Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-12-2024 05:49
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
f072f6654ae3690962b8c0a9729606ed92701d8a944f7d3c0d0f5f5e873afa23N.exe
Resource
win7-20240903-en
windows7-x64 (note: this task header describes the Windows 7 run, but every IoC below is tagged behavioral2 — presumably the Windows 10 2004 x64 run named in the Analysis header; the Windows 7 task's results are not shown on this page)
7 signatures
120 seconds
General
-
Target
f072f6654ae3690962b8c0a9729606ed92701d8a944f7d3c0d0f5f5e873afa23N.exe
-
Size
454KB
-
MD5
c6835b55b37f64d046e346494f92da10
-
SHA1
323fbb8ab5f998999bb9023848117425e7fa5e2c
-
SHA256
f072f6654ae3690962b8c0a9729606ed92701d8a944f7d3c0d0f5f5e873afa23
-
SHA512
4ff2f78eba394e872661638841867bd507303704abc5730a104c48070c8dd67aa56b8f5cbd080ed94841c019d68ece543ee51a53301bc6530c9dd0faeace281e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs — the `family_blackmoon` yara rule fires on the 0x00400000–0x0042A000 image region of the original sample (PID 2640) and of each dropped stage, i.e. every stage carries the same payload. PIDs are recycled during the run (for example 2904 appears with dump indices 12 and 431, 112 with 13 and 245), so a memory-dump name identifies a process only together with its second number (the dump index), not by PID alone. The same regions also match the unlabeled `upx` yara list further down, consistent with the stages being UPX-packed.
resource yara_rule behavioral2/memory/2640-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/404-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4252-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-1367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-1433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing appears capped at 64 entries; the process tree below shows the chain running past 120 stages). The same PID is used by more than one dropped stage over the run (e.g. 2904 for xxxrllf.exe and later htbtnh.exe; 112 for xffxrll.exe and later htbtnn.exe), so correlate by image name and spawn order rather than by PID.
pid Process 2904 xxxrllf.exe 112 xffxrll.exe 1752 hhnhbh.exe 1256 jjjdv.exe 3980 rrrllff.exe 1504 pdppj.exe 1468 xlxxxxf.exe 1344 bnhbtn.exe 4540 flrrllf.exe 2688 pppjj.exe 1332 5hbnhn.exe 4428 vvdvp.exe 4224 9lllfff.exe 3120 hhhnnn.exe 736 vjvpp.exe 1988 lffxxrr.exe 4252 httthh.exe 4676 bbbttn.exe 2740 xlllffx.exe 1156 nhnnnb.exe 2960 jdjdj.exe 3096 jjjjp.exe 2008 xxfxrrl.exe 404 rflflff.exe 1456 tttnhh.exe 3228 jdpjv.exe 4080 xxffxxr.exe 688 hbbttn.exe 2856 xxxrrlf.exe 2784 vjpjj.exe 2764 ddpvp.exe 1940 3rxrxxr.exe 2936 vpvpv.exe 1540 vvdvj.exe 2224 frrlfxx.exe 1044 nttnhh.exe 3712 bntnhh.exe 4620 vpjvj.exe 2172 5xrlxxr.exe 4808 3bhbtt.exe 1236 1jdvp.exe 536 fffxlff.exe 4624 bnnhbb.exe 4528 dpvpp.exe 4736 xfxxrrl.exe 2904 htbtnh.exe 112 htbtnn.exe 4932 vvjdv.exe 1752 dpjpd.exe 2132 7rlffrl.exe 4204 bhnhbt.exe 740 bthbhh.exe 1384 jdvpd.exe 2344 3llxllx.exe 4872 xllfxxr.exe 1468 nhnhbb.exe 3760 bbhbnn.exe 1996 rxllrrf.exe 3212 nbhbtt.exe 220 tnttnh.exe 4164 3ddvd.exe 4844 rllrfrr.exe 1108 lfxxrll.exe 2164 hhnhbb.exe -
resource yara_rule behavioral2/memory/2640-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3228-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4868-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-780-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Triage caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by plenty of benign software during locale initialization, so on its own this is a weak indicator; what is notable here is the repetition across every dropped stage. Entries attributed to "Process not Found" most likely belong to stages that had already exited before the sandbox resolved the PID to an image name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrflfx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — every listed entry is a parent stage writing into the child it has just spawned (three records per child, matching the process tree below); no write to a process outside the chain appears in the listed entries, so this reflects the drop-and-launch chain itself rather than injection into an unrelated process. The listing stops at 2960 → 3096 although the chain continues, consistent with the 64-entry cap.
