to memory of 1544 4276 fxllrxx.exe 83 PID 4276 wrote to memory of 1544 4276 fxllrxx.exe 83 PID 4276 wrote to memory of 1544 4276 fxllrxx.exe 83 PID 1544 wrote to memory of 3968 1544 3ntttn.exe 84 PID 1544 wrote to memory of 3968 1544 3ntttn.exe 84 PID 1544 wrote to memory of 3968 1544 3ntttn.exe 84 PID 3968 wrote to memory of 4172 3968 vvpvj.exe 85 PID 3968 wrote to memory of 4172 3968 vvpvj.exe 85 PID 3968 wrote to memory of 4172 3968 vvpvj.exe 85 PID 4172 wrote to memory of 4412 4172 xxfflrr.exe 86 PID 4172 wrote to memory of 4412 4172 xxfflrr.exe 86 PID 4172 wrote to memory of 4412 4172 xxfflrr.exe 86 PID 4412 wrote to memory of 1132 4412 lxlxlrl.exe 87 PID 4412 wrote to memory of 1132 4412 lxlxlrl.exe 87 PID 4412 wrote to memory of 1132 4412 lxlxlrl.exe 87 PID 1132 wrote to memory of 3932 1132 3vddd.exe 88 PID 1132 wrote to memory of 3932 1132 3vddd.exe 88 PID 1132 wrote to memory of 3932 1132 3vddd.exe 88 PID 3932 wrote to memory of 3896 3932 9rrxllf.exe 89 PID 3932 wrote to memory of 3896 3932 9rrxllf.exe 89 PID 3932 wrote to memory of 3896 3932 9rrxllf.exe 89 PID 3896 wrote to memory of 2936 3896 tthhnt.exe 90 PID 3896 wrote to memory of 2936 3896 tthhnt.exe 90 PID 3896 wrote to memory of 2936 3896 tthhnt.exe 90 PID 2936 wrote to memory of 2692 2936 tbbtnh.exe 91 PID 2936 wrote to memory of 2692 2936 tbbtnh.exe 91 PID 2936 wrote to memory of 2692 2936 tbbtnh.exe 91 PID 2692 wrote to memory of 3452 2692 jdpvv.exe 92 PID 2692 wrote to memory of 3452 2692 jdpvv.exe 92 PID 2692 wrote to memory of 3452 2692 jdpvv.exe 92 PID 3452 wrote to memory of 4176 3452 lfxfxxx.exe 93 PID 3452 
wrote to memory of 4176 3452 lfxfxxx.exe 93 PID 3452 wrote to memory of 4176 3452 lfxfxxx.exe 93 PID 4176 wrote to memory of 2332 4176 vdjdd.exe 94 PID 4176 wrote to memory of 2332 4176 vdjdd.exe 94 PID 4176 wrote to memory of 2332 4176 vdjdd.exe 94 PID 2332 wrote to memory of 5020 2332 rrllfll.exe 95 PID 2332 wrote to memory of 5020 2332 rrllfll.exe 95 PID 2332 wrote to memory of 5020 2332 rrllfll.exe 95 PID 5020 wrote to memory of 4436 5020 nthbbt.exe 96 PID 5020 wrote to memory of 4436 5020 nthbbt.exe 96 PID 5020 wrote to memory of 4436 5020 nthbbt.exe 96 PID 4436 wrote to memory of 3124 4436 9vpjj.exe 97 PID 4436 wrote to memory of 3124 4436 9vpjj.exe 97 PID 4436 wrote to memory of 3124 4436 9vpjj.exe 97 PID 3124 wrote to memory of 2488 3124 fllrxfl.exe 98 PID 3124 wrote to memory of 2488 3124 fllrxfl.exe 98 PID 3124 wrote to memory of 2488 3124 fllrxfl.exe 98 PID 2488 wrote to memory of 2800 2488 nhnnhh.exe 99 PID 2488 wrote to memory of 2800 2488 nhnnhh.exe 99 PID 2488 wrote to memory