Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 18:19
Behavioral task
behavioral1
Sample
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe
-
Size
61KB
-
MD5
a9b1f3ca5d3acddd7dde1424ac09bcfe
-
SHA1
8276bd88b686c54884ef5e9a5ae5dd132be0ef4b
-
SHA256
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38
-
SHA512
1f0c7e05152f929b79ae6475cba2b3de35df58d4d411ac84c27fc39ba5f442fd53326b207fb1d6174fbcbf7ec59547829d64c752b9de8b56f98717e103cec02a
-
SSDEEP
1536:kvQBeOGtrYS3srx93UBWfwC6Ggnouy8p5yAXNlIQldWAw:khOmTsF93UYfwC6GIoutpYcvldWAw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2256-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2076-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3764-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3300-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/776-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1096-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2680-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4392-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3372-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2660-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2188-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/708-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1380-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2992-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/676-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1568-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4908-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1508-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3728-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-478-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-542-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1572-615-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-677-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-723-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1880-841-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-848-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3776-918-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-940-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-1010-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1096-1062-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2296-1069-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1112 1fxflrf.exe 2076 9bntbn.exe 4484 nnnnbh.exe 2880 1pvpd.exe 2516 3rxrffx.exe 1036 lffxxrr.exe 2372 9hnhbb.exe 1608 bnnhbt.exe 4796 vvvvv.exe 220 fllfllf.exe 2776 5bhbtt.exe 4608 ppdvj.exe 4584 5flfflr.exe 2612 1bhntt.exe 1736 nbhbhh.exe 3764 dvdvj.exe 4620 9llffxx.exe 3300 tttthh.exe 2172 5tbthh.exe 776 9vddd.exe 2988 rfrlxrl.exe 1096 3tbtnh.exe 3048 7jvpj.exe 4216 3rxrlfx.exe 3456 xxrxrrr.exe 4632 7hbbnn.exe 2680 nhnntt.exe 1720 pvpjd.exe 4392 5rxrlll.exe 3372 thnhbt.exe 1944 7jjdv.exe 1948 pjjdp.exe 2268 5fffrlf.exe 2868 htnnhn.exe 3980 pvddd.exe 2660 3pddd.exe 2188 rfrlffr.exe 708 bbnhbb.exe 1380 nhtttb.exe 4172 vdppj.exe 1192 5vdvv.exe 4168 frxxxxx.exe 2992 tbtnnn.exe 1860 dvdpj.exe 984 pddvp.exe 736 9rxlrll.exe 3080 9hhbbb.exe 1740 bbtnhh.exe 676 pvjdj.exe 2940 jjpjd.exe 1612 lxlfxrx.exe 592 9xxrlrx.exe 2180 nhbbbb.exe 4876 tbnttb.exe 940 dpdvj.exe 1456 vdjdv.exe 1844 9rxrlll.exe 2500 9frlfxf.exe 1880 btnhhh.exe 2836 dvvvv.exe 1568 1vdjj.exe 2776 xrlfxxf.exe 4412 nnhhbh.exe 3272 jdjjd.exe -
