Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
69ed042324b4c2b34b6265cb5158f6b9d72041f8261663186077af672c038f5bN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
69ed042324b4c2b34b6265cb5158f6b9d72041f8261663186077af672c038f5bN.exe
-
Size
453KB
-
MD5
1430608c5294f0bcc2c142e04e3154e0
-
SHA1
dc1696e4d6442963685abab3472472810d71e358
-
SHA256
69ed042324b4c2b34b6265cb5158f6b9d72041f8261663186077af672c038f5b
-
SHA512
38dc6fefdc43885b801af47adce935caf38a74cbdb3f20831fe998420c046a3a407272a457678528e902e29b449a220ee16da16a80cf1c61ba69fbcd8444bbed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/772-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4424-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3768-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/472-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-934-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-980-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3500-990-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4456 lfllflf.exe 3220 tnnhhh.exe 1032 9pvpv.exe 3396 5xrrllf.exe 1104 dvddd.exe 976 hbhhhn.exe 4100 fflfxxx.exe 2544 dddvv.exe 4364 lrlxffx.exe 4504 dppjp.exe 4808 frxrrrl.exe 2700 vdjdv.exe 2712 lrrlllf.exe 1368 thhbtn.exe 2260 fxxrrll.exe 3772 bttnnn.exe 3512 vddvp.exe 4004 rlfxrll.exe 3264 nhhbbb.exe 1868 ddvdj.exe 220 fxlflfx.exe 3896 tbhtnh.exe 4968 ddppj.exe 2136 pdpjj.exe 3672 rfffxxr.exe 4240 3hnhhn.exe 4700 pjvdv.exe 2096 pjjdv.exe 2320 xlllxlf.exe 3104 9frlfxr.exe 4320 nbttnh.exe 3620 jvdvp.exe 3940 jdjdv.exe 1512 rlrlrlf.exe 2024 fxrfrlx.exe 456 thhtth.exe 1344 jvvjv.exe 2632 ppppj.exe 4596 xllfxrl.exe 4184 fxfrrlx.exe 2740 ththbt.exe 2240 5pjpd.exe 4816 dppdp.exe 4080 llfxrfx.exe 1456 bntnhb.exe 4800 tbnhtn.exe 2296 ppdvd.exe 2372 frlrfrr.exe 4424 llffxxr.exe 4708 btnbnh.exe 2108 pdjdd.exe 3928 vvjvp.exe 4332 9rlxrlf.exe 3044 hhhhhb.exe 4956 pppdv.exe 4532 jpvjd.exe 5012 nhnhbn.exe 2168 llrlxrf.exe 1616 rffrfxl.exe 640 bthbbb.exe 1160 dpjdp.exe 1112 lxrfxlx.exe 4520 xrlflfr.exe 3768 jdvpj.exe -
resource yara_rule behavioral2/memory/772-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-249-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2372-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2400-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/472-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-882-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 772 wrote to memory of 4456 772 69ed042324b4c2b34b6265cb5158f6b9d72041f8261663186077af672c038f5bN.exe 81 PID 772 wrote to memory of 4456 772 69ed042324b4c2b34b6265cb5158f6b9d72041f8261663186077af672c038f5bN.exe 