Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/09/2024, 02:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d04a7d6a013f85ff818557b5fe153de9fce375cb3035c2334a04cdc144a78f7aN.exe
Resource
win7-20240729-en
6 signatures
150 seconds
General
-
Target
d04a7d6a013f85ff818557b5fe153de9fce375cb3035c2334a04cdc144a78f7aN.exe
-
Size
452KB
-
MD5
6b3bde61621b4d94bdd7c13bbbcfe400
-
SHA1
a0929f33476cb5df9fdc24df04e1cb587c131758
-
SHA256
d04a7d6a013f85ff818557b5fe153de9fce375cb3035c2334a04cdc144a78f7a
-
SHA512
e3d7fcff6b73762c29877eb9230a24b4b9a10fc0d2b8ecaec5ed225db4deea5bec5daee6fbcb427de869a69b4c3a0efbe0afd783b5b38d06f927aaee71bf9351
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2084-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4864-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3668-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-889-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-1279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5004-1459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2860 xxxrrrf.exe 2104 nhtbnt.exe 1408 ddvvp.exe 3656 vvjjj.exe 3292 7hbtnn.exe 1104 dvpjv.exe 2108 pjjdv.exe 4948 xxfrrll.exe 2628 9tbthh.exe 2636 jpdvd.exe 3756 nhtntt.exe 3084 dpjjd.exe 232 fffrrlx.exe 4828 tthhtb.exe 5080 ddpvv.exe 4000 lxrrrxr.exe 1832 xlrrxxf.exe 3044 tttntn.exe 4152 dvppd.exe 716 ffxxllr.exe 2576 hhbtnh.exe 1328 3hbtnt.exe 1224 vvvjd.exe 5096 rlrllll.exe 1916 xxfxffx.exe 1972 nhtnhn.exe 3664 vjvpj.exe 4372 bhhbtn.exe 1600 5xxlxxr.exe 4656 fllfxxr.exe 2248 3tbbhb.exe 3828 pjpjp.exe 4164 lxxrffx.exe 1236 9bhnnn.exe 1940 nhtnbt.exe 2056 vjpdd.exe 1540 rrfxfxl.exe 5052 xrrlfrl.exe 4820 thbbhh.exe 1900 jppjv.exe 3376 1rrfxll.exe 2512 hbhbtt.exe 4428 5dpdj.exe 3668 vdjjj.exe 4448 fffffll.exe 4880 1btnhh.exe 1776 1nbbth.exe 4228 djddp.exe 2104 frfrrrl.exe 1800 tbbnbb.exe 1588 tttnhh.exe 2252 7dvpj.exe 3452 pjddp.exe 536 xrllxxr.exe 4364 7nbtnn.exe 2108 1tbthh.exe 2556 xrlrllx.exe 3364 bbbbtb.exe 2632 1nthbb.exe 2636 5jvpj.exe 3756 rfllffx.exe 2916 nbhhhn.exe 1668 hhtntt.exe 3580 ppddj.exe -
resource yara_rule behavioral2/memory/2084-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/632-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-193-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4372-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-759-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 2860 2084 d04a7d6a013f85ff818557b5fe153de9fce375cb3035c2334a04cdc144a78f7aN.exe 82 PID 2084 wrote to memory of 2860 2084 d04a7d6a013f85ff818557b5fe153de9fce375cb3035c2334a04cdc144a78f7aN.exe 82 PID 2084 wrote to memory of 2860 2084 