of 2800 2488 nhnnhh.exe 99 PID 2800 wrote to memory of 2432 2800 xflrrrf.exe 100 PID 2800 wrote to memory of 2432 2800 xflrrrf.exe 100 PID 2800 wrote to memory of 2432 2800 xflrrrf.exe 100 PID 2432 wrote to memory of 1128 2432 9nbttb.exe 101 PID 2432 wrote to memory of 1128 2432 9nbttb.exe 101 PID 2432 wrote to memory of 1128 2432 9nbttb.exe 101 PID 1128 wrote to memory of 3064 1128 pvdvv.exe 102 PID 1128 wrote to memory of 3064 1128 pvdvv.exe 102 PID 1128 wrote to memory of 3064 1128 pvdvv.exe 102 PID 3064 wrote to memory of 2616 3064 bnnhbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\826bb0be08cb06a9b44f7dc120d5738a3997e14e0a250f1c2274c076ecc3c225N.exe"C:\Users\Admin\AppData\Local\Temp\826bb0be08cb06a9b44f7dc120d5738a3997e14e0a250f1c2274c076ecc3c225N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\fxllrxx.exec:\fxllrxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\3ntttn.exec:\3ntttn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\vvpvj.exec:\vvpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\xxfflrr.exec:\xxfflrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\lxlxlrl.exec:\lxlxlrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\3vddd.exec:\3vddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\9rrxllf.exec:\9rrxllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\tthhnt.exec:\tthhnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\tbbtnh.exec:\tbbtnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\jdpvv.exec:\jdpvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\lfxfxxx.exec:\lfxfxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\vdjdd.exec:\vdjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\rrllfll.exec:\rrllfll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\nthbbt.exec:\nthbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\9vpjj.exec:\9vpjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\fllrxfl.exec:\fllrxfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\nhnnhh.exec:\nhnnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\xflrrrf.exec:\xflrrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\9nbttb.exec:\9nbttb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\pvdvv.exec:\pvdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\bnnhbb.exec:\bnnhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\xllllll.exec:\xllllll.exe23⤵
- Executes dropped EXE
PID:2616 -
\??\c:\dpjjj.exec:\dpjjj.exe24⤵
- Executes dropped EXE
PID:4600 -
\??\c:\bthntt.exec:\bthntt.exe25⤵
- Executes dropped EXE
PID:1920 -
\??\c:\jjvvd.exec:\jjvvd.exe26⤵
- Executes dropped EXE
PID:4668 -
\??\c:\nhhbht.exec:\nhhbht.exe27⤵
