Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-12-2024 02:49
Behavioral task: behavioral1
Sample: 0ae88a47521e7decbbc43087e1eefddab210a90408de5bbb52775515b1bdd295N.exe
Resource: win7-20240903-en (windows7-x64), 7 signatures, 120 seconds
Note: this task card describes the Windows 7 run (behavioral1), whereas the platform/resource fields above and every IoC below are tagged behavioral2 (win10v2004-20241007-en, x64). Read the PIDs, file resource IDs and memory ranges in this report as belonging to the Windows 10 x64 run, not to the Windows 7 task shown here.
General
-
Target
0ae88a47521e7decbbc43087e1eefddab210a90408de5bbb52775515b1bdd295N.exe
-
Size
97KB
-
MD5
747cc1402be9b0578d1744a1b2b517a0
-
SHA1
f4d1acb86564a0543570088925bc8cfce2a1da5e
-
SHA256
0ae88a47521e7decbbc43087e1eefddab210a90408de5bbb52775515b1bdd295
-
SHA512
9545436bf288832f6187ae545c4bb9eab97e34308f077970d1c55bf06845c80302bd40434615c20a11b6ccb8583db6fd60cfb0f1558b8f2583efcf757c4f095c
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgF:8cm4FmowdHoSgWrXUgF
Malware Config — no extracted configuration (C2, keys, campaign IDs) is listed for this run; the classification below rests on the yara/memory signatures, not on a decoded config.
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (the IoC list appears capped at 64 entries; every hit is the same 0x00400000–0x00427000 (0x27000-byte) image mapped in a different PID, which is consistent with one unpacked payload being re-executed down the spawn chain rather than 64 distinct payloads — dump any one of these regions for static analysis rather than all of them)
resource yara_rule behavioral2/memory/2436-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2848-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/916-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3816-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/408-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/680-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3920-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1080-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1708-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2904-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1328-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3960-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1220-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/752-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/428-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4232-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3696-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2160-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2036-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1676-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2244-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1176-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/756-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/856-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2760-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-435-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1328-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-511-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-634-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-673-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-696-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-783-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-808-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2500-833-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (listing appears capped at 64; the process tree below continues past depth 120, and later entries — htttnn.exe at depth 56 and everything from depth 67 onward — carry no signature tag although they are the same kind of dropped file. Every dropped file in this run is written to the root of C:\ with a lowercase name of 4–7 letters drawn only from b/d/f/h/j/l/n/p/r/t/v/x, optionally prefixed by a single odd digit, e.g. jddjd.exe, 9xffflf.exe, 3vjjj.exe; a hunt such as `^c:\[13579]?[bdfhjlnprtvx]{4,7}\.exe$` on process-creation telemetry would catch this run, though the generator may differ in other variants)
pid Process 4816 jddjd.exe 3904 xlrlxll.exe 2848 jjpjp.exe 916 3vjjj.exe 3816 frllxff.exe 4804 pppjv.exe 408 9xffflf.exe 3472 1hhbtn.exe 2144 jdjvd.exe 4244 xflllrl.exe 680 btbtnh.exe 1636 pvppp.exe 4580 jjpjp.exe 116 fxrllll.exe 1860 thnhbn.exe 2512 nnttnt.exe 4028 vvvvp.exe 1520 fxxxrxx.exe 3920 hnttnn.exe 1936 3vvpd.exe 4536 xrlfxrl.exe 1080 xrllrxl.exe 1408 bnnbhh.exe 1708 1pddd.exe 2904 xfrlfxx.exe 1888 lrfrrrx.exe 1328 nhhbbb.exe 3960 tthbtt.exe 856 dpdpj.exe 1220 pjjdv.exe 1608 ntbbtt.exe 3108 nbtttt.exe 4912 7jjdd.exe 4640 dvjdv.exe 3028 9flxrlf.exe 3260 hbbthh.exe 752 nnhtnb.exe 1464 ppddj.exe 428 rfrflff.exe 4716 ddjdd.exe 4232 7lflffx.exe 4844 hhtthh.exe 2912 xxrxrrr.exe 3956 bbbtnn.exe 3056 pjddd.exe 3516 vjvvv.exe 5072 frllllf.exe 4896 7hhhbb.exe 2040 vpjpj.exe 3696 bhnhbb.exe 4532 5ttnhn.exe 224 vppjj.exe 1004 9lrlffx.exe 3100 xrlfxfx.exe 2672 dvpjv.exe 1684 xflfxxx.exe 336 5lxrrll.exe 1532 hnhhhb.exe 2556 1dddv.exe 2160 xxfxlll.exe 3240 fxffxfx.exe 3092 hnnhnt.exe 2444 fflfllr.exe 4732 fxxfxrr.exe -
