Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 01:48
Behavioral task
behavioral1
Sample
de9056406ea61d63475af2721e749fb6580a0aacb903d0af985c796c903d7d64N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
de9056406ea61d63475af2721e749fb6580a0aacb903d0af985c796c903d7d64N.exe
-
Size
97KB
-
MD5
7fc11f9a393772d995dd1d8a098a8a70
-
SHA1
0c2b96bc569ea28cb27c6b5c4c429549d5dd470e
-
SHA256
de9056406ea61d63475af2721e749fb6580a0aacb903d0af985c796c903d7d64
-
SHA512
821a02b820aee1a0ef6442126f4d3e6918c24e1437b5e09efc671cafdbf49c94e986c2009816cd938f6bc16935f1b840d27c4ca3428f557e1f26674c2bdc26b2
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgRp:8cm4FmowdHoSgWrXUgP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2236-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1256-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2884-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3192-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4024-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2072-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1460-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2684-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4732-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/448-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1988-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3696-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1652-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2352-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3148-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3616-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/456-498-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1104-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-521-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-584-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-721-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-744-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2384-880-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1720 1bbbtn.exe 1256 1nbbnn.exe 2884 7vddd.exe 4020 nnhnnb.exe 452 hthbtb.exe 4448 vvjjd.exe 3192 rllllll.exe 4024 ttttth.exe 3908 ddvpp.exe 3184 xrlfffx.exe 5084 7btnnn.exe 4768 hnhhhb.exe 1844 dpdjd.exe 3188 lxxxrxr.exe 2284 xlxxxxx.exe 3020 jdddd.exe 2072 jjjjd.exe 5036 lrrllfx.exe 3984 xrlfxfx.exe 3096 vdpjp.exe 1152 vvdjd.exe 1460 fxflllx.exe 2684 5llrrrr.exe 3668 htbnhn.exe 4732 jppjv.exe 448 jjdpj.exe 3660 lxxrlfx.exe 4776 nhnhnn.exe 1068 thtbbb.exe 4580 rrlrlll.exe 3500 5rlfrrl.exe 4660 bntttb.exe 4712 thhbhh.exe 3124 vvpjd.exe 4820 frlfrlf.exe 1988 llrxlrl.exe 4640 btntnn.exe 4164 pvvdv.exe 1980 llrrrxl.exe 3980 hnbttn.exe 2368 hbhbhh.exe 4116 jdjjj.exe 2220 1lrlllf.exe 3696 bnttnn.exe 2576 1nnttn.exe 3988 lxlllrl.exe 4896 bnnhhh.exe 4312 5hbbhn.exe 5028 pdjdd.exe 5092 rrrxffr.exe 4488 bhttnt.exe 4208 fllllrr.exe 4300 lrrfxfx.exe 1652 1nbbbb.exe 2352 vppjp.exe 4860 rrxlllx.exe 4292 rllffff.exe 4284 fxxxxfl.exe 3772 3thbbb.exe 1720 vpddj.exe 4108 rfxxrrr.exe 4968 hnbtnt.exe 3888 tnbhnh.exe 2436 ppppp.exe -
