Analysis
-
max time kernel
120s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
14/10/2024, 12:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a03178c0b8e8ae6a941abe7026cc4938a30a0088eb23cd85baea6d58299630f9N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
a03178c0b8e8ae6a941abe7026cc4938a30a0088eb23cd85baea6d58299630f9N.exe
-
Size
378KB
-
MD5
a4619c5fce6e399e53633b69540ffc20
-
SHA1
72bb5b36d02e838f9210df4e26e02ea799bba953
-
SHA256
a03178c0b8e8ae6a941abe7026cc4938a30a0088eb23cd85baea6d58299630f9
-
SHA512
487da1bf65adc4adc6b145a4f5e4d13f18e8feeb369643c61b30d93aaab3fb37ff935e78f12c1916d38760036c9e35f9ff350c35038a5debfbffd99e3bbe563c
-
SSDEEP
3072:8hOm2sI93UufdC67cimD5t251UrRE9TTFw8TCg:8cm7ImGddXmNt251UriZFwGCg
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2908-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4996-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4304-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-1059-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1768-1096-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4908 1rrlflf.exe 1004 bhbtnn.exe 4500 frffflf.exe 4872 dvjdd.exe 1036 lxxffxx.exe 4204 dpvvp.exe 2856 lffxllf.exe 3220 dpppj.exe 4896 dpvvp.exe 232 fxxxrrf.exe 244 vpjjj.exe 5084 xrxxffr.exe 4560 ttbtbh.exe 1884 7vppv.exe 2524 vpdvd.exe 3968 nbnnnt.exe 3500 dpvvv.exe 228 nhnhhh.exe 3920 vpppj.exe 1476 rxfxrrl.exe 4792 vpvpp.exe 4996 3lfxrlf.exe 3148 bthhhh.exe 2572 djpdv.exe 1796 xrfxflf.exe 2464 hnhbhn.exe 2012 jjdpj.exe 2560 rlxrrxr.exe 1040 dpdvd.exe 1928 xxrxxxr.exe 1480 lxxrrrx.exe 4788 jddvv.exe 3356 pdjjd.exe 1240 frxrxrr.exe 936 jddjj.exe 3692 1hnhbt.exe 3672 hhhhtt.exe 2220 dddvj.exe 4780 fxxrllf.exe 1900 pvdvv.exe 4864 rrrrxxr.exe 3552 hbbtnn.exe 852 hbtthh.exe 4032 dvpjj.exe 4048 xrrlffx.exe 3884 llffflr.exe 4900 hbttnb.exe 3220 jddvj.exe 1220 rlxrrxr.exe 5016 xxfxxxf.exe 2328 9bbhbt.exe 4672 vpvvp.exe 1328 rfllffx.exe 1396 lllffll.exe 436 nhhbnn.exe 2568 jdpdv.exe 4560 xfrlfxr.exe 2420 hbbtbb.exe 2700 pjdvd.exe 3948 xrxxrrl.exe 1772 frxfffx.exe 3176 nthbtt.exe 4664 nntbth.exe 4304 vjppp.exe -
resource yara_rule behavioral2/memory/2908-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2572-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2936-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-739-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfffxf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2908 wrote to memory of 4908 2908 a03178c0b8e8ae6a941abe7026cc4938a30a0088eb23cd85baea6d58299630f9N.exe 83 PID 2908 wrote to memory of 4908 2908 a03178c0b8e8ae6a941abe7026cc4938a30a0088eb23cd85baea6d58299630f9N.exe 