resource yara_rule behavioral2/memory/2436-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b31-3.dat upx behavioral2/memory/2436-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b88-8.dat upx behavioral2/memory/4816-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-11.dat upx behavioral2/memory/3904-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-18.dat upx behavioral2/memory/2848-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/916-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-24.dat upx behavioral2/memory/916-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-29.dat upx behavioral2/memory/3816-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-34.dat upx behavioral2/memory/4804-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-39.dat upx behavioral2/memory/408-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-44.dat upx behavioral2/memory/3472-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-49.dat upx behavioral2/memory/2144-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-54.dat upx behavioral2/memory/4244-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-59.dat upx behavioral2/memory/680-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-65.dat upx behavioral2/memory/1636-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-70.dat upx behavioral2/files/0x000a000000023b98-73.dat upx 
behavioral2/memory/1860-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-79.dat upx behavioral2/memory/2512-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1860-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2512-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-85.dat upx behavioral2/memory/116-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-90.dat upx behavioral2/memory/4028-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9c-96.dat upx behavioral2/memory/3920-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-101.dat upx behavioral2/files/0x000a000000023b9e-104.dat upx behavioral2/memory/1936-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9f-109.dat upx behavioral2/files/0x000a000000023ba1-113.dat upx behavioral2/memory/1080-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba2-119.dat upx behavioral2/files/0x000b000000023b89-122.dat upx behavioral2/memory/1708-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2904-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba3-127.dat upx behavioral2/files/0x000a000000023ba4-132.dat upx behavioral2/memory/1328-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3960-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba5-137.dat upx behavioral2/files/0x000a000000023ba6-143.dat upx behavioral2/memory/1220-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba7-147.dat upx behavioral2/files/0x000a000000023ba8-152.dat upx behavioral2/memory/1608-154-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023ba9-157.dat upx behavioral2/memory/752-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/428-175-0x0000000000400000-0x0000000000427000-memory.dmp upx -
(The `upx` yara tag on the dropped .dat resources and on each mapped 0x00400000–0x00427000 image indicates UPX packing; the heading for this signature block appears to have been lost in extraction. The 97 KB on-disk sample expands to a 0x27000-byte (156 KB) image in memory, so the memory dumps, not the packed files, are the right input for disassembly and for the family yara rule.)
System Location Discovery: System Language Discovery 1 TTP (MITRE ATT&CK T1614.001) 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: every IoC here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that ordinary locale-aware code also queries, so on its own this is a low-signal indicator. The many "Process not Found" attributions mean the sandbox could not map the registry access back to a live process — most likely because the reader had already exited, which fits the short-lived one-child-then-exit chain shown in the process tree below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Reading note: each entry is a parent writing into the child it has just spawned — the PID pairs match the process tree below and procid_target increments by one per hop (83, 84, 85, …) — and every pair is recorded three times. That pattern is consistent with normal post-CreateProcess setup of a freshly created child rather than injection into an unrelated, already-running process; treat it as corroboration of the spawn chain, not as stand-alone evidence of code injection.
