Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 03:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe
-
Size
453KB
-
MD5
1e2b62573b80ea2cd28e47c275b4b134
-
SHA1
bbeb5fb820a5483617467bd176e69b0f5f7b0834
-
SHA256
b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2
-
SHA512
b924fd7b30cdde181b37343dcf14ea251d15279b67c7cd3132668d0a2a0c58a70620040b88d801a0e9a03242d3383e94e6a6769dece56e02d60e5a7876ee4bb9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb0:q7Tc2NYHUrAwfMp3CDb0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4860-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1176-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4892-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-1124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-1175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4544-1323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 836 9llllll.exe 2764 vvjjv.exe 1744 ffxrxxf.exe 2664 bnnnnt.exe 1272 hhnhhh.exe 2960 fxxfxrl.exe 1692 vvvvv.exe 3904 tttntb.exe 1668 dvvvp.exe 2748 rfrrrrl.exe 3508 jvdvj.exe 2140 nthbtt.exe 2076 rlxxfff.exe 560 bhnntt.exe 3272 vvdpv.exe 808 lfxxrrl.exe 5052 lfffxfx.exe 4456 tnnbhh.exe 3948 5bbtnn.exe 4740 vpdvv.exe 3032 pjppj.exe 3844 xxfxxrr.exe 1176 vpvvp.exe 4732 tnhnbt.exe 2996 7ddvp.exe 3128 3rffffl.exe 1648 ttbtbh.exe 3808 tttthh.exe 3004 3thhnn.exe 3000 rllfxrr.exe 3380 flrllff.exe 2752 lffxrxr.exe 3408 vjppj.exe 1540 3jdvv.exe 1672 1lrrlxr.exe 3872 nhnnhh.exe 2912 pdjpv.exe 4760 xrrfxxx.exe 4804 xrfxxrr.exe 1568 btbnnn.exe 4316 dvjvj.exe 4304 jdjvv.exe 4860 rfxxlll.exe 3124 ttbhnn.exe 5016 vpdvd.exe 4532 lflffff.exe 1264 xfxfllr.exe 4340 tbnttt.exe 4840 ppvvv.exe 5028 pjpjj.exe 3016 rfxrxxx.exe 1616 1tbtnt.exe 1508 3jppj.exe 3020 rxlfxxx.exe 4432 hbnnhh.exe 1108 dvdvp.exe 1008 lfxrxxf.exe 3052 fxfxxxx.exe 1964 ttttnn.exe 2368 jdjjp.exe 3060 lfrrxfl.exe 3572 bnttnn.exe 1596 djjjd.exe 2600 rxfrxrl.exe -
resource yara_rule behavioral2/memory/4860-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-124-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1176-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/920-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-890-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4860 wrote to memory of 836 4860 b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe 83 PID 4860 wrote to memory of 836 4860 b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe 83 PID 4860 wrote to memory of 836 4860 b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe 83 PID 836 wrote to memory of 2764 836 9llllll.exe 84 PID 836 wrote to memory of 2764 836 9llllll.exe 84 PID 836 wrote to memory of 2764 836 9llllll.exe 84 PID 2764 wrote to memory of 1744 2764 vvjjv.exe 85 PID 2764 wrote to memory of 1744 2764 vvjjv.exe 85 PID 2764 wrote to memory of 1744 2764 vvjjv.exe 85 PID 1744 wrote to memory of 2664 1744 ffxrxxf.exe 86 PID 1744 wrote to memory of 2664 1744 ffxrxxf.exe 86 PID 1744 wrote to memory of 2664 1744 ffxrxxf.exe 86 PID 2664 wrote to memory of 1272 2664 bnnnnt.exe 87 PID 2664 wrote to memory of 1272 2664 bnnnnt.exe 87 PID 2664 wrote to memory of 1272 2664 bnnnnt.exe 87 PID 1272 wrote to memory of 2960 1272 hhnhhh.exe 88 