83 PID 2908 wrote to memory of 4908 2908 a03178c0b8e8ae6a941abe7026cc4938a30a0088eb23cd85baea6d58299630f9N.exe 83 PID 4908 wrote to memory of 1004 4908 1rrlflf.exe 84 PID 4908 wrote to memory of 1004 4908 1rrlflf.exe 84 PID 4908 wrote to memory of 1004 4908 1rrlflf.exe 84 PID 1004 wrote to memory of 4500 1004 bhbtnn.exe 85 PID 1004 wrote to memory of 4500 1004 bhbtnn.exe 85 PID 1004 wrote to memory of 4500 1004 bhbtnn.exe 85 PID 4500 wrote to memory of 4872 4500 frffflf.exe 86 PID 4500 wrote to memory of 4872 4500 frffflf.exe 86 PID 4500 wrote to memory of 4872 4500 frffflf.exe 86 PID 4872 wrote to memory of 1036 4872 dvjdd.exe 88 PID 4872 wrote to memory of 1036 4872 dvjdd.exe 88 PID 4872 wrote to memory of 1036 4872 dvjdd.exe 88 PID 1036 wrote to memory of 4204 1036 lxxffxx.exe 89 PID 1036 wrote to memory of 4204 1036 lxxffxx.exe 89 PID 1036 wrote to memory of 4204 1036 lxxffxx.exe 89 PID 4204 wrote to memory of 2856 4204 dpvvp.exe 91 PID 4204 wrote to memory of 2856 4204 dpvvp.exe 91 PID 4204 wrote to memory of 2856 4204 dpvvp.exe 91 PID 2856 wrote to memory of 3220 2856 lffxllf.exe 92 PID 2856 wrote to memory of 3220 2856 lffxllf.exe 92 PID 2856 wrote to memory of 3220 2856 lffxllf.exe 92 PID 3220 wrote to memory of 4896 3220 dpppj.exe 93 PID 3220 wrote to memory of 4896 3220 dpppj.exe 93 PID 3220 wrote to memory of 4896 3220 dpppj.exe 93 PID 4896 wrote to memory of 232 4896 dpvvp.exe 94 PID 4896 wrote to memory of 232 4896 dpvvp.exe 94 PID 4896 wrote to memory of 232 4896 dpvvp.exe 94 PID 232 wrote to memory of 244 232 fxxxrrf.exe 95 PID 232 wrote to memory of 244 232 fxxxrrf.exe 95 PID 232 wrote to memory of 244 232 fxxxrrf.exe 95 PID 244 wrote to memory of 5084 244 vpjjj.exe 97 PID 244 wrote to memory of 
5084 244 vpjjj.exe 97 PID 244 wrote to memory of 5084 244 vpjjj.exe 97 PID 5084 wrote to memory of 4560 5084 xrxxffr.exe 98 PID 5084 wrote to memory of 4560 5084 xrxxffr.exe 98 PID 5084 wrote to memory of 4560 5084 xrxxffr.exe 98 PID 4560 wrote to memory of 1884 4560 ttbtbh.exe 99 PID 4560 wrote to memory of 1884 4560 ttbtbh.exe 99 PID 4560 wrote to memory of 1884 4560 ttbtbh.exe 99 PID 1884 wrote to memory of 2524 1884 7vppv.exe 100 PID 1884 wrote to memory of 2524 1884 7vppv.exe 100 PID 1884 wrote to memory of 2524 1884 7vppv.exe 100 PID 2524 wrote to memory of 3968 2524 vpdvd.exe 101 PID 2524 wrote to memory of 3968 2524 vpdvd.exe 101 PID 2524 wrote to memory of 3968 2524 vpdvd.exe 101 PID 3968 wrote to memory of 3500 3968 nbnnnt.exe 102 PID 3968 wrote to memory of 3500 3968 nbnnnt.exe 102 PID 3968 wrote to memory of 3500 3968 nbnnnt.exe 102 PID 3500 wrote to