description pid Process procid_target PID 2436 wrote to memory of 4816 2436 0ae88a47521e7decbbc43087e1eefddab210a90408de5bbb52775515b1bdd295N.exe 83 PID 2436 wrote to memory of 4816 2436 0ae88a47521e7decbbc43087e1eefddab210a90408de5bbb52775515b1bdd295N.exe 83 PID 2436 wrote to memory of 4816 2436 0ae88a47521e7decbbc43087e1eefddab210a90408de5bbb52775515b1bdd295N.exe 83 PID 4816 wrote to memory of 3904 4816 jddjd.exe 84 PID 4816 wrote to memory of 3904 4816 jddjd.exe 84 PID 4816 wrote to memory of 3904 4816 jddjd.exe 84 PID 3904 wrote to memory of 2848 3904 xlrlxll.exe 85 PID 3904 wrote to memory of 2848 3904 xlrlxll.exe 85 PID 3904 wrote to memory of 2848 3904 xlrlxll.exe 85 PID 2848 wrote to memory of 916 2848 jjpjp.exe 86 PID 2848 wrote to memory of 916 2848 jjpjp.exe 86 PID 2848 wrote to memory of 916 2848 jjpjp.exe 86 PID 916 wrote to memory of 3816 916 3vjjj.exe 87 PID 916 wrote to memory of 3816 916 3vjjj.exe 87 PID 916 wrote to memory of 3816 916 3vjjj.exe 87 PID 3816 wrote to memory of 4804 3816 frllxff.exe 88 PID 3816 wrote to memory of 4804 3816 frllxff.exe 88 PID 3816 wrote to memory of 4804 3816 frllxff.exe 88 PID 4804 wrote to memory of 408 4804 pppjv.exe 89 PID 4804 wrote to memory of 408 4804 pppjv.exe 89 PID 4804 wrote to memory of 408 4804 pppjv.exe 89 PID 408 wrote to memory of 3472 408 9xffflf.exe 90 PID 408 wrote to memory of 3472 408 9xffflf.exe 90 PID 408 wrote to memory of 3472 408 9xffflf.exe 90 PID 3472 wrote to memory of 2144 3472 1hhbtn.exe 91 PID 3472 wrote to memory of 2144 3472 1hhbtn.exe 91 PID 3472 wrote to memory of 2144 3472 1hhbtn.exe 91 PID 2144 wrote to memory of 4244 2144 jdjvd.exe 92 PID 2144 wrote to memory of 4244 2144 jdjvd.exe 92 PID 2144 wrote to memory of 4244 2144 jdjvd.exe 92 PID 4244 wrote to memory of 680 4244 xflllrl.exe 93 PID 4244 wrote to memory of 680 4244 xflllrl.exe 93 PID 4244 wrote to memory of 680 4244 xflllrl.exe 93 PID 680 wrote to memory of 1636 680 btbtnh.exe 94 PID 680 wrote to memory of 1636 680 
btbtnh.exe 94 PID 680 wrote to memory of 1636 680 btbtnh.exe 94 PID 1636 wrote to memory of 4580 1636 pvppp.exe 95 PID 1636 wrote to memory of 4580 1636 pvppp.exe 95 PID 1636 wrote to memory of 4580 1636 pvppp.exe 95 PID 4580 wrote to memory of 116 4580 jjpjp.exe 96 PID 4580 wrote to memory of 116 4580 jjpjp.exe 96 PID 4580 wrote to memory of 116 4580 jjpjp.exe 96 PID 116 wrote to memory of 1860 116 fxrllll.exe 97 PID 116 wrote to memory of 1860 116 fxrllll.exe 97 PID 116 wrote to memory of 1860 116 fxrllll.exe 97 PID 1860 wrote to memory of 2512 1860 thnhbn.exe 98 PID 1860 wrote to memory of 2512 1860 thnhbn.exe 98 PID 1860 wrote to memory of 2512 1860 thnhbn.exe 98 PID 2512 wrote to memory of 4028 2512 nnttnt.exe 99 PID 2512 wrote to memory of 4028 2512 nnttnt.exe 99 PID 2512 wrote to memory of 4028 2512 nnttnt.exe 99 PID 4028 wrote to memory of 1520 4028 vvvvp.exe 100 PID 4028 wrote to memory of 1520 4028 vvvvp.exe 100 PID 4028 wrote to memory of 1520 4028 vvvvp.exe 100 PID 1520 wrote to memory of 3920 1520 fxxxrxx.exe 101 PID 1520 wrote to memory of 3920 1520 fxxxrxx.exe 101 PID 1520 wrote to memory of 3920 1520 fxxxrxx.exe 101 PID 3920 wrote to memory of 1936 3920 hnttnn.exe 102 PID 3920 wrote to memory of 1936 3920 hnttnn.exe 102 PID 3920 wrote to memory of 1936 3920 hnttnn.exe 102 PID 1936 wrote to memory of 4536 1936 3vvpd.exe 103 PID 1936 wrote to memory of 4536 1936 3vvpd.exe 103 PID 1936 wrote to memory of 4536 1936 3vvpd.exe 103 PID 4536 wrote to memory of 1080 4536 xrlfxrl.exe 104
Processes (a strictly linear chain more than 120 levels deep: each process spawns exactly one child. PIDs 4028, 1520, 1080, 856, 1608 and 752 first appear at depths 18–38 and are reused at depths 84–110, so the earlier instances had evidently terminated before the later ones started. For DFIR, this means parent–child reconstruction by PID alone is ambiguous for this sample; correlate on process start time or a process GUID in EDR telemetry.)
