Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 19:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
de0f55352a8725a046b2a2c5a2a0fd0d67d86dac61f85f07e0a23ad56ec3b799N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
de0f55352a8725a046b2a2c5a2a0fd0d67d86dac61f85f07e0a23ad56ec3b799N.exe
-
Size
456KB
-
MD5
21af0bafd2e85431ac6ee58bbf1d20c0
-
SHA1
2fa4bf2b41e3c434275e3e4daf2df1ce372bd384
-
SHA256
de0f55352a8725a046b2a2c5a2a0fd0d67d86dac61f85f07e0a23ad56ec3b799
-
SHA512
1cc543b215f5f845f47ae76e4e3f77a5738bccf11f783d3fb5e0ffde1c6f1a17a5448913f89242d4235ae2f2505d30b8d423f93622d28cb078aa244386f13e9e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1336-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2604-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3280-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-1360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-1594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4440 1rrrrrl.exe 4776 nbbbnn.exe 3316 7nhbhh.exe 3992 dpjjd.exe 1572 thnbtn.exe 4760 rlllffx.exe 2636 xxxrrrl.exe 4040 lxffxfx.exe 2468 jdjdv.exe 4268 fxxrlfx.exe 1892 ntbnhn.exe 1768 fxlxrlx.exe 1908 pddvp.exe 1268 dpppj.exe 4028 5nnhbt.exe 2364 1bbttt.exe 2548 frrlffx.exe 852 dvvpd.exe 2472 lfrxxrl.exe 2380 hhbttb.exe 1932 lrxrrrl.exe 1632 tnnhhb.exe 3012 pjpjp.exe 2604 lrrfrrr.exe 2440 vppjv.exe 692 rlrlfrl.exe 3016 vdddv.exe 1004 pdjjv.exe 1096 rfrflfl.exe 3776 nnnhhb.exe 2292 jdvpp.exe 1456 xrxrrll.exe 1160 frxrlfx.exe 1116 7ppjd.exe 864 rxfflfl.exe 3680 bhnbtt.exe 3252 vvjjj.exe 2948 llrrrll.exe 2220 hhhbhh.exe 4500 9rxrllf.exe 3516 1lfxrxr.exe 2716 hhbbtt.exe 1940 7pvpj.exe 1168 btttnn.exe 1240 pdjdd.exe 4512 rllfrrl.exe 3800 nnbnhb.exe 4832 vpdvd.exe 4384 lrflxrr.exe 4400 ffrlxxr.exe 4784 7btnht.exe 4440 1xxrllx.exe 4420 nttnnn.exe 3752 hhtnnh.exe 4024 jpjdd.exe 2924 rxxrfrl.exe 2456 rlfxllf.exe 3852 htthnh.exe 2764 pddvp.exe 2184 lflfrrl.exe 4872 bnhbbb.exe 4780 bnbnbn.exe 4452 jvpvd.exe 3280 lxxxlfr.exe -
resource yara_rule behavioral2/memory/1336-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2604-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-303-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/804-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-670-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1336 wrote to memory of 4440 1336 de0f55352a8725a046b2a2c5a2a0fd0d67d86dac61f85f07e0a23ad56ec3b799N.exe 84 PID 1336 wrote to memory of 4440 1336 de0f55352a8725a046b2a2c5a2a0fd0d67d86dac61f85f07e0a23ad56ec3b799N.exe 84 PID 1336 wrote to memory of 4440 1336 