Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2024 21:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe
-
Size
456KB
-
MD5
ef605d78c631dabd16caf4ab30a2f35b
-
SHA1
70aadb02d97141f354336789fc56b0d44adcd88a
-
SHA256
06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6
-
SHA512
fe906cccfa82877760b48a394996fa5c04aaf6f6fef0336ef93d5659b545d22f829dd0d52b7c49445e1cc641324e1ed33359f147da86b9a4b514e5f88eba1a28
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRS:q7Tc2NYHUrAwfMp3CDRS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4480-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3664-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4980-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-974-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-1562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1224 xxllrrl.exe 364 hbtnhb.exe 1788 1ppjv.exe 4640 xrrlxxr.exe 3600 htthbb.exe 1140 dvpjv.exe 4428 3xlffff.exe 2996 xxxxxfl.exe 1460 bttntt.exe 4468 vdpjj.exe 2096 fxffxff.exe 3044 frfrrrx.exe 2624 btbttb.exe 2384 xxllxrl.exe 4816 pjjpd.exe 5044 nttnnn.exe 4088 thhnbh.exe 1924 lxlxxxx.exe 3776 fxfffff.exe 4900 hhnhbh.exe 4856 hhtbbn.exe 3244 1vjdp.exe 1588 rrflxrf.exe 2672 rxrrrfx.exe 336 xxxxxxx.exe 4076 ffllflr.exe 3664 vpddd.exe 632 xlfffll.exe 1904 xxllrxx.exe 2364 vpjjj.exe 4400 rfrllff.exe 4596 hhnnnh.exe 3128 nhhthh.exe 1416 pdppj.exe 3288 xxlrrfx.exe 3468 httnhb.exe 1332 dddvp.exe 896 rffxrrl.exe 808 3nbthh.exe 1220 jjvpd.exe 3200 xrlflfx.exe 2044 hbbtnh.exe 3220 vvvvp.exe 828 dpdpj.exe 1256 lffxllf.exe 4144 ttbtnh.exe 4824 vvdjd.exe 2400 xflfrlf.exe 564 5rlfxxx.exe 1068 7ttnnh.exe 4492 jpvpj.exe 776 pvjjd.exe 4756 hbnnbb.exe 3400 dpvvv.exe 4668 ddddd.exe 2340 rllfxxx.exe 2348 htbbbh.exe 4040 vpvdd.exe 1048 pjjdv.exe 3720 lrxrllf.exe 3600 bntnhh.exe 3344 tntnnh.exe 516 vvjjj.exe 556 rfrllff.exe -
resource yara_rule behavioral2/memory/4480-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/632-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1244-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-597-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbthh.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4480 wrote to memory of 1224 4480 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 82 PID 4480 wrote to memory of 1224 4480 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 82 PID 4480 wrote to memory of 1224 4480 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 82 PID 1224 wrote to memory of 364 1224 xxllrrl.exe 83 PID 1224 wrote to memory of 364 1224 xxllrrl.exe 83 PID 1224 wrote to memory of 364 1224 xxllrrl.exe 83 PID 364 wrote to memory of 1788 364 hbtnhb.exe 84 PID 364 wrote to memory of 1788 364 hbtnhb.exe 84 PID 364 wrote to memory of 1788 364 hbtnhb.exe 84 PID 1788 wrote to memory of 4640 1788 1ppjv.exe 85 PID 1788 wrote to memory of 4640 1788 1ppjv.exe 85 PID 1788 wrote to memory of 4640 1788 1ppjv.exe 85 PID 4640 wrote to memory of 3600 4640 xrrlxxr.exe 86 PID 4640 wrote to memory of 3600 4640 xrrlxxr.exe 86 PID 4640 wrote to memory of 3600 4640 xrrlxxr.exe 86 PID 3600 wrote to memory of 1140 3600 htthbb.exe 87 PID 3600 wrote to memory of 1140 3600 htthbb.exe 