Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 14:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
14ca581a5e6d1b596c66717e9926f30c1e2d16f1be2531cf28abe2741c7a4ae0.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
14ca581a5e6d1b596c66717e9926f30c1e2d16f1be2531cf28abe2741c7a4ae0.exe
-
Size
454KB
-
MD5
008682d2ad891bf5af097b90fbff0eec
-
SHA1
e0b8b45795c0e967859e1eb8216d38904e67aa61
-
SHA256
14ca581a5e6d1b596c66717e9926f30c1e2d16f1be2531cf28abe2741c7a4ae0
-
SHA512
1b078251953945835151797773440fa83f4ed7f616372827b56e20a9d797a2657f241dd0ad0cf5ab171a46eae3fe45a90882e56e69dc1f42c9c67a857db1026d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1448-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1236-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4624-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-1521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4780 5ttnbb.exe 3024 9hnhnh.exe 1380 7lrlfxl.exe 4000 3fxrlxl.exe 4248 tnbtnh.exe 2324 jddpd.exe 3916 9llfffl.exe 4040 djjjp.exe 4420 rxxrxrf.exe 2092 pjddv.exe 3088 rrlllxx.exe 3548 nbbnhn.exe 1436 fflfxxx.exe 1556 9bbtnt.exe 1492 ppdpd.exe 4596 5flffff.exe 1488 nhhbnh.exe 2008 jjdvj.exe 1736 rflrxlr.exe 1884 3tnnbb.exe 64 9llfrrx.exe 4520 3tbnhb.exe 832 3vddj.exe 1236 lfffxxr.exe 2252 pppjp.exe 1028 7xrfllr.exe 4932 hbnbth.exe 2900 5lrlxxl.exe 3048 btnbhn.exe 1580 pdppj.exe 2036 jjjdd.exe 3312 1rlrflx.exe 1952 hbnnbh.exe 2884 dvvdv.exe 4472 rrrllxr.exe 2372 bnnbtn.exe 4344 dvddd.exe 1232 5flflrx.exe 3416 bhtnhn.exe 1428 ddvvv.exe 2784 xrfffff.exe 216 3lrlrff.exe 4392 5nhhbb.exe 2832 jvjdp.exe 3896 lxrlfll.exe 2484 nhbthh.exe 4116 vjpjd.exe 468 lllfxxx.exe 432 bhnbtt.exe 5092 jdddv.exe 2276 frxrxfr.exe 2380 nttnbb.exe 4132 vdpjj.exe 2860 xffxrrl.exe 3628 hnnbnb.exe 1616 dvpvp.exe 3056 tntttb.exe 2816 pjjjv.exe 4420 xxrflxf.exe 3052 hhbhth.exe 2752 ppppd.exe 2408 flfrlxf.exe 2432 nnhnbt.exe 5080 vdvvp.exe -
resource yara_rule behavioral2/memory/1448-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1028-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1900-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-866-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1448 wrote to memory of 4780 1448 14ca581a5e6d1b596c66717e9926f30c1e2d16f1be2531cf28abe2741c7a4ae0.exe 82 PID 1448 wrote to memory of 4780 1448 14ca581a5e6d1b596c66717e9926f30c1e2d16f1be2531cf28abe2741c7a4ae0.exe 82 PID 1448 wrote to memory of 4780 1448 14ca581a5e6d1b596c66717e9926f30c1e2d16f1be2531cf28abe2741c7a4ae0.exe 82 PID 4780 wrote to memory of 3024 4780 5ttnbb.exe 83 PID 4780 wrote to memory of 3024 