memory of 228 3500 dpvvv.exe 103 PID 3500 wrote to memory of 228 3500 dpvvv.exe 103 PID 3500 wrote to memory of 228 3500 dpvvv.exe 103 PID 228 wrote to memory of 3920 228 nhnhhh.exe 104 PID 228 wrote to memory of 3920 228 nhnhhh.exe 104 PID 228 wrote to memory of 3920 228 nhnhhh.exe 104 PID 3920 wrote to memory of 1476 3920 vpppj.exe 105 PID 3920 wrote to memory of 1476 3920 vpppj.exe 105 PID 3920 wrote to memory of 1476 3920 vpppj.exe 105 PID 1476 wrote to memory of 4792 1476 rxfxrrl.exe 106 PID 1476 wrote to memory of 4792 1476 rxfxrrl.exe 106 PID 1476 wrote to memory of 4792 1476 rxfxrrl.exe 106 PID 4792 wrote to memory of 4996 4792 vpvpp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\a03178c0b8e8ae6a941abe7026cc4938a30a0088eb23cd85baea6d58299630f9N.exe"C:\Users\Admin\AppData\Local\Temp\a03178c0b8e8ae6a941abe7026cc4938a30a0088eb23cd85baea6d58299630f9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\1rrlflf.exec:\1rrlflf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\bhbtnn.exec:\bhbtnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\frffflf.exec:\frffflf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\dvjdd.exec:\dvjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\lxxffxx.exec:\lxxffxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\dpvvp.exec:\dpvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\lffxllf.exec:\lffxllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\dpppj.exec:\dpppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\dpvvp.exec:\dpvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\fxxxrrf.exec:\fxxxrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\vpjjj.exec:\vpjjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\xrxxffr.exec:\xrxxffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\ttbtbh.exec:\ttbtbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\7vppv.exec:\7vppv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\vpdvd.exec:\vpdvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\nbnnnt.exec:\nbnnnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\dpvvv.exec:\dpvvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\nhnhhh.exec:\nhnhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\vpppj.exec:\vpppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\vpvpp.exec:\vpvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\3lfxrlf.exec:\3lfxrlf.exe23⤵
- Executes dropped EXE
PID:4996 -
\??\c:\bthhhh.exec:\bthhhh.exe24⤵
- Executes dropped EXE
PID:3148 -
\??\c:\djpdv.exec:\djpdv.exe25⤵
- Executes dropped EXE
PID:2572 -
\??\c:\xrfxflf.exec:\xrfxflf.exe26⤵
- Executes dropped EXE
PID:1796 -