87 PID 3600 wrote to memory of 1140 3600 htthbb.exe 87 PID 1140 wrote to memory of 4428 1140 dvpjv.exe 88 PID 1140 wrote to memory of 4428 1140 dvpjv.exe 88 PID 1140 wrote to memory of 4428 1140 dvpjv.exe 88 PID 4428 wrote to memory of 2996 4428 3xlffff.exe 89 PID 4428 wrote to memory of 2996 4428 3xlffff.exe 89 PID 4428 wrote to memory of 2996 4428 3xlffff.exe 89 PID 2996 wrote to memory of 1460 2996 xxxxxfl.exe 90 PID 2996 wrote to memory of 1460 2996 xxxxxfl.exe 90 PID 2996 wrote to memory of 1460 2996 xxxxxfl.exe 90 PID 1460 wrote to memory of 4468 1460 bttntt.exe 91 PID 1460 wrote to memory of 4468 1460 bttntt.exe 91 PID 1460 wrote to memory of 4468 1460 bttntt.exe 91 PID 4468 wrote to memory of 2096 4468 vdpjj.exe 92 PID 4468 wrote to memory of 2096 4468 vdpjj.exe 92 PID 4468 wrote to memory of 2096 4468 vdpjj.exe 92 PID 2096 wrote to memory of 3044 2096 fxffxff.exe 93 PID 2096 wrote to memory 
of 3044 2096 fxffxff.exe 93 PID 2096 wrote to memory of 3044 2096 fxffxff.exe 93 PID 3044 wrote to memory of 2624 3044 frfrrrx.exe 94 PID 3044 wrote to memory of 2624 3044 frfrrrx.exe 94 PID 3044 wrote to memory of 2624 3044 frfrrrx.exe 94 PID 2624 wrote to memory of 2384 2624 btbttb.exe 95 PID 2624 wrote to memory of 2384 2624 btbttb.exe 95 PID 2624 wrote to memory of 2384 2624 btbttb.exe 95 PID 2384 wrote to memory of 4816 2384 xxllxrl.exe 96 PID 2384 wrote to memory of 4816 2384 xxllxrl.exe 96 PID 2384 wrote to memory of 4816 2384 xxllxrl.exe 96 PID 4816 wrote to memory of 5044 4816 pjjpd.exe 97 PID 4816 wrote to memory of 5044 4816 pjjpd.exe 97 PID 4816 wrote to memory of 5044 4816 pjjpd.exe 97 PID 5044 wrote to memory of 4088 5044 nttnnn.exe 98 PID 5044 wrote to memory of 4088 5044 nttnnn.exe 98 PID 5044 wrote to memory of 4088 5044 nttnnn.exe 98 PID 4088 wrote to memory of 1924 4088 thhnbh.exe 99 PID 4088 wrote to memory of 1924 4088 thhnbh.exe 99 PID 4088 wrote to memory of 1924 4088 thhnbh.exe 99 PID 1924 wrote to memory of 3776 1924 lxlxxxx.exe 100 PID 1924 wrote to memory of 3776 1924 lxlxxxx.exe 100 PID 1924 wrote to memory of 3776 1924 lxlxxxx.exe 100 PID 3776 wrote to memory of 4900 3776 fxfffff.exe 101 PID 3776 wrote to memory of 4900 3776 fxfffff.exe 101 PID 3776 wrote to memory of 4900 3776 fxfffff.exe 101 PID 4900 wrote to memory of 4856 4900 hhnhbh.exe 102 PID 4900 wrote to memory of 4856 4900 hhnhbh.exe 102 PID 4900 wrote to memory of 4856 4900 hhnhbh.exe 102 PID 4856 wrote to memory of 3244 4856 hhtbbn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe"C:\Users\Admin\AppData\Local\Temp\06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\xxllrrl.exec:\xxllrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\hbtnhb.exec:\hbtnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364 -