-
C:\Users\Admin\AppData\Local\Temp\0ae88a47521e7decbbc43087e1eefddab210a90408de5bbb52775515b1bdd295N.exe"C:\Users\Admin\AppData\Local\Temp\0ae88a47521e7decbbc43087e1eefddab210a90408de5bbb52775515b1bdd295N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\jddjd.exec:\jddjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\xlrlxll.exec:\xlrlxll.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\jjpjp.exec:\jjpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\3vjjj.exec:\3vjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\frllxff.exec:\frllxff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\pppjv.exec:\pppjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\9xffflf.exec:\9xffflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\1hhbtn.exec:\1hhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\jdjvd.exec:\jdjvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\xflllrl.exec:\xflllrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\btbtnh.exec:\btbtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\pvppp.exec:\pvppp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\jjpjp.exec:\jjpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\fxrllll.exec:\fxrllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\thnhbn.exec:\thnhbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\nnttnt.exec:\nnttnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\vvvvp.exec:\vvvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\fxxxrxx.exec:\fxxxrxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\hnttnn.exec:\hnttnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\3vvpd.exec:\3vvpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\xrllrxl.exec:\xrllrxl.exe23⤵
- Executes dropped EXE
PID:1080 -
\??\c:\bnnbhh.exec:\bnnbhh.exe24⤵
- Executes dropped EXE
PID:1408 -
\??\c:\1pddd.exec:\1pddd.exe25⤵
- Executes dropped EXE
PID:1708 -
\??\c:\xfrlfxx.exec:\xfrlfxx.exe26⤵
- Executes dropped EXE
PID:2904 -
\??\c:\lrfrrrx.exec:\lrfrrrx.exe27⤵
- Executes dropped EXE
PID:1888 -
\??\c:\nhhbbb.exec:\nhhbbb.exe28⤵
- Executes dropped EXE
PID:1328 -
\??\c:\tthbtt.exec:\tthbtt.exe29⤵
- Executes dropped EXE
PID:3960 -
\??\c:\dpdpj.exec:\dpdpj.exe30⤵
- Executes dropped EXE
PID:856 -
\??\c:\pjjdv.exec:\pjjdv.exe31⤵
- Executes dropped EXE
PID:1220 -
\??\c:\ntbbtt.exec:\ntbbtt.exe32⤵
- Executes dropped EXE
PID:1608 -
\??\c:\nbtttt.exec:\nbtttt.exe33⤵