de0f55352a8725a046b2a2c5a2a0fd0d67d86dac61f85f07e0a23ad56ec3b799N.exe 84 PID 4440 wrote to memory of 4776 4440 1rrrrrl.exe 85 PID 4440 wrote to memory of 4776 4440 1rrrrrl.exe 85 PID 4440 wrote to memory of 4776 4440 1rrrrrl.exe 85 PID 4776 wrote to memory of 3316 4776 nbbbnn.exe 86 PID 4776 wrote to memory of 3316 4776 nbbbnn.exe 86 PID 4776 wrote to memory of 3316 4776 nbbbnn.exe 86 PID 3316 wrote to memory of 3992 3316 7nhbhh.exe 87 PID 3316 wrote to memory of 3992 3316 7nhbhh.exe 87 PID 3316 wrote to memory of 3992 3316 7nhbhh.exe 87 PID 3992 wrote to memory of 1572 3992 dpjjd.exe 88 PID 3992 wrote to memory of 1572 3992 dpjjd.exe 88 PID 3992 wrote to memory of 1572 3992 dpjjd.exe 88 PID 1572 wrote to memory of 4760 1572 thnbtn.exe 89 PID 1572 wrote to memory of 4760 1572 thnbtn.exe 89 PID 1572 wrote to memory of 4760 1572 thnbtn.exe 89 PID 4760 wrote to memory of 2636 4760 rlllffx.exe 90 PID 4760 wrote to memory of 2636 4760 rlllffx.exe 90 PID 4760 wrote to memory of 2636 4760 rlllffx.exe 90 PID 2636 wrote to memory of 4040 2636 xxxrrrl.exe 91 PID 2636 wrote to memory of 4040 2636 xxxrrrl.exe 91 PID 2636 wrote to memory of 4040 2636 xxxrrrl.exe 91 PID 4040 wrote to memory of 2468 4040 lxffxfx.exe 92 PID 4040 wrote to memory of 2468 4040 lxffxfx.exe 92 PID 4040 wrote to memory of 2468 4040 lxffxfx.exe 92 PID 2468 wrote to memory of 4268 2468 jdjdv.exe 93 PID 2468 wrote to memory of 4268 2468 jdjdv.exe 93 PID 2468 wrote to memory of 4268 2468 jdjdv.exe 93 PID 4268 wrote to memory of 1892 4268 fxxrlfx.exe 94 PID 4268 wrote to memory of 1892 4268 fxxrlfx.exe 94 PID 4268 wrote to memory of 1892 4268 fxxrlfx.exe 94 PID 1892 wrote to memory of 1768 1892 ntbnhn.exe 95 PID 
1892 wrote to memory of 1768 1892 ntbnhn.exe 95 PID 1892 wrote to memory of 1768 1892 ntbnhn.exe 95 PID 1768 wrote to memory of 1908 1768 fxlxrlx.exe 96 PID 1768 wrote to memory of 1908 1768 fxlxrlx.exe 96 PID 1768 wrote to memory of 1908 1768 fxlxrlx.exe 96 PID 1908 wrote to memory of 1268 1908 pddvp.exe 97 PID 1908 wrote to memory of 1268 1908 pddvp.exe 97 PID 1908 wrote to memory of 1268 1908 pddvp.exe 97 PID 1268 wrote to memory of 4028 1268 dpppj.exe 98 PID 1268 wrote to memory of 4028 1268 dpppj.exe 98 PID 1268 wrote to memory of 4028 1268 dpppj.exe 98 PID 4028 wrote to memory of 2364 4028 5nnhbt.exe 99 PID 4028 wrote to memory of 2364 4028 5nnhbt.exe 99 PID 4028 wrote to memory of 2364 4028 5nnhbt.exe 99 PID 2364 wrote to memory of 2548 2364 1bbttt.exe 100 PID 2364 wrote to memory of 2548 2364 1bbttt.exe 100 PID 2364 wrote to memory of 2548 2364 1bbttt.exe 100 PID 2548 wrote to memory of 