Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 03:48
Behavioral task
behavioral1
Sample
e6274c8a0616b59303163293275e61d9beaf9f94e642957a303bcdd219c0bf09.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
e6274c8a0616b59303163293275e61d9beaf9f94e642957a303bcdd219c0bf09.exe
-
Size
332KB
-
MD5
99167023fd809d3a45bb65dec835873a
-
SHA1
119906930935cbe29a24d1bbfd64cd06b578eeda
-
SHA256
e6274c8a0616b59303163293275e61d9beaf9f94e642957a303bcdd219c0bf09
-
SHA512
e381dd99b9b1774fb9727b2262cd162ece30bc93f20fd468c0ca893acdf28421c1cac63e1a5d40eb60218ffc72ddd00b161d658671e83423c51c5253add0d764
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbel:R4wFHoSHYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4504-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1084-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/680-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1284-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3736-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1852-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/728-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3020-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2356-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/676-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4692-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/552-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/876-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4952-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2684-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1464-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1756-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3028-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-458-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-506-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3732-521-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-586-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-636-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-646-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/636-746-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4488 dddjd.exe 4372 nthhhn.exe 2372 pdjjd.exe 2060 vpjvp.exe 1336 rrrrlrl.exe 1084 tttbbt.exe 2468 lxxxrxx.exe 2896 dvpjv.exe 680 5frrxfl.exe 3628 nthbtt.exe 4144 lffxllf.exe 1284 hnnnhh.exe 3068 vdvdj.exe 3936 xlxrlll.exe 4876 7vjdd.exe 3688 3rrlxrl.exe 5112 nbhhbb.exe 4008 1ddvj.exe 4004 lffrfxr.exe 4564 jvdjv.exe 3356 vvvdv.exe 4012 rflfxrl.exe 2868 bttnht.exe 1656 rffrfxl.exe 3736 tnthth.exe 3168 jvjdj.exe 2212 fffxrlf.exe 1852 bbtnnh.exe 728 jpdvp.exe 64 vdjjp.exe 4616 nbbnbn.exe 3464 dppvj.exe 3300 rfllfxx.exe 4088 fxlxxrx.exe 1600 1nttnn.exe 5028 djvdd.exe 1296 vppvv.exe 1536 rrrrrrr.exe 5108 tnhbbh.exe 3160 ppjjv.exe 4072 lllfxxr.exe 3020 7fxxrrr.exe 2356 jdddv.exe 676 ppvvj.exe 4132 fllffxr.exe 4600 hbbtnn.exe 1860 5jppv.exe 3564 5vvpd.exe 4948 lrxxxxx.exe 5100 nnhbtn.exe 4692 9pjdv.exe 1532 vvjdd.exe 3608 ffllfll.exe 2700 lrrxxrl.exe 1968 ttbnhb.exe 5072 pjppp.exe 2852 rrrlxxr.exe 8 nbbbbb.exe 1416 thhbtn.exe 4076 pddvp.exe 4412 fxxrlfx.exe 3100 frrflrl.exe 4504 thhbnt.exe 4316 5nnnhn.exe -