4780 5ttnbb.exe 83 PID 4780 wrote to memory of 3024 4780 5ttnbb.exe 83 PID 3024 wrote to memory of 1380 3024 9hnhnh.exe 84 PID 3024 wrote to memory of 1380 3024 9hnhnh.exe 84 PID 3024 wrote to memory of 1380 3024 9hnhnh.exe 84 PID 1380 wrote to memory of 4000 1380 7lrlfxl.exe 85 PID 1380 wrote to memory of 4000 1380 7lrlfxl.exe 85 PID 1380 wrote to memory of 4000 1380 7lrlfxl.exe 85 PID 4000 wrote to memory of 4248 4000 3fxrlxl.exe 86 PID 4000 wrote to memory of 4248 4000 3fxrlxl.exe 86 PID 4000 wrote to memory of 4248 4000 3fxrlxl.exe 86 PID 4248 wrote to memory of 2324 4248 tnbtnh.exe 87 PID 4248 wrote to memory of 2324 4248 tnbtnh.exe 87 PID 4248 wrote to memory of 2324 4248 tnbtnh.exe 87 PID 2324 wrote to memory of 3916 2324 jddpd.exe 88 PID 2324 wrote to memory of 3916 2324 jddpd.exe 88 PID 2324 wrote to memory of 3916 2324 jddpd.exe 88 PID 3916 wrote to memory of 4040 3916 9llfffl.exe 89 PID 3916 wrote to memory of 4040 3916 9llfffl.exe 89 PID 3916 wrote to memory of 4040 3916 9llfffl.exe 89 PID 4040 wrote to memory of 4420 4040 djjjp.exe 90 PID 4040 wrote to memory of 4420 4040 djjjp.exe 90 PID 4040 wrote to memory of 4420 4040 djjjp.exe 90 PID 4420 wrote to memory of 2092 4420 rxxrxrf.exe 91 PID 4420 wrote to memory of 2092 4420 rxxrxrf.exe 91 PID 4420 wrote to memory of 2092 4420 rxxrxrf.exe 91 PID 2092 wrote to memory of 3088 2092 pjddv.exe 92 PID 2092 wrote to memory of 3088 2092 pjddv.exe 92 PID 2092 wrote to memory of 3088 2092 pjddv.exe 92 PID 3088 wrote to memory of 3548 3088 rrlllxx.exe 93 PID 3088 wrote 
to memory of 3548 3088 rrlllxx.exe 93 PID 3088 wrote to memory of 3548 3088 rrlllxx.exe 93 PID 3548 wrote to memory of 1436 3548 nbbnhn.exe 94 PID 3548 wrote to memory of 1436 3548 nbbnhn.exe 94 PID 3548 wrote to memory of 1436 3548 nbbnhn.exe 94 PID 1436 wrote to memory of 1556 1436 fflfxxx.exe 95 PID 1436 wrote to memory of 1556 1436 fflfxxx.exe 95 PID 1436 wrote to memory of 1556 1436 fflfxxx.exe 95 PID 1556 wrote to memory of 1492 1556 9bbtnt.exe 96 PID 1556 wrote to memory of 1492 1556 9bbtnt.exe 96 PID 1556 wrote to memory of 1492 1556 9bbtnt.exe 96 PID 1492 wrote to memory of 4596 1492 ppdpd.exe 97 PID 1492 wrote to memory of 4596 1492 ppdpd.exe 97 PID 1492 wrote to memory of 4596 1492 ppdpd.exe 97 PID 4596 wrote to memory of 1488 4596 5flffff.exe 98 PID 4596 wrote to memory of 1488 4596 5flffff.exe 98 PID 4596 wrote to memory of 1488 4596 5flffff.exe 98 PID 1488 wrote to memory of 2008 1488 nhhbnh.exe 99 PID 1488 wrote to memory of 2008 1488 nhhbnh.exe 99 PID 1488 wrote to memory of 2008 1488 nhhbnh.exe 99 PID 2008 wrote to