Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 09:19
Static task
static1
1 signatures
Behavioral task
behavioral1 (sibling task; not the run detailed below)
Sample
17334528d2d250763094288043b9105ef5cbc1799dce6c8c33a6224acbb81a77N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
Note: the Signatures and Processes sections that follow are labelled behavioral2 and come from the win10v2004-20241007-en image listed under "platform"/"resource" above. The behavioral1 run on windows7-x64 is a separate task whose results are not shown on this page, so do not assume its 7 signatures are the ones listed here.
General
-
Target
17334528d2d250763094288043b9105ef5cbc1799dce6c8c33a6224acbb81a77N.exe
-
Size
453KB
-
MD5
31c8e480d5e31d9e477e6e0581c07430
-
SHA1
32465c66c8c007e7eca08fb1d6e6ba5310bfbd7e
-
SHA256
17334528d2d250763094288043b9105ef5cbc1799dce6c8c33a6224acbb81a77
-
SHA512
cf35cbb4a2d5fe66d51a7e9ea17816a01ac510abef994adf734d17fe2eb334e8338ccac71ac83ad5eaa77d2e06cb884495f36022f27da61c496176213b64022f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet/:q7Tc2NYHUrAwfMp3CDt/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (64 appears to be a display cap; the process tree below has more than 64 tagged entries). Every hit is the same image range 0x0000000000400000-0x000000000042A000 in the memory dump of one of the chained processes, and the same dumps also match the `upx` rule further down, so the family verdict rests on in-memory content of each dropped copy rather than on the file on disk. The file hashes above are therefore hashes of what looks like a UPX-packed carrier — confirm against the file's section headers before using them as the only detection artefact.
resource yara_rule behavioral2/memory/5080-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1056-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/432-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-1027-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-1232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1072-1296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (display cap — the process tree below tags well over 64 entries). Each dropped executable launches exactly one successor, forming a linear chain (5080 → 4280 → 1240 → 1756 → …). Individual file names are not reliable indicators — they are pseudo-random and some repeat (e.g. vvppp.exe, hnnntb.exe, thtnhh.exe) — but all of them are drawn from the small alphabet b d f h j l n p r t v x with an occasional leading digit (1, 3, 5, 7, 9), which is a more stable pattern to hunt on. Several PIDs recur later in the chain (e.g. 1872, 4688, 3344, 964, 5088), so earlier links had already exited and their PIDs were reused by the time later links started.
pid Process 4280 rrxlrlr.exe 1240 ddpdd.exe 1756 vpdvp.exe 1872 lfllllr.exe 3892 hnnntb.exe 3280 vpdpp.exe 3600 btbhnb.exe 4688 dddvp.exe 988 ntnbth.exe 3344 fflxrrl.exe 3532 rrlflrx.exe 2732 vpvvv.exe 4460 nhnhnn.exe 2372 pvpjj.exe 3380 tbbbnb.exe 4576 pvvvv.exe 1556 hbttth.exe 3436 vpppv.exe 1532 jvjdj.exe 2544 btbbbh.exe 964 thhhtt.exe 4940 hbbbbb.exe 5088 lrxxxxr.exe 2952 dpvdd.exe 368 rrllflf.exe 1056 bnnttn.exe 2432 7rxrxfx.exe 4720 lrlfxxf.exe 4412 9htthb.exe 4360 ntthnh.exe 4364 vvddd.exe 1716 ntbbbn.exe 3964 pjjdd.exe 776 btbhhn.exe 1728 ddppp.exe 4396 fxrrlll.exe 1500 thtnhh.exe 2980 dpvpp.exe 4424 5dvpj.exe 2276 3lrllll.exe 2600 pdpjd.exe 464 rxfrlrl.exe 4952 5hbbtb.exe 32 dpdvp.exe 1224 xxlfrrf.exe 1480 hhhnth.exe 2388 jjvdd.exe 3560 llfrxfl.exe 4164 3httth.exe 2344 vvppp.exe 2516 lllxxxl.exe 3140 fxffxxx.exe 3116 jpdvj.exe 4044 lfxffff.exe 4908 nnbhhn.exe 1872 vdddd.exe 4936 1llffxr.exe 4404 tnbbbh.exe 1976 hnnntb.exe 4820 djddd.exe 4688 9htttt.exe 1548 vvppp.exe 3344 xxxflrx.exe 1804 nnhntt.exe -
resource yara_rule behavioral2/memory/5080-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4720-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-400-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1988-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-774-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat: the only evidence here is a read of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, a key that ordinary locale and runtime APIs also touch, so on its own this is a low-fidelity indicator. The many entries attributed to "Process not Found" are most likely reads by chain members that had already exited before the sandbox resolved their process names (PID reuse within the chain is visible in the process tree below).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrllxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (display cap). Every entry below is a parent writing into the child it has just launched (5080→4280, 4280→1240, …, mirroring the process tree), recorded three times per parent/child pair; no write into a pre-existing or unrelated process appears. This is consistent with ordinary child-process setup by the dropper chain and is not, by itself, evidence of injection into other processes. The trailing number on each entry (83, 84, 85, …) is the sandbox's sequential procid_target column, not a Windows PID.
