Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 22:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
56eddd9a026683d3b3bca08f8d8190284182fbd169938726263824e21359b0c7.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
56eddd9a026683d3b3bca08f8d8190284182fbd169938726263824e21359b0c7.exe
-
Size
453KB
-
MD5
c5635b363b4ae0ae521742f05336de72
-
SHA1
e730427e712324952ca17a53fea9a5ff176b43b3
-
SHA256
56eddd9a026683d3b3bca08f8d8190284182fbd169938726263824e21359b0c7
-
SHA512
08f0671c25e0bddbe4b69e2532975ecdc30b599862c25694bff2504b9e7644a15e26b8f107fff79e5e18fd3731286ce9e6bc2e05773cebbfbf3db1b39f16245c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1788-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4228-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2100-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-1211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-1366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-1601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1984 xrlllrl.exe 4928 5hnhbb.exe 4240 pdjdp.exe 3960 3lxrrlf.exe 3080 9xxrlll.exe 216 tnbbhh.exe 3812 vpddj.exe 2652 9rxrrxx.exe 3640 xxlfxxr.exe 2608 ttntbb.exe 2656 9vdvd.exe 3356 9xxrllf.exe 1844 bthbtt.exe 2540 vjvpj.exe 2020 vpvjj.exe 1400 bnbtnn.exe 2316 dvddj.exe 2124 bnbttt.exe 4700 fxxxrrr.exe 3528 pvppj.exe 4320 tnhbbt.exe 4252 jpppj.exe 444 rllxrrl.exe 1800 xlrllff.exe 4228 ntbhhh.exe 716 rllfxxr.exe 3060 fxxxrxr.exe 2080 9jpjj.exe 2860 frlfrrr.exe 4612 fxxrllx.exe 2140 jddjd.exe 2240 tthhtt.exe 3348 rlfxrrl.exe 1276 9lxffrx.exe 532 tntnnh.exe 1680 rfllffx.exe 3012 jjjjj.exe 1508 lxlflll.exe 3968 nhnnnn.exe 1600 nnbbnh.exe 1676 pjjdj.exe 4808 ffxrlfx.exe 3116 rllfxrl.exe 4956 thnhbb.exe 4012 dpvvp.exe 4552 rflxrrl.exe 2332 bntbtn.exe 636 tbhhbb.exe 208 9vjdj.exe 2136 fxfllfx.exe 1292 xfxxrlf.exe 2324 nhbttt.exe 5076 7bbhbb.exe 4496 vvppp.exe 668 rllfxxf.exe 3212 nnttnn.exe 3960 jvdjj.exe 1724 xrxlxlf.exe 3812 hhhhbb.exe 3388 nthbtt.exe 3440 vppjd.exe 3912 lllflll.exe 3136 9xfxxxr.exe 512 hbbhhh.exe -
resource yara_rule behavioral2/memory/1788-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3060-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-363-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2680-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-1165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-1211-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ttbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1788 wrote to memory of 1984 1788 56eddd9a026683d3b3bca08f8d8190284182fbd169938726263824e21359b0c7.exe 82 PID 1788 wrote to memory of 1984 1788 56eddd9a026683d3b3bca08f8d8190284182fbd169938726263824e21359b0c7.exe 