- Executes dropped EXE
PID:2352 -
\??\c:\bnnnhn.exec:\bnnnhn.exe28⤵
- Executes dropped EXE
PID:2876 -
\??\c:\fxfxxff.exec:\fxfxxff.exe29⤵
- Executes dropped EXE
PID:1048 -
\??\c:\jdjjj.exec:\jdjjj.exe30⤵
- Executes dropped EXE
PID:3456 -
\??\c:\tthhnn.exec:\tthhnn.exe31⤵
- Executes dropped EXE
PID:4948 -
\??\c:\vjpvv.exec:\vjpvv.exe32⤵
- Executes dropped EXE
PID:3196 -
\??\c:\nhbbbb.exec:\nhbbbb.exe33⤵
- Executes dropped EXE
PID:2668 -
\??\c:\fffxxrx.exec:\fffxxrx.exe34⤵
- Executes dropped EXE
PID:2720 -
\??\c:\hbbtnn.exec:\hbbtnn.exe35⤵
- Executes dropped EXE
PID:1848 -
\??\c:\nntnnh.exec:\nntnnh.exe36⤵
- Executes dropped EXE
PID:2024 -
\??\c:\ppppp.exec:\ppppp.exe37⤵
- Executes dropped EXE
PID:3604 -
\??\c:\xfxrrll.exec:\xfxrrll.exe38⤵
- Executes dropped EXE
PID:2780 -
\??\c:\tntttb.exec:\tntttb.exe39⤵
- Executes dropped EXE
PID:4168 -
\??\c:\9pppp.exec:\9pppp.exe40⤵
- Executes dropped EXE
PID:1276 -
\??\c:\fxlffxx.exec:\fxlffxx.exe41⤵
- Executes dropped EXE
PID:1020 -
\??\c:\hbnhhh.exec:\hbnhhh.exe42⤵
- Executes dropped EXE
PID:1004 -
\??\c:\pvpjd.exec:\pvpjd.exe43⤵
- Executes dropped EXE
PID:3716 -
\??\c:\xfxfrxl.exec:\xfxfrxl.exe44⤵
- Executes dropped EXE
PID:5028 -
\??\c:\9tttnt.exec:\9tttnt.exe45⤵
- Executes dropped EXE
PID:4304 -
\??\c:\djjdd.exec:\djjdd.exe46⤵
- Executes dropped EXE
PID:3408 -
\??\c:\fxffxxx.exec:\fxffxxx.exe47⤵
- Executes dropped EXE
PID:1320 -
\??\c:\5bbbtt.exec:\5bbbtt.exe48⤵
- Executes dropped EXE
PID:456 -
\??\c:\pvddd.exec:\pvddd.exe49⤵
- Executes dropped EXE
PID:4376 -
\??\c:\ffrrlff.exec:\ffrrlff.exe50⤵
- Executes dropped EXE
PID:4388 -
\??\c:\xrxrlll.exec:\xrxrlll.exe51⤵
- Executes dropped EXE
PID:5004 -
\??\c:\nnbbtn.exec:\nnbbtn.exe52⤵
- Executes dropped EXE
PID:320 -
\??\c:\7vddv.exec:\7vddv.exe53⤵
- Executes dropped EXE
PID:4276 -
\??\c:\fxfxxrx.exec:\fxfxxrx.exe54⤵
- Executes dropped EXE
PID:384 -
\??\c:\htnhnn.exec:\htnhnn.exe55⤵
- Executes dropped EXE
PID:4824 -
\??\c:\nntnnh.exec:\nntnnh.exe56⤵
- Executes dropped EXE
PID:3828 -
\??\c:\jjpjd.exec:\jjpjd.exe57⤵
- Executes dropped EXE
PID:2124 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe58⤵
- Executes dropped EXE
PID:3252 -
\??\c:\1bhbbh.exec:\1bhbbh.exe59⤵
- Executes dropped EXE
PID:2964 -
\??\c:\3pjdv.exec:\3pjdv.exe60⤵
- Executes dropped EXE
PID:1124 -
\??\c:\rfrrrrr.exec:\rfrrrrr.exe61⤵
- Executes dropped EXE
PID:1216 -
\??\c:\htnttt.exec:\htnttt.exe62⤵
- Executes dropped EXE
PID:4288 -
\??\c:\jdppp.exec:\jdppp.exe63⤵
- Executes dropped EXE
PID:3656 -
\??\c:\xxxxrrl.exec:\xxxxrrl.exe64⤵
- Executes dropped EXE
PID:3532 -
\??\c:\9hhhhn.exec:\9hhhhn.exe65⤵