description pid Process procid_target PID 2640 wrote to memory of 2904 2640 f072f6654ae3690962b8c0a9729606ed92701d8a944f7d3c0d0f5f5e873afa23N.exe 82 PID 2640 wrote to memory of 2904 2640 f072f6654ae3690962b8c0a9729606ed92701d8a944f7d3c0d0f5f5e873afa23N.exe 82 PID 2640 wrote to memory of 2904 2640 f072f6654ae3690962b8c0a9729606ed92701d8a944f7d3c0d0f5f5e873afa23N.exe 82 PID 2904 wrote to memory of 112 2904 xxxrllf.exe 83 PID 2904 wrote to memory of 112 2904 xxxrllf.exe 83 PID 2904 wrote to memory of 112 2904 xxxrllf.exe 83 PID 112 wrote to memory of 1752 112 xffxrll.exe 84 PID 112 wrote to memory of 1752 112 xffxrll.exe 84 PID 112 wrote to memory of 1752 112 xffxrll.exe 84 PID 1752 wrote to memory of 1256 1752 hhnhbh.exe 85 PID 1752 wrote to memory of 1256 1752 hhnhbh.exe 85 PID 1752 wrote to memory of 1256 1752 hhnhbh.exe 85 PID 1256 wrote to memory of 3980 1256 jjjdv.exe 86 PID 1256 wrote to memory of 3980 1256 jjjdv.exe 86 PID 1256 wrote to memory of 3980 1256 jjjdv.exe 86 PID 3980 wrote to memory of 1504 3980 rrrllff.exe 87 PID 3980 wrote to memory of 1504 3980 rrrllff.exe 87 PID 3980 wrote to memory of 1504 3980 rrrllff.exe 87 PID 1504 wrote to memory of 1468 1504 pdppj.exe 88 PID 1504 wrote to memory of 1468 1504 pdppj.exe 88 PID 1504 wrote to memory of 1468 1504 pdppj.exe 88 PID 1468 wrote to memory of 1344 1468 xlxxxxf.exe 89 PID 1468 wrote to memory of 1344 1468 xlxxxxf.exe 89 PID 1468 wrote to memory of 1344 1468 xlxxxxf.exe 89 PID 1344 wrote to memory of 4540 1344 bnhbtn.exe 90 PID 1344 wrote to memory of 4540 1344 bnhbtn.exe 90 PID 1344 wrote to memory of 4540 1344 bnhbtn.exe 90 PID 4540 wrote to memory of 2688 4540 flrrllf.exe 91 PID 4540 wrote to memory of 2688 4540 flrrllf.exe 91 PID 4540 wrote to memory of 2688 4540 flrrllf.exe 91 PID 2688 wrote to memory of 1332 2688 pppjj.exe 92 PID 2688 wrote to memory of 1332 2688 pppjj.exe 92 PID 2688 wrote to memory of 1332 2688 pppjj.exe 92 PID 1332 wrote to memory of 4428 1332 5hbnhn.exe 93 PID 1332 wrote to 
memory of 4428 1332 5hbnhn.exe 93 PID 1332 wrote to memory of 4428 1332 5hbnhn.exe 93 PID 4428 wrote to memory of 4224 4428 vvdvp.exe 94 PID 4428 wrote to memory of 4224 4428 vvdvp.exe 94 PID 4428 wrote to memory of 4224 4428 vvdvp.exe 94 PID 4224 wrote to memory of 3120 4224 9lllfff.exe 95 PID 4224 wrote to memory of 3120 4224 9lllfff.exe 95 PID 4224 wrote to memory of 3120 4224 9lllfff.exe 95 PID 3120 wrote to memory of 736 3120 hhhnnn.exe 96 PID 3120 wrote to memory of 736 3120 hhhnnn.exe 96 PID 3120 wrote to memory of 736 3120 hhhnnn.exe 96 PID 736 wrote to memory of 1988 736 vjvpp.exe 97 PID 736 wrote to memory of 1988 736 vjvpp.exe 97 PID 736 wrote to memory of 1988 736 vjvpp.exe 97 PID 1988 wrote to memory of 4252 1988 lffxxrr.exe 98 PID 1988 wrote to memory