- Executes dropped EXE
PID:3108 -
\??\c:\7jjdd.exec:\7jjdd.exe34⤵
- Executes dropped EXE
PID:4912 -
\??\c:\dvjdv.exec:\dvjdv.exe35⤵
- Executes dropped EXE
PID:4640 -
\??\c:\9flxrlf.exec:\9flxrlf.exe36⤵
- Executes dropped EXE
PID:3028 -
\??\c:\hbbthh.exec:\hbbthh.exe37⤵
- Executes dropped EXE
PID:3260 -
\??\c:\nnhtnb.exec:\nnhtnb.exe38⤵
- Executes dropped EXE
PID:752 -
\??\c:\ppddj.exec:\ppddj.exe39⤵
- Executes dropped EXE
PID:1464 -
\??\c:\rfrflff.exec:\rfrflff.exe40⤵
- Executes dropped EXE
PID:428 -
\??\c:\ddjdd.exec:\ddjdd.exe41⤵
- Executes dropped EXE
PID:4716 -
\??\c:\7lflffx.exec:\7lflffx.exe42⤵
- Executes dropped EXE
PID:4232 -
\??\c:\hhtthh.exec:\hhtthh.exe43⤵
- Executes dropped EXE
PID:4844 -
\??\c:\xxrxrrr.exec:\xxrxrrr.exe44⤵
- Executes dropped EXE
PID:2912 -
\??\c:\bbbtnn.exec:\bbbtnn.exe45⤵
- Executes dropped EXE
PID:3956 -
\??\c:\pjddd.exec:\pjddd.exe46⤵
- Executes dropped EXE
PID:3056 -
\??\c:\vjvvv.exec:\vjvvv.exe47⤵
- Executes dropped EXE
PID:3516 -
\??\c:\frllllf.exec:\frllllf.exe48⤵
- Executes dropped EXE
PID:5072 -
\??\c:\7hhhbb.exec:\7hhhbb.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4896 -
\??\c:\vpjpj.exec:\vpjpj.exe50⤵
- Executes dropped EXE
PID:2040 -
\??\c:\bhnhbb.exec:\bhnhbb.exe51⤵
- Executes dropped EXE
PID:3696 -
\??\c:\5ttnhn.exec:\5ttnhn.exe52⤵
- Executes dropped EXE
PID:4532 -
\??\c:\vppjj.exec:\vppjj.exe53⤵
- Executes dropped EXE
PID:224 -
\??\c:\9lrlffx.exec:\9lrlffx.exe54⤵
- Executes dropped EXE
PID:1004 -
\??\c:\xrlfxfx.exec:\xrlfxfx.exe55⤵
- Executes dropped EXE
PID:3100 -
\??\c:\htttnn.exec:\htttnn.exe56⤵PID:1008
-
\??\c:\dvpjv.exec:\dvpjv.exe57⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xflfxxx.exec:\xflfxxx.exe58⤵
- Executes dropped EXE
PID:1684 -
\??\c:\5lxrrll.exec:\5lxrrll.exe59⤵
- Executes dropped EXE
PID:336 -
\??\c:\hnhhhb.exec:\hnhhhb.exe60⤵
- Executes dropped EXE
PID:1532 -
\??\c:\1dddv.exec:\1dddv.exe61⤵
- Executes dropped EXE
PID:2556 -
\??\c:\xxfxlll.exec:\xxfxlll.exe62⤵
- Executes dropped EXE
PID:2160 -
\??\c:\fxffxfx.exec:\fxffxfx.exe63⤵
- Executes dropped EXE
PID:3240 -
\??\c:\hnnhnt.exec:\hnnhnt.exe64⤵
- Executes dropped EXE
PID:3092 -
\??\c:\fflfllr.exec:\fflfllr.exe65⤵
- Executes dropped EXE
PID:2444 -
\??\c:\fxxfxrr.exec:\fxxfxrr.exe66⤵
- Executes dropped EXE
PID:4732 -
\??\c:\9nbbhh.exec:\9nbbhh.exe67⤵PID:4556
-
\??\c:\9nbbnn.exec:\9nbbnn.exe68⤵PID:2676
-