PID 1272 wrote to memory of 2960 1272 hhnhhh.exe 88 PID 1272 wrote to memory of 2960 1272 hhnhhh.exe 88 PID 2960 wrote to memory of 1692 2960 fxxfxrl.exe 89 PID 2960 wrote to memory of 1692 2960 fxxfxrl.exe 89 PID 2960 wrote to memory of 1692 2960 fxxfxrl.exe 89 PID 1692 wrote to memory of 3904 1692 vvvvv.exe 90 PID 1692 wrote to memory of 3904 1692 vvvvv.exe 90 PID 1692 wrote to memory of 3904 1692 vvvvv.exe 90 PID 3904 wrote to memory of 1668 3904 tttntb.exe 91 PID 3904 wrote to memory of 1668 3904 tttntb.exe 91 PID 3904 wrote to memory of 1668 3904 tttntb.exe 91 PID 1668 wrote to memory of 2748 1668 dvvvp.exe 92 PID 1668 wrote to memory of 2748 1668 dvvvp.exe 92 PID 1668 wrote to memory of 2748 1668 dvvvp.exe 92 PID 2748 wrote to memory of 3508 2748 rfrrrrl.exe 93 PID 2748 wrote to memory of 3508 2748 rfrrrrl.exe 93 PID 2748 wrote to memory of 3508 2748 rfrrrrl.exe 93 PID 3508 wrote to memory of 2140 3508 jvdvj.exe 94 PID 3508 wrote to memory 
of 2140 3508 jvdvj.exe 94 PID 3508 wrote to memory of 2140 3508 jvdvj.exe 94 PID 2140 wrote to memory of 2076 2140 nthbtt.exe 95 PID 2140 wrote to memory of 2076 2140 nthbtt.exe 95 PID 2140 wrote to memory of 2076 2140 nthbtt.exe 95 PID 2076 wrote to memory of 560 2076 rlxxfff.exe 96 PID 2076 wrote to memory of 560 2076 rlxxfff.exe 96 PID 2076 wrote to memory of 560 2076 rlxxfff.exe 96 PID 560 wrote to memory of 3272 560 bhnntt.exe 97 PID 560 wrote to memory of 3272 560 bhnntt.exe 97 PID 560 wrote to memory of 3272 560 bhnntt.exe 97 PID 3272 wrote to memory of 808 3272 vvdpv.exe 98 PID 3272 wrote to memory of 808 3272 vvdpv.exe 98 PID 3272 wrote to memory of 808 3272 vvdpv.exe 98 PID 808 wrote to memory of 5052 808 lfxxrrl.exe 99 PID 808 wrote to memory of 5052 808 lfxxrrl.exe 99 PID 808 wrote to memory of 5052 808 lfxxrrl.exe 99 PID 5052 wrote to memory of 4456 5052 lfffxfx.exe 100 PID 5052 wrote to memory of 4456 5052 lfffxfx.exe 100 PID 5052 wrote to memory of 4456 5052 lfffxfx.exe 100 PID 4456 wrote to memory of 3948 4456 tnnbhh.exe 101 PID 4456 wrote to memory of 3948 4456 tnnbhh.exe 101 PID 4456 wrote to memory of 3948 4456 tnnbhh.exe 101 PID 3948 wrote to memory of 4740 3948 5bbtnn.exe 102 PID 3948 wrote to memory of 4740 3948 5bbtnn.exe 102 PID 3948 wrote to memory of 4740 3948 5bbtnn.exe 102 PID 4740 wrote to memory of 3032 4740 vpdvv.exe 103 PID 4740 wrote to memory of 3032 4740 vpdvv.exe 103 PID 4740 wrote to memory of 3032 4740 vpdvv.exe 103 PID 3032 wrote to memory of 3844 3032 pjppj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe"C:\Users\Admin\AppData\Local\Temp\b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\9llllll.exec:\9llllll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\vvjjv.exec:\vvjjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\ffxrxxf.exec:\ffxrxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\bnnnnt.exec:\bnnnnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\hhnhhh.exec:\hhnhhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\fxxfxrl.exec:\fxxfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\vvvvv.exec:\vvvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\tttntb.exec:\tttntb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\dvvvp.exec:\dvvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\rfrrrrl.exec:\rfrrrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\jvdvj.exec:\jvdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\nthbtt.exec:\nthbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\rlxxfff.exec:\rlxxfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\bhnntt.exec:\bhnntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