resource yara_rule behavioral2/memory/2236-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b54-3.dat upx behavioral2/memory/2236-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000f000000023bbf-8.dat upx behavioral2/files/0x0009000000023bcf-12.dat upx behavioral2/memory/1256-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1720-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2884-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd5-20.dat upx behavioral2/memory/4020-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd8-24.dat upx behavioral2/files/0x0008000000023bd9-28.dat upx behavioral2/memory/452-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bda-33.dat upx behavioral2/memory/4448-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bdb-38.dat upx behavioral2/memory/3192-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0a-43.dat upx behavioral2/memory/4024-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0b-48.dat upx behavioral2/memory/3908-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0c-53.dat upx behavioral2/memory/5084-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3184-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0d-59.dat upx behavioral2/files/0x0008000000023c0e-63.dat upx behavioral2/files/0x0008000000023c0f-68.dat upx behavioral2/memory/1844-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c14-73.dat upx behavioral2/memory/2284-75-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3188-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c15-78.dat upx behavioral2/memory/2284-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c16-83.dat upx behavioral2/files/0x0008000000023c28-87.dat upx behavioral2/memory/2072-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2e-94.dat upx behavioral2/memory/5036-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3984-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2f-97.dat upx behavioral2/files/0x0008000000023c30-102.dat upx behavioral2/memory/1152-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c32-107.dat upx behavioral2/memory/1460-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1152-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c33-113.dat upx behavioral2/files/0x000b000000023c48-117.dat upx behavioral2/memory/2684-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0016000000023c49-123.dat upx behavioral2/memory/4732-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c4f-127.dat upx behavioral2/files/0x0008000000023c53-132.dat upx behavioral2/memory/448-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c5f-137.dat upx behavioral2/files/0x0009000000023bc8-140.dat upx behavioral2/files/0x0008000000023c60-144.dat upx behavioral2/memory/1068-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c61-149.dat upx behavioral2/files/0x0008000000023c62-154.dat upx behavioral2/memory/4660-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4712-158-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4712-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3124-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4820-167-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xflfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 1720 2236 de9056406ea61d63475af2721e749fb6580a0aacb903d0af985c796c903d7d64N.exe 83 PID 2236 wrote to memory of 1720 2236 de9056406ea61d63475af2721e749fb6580a0aacb903d0af985c796c903d7d64N.exe 83 PID 2236 wrote to memory of 1720 2236 de9056406ea61d63475af2721e749fb6580a0aacb903d0af985c796c903d7d64N.exe 83 PID 1720 wrote to memory of 1256 1720 1bbbtn.exe 84 PID 1720 wrote to memory of 1256 1720 1bbbtn.exe 84 PID 1720 wrote to memory of 1256 1720 1bbbtn.exe 84 PID 1256 wrote to memory of 2884 1256 1nbbnn.exe 85 PID 1256 wrote to memory of 2884 1256 1nbbnn.exe 85 PID 1256 