Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe
-
Size
453KB
-
MD5
4e07a4279a8d04d3ceed8e463f1d3a80
-
SHA1
21e9f05e968fa22165076280d4897f76dd7dda06
-
SHA256
c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0
-
SHA512
316e369be5f2f23cb7257b05c83d8c0a90a5af5bf09eeb311bae32b2527378f260df6a5fd688bb4eb4b7d15946d70cae6fe917ee002175db58021d72c2f1117f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3124-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3524-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4912-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-1142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-1253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-1350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-1724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-1794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 456 xrxxrrr.exe 2420 tntnnt.exe 1144 bbhbbh.exe 4048 5dvpd.exe 4484 pjvpv.exe 4904 rrrlxfx.exe 5004 nhhhhn.exe 3948 9bthhh.exe 1800 ddjjp.exe 1376 bttnnn.exe 2940 jjpjd.exe 2064 hbbttn.exe 3100 lflfxxr.exe 3044 7hnhhh.exe 3024 jjvpd.exe 244 5xxrffx.exe 224 tntnhh.exe 3032 3fxfrrl.exe 4944 pjjdv.exe 688 fxlfrxx.exe 3064 hbbbtt.exe 2464 tntnbb.exe 4768 nnhbnt.exe 3524 dvjvv.exe 4764 3jpjd.exe 2256 vdpdv.exe 4576 bnhbnn.exe 2436 jdddd.exe 764 9ffxlll.exe 2280 tttnhb.exe 4080 9jvpd.exe 2388 xlrrlll.exe 3252 tnnnhb.exe 3888 jjjdd.exe 1864 rfrflff.exe 1072 nbbtnn.exe 4740 vppjd.exe 676 3lfxrrr.exe 3440 fllfxxf.exe 2688 nhntnb.exe 4544 dpvpj.exe 2608 1llxxrx.exe 1744 tttnbt.exe 2164 tttnhb.exe 4364 dvdpd.exe 3240 lffxrrl.exe 1984 bnnnbb.exe 3492 htthth.exe 4128 vjjdv.exe 1144 5lllxxr.exe 860 3xxxllf.exe 1964 5ttnbt.exe 4288 pdvdv.exe 4196 fxfrfxr.exe 516 tbnhbb.exe 1172 nnnhtn.exe 1872 vjvpd.exe 4864 ffxlffx.exe 4772 nhhbhb.exe 3700 1bhhhh.exe 2192 5jdvp.exe 3660 lxrlfxx.exe 2140 nthbbb.exe 3508 9bbtbt.exe -
resource yara_rule behavioral2/memory/3124-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2256-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-510-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3604-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-1142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-1174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-1253-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbbhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3124 wrote to memory of 456 3124 c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe 82 PID 3124 wrote to memory of 456 3124 c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe 82 PID 3124 wrote to memory of 456 3124 c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe 82 PID 456 wrote to memory of 2420 456 xrxxrrr.exe 83 PID 456 wrote to memory of 2420 456 xrxxrrr.exe 83 PID 456 wrote to memory of 2420 456 xrxxrrr.exe 83 PID 2420 wrote to memory of 1144 2420 tntnnt.exe 84 PID 2420 wrote to memory of 1144 2420 tntnnt.exe 84 PID 2420 wrote to memory of 1144 2420 tntnnt.exe 84 PID 1144 wrote to memory of 4048 1144 bbhbbh.exe 85 PID 1144 wrote to memory of 4048 1144 bbhbbh.exe 85 PID 1144 wrote to memory of 4048 1144 bbhbbh.exe 85 PID 4048 wrote to memory of 4484 4048 5dvpd.exe 86 PID 4048 wrote to memory of 4484 4048 5dvpd.exe 86 PID 4048 