memory of 1736 2008 jjdvj.exe 100 PID 2008 wrote to memory of 1736 2008 jjdvj.exe 100 PID 2008 wrote to memory of 1736 2008 jjdvj.exe 100 PID 1736 wrote to memory of 1884 1736 rflrxlr.exe 101 PID 1736 wrote to memory of 1884 1736 rflrxlr.exe 101 PID 1736 wrote to memory of 1884 1736 rflrxlr.exe 101 PID 1884 wrote to memory of 64 1884 3tnnbb.exe 102 PID 1884 wrote to memory of 64 1884 3tnnbb.exe 102 PID 1884 wrote to memory of 64 1884 3tnnbb.exe 102 PID 64 wrote to memory of 4520 64 9llfrrx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\14ca581a5e6d1b596c66717e9926f30c1e2d16f1be2531cf28abe2741c7a4ae0.exe"C:\Users\Admin\AppData\Local\Temp\14ca581a5e6d1b596c66717e9926f30c1e2d16f1be2531cf28abe2741c7a4ae0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\5ttnbb.exec:\5ttnbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\9hnhnh.exec:\9hnhnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\7lrlfxl.exec:\7lrlfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\3fxrlxl.exec:\3fxrlxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\tnbtnh.exec:\tnbtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\jddpd.exec:\jddpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\9llfffl.exec:\9llfffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\djjjp.exec:\djjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\rxxrxrf.exec:\rxxrxrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\pjddv.exec:\pjddv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\rrlllxx.exec:\rrlllxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\nbbnhn.exec:\nbbnhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\fflfxxx.exec:\fflfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\9bbtnt.exec:\9bbtnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\ppdpd.exec:\ppdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\5flffff.exec:\5flffff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\nhhbnh.exec:\nhhbnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\jjdvj.exec:\jjdvj.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\rflrxlr.exec:\rflrxlr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\3tnnbb.exec:\3tnnbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\9llfrrx.exec:\9llfrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\3tbnhb.exec:\3tbnhb.exe23⤵
- Executes dropped EXE
PID:4520 -
\??\c:\3vddj.exec:\3vddj.exe24⤵
- Executes dropped EXE
PID:832 -
\??\c:\lfffxxr.exec:\lfffxxr.exe25⤵
- Executes dropped EXE
PID:1236 -
\??\c:\pppjp.exec:\pppjp.exe26⤵
- Executes dropped EXE
PID:2252 -