- Executes dropped EXE
PID:3668 -
\??\c:\bbhhhn.exec:\bbhhhn.exe66⤵PID:228
-
\??\c:\7vjdd.exec:\7vjdd.exe67⤵PID:3428
-
\??\c:\lffxrff.exec:\lffxrff.exe68⤵PID:2712
-
\??\c:\bhbbtt.exec:\bhbbtt.exe69⤵PID:2328
-
\??\c:\1dppp.exec:\1dppp.exe70⤵PID:4176
-
\??\c:\lrrrllf.exec:\lrrrllf.exe71⤵PID:2332
-
\??\c:\tthhnt.exec:\tthhnt.exe72⤵PID:4616
-
\??\c:\pjpjd.exec:\pjpjd.exe73⤵PID:3672
-
\??\c:\frrrlff.exec:\frrrlff.exe74⤵PID:2628
-
\??\c:\tththb.exec:\tththb.exe75⤵PID:4704
-
\??\c:\hnbhhn.exec:\hnbhhn.exe76⤵PID:1452
-
\??\c:\ddppp.exec:\ddppp.exe77⤵PID:1100
-
\??\c:\lxrxfll.exec:\lxrxfll.exe78⤵
- System Location Discovery: System Language Discovery
PID:2412 -
\??\c:\bbtbnt.exec:\bbtbnt.exe79⤵PID:2756
-
\??\c:\9pdvv.exec:\9pdvv.exe80⤵PID:2164
-
\??\c:\frrllrl.exec:\frrllrl.exe81⤵PID:1528
-
\??\c:\nhnttt.exec:\nhnttt.exe82⤵PID:4128
-
\??\c:\dvvjd.exec:\dvvjd.exe83⤵PID:2804
-
\??\c:\5ffllrl.exec:\5ffllrl.exe84⤵PID:2996
-
\??\c:\ffflxxx.exec:\ffflxxx.exe85⤵PID:4600
-
\??\c:\3thhhn.exec:\3thhhn.exe86⤵PID:4892
-
\??\c:\pppdd.exec:\pppdd.exe87⤵PID:888
-
\??\c:\flxxxfl.exec:\flxxxfl.exe88⤵PID:4668
-
\??\c:\hhbbbb.exec:\hhbbbb.exe89⤵PID:4064
-
\??\c:\bbnnhh.exec:\bbnnhh.exe90⤵PID:4928
-
\??\c:\rfllrrf.exec:\rfllrrf.exe91⤵PID:4108
-
\??\c:\rxlffff.exec:\rxlffff.exe92⤵PID:4292
-
\??\c:\nhnnnn.exec:\nhnnnn.exe93⤵PID:2108
-
\??\c:\jjjdv.exec:\jjjdv.exe94⤵PID:1084
-
\??\c:\rxfffll.exec:\rxfffll.exe95⤵PID:4444
-
\??\c:\nnbhhh.exec:\nnbhhh.exe96⤵PID:1480
-
\??\c:\dpvpj.exec:\dpvpj.exe97⤵PID:4720
-
\??\c:\pdjpp.exec:\pdjpp.exe98⤵PID:4608
-
\??\c:\rrlfxxr.exec:\rrlfxxr.exe99⤵PID:3984
-
\??\c:\nnbtht.exec:\nnbtht.exe100⤵PID:2716
-
\??\c:\vjppv.exec:\vjppv.exe101⤵PID:3048
-
\??\c:\ddddv.exec:\ddddv.exe102⤵PID:3268
-
\??\c:\llxxlxx.exec:\llxxlxx.exe103⤵PID:4168
-
\??\c:\thttnn.exec:\thttnn.exe104⤵PID:1276
-
\??\c:\jjppp.exec:\jjppp.exe105⤵PID:1020
-
\??\c:\fffrlll.exec:\fffrlll.exe106⤵PID:2340
-
\??\c:\xffxfll.exec:\xffxfll.exe107⤵PID:1076
-
\??\c:\thhhhh.exec:\thhhhh.exe108⤵PID:3432
-
\??\c:\jvddv.exec:\jvddv.exe109⤵PID:3924
-
\??\c:\llrlrxx.exec:\llrlrxx.exe110⤵PID:3172
-
\??\c:\nthttt.exec:\nthttt.exe111⤵PID:1212
-
\??\c:\5jppv.exec:\5jppv.exe112⤵PID:4716
-
\??\c:\lfrrlll.exec:\lfrrlll.exe113⤵PID:1864
-
\??\c:\llxlxrf.exec:\llxlxrf.exe114⤵PID:3472
-
\??\c:\tnnntt.exec:\tnnntt.exe115⤵PID:4504
-
\??\c:\pjjjd.exec:\pjjjd.exe116⤵PID:4456
-
\??\c:\7xfflrx.exec:\7xfflrx.exe117⤵PID:1692
-
\??\c:\hbhtbt.exec:\hbhtbt.exe118⤵PID:1096
-
\??\c:\vjppj.exec:\vjppj.exe119⤵PID:5092
-
\??\c:\xlxxxxx.exec:\xlxxxxx.exe120⤵PID:3860
-
\??\c:\3ttbbh.exec:\3ttbbh.exe121⤵PID:4744
-
\??\c:\vvjjj.exec:\vvjjj.exe122⤵PID:4184