Analysis
-
max time kernel
120s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
05/10/2024, 17:33
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
90b3dd7326e7e1493d863d2f80f18e5e5dc0758a2a8f60fba1642c214bd3b2a7N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
90b3dd7326e7e1493d863d2f80f18e5e5dc0758a2a8f60fba1642c214bd3b2a7N.exe
-
Size
453KB
-
MD5
de3acbc071b6f1fb1774a22ac4a64f00
-
SHA1
863005e85752db29acbe6df10fb915ff0ac76057
-
SHA256
90b3dd7326e7e1493d863d2f80f18e5e5dc0758a2a8f60fba1642c214bd3b2a7
-
SHA512
a397342561eb643445d29c3e2138e4519a090cc5697fd48c705bd3ab09ddbb5b89247ca680e319e25b9226e13e2ffd97a48215888398a16ba970426f20ea07a6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3856-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/536-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3696-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-1030-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-1265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2100 rllffll.exe 3856 thhbtt.exe 2480 flfxrlf.exe 1820 hbnhbb.exe 4768 frxxllf.exe 388 djdvv.exe 4696 rlrlfff.exe 3452 vppjd.exe 4560 rfrlrrx.exe 4116 frrrlrl.exe 4160 3dvvv.exe 2920 xlllllf.exe 952 tbttnb.exe 3484 7hhhbh.exe 4448 vvjdj.exe 5004 ffrlxxx.exe 2684 nhbbtt.exe 4548 5dvpd.exe 184 lrxrrrr.exe 4272 rfrlrfl.exe 3972 jjvpj.exe 1956 jvvpj.exe 864 lfrlxll.exe 4928 5nnhbt.exe 2428 vpvpd.exe 5028 jvdvj.exe 3132 lfxrlfx.exe 4232 7bhhbb.exe 3392 hbbthh.exe 1728 pjjjv.exe 2552 flrxrrl.exe 1784 9tbbtn.exe 4588 7nnhbb.exe 1516 jvdvd.exe 920 lflffff.exe 2572 lxxrlfx.exe 536 tnnhnh.exe 2748 7jdvj.exe 2644 jvjjd.exe 1100 xrfxllf.exe 4976 bhhbnh.exe 3816 hntnbh.exe 4212 pjdvv.exe 1540 rllllll.exe 5048 frfxrrl.exe 1000 htnhbt.exe 4732 pjppd.exe 2780 vpdjj.exe 4488 1lrlflf.exe 4336 bntnhn.exe 2624 dvjdp.exe 1240 vpvdd.exe 2664 fxfxffl.exe 1508 9httnb.exe 3796 5nhbnn.exe 1164 vjdvv.exe 1640 xxxxrrr.exe 2128 nbhttb.exe 4804 9pvpj.exe 3976 vpvpj.exe 4952 xrrlllf.exe 3244 5tbbtb.exe 2988 lrxrllf.exe 836 frxrffx.exe -
resource yara_rule behavioral2/memory/2100-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-220-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/536-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2096-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-630-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1416 wrote to memory of 2100 1416 90b3dd7326e7e1493d863d2f80f18e5e5dc0758a2a8f60fba1642c214bd3b2a7N.exe 82 PID 1416 wrote to memory of 2100 1416 90b3dd7326e7e1493d863d2f80f18e5e5dc0758a2a8f60fba1642c214bd3b2a7N.exe 82 PID 1416 wrote to memory of 2100 1416 