resource yara_rule behavioral2/memory/4504-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b53-3.dat upx behavioral2/memory/4504-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4488-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7a-8.dat upx behavioral2/files/0x000a000000023b7b-11.dat upx behavioral2/files/0x000a000000023b7c-19.dat upx behavioral2/memory/2060-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4372-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2372-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-24.dat upx behavioral2/memory/1336-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2060-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-31.dat upx behavioral2/memory/1084-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b7f-35.dat upx behavioral2/memory/1084-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b80-40.dat upx behavioral2/memory/2468-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b81-45.dat upx behavioral2/memory/680-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-50.dat upx behavioral2/files/0x000a000000023b83-54.dat upx behavioral2/memory/4144-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-59.dat upx behavioral2/memory/1284-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-65.dat upx behavioral2/memory/3068-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-69.dat upx behavioral2/files/0x000a000000023b87-73.dat upx behavioral2/files/0x000a000000023b88-77.dat upx 
behavioral2/memory/4876-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3688-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-83.dat upx behavioral2/files/0x000a000000023b8a-87.dat upx behavioral2/memory/5112-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b77-92.dat upx behavioral2/memory/4008-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-97.dat upx behavioral2/memory/4564-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-101.dat upx behavioral2/files/0x000a000000023b8d-107.dat upx behavioral2/memory/3356-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-112.dat upx behavioral2/files/0x000a000000023b8f-115.dat upx behavioral2/files/0x000a000000023b90-119.dat upx behavioral2/files/0x000a000000023b91-123.dat upx behavioral2/memory/3736-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-129.dat upx behavioral2/memory/3168-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-134.dat upx behavioral2/memory/2212-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1852-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-140.dat upx behavioral2/files/0x000a000000023b95-143.dat upx behavioral2/memory/64-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/728-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-149.dat upx behavioral2/files/0x000a000000023b98-154.dat upx behavioral2/memory/4616-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1536-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5108-173-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3020-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2356-183-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3frllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4504 wrote to memory of 4488 4504 e6274c8a0616b59303163293275e61d9beaf9f94e642957a303bcdd219c0bf09.exe 82 PID 4504 wrote to memory of 4488 4504 e6274c8a0616b59303163293275e61d9beaf9f94e642957a303bcdd219c0bf09.exe 82 PID 4504 wrote to memory of 4488 4504 e6274c8a0616b59303163293275e61d9beaf9f94e642957a303bcdd219c0bf09.exe 82 PID 4488 wrote to memory of 4372 4488 dddjd.exe 83 PID 4488 wrote to memory of 4372 4488 dddjd.exe 83 PID 4488 wrote to memory of 4372 4488 dddjd.exe 83 PID 4372 