81 PID 772 wrote to memory of 4456 772 69ed042324b4c2b34b6265cb5158f6b9d72041f8261663186077af672c038f5bN.exe 81 PID 4456 wrote to memory of 3220 4456 lfllflf.exe 82 PID 4456 wrote to memory of 3220 4456 lfllflf.exe 82 PID 4456 wrote to memory of 3220 4456 lfllflf.exe 82 PID 3220 wrote to memory of 1032 3220 tnnhhh.exe 83 PID 3220 wrote to memory of 1032 3220 tnnhhh.exe 83 PID 3220 wrote to memory of 1032 3220 tnnhhh.exe 83 PID 1032 wrote to memory of 3396 1032 9pvpv.exe 84 PID 1032 wrote to memory of 3396 1032 9pvpv.exe 84 PID 1032 wrote to memory of 3396 1032 9pvpv.exe 84 PID 3396 wrote to memory of 1104 3396 5xrrllf.exe 85 PID 3396 wrote to memory of 1104 3396 5xrrllf.exe 85 PID 3396 wrote to memory of 1104 3396 5xrrllf.exe 85 PID 1104 wrote to memory of 976 1104 dvddd.exe 86 PID 1104 wrote to memory of 976 1104 dvddd.exe 86 PID 1104 wrote to memory of 976 1104 dvddd.exe 86 PID 976 wrote to memory of 4100 976 hbhhhn.exe 87 PID 976 wrote to memory of 4100 976 hbhhhn.exe 87 PID 976 wrote to memory of 4100 976 hbhhhn.exe 87 PID 4100 wrote to memory of 2544 4100 fflfxxx.exe 88 PID 4100 wrote to memory of 2544 4100 fflfxxx.exe 88 PID 4100 wrote to memory of 2544 4100 fflfxxx.exe 88 PID 2544 wrote to memory of 4364 2544 dddvv.exe 89 PID 2544 wrote to memory of 4364 2544 dddvv.exe 89 PID 2544 wrote to memory of 4364 2544 dddvv.exe 89 PID 4364 wrote to memory of 4504 4364 lrlxffx.exe 90 PID 4364 wrote to memory of 4504 4364 lrlxffx.exe 90 PID 4364 wrote to memory of 4504 4364 lrlxffx.exe 90 PID 4504 wrote to memory of 4808 4504 dppjp.exe 91 PID 4504 wrote to memory of 4808 4504 dppjp.exe 91 PID 4504 wrote to memory of 4808 4504 dppjp.exe 91 PID 4808 wrote to memory of 2700 4808 frxrrrl.exe 92 PID 4808 wrote to memory of 
2700 4808 frxrrrl.exe 92 PID 4808 wrote to memory of 2700 4808 frxrrrl.exe 92 PID 2700 wrote to memory of 2712 2700 vdjdv.exe 93 PID 2700 wrote to memory of 2712 2700 vdjdv.exe 93 PID 2700 wrote to memory of 2712 2700 vdjdv.exe 93 PID 2712 wrote to memory of 1368 2712 lrrlllf.exe 94 PID 2712 wrote to memory of 1368 2712 lrrlllf.exe 94 PID 2712 wrote to memory of 1368 2712 lrrlllf.exe 94 PID 1368 wrote to memory of 2260 1368 thhbtn.exe 95 PID 1368 wrote to memory of 2260 1368 thhbtn.exe 95 PID 1368 wrote to memory of 2260 1368 thhbtn.exe 95 PID 2260 wrote to memory of 3772 2260 fxxrrll.exe 96 PID 2260 wrote to memory of 3772 2260 fxxrrll.exe 96 PID 2260 wrote to memory of 3772 2260 fxxrrll.exe 96 PID 3772 wrote to memory of 3512 3772 bttnnn.exe 97 PID 3772 wrote to memory of 3512 3772 bttnnn.exe 97 PID 3772 wrote to memory of 3512 3772 bttnnn.exe 97 PID 3512 wrote to memory of 4004 