90b3dd7326e7e1493d863d2f80f18e5e5dc0758a2a8f60fba1642c214bd3b2a7N.exe 82 PID 2100 wrote to memory of 3856 2100 rllffll.exe 83 PID 2100 wrote to memory of 3856 2100 rllffll.exe 83 PID 2100 wrote to memory of 3856 2100 rllffll.exe 83 PID 3856 wrote to memory of 2480 3856 thhbtt.exe 84 PID 3856 wrote to memory of 2480 3856 thhbtt.exe 84 PID 3856 wrote to memory of 2480 3856 thhbtt.exe 84 PID 2480 wrote to memory of 1820 2480 flfxrlf.exe 85 PID 2480 wrote to memory of 1820 2480 flfxrlf.exe 85 PID 2480 wrote to memory of 1820 2480 flfxrlf.exe 85 PID 1820 wrote to memory of 4768 1820 hbnhbb.exe 86 PID 1820 wrote to memory of 4768 1820 hbnhbb.exe 86 PID 1820 wrote to memory of 4768 1820 hbnhbb.exe 86 PID 4768 wrote to memory of 388 4768 frxxllf.exe 87 PID 4768 wrote to memory of 388 4768 frxxllf.exe 87 PID 4768 wrote to memory of 388 4768 frxxllf.exe 87 PID 388 wrote to memory of 4696 388 djdvv.exe 88 PID 388 wrote to memory of 4696 388 djdvv.exe 88 PID 388 wrote to memory of 4696 388 djdvv.exe 88 PID 4696 wrote to memory of 3452 4696 rlrlfff.exe 89 PID 4696 wrote to memory of 3452 4696 rlrlfff.exe 89 PID 4696 wrote to memory of 3452 4696 rlrlfff.exe 89 PID 3452 wrote to memory of 4560 3452 vppjd.exe 90 PID 3452 wrote to memory of 4560 3452 vppjd.exe 90 PID 3452 wrote to memory of 4560 3452 vppjd.exe 90 PID 4560 wrote to memory of 4116 4560 rfrlrrx.exe 91 PID 4560 wrote to memory of 4116 4560 rfrlrrx.exe 91 PID 4560 wrote to memory of 4116 4560 rfrlrrx.exe 91 PID 4116 wrote to memory of 4160 4116 frrrlrl.exe 92 PID 4116 wrote to memory of 4160 4116 frrrlrl.exe 92 PID 4116 wrote to memory of 4160 4116 frrrlrl.exe 92 PID 4160 wrote to memory of 2920 4160 3dvvv.exe 93 PID 4160 wrote 
to memory of 2920 4160 3dvvv.exe 93 PID 4160 wrote to memory of 2920 4160 3dvvv.exe 93 PID 2920 wrote to memory of 952 2920 xlllllf.exe 94 PID 2920 wrote to memory of 952 2920 xlllllf.exe 94 PID 2920 wrote to memory of 952 2920 xlllllf.exe 94 PID 952 wrote to memory of 3484 952 tbttnb.exe 95 PID 952 wrote to memory of 3484 952 tbttnb.exe 95 PID 952 wrote to memory of 3484 952 tbttnb.exe 95 PID 3484 wrote to memory of 4448 3484 7hhhbh.exe 96 PID 3484 wrote to memory of 4448 3484 7hhhbh.exe 96 PID 3484 wrote to memory of 4448 3484 7hhhbh.exe 96 PID 4448 wrote to memory of 5004 4448 vvjdj.exe 97 PID 4448 wrote to memory of 5004 4448 vvjdj.exe 97 PID 4448 wrote to memory of 5004 4448 vvjdj.exe 97 PID 5004 wrote to memory of 2684 5004 ffrlxxx.exe 98 PID 5004 wrote to memory of 2684 5004 ffrlxxx.exe 98 PID 5004 wrote to memory of 2684 5004 ffrlxxx.exe 98 PID 2684 wrote to memory of 4548 2684 nhbbtt.exe 99 PID 2684 