Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:57
Behavioral task
behavioral1
Sample
e61110ee80f39048a0f4fe9c86c9118fb13ecade7dcc816ea34c1587ac7b51bdN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e61110ee80f39048a0f4fe9c86c9118fb13ecade7dcc816ea34c1587ac7b51bdN.exe
-
Size
97KB
-
MD5
f8be9eede00e894ac0b580bd1d8295e0
-
SHA1
09bf84677dc31b9513e6d8e3187f74d0e7746717
-
SHA256
e61110ee80f39048a0f4fe9c86c9118fb13ecade7dcc816ea34c1587ac7b51bd
-
SHA512
a71d2856f5475d5b2d3c02194c002626ce54df61fb60a412317063e9e1757220689600849cb6d6866d70cb34adab2fa72ac4d7339c6ae9fca4fa02d57a7fac97
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgRG:8cm4FmowdHoSgWrXUgU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3996-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3284-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4476-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2396-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3404-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4360-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3136-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/980-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4460-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1988-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/868-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3408-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3176-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/632-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/820-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/940-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1008-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/784-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/880-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2004-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3944-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1180-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3920-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2436-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/632-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-522-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3820-615-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-716-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-823-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4332-842-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2476-903-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3920-1138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3284 5tthbt.exe 2920 7hhbnh.exe 2104 ppjjv.exe 4020 xrxfrxr.exe 4432 btttnn.exe 4476 dvpjv.exe 2396 vjjjv.exe 1120 lxfrrll.exe 1852 nhnbtn.exe 3404 5vpjj.exe 4280 ffxrffx.exe 4360 fllfrrf.exe 4076 hnhhth.exe 3136 pjvpp.exe 980 hhthnn.exe 3844 bnhbhh.exe 3316 jpddv.exe 4460 vddvj.exe 1988 rffrflf.exe 4976 bnnbnb.exe 868 hntbth.exe 1592 jpvpd.exe 532 1jvvj.exe 1056 fxllrrl.exe 2180 9nnbnb.exe 2620 vddvj.exe 3408 jdpdd.exe 2832 xffrffr.exe 4704 xllfxxr.exe 2880 tbbthh.exe 2700 jvvpj.exe 3332 lfxrfll.exe 860 nbhbnh.exe 3980 vpjvv.exe 1584 7dpjv.exe 3684 7llxlff.exe 1604 xllfrlf.exe 3824 1hhnnb.exe 1068 3tnnhb.exe 3176 lxflfrl.exe 2816 rlfxrrl.exe 632 nhbtnn.exe 4244 1ppjd.exe 2752 vdjvp.exe 3840 rlllxrl.exe 820 nttnbt.exe 2216 3bhtnn.exe 940 9ppjd.exe 216 5dvjd.exe 1180 rrlxrlx.exe 3920 flrxrlf.exe 4368 thnhtt.exe 4344 3bhbbb.exe 4556 pjpjv.exe 1008 rrxrffx.exe 4000 1llfxxl.exe 436 btnhbt.exe 2676 thhbnn.exe 784 jdvpv.exe 3060 jppvp.exe 2660 rlflrxr.exe 4540 5frrfrl.exe 1156 9tnnhb.exe 880 nhhbnh.exe -