852 2548 frrlffx.exe 101 PID 2548 wrote to memory of 852 2548 frrlffx.exe 101 PID 2548 wrote to memory of 852 2548 frrlffx.exe 101 PID 852 wrote to memory of 2472 852 dvvpd.exe 102 PID 852 wrote to memory of 2472 852 dvvpd.exe 102 PID 852 wrote to memory of 2472 852 dvvpd.exe 102 PID 2472 wrote to memory of 2380 2472 lfrxxrl.exe 103 PID 2472 wrote to memory of 2380 2472 lfrxxrl.exe 103 PID 2472 wrote to memory of 2380 2472 lfrxxrl.exe 103 PID 2380 wrote to memory of 1932 2380 hhbttb.exe 104 PID 2380 wrote to memory of 1932 2380 hhbttb.exe 104 PID 2380 wrote to memory of 1932 2380 hhbttb.exe 104 PID 1932 wrote to memory of 1632 1932 lrxrrrl.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\de0f55352a8725a046b2a2c5a2a0fd0d67d86dac61f85f07e0a23ad56ec3b799N.exe"C:\Users\Admin\AppData\Local\Temp\de0f55352a8725a046b2a2c5a2a0fd0d67d86dac61f85f07e0a23ad56ec3b799N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\1rrrrrl.exec:\1rrrrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\nbbbnn.exec:\nbbbnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\7nhbhh.exec:\7nhbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\dpjjd.exec:\dpjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\thnbtn.exec:\thnbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\rlllffx.exec:\rlllffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\lxffxfx.exec:\lxffxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\jdjdv.exec:\jdjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\ntbnhn.exec:\ntbnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\fxlxrlx.exec:\fxlxrlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\pddvp.exec:\pddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\dpppj.exec:\dpppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\5nnhbt.exec:\5nnhbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\1bbttt.exec:\1bbttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\frrlffx.exec:\frrlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\dvvpd.exec:\dvvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\lfrxxrl.exec:\lfrxxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\hhbttb.exec:\hhbttb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\lrxrrrl.exec:\lrxrrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\tnnhhb.exec:\tnnhhb.exe23⤵
- Executes dropped EXE
PID:1632 -
\??\c:\pjpjp.exec:\pjpjp.exe24⤵
- Executes dropped EXE
PID:3012 -
\??\c:\lrrfrrr.exec:\lrrfrrr.exe25⤵
- Executes dropped EXE
PID:2604 -
\??\c:\vppjv.exec:\vppjv.exe26⤵
- Executes dropped EXE
PID:2440 -
\??\c:\rlrlfrl.exec:\rlrlfrl.exe27⤵
