Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe
-
Size
454KB
-
MD5
a319505930a36727b0caaf4835f67c4d
-
SHA1
df378a9be4fedd0ba75abc9b0aae4b98eb63a80f
-
SHA256
8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c
-
SHA512
f9ca48fdbb43b1336f9a727ec285950037bcd2294972fe4ae9c07d3f632f7fba374211379f42605b5bae927c54db08cf136d57321c57881fe2def271ae5b3742
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1A:q7Tc2NYHUrAwfMp3CD1A
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2368-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2208-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1076-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-1195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4792 vppjj.exe 4352 xrrrlll.exe 2360 bhtnht.exe 3344 hbttnt.exe 1456 vddvv.exe 3064 thnhhh.exe 3972 dddvv.exe 4944 9tnnhh.exe 636 vdjdp.exe 3028 fxlxxxr.exe 3044 nthbbb.exe 3136 1lrlfff.exe 4772 nnnhtn.exe 4016 jvvpv.exe 2884 xfllfff.exe 4032 vvdvp.exe 2032 rrxrllr.exe 4420 nhnhbb.exe 1492 vppjd.exe 2820 fxrlffx.exe 2808 jpjjp.exe 4236 xlfxlfr.exe 1436 hnhnbb.exe 2632 lfxrllf.exe 1588 bhhbth.exe 1960 3ppdv.exe 2208 rrrlfff.exe 2400 xlrfrfx.exe 2792 vjjdp.exe 4460 1nbttb.exe 4688 xrlxxxr.exe 1536 hthhtt.exe 1248 5rlfxxl.exe 5092 dvjpp.exe 2232 7vdvp.exe 2356 rlfxrrr.exe 676 btnnbb.exe 3368 3dpjd.exe 1232 xlrfxrx.exe 2164 nthtnh.exe 2464 jddvp.exe 3140 djjdp.exe 4408 3lrlxrf.exe 4588 jjdpj.exe 3608 vjjvj.exe 3956 xflxrlf.exe 460 hbnhtn.exe 3868 1vvpd.exe 5080 rrrffxr.exe 2920 xflfflf.exe 4076 nhnhnh.exe 4388 dpjvv.exe 2636 fflfrrl.exe 2368 tnhbnn.exe 3592 tbbttb.exe 3724 pjdvj.exe 628 ffffxfx.exe 2360 7tnbhh.exe 840 nnhbtt.exe 1792 ppdpv.exe 1804 lxffxlx.exe 3164 3xfxlfl.exe 2304 hbhbnn.exe 2580 pjjdp.exe -
resource yara_rule behavioral2/memory/2368-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4688-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5020-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-887-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
ntbbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 4792 2368 8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe 82 PID 2368 wrote to memory of 4792 2368 8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe 82 PID 2368 wrote to memory of 4792 2368 8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe 82 PID 4792 wrote to memory of 4352 4792 vppjj.exe 83 PID 4792 wrote to memory of 4352 4792 vppjj.exe 83 PID 4792 wrote to memory of 4352 4792 vppjj.exe 83 PID 4352 wrote to memory of 2360 4352 xrrrlll.exe 84 PID 4352 wrote to memory of 2360 4352 xrrrlll.exe 84 PID 4352 wrote to memory of 2360 4352 xrrrlll.exe 84 PID 2360 wrote to memory of 3344 2360 bhtnht.exe 85 PID 2360 wrote to memory of 3344 2360 bhtnht.exe 85 PID 2360 wrote to memory of 3344 2360 bhtnht.exe 85 PID 3344 wrote to memory of 1456 3344 hbttnt.exe 86 PID 3344 wrote to memory of 1456 3344 hbttnt.exe 86 PID 3344 wrote to memory of 1456 3344 hbttnt.exe 86 PID 1456 wrote to memory of 3064 1456 vddvv.exe 87 PID 1456 wrote to memory of 3064 1456 vddvv.exe 87 PID 1456 wrote to memory of 3064 1456 vddvv.exe 87 PID 3064 wrote to memory of 3972 3064 thnhhh.exe 88 PID 