Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
23/08/2024, 14:36
Behavioral task
behavioral1
Sample
503a2012d743dd9348298cd4a6cc4330N.exe
Resource
win7-20240704-en
6 signatures
120 seconds
General
-
Target
503a2012d743dd9348298cd4a6cc4330N.exe
-
Size
332KB
-
MD5
503a2012d743dd9348298cd4a6cc4330
-
SHA1
823593367b45c33a899a25926994b017606cea07
-
SHA256
9dbaacefe3e8e2cbe6407394fbb10bbfb18115776dfc5625ee96adf9a11a4e63
-
SHA512
14ef643a348ef9b6921e4bcf1c053f4f2b0518a2ec64ac521971f1dce691d83f10a1cc5325f339650d79b3033e577c6d2163cfee729422a3f50060e7c61b923a
-
SSDEEP
6144:9cm4FmowdHoS4BftapTs8Hoo+6MjTVhRDqzL:/4wFHoS4d0G8HoljTVhRDqzL
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1364-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/444-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2856-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1556-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2412-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/432-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2828-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/664-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2448-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2044-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2244-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2780-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1200-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/112-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1276-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/920-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1620-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3960-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3972-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2460-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1288-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1304-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2056-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2200-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-593-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-686-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-740-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-775-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2928-835-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-1007-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-1086-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2992-1231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4288-1888-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 444 thhhtt.exe 3024 djvpj.exe 2368 lfxxrrl.exe 1608 nnbthh.exe 2856 jvvvp.exe 3056 1vvjv.exe 1556 xrrlffx.exe 2412 nhbtbn.exe 1292 rxrlflf.exe 2068 btbttn.exe 4616 9lxrlfx.exe 4700 tthbtt.exe 4252 vvdvp.exe 432 xxrlxrx.exe 4932 tthtnn.exe 3476 7djdp.exe 4608 lxrrffl.exe 1152 xffxrlf.exe 3852 hhhbtt.exe 2828 vjvpj.exe 664 5rfxlxl.exe 392 ddjpp.exe 2044 ffflrff.exe 3884 pvdpj.exe 2448 9dddv.exe 760 xllxxrf.exe 2244 ppvpv.exe 1296 hnnnbb.exe 1640 vjdvj.exe 1192 lrxrlfx.exe 3532 vjddd.exe 2252 djjvj.exe 5088 xrrlfxr.exe 4088 bbbtnh.exe 1008 9bbnhh.exe 2704 pjjdp.exe 2780 xlxllfl.exe 3964 bbhnbn.exe 2800 vvjjj.exe 3196 vjjdp.exe 4984 rrlfxrr.exe 1200 nbhbnb.exe 1452 pvpdv.exe 3448 llfxfxf.exe 4680 lfrlrlr.exe 4316 nhhbhb.exe 3936 djvpj.exe 2268 1rrllfx.exe 4972 tbhhhh.exe 112 hbbthh.exe 1276 ddvjd.exe 2660 3flfxxr.exe 4292 hbbnnh.exe 5104 1dpdv.exe 808 ddvpd.exe 1080 xlrlxfx.exe 920 htbhhn.exe 4956 ttbtnn.exe 432 pjjdv.exe 696 lfffrrl.exe 3912 xffrllf.exe 3692 ttbbhb.exe 1620 vpdvd.exe 3960 dvvvp.exe -