3512 vddvp.exe 98 PID 3512 wrote to memory of 4004 3512 vddvp.exe 98 PID 3512 wrote to memory of 4004 3512 vddvp.exe 98 PID 4004 wrote to memory of 3264 4004 rlfxrll.exe 99 PID 4004 wrote to memory of 3264 4004 rlfxrll.exe 99 PID 4004 wrote to memory of 3264 4004 rlfxrll.exe 99 PID 3264 wrote to memory of 1868 3264 nhhbbb.exe 100 PID 3264 wrote to memory of 1868 3264 nhhbbb.exe 100 PID 3264 wrote to memory of 1868 3264 nhhbbb.exe 100 PID 1868 wrote to memory of 220 1868 ddvdj.exe 101 PID 1868 wrote to memory of 220 1868 ddvdj.exe 101 PID 1868 wrote to memory of 220 1868 ddvdj.exe 101 PID 220 wrote to memory of 3896 220 fxlflfx.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\69ed042324b4c2b34b6265cb5158f6b9d72041f8261663186077af672c038f5bN.exe"C:\Users\Admin\AppData\Local\Temp\69ed042324b4c2b34b6265cb5158f6b9d72041f8261663186077af672c038f5bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\lfllflf.exec:\lfllflf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\tnnhhh.exec:\tnnhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\9pvpv.exec:\9pvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\5xrrllf.exec:\5xrrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\dvddd.exec:\dvddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\hbhhhn.exec:\hbhhhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\fflfxxx.exec:\fflfxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\dddvv.exec:\dddvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\lrlxffx.exec:\lrlxffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\dppjp.exec:\dppjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\frxrrrl.exec:\frxrrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\vdjdv.exec:\vdjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\lrrlllf.exec:\lrrlllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\thhbtn.exec:\thhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\fxxrrll.exec:\fxxrrll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\bttnnn.exec:\bttnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\vddvp.exec:\vddvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\rlfxrll.exec:\rlfxrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\nhhbbb.exec:\nhhbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\ddvdj.exec:\ddvdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\fxlflfx.exec:\fxlflfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\tbhtnh.exec:\tbhtnh.exe23⤵
- Executes dropped EXE
PID:3896 -
\??\c:\ddppj.exec:\ddppj.exe24⤵
- Executes dropped EXE
PID:4968 -
\??\c:\pdpjj.exec:\pdpjj.exe25⤵
- Executes dropped EXE
PID:2136 -
\??\c:\rfffxxr.exec:\rfffxxr.exe26⤵