82 PID 1788 wrote to memory of 1984 1788 56eddd9a026683d3b3bca08f8d8190284182fbd169938726263824e21359b0c7.exe 82 PID 1984 wrote to memory of 4928 1984 xrlllrl.exe 83 PID 1984 wrote to memory of 4928 1984 xrlllrl.exe 83 PID 1984 wrote to memory of 4928 1984 xrlllrl.exe 83 PID 4928 wrote to memory of 4240 4928 5hnhbb.exe 84 PID 4928 wrote to memory of 4240 4928 5hnhbb.exe 84 PID 4928 wrote to memory of 4240 4928 5hnhbb.exe 84 PID 4240 wrote to memory of 3960 4240 pdjdp.exe 85 PID 4240 wrote to memory of 3960 4240 pdjdp.exe 85 PID 4240 wrote to memory of 3960 4240 pdjdp.exe 85 PID 3960 wrote to memory of 3080 3960 3lxrrlf.exe 86 PID 3960 wrote to memory of 3080 3960 3lxrrlf.exe 86 PID 3960 wrote to memory of 3080 3960 3lxrrlf.exe 86 PID 3080 wrote to memory of 216 3080 9xxrlll.exe 87 PID 3080 wrote to memory of 216 3080 9xxrlll.exe 87 PID 3080 wrote to memory of 216 3080 9xxrlll.exe 87 PID 216 wrote to memory of 3812 216 tnbbhh.exe 88 PID 216 wrote to memory of 3812 216 tnbbhh.exe 88 PID 216 wrote to memory of 3812 216 tnbbhh.exe 88 PID 3812 wrote to memory of 2652 3812 vpddj.exe 89 PID 3812 wrote to memory of 2652 3812 vpddj.exe 89 PID 3812 wrote to memory of 2652 3812 vpddj.exe 89 PID 2652 wrote to memory of 3640 2652 9rxrrxx.exe 90 PID 2652 wrote to memory of 3640 2652 9rxrrxx.exe 90 PID 2652 wrote to memory of 3640 2652 9rxrrxx.exe 90 PID 3640 wrote to memory of 2608 3640 xxlfxxr.exe 91 PID 3640 wrote to memory of 2608 3640 xxlfxxr.exe 91 PID 3640 wrote to memory of 2608 3640 xxlfxxr.exe 91 PID 2608 wrote to memory of 2656 2608 ttntbb.exe 92 PID 2608 wrote to memory of 2656 2608 ttntbb.exe 92 PID 2608 wrote to memory of 2656 2608 ttntbb.exe 92 PID 2656 wrote to memory of 3356 2656 9vdvd.exe 93 PID 2656 wrote to 
memory of 3356 2656 9vdvd.exe 93 PID 2656 wrote to memory of 3356 2656 9vdvd.exe 93 PID 3356 wrote to memory of 1844 3356 9xxrllf.exe 94 PID 3356 wrote to memory of 1844 3356 9xxrllf.exe 94 PID 3356 wrote to memory of 1844 3356 9xxrllf.exe 94 PID 1844 wrote to memory of 2540 1844 bthbtt.exe 95 PID 1844 wrote to memory of 2540 1844 bthbtt.exe 95 PID 1844 wrote to memory of 2540 1844 bthbtt.exe 95 PID 2540 wrote to memory of 2020 2540 vjvpj.exe 96 PID 2540 wrote to memory of 2020 2540 vjvpj.exe 96 PID 2540 wrote to memory of 2020 2540 vjvpj.exe 96 PID 2020 wrote to memory of 1400 2020 vpvjj.exe 97 PID 2020 wrote to memory of 1400 2020 vpvjj.exe 97 PID 2020 wrote to memory of 1400 2020 vpvjj.exe 97 PID 1400 wrote to memory of 2316 1400 bnbtnn.exe 98 PID 1400 wrote to memory of 2316 1400 bnbtnn.exe 98 PID 1400 wrote to memory of 2316 1400 bnbtnn.exe 98 PID 2316 wrote to memory