resource yara_rule behavioral2/memory/3996-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b9a-3.dat upx behavioral2/memory/3996-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b9d-8.dat upx behavioral2/memory/3284-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb7-11.dat upx behavioral2/memory/2104-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2920-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bbc-19.dat upx behavioral2/memory/2104-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bbd-24.dat upx behavioral2/memory/4020-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bbe-29.dat upx behavioral2/memory/4432-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bc2-34.dat upx behavioral2/memory/4476-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bc4-39.dat upx behavioral2/memory/2396-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bc7-44.dat upx behavioral2/memory/1120-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bc8-51.dat upx behavioral2/memory/1852-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3404-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bc9-54.dat upx behavioral2/files/0x0008000000023bca-59.dat upx behavioral2/memory/4280-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bf9-64.dat upx behavioral2/memory/4360-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfa-69.dat upx behavioral2/files/0x0008000000023bfb-73.dat upx 
behavioral2/memory/3136-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/980-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfc-78.dat upx behavioral2/files/0x0008000000023bfd-82.dat upx behavioral2/memory/3316-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfe-88.dat upx behavioral2/memory/4460-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c03-93.dat upx behavioral2/files/0x0008000000023c04-97.dat upx behavioral2/memory/1988-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c05-102.dat upx behavioral2/files/0x0008000000023c17-106.dat upx behavioral2/memory/868-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c1d-110.dat upx behavioral2/files/0x0008000000023c1e-115.dat upx behavioral2/memory/532-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c1f-120.dat upx behavioral2/files/0x0008000000023bfe-124.dat upx behavioral2/memory/2620-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c20-128.dat upx behavioral2/memory/3408-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c21-134.dat upx behavioral2/files/0x000b000000023c37-138.dat upx behavioral2/files/0x0016000000023c38-142.dat upx behavioral2/memory/4704-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2700-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b9e-147.dat upx behavioral2/memory/2880-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c3e-154.dat upx behavioral2/memory/860-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1584-164-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1604-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3176-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/632-181-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3996 wrote to memory of 3284 3996 e61110ee80f39048a0f4fe9c86c9118fb13ecade7dcc816ea34c1587ac7b51bdN.exe 82 PID 3996 wrote to memory of 3284 3996 e61110ee80f39048a0f4fe9c86c9118fb13ecade7dcc816ea34c1587ac7b51bdN.exe 82 PID 3996 wrote to memory of 3284 3996 