wrote to memory of 2884 1256 1nbbnn.exe 85 PID 2884 wrote to memory of 4020 2884 7vddd.exe 86 PID 2884 wrote to memory of 4020 2884 7vddd.exe 86 PID 2884 wrote to memory of 4020 2884 7vddd.exe 86 PID 4020 wrote to memory of 452 4020 nnhnnb.exe 87 PID 4020 wrote to memory of 452 4020 nnhnnb.exe 87 PID 4020 wrote to memory of 452 4020 nnhnnb.exe 87 PID 452 wrote to memory of 4448 452 hthbtb.exe 88 PID 452 wrote to memory of 4448 452 hthbtb.exe 88 PID 452 wrote to memory of 4448 452 hthbtb.exe 88 PID 4448 wrote to memory of 3192 4448 vvjjd.exe 89 PID 4448 wrote to memory of 3192 4448 vvjjd.exe 89 PID 4448 wrote to memory of 3192 4448 vvjjd.exe 89 PID 3192 wrote to memory of 4024 3192 rllllll.exe 90 PID 3192 wrote to memory of 4024 3192 rllllll.exe 90 PID 3192 wrote to memory of 4024 3192 rllllll.exe 90 PID 4024 wrote to memory of 3908 4024 ttttth.exe 91 PID 4024 wrote to memory of 3908 4024 ttttth.exe 91 PID 4024 wrote to memory of 3908 4024 ttttth.exe 91 PID 3908 wrote to memory of 3184 3908 ddvpp.exe 92 PID 3908 wrote to memory of 3184 3908 ddvpp.exe 92 PID 3908 wrote to memory of 3184 3908 ddvpp.exe 92 PID 3184 wrote to memory of 5084 3184 xrlfffx.exe 93 PID 3184 wrote to memory of 5084 3184 xrlfffx.exe 93 PID 3184 wrote to memory of 5084 3184 xrlfffx.exe 93 PID 5084 wrote to memory of 4768 5084 7btnnn.exe 94 PID 5084 wrote to memory of 
4768 5084 7btnnn.exe 94 PID 5084 wrote to memory of 4768 5084 7btnnn.exe 94 PID 4768 wrote to memory of 1844 4768 hnhhhb.exe 95 PID 4768 wrote to memory of 1844 4768 hnhhhb.exe 95 PID 4768 wrote to memory of 1844 4768 hnhhhb.exe 95 PID 1844 wrote to memory of 3188 1844 dpdjd.exe 96 PID 1844 wrote to memory of 3188 1844 dpdjd.exe 96 PID 1844 wrote to memory of 3188 1844 dpdjd.exe 96 PID 3188 wrote to memory of 2284 3188 lxxxrxr.exe 97 PID 3188 wrote to memory of 2284 3188 lxxxrxr.exe 97 PID 3188 wrote to memory of 2284 3188 lxxxrxr.exe 97 PID 2284 wrote to memory of 3020 2284 xlxxxxx.exe 98 PID 2284 wrote to memory of 3020 2284 xlxxxxx.exe 98 PID 2284 wrote to memory of 3020 2284 xlxxxxx.exe 98 PID 3020 wrote to memory of 2072 3020 jdddd.exe 99 PID 3020 wrote to memory of 2072 3020 jdddd.exe 99 PID 3020 wrote to memory of 2072 3020 jdddd.exe 99 PID 2072 wrote to memory of 5036 2072 jjjjd.exe 100 PID 2072 wrote to memory of 5036 2072 jjjjd.exe 100 PID 2072 wrote to memory of 5036 2072 jjjjd.exe 100 PID 5036 wrote to memory of 3984 5036 lrrllfx.exe 101 PID 5036 wrote to memory of 3984 5036 lrrllfx.exe 101 PID 5036 wrote to memory of 3984 5036 lrrllfx.exe 101 PID 3984 wrote to memory of 3096 3984 xrlfxfx.exe 102 PID 3984 wrote to memory of 3096 3984 xrlfxfx.exe 102 PID 3984 wrote to memory of 3096 3984 xrlfxfx.exe 102 PID 3096 wrote to memory of 1152 3096 vdpjp.exe 103 PID 3096 wrote to memory of 1152 3096 vdpjp.exe 103 PID 3096 wrote to memory of 1152 3096 vdpjp.exe 103 PID 1152 wrote to memory of 1460 1152 vvdjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\de9056406ea61d63475af2721e749fb6580a0aacb903d0af985c796c903d7d64N.exe"C:\Users\Admin\AppData\Local\Temp\de9056406ea61d63475af2721e749fb6580a0aacb903d0af985c796c903d7d64N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\1bbbtn.exec:\1bbbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\1nbbnn.exec:\1nbbnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\7vddd.exec:\7vddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\nnhnnb.exec:\nnhnnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