3064 wrote to memory of 3972 3064 thnhhh.exe 88 PID 3064 wrote to memory of 3972 3064 thnhhh.exe 88 PID 3972 wrote to memory of 4944 3972 dddvv.exe 89 PID 3972 wrote to memory of 4944 3972 dddvv.exe 89 PID 3972 wrote to memory of 4944 3972 dddvv.exe 89 PID 4944 wrote to memory of 636 4944 9tnnhh.exe 90 PID 4944 wrote to memory of 636 4944 9tnnhh.exe 90 PID 4944 wrote to memory of 636 4944 9tnnhh.exe 90 PID 636 wrote to memory of 3028 636 vdjdp.exe 91 PID 636 wrote to memory of 3028 636 vdjdp.exe 91 PID 636 wrote to memory of 3028 636 vdjdp.exe 91 PID 3028 wrote to memory of 3044 3028 fxlxxxr.exe 92 PID 3028 wrote to memory of 3044 3028 fxlxxxr.exe 92 PID 3028 wrote to memory of 3044 3028 fxlxxxr.exe 92 PID 3044 wrote to memory of 3136 3044 nthbbb.exe 93 PID 3044 wrote to memory of 3136 
3044 nthbbb.exe 93 PID 3044 wrote to memory of 3136 3044 nthbbb.exe 93 PID 3136 wrote to memory of 4772 3136 1lrlfff.exe 94 PID 3136 wrote to memory of 4772 3136 1lrlfff.exe 94 PID 3136 wrote to memory of 4772 3136 1lrlfff.exe 94 PID 4772 wrote to memory of 4016 4772 nnnhtn.exe 95 PID 4772 wrote to memory of 4016 4772 nnnhtn.exe 95 PID 4772 wrote to memory of 4016 4772 nnnhtn.exe 95 PID 4016 wrote to memory of 2884 4016 jvvpv.exe 96 PID 4016 wrote to memory of 2884 4016 jvvpv.exe 96 PID 4016 wrote to memory of 2884 4016 jvvpv.exe 96 PID 2884 wrote to memory of 4032 2884 xfllfff.exe 97 PID 2884 wrote to memory of 4032 2884 xfllfff.exe 97 PID 2884 wrote to memory of 4032 2884 xfllfff.exe 97 PID 4032 wrote to memory of 2032 4032 vvdvp.exe 98 PID 4032 wrote to memory of 2032 4032 vvdvp.exe 98 PID 4032 wrote to memory of 2032 4032 vvdvp.exe 98 PID 2032 wrote to memory of 4420 2032 rrxrllr.exe 99 PID 2032 wrote to memory of 4420 2032 rrxrllr.exe 99 PID 2032 wrote to memory of 4420 2032 rrxrllr.exe 99 PID 4420 wrote to memory of 1492 4420 nhnhbb.exe 100 PID 4420 wrote to memory of 1492 4420 nhnhbb.exe 100 PID 4420 wrote to memory of 1492 4420 nhnhbb.exe 100 PID 1492 wrote to memory of 2820 1492 vppjd.exe 101 PID 1492 wrote to memory of 2820 1492 vppjd.exe 101 PID 1492 wrote to memory of 2820 1492 vppjd.exe 101 PID 2820 wrote to memory of 2808 2820 fxrlffx.exe 102 PID 2820 wrote to memory of 2808 2820 fxrlffx.exe 102 PID 2820 wrote to memory of 2808 2820 fxrlffx.exe 102 PID 2808 wrote to memory of 4236 2808 jpjjp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe"C:\Users\Admin\AppData\Local\Temp\8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\vppjj.exec:\vppjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\xrrrlll.exec:\xrrrlll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\bhtnht.exec:\bhtnht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\hbttnt.exec:\hbttnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\vddvv.exec:\vddvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\thnhhh.exec:\thnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\dddvv.exec:\dddvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\9tnnhh.exec:\9tnnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\vdjdp.exec:\vdjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\fxlxxxr.exec:\fxlxxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\nthbbb.exec:\nthbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\1lrlfff.exec:\1lrlfff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\nnnhtn.exec:\nnnhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\jvvpv.exec:\jvvpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\xfllfff.exec:\xfllfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\vvdvp.exec:\vvdvp.