description pid Process procid_target PID 5080 wrote to memory of 4280 5080 17334528d2d250763094288043b9105ef5cbc1799dce6c8c33a6224acbb81a77N.exe 83 PID 5080 wrote to memory of 4280 5080 17334528d2d250763094288043b9105ef5cbc1799dce6c8c33a6224acbb81a77N.exe 83 PID 5080 wrote to memory of 4280 5080 17334528d2d250763094288043b9105ef5cbc1799dce6c8c33a6224acbb81a77N.exe 83 PID 4280 wrote to memory of 1240 4280 rrxlrlr.exe 84 PID 4280 wrote to memory of 1240 4280 rrxlrlr.exe 84 PID 4280 wrote to memory of 1240 4280 rrxlrlr.exe 84 PID 1240 wrote to memory of 1756 1240 ddpdd.exe 85 PID 1240 wrote to memory of 1756 1240 ddpdd.exe 85 PID 1240 wrote to memory of 1756 1240 ddpdd.exe 85 PID 1756 wrote to memory of 1872 1756 vpdvp.exe 86 PID 1756 wrote to memory of 1872 1756 vpdvp.exe 86 PID 1756 wrote to memory of 1872 1756 vpdvp.exe 86 PID 1872 wrote to memory of 3892 1872 lfllllr.exe 87 PID 1872 wrote to memory of 3892 1872 lfllllr.exe 87 PID 1872 wrote to memory of 3892 1872 lfllllr.exe 87 PID 3892 wrote to memory of 3280 3892 hnnntb.exe 88 PID 3892 wrote to memory of 3280 3892 hnnntb.exe 88 PID 3892 wrote to memory of 3280 3892 hnnntb.exe 88 PID 3280 wrote to memory of 3600 3280 vpdpp.exe 89 PID 3280 wrote to memory of 3600 3280 vpdpp.exe 89 PID 3280 wrote to memory of 3600 3280 vpdpp.exe 89 PID 3600 wrote to memory of 4688 3600 btbhnb.exe 90 PID 3600 wrote to memory of 4688 3600 btbhnb.exe 90 PID 3600 wrote to memory of 4688 3600 btbhnb.exe 90 PID 4688 wrote to memory of 988 4688 dddvp.exe 91 PID 4688 wrote to memory of 988 4688 dddvp.exe 91 PID 4688 wrote to memory of 988 4688 dddvp.exe 91 PID 988 wrote to memory of 3344 988 ntnbth.exe 92 PID 988 wrote to memory of 3344 988 ntnbth.exe 92 PID 988 wrote to memory of 3344 988 ntnbth.exe 92 PID 3344 wrote to memory of 3532 3344 fflxrrl.exe 93 PID 3344 wrote to memory of 3532 3344 fflxrrl.exe 93 PID 3344 wrote to memory of 3532 3344 fflxrrl.exe 93 PID 3532 wrote to memory of 2732 3532 rrlflrx.exe 94 PID 3532 wrote to memory of 
2732 3532 rrlflrx.exe 94 PID 3532 wrote to memory of 2732 3532 rrlflrx.exe 94 PID 2732 wrote to memory of 4460 2732 vpvvv.exe 95 PID 2732 wrote to memory of 4460 2732 vpvvv.exe 95 PID 2732 wrote to memory of 4460 2732 vpvvv.exe 95 PID 4460 wrote to memory of 2372 4460 nhnhnn.exe 96 PID 4460 wrote to memory of 2372 4460 nhnhnn.exe 96 PID 4460 wrote to memory of 2372 4460 nhnhnn.exe 96 PID 2372 wrote to memory of 3380 2372 pvpjj.exe 97 PID 2372 wrote to memory of 3380 2372 pvpjj.exe 97 PID 2372 wrote to memory of 3380 2372 pvpjj.exe 97 PID 3380 wrote to memory of 4576 3380 tbbbnb.exe 98 PID 3380 wrote to memory of 4576 3380 tbbbnb.exe 98 PID 3380 wrote to memory of 4576 3380 tbbbnb.exe 98 PID 4576 wrote to memory of 1556 4576 pvvvv.exe 99 PID 4576 wrote to memory of 1556 4576 pvvvv.exe 99 PID 4576 wrote to memory