\??\c:\1ppjv.exec:\1ppjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\htthbb.exec:\htthbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\dvpjv.exec:\dvpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\3xlffff.exec:\3xlffff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\xxxxxfl.exec:\xxxxxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\bttntt.exec:\bttntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\vdpjj.exec:\vdpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\fxffxff.exec:\fxffxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\frfrrrx.exec:\frfrrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\btbttb.exec:\btbttb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\xxllxrl.exec:\xxllxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\pjjpd.exec:\pjjpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\nttnnn.exec:\nttnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\thhnbh.exec:\thhnbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\lxlxxxx.exec:\lxlxxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\fxfffff.exec:\fxfffff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\hhnhbh.exec:\hhnhbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\hhtbbn.exec:\hhtbbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\1vjdp.exec:\1vjdp.exe23⤵
- Executes dropped EXE
PID:3244 -
\??\c:\rrflxrf.exec:\rrflxrf.exe24⤵
- Executes dropped EXE
PID:1588 -
\??\c:\rxrrrfx.exec:\rxrrrfx.exe25⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xxxxxxx.exec:\xxxxxxx.exe26⤵
- Executes dropped EXE
PID:336 -
\??\c:\ffllflr.exec:\ffllflr.exe27⤵
- Executes dropped EXE
PID:4076 -
\??\c:\vpddd.exec:\vpddd.exe28⤵
- Executes dropped EXE
PID:3664 -
\??\c:\xlfffll.exec:\xlfffll.exe29⤵
- Executes dropped EXE
PID:632 -
\??\c:\xxllrxx.exec:\xxllrxx.exe30⤵
- Executes dropped EXE
PID:1904 -
\??\c:\vpjjj.exec:\vpjjj.exe31⤵
- Executes dropped EXE
PID:2364 -
\??\c:\rfrllff.exec:\rfrllff.exe32⤵
- Executes dropped EXE
PID:4400 -
\??\c:\hhnnnh.exec:\hhnnnh.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4596 -
\??\c:\nhhthh.exec:\nhhthh.exe34⤵
- Executes dropped EXE
PID:3128 -
\??\c:\pdppj.exec:\pdppj.exe35⤵
- Executes dropped EXE
PID:1416 -
\??\c:\xxlrrfx.exec:\xxlrrfx.exe36⤵
- Executes dropped EXE
PID:3288 -
\??\c:\httnhb.exec:\httnhb.exe37⤵
- Executes dropped EXE
PID:3468 -
\??\c:\dddvp.exec:\dddvp.exe38⤵
- Executes dropped EXE
PID:1332 -
\??\c:\rffxrrl.exec:\rffxrrl.exe39⤵
- Executes dropped EXE
PID:896 -
\??\c:\3nbthh.exec:\3nbthh.exe40⤵
- Executes dropped EXE
PID:808 -
\??\c:\jjvpd.exec:\jjvpd.exe41⤵
- Executes dropped EXE
PID:1220 -
\??\c:\xrlflfx.exec:\xrlflfx.exe42⤵
- Executes dropped EXE
PID:3200 -
\??\c:\hbbtnh.exec:\hbbtnh.exe43⤵
- Executes dropped EXE
PID:2044 -
\??\c:\vvvvp.exec:\vvvvp.exe44⤵
- Executes dropped EXE
PID:3220 -
\??\c:\dpdpj.exec:\dpdpj.exe45⤵
- Executes dropped EXE
PID:828 -
\??\c:\lffxllf.exec:\lffxllf.exe46⤵
- Executes dropped EXE
PID:1256 -
\??\c:\ttbtnh.exec:\ttbtnh.exe47⤵
- Executes dropped EXE
PID:4144 -
\??\c:\vvdjd.exec:\vvdjd.exe48⤵
- Executes dropped EXE
PID:4824 -
\??\c:\xflfrlf.exec:\xflfrlf.exe49⤵
- Executes dropped EXE
PID:2400 -
\??\c:\5rlfxxx.exec:\5rlfxxx.exe50⤵
- Executes dropped EXE
PID:564 -
\??\c:\7ttnnh.exec:\7ttnnh.exe51⤵
- Executes dropped EXE
PID:1068 -
\??\c:\jpvpj.exec:\jpvpj.exe52⤵
- Executes dropped EXE
PID:4492 -
\??\c:\pvjjd.exec:\pvjjd.exe53⤵
- Executes dropped EXE
PID:776 -
\??\c:\hbnnbb.exec:\hbnnbb.exe54⤵
- Executes dropped EXE
PID:4756 -
\??\c:\dpvvv.exec:\dpvvv.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3400 -
\??\c:\ddddd.exec:\ddddd.exe56⤵