of 4252 1988 lffxxrr.exe 98 PID 1988 wrote to memory of 4252 1988 lffxxrr.exe 98 PID 4252 wrote to memory of 4676 4252 httthh.exe 99 PID 4252 wrote to memory of 4676 4252 httthh.exe 99 PID 4252 wrote to memory of 4676 4252 httthh.exe 99 PID 4676 wrote to memory of 2740 4676 bbbttn.exe 100 PID 4676 wrote to memory of 2740 4676 bbbttn.exe 100 PID 4676 wrote to memory of 2740 4676 bbbttn.exe 100 PID 2740 wrote to memory of 1156 2740 xlllffx.exe 101 PID 2740 wrote to memory of 1156 2740 xlllffx.exe 101 PID 2740 wrote to memory of 1156 2740 xlllffx.exe 101 PID 1156 wrote to memory of 2960 1156 nhnnnb.exe 102 PID 1156 wrote to memory of 2960 1156 nhnnnb.exe 102 PID 1156 wrote to memory of 2960 1156 nhnnnb.exe 102 PID 2960 wrote to memory of 3096 2960 jdjdj.exe 103
Processes — each stage is a dropped executable written to the root of C:\ under a short pseudo-random name (e.g. \??\c:\xxxrllf.exe) that spawns the next stage. The resulting 120+-deep parent→child chain, and executables being created directly in the C:\ root, are the most useful detection pivots in this report.
-
C:\Users\Admin\AppData\Local\Temp\f072f6654ae3690962b8c0a9729606ed92701d8a944f7d3c0d0f5f5e873afa23N.exe"C:\Users\Admin\AppData\Local\Temp\f072f6654ae3690962b8c0a9729606ed92701d8a944f7d3c0d0f5f5e873afa23N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\xxxrllf.exec:\xxxrllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\xffxrll.exec:\xffxrll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\hhnhbh.exec:\hhnhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\jjjdv.exec:\jjjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\rrrllff.exec:\rrrllff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\pdppj.exec:\pdppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\xlxxxxf.exec:\xlxxxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\bnhbtn.exec:\bnhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\flrrllf.exec:\flrrllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\pppjj.exec:\pppjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\5hbnhn.exec:\5hbnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\vvdvp.exec:\vvdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\9lllfff.exec:\9lllfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\hhhnnn.exec:\hhhnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\vjvpp.exec:\vjvpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\lffxxrr.exec:\lffxxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\httthh.exec:\httthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\bbbttn.exec:\bbbttn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\xlllffx.exec:\xlllffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\nhnnnb.exec:\nhnnnb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\jdjdj.exec:\jdjdj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\jjjjp.exec:\jjjjp.exe23⤵