d04a7d6a013f85ff818557b5fe153de9fce375cb3035c2334a04cdc144a78f7aN.exe 82 PID 2860 wrote to memory of 2104 2860 xxxrrrf.exe 83 PID 2860 wrote to memory of 2104 2860 xxxrrrf.exe 83 PID 2860 wrote to memory of 2104 2860 xxxrrrf.exe 83 PID 2104 wrote to memory of 1408 2104 nhtbnt.exe 84 PID 2104 wrote to memory of 1408 2104 nhtbnt.exe 84 PID 2104 wrote to memory of 1408 2104 nhtbnt.exe 84 PID 1408 wrote to memory of 3656 1408 ddvvp.exe 85 PID 1408 wrote to memory of 3656 1408 ddvvp.exe 85 PID 1408 wrote to memory of 3656 1408 ddvvp.exe 85 PID 3656 wrote to memory of 3292 3656 vvjjj.exe 86 PID 3656 wrote to memory of 3292 3656 vvjjj.exe 86 PID 3656 wrote to memory of 3292 3656 vvjjj.exe 86 PID 3292 wrote to memory of 1104 3292 7hbtnn.exe 253 PID 3292 wrote to memory of 1104 3292 7hbtnn.exe 253 PID 3292 wrote to memory of 1104 3292 7hbtnn.exe 253 PID 1104 wrote to memory of 2108 1104 dvpjv.exe 88 PID 1104 wrote to memory of 2108 1104 dvpjv.exe 88 PID 1104 wrote to memory of 2108 1104 dvpjv.exe 88 PID 2108 wrote to memory of 4948 2108 pjjdv.exe 89 PID 2108 wrote to memory of 4948 2108 pjjdv.exe 89 PID 2108 wrote to memory of 4948 2108 pjjdv.exe 89 PID 4948 wrote to memory of 2628 4948 xxfrrll.exe 90 PID 4948 wrote to memory of 2628 4948 xxfrrll.exe 90 PID 4948 wrote to memory of 2628 4948 xxfrrll.exe 90 PID 2628 wrote to memory of 2636 2628 9tbthh.exe 91 PID 2628 wrote to memory of 2636 2628 9tbthh.exe 91 PID 2628 wrote to memory of 2636 2628 9tbthh.exe 91 PID 2636 wrote to memory of 3756 2636 jpdvd.exe 92 PID 2636 wrote to memory of 3756 2636 jpdvd.exe 92 PID 2636 wrote to memory of 3756 2636 jpdvd.exe 92 PID 3756 wrote to memory of 3084 3756 nhtntt.exe 93 PID 3756 wrote to 
memory of 3084 3756 nhtntt.exe 93 PID 3756 wrote to memory of 3084 3756 nhtntt.exe 93 PID 3084 wrote to memory of 232 3084 dpjjd.exe 94 PID 3084 wrote to memory of 232 3084 dpjjd.exe 94 PID 3084 wrote to memory of 232 3084 dpjjd.exe 94 PID 232 wrote to memory of 4828 232 fffrrlx.exe 95 PID 232 wrote to memory of 4828 232 fffrrlx.exe 95 PID 232 wrote to memory of 4828 232 fffrrlx.exe 95 PID 4828 wrote to memory of 5080 4828 tthhtb.exe 96 PID 4828 wrote to memory of 5080 4828 tthhtb.exe 96 PID 4828 wrote to memory of 5080 4828 tthhtb.exe 96 PID 5080 wrote to memory of 4000 5080 ddpvv.exe 97 PID 5080 wrote to memory of 4000 5080 ddpvv.exe 97 PID 5080 wrote to memory of 4000 5080 ddpvv.exe 97 PID 4000 wrote to memory of 1832 4000 lxrrrxr.exe 98 PID 4000 wrote to memory of 1832 4000 lxrrrxr.exe 98 PID 4000 wrote to memory of 1832 4000 lxrrrxr.exe 98 PID 1832 wrote to memory of 3044 1832 xlrrxxf.exe 99 PID 1832 wrote to memory