\??\c:\7vvpj.exec:\7vvpj.exe69⤵PID:2016
-
\??\c:\3llfxrr.exec:\3llfxrr.exe70⤵PID:4612
-
\??\c:\xxlllll.exec:\xxlllll.exe71⤵PID:3476
-
\??\c:\bhttbb.exec:\bhttbb.exe72⤵PID:2036
-
\??\c:\jvddd.exec:\jvddd.exe73⤵PID:4420
-
\??\c:\vjjjv.exec:\vjjjv.exe74⤵PID:4888
-
\??\c:\3rfxfff.exec:\3rfxfff.exe75⤵PID:1676
-
\??\c:\rllfffx.exec:\rllfffx.exe76⤵PID:4092
-
\??\c:\5nbbbn.exec:\5nbbbn.exe77⤵PID:2244
-
\??\c:\thntnn.exec:\thntnn.exe78⤵PID:2700
-
\??\c:\thtnhb.exec:\thtnhb.exe79⤵PID:1456
-
\??\c:\pdvjd.exec:\pdvjd.exe80⤵PID:3392
-
\??\c:\xlrxrrl.exec:\xlrxrrl.exe81⤵PID:1176
-
\??\c:\frrrrrr.exec:\frrrrrr.exe82⤵PID:3600
-
\??\c:\5vvjd.exec:\5vvjd.exe83⤵PID:5028
-
\??\c:\3rffxxr.exec:\3rffxxr.exe84⤵PID:4028
-
\??\c:\lfrrllf.exec:\lfrrllf.exe85⤵PID:1520
-
\??\c:\3tbbbb.exec:\3tbbbb.exe86⤵PID:3900
-
\??\c:\hnbhbn.exec:\hnbhbn.exe87⤵PID:2272
-
\??\c:\dvjdd.exec:\dvjdd.exe88⤵PID:2516
-
\??\c:\7rxrfff.exec:\7rxrfff.exe89⤵PID:1560
-
\??\c:\bbbbbb.exec:\bbbbbb.exe90⤵PID:636
-
\??\c:\bbbbbb.exec:\bbbbbb.exe91⤵PID:1080
-
\??\c:\jjppv.exec:\jjppv.exe92⤵PID:432
-
\??\c:\dvvpj.exec:\dvvpj.exe93⤵PID:3124
-
\??\c:\lffrllf.exec:\lffrllf.exe94⤵PID:3824
-
\??\c:\xrxxrrr.exec:\xrxxrrr.exe95⤵PID:1516
-
\??\c:\7tbbhh.exec:\7tbbhh.exe96⤵PID:2360
-
\??\c:\ppppj.exec:\ppppj.exe97⤵PID:1584
-
\??\c:\vpjjd.exec:\vpjjd.exe98⤵PID:4760
-
\??\c:\rxlxrlf.exec:\rxlxrlf.exe99⤵PID:756
-
\??\c:\nttnhh.exec:\nttnhh.exe100⤵PID:3852
-
\??\c:\nnbtnh.exec:\nnbtnh.exe101⤵PID:856
-
\??\c:\pjppp.exec:\pjppp.exe102⤵PID:4600
-
\??\c:\lffxxfx.exec:\lffxxfx.exe103⤵PID:1608
-
\??\c:\xllrlll.exec:\xllrlll.exe104⤵PID:528
-
\??\c:\bbbbnh.exec:\bbbbnh.exe105⤵PID:4060
-
\??\c:\dpdvd.exec:\dpdvd.exe106⤵PID:4920
-
\??\c:\pdjjv.exec:\pdjjv.exe107⤵PID:4400
-
\??\c:\rxxxllf.exec:\rxxxllf.exe108⤵PID:2224
-
\??\c:\xlrlfff.exec:\xlrlfff.exe109⤵PID:2308
-
\??\c:\tbbbhb.exec:\tbbbhb.exe110⤵PID:752
-
\??\c:\bbbhhh.exec:\bbbhhh.exe111⤵PID:5076
-
\??\c:\5jdvv.exec:\5jdvv.exe112⤵PID:2760
-
\??\c:\7fllllr.exec:\7fllllr.exe113⤵PID:364
-
\??\c:\7lxxllf.exec:\7lxxllf.exe114⤵PID:2480
-
\??\c:\nhbtnn.exec:\nhbtnn.exe115⤵PID:3576
-
\??\c:\dpddd.exec:\dpddd.exe116⤵PID:3236
-
\??\c:\xrrlffl.exec:\xrrlffl.exe117⤵PID:1064
-
\??\c:\fxrxfll.exec:\fxrxfll.exe118⤵PID:1624
-
\??\c:\nbbbtt.exec:\nbbbtt.exe119⤵PID:2784
-
\??\c:\5bbhtt.exec:\5bbhtt.exe120⤵PID:3312
-
\??\c:\pjdjj.exec:\pjdjj.exe121⤵PID:2924
-
\??\c:\lfrrlfx.exec:\lfrrlfx.exe122⤵PID:100