wrote to memory of 4548 2684 nhbbtt.exe 99 PID 2684 wrote to memory of 4548 2684 nhbbtt.exe 99 PID 4548 wrote to memory of 184 4548 5dvpd.exe 100 PID 4548 wrote to memory of 184 4548 5dvpd.exe 100 PID 4548 wrote to memory of 184 4548 5dvpd.exe 100 PID 184 wrote to memory of 4272 184 lrxrrrr.exe 101 PID 184 wrote to memory of 4272 184 lrxrrrr.exe 101 PID 184 wrote to memory of 4272 184 lrxrrrr.exe 101 PID 4272 wrote to memory of 3972 4272 rfrlrfl.exe 102 PID 4272 wrote to memory of 3972 4272 rfrlrfl.exe 102 PID 4272 wrote to memory of 3972 4272 rfrlrfl.exe 102 PID 3972 wrote to memory of 1956 3972 jjvpj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\90b3dd7326e7e1493d863d2f80f18e5e5dc0758a2a8f60fba1642c214bd3b2a7N.exe"C:\Users\Admin\AppData\Local\Temp\90b3dd7326e7e1493d863d2f80f18e5e5dc0758a2a8f60fba1642c214bd3b2a7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\rllffll.exec:\rllffll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\thhbtt.exec:\thhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\flfxrlf.exec:\flfxrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\hbnhbb.exec:\hbnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\frxxllf.exec:\frxxllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\djdvv.exec:\djdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\rlrlfff.exec:\rlrlfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\vppjd.exec:\vppjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\frrrlrl.exec:\frrrlrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\3dvvv.exec:\3dvvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\xlllllf.exec:\xlllllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\tbttnb.exec:\tbttnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\7hhhbh.exec:\7hhhbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\vvjdj.exec:\vvjdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\ffrlxxx.exec:\ffrlxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\nhbbtt.exec:\nhbbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\5dvpd.exec:\5dvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\rfrlrfl.exec:\rfrlrfl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\jjvpj.exec:\jjvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\jvvpj.exec:\jvvpj.exe23⤵
- Executes dropped EXE
PID:1956 -
\??\c:\lfrlxll.exec:\lfrlxll.exe24⤵
- Executes dropped EXE
PID:864 -
\??\c:\5nnhbt.exec:\5nnhbt.exe25⤵
- Executes dropped EXE
PID:4928 -
\??\c:\vpvpd.exec:\vpvpd.exe26⤵
- Executes dropped EXE
PID:2428 -
\??\c:\jvdvj.exec:\jvdvj.exe27⤵
- Executes dropped EXE
PID:5028 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe28⤵