\??\c:\vvdpv.exec:\vvdpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\lfxxrrl.exec:\lfxxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\lfffxfx.exec:\lfffxfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\tnnbhh.exec:\tnnbhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\5bbtnn.exec:\5bbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\vpdvv.exec:\vpdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\pjppj.exec:\pjppj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\xxfxxrr.exec:\xxfxxrr.exe23⤵
- Executes dropped EXE
PID:3844 -
\??\c:\vpvvp.exec:\vpvvp.exe24⤵
- Executes dropped EXE
PID:1176 -
\??\c:\tnhnbt.exec:\tnhnbt.exe25⤵
- Executes dropped EXE
PID:4732 -
\??\c:\7ddvp.exec:\7ddvp.exe26⤵
- Executes dropped EXE
PID:2996 -
\??\c:\3rffffl.exec:\3rffffl.exe27⤵
- Executes dropped EXE
PID:3128 -
\??\c:\ttbtbh.exec:\ttbtbh.exe28⤵
- Executes dropped EXE
PID:1648 -
\??\c:\tttthh.exec:\tttthh.exe29⤵
- Executes dropped EXE
PID:3808 -
\??\c:\3thhnn.exec:\3thhnn.exe30⤵
- Executes dropped EXE
PID:3004 -
\??\c:\rllfxrr.exec:\rllfxrr.exe31⤵
- Executes dropped EXE
PID:3000 -
\??\c:\flrllff.exec:\flrllff.exe32⤵
- Executes dropped EXE
PID:3380 -
\??\c:\lffxrxr.exec:\lffxrxr.exe33⤵
- Executes dropped EXE
PID:2752 -
\??\c:\vjppj.exec:\vjppj.exe34⤵
- Executes dropped EXE
PID:3408 -
\??\c:\3jdvv.exec:\3jdvv.exe35⤵
- Executes dropped EXE
PID:1540 -
\??\c:\1lrrlxr.exec:\1lrrlxr.exe36⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nhnnhh.exec:\nhnnhh.exe37⤵
- Executes dropped EXE
PID:3872 -
\??\c:\pdjpv.exec:\pdjpv.exe38⤵
- Executes dropped EXE
PID:2912 -
\??\c:\xrrfxxx.exec:\xrrfxxx.exe39⤵
- Executes dropped EXE
PID:4760 -
\??\c:\xrfxxrr.exec:\xrfxxrr.exe40⤵
- Executes dropped EXE
PID:4804 -
\??\c:\btbnnn.exec:\btbnnn.exe41⤵
- Executes dropped EXE
PID:1568 -
\??\c:\dvjvj.exec:\dvjvj.exe42⤵
- Executes dropped EXE
PID:4316 -
\??\c:\jdjvv.exec:\jdjvv.exe43⤵
- Executes dropped EXE
PID:4304 -
\??\c:\rfxxlll.exec:\rfxxlll.exe44⤵
- Executes dropped EXE
PID:4860 -
\??\c:\ttbhnn.exec:\ttbhnn.exe45⤵
- Executes dropped EXE
PID:3124 -
\??\c:\vpdvd.exec:\vpdvd.exe46⤵
- Executes dropped EXE
PID:5016 -
\??\c:\lflffff.exec:\lflffff.exe47⤵
- Executes dropped EXE
PID:4532 -
\??\c:\xfxfllr.exec:\xfxfllr.exe48⤵
- Executes dropped EXE
PID:1264 -
\??\c:\tbnttt.exec:\tbnttt.exe49⤵
- Executes dropped EXE
PID:4340 -
\??\c:\ppvvv.exec:\ppvvv.exe50⤵
- Executes dropped EXE
PID:4840 -
\??\c:\pjpjj.exec:\pjpjj.exe51⤵
- Executes dropped EXE
PID:5028 -
\??\c:\rfxrxxx.exec:\rfxrxxx.exe52⤵
- Executes dropped EXE
PID:3016 -
\??\c:\1tbtnt.exec:\1tbtnt.exe53⤵
- Executes dropped EXE
PID:1616 -
\??\c:\3jppj.exec:\3jppj.exe54⤵
- Executes dropped EXE
PID:1508 -
\??\c:\rxlfxxx.exec:\rxlfxxx.exe55⤵
- Executes dropped EXE
PID:3020 -
\??\c:\hbnnhh.exec:\hbnnhh.exe56⤵