of 1556 4576 pvvvv.exe 99 PID 1556 wrote to memory of 3436 1556 hbttth.exe 100 PID 1556 wrote to memory of 3436 1556 hbttth.exe 100 PID 1556 wrote to memory of 3436 1556 hbttth.exe 100 PID 3436 wrote to memory of 1532 3436 vpppv.exe 101 PID 3436 wrote to memory of 1532 3436 vpppv.exe 101 PID 3436 wrote to memory of 1532 3436 vpppv.exe 101 PID 1532 wrote to memory of 2544 1532 jvjdj.exe 102 PID 1532 wrote to memory of 2544 1532 jvjdj.exe 102 PID 1532 wrote to memory of 2544 1532 jvjdj.exe 102 PID 2544 wrote to memory of 964 2544 btbbbh.exe 103 PID 2544 wrote to memory of 964 2544 btbbbh.exe 103 PID 2544 wrote to memory of 964 2544 btbbbh.exe 103 PID 964 wrote to memory of 4940 964 thhhtt.exe 104
Processes (each entry below is the image path, the command line and the tree depth run together, e.g. `\??\c:\rrxlrlr.exe` + `c:\rrxlrlr.exe` + `2⤵`; `\??\` is the NT object-manager path prefix, so the dropped copies are written to the root of c:\ while the original sample ran from the Admin user's %TEMP%. Creating files directly under c:\ normally needs more than a standard-user token, so before reusing the root-of-drive paths as indicators confirm the integrity level the sample ran at in this sandbox.)
-
C:\Users\Admin\AppData\Local\Temp\17334528d2d250763094288043b9105ef5cbc1799dce6c8c33a6224acbb81a77N.exe"C:\Users\Admin\AppData\Local\Temp\17334528d2d250763094288043b9105ef5cbc1799dce6c8c33a6224acbb81a77N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\rrxlrlr.exec:\rrxlrlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\ddpdd.exec:\ddpdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\vpdvp.exec:\vpdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\lfllllr.exec:\lfllllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\hnnntb.exec:\hnnntb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\vpdpp.exec:\vpdpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\btbhnb.exec:\btbhnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\dddvp.exec:\dddvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\ntnbth.exec:\ntnbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\fflxrrl.exec:\fflxrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\rrlflrx.exec:\rrlflrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\vpvvv.exec:\vpvvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\nhnhnn.exec:\nhnhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\pvpjj.exec:\pvpjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\tbbbnb.exec:\tbbbnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\pvvvv.exec:\pvvvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\hbttth.exec:\hbttth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\vpppv.exec:\vpppv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\jvjdj.exec:\jvjdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\btbbbh.exec:\btbbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\thhhtt.exec:\thhhtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\hbbbbb.exec:\hbbbbb.exe23⤵