resource yara_rule behavioral2/memory/1364-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00090000000233d9-3.dat upx behavioral2/memory/1364-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002343d-10.dat upx behavioral2/memory/444-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002343e-12.dat upx behavioral2/memory/2368-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002343f-21.dat upx behavioral2/files/0x0007000000023440-26.dat upx behavioral2/files/0x0007000000023441-34.dat upx behavioral2/files/0x0007000000023442-40.dat upx behavioral2/memory/1556-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3056-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1608-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2856-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3024-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1556-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023443-45.dat upx behavioral2/files/0x0007000000023444-50.dat upx behavioral2/memory/2412-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023445-55.dat upx behavioral2/memory/1292-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023446-60.dat upx behavioral2/memory/2068-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023447-66.dat upx behavioral2/memory/4616-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023448-74.dat upx behavioral2/memory/4700-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023449-78.dat upx behavioral2/memory/4252-80-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000700000002344a-84.dat upx behavioral2/memory/432-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344b-91.dat upx behavioral2/files/0x000700000002344c-97.dat upx behavioral2/memory/4608-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4932-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000800000002343a-102.dat upx behavioral2/memory/4608-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344d-108.dat upx behavioral2/files/0x000700000002344f-119.dat upx behavioral2/memory/2828-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344e-115.dat upx behavioral2/files/0x0007000000023450-125.dat upx behavioral2/memory/664-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/392-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023451-131.dat upx behavioral2/files/0x0007000000023452-137.dat upx behavioral2/files/0x0007000000023453-143.dat upx behavioral2/memory/2448-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2044-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023454-148.dat upx behavioral2/files/0x0007000000023455-153.dat upx behavioral2/memory/760-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2244-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023456-161.dat upx behavioral2/files/0x0007000000023457-166.dat upx behavioral2/files/0x0007000000023458-171.dat upx behavioral2/files/0x0007000000023459-176.dat upx behavioral2/memory/2252-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5088-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3532-186-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4088-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002345a-181.dat upx behavioral2/memory/2704-202-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1364 wrote to memory of 444 1364 503a2012d743dd9348298cd4a6cc4330N.exe 84 PID 1364 wrote to memory of 444 1364 503a2012d743dd9348298cd4a6cc4330N.exe 