Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 02:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9358281883e52422f109b35b1e3283e40752446d1254e606c25fa0851f902858.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
9358281883e52422f109b35b1e3283e40752446d1254e606c25fa0851f902858.exe
-
Size
455KB
-
MD5
8d9f18ce52e45149df11a10da21df458
-
SHA1
97428467efb4ea8e9e9d4abdda7c4bb53601dc00
-
SHA256
9358281883e52422f109b35b1e3283e40752446d1254e606c25fa0851f902858
-
SHA512
c7ca5f26c7e51bc8c831c148596963b64ed7ca918708c5990b0d1eb6879ea0a27ad61495910cc6d14dbaf1fff8c7b3d1d969722206e55978594b9bb19fa634aa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRn:q7Tc2NYHUrAwfMp3CDRn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1348-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1248-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-984-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1056-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1568-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1072 fxxlxrl.exe 5032 1htntn.exe 452 rfrrfxx.exe 1448 bttbth.exe 3400 pddpd.exe 5036 dpjvp.exe 232 dvvjv.exe 3320 llrfrlx.exe 4560 pdjdd.exe 4516 frrfrfx.exe 1568 xfffrlx.exe 392 thhthn.exe 1188 vppdd.exe 1852 dpjvp.exe 1900 7htnhn.exe 616 dppdv.exe 1844 rxxlxrf.exe 3772 nbbnhh.exe 4648 djdvp.exe 1260 fxfrrll.exe 3724 thnhbt.exe 4372 hhnbth.exe 2592 lxfxrlf.exe 2860 frrlxrr.exe 384 dvpdd.exe 2396 9rrfrlx.exe 3112 nbthbt.exe 2420 ntbhht.exe 932 dvdpp.exe 3372 htthbt.exe 5048 pdjvp.exe 4908 djjvj.exe 2684 rffrlrl.exe 4964 bnhbhb.exe 1604 vjvpj.exe 4188 3vpjj.exe 1864 lfxrrlf.exe 4432 hnbthb.exe 4636 ntthbb.exe 3152 jvjpv.exe 1248 xflfffx.exe 2544 nhhhtt.exe 4128 bhthth.exe 1116 vvpdd.exe 4888 7llrlfr.exe 4416 bttnhh.exe 4716 nbthtn.exe 1244 ddddv.exe 1072 rrxlfrx.exe 5032 xffxrlf.exe 1204 bnnhbt.exe 3080 vpddd.exe 4508 xllfxrl.exe 1972 tbthtb.exe 2828 nbbtnh.exe 3272 jdvpj.exe 3120 lrfffrf.exe 4276 9hnhhh.exe 2768 jdvvp.exe 4192 xxfrrxr.exe 3688 xflffxx.exe 5020 bthbtt.exe 3976 dddvp.exe 2176 7xffxfx.exe -
resource yara_rule behavioral2/memory/1348-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-225-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4416-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-1434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-1411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-1078-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-1069-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1056-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-133-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1348 wrote to memory of 1072 1348 9358281883e52422f109b35b1e3283e40752446d1254e606c25fa0851f902858.exe 