Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 12:32
Behavioral task
behavioral1
Sample
ee0866533d2cb617b6b053cdb25128640ee3c0cf5950522ca3389790773e2656N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
ee0866533d2cb617b6b053cdb25128640ee3c0cf5950522ca3389790773e2656N.exe
-
Size
335KB
-
MD5
e4a18e98a4250eb70843b8abe25ca690
-
SHA1
92bd89ea7f7d47c4e4643ed9662ee6fb3301a7f1
-
SHA256
ee0866533d2cb617b6b053cdb25128640ee3c0cf5950522ca3389790773e2656
-
SHA512
4bb6b174f1838ff69bd6549691d33a3bb6319ff52f9e1de0be37de8d90cfdcd9c307f877af88cf633d94ab52d20dc66f8fdb69b54b176c5d14228701ae87d063
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeR/:R4wFHoSHYHUrAwfMp3CDR/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3604-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4836-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1444-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2752-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/884-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2944-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1096-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1772-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3884-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2652-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4356-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4744-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2232-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2144-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/848-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/804-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2640-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4356-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3372-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1388-458-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2052-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-530-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-591-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-670-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-815-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-970-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2752 vjdpv.exe 4836 ttthnh.exe 4112 dpdvd.exe 4472 pjpdp.exe 1444 frlxlfl.exe 2432 btnbth.exe 4928 3jddj.exe 2560 dpjvj.exe 884 bhhnnt.exe 2060 dddvv.exe 944 xrxlxlf.exe 3192 3pdvj.exe 4140 7fxlllx.exe 5000 7nnbnh.exe 2616 5frlxrl.exe 5056 5nbthb.exe 5092 rxrlxfx.exe 320 pvvpd.exe 2416 dppdj.exe 5012 nhhhtn.exe 1108 5nhthb.exe 2296 bbnhht.exe 4592 vddjv.exe 5088 rrxxrlf.exe 1336 bnbnht.exe 2944 bthtbt.exe 4756 dvjdp.exe 4580 3vdjd.exe 4748 rlxxfrl.exe 3168 3nhbtt.exe 1064 bnnhnh.exe 4644 htbtbh.exe 3948 rllfxrl.exe 3088 tnnhbn.exe 1376 jdpdp.exe 1096 pjvjp.exe 1128 rrrlxrl.exe 1832 nnnhth.exe 4076 jjpjd.exe 1772 lxfxlfx.exe 3884 httnnh.exe 3424 vppjd.exe 3768 rrfrfrf.exe 3152 3bbthb.exe 2652 7djdv.exe 4356 9fxrllx.exe 2556 rxfrlfx.exe 3048 ppdvp.exe 4304 lllllfl.exe 4428 nntthh.exe 1084 hhbtnh.exe 2816 jjddp.exe 4452 rxxrfrr.exe 1396 nntnhb.exe 600 vpjdv.exe 332 xrffxrr.exe 4352 ffffllx.exe 812 tnnnnn.exe 1824 7rxrfrl.exe 852 xrfrlfr.exe 5028 9hbtbt.exe 4112 tnnnnn.exe 3908 dpvvd.exe 4744 ppdvd.exe -