- Executes dropped EXE
PID:3096 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe24⤵
- Executes dropped EXE
PID:2008 -
\??\c:\rflflff.exec:\rflflff.exe25⤵
- Executes dropped EXE
PID:404 -
\??\c:\tttnhh.exec:\tttnhh.exe26⤵
- Executes dropped EXE
PID:1456 -
\??\c:\jdpjv.exec:\jdpjv.exe27⤵
- Executes dropped EXE
PID:3228 -
\??\c:\xxffxxr.exec:\xxffxxr.exe28⤵
- Executes dropped EXE
PID:4080 -
\??\c:\hbbttn.exec:\hbbttn.exe29⤵
- Executes dropped EXE
PID:688 -
\??\c:\xxxrrlf.exec:\xxxrrlf.exe30⤵
- Executes dropped EXE
PID:2856 -
\??\c:\vjpjj.exec:\vjpjj.exe31⤵
- Executes dropped EXE
PID:2784 -
\??\c:\ddpvp.exec:\ddpvp.exe32⤵
- Executes dropped EXE
PID:2764 -
\??\c:\3rxrxxr.exec:\3rxrxxr.exe33⤵
- Executes dropped EXE
PID:1940 -
\??\c:\vpvpv.exec:\vpvpv.exe34⤵
- Executes dropped EXE
PID:2936 -
\??\c:\vvdvj.exec:\vvdvj.exe35⤵
- Executes dropped EXE
PID:1540 -
\??\c:\frrlfxx.exec:\frrlfxx.exe36⤵
- Executes dropped EXE
PID:2224 -
\??\c:\nttnhh.exec:\nttnhh.exe37⤵
- Executes dropped EXE
PID:1044 -
\??\c:\bntnhh.exec:\bntnhh.exe38⤵
- Executes dropped EXE
PID:3712 -
\??\c:\vpjvj.exec:\vpjvj.exe39⤵
- Executes dropped EXE
PID:4620 -
\??\c:\5xrlxxr.exec:\5xrlxxr.exe40⤵
- Executes dropped EXE
PID:2172 -
\??\c:\3bhbtt.exec:\3bhbtt.exe41⤵
- Executes dropped EXE
PID:4808 -
\??\c:\1jdvp.exec:\1jdvp.exe42⤵
- Executes dropped EXE
PID:1236 -
\??\c:\fffxlff.exec:\fffxlff.exe43⤵
- Executes dropped EXE
PID:536 -
\??\c:\bnnhbb.exec:\bnnhbb.exe44⤵
- Executes dropped EXE
PID:4624 -
\??\c:\dpvpp.exec:\dpvpp.exe45⤵
- Executes dropped EXE
PID:4528 -
\??\c:\xfxxrrl.exec:\xfxxrrl.exe46⤵
- Executes dropped EXE
PID:4736 -
\??\c:\htbtnh.exec:\htbtnh.exe47⤵
- Executes dropped EXE
PID:2904 -
\??\c:\htbtnn.exec:\htbtnn.exe48⤵
- Executes dropped EXE
PID:112 -
\??\c:\vvjdv.exec:\vvjdv.exe49⤵
- Executes dropped EXE
PID:4932 -
\??\c:\dpjpd.exec:\dpjpd.exe50⤵
- Executes dropped EXE
PID:1752 -
\??\c:\7rlffrl.exec:\7rlffrl.exe51⤵
- Executes dropped EXE
PID:2132 -
\??\c:\bhnhbt.exec:\bhnhbt.exe52⤵
- Executes dropped EXE
PID:4204 -
\??\c:\bthbhh.exec:\bthbhh.exe53⤵
- Executes dropped EXE
PID:740 -
\??\c:\jdvpd.exec:\jdvpd.exe54⤵
- Executes dropped EXE
PID:1384 -
\??\c:\3llxllx.exec:\3llxllx.exe55⤵
- Executes dropped EXE
PID:2344 -
\??\c:\xllfxxr.exec:\xllfxxr.exe56⤵
- Executes dropped EXE
PID:4872 -
\??\c:\nhnhbb.exec:\nhnhbb.exe57⤵
- Executes dropped EXE
PID:1468 -
\??\c:\bbhbnn.exec:\bbhbnn.exe58⤵
- Executes dropped EXE
PID:3760 -
\??\c:\rxllrrf.exec:\rxllrrf.exe59⤵
- Executes dropped EXE
PID:1996 -
\??\c:\nbhbtt.exec:\nbhbtt.exe60⤵
- Executes dropped EXE
PID:3212 -
\??\c:\tnttnh.exec:\tnttnh.exe61⤵
- Executes dropped EXE
PID:220 -
\??\c:\3ddvd.exec:\3ddvd.exe62⤵