- Executes dropped EXE
PID:692 -
\??\c:\vdddv.exec:\vdddv.exe28⤵
- Executes dropped EXE
PID:3016 -
\??\c:\pdjjv.exec:\pdjjv.exe29⤵
- Executes dropped EXE
PID:1004 -
\??\c:\rfrflfl.exec:\rfrflfl.exe30⤵
- Executes dropped EXE
PID:1096 -
\??\c:\nnnhhb.exec:\nnnhhb.exe31⤵
- Executes dropped EXE
PID:3776 -
\??\c:\jdvpp.exec:\jdvpp.exe32⤵
- Executes dropped EXE
PID:2292 -
\??\c:\xrxrrll.exec:\xrxrrll.exe33⤵
- Executes dropped EXE
PID:1456 -
\??\c:\frxrlfx.exec:\frxrlfx.exe34⤵
- Executes dropped EXE
PID:1160 -
\??\c:\7ppjd.exec:\7ppjd.exe35⤵
- Executes dropped EXE
PID:1116 -
\??\c:\rxfflfl.exec:\rxfflfl.exe36⤵
- Executes dropped EXE
PID:864 -
\??\c:\bhnbtt.exec:\bhnbtt.exe37⤵
- Executes dropped EXE
PID:3680 -
\??\c:\vvjjj.exec:\vvjjj.exe38⤵
- Executes dropped EXE
PID:3252 -
\??\c:\llrrrll.exec:\llrrrll.exe39⤵
- Executes dropped EXE
PID:2948 -
\??\c:\hhhbhh.exec:\hhhbhh.exe40⤵
- Executes dropped EXE
PID:2220 -
\??\c:\9rxrllf.exec:\9rxrllf.exe41⤵
- Executes dropped EXE
PID:4500 -
\??\c:\1lfxrxr.exec:\1lfxrxr.exe42⤵
- Executes dropped EXE
PID:3516 -
\??\c:\hhbbtt.exec:\hhbbtt.exe43⤵
- Executes dropped EXE
PID:2716 -
\??\c:\7pvpj.exec:\7pvpj.exe44⤵
- Executes dropped EXE
PID:1940 -
\??\c:\btttnn.exec:\btttnn.exe45⤵
- Executes dropped EXE
PID:1168 -
\??\c:\pdjdd.exec:\pdjdd.exe46⤵
- Executes dropped EXE
PID:1240 -
\??\c:\rllfrrl.exec:\rllfrrl.exe47⤵
- Executes dropped EXE
PID:4512 -
\??\c:\nnbnhb.exec:\nnbnhb.exe48⤵
- Executes dropped EXE
PID:3800 -
\??\c:\vpdvd.exec:\vpdvd.exe49⤵
- Executes dropped EXE
PID:4832 -
\??\c:\lrflxrr.exec:\lrflxrr.exe50⤵
- Executes dropped EXE
PID:4384 -
\??\c:\ffrlxxr.exec:\ffrlxxr.exe51⤵
- Executes dropped EXE
PID:4400 -
\??\c:\7btnht.exec:\7btnht.exe52⤵
- Executes dropped EXE
PID:4784 -
\??\c:\1xxrllx.exec:\1xxrllx.exe53⤵
- Executes dropped EXE
PID:4440 -
\??\c:\nttnnn.exec:\nttnnn.exe54⤵
- Executes dropped EXE
PID:4420 -
\??\c:\hhtnnh.exec:\hhtnnh.exe55⤵
- Executes dropped EXE
PID:3752 -
\??\c:\jpjdd.exec:\jpjdd.exe56⤵
- Executes dropped EXE
PID:4024 -
\??\c:\rxxrfrl.exec:\rxxrfrl.exe57⤵
- Executes dropped EXE
PID:2924 -
\??\c:\rlfxllf.exec:\rlfxllf.exe58⤵
- Executes dropped EXE
PID:2456 -
\??\c:\htthnh.exec:\htthnh.exe59⤵
- Executes dropped EXE
PID:3852 -
\??\c:\pddvp.exec:\pddvp.exe60⤵
- Executes dropped EXE
PID:2764 -
\??\c:\lflfrrl.exec:\lflfrrl.exe61⤵
- Executes dropped EXE
PID:2184 -
\??\c:\bnhbbb.exec:\bnhbbb.exe62⤵
- Executes dropped EXE
PID:4872 -
\??\c:\bnbnbn.exec:\bnbnbn.exe63⤵
- Executes dropped EXE
PID:4780 -
\??\c:\jvpvd.exec:\jvpvd.exe64⤵
- Executes dropped EXE
PID:4452 -
\??\c:\lxxxlfr.exec:\lxxxlfr.exe65⤵