resource yara_rule behavioral2/memory/3604-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023caa-3.dat upx behavioral2/memory/3604-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4836-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cad-10.dat upx behavioral2/files/0x0007000000023cb1-11.dat upx behavioral2/memory/4112-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-19.dat upx behavioral2/files/0x0007000000023cb4-24.dat upx behavioral2/memory/1444-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-29.dat upx behavioral2/memory/4928-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-35.dat upx behavioral2/memory/2432-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4472-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2752-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-39.dat upx behavioral2/memory/4928-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2560-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-45.dat upx behavioral2/memory/884-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-50.dat upx behavioral2/files/0x0007000000023cba-55.dat upx behavioral2/files/0x0007000000023cbb-58.dat upx behavioral2/files/0x0007000000023cbc-62.dat upx behavioral2/memory/4140-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-67.dat upx behavioral2/files/0x0007000000023cbe-72.dat upx behavioral2/memory/5000-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-76.dat upx behavioral2/memory/2616-78-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/5056-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cae-82.dat upx behavioral2/files/0x0007000000023cc0-86.dat upx behavioral2/memory/5092-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-91.dat upx behavioral2/memory/320-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-97.dat upx behavioral2/files/0x0007000000023cc3-100.dat upx behavioral2/files/0x0007000000023cc4-104.dat upx behavioral2/memory/2296-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-109.dat upx behavioral2/files/0x0007000000023cc6-113.dat upx behavioral2/memory/4592-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5088-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-119.dat upx behavioral2/files/0x0007000000023cc8-123.dat upx behavioral2/files/0x0007000000023cc9-128.dat upx behavioral2/files/0x0007000000023ccb-137.dat upx behavioral2/memory/4748-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-143.dat upx behavioral2/files/0x0007000000023cca-133.dat upx behavioral2/memory/4580-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2944-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3168-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-146.dat upx behavioral2/memory/1064-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccf-152.dat upx behavioral2/memory/3088-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1096-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1128-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1832-171-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4076-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1772-177-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (typically a pre-execution check used to avoid running in certain locales).