83 PID 1348 wrote to memory of 1072 1348 9358281883e52422f109b35b1e3283e40752446d1254e606c25fa0851f902858.exe 83 PID 1348 wrote to memory of 1072 1348 9358281883e52422f109b35b1e3283e40752446d1254e606c25fa0851f902858.exe 83 PID 1072 wrote to memory of 5032 1072 fxxlxrl.exe 132 PID 1072 wrote to memory of 5032 1072 fxxlxrl.exe 132 PID 1072 wrote to memory of 5032 1072 fxxlxrl.exe 132 PID 5032 wrote to memory of 452 5032 1htntn.exe 85 PID 5032 wrote to memory of 452 5032 1htntn.exe 85 PID 5032 wrote to memory of 452 5032 1htntn.exe 85 PID 452 wrote to memory of 1448 452 rfrrfxx.exe 86 PID 452 wrote to memory of 1448 452 rfrrfxx.exe 86 PID 452 wrote to memory of 1448 452 rfrrfxx.exe 86 PID 1448 wrote to memory of 3400 1448 bttbth.exe 87 PID 1448 wrote to memory of 3400 1448 bttbth.exe 87 PID 1448 wrote to memory of 3400 1448 bttbth.exe 87 PID 3400 wrote to memory of 5036 3400 pddpd.exe 88 PID 3400 wrote to memory of 5036 3400 pddpd.exe 88 PID 3400 wrote to memory of 5036 3400 pddpd.exe 88 PID 5036 wrote to memory of 232 5036 dpjvp.exe 89 PID 5036 wrote to memory of 232 5036 dpjvp.exe 89 PID 5036 wrote to memory of 232 5036 dpjvp.exe 89 PID 232 wrote to memory of 3320 232 dvvjv.exe 374 PID 232 wrote to memory of 3320 232 dvvjv.exe 374 PID 232 wrote to memory of 3320 232 dvvjv.exe 374 PID 3320 wrote to memory of 4560 3320 llrfrlx.exe 203 PID 3320 wrote to memory of 4560 3320 llrfrlx.exe 203 PID 3320 wrote to memory of 4560 3320 llrfrlx.exe 203 PID 4560 wrote to memory of 4516 4560 pdjdd.exe 431 PID 4560 wrote to memory of 4516 4560 pdjdd.exe 431 PID 4560 wrote to memory of 4516 4560 pdjdd.exe 431 PID 4516 wrote to memory of 1568 4516 frrfrfx.exe 206 PID 4516 wrote to memory of 1568 4516 frrfrfx.exe 206 PID 4516 wrote to memory of 1568 4516 frrfrfx.exe 206 PID 1568 wrote to memory of 392 1568 xfffrlx.exe 94 PID 1568 wrote to 
memory of 392 1568 xfffrlx.exe 94 PID 1568 wrote to memory of 392 1568 xfffrlx.exe 94 PID 392 wrote to memory of 1188 392 thhthn.exe 95 PID 392 wrote to memory of 1188 392 thhthn.exe 95 PID 392 wrote to memory of 1188 392 thhthn.exe 95 PID 1188 wrote to memory of 1852 1188 vppdd.exe 151 PID 1188 wrote to memory of 1852 1188 vppdd.exe 151 PID 1188 wrote to memory of 1852 1188 vppdd.exe 151 PID 1852 wrote to memory of 1900 1852 dpjvp.exe 97 PID 1852 wrote to memory of 1900 1852 dpjvp.exe 97 PID 1852 wrote to memory of 1900 1852 dpjvp.exe 97 PID 1900 wrote to memory of 616 1900 7htnhn.exe 98 PID 1900 wrote to memory of 616 1900 7htnhn.exe 98 PID 1900 wrote to memory of 616 1900 7htnhn.exe 98 PID 616 wrote to memory of 1844 616 dppdv.exe 329 PID 616 wrote to memory of 1844 616 dppdv.exe 