- Executes dropped EXE
PID:3132 -
\??\c:\7bhhbb.exec:\7bhhbb.exe29⤵
- Executes dropped EXE
PID:4232 -
\??\c:\hbbthh.exec:\hbbthh.exe30⤵
- Executes dropped EXE
PID:3392 -
\??\c:\pjjjv.exec:\pjjjv.exe31⤵
- Executes dropped EXE
PID:1728 -
\??\c:\flrxrrl.exec:\flrxrrl.exe32⤵
- Executes dropped EXE
PID:2552 -
\??\c:\9tbbtn.exec:\9tbbtn.exe33⤵
- Executes dropped EXE
PID:1784 -
\??\c:\7nnhbb.exec:\7nnhbb.exe34⤵
- Executes dropped EXE
PID:4588 -
\??\c:\jvdvd.exec:\jvdvd.exe35⤵
- Executes dropped EXE
PID:1516 -
\??\c:\lflffff.exec:\lflffff.exe36⤵
- Executes dropped EXE
PID:920 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe37⤵
- Executes dropped EXE
PID:2572 -
\??\c:\tnnhnh.exec:\tnnhnh.exe38⤵
- Executes dropped EXE
PID:536 -
\??\c:\7jdvj.exec:\7jdvj.exe39⤵
- Executes dropped EXE
PID:2748 -
\??\c:\jvjjd.exec:\jvjjd.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2644 -
\??\c:\xrfxllf.exec:\xrfxllf.exe41⤵
- Executes dropped EXE
PID:1100 -
\??\c:\bhhbnh.exec:\bhhbnh.exe42⤵
- Executes dropped EXE
PID:4976 -
\??\c:\hntnbh.exec:\hntnbh.exe43⤵
- Executes dropped EXE
PID:3816 -
\??\c:\pjdvv.exec:\pjdvv.exe44⤵
- Executes dropped EXE
PID:4212 -
\??\c:\rllllll.exec:\rllllll.exe45⤵
- Executes dropped EXE
PID:1540 -
\??\c:\frfxrrl.exec:\frfxrrl.exe46⤵
- Executes dropped EXE
PID:5048 -
\??\c:\htnhbt.exec:\htnhbt.exe47⤵
- Executes dropped EXE
PID:1000 -
\??\c:\pjppd.exec:\pjppd.exe48⤵
- Executes dropped EXE
PID:4732 -
\??\c:\vpdjj.exec:\vpdjj.exe49⤵
- Executes dropped EXE
PID:2780 -
\??\c:\1lrlflf.exec:\1lrlflf.exe50⤵
- Executes dropped EXE
PID:4488 -
\??\c:\bntnhn.exec:\bntnhn.exe51⤵
- Executes dropped EXE
PID:4336 -
\??\c:\dvjdp.exec:\dvjdp.exe52⤵
- Executes dropped EXE
PID:2624 -
\??\c:\vpvdd.exec:\vpvdd.exe53⤵
- Executes dropped EXE
PID:1240 -
\??\c:\fxfxffl.exec:\fxfxffl.exe54⤵
- Executes dropped EXE
PID:2664 -
\??\c:\9httnb.exec:\9httnb.exe55⤵
- Executes dropped EXE
PID:1508 -
\??\c:\5nhbnn.exec:\5nhbnn.exe56⤵
- Executes dropped EXE
PID:3796 -
\??\c:\vjdvv.exec:\vjdvv.exe57⤵
- Executes dropped EXE
PID:1164 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe58⤵
- Executes dropped EXE
PID:1640 -
\??\c:\nbhttb.exec:\nbhttb.exe59⤵
- Executes dropped EXE
PID:2128 -
\??\c:\9pvpj.exec:\9pvpj.exe60⤵
- Executes dropped EXE
PID:4804 -
\??\c:\vpvpj.exec:\vpvpj.exe61⤵
- Executes dropped EXE
PID:3976 -
\??\c:\xrrlllf.exec:\xrrlllf.exe62⤵
- Executes dropped EXE
PID:4952 -
\??\c:\5tbbtb.exec:\5tbbtb.exe63⤵
- Executes dropped EXE
PID:3244 -
\??\c:\lrxrllf.exec:\lrxrllf.exe64⤵
- Executes dropped EXE
PID:2988 -
\??\c:\frxrffx.exec:\frxrffx.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836 -