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rllxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3604 wrote to memory of 2752 3604 ee0866533d2cb617b6b053cdb25128640ee3c0cf5950522ca3389790773e2656N.exe 83 PID 3604 wrote to memory of 2752 3604 ee0866533d2cb617b6b053cdb25128640ee3c0cf5950522ca3389790773e2656N.exe 83 PID 3604 wrote to memory of 2752 3604 ee0866533d2cb617b6b053cdb25128640ee3c0cf5950522ca3389790773e2656N.exe 83 PID 2752 wrote to memory of 4836 2752 vjdpv.exe 84 PID 2752 wrote to memory of 4836 2752 vjdpv.exe 84 PID 2752 wrote to memory of 4836 2752 vjdpv.exe 84 PID 4836 wrote to memory of 4112 4836 ttthnh.exe 85 PID 4836 wrote to memory of 4112 4836 ttthnh.exe 85 PID 4836 wrote to memory of 4112 4836 ttthnh.exe 85 PID 4112 wrote to memory of 4472 4112 dpdvd.exe 86 PID 4112 wrote to memory of 4472 4112 dpdvd.exe 86 PID 4112 wrote to memory of 4472 4112 dpdvd.exe 86 PID 4472 wrote to memory of 1444 4472 pjpdp.exe 87 PID 4472 wrote to memory of 1444 4472 pjpdp.exe 87 PID 4472 wrote to memory of 1444 4472 pjpdp.exe 87 PID 1444 wrote to memory of 2432 1444 frlxlfl.exe 88 PID 1444 wrote to memory of 2432 1444 frlxlfl.exe 88 PID 1444 wrote to memory of 2432 1444 frlxlfl.exe 88 PID 2432 wrote to memory of 4928 2432 btnbth.exe 89 PID 2432 wrote to memory of 4928 2432 btnbth.exe 89 PID 2432 wrote to memory of 4928 2432 btnbth.exe 89 PID 4928 wrote to memory of 2560 4928 3jddj.exe 90 PID 4928 wrote to memory of 2560 4928 3jddj.exe 90 PID 4928 wrote to memory of 2560 4928 3jddj.exe 90 PID 2560 wrote to memory of 884 2560 dpjvj.exe 91 PID 2560 wrote to memory of 884 2560 dpjvj.exe 91 PID 2560 wrote to memory of 884 2560 dpjvj.exe 91 PID 884 wrote to memory of 2060 884 bhhnnt.exe 92 PID 884 wrote to memory of 2060 884 bhhnnt.exe 92 PID 884 wrote to memory of 2060 884 bhhnnt.exe 92 PID 2060 wrote to memory of 944 2060 dddvv.exe 93 PID 2060 wrote to memory of 944 2060 dddvv.exe 93 PID 2060 wrote to memory of 944 2060 dddvv.exe 93 PID 944 wrote to memory of 3192 944 xrxlxlf.exe 94 PID 944 wrote to memory of 3192 944 
xrxlxlf.exe 94 PID 944 wrote to memory of 3192 944 xrxlxlf.exe 94 PID 3192 wrote to memory of 4140 3192 3pdvj.exe 95 PID 3192 wrote to memory of 4140 3192 3pdvj.exe 95 PID 3192 wrote to memory of 4140 3192 3pdvj.exe 95 PID 4140 wrote to memory of 5000 4140 7fxlllx.exe 96 PID 4140 wrote to memory of 5000 4140 7fxlllx.exe 96 PID 4140 wrote to memory of 5000 4140 7fxlllx.exe 96 PID 5000 wrote to memory of 2616 5000 7nnbnh.exe 97 PID 5000 wrote to memory of 2616 5000 7nnbnh.exe 97 PID 5000 wrote to memory of 2616 5000 7nnbnh.exe 97 PID 2616 wrote to memory of 5056 2616 5frlxrl.exe 98 PID 2616 wrote to memory of 5056 2616 5frlxrl.exe 98 PID 2616 wrote to memory of 5056 2616 5frlxrl.exe 98 PID 5056 wrote to memory of 5092 5056 5nbthb.exe 99 PID 5056 wrote to memory of 5092 5056 5nbthb.exe 99 PID 5056 wrote to memory of 5092 5056 5nbthb.exe 99 PID 5092 wrote to memory of 320 5092 rxrlxfx.exe 100 PID 5092 wrote to memory of 320 5092 rxrlxfx.exe 100 PID 5092 wrote to memory of 320 5092 rxrlxfx.exe 100 PID 320 wrote to memory of 2416 320 pvvpd.exe 101 PID 320 wrote to memory of 2416 320 pvvpd.exe 101 PID 320 wrote to memory of 2416 320 pvvpd.exe 101 PID 2416 wrote to memory of 5012 2416 dppdj.exe 102 PID 2416 wrote to memory of 5012 2416 dppdj.exe 102 PID 2416 wrote to memory of 5012 2416 dppdj.exe 102 PID 5012 wrote to memory of 1108 5012 nhhhtn.exe 103 PID 5012 wrote to memory of 1108 5012 nhhhtn.exe 103 PID 5012 wrote to memory of 1108 5012 nhhhtn.exe 103 PID 1108 wrote to memory of 2296 1108 