wrote to memory of 4484 4048 5dvpd.exe 86 PID 4484 wrote to memory of 4904 4484 pjvpv.exe 87 PID 4484 wrote to memory of 4904 4484 pjvpv.exe 87 PID 4484 wrote to memory of 4904 4484 pjvpv.exe 87 PID 4904 wrote to memory of 5004 4904 rrrlxfx.exe 88 PID 4904 wrote to memory of 5004 4904 rrrlxfx.exe 88 PID 4904 wrote to memory of 5004 4904 rrrlxfx.exe 88 PID 5004 wrote to memory of 3948 5004 nhhhhn.exe 89 PID 5004 wrote to memory of 3948 5004 nhhhhn.exe 89 PID 5004 wrote to memory of 3948 5004 nhhhhn.exe 89 PID 3948 wrote to memory of 1800 3948 9bthhh.exe 90 PID 3948 wrote to memory of 1800 3948 9bthhh.exe 90 PID 3948 wrote to memory of 1800 3948 9bthhh.exe 90 PID 1800 wrote to memory of 1376 1800 ddjjp.exe 91 PID 1800 wrote to memory of 1376 1800 ddjjp.exe 91 PID 1800 wrote to memory of 1376 1800 ddjjp.exe 91 PID 1376 wrote to memory of 2940 1376 bttnnn.exe 92 PID 1376 wrote to memory of 2940 1376 bttnnn.exe 92 PID 1376 wrote to memory of 2940 1376 bttnnn.exe 92 PID 2940 wrote to memory of 2064 2940 jjpjd.exe 93 PID 2940 wrote to memory of 
2064 2940 jjpjd.exe 93 PID 2940 wrote to memory of 2064 2940 jjpjd.exe 93 PID 2064 wrote to memory of 3100 2064 hbbttn.exe 94 PID 2064 wrote to memory of 3100 2064 hbbttn.exe 94 PID 2064 wrote to memory of 3100 2064 hbbttn.exe 94 PID 3100 wrote to memory of 3044 3100 lflfxxr.exe 95 PID 3100 wrote to memory of 3044 3100 lflfxxr.exe 95 PID 3100 wrote to memory of 3044 3100 lflfxxr.exe 95 PID 3044 wrote to memory of 3024 3044 7hnhhh.exe 96 PID 3044 wrote to memory of 3024 3044 7hnhhh.exe 96 PID 3044 wrote to memory of 3024 3044 7hnhhh.exe 96 PID 3024 wrote to memory of 244 3024 jjvpd.exe 97 PID 3024 wrote to memory of 244 3024 jjvpd.exe 97 PID 3024 wrote to memory of 244 3024 jjvpd.exe 97 PID 244 wrote to memory of 224 244 5xxrffx.exe 98 PID 244 wrote to memory of 224 244 5xxrffx.exe 98 PID 244 wrote to memory of 224 244 5xxrffx.exe 98 PID 224 wrote to memory of 3032 224 tntnhh.exe 99 PID 224 wrote to memory of 3032 224 tntnhh.exe 99 PID 224 wrote to memory of 3032 224 tntnhh.exe 99 PID 3032 wrote to memory of 4944 3032 3fxfrrl.exe 100 PID 3032 wrote to memory of 4944 3032 3fxfrrl.exe 100 PID 3032 wrote to memory of 4944 3032 3fxfrrl.exe 100 PID 4944 wrote to memory of 688 4944 pjjdv.exe 101 PID 4944 wrote to memory of 688 4944 pjjdv.exe 101 PID 4944 wrote to memory of 688 4944 pjjdv.exe 101 PID 688 wrote to memory of 3064 688 fxlfrxx.exe 102 PID 688 wrote to memory of 3064 688 fxlfrxx.exe 102 PID 688 wrote to memory of 3064 688 fxlfrxx.exe 102 PID 3064 wrote to memory of 2464 3064 hbbbtt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe"C:\Users\Admin\AppData\Local\Temp\c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\tntnnt.exec:\tntnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\bbhbbh.exec:\bbhbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\5dvpd.exec:\5dvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\pjvpv.exec:\pjvpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\rrrlxfx.exec:\rrrlxfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\nhhhhn.exec:\nhhhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\9bthhh.exec:\9bthhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\ddjjp.exec:\ddjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