wrote to memory of 2372 4372 nthhhn.exe 84 PID 4372 wrote to memory of 2372 4372 nthhhn.exe 84 PID 4372 wrote to memory of 2372 4372 nthhhn.exe 84 PID 2372 wrote to memory of 2060 2372 pdjjd.exe 85 PID 2372 wrote to memory of 2060 2372 pdjjd.exe 85 PID 2372 wrote to memory of 2060 2372 pdjjd.exe 85 PID 2060 wrote to memory of 1336 2060 vpjvp.exe 86 PID 2060 wrote to memory of 1336 2060 vpjvp.exe 86 PID 2060 wrote to memory of 1336 2060 vpjvp.exe 86 PID 1336 wrote to memory of 1084 1336 rrrrlrl.exe 87 PID 1336 wrote to memory of 1084 1336 rrrrlrl.exe 87 PID 1336 wrote to memory of 1084 1336 rrrrlrl.exe 87 PID 1084 wrote to memory of 2468 1084 tttbbt.exe 88 PID 1084 wrote to memory of 2468 1084 tttbbt.exe 88 PID 1084 wrote to memory of 2468 1084 tttbbt.exe 88 PID 2468 wrote to memory of 2896 2468 lxxxrxx.exe 89 PID 2468 wrote to memory of 2896 2468 lxxxrxx.exe 89 PID 2468 wrote to memory of 2896 2468 lxxxrxx.exe 89 PID 2896 wrote to memory of 680 2896 dvpjv.exe 90 PID 2896 wrote to memory of 680 2896 dvpjv.exe 90 PID 2896 wrote to memory of 680 2896 dvpjv.exe 90 PID 680 wrote to memory of 3628 680 5frrxfl.exe 91 PID 680 wrote to memory of 3628 680 5frrxfl.exe 91 PID 680 wrote to memory of 3628 680 5frrxfl.exe 91 PID 3628 wrote to memory of 4144 3628 nthbtt.exe 92 PID 3628 wrote to memory of 4144 3628 nthbtt.exe 92 PID 3628 wrote to memory of 4144 3628 nthbtt.exe 92 PID 4144 wrote to memory of 1284 4144 lffxllf.exe 93 PID 4144 wrote to memory of 
1284 4144 lffxllf.exe 93 PID 4144 wrote to memory of 1284 4144 lffxllf.exe 93 PID 1284 wrote to memory of 3068 1284 hnnnhh.exe 94 PID 1284 wrote to memory of 3068 1284 hnnnhh.exe 94 PID 1284 wrote to memory of 3068 1284 hnnnhh.exe 94 PID 3068 wrote to memory of 3936 3068 vdvdj.exe 95 PID 3068 wrote to memory of 3936 3068 vdvdj.exe 95 PID 3068 wrote to memory of 3936 3068 vdvdj.exe 95 PID 3936 wrote to memory of 4876 3936 xlxrlll.exe 96 PID 3936 wrote to memory of 4876 3936 xlxrlll.exe 96 PID 3936 wrote to memory of 4876 3936 xlxrlll.exe 96 PID 4876 wrote to memory of 3688 4876 7vjdd.exe 97 PID 4876 wrote to memory of 3688 4876 7vjdd.exe 97 PID 4876 wrote to memory of 3688 4876 7vjdd.exe 97 PID 3688 wrote to memory of 5112 3688 3rrlxrl.exe 98 PID 3688 wrote to memory of 5112 3688 3rrlxrl.exe 98 PID 3688 wrote to memory of 5112 3688 3rrlxrl.exe 98 PID 5112 wrote to memory of 4008 5112 nbhhbb.exe 99 PID 5112 wrote to memory of 4008 5112 nbhhbb.exe 99 PID 5112 wrote to memory of 4008 5112 nbhhbb.exe 99 PID 4008 wrote to memory of 4004 4008 1ddvj.exe 100 PID 4008 wrote to memory of 4004 4008 1ddvj.exe 100 PID 4008 wrote to memory of 4004 4008 1ddvj.exe 100 PID 4004 wrote to memory of 4564 4004 lffrfxr.exe 101 PID 4004 wrote to memory of 4564 4004 lffrfxr.exe 101 PID 4004 wrote to memory of 4564 4004 lffrfxr.exe 101 PID 4564 wrote to memory of 3356 4564 jvdjv.exe 102 PID 4564 wrote to memory of 3356 4564 jvdjv.exe 102 PID 4564 wrote to memory of 3356 4564 jvdjv.exe 102 PID 3356 wrote to memory of 4012 3356 vvvdv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6274c8a0616b59303163293275e61d9beaf9f94e642957a303bcdd219c0bf09.exe"C:\Users\Admin\AppData\Local\Temp\e6274c8a0616b59303163293275e61d9beaf9f94e642957a303bcdd219c0bf09.