\??\c:\hnhbhn.exec:\hnhbhn.exe27⤵
- Executes dropped EXE
PID:2464 -
\??\c:\jjdpj.exec:\jjdpj.exe28⤵
- Executes dropped EXE
PID:2012 -
\??\c:\rlxrrxr.exec:\rlxrrxr.exe29⤵
- Executes dropped EXE
PID:2560 -
\??\c:\dpdvd.exec:\dpdvd.exe30⤵
- Executes dropped EXE
PID:1040 -
\??\c:\xxrxxxr.exec:\xxrxxxr.exe31⤵
- Executes dropped EXE
PID:1928 -
\??\c:\lxxrrrx.exec:\lxxrrrx.exe32⤵
- Executes dropped EXE
PID:1480 -
\??\c:\jddvv.exec:\jddvv.exe33⤵
- Executes dropped EXE
PID:4788 -
\??\c:\pdjjd.exec:\pdjjd.exe34⤵
- Executes dropped EXE
PID:3356 -
\??\c:\frxrxrr.exec:\frxrxrr.exe35⤵
- Executes dropped EXE
PID:1240 -
\??\c:\bntnhh.exec:\bntnhh.exe36⤵PID:4468
-
\??\c:\jddjj.exec:\jddjj.exe37⤵
- Executes dropped EXE
PID:936 -
\??\c:\1hnhbt.exec:\1hnhbt.exe38⤵
- Executes dropped EXE
PID:3692 -
\??\c:\hhhhtt.exec:\hhhhtt.exe39⤵
- Executes dropped EXE
PID:3672 -
\??\c:\dddvj.exec:\dddvj.exe40⤵
- Executes dropped EXE
PID:2220 -
\??\c:\fxxrllf.exec:\fxxrllf.exe41⤵
- Executes dropped EXE
PID:4780 -
\??\c:\pvdvv.exec:\pvdvv.exe42⤵
- Executes dropped EXE
PID:1900 -
\??\c:\rrrrxxr.exec:\rrrrxxr.exe43⤵
- Executes dropped EXE
PID:4864 -
\??\c:\hbbtnn.exec:\hbbtnn.exe44⤵
- Executes dropped EXE
PID:3552 -
\??\c:\hbtthh.exec:\hbtthh.exe45⤵
- Executes dropped EXE
PID:852 -
\??\c:\dvpjj.exec:\dvpjj.exe46⤵
- Executes dropped EXE
PID:4032 -
\??\c:\xrrlffx.exec:\xrrlffx.exe47⤵
- Executes dropped EXE
PID:4048 -
\??\c:\llffflr.exec:\llffflr.exe48⤵
- Executes dropped EXE
PID:3884 -
\??\c:\hbttnb.exec:\hbttnb.exe49⤵
- Executes dropped EXE
PID:4900 -
\??\c:\jddvj.exec:\jddvj.exe50⤵
- Executes dropped EXE
PID:3220 -
\??\c:\rlxrrxr.exec:\rlxrrxr.exe51⤵
- Executes dropped EXE
PID:1220 -
\??\c:\xxfxxxf.exec:\xxfxxxf.exe52⤵
- Executes dropped EXE
PID:5016 -
\??\c:\9bbhbt.exec:\9bbhbt.exe53⤵
- Executes dropped EXE
PID:2328 -
\??\c:\vpvvp.exec:\vpvvp.exe54⤵
- Executes dropped EXE
PID:4672 -
\??\c:\rfllffx.exec:\rfllffx.exe55⤵
- Executes dropped EXE
PID:1328 -
\??\c:\lllffll.exec:\lllffll.exe56⤵
- Executes dropped EXE
PID:1396 -
\??\c:\nhhbnn.exec:\nhhbnn.exe57⤵
- Executes dropped EXE
PID:436 -
\??\c:\jdpdv.exec:\jdpdv.exe58⤵
- Executes dropped EXE
PID:2568 -
\??\c:\xfrlfxr.exec:\xfrlfxr.exe59⤵
- Executes dropped EXE
PID:4560 -
\??\c:\hbbtbb.exec:\hbbtbb.exe60⤵
- Executes dropped EXE
PID:2420 -
\??\c:\pjdvd.exec:\pjdvd.exe61⤵
- Executes dropped EXE
PID:2700 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe62⤵
- Executes dropped EXE
PID:3948 -
\??\c:\frxfffx.exec:\frxfffx.exe63⤵
- Executes dropped EXE
PID:1772 -
\??\c:\nthbtt.exec:\nthbtt.exe64⤵
- Executes dropped EXE
PID:3176 -
\??\c:\nntbth.exec:\nntbth.exe65⤵
- Executes dropped EXE