\bttnnn.exec:\bttnnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\jjpjd.exec:\jjpjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\hbbttn.exec:\hbbttn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\lflfxxr.exec:\lflfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\7hnhhh.exec:\7hnhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\jjvpd.exec:\jjvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\5xxrffx.exec:\5xxrffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\tntnhh.exec:\tntnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\3fxfrrl.exec:\3fxfrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\pjjdv.exec:\pjjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\fxlfrxx.exec:\fxlfrxx.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\hbbbtt.exec:\hbbbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\tntnbb.exec:\tntnbb.exe23⤵
- Executes dropped EXE
PID:2464 -
\??\c:\nnhbnt.exec:\nnhbnt.exe24⤵
- Executes dropped EXE
PID:4768 -
\??\c:\dvjvv.exec:\dvjvv.exe25⤵
- Executes dropped EXE
PID:3524 -
\??\c:\3jpjd.exec:\3jpjd.exe26⤵
- Executes dropped EXE
PID:4764 -
\??\c:\vdpdv.exec:\vdpdv.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2256 -
\??\c:\bnhbnn.exec:\bnhbnn.exe28⤵
- Executes dropped EXE
PID:4576 -
\??\c:\jdddd.exec:\jdddd.exe29⤵
- Executes dropped EXE
PID:2436 -
\??\c:\9ffxlll.exec:\9ffxlll.exe30⤵
- Executes dropped EXE
PID:764 -
\??\c:\tttnhb.exec:\tttnhb.exe31⤵
- Executes dropped EXE
PID:2280 -
\??\c:\9jvpd.exec:\9jvpd.exe32⤵
- Executes dropped EXE
PID:4080 -
\??\c:\xlrrlll.exec:\xlrrlll.exe33⤵
- Executes dropped EXE
PID:2388 -
\??\c:\tnnnhb.exec:\tnnnhb.exe34⤵
- Executes dropped EXE
PID:3252 -
\??\c:\jjjdd.exec:\jjjdd.exe35⤵
- Executes dropped EXE
PID:3888 -
\??\c:\rfrflff.exec:\rfrflff.exe36⤵
- Executes dropped EXE
PID:1864 -
\??\c:\nbbtnn.exec:\nbbtnn.exe37⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vppjd.exec:\vppjd.exe38⤵
- Executes dropped EXE
PID:4740 -
\??\c:\3lfxrrr.exec:\3lfxrrr.exe39⤵
- Executes dropped EXE
PID:676 -
\??\c:\fllfxxf.exec:\fllfxxf.exe40⤵
- Executes dropped EXE
PID:3440 -
\??\c:\nhntnb.exec:\nhntnb.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\dpvpj.exec:\dpvpj.exe42⤵
- Executes dropped EXE
PID:4544 -
\??\c:\1llxxrx.exec:\1llxxrx.exe43⤵
- Executes dropped EXE
PID:2608 -
\??\c:\tttnbt.exec:\tttnbt.exe44⤵
- Executes dropped EXE
PID:1744 -
\??\c:\tttnhb.exec:\tttnhb.exe45⤵
- Executes dropped EXE
PID:2164 -
\??\c:\dvdpd.exec:\dvdpd.exe46⤵
- Executes dropped EXE
PID:4364 -
\??\c:\lffxrrl.exec:\lffxrrl.exe47⤵
- Executes dropped EXE
PID:3240 -
\??\c:\bnnnbb.exec:\bnnnbb.exe48⤵
- Executes dropped EXE
PID:1984 -
\??\c:\htthth.exec:\htthth.exe49⤵
- Executes dropped EXE
PID:3492 -
\??\c:\vjjdv.exec:\vjjdv.exe50⤵
- Executes dropped EXE
PID:4128 -
\??\c:\5lllxxr.exec:\5lllxxr.exe51⤵
- Executes dropped EXE
PID:1144 -
\??\c:\3xxxllf.exec:\3xxxllf.exe52⤵
- Executes dropped EXE
PID:860 -
\??\c:\5ttnbt.exec:\5ttnbt.exe53⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pdvdv.exec:\pdvdv.exe54⤵
- Executes dropped EXE
PID:4288 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe55⤵
- Executes dropped EXE
PID:4196 -
\??\c:\tbnhbb.exec:\tbnhbb.exe56⤵
- Executes dropped EXE
PID:516 -