of 2124 2316 dvddj.exe 99 PID 2316 wrote to memory of 2124 2316 dvddj.exe 99 PID 2316 wrote to memory of 2124 2316 dvddj.exe 99 PID 2124 wrote to memory of 4700 2124 bnbttt.exe 100 PID 2124 wrote to memory of 4700 2124 bnbttt.exe 100 PID 2124 wrote to memory of 4700 2124 bnbttt.exe 100 PID 4700 wrote to memory of 3528 4700 fxxxrrr.exe 101 PID 4700 wrote to memory of 3528 4700 fxxxrrr.exe 101 PID 4700 wrote to memory of 3528 4700 fxxxrrr.exe 101 PID 3528 wrote to memory of 4320 3528 pvppj.exe 102 PID 3528 wrote to memory of 4320 3528 pvppj.exe 102 PID 3528 wrote to memory of 4320 3528 pvppj.exe 102 PID 4320 wrote to memory of 4252 4320 tnhbbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\56eddd9a026683d3b3bca08f8d8190284182fbd169938726263824e21359b0c7.exe"C:\Users\Admin\AppData\Local\Temp\56eddd9a026683d3b3bca08f8d8190284182fbd169938726263824e21359b0c7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\xrlllrl.exec:\xrlllrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\5hnhbb.exec:\5hnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\pdjdp.exec:\pdjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\3lxrrlf.exec:\3lxrrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\9xxrlll.exec:\9xxrlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\tnbbhh.exec:\tnbbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\vpddj.exec:\vpddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\9rxrrxx.exec:\9rxrrxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\xxlfxxr.exec:\xxlfxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\ttntbb.exec:\ttntbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\9vdvd.exec:\9vdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\9xxrllf.exec:\9xxrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\bthbtt.exec:\bthbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\vjvpj.exec:\vjvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\vpvjj.exec:\vpvjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\bnbtnn.exec:\bnbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\dvddj.exec:\dvddj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\bnbttt.exec:\bnbttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\pvppj.exec:\pvppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\tnhbbt.exec:\tnhbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\jpppj.exec:\jpppj.exe23⤵
- Executes dropped EXE
PID:4252 -
\??\c:\rllxrrl.exec:\rllxrrl.exe24⤵
- Executes dropped EXE
PID:444 -
\??\c:\xlrllff.exec:\xlrllff.exe25⤵
- Executes dropped EXE
PID:1800 -
\??\c:\ntbhhh.exec:\ntbhhh.exe26⤵
- Executes dropped EXE
PID:4228 -
\??\c:\rllfxxr.exec:\rllfxxr.exe27⤵
