Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 12:19
Behavioral task
behavioral1
Sample
a4f6f24c9ec428bfe87cc2c19841b88160f90c594716f20f777c186cf78ec457.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
a4f6f24c9ec428bfe87cc2c19841b88160f90c594716f20f777c186cf78ec457.exe
-
Size
345KB
-
MD5
fc16db9a58f047b6c24e4b5e57db0459
-
SHA1
825077e69798539159620b05a13f51b866605c84
-
SHA256
a4f6f24c9ec428bfe87cc2c19841b88160f90c594716f20f777c186cf78ec457
-
SHA512
fb121c7f3257d6784cf9130d58fa7480551f20596d9469207e14c46bec99fff9ae9d0dd953aa6384469bfc3491b94d2b5baf1be9b5a75cf41f43ce4206628608
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAZ:R4wFHoS3WXZshJX2VGdZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3648-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3492-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3272-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1008-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2364-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1704-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/644-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1444-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/976-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2228-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/628-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2092-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1156-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4224-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1708-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2064-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3272-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4040-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2760-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2224-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1396-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3084-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1564-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1920-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2088-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3232-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-997-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3772-1042-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1924-1309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3648 7ntnht.exe 3668 jpvjd.exe 4860 pvddv.exe 5020 lllfxrl.exe 3492 jdjdj.exe 4788 9fxxrrl.exe 4576 rlffrrf.exe 2616 7jppj.exe 3272 rlrrllf.exe 2008 nhhnhh.exe 1224 dddvj.exe 1008 7flfxxr.exe 1596 1nhhhb.exe 232 5bbhbh.exe 1584 9rxfxxr.exe 2364 1llfxrl.exe 1488 3bbbtb.exe 5096 jvdpj.exe 3108 rfllxfx.exe 3312 rrrrxxx.exe 3136 9tnbnn.exe 1704 djpjv.exe 4236 rfxfflr.exe 1748 7hhntb.exe 3652 jvdpv.exe 644 lxrlxrl.exe 4416 hhbttn.exe 4048 7hnbtn.exe 1444 vddvp.exe 3748 fxrffxr.exe 3596 hbthbt.exe 2092 7bnhbb.exe 2012 1pvpd.exe 976 ddjdv.exe 1352 7llxlxr.exe 2228 nnhbnn.exe 2284 thnhht.exe 3592 jvdvd.exe 628 djpjv.exe 4564 ffrffxr.exe 1120 3rrlfll.exe 4488 3tthbt.exe 4588 9bbnbn.exe 1156 dddpj.exe 1576 xrrrrrr.exe 4760 bttnbt.exe 4224 dddpd.exe 3976 htbbnn.exe 1648 tbttnb.exe 2600 5pvpv.exe 4684 fxlfrrf.exe 4896 dpddv.exe 4676 5xrllfx.exe 1708 jdppp.exe 4708 frlxrlx.exe 2356 htnhbt.exe 3460 9ddvj.exe 3800 hhnbnb.exe 4680 9rrrlll.exe 2152 7pjdv.exe 3032 ffxrfxl.exe 4296 nbbhbb.exe 4268 5pjvj.exe 1832 vjdvd.exe -
resource yara_rule behavioral2/memory/4932-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b77-3.dat upx behavioral2/memory/3648-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b7f-9.dat upx behavioral2/memory/3668-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b80-12.dat upx behavioral2/memory/4860-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b81-20.dat upx behavioral2/memory/4932-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-23.dat upx behavioral2/memory/3492-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-30.dat upx behavioral2/memory/4788-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5020-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3492-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-36.dat upx behavioral2/files/0x000a000000023b85-39.dat upx behavioral2/memory/4576-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2616-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-45.dat upx behavioral2/files/0x000a000000023b87-49.dat upx behavioral2/memory/3272-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-54.dat upx