- Executes dropped EXE
PID:4940 -
\??\c:\lrxxxxr.exec:\lrxxxxr.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5088 -
\??\c:\dpvdd.exec:\dpvdd.exe25⤵
- Executes dropped EXE
PID:2952 -
\??\c:\rrllflf.exec:\rrllflf.exe26⤵
- Executes dropped EXE
PID:368 -
\??\c:\bnnttn.exec:\bnnttn.exe27⤵
- Executes dropped EXE
PID:1056 -
\??\c:\7rxrxfx.exec:\7rxrxfx.exe28⤵
- Executes dropped EXE
PID:2432 -
\??\c:\lrlfxxf.exec:\lrlfxxf.exe29⤵
- Executes dropped EXE
PID:4720 -
\??\c:\9htthb.exec:\9htthb.exe30⤵
- Executes dropped EXE
PID:4412 -
\??\c:\ntthnh.exec:\ntthnh.exe31⤵
- Executes dropped EXE
PID:4360 -
\??\c:\vvddd.exec:\vvddd.exe32⤵
- Executes dropped EXE
PID:4364 -
\??\c:\ntbbbn.exec:\ntbbbn.exe33⤵
- Executes dropped EXE
PID:1716 -
\??\c:\pjjdd.exec:\pjjdd.exe34⤵
- Executes dropped EXE
PID:3964 -
\??\c:\btbhhn.exec:\btbhhn.exe35⤵
- Executes dropped EXE
PID:776 -
\??\c:\ddppp.exec:\ddppp.exe36⤵
- Executes dropped EXE
PID:1728 -
\??\c:\fxrrlll.exec:\fxrrlll.exe37⤵
- Executes dropped EXE
PID:4396 -
\??\c:\thtnhh.exec:\thtnhh.exe38⤵
- Executes dropped EXE
PID:1500 -
\??\c:\dpvpp.exec:\dpvpp.exe39⤵
- Executes dropped EXE
PID:2980 -
\??\c:\5dvpj.exec:\5dvpj.exe40⤵
- Executes dropped EXE
PID:4424 -
\??\c:\3lrllll.exec:\3lrllll.exe41⤵
- Executes dropped EXE
PID:2276 -
\??\c:\pdpjd.exec:\pdpjd.exe42⤵
- Executes dropped EXE
PID:2600 -
\??\c:\rxfrlrl.exec:\rxfrlrl.exe43⤵
- Executes dropped EXE
PID:464 -
\??\c:\5hbbtb.exec:\5hbbtb.exe44⤵
- Executes dropped EXE
PID:4952 -
\??\c:\dpdvp.exec:\dpdvp.exe45⤵
- Executes dropped EXE
PID:32 -
\??\c:\xxlfrrf.exec:\xxlfrrf.exe46⤵
- Executes dropped EXE
PID:1224 -
\??\c:\hhhnth.exec:\hhhnth.exe47⤵
- Executes dropped EXE
PID:1480 -
\??\c:\jjvdd.exec:\jjvdd.exe48⤵
- Executes dropped EXE
PID:2388 -
\??\c:\llfrxfl.exec:\llfrxfl.exe49⤵
- Executes dropped EXE
PID:3560 -
\??\c:\3httth.exec:\3httth.exe50⤵
- Executes dropped EXE
PID:4164 -
\??\c:\btnhhh.exec:\btnhhh.exe51⤵PID:4580
-
\??\c:\vvppp.exec:\vvppp.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344 -
\??\c:\lllxxxl.exec:\lllxxxl.exe53⤵
- Executes dropped EXE
PID:2516 -
\??\c:\fxffxxx.exec:\fxffxxx.exe54⤵
- Executes dropped EXE
PID:3140 -
\??\c:\jpdvj.exec:\jpdvj.exe55⤵
- Executes dropped EXE
PID:3116 -
\??\c:\lfxffff.exec:\lfxffff.exe56⤵
- Executes dropped EXE
PID:4044 -
\??\c:\nnbhhn.exec:\nnbhhn.exe57⤵
- Executes dropped EXE
PID:4908 -
\??\c:\vdddd.exec:\vdddd.exe58⤵
- Executes dropped EXE
PID:1872 -
\??\c:\1llffxr.exec:\1llffxr.exe59⤵
- Executes dropped EXE
PID:4936 -
\??\c:\tnbbbh.exec:\tnbbbh.exe60⤵
- Executes dropped EXE
PID:4404 -
\??\c:\hnnntb.exec:\hnnntb.exe61⤵
- Executes dropped EXE
PID:1976 -