resource yara_rule behavioral2/memory/2256-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b30-3.dat upx behavioral2/memory/2256-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1112-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8f-10.dat upx behavioral2/files/0x000a000000023b93-13.dat upx behavioral2/memory/2076-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-21.dat upx behavioral2/memory/4484-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2880-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-30.dat upx behavioral2/memory/2516-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-36.dat upx behavioral2/files/0x000a000000023b97-39.dat upx behavioral2/memory/1036-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-45.dat upx behavioral2/memory/2372-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-50.dat upx behavioral2/memory/1608-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-56.dat upx behavioral2/memory/4796-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-62.dat upx behavioral2/memory/220-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-68.dat upx behavioral2/memory/4608-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9f-80.dat upx behavioral2/files/0x000a000000023b9e-75.dat upx behavioral2/memory/2612-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba0-85.dat upx behavioral2/memory/1736-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba1-91.dat upx 
behavioral2/memory/1736-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba2-96.dat upx behavioral2/memory/3764-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba3-102.dat upx behavioral2/files/0x000a000000023ba4-107.dat upx behavioral2/memory/3300-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2172-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba5-115.dat upx behavioral2/files/0x000a000000023ba6-119.dat upx behavioral2/memory/776-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba7-125.dat upx behavioral2/files/0x000a000000023ba8-129.dat upx behavioral2/memory/1096-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba9-136.dat upx behavioral2/files/0x000a000000023baa-141.dat upx behavioral2/memory/4216-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bab-147.dat upx behavioral2/files/0x000a000000023bac-152.dat upx behavioral2/memory/4632-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bad-160.dat upx behavioral2/memory/2680-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b90-164.dat upx behavioral2/memory/1720-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bae-170.dat upx behavioral2/memory/4392-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3372-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023baf-176.dat upx behavioral2/files/0x000b000000023bb0-184.dat upx behavioral2/memory/1944-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1948-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3980-198-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2660-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2188-206-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bntbn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxxrfl.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2256 wrote to memory of 1112 2256 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 83 PID 2256 wrote to memory of 1112 2256 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 83 PID 2256 wrote to memory of 1112 2256 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 83 PID 1112 wrote to memory of 2076 1112 1fxflrf.exe 84 PID 1112 wrote to memory of 2076 1112 1fxflrf.exe 84 PID 1112 wrote to memory of 2076 1112 1fxflrf.exe 84 PID 2076 wrote to memory of 4484 2076 9bntbn.exe 85 PID 2076 wrote to memory of 4484 2076 9bntbn.exe 85 PID 2076 wrote to memory of 4484 2076 9bntbn.exe 85 PID 4484 wrote to memory of 2880 4484 nnnnbh.exe 86 PID 4484 wrote to memory of 2880 4484 nnnnbh.exe 86 PID 4484 wrote to memory of 2880 4484 nnnnbh.exe 86 PID 2880 wrote to memory of 2516 2880 1pvpd.exe 87 PID 2880 wrote to memory of 2516 2880 1pvpd.exe 87 PID 2880 wrote to memory of 2516 2880 1pvpd.exe 87 PID 2516 wrote to memory of 1036 2516 3rxrffx.exe 88 PID 2516 wrote to memory of 1036 2516 3rxrffx.exe 88 PID 2516 wrote to memory of 1036 2516 3rxrffx.exe 88 PID 1036 wrote to memory of 2372 1036 lffxxrr.exe 89 PID 1036 wrote to memory of 2372 1036 lffxxrr.exe 89 PID 1036 wrote to memory of 2372 1036 lffxxrr.exe 89 PID 2372 wrote to memory of 1608 2372 9hnhbb.exe 90 PID 2372 wrote to memory of 1608 2372 9hnhbb.exe 90 PID 2372 wrote to memory of 1608 2372 9hnhbb.exe 90 PID 1608 wrote to memory of 4796 1608 bnnhbt.exe 91 PID 1608 wrote to memory of 4796 1608 bnnhbt.exe 91 PID 1608 wrote to memory of 4796 1608 bnnhbt.exe 91 PID 4796 wrote to memory of 220 4796 vvvvv.exe 92 PID 4796 wrote to memory of 220 4796 vvvvv.exe 92 PID 4796 wrote to memory of 220 4796 vvvvv.exe 92 PID 220 wrote to memory of 2776 220 fllfllf.exe 93 PID 220 wrote to memory of 2776 220 fllfllf.exe 93 PID 220 wrote to memory of 2776 220 fllfllf.exe 93 PID 2776 wrote to memory of 4608 2776 5bhbtt.exe 94 PID 2776 wrote to 
memory of 4608 2776 5bhbtt.exe 94 PID 2776 wrote to memory of 4608 2776 5bhbtt.exe 94 PID 4608 wrote to memory of 4584 4608 ppdvj.exe 95 PID 4608 wrote to memory of 4584 4608 ppdvj.exe 95 PID 4608 wrote to memory of 4584 4608 ppdvj.exe 95 PID 4584 wrote to memory of 2612 4584 5flfflr.exe 96 PID 4584 wrote to memory of 2612 4584 5flfflr.exe 96 PID 4584 wrote to memory of 2612 4584 5flfflr.exe 96 PID 2612 wrote to memory of 1736 2612 1bhntt.exe 97 PID 2612 wrote to memory of 1736 2612 1bhntt.exe 97 PID 2612 wrote to memory of 1736 2612 1bhntt.exe 97 PID 1736 wrote to memory of 3764 1736 nbhbhh.exe 98 PID 1736 wrote to memory of 3764 1736 nbhbhh.exe 98 PID 1736 wrote to memory of 3764 1736 nbhbhh.exe 98 PID 3764 wrote to memory of 4620 3764 dvdvj.exe 99 PID 3764 wrote to memory of 4620 3764 dvdvj.exe 99 PID 3764 wrote to memory of 4620 3764 dvdvj.exe 99 PID 4620 wrote to memory of 3300 4620 9llffxx.exe 100 PID 4620 wrote to memory of 3300 4620 9llffxx.exe 100 PID 4620 wrote to memory of 3300 4620 9llffxx.exe 100 PID 3300 wrote to memory of 2172 3300 tttthh.exe 101 PID 3300 wrote to memory of 2172 3300 tttthh.exe 101 PID 3300 wrote to memory of 2172 3300 tttthh.exe 101 PID 2172 wrote to memory of 776 2172 5tbthh.exe 102 PID 2172 wrote to memory of 776 2172 5tbthh.exe 102 PID 2172 wrote to memory of 776 2172 5tbthh.exe 102 PID 776 wrote to memory of 2988 776 9vddd.exe 103 PID 776 wrote to memory of 2988 776 9vddd.exe 103 PID 776 wrote to memory of 2988 776 9vddd.exe 103 PID 2988 wrote to memory of 1096 2988 rfrlxrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe"C:\Users\Admin\AppData\Local\Temp\375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\1fxflrf.exec:\1fxflrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\9bntbn.exec:\9bntbn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\nnnnbh.exec:\nnnnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\1pvpd.exec:\1pvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\3rxrffx.exec:\3rxrffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\lffxxrr.exec:\lffxxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\9hnhbb.exec:\9hnhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\bnnhbt.exec:\bnnhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\vvvvv.exec:\vvvvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\fllfllf.exec:\fllfllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\5bhbtt.exec:\5bhbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\ppdvj.exec:\ppdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\5flfflr.exec:\5flfflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\1bhntt.exec:\1bhntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\nbhbhh.exec:\nbhbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\dvdvj.exec:\dvdvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\9llffxx.exec:\9llffxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\tttthh.exec:\tttthh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\5tbthh.exec:\5tbthh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\9vddd.exec:\9vddd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\rfrlxrl.exec:\rfrlxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\3tbtnh.exec:\3tbtnh.exe23⤵
- Executes dropped EXE
PID:1096 -
\??\c:\7jvpj.exec:\7jvpj.exe24⤵
- Executes dropped EXE
PID:3048 -
\??\c:\3rxrlfx.exec:\3rxrlfx.exe25⤵
- Executes dropped EXE
PID:4216 -
\??\c:\xxrxrrr.exec:\xxrxrrr.exe26⤵
- Executes dropped EXE
PID:3456 -
\??\c:\7hbbnn.exec:\7hbbnn.exe27⤵
- Executes dropped EXE
PID:4632 -
\??\c:\nhnntt.exec:\nhnntt.exe28⤵
- Executes dropped EXE
PID:2680 -
\??\c:\pvpjd.exec:\pvpjd.exe29⤵
- Executes dropped EXE
PID:1720 -
\??\c:\5rxrlll.exec:\5rxrlll.exe30⤵
- Executes dropped EXE
PID:4392 -
\??\c:\thnhbt.exec:\thnhbt.exe31⤵
- Executes dropped EXE
PID:3372 -
\??\c:\7jjdv.exec:\7jjdv.exe32⤵
- Executes dropped EXE
PID:1944 -
\??\c:\pjjdp.exec:\pjjdp.exe33⤵
- Executes dropped EXE
PID:1948 -
\??\c:\5fffrlf.exec:\5fffrlf.exe34⤵
- Executes dropped EXE
PID:2268 -
\??\c:\htnnhn.exec:\htnnhn.exe35⤵
- Executes dropped EXE
PID:2868 -
\??\c:\pvddd.exec:\pvddd.exe36⤵
- Executes dropped EXE
PID:3980 -
\??\c:\3pddd.exec:\3pddd.exe37⤵
- Executes dropped EXE
PID:2660 -
\??\c:\rfrlffr.exec:\rfrlffr.exe38⤵
- Executes dropped EXE
PID:2188 -
\??\c:\bbnhbb.exec:\bbnhbb.exe39⤵
- Executes dropped EXE
PID:708 -
\??\c:\nhtttb.exec:\nhtttb.exe40⤵
- Executes dropped EXE
PID:1380 -
\??\c:\vdppj.exec:\vdppj.exe41⤵
- Executes dropped EXE
PID:4172 -
\??\c:\5vdvv.exec:\5vdvv.exe42⤵
- Executes dropped EXE
PID:1192 -
\??\c:\frxxxxx.exec:\frxxxxx.exe43⤵
- Executes dropped EXE
PID:4168 -
\??\c:\tbtnnn.exec:\tbtnnn.exe44⤵
- Executes dropped EXE
PID:2992 -
\??\c:\9thbbn.exec:\9thbbn.exe45⤵PID:4440
-
\??\c:\dvdpj.exec:\dvdpj.exe46⤵
- Executes dropped EXE
PID:1860 -
\??\c:\pddvp.exec:\pddvp.exe47⤵
- Executes dropped EXE
PID:984 -
\??\c:\9rxlrll.exec:\9rxlrll.exe48⤵
- Executes dropped EXE
PID:736 -
\??\c:\9hhbbb.exec:\9hhbbb.exe49⤵
- Executes dropped EXE
PID:3080 -
\??\c:\bbtnhh.exec:\bbtnhh.exe50⤵
- Executes dropped EXE
PID:1740 -
\??\c:\pvjdj.exec:\pvjdj.exe51⤵
- Executes dropped EXE
PID:676 -
\??\c:\jjpjd.exec:\jjpjd.exe52⤵
- Executes dropped EXE
PID:2940 -