behavioral2/memory/2008-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-60.dat upx behavioral2/files/0x000a000000023b8a-63.dat upx behavioral2/memory/1008-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-69.dat upx behavioral2/files/0x000a000000023b8c-74.dat upx behavioral2/files/0x000a000000023b8d-77.dat upx behavioral2/memory/2364-79-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/232-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2364-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-83.dat upx behavioral2/files/0x000a000000023b8f-88.dat upx behavioral2/files/0x000a000000023b90-91.dat upx behavioral2/files/0x000a000000023b91-95.dat upx behavioral2/files/0x000a000000023b92-100.dat upx behavioral2/memory/3108-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-104.dat upx behavioral2/files/0x000a000000023b96-115.dat upx behavioral2/memory/1596-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1704-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-119.dat upx behavioral2/files/0x000a000000023b98-127.dat upx behavioral2/memory/644-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-131.dat upx behavioral2/memory/1444-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4048-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-138.dat upx behavioral2/files/0x000a000000023b9b-143.dat upx behavioral2/files/0x000a000000023b9d-151.dat upx behavioral2/memory/2012-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/976-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2228-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/628-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3592-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4564-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2284-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1352-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3596-155-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/2092-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3596-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9c-147.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlrrx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4932 wrote to memory of 3648 4932 a4f6f24c9ec428bfe87cc2c19841b88160f90c594716f20f777c186cf78ec457.exe 82 PID 4932 wrote to memory of 3648 4932 a4f6f24c9ec428bfe87cc2c19841b88160f90c594716f20f777c186cf78ec457.exe 82 PID 4932 wrote to memory of 3648 4932 a4f6f24c9ec428bfe87cc2c19841b88160f90c594716f20f777c186cf78ec457.exe 82 PID 3648 wrote to memory of 3668 3648 7ntnht.exe 83 PID 3648 wrote to memory of 3668 3648 7ntnht.exe 83 PID 3648 wrote to memory of 3668 3648 7ntnht.exe 83 PID 3668 wrote to memory of 4860 3668 jpvjd.exe 84 PID 3668 wrote to memory of 4860 3668 jpvjd.exe 84 PID 3668 wrote to memory of 4860 3668 jpvjd.exe 84 PID 4860 wrote to memory of 5020 4860 pvddv.exe 85 PID 4860 wrote to memory of 5020 4860 pvddv.exe 85 PID 4860 wrote to memory of 5020 4860 pvddv.exe 85 PID 5020 wrote to memory of 3492 5020 lllfxrl.exe 86 PID 5020 wrote to memory of 3492 5020 lllfxrl.exe 86 PID 5020 wrote to memory of 3492 5020 lllfxrl.exe 86 PID 3492 wrote to memory of 4788 3492 jdjdj.exe 87 PID 3492 wrote to memory of 4788 3492 jdjdj.exe 87 PID 3492 wrote to memory of 4788 3492 jdjdj.exe 87 PID 4788 wrote to memory of 4576 4788 9fxxrrl.exe 88 PID 4788 wrote to memory of 4576 4788 9fxxrrl.exe 88 PID 4788 wrote to memory of 4576 4788 9fxxrrl.exe 88 PID 4576 wrote to memory of 2616 4576 rlffrrf.exe 89 PID 4576 wrote to memory of 2616 4576 rlffrrf.exe 89 PID 4576 wrote to memory of 2616 4576 rlffrrf.exe 89 PID 2616 wrote to memory of 3272 2616 7jppj.exe 90 PID 2616 wrote to memory of 3272 2616 7jppj.exe 90 PID 2616 wrote to memory of 3272 2616 7jppj.exe 90 PID 3272 wrote to memory of 2008 3272 rlrrllf.exe 91 PID 3272 wrote to memory of 2008 3272 rlrrllf.exe 91 PID 3272 wrote to memory of 2008 3272 rlrrllf.exe 91 PID 2008 wrote to memory of 1224 2008 nhhnhh.exe 92 PID 2008 wrote to memory of 1224 2008 nhhnhh.exe 92 PID 2008 wrote to memory of 1224 2008 nhhnhh.exe 92 PID 1224 wrote to memory of 1008 1224 dddvj.exe 93 PID 1224 wrote to 