5nhthb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee0866533d2cb617b6b053cdb25128640ee3c0cf5950522ca3389790773e2656N.exe"C:\Users\Admin\AppData\Local\Temp\ee0866533d2cb617b6b053cdb25128640ee3c0cf5950522ca3389790773e2656N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\vjdpv.exec:\vjdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\ttthnh.exec:\ttthnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\dpdvd.exec:\dpdvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\pjpdp.exec:\pjpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\frlxlfl.exec:\frlxlfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\btnbth.exec:\btnbth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\3jddj.exec:\3jddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\dpjvj.exec:\dpjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\bhhnnt.exec:\bhhnnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\dddvv.exec:\dddvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\xrxlxlf.exec:\xrxlxlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\3pdvj.exec:\3pdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\7fxlllx.exec:\7fxlllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\7nnbnh.exec:\7nnbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\5frlxrl.exec:\5frlxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\5nbthb.exec:\5nbthb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\rxrlxfx.exec:\rxrlxfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\pvvpd.exec:\pvvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\dppdj.exec:\dppdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\nhhhtn.exec:\nhhhtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\5nhthb.exec:\5nhthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\bbnhht.exec:\bbnhht.exe23⤵
- Executes dropped EXE
PID:2296 -
\??\c:\vddjv.exec:\vddjv.exe24⤵
- Executes dropped EXE
PID:4592 -
\??\c:\rrxxrlf.exec:\rrxxrlf.exe25⤵
- Executes dropped EXE
PID:5088 -
\??\c:\bnbnht.exec:\bnbnht.exe26⤵
- Executes dropped EXE
PID:1336 -
\??\c:\bthtbt.exec:\bthtbt.exe27⤵
- Executes dropped EXE
PID:2944 -
\??\c:\dvjdp.exec:\dvjdp.exe28⤵
- Executes dropped EXE
PID:4756 -
\??\c:\3vdjd.exec:\3vdjd.exe29⤵
- Executes dropped EXE
PID:4580 -
\??\c:\rlxxfrl.exec:\rlxxfrl.exe30⤵
- Executes dropped EXE
PID:4748 -
\??\c:\3nhbtt.exec:\3nhbtt.exe31⤵
- Executes dropped EXE
PID:3168 -
\??\c:\bnnhnh.exec:\bnnhnh.exe32⤵
- Executes dropped EXE
PID:1064 -
\??\c:\htbtbh.exec:\htbtbh.exe33⤵
- Executes dropped EXE
PID:4644 -
\??\c:\rllfxrl.exec:\rllfxrl.exe34⤵
- Executes dropped EXE
PID:3948 -
\??\c:\tnnhbn.exec:\tnnhbn.exe35⤵
- Executes dropped EXE
PID:3088 -
\??\c:\jdpdp.exec:\jdpdp.exe36⤵
- Executes dropped EXE
PID:1376 -
\??\c:\pjvjp.exec:\pjvjp.exe37⤵
- Executes dropped EXE
PID:1096 -
\??\c:\rrrlxrl.exec:\rrrlxrl.exe38⤵
- Executes dropped EXE
PID:1128 -
\??\c:\nnnhth.exec:\nnnhth.exe39⤵
- Executes dropped EXE
PID:1832 -
\??\c:\jjpjd.exec:\jjpjd.exe40⤵
- Executes dropped EXE
PID:4076 -
\??\c:\lxfxlfx.exec:\lxfxlfx.exe41⤵
- Executes dropped EXE
PID:1772 -
\??\c:\httnnh.exec:\httnnh.exe42⤵
- Executes dropped EXE
PID:3884 -
\??\c:\vppjd.exec:\vppjd.exe43⤵
- Executes dropped EXE
PID:3424 -
\??\c:\rrfrfrf.exec:\rrfrfrf.exe44⤵
- Executes dropped EXE
PID:3768 -
\??\c:\3bbthb.exec:\3bbthb.exe45⤵
- Executes dropped EXE
PID:3152 -
\??\c:\7djdv.exec:\7djdv.exe46⤵
- Executes dropped EXE
PID:2652 -
\??\c:\9fxrllx.exec:\9fxrllx.exe47⤵
- Executes dropped EXE
PID:4356 -
\??\c:\rxfrlfx.exec:\rxfrlfx.exe48⤵
- Executes dropped EXE
PID:2556 -
\??\c:\ppdvp.exec:\ppdvp.exe49⤵
- Executes dropped EXE
PID:3048 -
\??\c:\lllllfl.exec:\lllllfl.exe50⤵
- Executes dropped EXE
PID:4304 -
\??\c:\nntthh.exec:\nntthh.exe51⤵
- Executes dropped EXE
PID:4428 -
\??\c:\hhbtnh.exec:\hhbtnh.exe52⤵
- Executes dropped EXE
PID:1084 -
\??\c:\jjddp.exec:\jjddp.exe53⤵