- Executes dropped EXE
PID:4164 -
\??\c:\rllrfrr.exec:\rllrfrr.exe63⤵
- Executes dropped EXE
PID:4844 -
\??\c:\lfxxrll.exec:\lfxxrll.exe64⤵
- Executes dropped EXE
PID:1108 -
\??\c:\hhnhbb.exec:\hhnhbb.exe65⤵
- Executes dropped EXE
PID:2164 -
\??\c:\ttbthb.exec:\ttbthb.exe66⤵PID:1232
-
\??\c:\jdddv.exec:\jdddv.exe67⤵PID:2084
-
\??\c:\lrrrffx.exec:\lrrrffx.exe68⤵PID:1616
-
\??\c:\bnnhhb.exec:\bnnhhb.exe69⤵PID:4028
-
\??\c:\3dvvv.exec:\3dvvv.exe70⤵PID:4252
-
\??\c:\vdvpd.exec:\vdvpd.exe71⤵PID:3264
-
\??\c:\fffxrrl.exec:\fffxrrl.exe72⤵PID:3088
-
\??\c:\1bnhbh.exec:\1bnhbh.exe73⤵PID:1972
-
\??\c:\jvjdv.exec:\jvjdv.exe74⤵PID:4260
-
\??\c:\rfffxxr.exec:\rfffxxr.exe75⤵PID:2960
-
\??\c:\lxfllll.exec:\lxfllll.exe76⤵PID:5024
-
\??\c:\bbhbtt.exec:\bbhbtt.exe77⤵PID:2240
-
\??\c:\7dvpj.exec:\7dvpj.exe78⤵PID:4868
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe79⤵PID:4116
-
\??\c:\hntnhb.exec:\hntnhb.exe80⤵PID:2932
-
\??\c:\tttnhh.exec:\tttnhh.exe81⤵PID:1348
-
\??\c:\dpppj.exec:\dpppj.exe82⤵PID:4816
-
\??\c:\lxlxfrf.exec:\lxlxfrf.exe83⤵PID:4636
-
\??\c:\xllfxxr.exec:\xllfxxr.exe84⤵PID:4716
-
\??\c:\bttnhh.exec:\bttnhh.exe85⤵PID:468
-
\??\c:\djpvv.exec:\djpvv.exe86⤵PID:5064
-
\??\c:\lllxllf.exec:\lllxllf.exe87⤵PID:3480
-
\??\c:\bbbhtt.exec:\bbbhtt.exe88⤵PID:2440
-
\??\c:\vvpjd.exec:\vvpjd.exe89⤵PID:2764
-
\??\c:\3vdpp.exec:\3vdpp.exe90⤵PID:680
-
\??\c:\flrlfff.exec:\flrlfff.exe91⤵PID:4088
-
\??\c:\9ttntt.exec:\9ttntt.exe92⤵PID:3384
-
\??\c:\pjpjj.exec:\pjpjj.exe93⤵PID:1452
-
\??\c:\9lfxllf.exec:\9lfxllf.exe94⤵PID:3716
-
\??\c:\xflrlfx.exec:\xflrlfx.exe95⤵PID:1044
-
\??\c:\nttnhb.exec:\nttnhb.exe96⤵PID:2012
-
\??\c:\vjpjv.exec:\vjpjv.exe97⤵PID:2728
-
\??\c:\fxrlxxx.exec:\fxrlxxx.exe98⤵PID:2140
-
\??\c:\1tbtnh.exec:\1tbtnh.exe99⤵PID:1528
-
\??\c:\bhhbtn.exec:\bhhbtn.exe100⤵PID:4640
-
\??\c:\3ddvj.exec:\3ddvj.exe101⤵PID:3164
-
\??\c:\lxxrfxx.exec:\lxxrfxx.exe102⤵PID:4876
-
\??\c:\bnhbtt.exec:\bnhbtt.exe103⤵PID:2996
-
\??\c:\5pdvp.exec:\5pdvp.exe104⤵PID:1276
-
\??\c:\vvvjd.exec:\vvvjd.exe105⤵PID:4060
-
\??\c:\lxfxllr.exec:\lxfxllr.exe106⤵PID:2904
-
\??\c:\3btnbb.exec:\3btnbb.exe107⤵PID:112
-
\??\c:\tttnhb.exec:\tttnhb.exe108⤵PID:2368
-
\??\c:\7jpjp.exec:\7jpjp.exe109⤵PID:1536
-
\??\c:\rllfxrr.exec:\rllfxrr.exe110⤵PID:552
-
\??\c:\fxrllff.exec:\fxrllff.exe111⤵PID:3520
-
\??\c:\hnttnt.exec:\hnttnt.exe112⤵PID:3540
-
\??\c:\djpdp.exec:\djpdp.exe113⤵PID:1952
-
\??\c:\7dvpd.exec:\7dvpd.exe114⤵PID:4748
-
\??\c:\lfrrrxx.exec:\lfrrrxx.exe115⤵PID:4368
-
\??\c:\bntnhb.exec:\bntnhb.exe116⤵PID:384
-
\??\c:\tbhbnh.exec:\tbhbnh.exe117⤵PID:1676
-
\??\c:\1jvpd.exec:\1jvpd.exe118⤵PID:3668
-
\??\c:\3xxrllf.exec:\3xxrllf.exe119⤵PID:892
-
\??\c:\thnhbt.exec:\thnhbt.exe120⤵PID:3212
-
\??\c:\vvvdj.exec:\vvvdj.exe121⤵PID:440
-
\??\c:\rrllfff.exec:\rrllfff.exe122⤵PID:2644