PID:4664 -
\??\c:\vjppp.exec:\vjppp.exe66⤵
- Executes dropped EXE
PID:4304 -
\??\c:\rrxlxxr.exec:\rrxlxxr.exe67⤵PID:3500
-
\??\c:\xfrlxxx.exec:\xfrlxxx.exe68⤵PID:3896
-
\??\c:\tthbhh.exec:\tthbhh.exe69⤵PID:3920
-
\??\c:\5vjdj.exec:\5vjdj.exe70⤵PID:2808
-
\??\c:\flxrlff.exec:\flxrlff.exe71⤵PID:4416
-
\??\c:\5ffxrrl.exec:\5ffxrrl.exe72⤵PID:4792
-
\??\c:\nhbnhh.exec:\nhbnhh.exe73⤵PID:3732
-
\??\c:\vdvpj.exec:\vdvpj.exe74⤵PID:4720
-
\??\c:\vpppv.exec:\vpppv.exe75⤵PID:1216
-
\??\c:\7xfxlff.exec:\7xfxlff.exe76⤵PID:2316
-
\??\c:\bbbttb.exec:\bbbttb.exe77⤵PID:404
-
\??\c:\nnhbbb.exec:\nnhbbb.exe78⤵PID:2936
-
\??\c:\vddjv.exec:\vddjv.exe79⤵PID:1100
-
\??\c:\7vvpp.exec:\7vvpp.exe80⤵PID:2012
-
\??\c:\flfxrrr.exec:\flfxrrr.exe81⤵PID:2092
-
\??\c:\bthbhb.exec:\bthbhb.exe82⤵PID:1368
-
\??\c:\jjddv.exec:\jjddv.exe83⤵PID:3744
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe84⤵PID:4868
-
\??\c:\nhbttt.exec:\nhbttt.exe85⤵PID:4824
-
\??\c:\pdpvd.exec:\pdpvd.exe86⤵PID:3996
-
\??\c:\jjpjv.exec:\jjpjv.exe87⤵PID:3292
-
\??\c:\7rlrlxr.exec:\7rlrlxr.exe88⤵
- System Location Discovery: System Language Discovery
PID:1300 -
\??\c:\1nbhnh.exec:\1nbhnh.exe89⤵PID:716
-
\??\c:\tnbtnn.exec:\tnbtnn.exe90⤵PID:4384
-
\??\c:\dpdvp.exec:\dpdvp.exe91⤵PID:1240
-
\??\c:\9lrlrxf.exec:\9lrlrxf.exe92⤵PID:2908
-
\??\c:\rflrllf.exec:\rflrllf.exe93⤵PID:2256
-
\??\c:\nhbthb.exec:\nhbthb.exe94⤵PID:3540
-
\??\c:\dvppp.exec:\dvppp.exe95⤵PID:1688
-
\??\c:\jvdvv.exec:\jvdvv.exe96⤵PID:2956
-
\??\c:\xfrlllr.exec:\xfrlllr.exe97⤵PID:4276
-
\??\c:\ttnhbb.exec:\ttnhbb.exe98⤵PID:2364
-
\??\c:\nhhbtt.exec:\nhhbtt.exe99⤵PID:1896
-
\??\c:\7dvvj.exec:\7dvvj.exe100⤵PID:2180
-
\??\c:\lffxrrr.exec:\lffxrrr.exe101⤵PID:3552
-
\??\c:\tbhbtt.exec:\tbhbtt.exe102⤵PID:3504
-
\??\c:\nnnhhb.exec:\nnnhhb.exe103⤵PID:3932
-
\??\c:\dpppj.exec:\dpppj.exe104⤵PID:2976
-
\??\c:\vppjv.exec:\vppjv.exe105⤵PID:4064
-
\??\c:\5xfxffl.exec:\5xfxffl.exe106⤵PID:732
-
\??\c:\9xfxffr.exec:\9xfxffr.exe107⤵PID:644
-
\??\c:\nhhbbb.exec:\nhhbbb.exe108⤵PID:5012
-
\??\c:\pvvvd.exec:\pvvvd.exe109⤵PID:2716
-
\??\c:\9ffxllr.exec:\9ffxllr.exe110⤵PID:1296
-
\??\c:\fxrrllf.exec:\fxrrllf.exe111⤵PID:4876
-
\??\c:\thhhbb.exec:\thhhbb.exe112⤵PID:244
-
\??\c:\pjppp.exec:\pjppp.exe113⤵PID:1380
-
\??\c:\ppvjd.exec:\ppvjd.exe114⤵PID:3060
-
\??\c:\rxxrlrl.exec:\rxxrlrl.exe115⤵PID:3436
-
\??\c:\bbnhht.exec:\bbnhht.exe116⤵PID:4560
-
\??\c:\bbbtnb.exec:\bbbtnb.exe117⤵PID:2380
-
\??\c:\jpvpp.exec:\jpvpp.exe118⤵PID:2480
-
\??\c:\rlxxrll.exec:\rlxxrll.exe119⤵PID:468
-
\??\c:\nhthtb.exec:\nhthtb.exe120⤵PID:3908
-
\??\c:\nbhbnt.exec:\nbhbnt.exe121⤵PID:3968
-
\??\c:\vjvvv.exec:\vjvvv.exe122⤵PID:3872