\??\c:\7hbtnh.exec:\7hbtnh.exe66⤵PID:4744
-
\??\c:\vpdpp.exec:\vpdpp.exe67⤵PID:3764
-
\??\c:\pjjdd.exec:\pjjdd.exe68⤵PID:3080
-
\??\c:\llrrffr.exec:\llrrffr.exe69⤵PID:3596
-
\??\c:\llfrlfx.exec:\llfrlfx.exe70⤵PID:1648
-
\??\c:\nhhbtn.exec:\nhhbtn.exe71⤵PID:4700
-
\??\c:\bttnhb.exec:\bttnhb.exe72⤵PID:3096
-
\??\c:\pjdvv.exec:\pjdvv.exe73⤵PID:884
-
\??\c:\vvjpj.exec:\vvjpj.exe74⤵PID:3696
-
\??\c:\9xxlffx.exec:\9xxlffx.exe75⤵PID:3352
-
\??\c:\jjvpj.exec:\jjvpj.exe76⤵PID:3444
-
\??\c:\nhnnth.exec:\nhnnth.exe77⤵PID:4008
-
\??\c:\dpvjd.exec:\dpvjd.exe78⤵PID:5004
-
\??\c:\1rxlllr.exec:\1rxlllr.exe79⤵PID:2096
-
\??\c:\rxlfxxf.exec:\rxlfxxf.exe80⤵PID:4568
-
\??\c:\tnbtnn.exec:\tnbtnn.exe81⤵PID:4548
-
\??\c:\bbnnhh.exec:\bbnnhh.exe82⤵PID:1556
-
\??\c:\hnnhtt.exec:\hnnhtt.exe83⤵PID:4216
-
\??\c:\ppvpd.exec:\ppvpd.exe84⤵PID:3120
-
\??\c:\jdjjp.exec:\jdjjp.exe85⤵PID:112
-
\??\c:\lfrrxlx.exec:\lfrrxlx.exe86⤵PID:1500
-
\??\c:\bthhnn.exec:\bthhnn.exe87⤵PID:1692
-
\??\c:\3vjvv.exec:\3vjvv.exe88⤵PID:4928
-
\??\c:\rlrllll.exec:\rlrllll.exe89⤵PID:3948
-
\??\c:\hnntnh.exec:\hnntnh.exe90⤵PID:5028
-
\??\c:\5ntnhh.exec:\5ntnhh.exe91⤵PID:4108
-
\??\c:\ppdvp.exec:\ppdvp.exe92⤵PID:3628
-
\??\c:\lrxrffx.exec:\lrxrffx.exe93⤵PID:3140
-
\??\c:\btthbt.exec:\btthbt.exe94⤵PID:3732
-
\??\c:\pvdvj.exec:\pvdvj.exe95⤵
- System Location Discovery: System Language Discovery
PID:4024 -
\??\c:\pdjvp.exec:\pdjvp.exe96⤵PID:2700
-
\??\c:\9rrfxxr.exec:\9rrfxxr.exe97⤵PID:1596
-
\??\c:\tnbtbb.exec:\tnbtbb.exe98⤵PID:3524
-
\??\c:\vppjv.exec:\vppjv.exe99⤵PID:2748
-
\??\c:\xflfrrf.exec:\xflfrrf.exe100⤵PID:1412
-
\??\c:\hthbbt.exec:\hthbbt.exe101⤵PID:1100
-
\??\c:\bbnhtt.exec:\bbnhtt.exe102⤵PID:4660
-
\??\c:\7jjdp.exec:\7jjdp.exe103⤵PID:1868
-
\??\c:\rxxlfxl.exec:\rxxlfxl.exe104⤵PID:3416
-
\??\c:\htbbnn.exec:\htbbnn.exe105⤵PID:1356
-
\??\c:\vdjdp.exec:\vdjdp.exe106⤵PID:3000
-
\??\c:\1dvpj.exec:\1dvpj.exe107⤵PID:5048
-
\??\c:\ntthtt.exec:\ntthtt.exe108⤵PID:2612
-
\??\c:\jpvjv.exec:\jpvjv.exe109⤵PID:4732
-
\??\c:\pdjvp.exec:\pdjvp.exe110⤵PID:1440
-
\??\c:\lfxrrrx.exec:\lfxrrrx.exe111⤵PID:1020
-
\??\c:\1hnhnn.exec:\1hnhnn.exe112⤵PID:4336
-
\??\c:\tttnbb.exec:\tttnbb.exe113⤵PID:5068
-
\??\c:\vjjdv.exec:\vjjdv.exe114⤵PID:2624
-
\??\c:\frxrrrx.exec:\frxrrrx.exe115⤵PID:3584
-
\??\c:\lrrlffx.exec:\lrrlffx.exe116⤵PID:4612
-
\??\c:\ttbtnn.exec:\ttbtnn.exe117⤵PID:3392
-
\??\c:\dpvpj.exec:\dpvpj.exe118⤵PID:1736
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe119⤵PID:3368
-
\??\c:\1nnhtt.exec:\1nnhtt.exe120⤵PID:3796
-
\??\c:\vppjv.exec:\vppjv.exe121⤵PID:2516
-
\??\c:\dvdvp.exec:\dvdvp.exe122⤵PID:3668