329 PID 616 wrote to memory of 1844 616 dppdv.exe 329 PID 1844 wrote to memory of 3772 1844 rxxlxrf.exe 100 PID 1844 wrote to memory of 3772 1844 rxxlxrf.exe 100 PID 1844 wrote to memory of 3772 1844 rxxlxrf.exe 100 PID 3772 wrote to memory of 4648 3772 nbbnhh.exe 101 PID 3772 wrote to memory of 4648 3772 nbbnhh.exe 101 PID 3772 wrote to memory of 4648 3772 nbbnhh.exe 101 PID 4648 wrote to memory of 1260 4648 djdvp.exe 102 PID 4648 wrote to memory of 1260 4648 djdvp.exe 102 PID 4648 wrote to memory of 1260 4648 djdvp.exe 102 PID 1260 wrote to memory of 3724 1260 fxfrrll.exe 103 PID 1260 wrote to memory of 3724 1260 fxfrrll.exe 103 PID 1260 wrote to memory of 3724 1260 fxfrrll.exe 103 PID 3724 wrote to memory of 4372 3724 thnhbt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9358281883e52422f109b35b1e3283e40752446d1254e606c25fa0851f902858.exe"C:\Users\Admin\AppData\Local\Temp\9358281883e52422f109b35b1e3283e40752446d1254e606c25fa0851f902858.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\1htntn.exec:\1htntn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\rfrrfxx.exec:\rfrrfxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\bttbth.exec:\bttbth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\pddpd.exec:\pddpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\dpjvp.exec:\dpjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\dvvjv.exec:\dvvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\llrfrlx.exec:\llrfrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\pdjdd.exec:\pdjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\frrfrfx.exec:\frrfrfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\xfffrlx.exec:\xfffrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\thhthn.exec:\thhthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\vppdd.exec:\vppdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\dpjvp.exec:\dpjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\7htnhn.exec:\7htnhn.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\dppdv.exec:\dppdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\rxxlxrf.exec:\rxxlxrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\nbbnhh.exec:\nbbnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\djdvp.exec:\djdvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\fxfrrll.exec:\fxfrrll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\thnhbt.exec:\thnhbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\hhnbth.exec:\hhnbth.exe23⤵
- Executes dropped EXE
PID:4372 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe24⤵
- Executes dropped EXE
PID:2592 -
\??\c:\frrlxrr.exec:\frrlxrr.exe25⤵
- Executes dropped EXE
PID:2860 -