\??\c:\7xrfllr.exec:\7xrfllr.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\hbnbth.exec:\hbnbth.exe28⤵
- Executes dropped EXE
PID:4932 -
\??\c:\5lrlxxl.exec:\5lrlxxl.exe29⤵
- Executes dropped EXE
PID:2900 -
\??\c:\btnbhn.exec:\btnbhn.exe30⤵
- Executes dropped EXE
PID:3048 -
\??\c:\pdppj.exec:\pdppj.exe31⤵
- Executes dropped EXE
PID:1580 -
\??\c:\jjjdd.exec:\jjjdd.exe32⤵
- Executes dropped EXE
PID:2036 -
\??\c:\1rlrflx.exec:\1rlrflx.exe33⤵
- Executes dropped EXE
PID:3312 -
\??\c:\hbnnbh.exec:\hbnnbh.exe34⤵
- Executes dropped EXE
PID:1952 -
\??\c:\dvvdv.exec:\dvvdv.exe35⤵
- Executes dropped EXE
PID:2884 -
\??\c:\rrrllxr.exec:\rrrllxr.exe36⤵
- Executes dropped EXE
PID:4472 -
\??\c:\bnnbtn.exec:\bnnbtn.exe37⤵
- Executes dropped EXE
PID:2372 -
\??\c:\dvddd.exec:\dvddd.exe38⤵
- Executes dropped EXE
PID:4344 -
\??\c:\5flflrx.exec:\5flflrx.exe39⤵
- Executes dropped EXE
PID:1232 -
\??\c:\bhtnhn.exec:\bhtnhn.exe40⤵
- Executes dropped EXE
PID:3416 -
\??\c:\ddvvv.exec:\ddvvv.exe41⤵
- Executes dropped EXE
PID:1428 -
\??\c:\xrfffff.exec:\xrfffff.exe42⤵
- Executes dropped EXE
PID:2784 -
\??\c:\3lrlrff.exec:\3lrlrff.exe43⤵
- Executes dropped EXE
PID:216 -
\??\c:\5nhhbb.exec:\5nhhbb.exe44⤵
- Executes dropped EXE
PID:4392 -
\??\c:\jvjdp.exec:\jvjdp.exe45⤵
- Executes dropped EXE
PID:2832 -
\??\c:\lxrlfll.exec:\lxrlfll.exe46⤵
- Executes dropped EXE
PID:3896 -
\??\c:\nhbthh.exec:\nhbthh.exe47⤵
- Executes dropped EXE
PID:2484 -
\??\c:\vjpjd.exec:\vjpjd.exe48⤵
- Executes dropped EXE
PID:4116 -
\??\c:\lllfxxx.exec:\lllfxxx.exe49⤵
- Executes dropped EXE
PID:468 -
\??\c:\bhnbtt.exec:\bhnbtt.exe50⤵
- Executes dropped EXE
PID:432 -
\??\c:\jdddv.exec:\jdddv.exe51⤵
- Executes dropped EXE
PID:5092 -
\??\c:\frxrxfr.exec:\frxrxfr.exe52⤵
- Executes dropped EXE
PID:2276 -
\??\c:\nttnbb.exec:\nttnbb.exe53⤵
- Executes dropped EXE
PID:2380 -
\??\c:\vdpjj.exec:\vdpjj.exe54⤵
- Executes dropped EXE
PID:4132 -
\??\c:\xffxrrl.exec:\xffxrrl.exe55⤵
- Executes dropped EXE
PID:2860 -
\??\c:\hnnbnb.exec:\hnnbnb.exe56⤵
- Executes dropped EXE
PID:3628 -
\??\c:\dvpvp.exec:\dvpvp.exe57⤵
- Executes dropped EXE
PID:1616 -
\??\c:\tntttb.exec:\tntttb.exe58⤵
- Executes dropped EXE
PID:3056 -
\??\c:\pjjjv.exec:\pjjjv.exe59⤵
- Executes dropped EXE
PID:2816 -
\??\c:\xxrflxf.exec:\xxrflxf.exe60⤵
- Executes dropped EXE
PID:4420 -
\??\c:\hhbhth.exec:\hhbhth.exe61⤵
- Executes dropped EXE
PID:3052 -
\??\c:\ppppd.exec:\ppppd.exe62⤵
- Executes dropped EXE
PID:2752 -
\??\c:\flfrlxf.exec:\flfrlxf.exe63⤵
- Executes dropped EXE
PID:2408 -
\??\c:\nnhnbt.exec:\nnhnbt.exe64⤵
- Executes dropped EXE
PID:2432 -
\??\c:\vdvvp.exec:\vdvvp.exe65⤵
- Executes dropped EXE
PID:5080 -