e61110ee80f39048a0f4fe9c86c9118fb13ecade7dcc816ea34c1587ac7b51bdN.exe 82 PID 3284 wrote to memory of 2920 3284 5tthbt.exe 83 PID 3284 wrote to memory of 2920 3284 5tthbt.exe 83 PID 3284 wrote to memory of 2920 3284 5tthbt.exe 83 PID 2920 wrote to memory of 2104 2920 7hhbnh.exe 84 PID 2920 wrote to memory of 2104 2920 7hhbnh.exe 84 PID 2920 wrote to memory of 2104 2920 7hhbnh.exe 84 PID 2104 wrote to memory of 4020 2104 ppjjv.exe 85 PID 2104 wrote to memory of 4020 2104 ppjjv.exe 85 PID 2104 wrote to memory of 4020 2104 ppjjv.exe 85 PID 4020 wrote to memory of 4432 4020 xrxfrxr.exe 86 PID 4020 wrote to memory of 4432 4020 xrxfrxr.exe 86 PID 4020 wrote to memory of 4432 4020 xrxfrxr.exe 86 PID 4432 wrote to memory of 4476 4432 btttnn.exe 87 PID 4432 wrote to memory of 4476 4432 btttnn.exe 87 PID 4432 wrote to memory of 4476 4432 btttnn.exe 87 PID 4476 wrote to memory of 2396 4476 dvpjv.exe 88 PID 4476 wrote to memory of 2396 4476 dvpjv.exe 88 PID 4476 wrote to memory of 2396 4476 dvpjv.exe 88 PID 2396 wrote to memory of 1120 2396 vjjjv.exe 89 PID 2396 wrote to memory of 1120 2396 vjjjv.exe 89 PID 2396 wrote to memory of 1120 2396 vjjjv.exe 89 PID 1120 wrote to memory of 1852 1120 lxfrrll.exe 90 PID 1120 wrote to memory of 1852 1120 lxfrrll.exe 90 PID 1120 wrote to memory of 1852 1120 lxfrrll.exe 90 PID 1852 wrote to memory of 3404 1852 nhnbtn.exe 91 PID 1852 wrote to memory of 3404 1852 nhnbtn.exe 91 PID 1852 wrote to memory of 3404 1852 nhnbtn.exe 91 PID 3404 wrote to memory of 4280 3404 5vpjj.exe 92 PID 3404 wrote to memory of 4280 3404 5vpjj.exe 92 PID 3404 wrote to memory of 4280 3404 5vpjj.exe 92 PID 4280 wrote to memory of 4360 4280 ffxrffx.exe 93 PID 4280 wrote to 
memory of 4360 4280 ffxrffx.exe 93 PID 4280 wrote to memory of 4360 4280 ffxrffx.exe 93 PID 4360 wrote to memory of 4076 4360 fllfrrf.exe 94 PID 4360 wrote to memory of 4076 4360 fllfrrf.exe 94 PID 4360 wrote to memory of 4076 4360 fllfrrf.exe 94 PID 4076 wrote to memory of 3136 4076 hnhhth.exe 95 PID 4076 wrote to memory of 3136 4076 hnhhth.exe 95 PID 4076 wrote to memory of 3136 4076 hnhhth.exe 95 PID 3136 wrote to memory of 980 3136 pjvpp.exe 96 PID 3136 wrote to memory of 980 3136 pjvpp.exe 96 PID 3136 wrote to memory of 980 3136 pjvpp.exe 96 PID 980 wrote to memory of 3844 980 hhthnn.exe 97 PID 980 wrote to memory of 3844 980 hhthnn.exe 97 PID 980 wrote to memory of 3844 980 hhthnn.exe 97 PID 3844 wrote to memory of 3316 3844 bnhbhh.exe 98 PID 3844 wrote to memory of 3316 3844 bnhbhh.exe 98 PID 3844 wrote to memory of 3316 3844 bnhbhh.exe 98 PID 3316 wrote to memory of 4460 3316 jpddv.exe 99 PID 3316 wrote to memory of 4460 3316 jpddv.exe 99 PID 3316 wrote to memory of 4460 3316 jpddv.exe 99 PID 4460 wrote to memory of 1988 4460 vddvj.exe 100 PID 4460 wrote to memory of 1988 4460 vddvj.exe 100 PID 4460 wrote to memory of 1988 4460 vddvj.exe 100 PID 1988 wrote to memory of 4976 1988 rffrflf.exe 101 PID 1988 wrote to memory of 4976 1988 rffrflf.exe 101 PID 1988 wrote to memory of 4976 1988 rffrflf.exe 101 PID 4976 wrote to memory of 868 4976 bnnbnb.exe 102 PID 4976 wrote to memory of 868 4976 bnnbnb.exe 102 PID 4976 wrote to memory of 868 4976 bnnbnb.exe 102 PID 868 wrote to memory of 1592 868 hntbth.