\hthbtb.exec:\hthbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\vvjjd.exec:\vvjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\rllllll.exec:\rllllll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\ttttth.exec:\ttttth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\ddvpp.exec:\ddvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\xrlfffx.exec:\xrlfffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\7btnnn.exec:\7btnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\hnhhhb.exec:\hnhhhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\dpdjd.exec:\dpdjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\lxxxrxr.exec:\lxxxrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\xlxxxxx.exec:\xlxxxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\jdddd.exec:\jdddd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\jjjjd.exec:\jjjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\lrrllfx.exec:\lrrllfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\xrlfxfx.exec:\xrlfxfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\vdpjp.exec:\vdpjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\vvdjd.exec:\vvdjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\fxflllx.exec:\fxflllx.exe23⤵
- Executes dropped EXE
PID:1460 -
\??\c:\5llrrrr.exec:\5llrrrr.exe24⤵
- Executes dropped EXE
PID:2684 -
\??\c:\htbnhn.exec:\htbnhn.exe25⤵
- Executes dropped EXE
PID:3668 -
\??\c:\jppjv.exec:\jppjv.exe26⤵
- Executes dropped EXE
PID:4732 -
\??\c:\jjdpj.exec:\jjdpj.exe27⤵
- Executes dropped EXE
PID:448 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe28⤵
- Executes dropped EXE
PID:3660 -
\??\c:\nhnhnn.exec:\nhnhnn.exe29⤵
- Executes dropped EXE
PID:4776 -
\??\c:\thtbbb.exec:\thtbbb.exe30⤵
- Executes dropped EXE
PID:1068 -
\??\c:\rrlrlll.exec:\rrlrlll.exe31⤵
- Executes dropped EXE
PID:4580 -
\??\c:\5rlfrrl.exec:\5rlfrrl.exe32⤵
- Executes dropped EXE
PID:3500 -
\??\c:\bntttb.exec:\bntttb.exe33⤵
- Executes dropped EXE
PID:4660 -
\??\c:\thhbhh.exec:\thhbhh.exe34⤵
- Executes dropped EXE
PID:4712 -
\??\c:\vvpjd.exec:\vvpjd.exe35⤵
- Executes dropped EXE
PID:3124 -
\??\c:\frlfrlf.exec:\frlfrlf.exe36⤵
- Executes dropped EXE
PID:4820 -
\??\c:\llrxlrl.exec:\llrxlrl.exe37⤵
- Executes dropped EXE
PID:1988 -
\??\c:\btntnn.exec:\btntnn.exe38⤵
- Executes dropped EXE
PID:4640 -
\??\c:\pvvdv.exec:\pvvdv.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4164 -
\??\c:\llrrrxl.exec:\llrrrxl.exe40⤵
- Executes dropped EXE
PID:1980 -
\??\c:\hnbttn.exec:\hnbttn.exe41⤵
- Executes dropped EXE
PID:3980 -
\??\c:\hbhbhh.exec:\hbhbhh.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368 -
\??\c:\jdjjj.exec:\jdjjj.exe43⤵
- Executes dropped EXE
PID:4116 -
\??\c:\1lrlllf.exec:\1lrlllf.exe44⤵
- Executes dropped EXE
PID:2220 -
\??\c:\bnttnn.exec:\bnttnn.exe45⤵
- Executes dropped EXE
PID:3696 -
\??\c:\1nnttn.exec:\1nnttn.exe46⤵
- Executes dropped EXE
PID:2576 -
\??\c:\lxlllrl.exec:\lxlllrl.exe47⤵
- Executes dropped EXE
PID:3988 -
\??\c:\bnnhhh.exec:\bnnhhh.exe48⤵
- Executes dropped EXE
PID:4896 -
\??\c:\5hbbhn.exec:\5hbbhn.exe49⤵
- Executes dropped EXE
PID:4312 -
\??\c:\pdjdd.exec:\pdjdd.exe50⤵
- Executes dropped EXE
PID:5028 -
\??\c:\rrrxffr.exec:\rrrxffr.exe51⤵
- Executes dropped EXE
PID:5092 -
\??\c:\bhttnt.exec:\bhttnt.exe52⤵
- Executes dropped EXE
PID:4488 -
\??\c:\fllllrr.exec:\fllllrr.exe53⤵
- Executes dropped EXE
PID:4208 -
\??\c:\lrrfxfx.exec:\lrrfxfx.exe54⤵
- Executes dropped EXE