\??\c:\dvpdd.exec:\dvpdd.exe26⤵
- Executes dropped EXE
PID:384 -
\??\c:\9rrfrlx.exec:\9rrfrlx.exe27⤵
- Executes dropped EXE
PID:2396 -
\??\c:\nbthbt.exec:\nbthbt.exe28⤵
- Executes dropped EXE
PID:3112 -
\??\c:\ntbhht.exec:\ntbhht.exe29⤵
- Executes dropped EXE
PID:2420 -
\??\c:\dvdpp.exec:\dvdpp.exe30⤵
- Executes dropped EXE
PID:932 -
\??\c:\htthbt.exec:\htthbt.exe31⤵
- Executes dropped EXE
PID:3372 -
\??\c:\pdjvp.exec:\pdjvp.exe32⤵
- Executes dropped EXE
PID:5048 -
\??\c:\djjvj.exec:\djjvj.exe33⤵
- Executes dropped EXE
PID:4908 -
\??\c:\rffrlrl.exec:\rffrlrl.exe34⤵
- Executes dropped EXE
PID:2684 -
\??\c:\bnhbhb.exec:\bnhbhb.exe35⤵
- Executes dropped EXE
PID:4964 -
\??\c:\vjvpj.exec:\vjvpj.exe36⤵
- Executes dropped EXE
PID:1604 -
\??\c:\3vpjj.exec:\3vpjj.exe37⤵
- Executes dropped EXE
PID:4188 -
\??\c:\lfxrrlf.exec:\lfxrrlf.exe38⤵
- Executes dropped EXE
PID:1864 -
\??\c:\hnbthb.exec:\hnbthb.exe39⤵
- Executes dropped EXE
PID:4432 -
\??\c:\ntthbb.exec:\ntthbb.exe40⤵
- Executes dropped EXE
PID:4636 -
\??\c:\jvjpv.exec:\jvjpv.exe41⤵
- Executes dropped EXE
PID:3152 -
\??\c:\xflfffx.exec:\xflfffx.exe42⤵
- Executes dropped EXE
PID:1248 -
\??\c:\nhhhtt.exec:\nhhhtt.exe43⤵
- Executes dropped EXE
PID:2544 -
\??\c:\bhthth.exec:\bhthth.exe44⤵
- Executes dropped EXE
PID:4128 -
\??\c:\vvpdd.exec:\vvpdd.exe45⤵
- Executes dropped EXE
PID:1116 -
\??\c:\7llrlfr.exec:\7llrlfr.exe46⤵
- Executes dropped EXE
PID:4888 -
\??\c:\bttnhh.exec:\bttnhh.exe47⤵
- Executes dropped EXE
PID:4416 -
\??\c:\nbthtn.exec:\nbthtn.exe48⤵
- Executes dropped EXE
PID:4716 -
\??\c:\ddddv.exec:\ddddv.exe49⤵
- Executes dropped EXE
PID:1244 -
\??\c:\rrxlfrx.exec:\rrxlfrx.exe50⤵
- Executes dropped EXE
PID:1072 -
\??\c:\xffxrlf.exec:\xffxrlf.exe51⤵
- Executes dropped EXE
PID:5032 -
\??\c:\bnnhbt.exec:\bnnhbt.exe52⤵
- Executes dropped EXE
PID:1204 -
\??\c:\vpddd.exec:\vpddd.exe53⤵
- Executes dropped EXE
PID:3080 -
\??\c:\xllfxrl.exec:\xllfxrl.exe54⤵
- Executes dropped EXE
PID:4508 -
\??\c:\tbthtb.exec:\tbthtb.exe55⤵
- Executes dropped EXE
PID:1972 -
\??\c:\nbbtnh.exec:\nbbtnh.exe56⤵
- Executes dropped EXE
PID:2828 -
\??\c:\jdvpj.exec:\jdvpj.exe57⤵
- Executes dropped EXE
PID:3272 -
\??\c:\lrfffrf.exec:\lrfffrf.exe58⤵
- Executes dropped EXE
PID:3120 -
\??\c:\9hnhhh.exec:\9hnhhh.exe59⤵
- Executes dropped EXE
PID:4276 -
\??\c:\jdvvp.exec:\jdvvp.exe60⤵
- Executes dropped EXE
PID:2768 -
\??\c:\xxfrrxr.exec:\xxfrrxr.exe61⤵
- Executes dropped EXE
PID:4192 -
\??\c:\xflffxx.exec:\xflffxx.exe62⤵
- Executes dropped EXE
PID:3688 -
\??\c:\bthbtt.exec:\bthbtt.exe63⤵
- Executes dropped EXE
PID:5020 -
\??\c:\dddvp.exec:\dddvp.exe64⤵
- Executes dropped EXE
PID:3976 -
\??\c:\7xffxfx.exec:\7xffxfx.exe65⤵
