Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
20/08/2024, 00:14
Behavioral task
behavioral1
Sample
8767eda49d4a734c63532eafaf610910N.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
8767eda49d4a734c63532eafaf610910N.exe
-
Size
489KB
-
MD5
8767eda49d4a734c63532eafaf610910
-
SHA1
2d76e48dc6aca1252f2bb4b932216a9079307d0f
-
SHA256
83a72aa7f397050450f28fbfdf1876a14debd0f99da05644a48031992ed47ae8
-
SHA512
d24d11a3d47af9d4676967c9635d3c600b4078737e737543360becd4310b899fa72dd9664631780cf851fb9ef59d0c44556c3ab6758595e5aacb87e1e4df3c67
-
SSDEEP
6144:xcm4FmowdHoSkhraHcpOFltH4t+IDvSXrh5g8hZTydOAkOCOu0EajNVBZr6y2WXl:74wFHoSceFp3IDvSbh5nP+aiX
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1776-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5104-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1692-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-1257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-1421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-1449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3876 ffrllfx.exe 4328 hhnhtn.exe 740 xxfxxrr.exe 3928 vjdvv.exe 1448 hthtbh.exe 3488 jvpdp.exe 4672 lxfrrff.exe 4136 hbthtn.exe 2764 rffrfrf.exe 456 bbbbtb.exe 516 5ffrxrx.exe 1744 3nbtnn.exe 4444 djjvp.exe 4772 hntbnh.exe 4900 jvpdp.exe 4060 1xxlfxr.exe 4856 nbbnnb.exe 1700 9xfxfxf.exe 1496 bnnnhh.exe 1184 1jdvd.exe 4928 htnbtt.exe 392 7ppdv.exe 2428 vpvpp.exe 2044 flxrfll.exe 1360 ttbbbb.exe 5104 pdjdp.exe 2248 hhthth.exe 5092 5djvd.exe 1032 lrfxlll.exe 1792 3jjjd.exe 3744 5pvpp.exe 2724 bttnhb.exe 868 rrxlfxl.exe 1256 htbtnn.exe 1428 dvvpd.exe 5068 5djpd.exe 924 rlxlxxf.exe 216 thhnhb.exe 4384 pvjpj.exe 3700 xllfrrl.exe 3476 1tthnn.exe 2896 dpvpj.exe 4980 5flffrl.exe 1280 xxlfxxl.exe 4488 3bhbtt.exe 1272 vjpdv.exe 3188 rffrlff.exe 3488 bnhbbb.exe 1544 9jvvp.exe 1232 9llrllr.exe 1708 htbtnn.exe 456 pjvvv.exe 2092 3ddvd.exe 3424 rrfxxxf.exe 4684 bnnnnh.exe 396 dddjp.exe 4852 fxxxxxx.exe 632 lxflrll.exe 4008 nbbttn.exe 1620 ppdvp.exe 2832 dvvpd.exe 4132 flxxllf.exe 3156 hntbtt.exe 2200 vddpj.exe -
resource yara_rule behavioral2/memory/1776-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0009000000023423-3.dat upx behavioral2/memory/1776-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023483-10.dat upx behavioral2/files/0x0007000000023487-13.dat upx behavioral2/memory/4328-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023488-21.dat upx behavioral2/memory/740-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348a-27.dat upx behavioral2/memory/3928-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348b-35.dat upx behavioral2/memory/1448-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348c-40.dat upx behavioral2/memory/3488-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348d-47.dat upx behavioral2/memory/4136-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348e-52.dat upx behavioral2/memory/2764-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348f-57.dat upx behavioral2/files/0x0007000000023490-63.dat upx behavioral2/files/0x0007000000023491-68.dat upx behavioral2/memory/516-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023492-74.dat upx behavioral2/memory/1744-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023493-80.dat upx behavioral2/files/0x000700000002348b-86.dat upx behavioral2/memory/4772-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023484-92.dat upx 