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e61110ee80f39048a0f4fe9c86c9118fb13ecade7dcc816ea34c1587ac7b51bdN.exe"C:\Users\Admin\AppData\Local\Temp\e61110ee80f39048a0f4fe9c86c9118fb13ecade7dcc816ea34c1587ac7b51bdN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\5tthbt.exec:\5tthbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\7hhbnh.exec:\7hhbnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\ppjjv.exec:\ppjjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\xrxfrxr.exec:\xrxfrxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\btttnn.exec:\btttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\dvpjv.exec:\dvpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\vjjjv.exec:\vjjjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\lxfrrll.exec:\lxfrrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\nhnbtn.exec:\nhnbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\5vpjj.exec:\5vpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\ffxrffx.exec:\ffxrffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\fllfrrf.exec:\fllfrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\hnhhth.exec:\hnhhth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\pjvpp.exec:\pjvpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\hhthnn.exec:\hhthnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\bnhbhh.exec:\bnhbhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\jpddv.exec:\jpddv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\vddvj.exec:\vddvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\rffrflf.exec:\rffrflf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\bnnbnb.exec:\bnnbnb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\hntbth.exec:\hntbth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\jpvpd.exec:\jpvpd.exe23⤵
- Executes dropped EXE
PID:1592 -
\??\c:\1jvvj.exec:\1jvvj.exe24⤵
- Executes dropped EXE
PID:532 -
\??\c:\fxllrrl.exec:\fxllrrl.exe25⤵
- Executes dropped EXE
PID:1056 -
\??\c:\9nnbnb.exec:\9nnbnb.exe26⤵
- Executes dropped EXE
PID:2180 -
\??\c:\vddvj.exec:\vddvj.exe27⤵
- Executes dropped EXE
PID:2620 -
\??\c:\jdpdd.exec:\jdpdd.exe28⤵
- Executes dropped EXE
PID:3408 -
\??\c:\xffrffr.exec:\xffrffr.exe29⤵
- Executes dropped EXE
PID:2832 -
\??\c:\xllfxxr.exec:\xllfxxr.exe30⤵
- Executes dropped EXE
PID:4704 -
\??\c:\tbbthh.exec:\tbbthh.exe31⤵
- Executes dropped EXE
PID:2880 -
\??\c:\jvvpj.exec:\jvvpj.exe32⤵
- Executes dropped EXE
PID:2700 -
\??\c:\lfxrfll.exec:\lfxrfll.exe33⤵
- Executes dropped EXE
PID:3332 -
\??\c:\nbhbnh.exec:\nbhbnh.exe34⤵
- Executes dropped EXE
PID:860 -
\??\c:\vpjvv.exec:\vpjvv.exe35⤵
- Executes dropped EXE
PID:3980 -
\??\c:\7dpjv.exec:\7dpjv.exe36⤵
- Executes dropped EXE
PID:1584 -
\??\c:\7llxlff.exec:\7llxlff.exe37⤵
- Executes dropped EXE
PID:3684 -
\??\c:\xllfrlf.exec:\xllfrlf.exe38⤵
- Executes dropped EXE
PID:1604 -
\??\c:\1hhnnb.exec:\1hhnnb.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3824 -
\??\c:\3tnnhb.exec:\3tnnhb.exe40⤵
- Executes dropped EXE
PID:1068 -
\??\c:\lxflfrl.exec:\lxflfrl.exe41⤵
- Executes dropped EXE
PID:3176 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe42⤵
- Executes dropped EXE
PID:2816 -
\??\c:\nhbtnn.exec:\nhbtnn.exe43⤵
- Executes dropped EXE
PID:632 -
\??\c:\1ppjd.exec:\1ppjd.exe44⤵
- Executes dropped EXE
PID:4244 -
\??\c:\vdjvp.exec:\vdjvp.exe45⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rlllxrl.exec:\rlllxrl.exe46⤵
- Executes dropped EXE
PID:3840 -
\??\c:\nttnbt.exec:\nttnbt.exe47⤵
- Executes dropped EXE
PID:820 -
\??\c:\3bhtnn.exec:\3bhtnn.exe48⤵
- Executes dropped EXE
PID:2216 -
\??\c:\9ppjd.exec:\9ppjd.exe49⤵
- Executes dropped EXE
PID:940 -
\??\c:\5dvjd.exec:\5dvjd.exe50⤵
- Executes dropped EXE
PID:216 -
\??\c:\rrlxrlx.exec:\rrlxrlx.exe51⤵
- Executes dropped EXE
PID:1180 -