- Executes dropped EXE
PID:3672 -
\??\c:\3hnhhn.exec:\3hnhhn.exe27⤵
- Executes dropped EXE
PID:4240 -
\??\c:\pjvdv.exec:\pjvdv.exe28⤵
- Executes dropped EXE
PID:4700 -
\??\c:\pjjdv.exec:\pjjdv.exe29⤵
- Executes dropped EXE
PID:2096 -
\??\c:\xlllxlf.exec:\xlllxlf.exe30⤵
- Executes dropped EXE
PID:2320 -
\??\c:\9frlfxr.exec:\9frlfxr.exe31⤵
- Executes dropped EXE
PID:3104 -
\??\c:\nbttnh.exec:\nbttnh.exe32⤵
- Executes dropped EXE
PID:4320 -
\??\c:\jvdvp.exec:\jvdvp.exe33⤵
- Executes dropped EXE
PID:3620 -
\??\c:\jdjdv.exec:\jdjdv.exe34⤵
- Executes dropped EXE
PID:3940 -
\??\c:\rlrlrlf.exec:\rlrlrlf.exe35⤵
- Executes dropped EXE
PID:1512 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe36⤵
- Executes dropped EXE
PID:2024 -
\??\c:\thhtth.exec:\thhtth.exe37⤵
- Executes dropped EXE
PID:456 -
\??\c:\jvvjv.exec:\jvvjv.exe38⤵
- Executes dropped EXE
PID:1344 -
\??\c:\ppppj.exec:\ppppj.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
\??\c:\xllfxrl.exec:\xllfxrl.exe40⤵
- Executes dropped EXE
PID:4596 -
\??\c:\fxfrrlx.exec:\fxfrrlx.exe41⤵
- Executes dropped EXE
PID:4184 -
\??\c:\ththbt.exec:\ththbt.exe42⤵
- Executes dropped EXE
PID:2740 -
\??\c:\5pjpd.exec:\5pjpd.exe43⤵
- Executes dropped EXE
PID:2240 -
\??\c:\dppdp.exec:\dppdp.exe44⤵
- Executes dropped EXE
PID:4816 -
\??\c:\llfxrfx.exec:\llfxrfx.exe45⤵
- Executes dropped EXE
PID:4080 -
\??\c:\bntnhb.exec:\bntnhb.exe46⤵
- Executes dropped EXE
PID:1456 -
\??\c:\tbnhtn.exec:\tbnhtn.exe47⤵
- Executes dropped EXE
PID:4800 -
\??\c:\ppdvd.exec:\ppdvd.exe48⤵
- Executes dropped EXE
PID:2296 -
\??\c:\frlrfrr.exec:\frlrfrr.exe49⤵
- Executes dropped EXE
PID:2372 -
\??\c:\llffxxr.exec:\llffxxr.exe50⤵
- Executes dropped EXE
PID:4424 -
\??\c:\btnbnh.exec:\btnbnh.exe51⤵
- Executes dropped EXE
PID:4708 -
\??\c:\pdjdd.exec:\pdjdd.exe52⤵
- Executes dropped EXE
PID:2108 -
\??\c:\vvjvp.exec:\vvjvp.exe53⤵
- Executes dropped EXE
PID:3928 -
\??\c:\9rlxrlf.exec:\9rlxrlf.exe54⤵
- Executes dropped EXE
PID:4332 -
\??\c:\hhhhhb.exec:\hhhhhb.exe55⤵
- Executes dropped EXE
PID:3044 -
\??\c:\pppdv.exec:\pppdv.exe56⤵
- Executes dropped EXE
PID:4956 -
\??\c:\jpvjd.exec:\jpvjd.exe57⤵
- Executes dropped EXE
PID:4532 -
\??\c:\nhnhbn.exec:\nhnhbn.exe58⤵
- Executes dropped EXE
PID:5012 -
\??\c:\llrlxrf.exec:\llrlxrf.exe59⤵
- Executes dropped EXE
PID:2168 -
\??\c:\rffrfxl.exec:\rffrfxl.exe60⤵
- Executes dropped EXE
PID:1616 -
\??\c:\bthbbb.exec:\bthbbb.exe61⤵
- Executes dropped EXE
PID:640 -
\??\c:\dpjdp.exec:\dpjdp.exe62⤵
- Executes dropped EXE
PID:1160 -
\??\c:\lxrfxlx.exec:\lxrfxlx.exe63⤵
- Executes dropped EXE
PID:1112 -
\??\c:\xrlflfr.exec:\xrlflfr.exe64⤵