behavioral2/memory/4900-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023494-100.dat upx behavioral2/memory/4060-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023496-104.dat upx behavioral2/memory/4856-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023497-113.dat upx behavioral2/memory/1700-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023498-118.dat upx behavioral2/files/0x0007000000023499-122.dat upx behavioral2/memory/1184-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002349a-128.dat upx behavioral2/memory/392-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002349b-135.dat upx behavioral2/files/0x000700000002349c-140.dat upx behavioral2/files/0x000700000002349d-145.dat upx behavioral2/memory/1360-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002349e-152.dat upx behavioral2/memory/2044-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002349f-157.dat upx behavioral2/memory/5104-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x00070000000234a0-162.dat upx behavioral2/memory/5092-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x00070000000234a1-170.dat upx behavioral2/files/0x00070000000234a2-176.dat upx behavioral2/memory/1792-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x00070000000234a3-182.dat upx behavioral2/memory/1032-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x00070000000234a4-186.dat upx behavioral2/memory/3744-189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/868-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-197-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1776 wrote to memory of 3876 1776 8767eda49d4a734c63532eafaf610910N.exe 84 PID 1776 wrote to memory of 3876 1776 8767eda49d4a734c63532eafaf610910N.exe 84 PID 1776 wrote to memory of 3876 1776 8767eda49d4a734c63532eafaf610910N.exe 84 PID 3876 wrote to memory of 4328 3876 ffrllfx.exe 85 PID 3876 wrote to memory of 4328 3876 ffrllfx.exe 85 PID 3876 wrote to memory of 4328 3876 ffrllfx.exe 85 PID 4328 wrote to memory of 740 4328 hhnhtn.exe 86 PID 4328 wrote to memory of 740 4328 hhnhtn.exe 86 PID 4328 wrote to memory of 740 4328 hhnhtn.exe 86 PID 740 wrote to memory of 3928 740 xxfxxrr.exe 87 PID 740 wrote to memory of 3928 740 xxfxxrr.exe 87 PID 740 wrote to memory of 3928 740 xxfxxrr.exe 87 PID 3928 wrote to memory of 1448 3928 vjdvv.exe 88 PID 3928 wrote to memory of 1448 3928 vjdvv.exe 88 PID 3928 wrote to memory of 1448 3928 vjdvv.exe 88 PID 1448 wrote to memory of 3488 1448 hthtbh.exe 89 PID 1448 wrote to memory of 3488 1448 hthtbh.exe 89 PID 1448 wrote to memory of 3488 1448 hthtbh.exe 89 PID 3488 wrote to memory of 4672 3488 jvpdp.exe 90 PID 3488 wrote to memory of 4672 3488 jvpdp.exe 90 PID 3488 wrote to memory of 4672 3488 jvpdp.exe 90 PID 4672 wrote to memory of 4136 4672 lxfrrff.exe 91 PID 4672 wrote to memory of 4136 4672 lxfrrff.exe 91 PID 4672 