\??\c:\lxlfxrx.exec:\lxlfxrx.exe53⤵
- Executes dropped EXE
PID:1612 -
\??\c:\9xxrlrx.exec:\9xxrlrx.exe54⤵
- Executes dropped EXE
PID:592 -
\??\c:\nhbbbb.exec:\nhbbbb.exe55⤵
- Executes dropped EXE
PID:2180 -
\??\c:\tbnttb.exec:\tbnttb.exe56⤵
- Executes dropped EXE
PID:4876 -
\??\c:\dpdvj.exec:\dpdvj.exe57⤵
- Executes dropped EXE
PID:940 -
\??\c:\vdjdv.exec:\vdjdv.exe58⤵
- Executes dropped EXE
PID:1456 -
\??\c:\9rxrlll.exec:\9rxrlll.exe59⤵
- Executes dropped EXE
PID:1844 -
\??\c:\9frlfxf.exec:\9frlfxf.exe60⤵
- Executes dropped EXE
PID:2500 -
\??\c:\btnhhh.exec:\btnhhh.exe61⤵
- Executes dropped EXE
PID:1880 -
\??\c:\dvvvv.exec:\dvvvv.exe62⤵
- Executes dropped EXE
PID:2836 -
\??\c:\1vdjj.exec:\1vdjj.exe63⤵
- Executes dropped EXE
PID:1568 -
\??\c:\xrlfxxf.exec:\xrlfxxf.exe64⤵
- Executes dropped EXE
PID:2776 -
\??\c:\nnhhbh.exec:\nnhhbh.exe65⤵
- Executes dropped EXE
PID:4412 -
\??\c:\jdjjd.exec:\jdjjd.exe66⤵
- Executes dropped EXE
PID:3272 -
\??\c:\7lrrllf.exec:\7lrrllf.exe67⤵PID:4908
-
\??\c:\bbtbtt.exec:\bbtbtt.exe68⤵PID:2352
-
\??\c:\tttttt.exec:\tttttt.exe69⤵PID:5084
-
\??\c:\jvjjj.exec:\jvjjj.exe70⤵PID:3504
-
\??\c:\3dpjp.exec:\3dpjp.exe71⤵PID:2904
-
\??\c:\xflxxfl.exec:\xflxxfl.exe72⤵PID:3240
-
\??\c:\5rrrlll.exec:\5rrrlll.exe73⤵PID:3300
-
\??\c:\btbnnn.exec:\btbnnn.exe74⤵PID:4428
-
\??\c:\vddvp.exec:\vddvp.exe75⤵PID:3348
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe76⤵PID:1496
-
\??\c:\lfflrrf.exec:\lfflrrf.exe77⤵PID:3268
-
\??\c:\ttntnb.exec:\ttntnb.exe78⤵PID:4820
-
\??\c:\vjdjd.exec:\vjdjd.exe79⤵PID:2356
-
\??\c:\jjddj.exec:\jjddj.exe80⤵PID:1508
-
\??\c:\dvvpj.exec:\dvvpj.exe81⤵PID:3728
-
\??\c:\jjpjd.exec:\jjpjd.exe82⤵PID:4588
-
\??\c:\3xffllf.exec:\3xffllf.exe83⤵PID:2436
-
\??\c:\bhhhnb.exec:\bhhhnb.exe84⤵PID:5112
-
\??\c:\3jjjd.exec:\3jjjd.exe85⤵PID:4928
-
\??\c:\ppvvp.exec:\ppvvp.exe86⤵PID:2972
-
\??\c:\rlxfxxx.exec:\rlxfxxx.exe87⤵PID:2428
-
\??\c:\lflxxfx.exec:\lflxxfx.exe88⤵PID:3488
-
\??\c:\tntbbh.exec:\tntbbh.exe89⤵PID:3720
-
\??\c:\xrxrrxx.exec:\xrxrrxx.exe90⤵PID:3852
-
\??\c:\nhnhbb.exec:\nhnhbb.exe91⤵PID:4808
-
\??\c:\1vvvp.exec:\1vvvp.exe92⤵PID:5064
-
\??\c:\xfxxxxx.exec:\xfxxxxx.exe93⤵PID:4340
-
\??\c:\7xllrlr.exec:\7xllrlr.exe94⤵PID:4740
-
\??\c:\btbnnn.exec:\btbnnn.exe95⤵PID:2224
-
\??\c:\1jvvp.exec:\1jvvp.exe96⤵PID:2864
-
\??\c:\dpjdd.exec:\dpjdd.exe97⤵PID:832
-
\??\c:\rrfllff.exec:\rrfllff.exe98⤵PID:396
-
\??\c:\rxrlffx.exec:\rxrlffx.exe99⤵PID:4024
-
\??\c:\1tbhbh.exec:\1tbhbh.exe100⤵PID:4156
-
\??\c:\pjpjd.exec:\pjpjd.exe101⤵PID:1816
-
\??\c:\vvpjj.exec:\vvpjj.exe102⤵PID:1120
-
\??\c:\vpppv.exec:\vpppv.exe103⤵PID:3532
-
\??\c:\rlffffl.exec:\rlffffl.exe104⤵PID:3748
-
\??\c:\7rrrrrr.exec:\7rrrrrr.exe105⤵PID:2292
-
\??\c:\bhbbbb.exec:\bhbbbb.exe106⤵PID:2008
-
\??\c:\bnhhtt.exec:\bnhhtt.exe107⤵PID:5032
-
\??\c:\pdvvv.exec:\pdvvv.exe108⤵PID:2256
-
\??\c:\1vvvj.exec:\1vvvj.exe109⤵PID:4716
-
\??\c:\rrfxrxr.exec:\rrfxrxr.exe110⤵PID:376
-
\??\c:\rxrrfxf.exec:\rxrrfxf.exe111⤵PID:4324
-
\??\c:\nnbbbh.exec:\nnbbbh.exe112⤵PID:4420
-
\??\c:\thttnn.exec:\thttnn.exe113⤵PID:4484
-
\??\c:\7ddvp.exec:\7ddvp.exe114⤵PID:5008
-
\??\c:\pjdpv.exec:\pjdpv.exe115⤵PID:1612
-
\??\c:\frllrxx.exec:\frllrxx.exe116⤵PID:2088
-
\??\c:\hbbbbb.exec:\hbbbbb.exe117⤵PID:388
-
\??\c:\hbbbtt.exec:\hbbbtt.exe118⤵PID:1244
-
\??\c:\vvvvv.exec:\vvvvv.exe119⤵PID:1544
-
\??\c:\lfrlrfx.exec:\lfrlrfx.exe120⤵PID:1456
-
\??\c:\tthhnn.exec:\tthhnn.exe121⤵PID:1908
-
\??\c:\nntnnt.exec:\nntnnt.exe122⤵PID:4724
-