- Executes dropped EXE
PID:4432 -
\??\c:\dvdvp.exec:\dvdvp.exe57⤵
- Executes dropped EXE
PID:1108 -
\??\c:\lfxrxxf.exec:\lfxrxxf.exe58⤵
- Executes dropped EXE
PID:1008 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe59⤵
- Executes dropped EXE
PID:3052 -
\??\c:\ttttnn.exec:\ttttnn.exe60⤵
- Executes dropped EXE
PID:1964 -
\??\c:\jdjjp.exec:\jdjjp.exe61⤵
- Executes dropped EXE
PID:2368 -
\??\c:\lfrrxfl.exec:\lfrrxfl.exe62⤵
- Executes dropped EXE
PID:3060 -
\??\c:\bnttnn.exec:\bnttnn.exe63⤵
- Executes dropped EXE
PID:3572 -
\??\c:\djjjd.exec:\djjjd.exe64⤵
- Executes dropped EXE
PID:1596 -
\??\c:\rxfrxrl.exec:\rxfrxrl.exe65⤵
- Executes dropped EXE
PID:2600 -
\??\c:\flrfxrl.exec:\flrfxrl.exe66⤵PID:4700
-
\??\c:\thtttt.exec:\thtttt.exe67⤵PID:4160
-
\??\c:\jdddp.exec:\jdddp.exe68⤵PID:4276
-
\??\c:\jddvp.exec:\jddvp.exe69⤵PID:4848
-
\??\c:\rxfxrrf.exec:\rxfxrrf.exe70⤵PID:848
-
\??\c:\thnhbb.exec:\thnhbb.exe71⤵PID:3948
-
\??\c:\pvvvp.exec:\pvvvp.exe72⤵PID:2760
-
\??\c:\xxfrfrl.exec:\xxfrfrl.exe73⤵PID:4892
-
\??\c:\fxxrlxr.exec:\fxxrlxr.exe74⤵PID:2484
-
\??\c:\nhhbtn.exec:\nhhbtn.exe75⤵PID:1760
-
\??\c:\jpvjj.exec:\jpvjj.exe76⤵PID:1104
-
\??\c:\fxxrffx.exec:\fxxrffx.exe77⤵PID:2976
-
\??\c:\rlrlfff.exec:\rlrlfff.exe78⤵PID:1468
-
\??\c:\tttnnn.exec:\tttnnn.exe79⤵PID:2892
-
\??\c:\jdpjp.exec:\jdpjp.exe80⤵PID:2380
-
\??\c:\jpjvp.exec:\jpjvp.exe81⤵PID:4996
-
\??\c:\fxfxlll.exec:\fxfxlll.exe82⤵PID:4944
-
\??\c:\nnttbb.exec:\nnttbb.exe83⤵PID:1492
-
\??\c:\dvdvp.exec:\dvdvp.exe84⤵PID:3492
-
\??\c:\jppjj.exec:\jppjj.exe85⤵PID:3584
-
\??\c:\nnntth.exec:\nnntth.exe86⤵PID:1500
-
\??\c:\nhhbtb.exec:\nhhbtb.exe87⤵PID:2820
-
\??\c:\3pvpj.exec:\3pvpj.exe88⤵PID:4904
-
\??\c:\pjpvp.exec:\pjpvp.exe89⤵PID:916
-
\??\c:\fxxrllr.exec:\fxxrllr.exe90⤵PID:2612
-
\??\c:\thhbbh.exec:\thhbbh.exe91⤵PID:1824
-
\??\c:\thnthh.exec:\thnthh.exe92⤵PID:972
-
\??\c:\dppdp.exec:\dppdp.exe93⤵PID:212
-
\??\c:\lrrfxlf.exec:\lrrfxlf.exe94⤵PID:920
-
\??\c:\rrrrlff.exec:\rrrrlff.exe95⤵PID:4516
-
\??\c:\5nhtbn.exec:\5nhtbn.exe96⤵PID:64
-
\??\c:\jvdvv.exec:\jvdvv.exe97⤵PID:4916
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe98⤵PID:316
-
\??\c:\1bhbhh.exec:\1bhbhh.exe99⤵PID:3624
-
\??\c:\3jdpd.exec:\3jdpd.exe100⤵PID:2364
-
\??\c:\rffrfrr.exec:\rffrfrr.exe101⤵PID:2000
-
\??\c:\9ttnhn.exec:\9ttnhn.exe102⤵PID:996
-
\??\c:\7hnbtn.exec:\7hnbtn.exe103⤵PID:1076
-
\??\c:\3xfxllf.exec:\3xfxllf.exe104⤵PID:2664
-
\??\c:\1llfxxr.exec:\1llfxxr.exe105⤵PID:1420
-
\??\c:\hhbbtt.exec:\hhbbtt.exe106⤵PID:4840
-
\??\c:\dvjpj.exec:\dvjpj.exe107⤵PID:1180
-
\??\c:\rffrfxr.exec:\rffrfxr.exe108⤵PID:1984
-
\??\c:\nhhttn.exec:\nhhttn.exe109⤵PID:1716
-
\??\c:\ttbthb.exec:\ttbthb.exe110⤵PID:1644
-
\??\c:\pvdpj.exec:\pvdpj.exe111⤵PID:5080
-
\??\c:\xlrlxxx.exec:\xlrlxxx.exe112⤵PID:1668
-
\??\c:\hntnhh.exec:\hntnhh.exe113⤵PID:3020
-
\??\c:\vdjvv.exec:\vdjvv.exe114⤵PID:4432
-
\??\c:\dpvpd.exec:\dpvpd.exe115⤵PID:1108
-
\??\c:\frrlxrl.exec:\frrlxrl.exe116⤵PID:3340
-
\??\c:\tbbtnh.exec:\tbbtnh.exe117⤵PID:2124
-
\??\c:\jdvpd.exec:\jdvpd.exe118⤵PID:3052
-
\??\c:\dpdvp.exec:\dpdvp.exe119⤵PID:1964
-
\??\c:\xrxrllf.exec:\xrxrllf.exe120⤵PID:4900
-
\??\c:\httnbb.exec:\httnbb.exe121⤵PID:3608
-
\??\c:\dvpjj.exec:\dvpjj.exe122⤵PID:3568