- Executes dropped EXE
PID:2816 -
\??\c:\rxxrfrr.exec:\rxxrfrr.exe54⤵
- Executes dropped EXE
PID:4452 -
\??\c:\nntnhb.exec:\nntnhb.exe55⤵
- Executes dropped EXE
PID:1396 -
\??\c:\vpjdv.exec:\vpjdv.exe56⤵
- Executes dropped EXE
PID:600 -
\??\c:\xrffxrr.exec:\xrffxrr.exe57⤵
- Executes dropped EXE
PID:332 -
\??\c:\ffffllx.exec:\ffffllx.exe58⤵
- Executes dropped EXE
PID:4352 -
\??\c:\tnnnnn.exec:\tnnnnn.exe59⤵
- Executes dropped EXE
PID:812 -
\??\c:\7rxrfrl.exec:\7rxrfrl.exe60⤵
- Executes dropped EXE
PID:1824 -
\??\c:\xrfrlfr.exec:\xrfrlfr.exe61⤵
- Executes dropped EXE
PID:852 -
\??\c:\9hbtbt.exec:\9hbtbt.exe62⤵
- Executes dropped EXE
PID:5028 -
\??\c:\tnnnnn.exec:\tnnnnn.exe63⤵
- Executes dropped EXE
PID:4112 -
\??\c:\dpvvd.exec:\dpvvd.exe64⤵
- Executes dropped EXE
PID:3908 -
\??\c:\ppdvd.exec:\ppdvd.exe65⤵
- Executes dropped EXE
PID:4744 -
\??\c:\lrxlrlx.exec:\lrxlrlx.exe66⤵PID:2232
-
\??\c:\nnnhhh.exec:\nnnhhh.exe67⤵PID:4960
-
\??\c:\thbtnb.exec:\thbtnb.exe68⤵PID:2144
-
\??\c:\jpdvj.exec:\jpdvj.exe69⤵PID:4940
-
\??\c:\vpvpd.exec:\vpvpd.exe70⤵PID:5072
-
\??\c:\ntttnt.exec:\ntttnt.exe71⤵PID:4224
-
\??\c:\btbttn.exec:\btbttn.exe72⤵PID:5064
-
\??\c:\jjjjd.exec:\jjjjd.exe73⤵PID:1208
-
\??\c:\lxxxlrr.exec:\lxxxlrr.exe74⤵PID:848
-
\??\c:\frllfrr.exec:\frllfrr.exe75⤵PID:3092
-
\??\c:\nhhbtt.exec:\nhhbtt.exe76⤵PID:1592
-
\??\c:\7pvpp.exec:\7pvpp.exe77⤵PID:2516
-
\??\c:\pjjjv.exec:\pjjjv.exe78⤵PID:3936
-
\??\c:\1llfllf.exec:\1llfllf.exe79⤵PID:804
-
\??\c:\7xllffl.exec:\7xllffl.exe80⤵PID:4688
-
\??\c:\tnthtt.exec:\tnthtt.exe81⤵PID:4784
-
\??\c:\bnnhbb.exec:\bnnhbb.exe82⤵PID:2352
-
\??\c:\jvvvp.exec:\jvvvp.exe83⤵PID:2884
-
\??\c:\lrllffx.exec:\lrllffx.exe84⤵PID:2772
-
\??\c:\rlrrxrx.exec:\rlrrxrx.exe85⤵PID:216
-
\??\c:\hbhtbt.exec:\hbhtbt.exe86⤵PID:4240
-
\??\c:\3tbthb.exec:\3tbthb.exe87⤵PID:3640
-
\??\c:\jjjjd.exec:\jjjjd.exe88⤵PID:3672
-
\??\c:\ffllrxf.exec:\ffllrxf.exe89⤵PID:5112
-
\??\c:\htbthh.exec:\htbthh.exe90⤵PID:3440
-
\??\c:\5pjjj.exec:\5pjjj.exe91⤵PID:4728
-
\??\c:\xfxxxfx.exec:\xfxxxfx.exe92⤵PID:4160
-
\??\c:\9flxrlx.exec:\9flxrlx.exe93⤵PID:3184
-
\??\c:\btbttn.exec:\btbttn.exe94⤵PID:1336
-
\??\c:\htttbb.exec:\htttbb.exe95⤵PID:2692
-
\??\c:\pjvdv.exec:\pjvdv.exe96⤵PID:2160
-
\??\c:\lffxrrl.exec:\lffxrrl.exe97⤵PID:456
-
\??\c:\lfxfrrl.exec:\lfxfrrl.exe98⤵PID:1140
-
\??\c:\hhnnhn.exec:\hhnnhn.exe99⤵PID:912
-
\??\c:\7jjvp.exec:\7jjvp.exe100⤵PID:1616
-
\??\c:\jjdpd.exec:\jjdpd.exe101⤵PID:3168
-
\??\c:\lfllffx.exec:\lfllffx.exe102⤵PID:1064
-
\??\c:\xlllxxr.exec:\xlllxxr.exe103⤵PID:4196
-
\??\c:\tbbtnh.exec:\tbbtnh.exe104⤵PID:2212
-
\??\c:\bnnhtt.exec:\bnnhtt.exe105⤵PID:2640
-
\??\c:\ddjpj.exec:\ddjpj.exe106⤵PID:2736
-
\??\c:\1fflfrr.exec:\1fflfrr.exe107⤵PID:1028
-
\??\c:\nnnnbh.exec:\nnnnbh.exe108⤵PID:3232
-
\??\c:\nnnhbt.exec:\nnnhbt.exe109⤵PID:4568
-
\??\c:\vpjdv.exec:\vpjdv.exe110⤵PID:2176
-
\??\c:\7ffllxr.exec:\7ffllxr.exe111⤵PID:4076
-
\??\c:\bnnnhh.exec:\bnnnhh.exe112⤵PID:3432
-
\??\c:\bhbttn.exec:\bhbttn.exe113⤵PID:2992
-
\??\c:\9vjdv.exec:\9vjdv.exe114⤵PID:2728
-
\??\c:\xxrfxrl.exec:\xxrfxrl.exe115⤵PID:3424
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe116⤵PID:3768
-
\??\c:\bhhbtn.exec:\bhhbtn.exe117⤵PID:3152
-
\??\c:\tntnhb.exec:\tntnhb.exe118⤵PID:2652
-
\??\c:\jdddv.exec:\jdddv.exe119⤵PID:4356
-
\??\c:\pddvj.exec:\pddvj.exe120⤵
- System Location Discovery: System Language Discovery
PID:3064 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe121⤵PID:3620
-
\??\c:\tnnthn.exec:\tnnthn.exe122⤵PID:4384
-