PID:4300 -
\??\c:\1nbbbb.exec:\1nbbbb.exe55⤵
- Executes dropped EXE
PID:1652 -
\??\c:\vppjp.exec:\vppjp.exe56⤵
- Executes dropped EXE
PID:2352 -
\??\c:\rrxlllx.exec:\rrxlllx.exe57⤵
- Executes dropped EXE
PID:4860 -
\??\c:\rllffff.exec:\rllffff.exe58⤵
- Executes dropped EXE
PID:4292 -
\??\c:\fxxxxfl.exec:\fxxxxfl.exe59⤵
- Executes dropped EXE
PID:4284 -
\??\c:\3thbbb.exec:\3thbbb.exe60⤵
- Executes dropped EXE
PID:3772 -
\??\c:\vpddj.exec:\vpddj.exe61⤵
- Executes dropped EXE
PID:1720 -
\??\c:\rfxxrrr.exec:\rfxxrrr.exe62⤵
- Executes dropped EXE
PID:4108 -
\??\c:\hnbtnt.exec:\hnbtnt.exe63⤵
- Executes dropped EXE
PID:4968 -
\??\c:\tnbhnh.exec:\tnbhnh.exe64⤵
- Executes dropped EXE
PID:3888 -
\??\c:\ppppp.exec:\ppppp.exe65⤵
- Executes dropped EXE
PID:2436 -
\??\c:\rlrxrrr.exec:\rlrxrrr.exe66⤵PID:4840
-
\??\c:\btnhnn.exec:\btnhnn.exe67⤵PID:4428
-
\??\c:\7djpd.exec:\7djpd.exe68⤵PID:1376
-
\??\c:\rlrllll.exec:\rlrllll.exe69⤵PID:4448
-
\??\c:\7nttbb.exec:\7nttbb.exe70⤵PID:4080
-
\??\c:\nnhhhh.exec:\nnhhhh.exe71⤵PID:320
-
\??\c:\dvvvp.exec:\dvvvp.exe72⤵PID:2704
-
\??\c:\vvjjd.exec:\vvjjd.exe73⤵PID:3608
-
\??\c:\xxrllrx.exec:\xxrllrx.exe74⤵PID:3908
-
\??\c:\nhnhhh.exec:\nhnhhh.exe75⤵PID:3148
-
\??\c:\jjppp.exec:\jjppp.exe76⤵PID:220
-
\??\c:\rflllrr.exec:\rflllrr.exe77⤵PID:8
-
\??\c:\jvdjj.exec:\jvdjj.exe78⤵PID:1576
-
\??\c:\vjjjd.exec:\vjjjd.exe79⤵PID:3412
-
\??\c:\lffxrrr.exec:\lffxrrr.exe80⤵PID:3188
-
\??\c:\fxfflrr.exec:\fxfflrr.exe81⤵PID:4316
-
\??\c:\9bhnhh.exec:\9bhnhh.exe82⤵PID:3616
-
\??\c:\tttttb.exec:\tttttb.exe83⤵PID:3092
-
\??\c:\vpvvv.exec:\vpvvv.exe84⤵PID:4704
-
\??\c:\1llxrlf.exec:\1llxrlf.exe85⤵PID:3172
-
\??\c:\ppvvp.exec:\ppvvp.exe86⤵PID:2332
-
\??\c:\dvdvv.exec:\dvdvv.exe87⤵PID:228
-
\??\c:\llllfff.exec:\llllfff.exe88⤵PID:3984
-
\??\c:\9jjdd.exec:\9jjdd.exe89⤵PID:4220
-
\??\c:\fxlfffl.exec:\fxlfffl.exe90⤵PID:3436
-
\??\c:\tnhbbt.exec:\tnhbbt.exe91⤵PID:1152
-
\??\c:\tnnnnn.exec:\tnnnnn.exe92⤵PID:1460
-
\??\c:\jdddv.exec:\jdddv.exe93⤵PID:2712
-
\??\c:\jpjvp.exec:\jpjvp.exe94⤵PID:5012
-
\??\c:\7xlfxxx.exec:\7xlfxxx.exe95⤵PID:4816
-
\??\c:\nhnnbt.exec:\nhnnbt.exe96⤵PID:1528
-
\??\c:\vvppj.exec:\vvppj.exe97⤵PID:2508
-
\??\c:\jjdpj.exec:\jjdpj.exe98⤵PID:1248
-
\??\c:\llrxrrx.exec:\llrxrrx.exe99⤵PID:1564
-
\??\c:\5llffll.exec:\5llffll.exe100⤵PID:4616
-
\??\c:\bhbbnn.exec:\bhbbnn.exe101⤵PID:4232
-
\??\c:\pvddv.exec:\pvddv.exe102⤵PID:540
-
\??\c:\jpvpj.exec:\jpvpj.exe103⤵
- System Location Discovery: System Language Discovery
PID:3552 -
\??\c:\vvvpp.exec:\vvvpp.exe104⤵PID:4940
-
\??\c:\rxfrxfl.exec:\rxfrxfl.exe105⤵PID:4440
-
\??\c:\3bhbtt.exec:\3bhbtt.exe106⤵PID:2944
-
\??\c:\vvjvd.exec:\vvjvd.exe107⤵PID:3664
-
\??\c:\fffxxxx.exec:\fffxxxx.exe108⤵PID:4416
-
\??\c:\tbtnhh.exec:\tbtnhh.exe109⤵PID:4192
-
\??\c:\nhnhbh.exec:\nhnhbh.exe110⤵PID:1872
-
\??\c:\jpdvp.exec:\jpdvp.exe111⤵PID:1044
-
\??\c:\llrlxxr.exec:\llrlxxr.exe112⤵PID:888
-
\??\c:\hhhhhn.exec:\hhhhhn.exe113⤵PID:3652
-
\??\c:\nhttbb.exec:\nhttbb.exe114⤵PID:1676
-
\??\c:\pjvpp.exec:\pjvpp.exe115⤵PID:3344
-
\??\c:\xxfflrr.exec:\xxfflrr.exe116⤵PID:4144
-
\??\c:\ffffrrf.exec:\ffffrrf.exe117⤵PID:2020
-
\??\c:\9bthbb.exec:\9bthbb.exe118⤵
- System Location Discovery: System Language Discovery
PID:2392 -
\??\c:\thtnhh.exec:\thtnhh.exe119⤵
- System Location Discovery: System Language Discovery
PID:4084 -
\??\c:\pjppj.exec:\pjppj.exe120⤵PID:3804
-
\??\c:\flffllr.exec:\flffllr.exe121⤵PID:400
-
\??\c:\rfxlflx.exec:\rfxlflx.exe122⤵PID:4988