wrote to memory of 4136 4672 lxfrrff.exe 91 PID 4136 wrote to memory of 2764 4136 hbthtn.exe 92 PID 4136 wrote to memory of 2764 4136 hbthtn.exe 92 PID 4136 wrote to memory of 2764 4136 hbthtn.exe 92 PID 2764 wrote to memory of 456 2764 rffrfrf.exe 94 PID 2764 wrote to memory of 456 2764 rffrfrf.exe 94 PID 2764 wrote to memory of 456 2764 rffrfrf.exe 94 PID 456 wrote to memory of 516 456 bbbbtb.exe 95 PID 456 wrote to memory of 516 456 bbbbtb.exe 95 PID 456 wrote to memory of 516 456 bbbbtb.exe 95 PID 516 wrote to memory of 1744 516 5ffrxrx.exe 96 PID 516 wrote to memory of 1744 516 5ffrxrx.exe 96 PID 516 wrote to memory of 1744 516 5ffrxrx.exe 96 PID 1744 wrote to memory 
of 4444 1744 3nbtnn.exe 98 PID 1744 wrote to memory of 4444 1744 3nbtnn.exe 98 PID 1744 wrote to memory of 4444 1744 3nbtnn.exe 98 PID 4444 wrote to memory of 4772 4444 djjvp.exe 99 PID 4444 wrote to memory of 4772 4444 djjvp.exe 99 PID 4444 wrote to memory of 4772 4444 djjvp.exe 99 PID 4772 wrote to memory of 4900 4772 hntbnh.exe 100 PID 4772 wrote to memory of 4900 4772 hntbnh.exe 100 PID 4772 wrote to memory of 4900 4772 hntbnh.exe 100 PID 4900 wrote to memory of 4060 4900 jvpdp.exe 101 PID 4900 wrote to memory of 4060 4900 jvpdp.exe 101 PID 4900 wrote to memory of 4060 4900 jvpdp.exe 101 PID 4060 wrote to memory of 4856 4060 1xxlfxr.exe 103 PID 4060 wrote to memory of 4856 4060 1xxlfxr.exe 103 PID 4060 wrote to memory of 4856 4060 1xxlfxr.exe 103 PID 4856 wrote to memory of 1700 4856 nbbnnb.exe 104 PID 4856 wrote to memory of 1700 4856 nbbnnb.exe 104 PID 4856 wrote to memory of 1700 4856 nbbnnb.exe 104 PID 1700 wrote to memory of 1496 1700 9xfxfxf.exe 105 PID 1700 wrote to memory of 1496 1700 9xfxfxf.exe 105 PID 1700 wrote to memory of 1496 1700 9xfxfxf.exe 105 PID 1496 wrote to memory of 1184 1496 bnnnhh.exe 106 PID 1496 wrote to memory of 1184 1496 bnnnhh.exe 106 PID 1496 wrote to memory of 1184 1496 bnnnhh.exe 106 PID 1184 wrote to memory of 4928 1184 1jdvd.exe 107 PID 1184 wrote to memory of 4928 1184 1jdvd.exe 107 PID 1184 wrote to memory of 4928 1184 1jdvd.exe 107 PID 4928 wrote to memory of 392 4928 htnbtt.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\8767eda49d4a734c63532eafaf610910N.exe"C:\Users\Admin\AppData\Local\Temp\8767eda49d4a734c63532eafaf610910N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\ffrllfx.exec:\ffrllfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\hhnhtn.exec:\hhnhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\xxfxxrr.exec:\xxfxxrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\vjdvv.exec:\vjdvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\hthtbh.exec:\hthtbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\jvpdp.exec:\jvpdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\lxfrrff.exec:\lxfrrff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\hbthtn.exec:\hbthtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\rffrfrf.exec:\rffrfrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\bbbbtb.exec:\bbbbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\5ffrxrx.exec:\5ffrxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\3nbtnn.exec:\3nbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\djjvp.exec:\djjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\hntbnh.exec:\hntbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\jvpdp.exec:\jvpdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\1xxlfxr.exec:\1xxlfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\nbbnnb.exec:\nbbnnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\9xfxfxf.exec:\9xfxfxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\bnnnhh.exec:\bnnnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\1jdvd.exec:\1jdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\htnbtt.exec:\htnbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\7ppdv.exec:\7ppdv.exe23⤵
- Executes dropped EXE
PID:392 -
\??\c:\vpvpp.exec:\vpvpp.exe24⤵
- Executes dropped EXE
PID:2428 -
\??\c:\flxrfll.exec:\flxrfll.exe25⤵
- Executes dropped EXE
PID:2044 -
\??\c:\ttbbbb.exec:\ttbbbb.exe26⤵
- Executes dropped EXE
PID:1360 -
\??\c:\pdjdp.exec:\pdjdp.exe27⤵
- Executes dropped EXE
PID:5104 -
\??\c:\hhthth.exec:\hhthth.exe28⤵
- Executes dropped EXE
PID:2248 -
\??\c:\5djvd.exec:\5djvd.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5092 -
\??\c:\lrfxlll.exec:\lrfxlll.exe30⤵
- Executes dropped EXE
PID:1032 -
\??\c:\3jjjd.exec:\3jjjd.exe31⤵
- Executes dropped EXE
PID:1792 -
\??\c:\5pvpp.exec:\5pvpp.exe32⤵
- Executes dropped EXE
PID:3744 -
\??\c:\bttnhb.exec:\bttnhb.exe33⤵
- Executes dropped EXE
PID:2724 -
\??\c:\rrxlfxl.exec:\rrxlfxl.exe34⤵
- Executes dropped EXE
PID:868 -
\??\c:\htbtnn.exec:\htbtnn.exe35⤵
- Executes dropped EXE
PID:1256 -
\??\c:\dvvpd.exec:\dvvpd.exe36⤵
- Executes dropped EXE
PID:1428 -
\??\c:\5djpd.exec:\5djpd.exe37⤵
- Executes dropped EXE
PID:5068 -
\??\c:\rlxlxxf.exec:\rlxlxxf.exe38⤵
- Executes dropped EXE
PID:924 -
\??\c:\thhnhb.exec:\thhnhb.exe39⤵
- Executes dropped EXE
PID:216 -
\??\c:\pvjpj.exec:\pvjpj.exe40⤵
- Executes dropped EXE
PID:4384 -
\??\c:\xllfrrl.exec:\xllfrrl.exe41⤵
- Executes dropped EXE
PID:3700 -
\??\c:\1tthnn.exec:\1tthnn.exe42⤵
- Executes dropped EXE
PID:3476 -
\??\c:\dpvpj.exec:\dpvpj.exe43⤵
- Executes dropped EXE
PID:2896 -
\??\c:\5flffrl.exec:\5flffrl.exe44⤵
- Executes dropped EXE
PID:4980 -
\??\c:\xxlfxxl.exec:\xxlfxxl.exe45⤵
- Executes dropped EXE
PID:1280 -
\??\c:\3bhbtt.exec:\3bhbtt.exe46⤵
- Executes dropped EXE
PID:4488 -
\??\c:\vjpdv.exec:\vjpdv.exe47⤵
- Executes dropped EXE
PID:1272 -
\??\c:\rffrlff.exec:\rffrlff.exe48⤵
- Executes dropped EXE
PID:3188 -
\??\c:\bnhbbb.exec:\bnhbbb.exe49⤵
- Executes dropped EXE
PID:3488 -
\??\c:\9jvvp.exec:\9jvvp.exe50⤵
- Executes dropped EXE
PID:1544 -
\??\c:\9llrllr.exec:\9llrllr.exe51⤵
- Executes dropped EXE
PID:1232 -
\??\c:\htbtnn.exec:\htbtnn.exe52⤵
- Executes dropped EXE
PID:1708 -
\??\c:\pjvvv.exec:\pjvvv.exe53⤵
- Executes dropped EXE
PID:456 -
\??\c:\3ddvd.exec:\3ddvd.exe54⤵
- Executes dropped EXE
PID:2092 -
\??\c:\rrfxxxf.exec:\rrfxxxf.exe55⤵
- Executes dropped EXE
PID:3424 -
\??\c:\bnnnnh.exec:\bnnnnh.exe56⤵
- Executes dropped EXE
PID:4684 -
\??\c:\dddjp.exec:\dddjp.exe57⤵
- Executes dropped EXE
PID:396 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe58⤵