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\dddjd.exec:\dddjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\nthhhn.exec:\nthhhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\pdjjd.exec:\pdjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\vpjvp.exec:\vpjvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\rrrrlrl.exec:\rrrrlrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\tttbbt.exec:\tttbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\lxxxrxx.exec:\lxxxrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\dvpjv.exec:\dvpjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\5frrxfl.exec:\5frrxfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\nthbtt.exec:\nthbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\lffxllf.exec:\lffxllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\hnnnhh.exec:\hnnnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\vdvdj.exec:\vdvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\xlxrlll.exec:\xlxrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\7vjdd.exec:\7vjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\3rrlxrl.exec:\3rrlxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\nbhhbb.exec:\nbhhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\1ddvj.exec:\1ddvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\lffrfxr.exec:\lffrfxr.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\jvdjv.exec:\jvdjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\vvvdv.exec:\vvvdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\rflfxrl.exec:\rflfxrl.exe23⤵
- Executes dropped EXE
PID:4012 -
\??\c:\bttnht.exec:\bttnht.exe24⤵
- Executes dropped EXE
PID:2868 -
\??\c:\rffrfxl.exec:\rffrfxl.exe25⤵
- Executes dropped EXE
PID:1656 -
\??\c:\tnthth.exec:\tnthth.exe26⤵
- Executes dropped EXE
PID:3736 -
\??\c:\jvjdj.exec:\jvjdj.exe27⤵
- Executes dropped EXE
PID:3168 -
\??\c:\fffxrlf.exec:\fffxrlf.exe28⤵
- Executes dropped EXE
PID:2212 -
\??\c:\bbtnnh.exec:\bbtnnh.exe29⤵
- Executes dropped EXE
PID:1852 -
\??\c:\jpdvp.exec:\jpdvp.exe30⤵
- Executes dropped EXE
PID:728 -
\??\c:\vdjjp.exec:\vdjjp.exe31⤵
- Executes dropped EXE
PID:64 -
\??\c:\nbbnbn.exec:\nbbnbn.exe32⤵
- Executes dropped EXE
PID:4616 -
\??\c:\dppvj.exec:\dppvj.exe33⤵
- Executes dropped EXE
PID:3464 -
\??\c:\rfllfxx.exec:\rfllfxx.exe34⤵
- Executes dropped EXE
PID:3300 -
\??\c:\fxlxxrx.exec:\fxlxxrx.exe35⤵
- Executes dropped EXE
PID:4088 -
\??\c:\1nttnn.exec:\1nttnn.exe36⤵
- Executes dropped EXE
PID:1600 -
\??\c:\djvdd.exec:\djvdd.exe37⤵
- Executes dropped EXE
PID:5028 -
\??\c:\vppvv.exec:\vppvv.exe38⤵
- Executes dropped EXE
PID:1296 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe39⤵
- Executes dropped EXE
PID:1536 -
\??\c:\tnhbbh.exec:\tnhbbh.exe40⤵
- Executes dropped EXE
PID:5108 -
\??\c:\ppjjv.exec:\ppjjv.exe41⤵
- Executes dropped EXE
PID:3160 -
\??\c:\lllfxxr.exec:\lllfxxr.exe42⤵
- Executes dropped EXE
PID:4072 -
\??\c:\7fxxrrr.exec:\7fxxrrr.exe43⤵
- Executes dropped EXE
PID:3020 -
\??\c:\jdddv.exec:\jdddv.exe44⤵
- Executes dropped EXE
PID:2356 -
\??\c:\ppvvj.exec:\ppvvj.exe45⤵
- Executes dropped EXE
PID:676 -
\??\c:\fllffxr.exec:\fllffxr.exe46⤵
- Executes dropped EXE
PID:4132 -
\??\c:\hbbtnn.exec:\hbbtnn.exe47⤵
- Executes dropped EXE
PID:4600 -
\??\c:\5jppv.exec:\5jppv.exe48⤵
- Executes dropped EXE
PID:1860 -
\??\c:\5vvpd.exec:\5vvpd.exe49⤵
- Executes dropped EXE
PID:3564 -
\??\c:\lrxxxxx.exec:\lrxxxxx.exe50⤵
- Executes dropped EXE
PID:4948 -
\??\c:\nnhbtn.exec:\nnhbtn.exe51⤵
- Executes dropped EXE
PID:5100 -
\??\c:\9pjdv.exec:\9pjdv.exe52⤵
- Executes dropped EXE
PID:4692 -
\??\c:\vvjdd.exec:\vvjdd.exe53⤵
- Executes dropped EXE