of 3044 1832 xlrrxxf.exe 99 PID 1832 wrote to memory of 3044 1832 xlrrxxf.exe 99 PID 3044 wrote to memory of 4152 3044 tttntn.exe 100 PID 3044 wrote to memory of 4152 3044 tttntn.exe 100 PID 3044 wrote to memory of 4152 3044 tttntn.exe 100 PID 4152 wrote to memory of 716 4152 dvppd.exe 101 PID 4152 wrote to memory of 716 4152 dvppd.exe 101 PID 4152 wrote to memory of 716 4152 dvppd.exe 101 PID 716 wrote to memory of 2576 716 ffxxllr.exe 102 PID 716 wrote to memory of 2576 716 ffxxllr.exe 102 PID 716 wrote to memory of 2576 716 ffxxllr.exe 102 PID 2576 wrote to memory of 1328 2576 hhbtnh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d04a7d6a013f85ff818557b5fe153de9fce375cb3035c2334a04cdc144a78f7aN.exe"C:\Users\Admin\AppData\Local\Temp\d04a7d6a013f85ff818557b5fe153de9fce375cb3035c2334a04cdc144a78f7aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\xxxrrrf.exec:\xxxrrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\nhtbnt.exec:\nhtbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\ddvvp.exec:\ddvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\vvjjj.exec:\vvjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\7hbtnn.exec:\7hbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\dvpjv.exec:\dvpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\pjjdv.exec:\pjjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\xxfrrll.exec:\xxfrrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\9tbthh.exec:\9tbthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\jpdvd.exec:\jpdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\nhtntt.exec:\nhtntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\dpjjd.exec:\dpjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\fffrrlx.exec:\fffrrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\tthhtb.exec:\tthhtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\ddpvv.exec:\ddpvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\lxrrrxr.exec:\lxrrrxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\xlrrxxf.exec:\xlrrxxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\tttntn.exec:\tttntn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\dvppd.exec:\dvppd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\ffxxllr.exec:\ffxxllr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\hhbtnh.exec:\hhbtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\3hbtnt.exec:\3hbtnt.exe23⤵
- Executes dropped EXE
PID:1328 -
\??\c:\vvvjd.exec:\vvvjd.exe24⤵
- Executes dropped EXE
PID:1224 -
\??\c:\rlrllll.exec:\rlrllll.exe25⤵
- Executes dropped EXE
PID:5096 -
\??\c:\xxfxffx.exec:\xxfxffx.exe26⤵
- Executes dropped EXE