\??\c:\xxllrfl.exec:\xxllrfl.exe66⤵PID:4924
-
\??\c:\1ttnbb.exec:\1ttnbb.exe67⤵PID:4992
-
\??\c:\fxxfrlf.exec:\fxxfrlf.exe68⤵PID:3164
-
\??\c:\fxllffr.exec:\fxllffr.exe69⤵PID:4596
-
\??\c:\tntntn.exec:\tntntn.exe70⤵PID:4772
-
\??\c:\rfflfxr.exec:\rfflfxr.exe71⤵PID:2612
-
\??\c:\lrffrxf.exec:\lrffrxf.exe72⤵PID:1896
-
\??\c:\pddvp.exec:\pddvp.exe73⤵PID:5072
-
\??\c:\fxfffll.exec:\fxfffll.exe74⤵PID:4624
-
\??\c:\xfrrrxx.exec:\xfrrrxx.exe75⤵PID:1828
-
\??\c:\thtttb.exec:\thtttb.exe76⤵PID:1968
-
\??\c:\jddvp.exec:\jddvp.exe77⤵PID:212
-
\??\c:\xfxfxlr.exec:\xfxfxlr.exe78⤵PID:3484
-
\??\c:\bhnnnt.exec:\bhnnnt.exe79⤵PID:1244
-
\??\c:\jpvvv.exec:\jpvvv.exe80⤵PID:1236
-
\??\c:\xlxlfff.exec:\xlxlfff.exe81⤵PID:1900
-
\??\c:\bnbtbb.exec:\bnbtbb.exe82⤵PID:3596
-
\??\c:\ppvvv.exec:\ppvvv.exe83⤵PID:744
-
\??\c:\5lrlrrx.exec:\5lrlrrx.exe84⤵PID:2840
-
\??\c:\9bhtbt.exec:\9bhtbt.exe85⤵PID:4864
-
\??\c:\vdpjj.exec:\vdpjj.exe86⤵PID:4516
-
\??\c:\3xlffxx.exec:\3xlffxx.exe87⤵PID:4004
-
\??\c:\tnttht.exec:\tnttht.exe88⤵PID:1580
-
\??\c:\jjppp.exec:\jjppp.exe89⤵PID:2036
-
\??\c:\rxrrllx.exec:\rxrrllx.exe90⤵PID:2500
-
\??\c:\hntnhb.exec:\hntnhb.exe91⤵PID:3392
-
\??\c:\jpdpj.exec:\jpdpj.exe92⤵PID:3652
-
\??\c:\fxfxlff.exec:\fxfxlff.exe93⤵PID:624
-
\??\c:\ttbbbb.exec:\ttbbbb.exe94⤵PID:4472
-
\??\c:\3dvvp.exec:\3dvvp.exe95⤵PID:1420
-
\??\c:\pvpjv.exec:\pvpjv.exe96⤵PID:3064
-
\??\c:\xxxxxrl.exec:\xxxxxrl.exe97⤵PID:1232
-
\??\c:\btbhbh.exec:\btbhbh.exe98⤵PID:3212
-
\??\c:\jjvpp.exec:\jjvpp.exe99⤵PID:1688
-
\??\c:\flxxxxx.exec:\flxxxxx.exe100⤵PID:3664
-
\??\c:\xfllxlx.exec:\xfllxlx.exe101⤵PID:3640
-
\??\c:\tbhbbh.exec:\tbhbbh.exe102⤵PID:4376
-
\??\c:\vpddd.exec:\vpddd.exe103⤵PID:3116
-
\??\c:\xrrrlll.exec:\xrrrlll.exe104⤵
- System Location Discovery: System Language Discovery
PID:3232 -
\??\c:\htttnn.exec:\htttnn.exe105⤵PID:4912
-
\??\c:\5djpp.exec:\5djpp.exe106⤵PID:4504
-
\??\c:\5lllfxx.exec:\5lllfxx.exe107⤵PID:4264
-
\??\c:\9flllrr.exec:\9flllrr.exe108⤵PID:1380
-
\??\c:\1ttttn.exec:\1ttttn.exe109⤵PID:1992
-
\??\c:\vvjdd.exec:\vvjdd.exe110⤵PID:4968
-
\??\c:\ffrllll.exec:\ffrllll.exe111⤵PID:764
-
\??\c:\hthbtb.exec:\hthbtb.exe112⤵PID:5088
-
\??\c:\tbhbtb.exec:\tbhbtb.exe113⤵PID:3004
-
\??\c:\vdjdv.exec:\vdjdv.exe114⤵PID:4804
-
\??\c:\1xxxxff.exec:\1xxxxff.exe115⤵PID:4808
-
\??\c:\hbnhtt.exec:\hbnhtt.exe116⤵PID:1616
-
\??\c:\tnbttb.exec:\tnbttb.exe117⤵PID:4048
-
\??\c:\vjppj.exec:\vjppj.exe118⤵PID:2816
-
\??\c:\rrxrrxr.exec:\rrxrrxr.exe119⤵PID:1748
-
\??\c:\tthhhn.exec:\tthhhn.exe120⤵PID:1832
-
\??\c:\jdppp.exec:\jdppp.exe121⤵PID:1228
-
\??\c:\xxxrflf.exec:\xxxrflf.exe122⤵PID:3548