- Executes dropped EXE
PID:4852 -
\??\c:\lxflrll.exec:\lxflrll.exe59⤵
- Executes dropped EXE
PID:632 -
\??\c:\nbbttn.exec:\nbbttn.exe60⤵
- Executes dropped EXE
PID:4008 -
\??\c:\ppdvp.exec:\ppdvp.exe61⤵
- Executes dropped EXE
PID:1620 -
\??\c:\dvvpd.exec:\dvvpd.exe62⤵
- Executes dropped EXE
PID:2832 -
\??\c:\flxxllf.exec:\flxxllf.exe63⤵
- Executes dropped EXE
PID:4132 -
\??\c:\hntbtt.exec:\hntbtt.exe64⤵
- Executes dropped EXE
PID:3156 -
\??\c:\vddpj.exec:\vddpj.exe65⤵
- Executes dropped EXE
PID:2200 -
\??\c:\ppvjd.exec:\ppvjd.exe66⤵PID:2416
-
\??\c:\frfxllr.exec:\frfxllr.exe67⤵PID:4636
-
\??\c:\thnnhn.exec:\thnnhn.exe68⤵PID:4664
-
\??\c:\5jdvp.exec:\5jdvp.exe69⤵PID:1100
-
\??\c:\ppvpp.exec:\ppvpp.exe70⤵PID:3436
-
\??\c:\lllfxxx.exec:\lllfxxx.exe71⤵PID:4804
-
\??\c:\xfxrffx.exec:\xfxrffx.exe72⤵PID:2068
-
\??\c:\tbnhnh.exec:\tbnhnh.exe73⤵PID:1652
-
\??\c:\vvjjd.exec:\vvjjd.exe74⤵PID:4596
-
\??\c:\3rlxrlf.exec:\3rlxrlf.exe75⤵PID:1044
-
\??\c:\xfffrrl.exec:\xfffrrl.exe76⤵PID:1800
-
\??\c:\tnbntb.exec:\tnbntb.exe77⤵PID:1692
-
\??\c:\1ddvp.exec:\1ddvp.exe78⤵PID:1912
-
\??\c:\rfxllll.exec:\rfxllll.exe79⤵PID:3492
-
\??\c:\nnnnhh.exec:\nnnnhh.exe80⤵PID:4724
-
\??\c:\hhbttt.exec:\hhbttt.exe81⤵PID:2148
-
\??\c:\jddjp.exec:\jddjp.exe82⤵PID:444
-
\??\c:\rllfrxx.exec:\rllfrxx.exe83⤵PID:3756
-
\??\c:\httnbb.exec:\httnbb.exe84⤵
- System Location Discovery: System Language Discovery
PID:1216 -
\??\c:\nhbttt.exec:\nhbttt.exe85⤵PID:2468
-
\??\c:\hntnhn.exec:\hntnhn.exe86⤵PID:2956
-
\??\c:\5vvpj.exec:\5vvpj.exe87⤵PID:2088
-
\??\c:\fxllflf.exec:\fxllflf.exe88⤵PID:3068
-
\??\c:\7fxlxrf.exec:\7fxlxrf.exe89⤵PID:3260
-
\??\c:\nntttn.exec:\nntttn.exe90⤵PID:3532
-
\??\c:\pddpd.exec:\pddpd.exe91⤵PID:3992
-
\??\c:\llrflfr.exec:\llrflfr.exe92⤵PID:408
-
\??\c:\bttnhh.exec:\bttnhh.exe93⤵PID:4328
-
\??\c:\bbbnbt.exec:\bbbnbt.exe94⤵PID:4980
-
\??\c:\jpvdp.exec:\jpvdp.exe95⤵PID:4488
-
\??\c:\3rlxrlx.exec:\3rlxrlx.exe96⤵PID:4888
-
\??\c:\bnhtht.exec:\bnhtht.exe97⤵PID:3488
-
\??\c:\5bnhtt.exec:\5bnhtt.exe98⤵PID:180
-
\??\c:\dpjdv.exec:\dpjdv.exe99⤵PID:3160
-
\??\c:\dvvjv.exec:\dvvjv.exe100⤵PID:2512
-
\??\c:\lllxrlx.exec:\lllxrlx.exe101⤵PID:1180
-
\??\c:\bnhthb.exec:\bnhthb.exe102⤵PID:1080
-
\??\c:\jjdpd.exec:\jjdpd.exe103⤵PID:4156
-
\??\c:\jppdp.exec:\jppdp.exe104⤵PID:4128
-
\??\c:\flxlxrf.exec:\flxlxrf.exe105⤵PID:1680
-
\??\c:\tnhthb.exec:\tnhthb.exe106⤵PID:4084
-
\??\c:\vvvpv.exec:\vvvpv.exe107⤵PID:3728
-
\??\c:\xllfxxr.exec:\xllfxxr.exe108⤵
- System Location Discovery: System Language Discovery
PID:4060 -
\??\c:\7nnhtn.exec:\7nnhtn.exe109⤵PID:1228
-
\??\c:\hhbtnn.exec:\hhbtnn.exe110⤵PID:4576
-
\??\c:\pdvpp.exec:\pdvpp.exe111⤵PID:3584
-
\??\c:\lfrffrr.exec:\lfrffrr.exe112⤵PID:400
-
\??\c:\btbhtn.exec:\btbhtn.exe113⤵PID:1348
-
\??\c:\ppppj.exec:\ppppj.exe114⤵PID:4920
-
\??\c:\7xrlffr.exec:\7xrlffr.exe115⤵PID:1356
-
\??\c:\nbhbhb.exec:\nbhbhb.exe116⤵PID:744
-
\??\c:\5tthtt.exec:\5tthtt.exe117⤵PID:3224
-
\??\c:\lxxxfxr.exec:\lxxxfxr.exe118⤵PID:1360
-
\??\c:\rflffff.exec:\rflffff.exe119⤵PID:1608
-
\??\c:\nhnhbb.exec:\nhnhbb.exe120⤵PID:4252
-
\??\c:\3jdvj.exec:\3jdvj.exe121⤵PID:1812
-
\??\c:\ffxxxxf.exec:\ffxxxxf.exe122⤵PID:2248