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\rrxrllr.exec:\rrxrllr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\nhnhbb.exec:\nhnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\vppjd.exec:\vppjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\fxrlffx.exec:\fxrlffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\jpjjp.exec:\jpjjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe23⤵
- Executes dropped EXE
PID:4236 -
\??\c:\hnhnbb.exec:\hnhnbb.exe24⤵
- Executes dropped EXE
PID:1436 -
\??\c:\lfxrllf.exec:\lfxrllf.exe25⤵
- Executes dropped EXE
PID:2632 -
\??\c:\bhhbth.exec:\bhhbth.exe26⤵
- Executes dropped EXE
PID:1588 -
\??\c:\3ppdv.exec:\3ppdv.exe27⤵
- Executes dropped EXE
PID:1960 -
\??\c:\rrrlfff.exec:\rrrlfff.exe28⤵
- Executes dropped EXE
PID:2208 -
\??\c:\xlrfrfx.exec:\xlrfrfx.exe29⤵
- Executes dropped EXE
PID:2400 -
\??\c:\vjjdp.exec:\vjjdp.exe30⤵
- Executes dropped EXE
PID:2792 -
\??\c:\1nbttb.exec:\1nbttb.exe31⤵
- Executes dropped EXE
PID:4460 -
\??\c:\xrlxxxr.exec:\xrlxxxr.exe32⤵
- Executes dropped EXE
PID:4688 -
\??\c:\hthhtt.exec:\hthhtt.exe33⤵
- Executes dropped EXE
PID:1536 -
\??\c:\5rlfxxl.exec:\5rlfxxl.exe34⤵
- Executes dropped EXE
PID:1248 -
\??\c:\dvjpp.exec:\dvjpp.exe35⤵
- Executes dropped EXE
PID:5092 -
\??\c:\7vdvp.exec:\7vdvp.exe36⤵
- Executes dropped EXE
PID:2232 -
\??\c:\rlfxrrr.exec:\rlfxrrr.exe37⤵
- Executes dropped EXE
PID:2356 -
\??\c:\btnnbb.exec:\btnnbb.exe38⤵
- Executes dropped EXE
PID:676 -
\??\c:\3dpjd.exec:\3dpjd.exe39⤵
- Executes dropped EXE
PID:3368 -
\??\c:\xlrfxrx.exec:\xlrfxrx.exe40⤵
- Executes dropped EXE
PID:1232 -
\??\c:\nthtnh.exec:\nthtnh.exe41⤵
- Executes dropped EXE
PID:2164 -
\??\c:\jddvp.exec:\jddvp.exe42⤵
- Executes dropped EXE
PID:2464 -
\??\c:\djjdp.exec:\djjdp.exe43⤵
- Executes dropped EXE
PID:3140 -
\??\c:\3lrlxrf.exec:\3lrlxrf.exe44⤵
- Executes dropped EXE
PID:4408 -
\??\c:\jjdpj.exec:\jjdpj.exe45⤵
- Executes dropped EXE
PID:4588 -
\??\c:\vjjvj.exec:\vjjvj.exe46⤵
- Executes dropped EXE
PID:3608 -
\??\c:\xflxrlf.exec:\xflxrlf.exe47⤵
- Executes dropped EXE
PID:3956 -
\??\c:\hbnhtn.exec:\hbnhtn.exe48⤵
- Executes dropped EXE
PID:460 -
\??\c:\1vvpd.exec:\1vvpd.exe49⤵
- Executes dropped EXE
PID:3868 -
\??\c:\rrrffxr.exec:\rrrffxr.exe50⤵
- Executes dropped EXE
PID:5080 -
\??\c:\xflfflf.exec:\xflfflf.exe51⤵
- Executes dropped EXE
PID:2920 -
\??\c:\nhnhnh.exec:\nhnhnh.exe52⤵
- Executes dropped EXE
PID:4076 -
\??\c:\dpjvv.exec:\dpjvv.exe53⤵
- Executes dropped EXE
PID:4388 -
\??\c:\fflfrrl.exec:\fflfrrl.exe54⤵
- Executes dropped EXE
PID:2636 -
\??\c:\tnhbnn.exec:\tnhbnn.exe55⤵
- Executes dropped EXE
PID:2368 -
\??\c:\tbbttb.exec:\tbbttb.exe56⤵
- Executes dropped EXE
PID:3592 -
\??\c:\pjdvj.exec:\pjdvj.exe57⤵
- Executes dropped EXE
PID:3724 -