- Executes dropped EXE
PID:4520 -
\??\c:\jdvpj.exec:\jdvpj.exe65⤵
- Executes dropped EXE
PID:3768 -
\??\c:\xxfrfxl.exec:\xxfrfxl.exe66⤵PID:2148
-
\??\c:\dpjvv.exec:\dpjvv.exe67⤵PID:928
-
\??\c:\hbbnbt.exec:\hbbnbt.exe68⤵PID:4760
-
\??\c:\7vpjd.exec:\7vpjd.exe69⤵PID:1968
-
\??\c:\1hhnhb.exec:\1hhnhb.exe70⤵PID:4128
-
\??\c:\dvdpp.exec:\dvdpp.exe71⤵PID:1780
-
\??\c:\rfxllfr.exec:\rfxllfr.exe72⤵PID:3824
-
\??\c:\3fxrlff.exec:\3fxrlff.exe73⤵PID:4368
-
\??\c:\pdvvp.exec:\pdvvp.exe74⤵PID:4012
-
\??\c:\lrrlxrf.exec:\lrrlxrf.exe75⤵PID:940
-
\??\c:\lxfxlxx.exec:\lxfxlxx.exe76⤵PID:3236
-
\??\c:\bnnhhb.exec:\bnnhhb.exe77⤵PID:2400
-
\??\c:\jppdj.exec:\jppdj.exe78⤵PID:4960
-
\??\c:\vjdpj.exec:\vjdpj.exe79⤵PID:4004
-
\??\c:\xrlxxlf.exec:\xrlxxlf.exe80⤵PID:3704
-
\??\c:\nbthtn.exec:\nbthtn.exe81⤵PID:1816
-
\??\c:\ttthbt.exec:\ttthbt.exe82⤵PID:180
-
\??\c:\5djvp.exec:\5djvp.exe83⤵PID:1764
-
\??\c:\rxfrlxr.exec:\rxfrlxr.exe84⤵PID:840
-
\??\c:\nbtnbb.exec:\nbtnbb.exe85⤵PID:2648
-
\??\c:\ntbnbt.exec:\ntbnbt.exe86⤵PID:3092
-
\??\c:\vjdvp.exec:\vjdvp.exe87⤵PID:3864
-
\??\c:\vjjdp.exec:\vjjdp.exe88⤵PID:1532
-
\??\c:\frxlfxx.exec:\frxlfxx.exe89⤵PID:3592
-
\??\c:\fllfxrf.exec:\fllfxrf.exe90⤵PID:2204
-
\??\c:\thhnbt.exec:\thhnbt.exe91⤵PID:3104
-
\??\c:\djpdp.exec:\djpdp.exe92⤵PID:4320
-
\??\c:\5rfrfxr.exec:\5rfrfxr.exe93⤵PID:3620
-
\??\c:\flrlffr.exec:\flrlffr.exe94⤵PID:3940
-
\??\c:\3tnhbh.exec:\3tnhbh.exe95⤵PID:4904
-
\??\c:\1vpjv.exec:\1vpjv.exe96⤵PID:4124
-
\??\c:\fflxlfx.exec:\fflxlfx.exe97⤵PID:456
-
\??\c:\rlxrllf.exec:\rlxrllf.exe98⤵PID:2196
-
\??\c:\tntnnt.exec:\tntnnt.exe99⤵PID:4372
-
\??\c:\vdjvj.exec:\vdjvj.exe100⤵PID:3272
-
\??\c:\xrxlfff.exec:\xrxlfff.exe101⤵PID:2432
-
\??\c:\hbhnhh.exec:\hbhnhh.exe102⤵PID:5088
-
\??\c:\1btthb.exec:\1btthb.exe103⤵PID:2240
-
\??\c:\jdjdp.exec:\jdjdp.exe104⤵PID:1688
-
\??\c:\xlrlrlr.exec:\xlrlrlr.exe105⤵PID:1832
-
\??\c:\ntthtn.exec:\ntthtn.exe106⤵PID:1980
-
\??\c:\dvppv.exec:\dvppv.exe107⤵PID:472
-
\??\c:\pddpd.exec:\pddpd.exe108⤵PID:1828
-
\??\c:\xrxxxff.exec:\xrxxxff.exe109⤵PID:2212
-
\??\c:\thhbtn.exec:\thhbtn.exe110⤵PID:3204
-
\??\c:\pdppj.exec:\pdppj.exe111⤵PID:2896
-
\??\c:\lxxxrxr.exec:\lxxxrxr.exe112⤵PID:3636
-
\??\c:\rxlflfx.exec:\rxlflfx.exe113⤵PID:3976
-
\??\c:\htthtn.exec:\htthtn.exe114⤵PID:1332
-
\??\c:\jpvvj.exec:\jpvvj.exe115⤵PID:3900
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe116⤵PID:4472
-
\??\c:\bbhhbh.exec:\bbhhbh.exe117⤵PID:4328
-
\??\c:\nbbbnn.exec:\nbbbnn.exe118⤵PID:2192
-
\??\c:\dvddp.exec:\dvddp.exe119⤵PID:4212
-
\??\c:\llfrlfx.exec:\llfrlfx.exe120⤵PID:1016
-
\??\c:\3xxlfrl.exec:\3xxlfrl.exe121⤵PID:3044
-
\??\c:\ntthbh.exec:\ntthbh.exe122⤵PID:4324