PID:1916 -
\??\c:\nhtnhn.exec:\nhtnhn.exe27⤵
- Executes dropped EXE
PID:1972 -
\??\c:\vjvpj.exec:\vjvpj.exe28⤵
- Executes dropped EXE
PID:3664 -
\??\c:\bhhbtn.exec:\bhhbtn.exe29⤵
- Executes dropped EXE
PID:4372 -
\??\c:\5xxlxxr.exec:\5xxlxxr.exe30⤵
- Executes dropped EXE
PID:1600 -
\??\c:\fllfxxr.exec:\fllfxxr.exe31⤵
- Executes dropped EXE
PID:4656 -
\??\c:\3tbbhb.exec:\3tbbhb.exe32⤵
- Executes dropped EXE
PID:2248 -
\??\c:\pjpjp.exec:\pjpjp.exe33⤵
- Executes dropped EXE
PID:3828 -
\??\c:\lxxrffx.exec:\lxxrffx.exe34⤵
- Executes dropped EXE
PID:4164 -
\??\c:\9bhnnn.exec:\9bhnnn.exe35⤵
- Executes dropped EXE
PID:1236 -
\??\c:\nhtnbt.exec:\nhtnbt.exe36⤵
- Executes dropped EXE
PID:1940 -
\??\c:\vjpdd.exec:\vjpdd.exe37⤵
- Executes dropped EXE
PID:2056 -
\??\c:\rrfxfxl.exec:\rrfxfxl.exe38⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xrrlfrl.exec:\xrrlfrl.exe39⤵
- Executes dropped EXE
PID:5052 -
\??\c:\thbbhh.exec:\thbbhh.exe40⤵
- Executes dropped EXE
PID:4820 -
\??\c:\jppjv.exec:\jppjv.exe41⤵
- Executes dropped EXE
PID:1900 -
\??\c:\1rrfxll.exec:\1rrfxll.exe42⤵
- Executes dropped EXE
PID:3376 -
\??\c:\hbhbtt.exec:\hbhbtt.exe43⤵
- Executes dropped EXE
PID:2512 -
\??\c:\5dpdj.exec:\5dpdj.exe44⤵
- Executes dropped EXE
PID:4428 -
\??\c:\vdjjj.exec:\vdjjj.exe45⤵
- Executes dropped EXE
PID:3668 -
\??\c:\fffffll.exec:\fffffll.exe46⤵
- Executes dropped EXE
PID:4448 -
\??\c:\1btnhh.exec:\1btnhh.exe47⤵
- Executes dropped EXE
PID:4880 -
\??\c:\1nbbth.exec:\1nbbth.exe48⤵
- Executes dropped EXE
PID:1776 -
\??\c:\djddp.exec:\djddp.exe49⤵
- Executes dropped EXE
PID:4228 -
\??\c:\frfrrrl.exec:\frfrrrl.exe50⤵
- Executes dropped EXE
PID:2104 -
\??\c:\tbbnbb.exec:\tbbnbb.exe51⤵
- Executes dropped EXE
PID:1800 -
\??\c:\tttnhh.exec:\tttnhh.exe52⤵
- Executes dropped EXE
PID:1588 -
\??\c:\7dvpj.exec:\7dvpj.exe53⤵
- Executes dropped EXE
PID:2252 -
\??\c:\pjddp.exec:\pjddp.exe54⤵
- Executes dropped EXE
PID:3452 -
\??\c:\xrllxxr.exec:\xrllxxr.exe55⤵
- Executes dropped EXE
PID:536 -
\??\c:\7nbtnn.exec:\7nbtnn.exe56⤵
- Executes dropped EXE
PID:4364 -
\??\c:\1tbthh.exec:\1tbthh.exe57⤵
- Executes dropped EXE
PID:2108 -
\??\c:\xrlrllx.exec:\xrlrllx.exe58⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bbbbtb.exec:\bbbbtb.exe59⤵
- Executes dropped EXE
PID:3364 -
\??\c:\1nthbb.exec:\1nthbb.exe60⤵
- Executes dropped EXE
PID:2632 -
\??\c:\5jvpj.exec:\5jvpj.exe61⤵
- Executes dropped EXE
PID:2636 -
\??\c:\rfllffx.exec:\rfllffx.exe62⤵
- Executes dropped EXE
PID:3756 -
\??\c:\nbhhhn.exec:\nbhhhn.exe63⤵
- Executes dropped EXE
PID:2916 -
\??\c:\hhtntt.exec:\hhtntt.exe64⤵
- Executes dropped EXE
PID:1668 -