- Executes dropped EXE
PID:4668 -
\??\c:\rllfxxx.exec:\rllfxxx.exe57⤵
- Executes dropped EXE
PID:2340 -
\??\c:\htbbbh.exec:\htbbbh.exe58⤵
- Executes dropped EXE
PID:2348 -
\??\c:\vpvdd.exec:\vpvdd.exe59⤵
- Executes dropped EXE
PID:4040 -
\??\c:\pjjdv.exec:\pjjdv.exe60⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lrxrllf.exec:\lrxrllf.exe61⤵
- Executes dropped EXE
PID:3720 -
\??\c:\bntnhh.exec:\bntnhh.exe62⤵
- Executes dropped EXE
PID:3600 -
\??\c:\tntnnh.exec:\tntnnh.exe63⤵
- Executes dropped EXE
PID:3344 -
\??\c:\vvjjj.exec:\vvjjj.exe64⤵
- Executes dropped EXE
PID:516 -
\??\c:\rfrllff.exec:\rfrllff.exe65⤵
- Executes dropped EXE
PID:556 -
\??\c:\bbhttt.exec:\bbhttt.exe66⤵PID:1984
-
\??\c:\vpjjd.exec:\vpjjd.exe67⤵PID:1436
-
\??\c:\xfxrllf.exec:\xfxrllf.exe68⤵PID:2564
-
\??\c:\htnnbb.exec:\htnnbb.exe69⤵PID:3808
-
\??\c:\hhhhbb.exec:\hhhhbb.exe70⤵PID:4980
-
\??\c:\vvvpj.exec:\vvvpj.exe71⤵PID:3020
-
\??\c:\flrlxfx.exec:\flrlxfx.exe72⤵PID:1784
-
\??\c:\nnnhbb.exec:\nnnhbb.exe73⤵PID:3752
-
\??\c:\vjjdp.exec:\vjjdp.exe74⤵PID:2624
-
\??\c:\xrxrlrl.exec:\xrxrlrl.exe75⤵PID:2384
-
\??\c:\rllflll.exec:\rllflll.exe76⤵PID:5052
-
\??\c:\vvdvv.exec:\vvdvv.exe77⤵PID:5008
-
\??\c:\xfrlllr.exec:\xfrlllr.exe78⤵PID:4796
-
\??\c:\rlrrlll.exec:\rlrrlll.exe79⤵PID:3160
-
\??\c:\bttnhb.exec:\bttnhb.exe80⤵PID:4488
-
\??\c:\jdvvv.exec:\jdvvv.exe81⤵PID:1244
-
\??\c:\vdjdp.exec:\vdjdp.exe82⤵PID:4056
-
\??\c:\nhtbbh.exec:\nhtbbh.exe83⤵PID:3628
-
\??\c:\thnhtt.exec:\thnhtt.exe84⤵PID:1444
-
\??\c:\pvdvp.exec:\pvdvp.exe85⤵PID:1956
-
\??\c:\rfllxff.exec:\rfllxff.exe86⤵PID:1688
-
\??\c:\xrrlffr.exec:\xrrlffr.exe87⤵PID:1720
-
\??\c:\tttnnb.exec:\tttnnb.exe88⤵PID:1920
-
\??\c:\jjpjj.exec:\jjpjj.exe89⤵PID:3552
-
\??\c:\vpddv.exec:\vpddv.exe90⤵PID:336
-
\??\c:\rlxlfxr.exec:\rlxlfxr.exe91⤵PID:2412
-
\??\c:\nnnnhh.exec:\nnnnhh.exe92⤵PID:2056
-
\??\c:\3djdv.exec:\3djdv.exe93⤵PID:2716
-
\??\c:\7dvpp.exec:\7dvpp.exe94⤵PID:1724
-
\??\c:\xflfrrl.exec:\xflfrrl.exe95⤵PID:3992
-
\??\c:\5bnbbb.exec:\5bnbbb.exe96⤵PID:2080
-
\??\c:\btnhnn.exec:\btnhnn.exe97⤵PID:4768
-
\??\c:\pddvd.exec:\pddvd.exe98⤵PID:4400
-
\??\c:\frxlfxl.exec:\frxlfxl.exe99⤵PID:4504
-
\??\c:\nhhhbb.exec:\nhhhbb.exe100⤵PID:2576
-
\??\c:\btbhbn.exec:\btbhbn.exe101⤵PID:4236
-
\??\c:\pddvp.exec:\pddvp.exe102⤵PID:3372
-
\??\c:\lfrlflf.exec:\lfrlflf.exe103⤵PID:3496
-
\??\c:\bthhtb.exec:\bthhtb.exe104⤵PID:2852
-
\??\c:\vpvjp.exec:\vpvjp.exe105⤵PID:4476
-
\??\c:\xxxxrrl.exec:\xxxxrrl.exe106⤵PID:2236
-
\??\c:\lfxrlrl.exec:\lfxrlrl.exe107⤵PID:320
-
\??\c:\bthbtt.exec:\bthbtt.exe108⤵PID:1896
-
\??\c:\jpddv.exec:\jpddv.exe109⤵PID:4592
-
\??\c:\jdppp.exec:\jdppp.exe110⤵PID:2724
-
\??\c:\5rrrllf.exec:\5rrrllf.exe111⤵PID:3220
-
\??\c:\bnnhbt.exec:\bnnhbt.exe112⤵PID:1388
-
\??\c:\7jdvp.exec:\7jdvp.exe113⤵PID:4084
-
\??\c:\xxrrrrl.exec:\xxrrrrl.exe114⤵PID:4660
-
\??\c:\xrrlffx.exec:\xrrlffx.exe115⤵PID:4388
-
\??\c:\bntnhb.exec:\bntnhb.exe116⤵PID:4420
-
\??\c:\djpdv.exec:\djpdv.exe117⤵PID:4004
-
\??\c:\ffrlrrf.exec:\ffrlrrf.exe118⤵PID:3812
-
\??\c:\hhnnnn.exec:\hhnnnn.exe119⤵PID:4868
-
\??\c:\tbnhbb.exec:\tbnhbb.exe120⤵PID:4756
-
\??\c:\dppjv.exec:\dppjv.exe121⤵PID:448
-
\??\c:\7xxrllf.exec:\7xxrllf.exe122⤵PID:2480