\??\c:\nnnhtn.exec:\nnnhtn.exe57⤵
- Executes dropped EXE
PID:1172 -
\??\c:\vjvpd.exec:\vjvpd.exe58⤵
- Executes dropped EXE
PID:1872 -
\??\c:\ffxlffx.exec:\ffxlffx.exe59⤵
- Executes dropped EXE
PID:4864 -
\??\c:\nhhbhb.exec:\nhhbhb.exe60⤵
- Executes dropped EXE
PID:4772 -
\??\c:\1bhhhh.exec:\1bhhhh.exe61⤵
- Executes dropped EXE
PID:3700 -
\??\c:\5jdvp.exec:\5jdvp.exe62⤵
- Executes dropped EXE
PID:2192 -
\??\c:\lxrlfxx.exec:\lxrlfxx.exe63⤵
- Executes dropped EXE
PID:3660 -
\??\c:\nthbbb.exec:\nthbbb.exe64⤵
- Executes dropped EXE
PID:2140 -
\??\c:\9bbtbt.exec:\9bbtbt.exe65⤵
- Executes dropped EXE
PID:3508 -
\??\c:\5dvjd.exec:\5dvjd.exe66⤵PID:3204
-
\??\c:\lfrrfxx.exec:\lfrrfxx.exe67⤵PID:216
-
\??\c:\hnnbnh.exec:\hnnbnh.exe68⤵PID:1196
-
\??\c:\5vpdp.exec:\5vpdp.exe69⤵PID:4924
-
\??\c:\3dpvj.exec:\3dpvj.exe70⤵PID:244
-
\??\c:\rlrfllf.exec:\rlrfllf.exe71⤵PID:1136
-
\??\c:\nbhbtt.exec:\nbhbtt.exe72⤵PID:4872
-
\??\c:\3ppjv.exec:\3ppjv.exe73⤵PID:2936
-
\??\c:\llrfxrl.exec:\llrfxrl.exe74⤵PID:1960
-
\??\c:\5rrfrfr.exec:\5rrfrfr.exe75⤵PID:3720
-
\??\c:\bnthth.exec:\bnthth.exe76⤵PID:544
-
\??\c:\vjjdp.exec:\vjjdp.exe77⤵PID:5092
-
\??\c:\fllxlxl.exec:\fllxlxl.exe78⤵PID:2628
-
\??\c:\5bhbbt.exec:\5bhbbt.exe79⤵PID:3460
-
\??\c:\bttnnn.exec:\bttnnn.exe80⤵PID:4824
-
\??\c:\3pdvv.exec:\3pdvv.exe81⤵PID:1260
-
\??\c:\xlfxlfr.exec:\xlfxlfr.exe82⤵PID:1488
-
\??\c:\1hnhbb.exec:\1hnhbb.exe83⤵PID:2144
-
\??\c:\1bbthn.exec:\1bbthn.exe84⤵PID:1328
-
\??\c:\5djdd.exec:\5djdd.exe85⤵
- System Location Discovery: System Language Discovery
PID:3320 -
\??\c:\fffxlff.exec:\fffxlff.exe86⤵PID:808
-
\??\c:\btnhtn.exec:\btnhtn.exe87⤵PID:5108
-
\??\c:\hhhbnh.exec:\hhhbnh.exe88⤵PID:3968
-
\??\c:\pdjdp.exec:\pdjdp.exe89⤵PID:1588
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe90⤵PID:1080
-
\??\c:\tnbnnh.exec:\tnbnnh.exe91⤵PID:1684
-
\??\c:\jddpd.exec:\jddpd.exe92⤵PID:3596
-
\??\c:\7vdvj.exec:\7vdvj.exe93⤵
- System Location Discovery: System Language Discovery
PID:3216 -
\??\c:\frxrxxx.exec:\frxrxxx.exe94⤵PID:3956
-
\??\c:\3thhtn.exec:\3thhtn.exe95⤵PID:3960
-
\??\c:\9dvdp.exec:\9dvdp.exe96⤵PID:1876
-
\??\c:\flrlllr.exec:\flrlllr.exe97⤵PID:1440
-
\??\c:\5flxlfr.exec:\5flxlfr.exe98⤵PID:3052
-
\??\c:\tnthtn.exec:\tnthtn.exe99⤵PID:4408
-
\??\c:\pjjdp.exec:\pjjdp.exe100⤵PID:5112
-
\??\c:\9frrxxl.exec:\9frrxxl.exe101⤵PID:4912
-
\??\c:\tnnbnb.exec:\tnnbnb.exe102⤵PID:3208
-
\??\c:\hntnhh.exec:\hntnhh.exe103⤵PID:1180
-
\??\c:\1jpjv.exec:\1jpjv.exe104⤵PID:3644
-
\??\c:\xlrxlxx.exec:\xlrxlxx.exe105⤵PID:4348
-
\??\c:\tbbnbt.exec:\tbbnbt.exe106⤵PID:2228
-
\??\c:\bbtthh.exec:\bbtthh.exe107⤵PID:3124
-
\??\c:\pvddd.exec:\pvddd.exe108⤵PID:4036
-
\??\c:\rrrfffl.exec:\rrrfffl.exe109⤵PID:2396
-
\??\c:\fxxlfxl.exec:\fxxlfxl.exe110⤵PID:4728
-
\??\c:\7bhbth.exec:\7bhbth.exe111⤵PID:1480
-
\??\c:\nbhbtt.exec:\nbhbtt.exe112⤵PID:1144
-
\??\c:\vpvjp.exec:\vpvjp.exe113⤵PID:860
-
\??\c:\1fxrxrl.exec:\1fxrxrl.exe114⤵PID:1452
-
\??\c:\hbbbhn.exec:\hbbbhn.exe115⤵PID:2372
-
\??\c:\pdvpj.exec:\pdvpj.exe116⤵PID:1652
-
\??\c:\jpjvj.exec:\jpjvj.exe117⤵PID:5028
-
\??\c:\fxllrlr.exec:\fxllrlr.exe118⤵PID:1172
-
\??\c:\bbhbhn.exec:\bbhbhn.exe119⤵PID:1872
-
\??\c:\pjdvp.exec:\pjdvp.exe120⤵PID:1704
-
\??\c:\xxfrfrf.exec:\xxfrfrf.exe121⤵PID:3464
-
\??\c:\ttthnt.exec:\ttthnt.exe122⤵PID:1724