84 PID 1364 wrote to memory of 444 1364 503a2012d743dd9348298cd4a6cc4330N.exe 84 PID 444 wrote to memory of 3024 444 thhhtt.exe 85 PID 444 wrote to memory of 3024 444 thhhtt.exe 85 PID 444 wrote to memory of 3024 444 thhhtt.exe 85 PID 3024 wrote to memory of 2368 3024 djvpj.exe 86 PID 3024 wrote to memory of 2368 3024 djvpj.exe 86 PID 3024 wrote to memory of 2368 3024 djvpj.exe 86 PID 2368 wrote to memory of 1608 2368 lfxxrrl.exe 87 PID 2368 wrote to memory of 1608 2368 lfxxrrl.exe 87 PID 2368 wrote to memory of 1608 2368 lfxxrrl.exe 87 PID 1608 wrote to memory of 2856 1608 nnbthh.exe 88 PID 1608 wrote to memory of 2856 1608 nnbthh.exe 88 PID 1608 wrote to memory of 2856 1608 nnbthh.exe 88 PID 2856 wrote to memory of 3056 2856 jvvvp.exe 89 PID 2856 wrote to memory of 3056 2856 jvvvp.exe 89 PID 2856 wrote to memory of 3056 2856 jvvvp.exe 89 PID 3056 wrote to memory of 1556 3056 1vvjv.exe 90 PID 3056 wrote to memory of 1556 3056 1vvjv.exe 90 PID 3056 wrote to memory of 1556 3056 1vvjv.exe 90 PID 1556 wrote to memory of 2412 1556 xrrlffx.exe 91 PID 1556 wrote to memory of 2412 1556 xrrlffx.exe 91 PID 1556 wrote to memory of 2412 1556 xrrlffx.exe 91 PID 2412 wrote to memory of 1292 2412 nhbtbn.exe 92 PID 2412 wrote to memory of 1292 2412 nhbtbn.exe 92 PID 2412 wrote to memory of 1292 2412 nhbtbn.exe 92 PID 1292 wrote to memory of 2068 1292 rxrlflf.exe 94 PID 1292 wrote to memory of 2068 1292 rxrlflf.exe 94 PID 1292 wrote to memory of 2068 1292 rxrlflf.exe 94 PID 2068 wrote to memory of 4616 2068 btbttn.exe 95 PID 2068 wrote to memory of 4616 2068 btbttn.exe 95 PID 2068 wrote to memory of 4616 2068 btbttn.exe 95 PID 4616 wrote to memory of 4700 4616 9lxrlfx.exe 96 PID 4616 wrote to memory of 4700 4616 9lxrlfx.exe 96 PID 4616 wrote to memory of 4700 4616 9lxrlfx.exe 96 PID 4700 wrote 
to memory of 4252 4700 tthbtt.exe 97 PID 4700 wrote to memory of 4252 4700 tthbtt.exe 97 PID 4700 wrote to memory of 4252 4700 tthbtt.exe 97 PID 4252 wrote to memory of 432 4252 vvdvp.exe 99 PID 4252 wrote to memory of 432 4252 vvdvp.exe 99 PID 4252 wrote to memory of 432 4252 vvdvp.exe 99 PID 432 wrote to memory of 4932 432 xxrlxrx.exe 100 PID 432 wrote to memory of 4932 432 xxrlxrx.exe 100 PID 432 wrote to memory of 4932 432 xxrlxrx.exe 100 PID 4932 wrote to memory of 3476 4932 tthtnn.exe 101 PID 4932 wrote to memory of 3476 4932 tthtnn.exe 101 PID 4932 wrote to memory of 3476 4932 tthtnn.exe 101 PID 3476 wrote to memory of 4608 3476 7djdp.exe 102 PID 3476 wrote to memory of 4608 3476 7djdp.exe 102 PID 3476 wrote to memory of 4608 3476 7djdp.exe 102 PID 4608 wrote to memory of 1152 4608 lxrrffl.exe 103 PID 4608 wrote to memory of 1152 4608 lxrrffl.exe 103 PID 4608 wrote to memory of 1152 4608 lxrrffl.exe 103 PID 1152 wrote to memory of 3852 1152 xffxrlf.exe 104 PID 1152 wrote to memory of 3852 1152 xffxrlf.exe 104 PID 1152 wrote to memory of 3852 1152 xffxrlf.exe 104 PID 3852 wrote to memory of 2828 3852 hhhbtt.exe 105 PID 3852 wrote to memory of 2828 3852 hhhbtt.exe 105 PID 3852 wrote to memory of 2828 3852 hhhbtt.exe 105 PID 2828 wrote to memory of 664 2828 vjvpj.exe 107 PID 2828 wrote to memory of 664 2828 vjvpj.exe 107 PID 2828 wrote to memory of 664 2828 vjvpj.exe 107 PID 664 wrote to memory of 392 664 5rfxlxl.