- Executes dropped EXE
PID:716 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe28⤵
- Executes dropped EXE
PID:3060 -
\??\c:\9jpjj.exec:\9jpjj.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2080 -
\??\c:\frlfrrr.exec:\frlfrrr.exe30⤵
- Executes dropped EXE
PID:2860 -
\??\c:\fxxrllx.exec:\fxxrllx.exe31⤵
- Executes dropped EXE
PID:4612 -
\??\c:\jddjd.exec:\jddjd.exe32⤵
- Executes dropped EXE
PID:2140 -
\??\c:\tthhtt.exec:\tthhtt.exe33⤵
- Executes dropped EXE
PID:2240 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe34⤵
- Executes dropped EXE
PID:3348 -
\??\c:\9lxffrx.exec:\9lxffrx.exe35⤵
- Executes dropped EXE
PID:1276 -
\??\c:\tntnnh.exec:\tntnnh.exe36⤵
- Executes dropped EXE
PID:532 -
\??\c:\rfllffx.exec:\rfllffx.exe37⤵
- Executes dropped EXE
PID:1680 -
\??\c:\jjjjj.exec:\jjjjj.exe38⤵
- Executes dropped EXE
PID:3012 -
\??\c:\lxlflll.exec:\lxlflll.exe39⤵
- Executes dropped EXE
PID:1508 -
\??\c:\nhnnnn.exec:\nhnnnn.exe40⤵
- Executes dropped EXE
PID:3968 -
\??\c:\nnbbnh.exec:\nnbbnh.exe41⤵
- Executes dropped EXE
PID:1600 -
\??\c:\pjjdj.exec:\pjjdj.exe42⤵
- Executes dropped EXE
PID:1676 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe43⤵
- Executes dropped EXE
PID:4808 -
\??\c:\rllfxrl.exec:\rllfxrl.exe44⤵
- Executes dropped EXE
PID:3116 -
\??\c:\thnhbb.exec:\thnhbb.exe45⤵
- Executes dropped EXE
PID:4956 -
\??\c:\dpvvp.exec:\dpvvp.exe46⤵
- Executes dropped EXE
PID:4012 -
\??\c:\rflxrrl.exec:\rflxrrl.exe47⤵
- Executes dropped EXE
PID:4552 -
\??\c:\bntbtn.exec:\bntbtn.exe48⤵
- Executes dropped EXE
PID:2332 -
\??\c:\tbhhbb.exec:\tbhhbb.exe49⤵
- Executes dropped EXE
PID:636 -
\??\c:\9vjdj.exec:\9vjdj.exe50⤵
- Executes dropped EXE
PID:208 -
\??\c:\fxfllfx.exec:\fxfllfx.exe51⤵
- Executes dropped EXE
PID:2136 -
\??\c:\xfxxrlf.exec:\xfxxrlf.exe52⤵
- Executes dropped EXE
PID:1292 -
\??\c:\nhbttt.exec:\nhbttt.exe53⤵
- Executes dropped EXE
PID:2324 -
\??\c:\7bbhbb.exec:\7bbhbb.exe54⤵
- Executes dropped EXE
PID:5076 -
\??\c:\vvppp.exec:\vvppp.exe55⤵
- Executes dropped EXE
PID:4496 -
\??\c:\rllfxxf.exec:\rllfxxf.exe56⤵
- Executes dropped EXE
PID:668 -
\??\c:\nnttnn.exec:\nnttnn.exe57⤵
- Executes dropped EXE
PID:3212 -
\??\c:\jvdjj.exec:\jvdjj.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3960 -
\??\c:\xrxlxlf.exec:\xrxlxlf.exe59⤵
- Executes dropped EXE
PID:1724 -
\??\c:\hhhhbb.exec:\hhhhbb.exe60⤵
- Executes dropped EXE
PID:3812 -
\??\c:\nthbtt.exec:\nthbtt.exe61⤵
- Executes dropped EXE
PID:3388 -
\??\c:\vppjd.exec:\vppjd.exe62⤵
- Executes dropped EXE
PID:3440 -
\??\c:\lllflll.exec:\lllflll.exe63⤵
- Executes dropped EXE
PID:3912 -
\??\c:\9xfxxxr.exec:\9xfxxxr.exe64⤵
- Executes dropped EXE
PID:3136 -