- Executes dropped EXE
PID:2176 -
\??\c:\frxxrll.exec:\frxxrll.exe66⤵PID:1732
-
\??\c:\tbbtbn.exec:\tbbtbn.exe67⤵PID:4976
-
\??\c:\hnthtn.exec:\hnthtn.exe68⤵PID:3052
-
\??\c:\pppdv.exec:\pppdv.exe69⤵PID:2704
-
\??\c:\lfrlffx.exec:\lfrlffx.exe70⤵PID:1852
-
\??\c:\hhbbtt.exec:\hhbbtt.exe71⤵PID:3920
-
\??\c:\bnnnnn.exec:\bnnnnn.exe72⤵PID:2840
-
\??\c:\ppddv.exec:\ppddv.exe73⤵PID:3388
-
\??\c:\ffrrxfl.exec:\ffrrxfl.exe74⤵PID:1572
-
\??\c:\ttbthh.exec:\ttbthh.exe75⤵PID:1760
-
\??\c:\1pjdd.exec:\1pjdd.exe76⤵PID:2384
-
\??\c:\pjjdd.exec:\pjjdd.exe77⤵
- System Location Discovery: System Language Discovery
PID:4944 -
\??\c:\xrxrllf.exec:\xrxrllf.exe78⤵PID:4988
-
\??\c:\ttbbnn.exec:\ttbbnn.exe79⤵PID:408
-
\??\c:\htthbt.exec:\htthbt.exe80⤵PID:3128
-
\??\c:\djjvj.exec:\djjvj.exe81⤵PID:3328
-
\??\c:\lflfxrr.exec:\lflfxrr.exe82⤵PID:3616
-
\??\c:\lxxrllf.exec:\lxxrllf.exe83⤵PID:904
-
\??\c:\ntntnb.exec:\ntntnb.exe84⤵PID:3592
-
\??\c:\jjddd.exec:\jjddd.exe85⤵PID:372
-
\??\c:\pdpjd.exec:\pdpjd.exe86⤵PID:908
-
\??\c:\rflfxrl.exec:\rflfxrl.exe87⤵PID:3668
-
\??\c:\5nbnhb.exec:\5nbnhb.exe88⤵PID:1620
-
\??\c:\tnbhht.exec:\tnbhht.exe89⤵PID:4440
-
\??\c:\9pvjj.exec:\9pvjj.exe90⤵PID:1676
-
\??\c:\xllfrfx.exec:\xllfrfx.exe91⤵PID:1148
-
\??\c:\rfrlfxr.exec:\rfrlfxr.exe92⤵PID:860
-
\??\c:\hbbtnh.exec:\hbbtnh.exe93⤵PID:1856
-
\??\c:\jvpjp.exec:\jvpjp.exe94⤵PID:2604
-
\??\c:\vpvpj.exec:\vpvpj.exe95⤵PID:4664
-
\??\c:\flxrlfx.exec:\flxrlfx.exe96⤵PID:1060
-
\??\c:\ntnbbn.exec:\ntnbbn.exe97⤵PID:4072
-
\??\c:\pjpjv.exec:\pjpjv.exe98⤵PID:4284
-
\??\c:\rfrxflr.exec:\rfrxflr.exe99⤵PID:4308
-
\??\c:\5lrlfxx.exec:\5lrlfxx.exe100⤵
- System Location Discovery: System Language Discovery
PID:4744 -
\??\c:\hntnhh.exec:\hntnhh.exe101⤵PID:3684
-
\??\c:\btttht.exec:\btttht.exe102⤵PID:1984
-
\??\c:\jjppp.exec:\jjppp.exe103⤵PID:1196
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe104⤵PID:1116
-
\??\c:\bththb.exec:\bththb.exe105⤵PID:3268
-
\??\c:\5hbnhb.exec:\5hbnhb.exe106⤵PID:2264
-
\??\c:\1jvvp.exec:\1jvvp.exe107⤵PID:1488
-
\??\c:\5xfxrrf.exec:\5xfxrrf.exe108⤵PID:3172
-
\??\c:\hhttbb.exec:\hhttbb.exe109⤵PID:4752
-
\??\c:\nbnhbt.exec:\nbnhbt.exe110⤵PID:4356
-
\??\c:\pvvpj.exec:\pvvpj.exe111⤵PID:4324
-
\??\c:\llrfrlx.exec:\llrfrlx.exe112⤵PID:3120
-
\??\c:\lllxrrl.exec:\lllxrrl.exe113⤵PID:2908
-
\??\c:\bnthbb.exec:\bnthbb.exe114⤵PID:3916
-
\??\c:\vpjpd.exec:\vpjpd.exe115⤵PID:3584
-
\??\c:\3flfrrl.exec:\3flfrrl.exe116⤵PID:4560
-
\??\c:\htbbbt.exec:\htbbbt.exe117⤵PID:2920
-
\??\c:\thbnhb.exec:\thbnhb.exe118⤵PID:952
-
\??\c:\vvjpd.exec:\vvjpd.exe119⤵PID:1568
-
\??\c:\pjvjp.exec:\pjvjp.exe120⤵PID:2864
-
\??\c:\lllfxrl.exec:\lllfxrl.exe121⤵PID:4180
-
\??\c:\tnnhbn.exec:\tnnhbn.exe122⤵PID:4528