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\503a2012d743dd9348298cd4a6cc4330N.exe"C:\Users\Admin\AppData\Local\Temp\503a2012d743dd9348298cd4a6cc4330N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\thhhtt.exec:\thhhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\djvpj.exec:\djvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\lfxxrrl.exec:\lfxxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\nnbthh.exec:\nnbthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\jvvvp.exec:\jvvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\1vvjv.exec:\1vvjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\xrrlffx.exec:\xrrlffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\nhbtbn.exec:\nhbtbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\rxrlflf.exec:\rxrlflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\btbttn.exec:\btbttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\9lxrlfx.exec:\9lxrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\tthbtt.exec:\tthbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\vvdvp.exec:\vvdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\xxrlxrx.exec:\xxrlxrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\tthtnn.exec:\tthtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\7djdp.exec:\7djdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\lxrrffl.exec:\lxrrffl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\xffxrlf.exec:\xffxrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\hhhbtt.exec:\hhhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\vjvpj.exec:\vjvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\5rfxlxl.exec:\5rfxlxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\ddjpp.exec:\ddjpp.exe23⤵
- Executes dropped EXE
PID:392 -
\??\c:\ffflrff.exec:\ffflrff.exe24⤵
- Executes dropped EXE
PID:2044 -
\??\c:\pvdpj.exec:\pvdpj.exe25⤵
- Executes dropped EXE
PID:3884 -
\??\c:\9dddv.exec:\9dddv.exe26⤵
- Executes dropped EXE
PID:2448 -
\??\c:\xllxxrf.exec:\xllxxrf.exe27⤵
- Executes dropped EXE
PID:760 -
\??\c:\ppvpv.exec:\ppvpv.exe28⤵
- Executes dropped EXE
PID:2244 -
\??\c:\hnnnbb.exec:\hnnnbb.exe29⤵
- Executes dropped EXE
PID:1296 -
\??\c:\vjdvj.exec:\vjdvj.exe30⤵
- Executes dropped EXE
PID:1640 -
\??\c:\lrxrlfx.exec:\lrxrlfx.exe31⤵
- Executes dropped EXE
PID:1192 -
\??\c:\vjddd.exec:\vjddd.exe32⤵
- Executes dropped EXE
PID:3532 -
\??\c:\djjvj.exec:\djjvj.exe33⤵
- Executes dropped EXE
PID:2252 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe34⤵
- Executes dropped EXE
PID:5088 -
\??\c:\bbbtnh.exec:\bbbtnh.exe35⤵
- Executes dropped EXE
PID:4088 -
\??\c:\9bbnhh.exec:\9bbnhh.exe36⤵
- Executes dropped EXE
PID:1008 -
\??\c:\pjjdp.exec:\pjjdp.exe37⤵
- Executes dropped EXE
PID:2704 -
\??\c:\xlxllfl.exec:\xlxllfl.exe38⤵
- Executes dropped EXE
PID:2780 -
\??\c:\bbhnbn.exec:\bbhnbn.exe39⤵
- Executes dropped EXE
PID:3964 -
\??\c:\vvjjj.exec:\vvjjj.exe40⤵
- Executes dropped EXE
PID:2800 -
\??\c:\vjjdp.exec:\vjjdp.exe41⤵
- Executes dropped EXE
PID:3196 -
\??\c:\rrlfxrr.exec:\rrlfxrr.exe42⤵
- Executes dropped EXE
PID:4984 -
\??\c:\nbhbnb.exec:\nbhbnb.exe43⤵
- Executes dropped EXE
PID:1200 -
\??\c:\pvpdv.exec:\pvpdv.exe44⤵
- Executes dropped EXE
PID:1452 -
\??\c:\llfxfxf.exec:\llfxfxf.exe45⤵
- Executes dropped EXE
PID:3448 -
\??\c:\lfrlrlr.exec:\lfrlrlr.exe46⤵
- Executes dropped EXE
PID:4680 -
\??\c:\nhhbhb.exec:\nhhbhb.exe47⤵
- Executes dropped EXE
PID:4316 -
\??\c:\djvpj.exec:\djvpj.exe48⤵
- Executes dropped EXE
PID:3936 -
\??\c:\1rrllfx.exec:\1rrllfx.exe49⤵
- Executes dropped EXE
PID:2268 -
\??\c:\tbhhhh.exec:\tbhhhh.exe50⤵
- Executes dropped EXE
PID:4972 -
\??\c:\hbbthh.exec:\hbbthh.exe51⤵
- Executes dropped EXE
PID:112 -
\??\c:\ddvjd.exec:\ddvjd.exe52⤵
- Executes dropped EXE
PID:1276 -
\??\c:\3flfxxr.exec:\3flfxxr.exe53⤵