\??\c:\ppddj.exec:\ppddj.exe65⤵
- Executes dropped EXE
PID:3580 -
\??\c:\ffrlfxl.exec:\ffrlfxl.exe66⤵PID:4132
-
\??\c:\flrfrlx.exec:\flrfrlx.exe67⤵PID:2140
-
\??\c:\1ttttb.exec:\1ttttb.exe68⤵PID:5032
-
\??\c:\dpppp.exec:\dpppp.exe69⤵PID:2668
-
\??\c:\7jvvv.exec:\7jvvv.exe70⤵PID:4864
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe71⤵PID:960
-
\??\c:\ffllrrr.exec:\ffllrrr.exe72⤵PID:428
-
\??\c:\htbnhh.exec:\htbnhh.exe73⤵PID:1624
-
\??\c:\1djdd.exec:\1djdd.exe74⤵PID:5068
-
\??\c:\jvjjj.exec:\jvjjj.exe75⤵PID:2072
-
\??\c:\rrlfxxr.exec:\rrlfxxr.exe76⤵PID:4540
-
\??\c:\3rxrrrx.exec:\3rxrrrx.exe77⤵PID:1280
-
\??\c:\bbnnhh.exec:\bbnnhh.exe78⤵PID:1428
-
\??\c:\dpdvd.exec:\dpdvd.exe79⤵PID:1972
-
\??\c:\jvdjd.exec:\jvdjd.exe80⤵PID:1268
-
\??\c:\lrllxrl.exec:\lrllxrl.exe81⤵PID:3076
-
\??\c:\bbbbbb.exec:\bbbbbb.exe82⤵PID:3420
-
\??\c:\9btnbn.exec:\9btnbn.exe83⤵PID:3108
-
\??\c:\jpjdp.exec:\jpjdp.exe84⤵PID:3220
-
\??\c:\5xxrllf.exec:\5xxrllf.exe85⤵PID:1892
-
\??\c:\lrxlffl.exec:\lrxlffl.exe86⤵PID:2228
-
\??\c:\9hhbbn.exec:\9hhbbn.exe87⤵PID:3132
-
\??\c:\3djjv.exec:\3djjv.exe88⤵PID:3192
-
\??\c:\jpppp.exec:\jpppp.exe89⤵PID:1888
-
\??\c:\frrrrrr.exec:\frrrrrr.exe90⤵PID:2952
-
\??\c:\nhtttb.exec:\nhtttb.exe91⤵PID:632
-
\??\c:\5ttttn.exec:\5ttttn.exe92⤵PID:912
-
\??\c:\9pvjp.exec:\9pvjp.exe93⤵PID:5028
-
\??\c:\3vpdv.exec:\3vpdv.exe94⤵PID:4976
-
\??\c:\fxxxlff.exec:\fxxxlff.exe95⤵PID:1096
-
\??\c:\5bhbtt.exec:\5bhbtt.exe96⤵PID:4988
-
\??\c:\bntnnn.exec:\bntnnn.exe97⤵PID:4660
-
\??\c:\jvvpj.exec:\jvvpj.exe98⤵PID:2120
-
\??\c:\fxlfrrx.exec:\fxlfrrx.exe99⤵PID:3824
-
\??\c:\thhbtn.exec:\thhbtn.exe100⤵PID:3020
-
\??\c:\ttbbbb.exec:\ttbbbb.exe101⤵PID:4564
-
\??\c:\pdjjj.exec:\pdjjj.exe102⤵PID:2616
-
\??\c:\dppdp.exec:\dppdp.exe103⤵PID:4676
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe104⤵PID:2064
-
\??\c:\ffxxxfx.exec:\ffxxxfx.exe105⤵PID:4296
-
\??\c:\nbbbtn.exec:\nbbbtn.exe106⤵PID:620
-
\??\c:\ppppj.exec:\ppppj.exe107⤵PID:4008
-
\??\c:\3jjdv.exec:\3jjdv.exe108⤵PID:2412
-
\??\c:\xfxfxfx.exec:\xfxfxfx.exe109⤵PID:3896
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe110⤵PID:4492
-
\??\c:\9nnhbb.exec:\9nnhbb.exe111⤵PID:4248
-
\??\c:\vdjdd.exec:\vdjdd.exe112⤵PID:3396
-
\??\c:\1jdvp.exec:\1jdvp.exe113⤵PID:3452
-
\??\c:\rfffxfl.exec:\rfffxfl.exe114⤵PID:4752
-
\??\c:\htthtn.exec:\htthtn.exe115⤵PID:3816
-
\??\c:\5hhtnn.exec:\5hhtnn.exe116⤵PID:2728
-
\??\c:\vpjdv.exec:\vpjdv.exe117⤵PID:2556
-
\??\c:\pjvvd.exec:\pjvvd.exe118⤵PID:3364
-
\??\c:\5rlxrlx.exec:\5rlxrlx.exe119⤵PID:3844
-
\??\c:\3hhtnt.exec:\3hhtnt.exe120⤵PID:2636
-
\??\c:\bbtnhh.exec:\bbtnhh.exe121⤵PID:2096
-
\??\c:\pjjdv.exec:\pjjdv.exe122⤵PID:3552