- Executes dropped EXE
PID:3280 -
\??\c:\hbnbtt.exec:\hbnbtt.exe66⤵PID:4740
-
\??\c:\vjjdp.exec:\vjjdp.exe67⤵PID:4788
-
\??\c:\lffxlll.exec:\lffxlll.exe68⤵PID:804
-
\??\c:\ffxflff.exec:\ffxflff.exe69⤵PID:2448
-
\??\c:\thnhbt.exec:\thnhbt.exe70⤵PID:4164
-
\??\c:\1ddvj.exec:\1ddvj.exe71⤵PID:4712
-
\??\c:\lffxlll.exec:\lffxlll.exe72⤵PID:4900
-
\??\c:\9fxfxrl.exec:\9fxfxrl.exe73⤵PID:3320
-
\??\c:\9nnhbt.exec:\9nnhbt.exe74⤵PID:1884
-
\??\c:\jpvpd.exec:\jpvpd.exe75⤵PID:2668
-
\??\c:\xllfxxr.exec:\xllfxxr.exe76⤵PID:1812
-
\??\c:\1tnnbb.exec:\1tnnbb.exe77⤵PID:3564
-
\??\c:\dvpjd.exec:\dvpjd.exe78⤵PID:2472
-
\??\c:\5rrrrrl.exec:\5rrrrrl.exe79⤵PID:1680
-
\??\c:\thnbnh.exec:\thnbnh.exe80⤵PID:4920
-
\??\c:\bnhtnh.exec:\bnhtnh.exe81⤵PID:1932
-
\??\c:\3jjvj.exec:\3jjvj.exe82⤵PID:2024
-
\??\c:\ffxrffx.exec:\ffxrffx.exe83⤵PID:4152
-
\??\c:\tbnhbb.exec:\tbnhbb.exe84⤵PID:2384
-
\??\c:\vjdpj.exec:\vjdpj.exe85⤵PID:3936
-
\??\c:\7dpdv.exec:\7dpdv.exe86⤵PID:1220
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe87⤵PID:1588
-
\??\c:\1nhttn.exec:\1nhttn.exe88⤵PID:2104
-
\??\c:\pdjpv.exec:\pdjpv.exe89⤵PID:5052
-
\??\c:\dvvjd.exec:\dvvjd.exe90⤵PID:1408
-
\??\c:\rrrllff.exec:\rrrllff.exe91⤵PID:372
-
\??\c:\ntnhtn.exec:\ntnhtn.exe92⤵PID:2872
-
\??\c:\ddpjp.exec:\ddpjp.exe93⤵PID:4588
-
\??\c:\vvjpp.exec:\vvjpp.exe94⤵PID:932
-
\??\c:\xrxlrlr.exec:\xrxlrlr.exe95⤵PID:1456
-
\??\c:\hntttb.exec:\hntttb.exe96⤵PID:4324
-
\??\c:\3pvvp.exec:\3pvvp.exe97⤵PID:3472
-
\??\c:\pjdjv.exec:\pjdjv.exe98⤵PID:3664
-
\??\c:\1frlxrr.exec:\1frlxrr.exe99⤵PID:864
-
\??\c:\bbnbtn.exec:\bbnbtn.exe100⤵PID:4604
-
\??\c:\vvjdj.exec:\vvjdj.exe101⤵PID:1528
-
\??\c:\frlxrll.exec:\frlxrll.exe102⤵PID:2180
-
\??\c:\5tnnhh.exec:\5tnnhh.exe103⤵PID:4012
-
\??\c:\hhtthh.exec:\hhtthh.exe104⤵PID:3648
-
\??\c:\vvdvj.exec:\vvdvj.exe105⤵PID:5116
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe106⤵PID:1920
-
\??\c:\lxlfflf.exec:\lxlfflf.exe107⤵PID:2716
-
\??\c:\1ntttt.exec:\1ntttt.exe108⤵PID:4932
-
\??\c:\pdpvp.exec:\pdpvp.exe109⤵PID:3216
-
\??\c:\9ppvj.exec:\9ppvj.exe110⤵PID:1240
-
\??\c:\1fxxrll.exec:\1fxxrll.exe111⤵PID:4512
-
\??\c:\tbhbtn.exec:\tbhbtn.exe112⤵PID:3800
-
\??\c:\dvvpv.exec:\dvvpv.exe113⤵PID:4148
-
\??\c:\pppjp.exec:\pppjp.exe114⤵PID:4384
-
\??\c:\1bnhhh.exec:\1bnhhh.exe115⤵PID:1336
-
\??\c:\pdvpj.exec:\pdvpj.exe116⤵PID:4784
-
\??\c:\llfxxxx.exec:\llfxxxx.exe117⤵PID:4440
-
\??\c:\hnttnn.exec:\hnttnn.exe118⤵PID:1416
-
\??\c:\vjjvp.exec:\vjjvp.exe119⤵PID:4360
-
\??\c:\pjjvj.exec:\pjjvj.exe120⤵PID:3316
-
\??\c:\7xxrffx.exec:\7xxrffx.exe121⤵PID:4108
-
\??\c:\tbnhtt.exec:\tbnhtt.exe122⤵PID:2924