PID:1532 -
\??\c:\ffllfll.exec:\ffllfll.exe54⤵
- Executes dropped EXE
PID:3608 -
\??\c:\lrrxxrl.exec:\lrrxxrl.exe55⤵
- Executes dropped EXE
PID:2700 -
\??\c:\ttbnhb.exec:\ttbnhb.exe56⤵
- Executes dropped EXE
PID:1968 -
\??\c:\pjppp.exec:\pjppp.exe57⤵
- Executes dropped EXE
PID:5072 -
\??\c:\rrrlxxr.exec:\rrrlxxr.exe58⤵
- Executes dropped EXE
PID:2852 -
\??\c:\nbbbbb.exec:\nbbbbb.exe59⤵
- Executes dropped EXE
PID:8 -
\??\c:\thhbtn.exec:\thhbtn.exe60⤵
- Executes dropped EXE
PID:1416 -
\??\c:\pddvp.exec:\pddvp.exe61⤵
- Executes dropped EXE
PID:4076 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe62⤵
- Executes dropped EXE
PID:4412 -
\??\c:\frrflrl.exec:\frrflrl.exe63⤵
- Executes dropped EXE
PID:3100 -
\??\c:\thhbnt.exec:\thhbnt.exe64⤵
- Executes dropped EXE
PID:4504 -
\??\c:\5nnnhn.exec:\5nnnhn.exe65⤵
- Executes dropped EXE
PID:4316 -
\??\c:\1ppdv.exec:\1ppdv.exe66⤵PID:552
-
\??\c:\xlrffxx.exec:\xlrffxx.exe67⤵PID:4352
-
\??\c:\9flfllr.exec:\9flfllr.exe68⤵PID:3592
-
\??\c:\bhnbtn.exec:\bhnbtn.exe69⤵PID:4596
-
\??\c:\bbhnhb.exec:\bbhnhb.exe70⤵PID:3876
-
\??\c:\vdjdp.exec:\vdjdp.exe71⤵PID:1376
-
\??\c:\jdvpd.exec:\jdvpd.exe72⤵PID:4808
-
\??\c:\1lxrffx.exec:\1lxrffx.exe73⤵PID:876
-
\??\c:\tbbbtt.exec:\tbbbtt.exe74⤵PID:4180
-
\??\c:\jpppj.exec:\jpppj.exe75⤵PID:4800
-
\??\c:\vdjdp.exec:\vdjdp.exe76⤵PID:4308
-
\??\c:\lffrlfx.exec:\lffrlfx.exe77⤵PID:4952
-
\??\c:\bttnbb.exec:\bttnbb.exe78⤵PID:1840
-
\??\c:\7nnhtb.exec:\7nnhtb.exe79⤵PID:2996
-
\??\c:\ddjpj.exec:\ddjpj.exe80⤵PID:3880
-
\??\c:\xrfxxrr.exec:\xrfxxrr.exe81⤵PID:956
-
\??\c:\9rlfrlf.exec:\9rlfrlf.exe82⤵PID:832
-
\??\c:\tnhbbt.exec:\tnhbbt.exe83⤵PID:388
-
\??\c:\7jppd.exec:\7jppd.exe84⤵PID:1076
-
\??\c:\vjjvj.exec:\vjjvj.exe85⤵PID:4748
-
\??\c:\xlrlrlx.exec:\xlrlrlx.exe86⤵PID:3596
-
\??\c:\btnnhh.exec:\btnnhh.exe87⤵PID:4444
-
\??\c:\hnnhnh.exec:\hnnhnh.exe88⤵PID:2684
-
\??\c:\vjjvv.exec:\vjjvv.exe89⤵PID:3520
-
\??\c:\frxlxrr.exec:\frxlxrr.exe90⤵PID:2680
-
\??\c:\rlxxrrl.exec:\rlxxrrl.exe91⤵PID:4188
-
\??\c:\hbttnt.exec:\hbttnt.exe92⤵PID:4008
-
\??\c:\tnnntn.exec:\tnnntn.exe93⤵PID:4172
-
\??\c:\vdvpp.exec:\vdvpp.exe94⤵PID:712
-
\??\c:\pdvvp.exec:\pdvvp.exe95⤵PID:1352
-
\??\c:\rrllffx.exec:\rrllffx.exe96⤵PID:3456
-
\??\c:\thhbtt.exec:\thhbtt.exe97⤵PID:3692
-
\??\c:\jdvjv.exec:\jdvjv.exe98⤵PID:4012
-
\??\c:\pjvjj.exec:\pjvjj.exe99⤵PID:3248
-
\??\c:\lflllll.exec:\lflllll.exe100⤵PID:4988
-
\??\c:\lflffff.exec:\lflffff.exe101⤵PID:1224
-
\??\c:\nbbnbt.exec:\nbbnbt.exe102⤵PID:4028
-
\??\c:\3vpjd.exec:\3vpjd.exe103⤵PID:2972
-
\??\c:\thnnbt.exec:\thnnbt.exe104⤵
- System Location Discovery: System Language Discovery
PID:2212 -
\??\c:\hhnnnn.exec:\hhnnnn.exe105⤵PID:1960
-
\??\c:\jjjvj.exec:\jjjvj.exe106⤵PID:660
-
\??\c:\dvpjd.exec:\dvpjd.exe107⤵PID:728
-
\??\c:\rfxxfrl.exec:\rfxxfrl.exe108⤵PID:4636
-
\??\c:\htnthb.exec:\htnthb.exe109⤵PID:3480
-
\??\c:\ddddv.exec:\ddddv.exe110⤵PID:2652
-
\??\c:\jpvvv.exec:\jpvvv.exe111⤵PID:5032
-
\??\c:\rflffll.exec:\rflffll.exe112⤵PID:2792
-
\??\c:\xxfxrff.exec:\xxfxrff.exe113⤵PID:4044
-
\??\c:\9nbtbh.exec:\9nbtbh.exe114⤵PID:400
-
\??\c:\dvjdj.exec:\dvjdj.exe115⤵PID:4912
-
\??\c:\pddpd.exec:\pddpd.exe116⤵PID:1464
-
\??\c:\lflfxxr.exec:\lflfxxr.exe117⤵PID:2324
-
\??\c:\bttnhb.exec:\bttnhb.exe118⤵PID:3512
-
\??\c:\nhtnbb.exec:\nhtnbb.exe119⤵PID:5092
-
\??\c:\hnbbbb.exec:\hnbbbb.exe120⤵PID:1980
-
\??\c:\frlfrll.exec:\frlfrll.exe121⤵PID:4072
-
\??\c:\lxllrrl.exec:\lxllrrl.exe122⤵PID:3992