- Executes dropped EXE
PID:2660 -
\??\c:\hbbnnh.exec:\hbbnnh.exe54⤵
- Executes dropped EXE
PID:4292 -
\??\c:\1dpdv.exec:\1dpdv.exe55⤵
- Executes dropped EXE
PID:5104 -
\??\c:\ddvpd.exec:\ddvpd.exe56⤵
- Executes dropped EXE
PID:808 -
\??\c:\xlrlxfx.exec:\xlrlxfx.exe57⤵
- Executes dropped EXE
PID:1080 -
\??\c:\htbhhn.exec:\htbhhn.exe58⤵
- Executes dropped EXE
PID:920 -
\??\c:\ttbtnn.exec:\ttbtnn.exe59⤵
- Executes dropped EXE
PID:4956 -
\??\c:\pjjdv.exec:\pjjdv.exe60⤵
- Executes dropped EXE
PID:432 -
\??\c:\lfffrrl.exec:\lfffrrl.exe61⤵
- Executes dropped EXE
PID:696 -
\??\c:\xffrllf.exec:\xffrllf.exe62⤵
- Executes dropped EXE
PID:3912 -
\??\c:\ttbbhb.exec:\ttbbhb.exe63⤵
- Executes dropped EXE
PID:3692 -
\??\c:\vpdvd.exec:\vpdvd.exe64⤵
- Executes dropped EXE
PID:1620 -
\??\c:\dvvvp.exec:\dvvvp.exe65⤵
- Executes dropped EXE
PID:3960 -
\??\c:\lrlfrlx.exec:\lrlfrlx.exe66⤵PID:4564
-
\??\c:\nnttnb.exec:\nnttnb.exe67⤵PID:4456
-
\??\c:\vpvvp.exec:\vpvvp.exe68⤵PID:2292
-
\??\c:\vvddv.exec:\vvddv.exe69⤵PID:2492
-
\??\c:\7rlfrlf.exec:\7rlfrlf.exe70⤵PID:3932
-
\??\c:\fxlfffl.exec:\fxlfffl.exe71⤵PID:1432
-
\??\c:\nhhbtt.exec:\nhhbtt.exe72⤵PID:4844
-
\??\c:\5bhnbb.exec:\5bhnbb.exe73⤵PID:2132
-
\??\c:\pdpdv.exec:\pdpdv.exe74⤵PID:3972
-
\??\c:\frxrrff.exec:\frxrrff.exe75⤵PID:2460
-
\??\c:\1rrlfxr.exec:\1rrlfxr.exe76⤵PID:4992
-
\??\c:\7tbbbt.exec:\7tbbbt.exe77⤵PID:1288
-
\??\c:\hbnhnn.exec:\hbnhnn.exe78⤵PID:1304
-
\??\c:\vppjd.exec:\vppjd.exe79⤵PID:4916
-
\??\c:\3lrfrlx.exec:\3lrfrlx.exe80⤵PID:2608
-
\??\c:\tnbtnn.exec:\tnbtnn.exe81⤵PID:904
-
\??\c:\jjdpj.exec:\jjdpj.exe82⤵PID:3484
-
\??\c:\pvdpj.exec:\pvdpj.exe83⤵PID:1648
-
\??\c:\3xxrlrl.exec:\3xxrlrl.exe84⤵PID:3032
-
\??\c:\lrrrlff.exec:\lrrrlff.exe85⤵PID:5012
-
\??\c:\nbbttt.exec:\nbbttt.exe86⤵PID:2704
-
\??\c:\nbhbtn.exec:\nbhbtn.exe87⤵
- System Location Discovery: System Language Discovery
PID:1748 -
\??\c:\9jpjj.exec:\9jpjj.exe88⤵PID:3964
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe89⤵PID:2800
-
\??\c:\xrxrxxl.exec:\xrxrxxl.exe90⤵PID:4380
-
\??\c:\nhnbtt.exec:\nhnbtt.exe91⤵PID:2056
-
\??\c:\7pvpp.exec:\7pvpp.exe92⤵PID:4468
-
\??\c:\xlxrxfx.exec:\xlxrxfx.exe93⤵PID:4260
-
\??\c:\bhbbht.exec:\bhbbht.exe94⤵PID:4168
-
\??\c:\btthbb.exec:\btthbb.exe95⤵PID:3896
-
\??\c:\pvdvp.exec:\pvdvp.exe96⤵PID:4940
-
\??\c:\jjvpj.exec:\jjvpj.exe97⤵PID:2856
-
\??\c:\fxxxrxx.exec:\fxxxrxx.exe98⤵PID:4312
-
\??\c:\lflrllr.exec:\lflrllr.exe99⤵PID:3236
-
\??\c:\hhbtbb.exec:\hhbtbb.exe100⤵PID:5100
-
\??\c:\jpjdd.exec:\jpjdd.exe101⤵PID:1096
-
\??\c:\1ddvj.exec:\1ddvj.exe102⤵PID:2200
-
\??\c:\xxxxxrx.exec:\xxxxxrx.exe103⤵PID:4596
-
\??\c:\5ttnhh.exec:\5ttnhh.exe104⤵PID:3548
-
\??\c:\dpdvp.exec:\dpdvp.exe105⤵PID:1828
-
\??\c:\fffxxxr.exec:\fffxxxr.exe106⤵PID:2672
-
\??\c:\tbhbtn.exec:\tbhbtn.exe107⤵PID:3132
-
\??\c:\bbhhbb.exec:\bbhhbb.exe108⤵PID:3444
-
\??\c:\vpjvp.exec:\vpjvp.exe109⤵PID:920
-
\??\c:\frrlffx.exec:\frrlffx.exe110⤵PID:4956
-
\??\c:\xlxrlrx.exec:\xlxrlrx.exe111⤵PID:432
-
\??\c:\3ntnht.exec:\3ntnht.exe112⤵PID:3520
-
\??\c:\dpvjv.exec:\dpvjv.exe113⤵PID:948
-
\??\c:\dpvpj.exec:\dpvpj.exe114⤵PID:388
-
\??\c:\xxrllff.exec:\xxrllff.exe115⤵PID:2208
-
\??\c:\flrlxxr.exec:\flrlxxr.exe116⤵PID:3960
-
\??\c:\tnthnh.exec:\tnthnh.exe117⤵PID:2984
-
\??\c:\ntbbnn.exec:\ntbbnn.exe118⤵PID:4724
-
\??\c:\jjjdv.exec:\jjjdv.exe119⤵PID:3616
-
\??\c:\9djdp.exec:\9djdp.exe120⤵PID:2492
-
\??\c:\rlrlrll.exec:\rlrlrll.exe121⤵PID:4244
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe122⤵
- System Location Discovery: System Language Discovery
PID:392