\??\c:\ffffxfx.exec:\ffffxfx.exe58⤵
- Executes dropped EXE
PID:628 -
\??\c:\7tnbhh.exec:\7tnbhh.exe59⤵
- Executes dropped EXE
PID:2360 -
\??\c:\nnhbtt.exec:\nnhbtt.exe60⤵
- Executes dropped EXE
PID:840 -
\??\c:\ppdpv.exec:\ppdpv.exe61⤵
- Executes dropped EXE
PID:1792 -
\??\c:\lxffxlx.exec:\lxffxlx.exe62⤵
- Executes dropped EXE
PID:1804 -
\??\c:\3xfxlfl.exec:\3xfxlfl.exe63⤵
- Executes dropped EXE
PID:3164 -
\??\c:\hbhbnn.exec:\hbhbnn.exe64⤵
- Executes dropped EXE
PID:2304 -
\??\c:\pjjdp.exec:\pjjdp.exe65⤵
- Executes dropped EXE
PID:2580 -
\??\c:\fllfrlf.exec:\fllfrlf.exe66⤵PID:3896
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe67⤵PID:3000
-
\??\c:\hbnhbt.exec:\hbnhbt.exe68⤵PID:1840
-
\??\c:\pdjdp.exec:\pdjdp.exe69⤵PID:956
-
\??\c:\xlrfxxx.exec:\xlrfxxx.exe70⤵PID:1076
-
\??\c:\llrrlll.exec:\llrrlll.exe71⤵PID:3484
-
\??\c:\nttthb.exec:\nttthb.exe72⤵PID:4748
-
\??\c:\5ppjd.exec:\5ppjd.exe73⤵PID:3136
-
\??\c:\1rxrffr.exec:\1rxrffr.exe74⤵PID:1332
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe75⤵PID:5112
-
\??\c:\9ntnth.exec:\9ntnth.exe76⤵PID:2684
-
\??\c:\dvvpj.exec:\dvvpj.exe77⤵PID:3520
-
\??\c:\fxrrrrl.exec:\fxrrrrl.exe78⤵PID:224
-
\??\c:\nttttt.exec:\nttttt.exe79⤵PID:1428
-
\??\c:\dvvpv.exec:\dvvpv.exe80⤵PID:4168
-
\??\c:\jjvpj.exec:\jjvpj.exe81⤵PID:4420
-
\??\c:\lllrxll.exec:\lllrxll.exe82⤵PID:3012
-
\??\c:\9nhbtb.exec:\9nhbtb.exe83⤵PID:5016
-
\??\c:\jvvdv.exec:\jvvdv.exe84⤵PID:5020
-
\??\c:\rxxrffx.exec:\rxxrffx.exe85⤵
- System Location Discovery: System Language Discovery
PID:2560 -
\??\c:\tnhbtt.exec:\tnhbtt.exe86⤵PID:4840
-
\??\c:\jjddd.exec:\jjddd.exe87⤵PID:1700
-
\??\c:\7jvvp.exec:\7jvvp.exe88⤵PID:1448
-
\??\c:\llrrxxr.exec:\llrrxxr.exe89⤵PID:5052
-
\??\c:\tbtnnn.exec:\tbtnnn.exe90⤵PID:1016
-
\??\c:\pvdvv.exec:\pvdvv.exe91⤵PID:1576
-
\??\c:\rrxrxxl.exec:\rrxrxxl.exe92⤵PID:3420
-
\??\c:\lfrrrrl.exec:\lfrrrrl.exe93⤵PID:660
-
\??\c:\tthbhn.exec:\tthbhn.exe94⤵PID:2652
-
\??\c:\pvdvv.exec:\pvdvv.exe95⤵PID:4916
-
\??\c:\djjvv.exec:\djjvv.exe96⤵PID:3968
-
\??\c:\fflffff.exec:\fflffff.exe97⤵PID:4448
-
\??\c:\tbhbbh.exec:\tbhbbh.exe98⤵PID:4912
-
\??\c:\pvpdj.exec:\pvpdj.exe99⤵PID:3904
-
\??\c:\vdpjj.exec:\vdpjj.exe100⤵PID:1264
-
\??\c:\xfxrrrx.exec:\xfxrrrx.exe101⤵PID:3572
-
\??\c:\thhbtn.exec:\thhbtn.exe102⤵PID:3468
-
\??\c:\pjjjd.exec:\pjjjd.exe103⤵PID:540
-
\??\c:\vdppp.exec:\vdppp.exe104⤵PID:4268
-
\??\c:\frxrlrl.exec:\frxrlrl.exe105⤵PID:2688
-
\??\c:\nbhhbb.exec:\nbhhbb.exe106⤵PID:3640
-
\??\c:\btnhhb.exec:\btnhhb.exe107⤵PID:4896
-
\??\c:\vjvdp.exec:\vjvdp.exe108⤵PID:1684
-
\??\c:\xrrlffx.exec:\xrrlffx.exe109⤵PID:1956
-
\??\c:\hbttnh.exec:\hbttnh.exe110⤵PID:2288
-
\??\c:\nhbbhh.exec:\nhbbhh.exe111⤵PID:2908
-
\??\c:\9jjdd.exec:\9jjdd.exe112⤵PID:2864
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe113⤵PID:2876
-
\??\c:\btbttt.exec:\btbttt.exe114⤵PID:3528
-
\??\c:\vppjd.exec:\vppjd.exe115⤵PID:2700
-
\??\c:\jjvpd.exec:\jjvpd.exe116⤵PID:468
-
\??\c:\lffxxxr.exec:\lffxxxr.exe117⤵PID:4932
-
\??\c:\bbbttt.exec:\bbbttt.exe118⤵PID:2888
-
\??\c:\ppvpp.exec:\ppvpp.exe119⤵PID:2176
-
\??\c:\fxxrlrl.exec:\fxxrlrl.exe120⤵PID:4608
-
\??\c:\7bnhbb.exec:\7bnhbb.exe121⤵PID:4404
-
\??\c:\3ddvp.exec:\3ddvp.exe122⤵PID:4372