\??\c:\djddd.exec:\djddd.exe62⤵
- Executes dropped EXE
PID:4820 -
\??\c:\9htttt.exec:\9htttt.exe63⤵
- Executes dropped EXE
PID:4688 -
\??\c:\vvppp.exec:\vvppp.exe64⤵
- Executes dropped EXE
PID:1548 -
\??\c:\xxxflrx.exec:\xxxflrx.exe65⤵
- Executes dropped EXE
PID:3344 -
\??\c:\nnhntt.exec:\nnhntt.exe66⤵
- Executes dropped EXE
PID:1804 -
\??\c:\5vdvv.exec:\5vdvv.exe67⤵PID:4100
-
\??\c:\fxrxflr.exec:\fxrxflr.exe68⤵PID:4060
-
\??\c:\thtnhh.exec:\thtnhh.exe69⤵PID:2884
-
\??\c:\jjjdv.exec:\jjjdv.exe70⤵PID:3620
-
\??\c:\7rrrllf.exec:\7rrrllf.exe71⤵PID:3164
-
\??\c:\nnhhhh.exec:\nnhhhh.exe72⤵PID:3856
-
\??\c:\pdvjj.exec:\pdvjj.exe73⤵PID:1260
-
\??\c:\vdppp.exec:\vdppp.exe74⤵PID:228
-
\??\c:\rfxfrrf.exec:\rfxfrrf.exe75⤵PID:432
-
\??\c:\jvdjp.exec:\jvdjp.exe76⤵PID:4572
-
\??\c:\xlrrrrr.exec:\xlrrrrr.exe77⤵PID:2844
-
\??\c:\tnbbht.exec:\tnbbht.exe78⤵PID:3076
-
\??\c:\dpjjp.exec:\dpjjp.exe79⤵PID:4232
-
\??\c:\tthbbn.exec:\tthbbn.exe80⤵PID:964
-
\??\c:\ttnbhn.exec:\ttnbhn.exe81⤵PID:4016
-
\??\c:\vpjpd.exec:\vpjpd.exe82⤵PID:4064
-
\??\c:\llxxxll.exec:\llxxxll.exe83⤵PID:5088
-
\??\c:\tttttt.exec:\tttttt.exe84⤵PID:2196
-
\??\c:\dpdpj.exec:\dpdpj.exe85⤵PID:4980
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe86⤵PID:368
-
\??\c:\thhbtt.exec:\thhbtt.exe87⤵PID:1384
-
\??\c:\pjjvj.exec:\pjjvj.exe88⤵PID:452
-
\??\c:\llfxlfr.exec:\llfxlfr.exe89⤵PID:1636
-
\??\c:\pvdpp.exec:\pvdpp.exe90⤵PID:4720
-
\??\c:\jvvjv.exec:\jvvjv.exe91⤵PID:1992
-
\??\c:\xlrrrxl.exec:\xlrrrxl.exe92⤵PID:1324
-
\??\c:\hhtbnt.exec:\hhtbnt.exe93⤵PID:4172
-
\??\c:\1jdvp.exec:\1jdvp.exe94⤵PID:4948
-
\??\c:\flflxlf.exec:\flflxlf.exe95⤵PID:3980
-
\??\c:\hhhhth.exec:\hhhhth.exe96⤵PID:2000
-
\??\c:\vpvvp.exec:\vpvvp.exe97⤵PID:3644
-
\??\c:\xxrrlrr.exec:\xxrrlrr.exe98⤵PID:1988
-
\??\c:\nbnnhn.exec:\nbnnhn.exe99⤵PID:2960
-
\??\c:\vvddp.exec:\vvddp.exe100⤵PID:1520
-
\??\c:\xfrrrrr.exec:\xfrrrrr.exe101⤵PID:4192
-
\??\c:\5ttttb.exec:\5ttttb.exe102⤵PID:2336
-
\??\c:\pjppj.exec:\pjppj.exe103⤵PID:3504
-
\??\c:\llfffll.exec:\llfffll.exe104⤵PID:3528
-
\??\c:\nttntt.exec:\nttntt.exe105⤵PID:936
-
\??\c:\pvppp.exec:\pvppp.exe106⤵PID:3568
-
\??\c:\lrfxxrx.exec:\lrfxxrx.exe107⤵PID:2072
-
\??\c:\nntthn.exec:\nntthn.exe108⤵PID:1368
-
\??\c:\lrrffff.exec:\lrrffff.exe109⤵PID:956
-
\??\c:\xlllffx.exec:\xlllffx.exe110⤵PID:396
-
\??\c:\jvjdd.exec:\jvjdd.exe111⤵PID:1832
-
\??\c:\jppdd.exec:\jppdd.exe112⤵PID:1808
-
\??\c:\llrrlrr.exec:\llrrlrr.exe113⤵PID:4196
-
\??\c:\3hhhbb.exec:\3hhhbb.exe114⤵PID:748
-
\??\c:\dpdvv.exec:\dpdvv.exe115⤵PID:3872
-
\??\c:\fflfxrr.exec:\fflfxrr.exe116⤵PID:2080
-
\??\c:\frlllxx.exec:\frlllxx.exe117⤵PID:1756
-
\??\c:\hntttb.exec:\hntttb.exe118⤵PID:3988
-
\??\c:\ppppj.exec:\ppppj.exe119⤵PID:4680
-
\??\c:\lrrlfxx.exec:\lrrlfxx.exe120⤵PID:2076
-
\??\c:\rrlfxxl.exec:\rrlfxxl.exe121⤵PID:1280
-
\??\c:\nhnnnn.exec:\nhnnnn.exe122⤵PID:3408