\??\c:\flrxrlf.exec:\flrxrlf.exe52⤵
- Executes dropped EXE
PID:3920 -
\??\c:\thnhtt.exec:\thnhtt.exe53⤵
- Executes dropped EXE
PID:4368 -
\??\c:\3bhbbb.exec:\3bhbbb.exe54⤵
- Executes dropped EXE
PID:4344 -
\??\c:\pjpjv.exec:\pjpjv.exe55⤵
- Executes dropped EXE
PID:4556 -
\??\c:\rrxrffx.exec:\rrxrffx.exe56⤵
- Executes dropped EXE
PID:1008 -
\??\c:\1llfxxl.exec:\1llfxxl.exe57⤵
- Executes dropped EXE
PID:4000 -
\??\c:\btnhbt.exec:\btnhbt.exe58⤵
- Executes dropped EXE
PID:436 -
\??\c:\thhbnn.exec:\thhbnn.exe59⤵
- Executes dropped EXE
PID:2676 -
\??\c:\jdvpv.exec:\jdvpv.exe60⤵
- Executes dropped EXE
PID:784 -
\??\c:\jppvp.exec:\jppvp.exe61⤵
- Executes dropped EXE
PID:3060 -
\??\c:\rlflrxr.exec:\rlflrxr.exe62⤵
- Executes dropped EXE
PID:2660 -
\??\c:\5frrfrl.exec:\5frrfrl.exe63⤵
- Executes dropped EXE
PID:4540 -
\??\c:\9tnnhb.exec:\9tnnhb.exe64⤵
- Executes dropped EXE
PID:1156 -
\??\c:\nhhbnh.exec:\nhhbnh.exe65⤵
- Executes dropped EXE
PID:880 -
\??\c:\dvjvj.exec:\dvjvj.exe66⤵PID:2436
-
\??\c:\9fxrxrf.exec:\9fxrxrf.exe67⤵PID:2512
-
\??\c:\rlfxrlx.exec:\rlfxrlx.exe68⤵PID:3744
-
\??\c:\xlfrrlr.exec:\xlfrrlr.exe69⤵PID:4832
-
\??\c:\tthttt.exec:\tthttt.exe70⤵PID:4896
-
\??\c:\htnhtn.exec:\htnhtn.exe71⤵PID:4488
-
\??\c:\jpvpd.exec:\jpvpd.exe72⤵PID:4356
-
\??\c:\frrflfx.exec:\frrflfx.exe73⤵PID:4360
-
\??\c:\bnbtht.exec:\bnbtht.exe74⤵PID:3496
-
\??\c:\bnbnnh.exec:\bnbnnh.exe75⤵PID:2280
-
\??\c:\7bbnbt.exec:\7bbnbt.exe76⤵PID:1352
-
\??\c:\jvvjd.exec:\jvvjd.exe77⤵PID:2084
-
\??\c:\9llfrlx.exec:\9llfrlx.exe78⤵PID:2004
-
\??\c:\frrlxrl.exec:\frrlxrl.exe79⤵PID:2420
-
\??\c:\5tnhtt.exec:\5tnhtt.exe80⤵PID:1776
-
\??\c:\hbbhtt.exec:\hbbhtt.exe81⤵PID:3420
-
\??\c:\9dvvj.exec:\9dvvj.exe82⤵PID:4548
-
\??\c:\vdjjj.exec:\vdjjj.exe83⤵PID:1988
-
\??\c:\thnbnh.exec:\thnbnh.exe84⤵PID:4976
-
\??\c:\djvvp.exec:\djvvp.exe85⤵PID:4136
-
\??\c:\1pppj.exec:\1pppj.exe86⤵PID:3944
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe87⤵PID:1304
-
\??\c:\hntnbh.exec:\hntnbh.exe88⤵PID:532
-
\??\c:\hnnhtn.exec:\hnnhtn.exe89⤵PID:1056
-
\??\c:\djvjv.exec:\djvjv.exe90⤵PID:4884
-
\??\c:\vjdpv.exec:\vjdpv.exe91⤵PID:4752
-
\??\c:\flffllr.exec:\flffllr.exe92⤵PID:2620
-
\??\c:\xrrxllx.exec:\xrrxllx.exe93⤵PID:3408
-
\??\c:\tntnhh.exec:\tntnhh.exe94⤵PID:1544
-
\??\c:\htnbnn.exec:\htnbnn.exe95⤵PID:2472
-
\??\c:\1djvd.exec:\1djvd.exe96⤵PID:2028
-
\??\c:\rxfrlxr.exec:\rxfrlxr.exe97⤵PID:2632
-
\??\c:\llxrfff.exec:\llxrfff.exe98⤵PID:2408
-
\??\c:\nhbtnt.exec:\nhbtnt.exe99⤵PID:4816
-
\??\c:\vjjdj.exec:\vjjdj.exe100⤵PID:2700
-
\??\c:\jvjdj.exec:\jvjdj.exe101⤵PID:1176
-
\??\c:\lrxrfxr.exec:\lrxrfxr.exe102⤵PID:3240
-
\??\c:\lllfxxx.exec:\lllfxxx.exe103⤵PID:3980
-
\??\c:\hhnhtt.exec:\hhnhtt.exe104⤵PID:1584
-
\??\c:\tnhtnh.exec:\tnhtnh.exe105⤵PID:3684
-
\??\c:\9vpdp.exec:\9vpdp.exe106⤵PID:1228
-
\??\c:\ddjjd.exec:\ddjjd.exe107⤵PID:2708
-
\??\c:\rrrffxr.exec:\rrrffxr.exe108⤵PID:3140
-
\??\c:\xxfrfxr.exec:\xxfrfxr.exe109⤵PID:3272
-
\??\c:\9hnhbn.exec:\9hnhbn.exe110⤵PID:3608
-
\??\c:\htnhtn.exec:\htnhtn.exe111⤵PID:3732
-
\??\c:\dvjvp.exec:\dvjvp.exe112⤵PID:3428
-
\??\c:\xffxlfr.exec:\xffxlfr.exe113⤵PID:4864
-
\??\c:\5rlfxxl.exec:\5rlfxxl.exe114⤵PID:2312
-
\??\c:\bhhtbh.exec:\bhhtbh.exe115⤵PID:1632
-
\??\c:\htnhbb.exec:\htnhbb.exe116⤵PID:2672
-
\??\c:\pdvjv.exec:\pdvjv.exe117⤵PID:3564
-
\??\c:\pjvjp.exec:\pjvjp.exe118⤵PID:2352
-
\??\c:\xlfrlxr.exec:\xlfrlxr.exe119⤵PID:4968
-
\??\c:\lxrfffx.exec:\lxrfffx.exe120⤵PID:1180
-
\??\c:\htnhtt.exec:\htnhtt.exe121⤵PID:3920
-
\??\c:\nnnttn.exec:\nnnttn.exe122⤵PID:4120