\??\c:\hbbhhh.exec:\hbbhhh.exe65⤵
- Executes dropped EXE
PID:512 -
\??\c:\5pjjv.exec:\5pjjv.exe66⤵PID:3416
-
\??\c:\llxrlfx.exec:\llxrlfx.exe67⤵PID:3132
-
\??\c:\hhnhhh.exec:\hhnhhh.exe68⤵PID:4608
-
\??\c:\tthttn.exec:\tthttn.exe69⤵PID:2088
-
\??\c:\jjpjd.exec:\jjpjd.exe70⤵PID:1084
-
\??\c:\lxfxxxr.exec:\lxfxxxr.exe71⤵PID:1844
-
\??\c:\htbbtt.exec:\htbbtt.exe72⤵PID:2540
-
\??\c:\jvjjv.exec:\jvjjv.exe73⤵PID:1916
-
\??\c:\jddvp.exec:\jddvp.exe74⤵PID:2020
-
\??\c:\fxlllll.exec:\fxlllll.exe75⤵PID:4716
-
\??\c:\tbnbth.exec:\tbnbth.exe76⤵PID:552
-
\??\c:\jdvpj.exec:\jdvpj.exe77⤵PID:2100
-
\??\c:\9jjvd.exec:\9jjvd.exe78⤵PID:4080
-
\??\c:\lfffxrl.exec:\lfffxrl.exe79⤵PID:392
-
\??\c:\hhhhhh.exec:\hhhhhh.exe80⤵PID:1924
-
\??\c:\jvjvp.exec:\jvjvp.exe81⤵PID:3336
-
\??\c:\rlrrlfx.exec:\rlrrlfx.exe82⤵PID:3528
-
\??\c:\bhtnhh.exec:\bhtnhh.exe83⤵PID:1148
-
\??\c:\bbnhhh.exec:\bbnhhh.exe84⤵PID:3088
-
\??\c:\jvdvp.exec:\jvdvp.exe85⤵PID:4068
-
\??\c:\lfrrrxr.exec:\lfrrrxr.exe86⤵PID:4228
-
\??\c:\rflffxx.exec:\rflffxx.exe87⤵PID:2680
-
\??\c:\tthbtt.exec:\tthbtt.exe88⤵PID:4428
-
\??\c:\5djdp.exec:\5djdp.exe89⤵PID:2400
-
\??\c:\frrrrrr.exec:\frrrrrr.exe90⤵PID:2768
-
\??\c:\btttnn.exec:\btttnn.exe91⤵PID:4904
-
\??\c:\vvjjp.exec:\vvjjp.exe92⤵PID:2688
-
\??\c:\xlrxfff.exec:\xlrxfff.exe93⤵PID:1188
-
\??\c:\7hhbbb.exec:\7hhbbb.exe94⤵PID:4160
-
\??\c:\thnnhb.exec:\thnnhb.exe95⤵PID:1752
-
\??\c:\dvjjp.exec:\dvjjp.exe96⤵PID:3672
-
\??\c:\9xlffrx.exec:\9xlffrx.exe97⤵PID:3468
-
\??\c:\3lxxrrl.exec:\3lxxrrl.exe98⤵PID:3036
-
\??\c:\hnnhnb.exec:\hnnhnb.exe99⤵PID:1276
-
\??\c:\1dddd.exec:\1dddd.exe100⤵PID:2144
-
\??\c:\9rxrxff.exec:\9rxrxff.exe101⤵PID:2940
-
\??\c:\xxffrxf.exec:\xxffrxf.exe102⤵PID:960
-
\??\c:\nntnnn.exec:\nntnnn.exe103⤵PID:1508
-
\??\c:\3vvvp.exec:\3vvvp.exe104⤵PID:3968
-
\??\c:\5xxllrf.exec:\5xxllrf.exe105⤵PID:1600
-
\??\c:\3nnttt.exec:\3nnttt.exe106⤵
- System Location Discovery: System Language Discovery
PID:1676 -
\??\c:\7bhttt.exec:\7bhttt.exe107⤵PID:3260
-
\??\c:\1jjpp.exec:\1jjpp.exe108⤵PID:4092
-
\??\c:\rrxffrr.exec:\rrxffrr.exe109⤵PID:1904
-
\??\c:\xxfxfff.exec:\xxfxfff.exe110⤵PID:5060
-
\??\c:\nnnnnh.exec:\nnnnnh.exe111⤵PID:4552
-
\??\c:\vddpj.exec:\vddpj.exe112⤵PID:2332
-
\??\c:\5xrrlrl.exec:\5xrrlrl.exe113⤵PID:636
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe114⤵PID:208
-
\??\c:\tntnhh.exec:\tntnhh.exe115⤵PID:4300
-
\??\c:\9jjjd.exec:\9jjjd.exe116⤵PID:1292
-
\??\c:\lxlfffx.exec:\lxlfffx.exe117⤵PID:3404
-
\??\c:\xxllxrl.exec:\xxllxrl.exe118⤵PID:3204
-
\??\c:\htbbtt.exec:\htbbtt.exe119⤵PID:2228
-
\??\c:\ppvvp.exec:\ppvvp.exe120⤵PID:3700
-
\??\c:\9flfxrx.exec:\9flfxrx.exe121⤵PID:3852
-
\??\c:\3hbthh.exec:\3hbthh.exe122⤵PID:3080