memory of 1008 1224 dddvj.exe 93 PID 1224 wrote to memory of 1008 1224 dddvj.exe 93 PID 1008 wrote to memory of 1596 1008 7flfxxr.exe 94 PID 1008 wrote to memory of 1596 1008 7flfxxr.exe 94 PID 1008 wrote to memory of 1596 1008 7flfxxr.exe 94 PID 1596 wrote to memory of 232 1596 1nhhhb.exe 95 PID 1596 wrote to memory of 232 1596 1nhhhb.exe 95 PID 1596 wrote to memory of 232 1596 1nhhhb.exe 95 PID 232 wrote to memory of 1584 232 5bbhbh.exe 96 PID 232 wrote to memory of 1584 232 5bbhbh.exe 96 PID 232 wrote to memory of 1584 232 5bbhbh.exe 96 PID 1584 wrote to memory of 2364 1584 9rxfxxr.exe 97 PID 1584 wrote to memory of 2364 1584 9rxfxxr.exe 97 PID 1584 wrote to memory of 2364 1584 9rxfxxr.exe 97 PID 2364 wrote to memory of 1488 2364 1llfxrl.exe 98 PID 2364 wrote to memory of 1488 2364 1llfxrl.exe 98 PID 2364 wrote to memory of 1488 2364 1llfxrl.exe 98 PID 1488 wrote to memory of 5096 1488 3bbbtb.exe 99 PID 1488 wrote to memory of 5096 1488 3bbbtb.exe 99 PID 1488 wrote to memory of 5096 1488 3bbbtb.exe 99 PID 5096 wrote to memory of 3108 5096 jvdpj.exe 100 PID 5096 wrote to memory of 3108 5096 jvdpj.exe 100 PID 5096 wrote to memory of 3108 5096 jvdpj.exe 100 PID 3108 wrote to memory of 3312 3108 rfllxfx.exe 101 PID 3108 wrote to memory of 3312 3108 rfllxfx.exe 101 PID 3108 wrote to memory of 3312 3108 rfllxfx.exe 101 PID 3312 wrote to memory of 3136 3312 rrrrxxx.exe 102 PID 3312 wrote to memory of 3136 3312 rrrrxxx.exe 102 PID 3312 wrote to memory of 3136 3312 rrrrxxx.exe 102 PID 3136 wrote to memory of 1704 3136 9tnbnn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4f6f24c9ec428bfe87cc2c19841b88160f90c594716f20f777c186cf78ec457.exe"C:\Users\Admin\AppData\Local\Temp\a4f6f24c9ec428bfe87cc2c19841b88160f90c594716f20f777c186cf78ec457.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\7ntnht.exec:\7ntnht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\jpvjd.exec:\jpvjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\pvddv.exec:\pvddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\lllfxrl.exec:\lllfxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\jdjdj.exec:\jdjdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\9fxxrrl.exec:\9fxxrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\rlffrrf.exec:\rlffrrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\7jppj.exec:\7jppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\rlrrllf.exec:\rlrrllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\nhhnhh.exec:\nhhnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\dddvj.exec:\dddvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\7flfxxr.exec:\7flfxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\1nhhhb.exec:\1nhhhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\5bbhbh.exec:\5bbhbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\9rxfxxr.exec:\9rxfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\1llfxrl.exec:\1llfxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\3bbbtb.exec:\3bbbtb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\jvdpj.exec:\jvdpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\rfllxfx.exec:\rfllxfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\rrrrxxx.exec:\rrrrxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\9tnbnn.exec:\9tnbnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\djpjv.exec:\djpjv.exe23⤵
- Executes dropped EXE
PID:1704 -
\??\c:\rfxfflr.exec:\rfxfflr.exe24⤵
- Executes dropped EXE
PID:4236 -
\??\c:\7hhntb.exec:\7hhntb.exe25⤵
- Executes dropped EXE
PID:1748 -
\??\c:\jvdpv.exec:\jvdpv.exe26⤵
- Executes dropped EXE
PID:3652 -
\??\c:\lxrlxrl.exec:\lxrlxrl.exe27⤵
- Executes dropped EXE
PID:644 -
\??\c:\hhbttn.exec:\hhbttn.exe28⤵
- Executes dropped EXE
PID:4416 -
\??\c:\7hnbtn.exec:\7hnbtn.exe29⤵
- Executes dropped EXE
PID:4048 -
\??\c:\vddvp.exec:\vddvp.exe30⤵
- Executes dropped EXE
PID:1444 -
\??\c:\fxrffxr.exec:\fxrffxr.exe31⤵
- Executes dropped EXE
PID:3748 -
\??\c:\hbthbt.exec:\hbthbt.exe32⤵
- Executes dropped EXE
PID:3596 -
\??\c:\7bnhbb.exec:\7bnhbb.exe33⤵
- Executes dropped EXE
PID:2092 -
\??\c:\1pvpd.exec:\1pvpd.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2012 -
\??\c:\ddjdv.exec:\ddjdv.exe35⤵
- Executes dropped EXE
PID:976 -
\??\c:\7llxlxr.exec:\7llxlxr.exe36⤵
- Executes dropped EXE
PID:1352 -
\??\c:\nnhbnn.exec:\nnhbnn.exe37⤵
- Executes dropped EXE
PID:2228 -
\??\c:\thnhht.exec:\thnhht.exe38⤵
- Executes dropped EXE
PID:2284 -
\??\c:\jvdvd.exec:\jvdvd.exe39⤵
- Executes dropped EXE
PID:3592 -
\??\c:\djpjv.exec:\djpjv.exe40⤵
- Executes dropped EXE
PID:628 -
\??\c:\ffrffxr.exec:\ffrffxr.exe41⤵
- Executes dropped EXE
PID:4564 -
\??\c:\3rrlfll.exec:\3rrlfll.exe42⤵
- Executes dropped EXE
PID:1120 -
\??\c:\3tthbt.exec:\3tthbt.exe43⤵
- Executes dropped EXE
PID:4488 -
\??\c:\9bbnbn.exec:\9bbnbn.exe44⤵
- Executes dropped EXE
PID:4588 -
\??\c:\dddpj.exec:\dddpj.exe45⤵
- Executes dropped EXE
PID:1156 -
\??\c:\xrrrrrr.exec:\xrrrrrr.exe46⤵
- Executes dropped EXE
PID:1576 -
\??\c:\bttnbt.exec:\bttnbt.exe47⤵
- Executes dropped EXE
PID:4760 -
\??\c:\dddpd.exec:\dddpd.exe48⤵
- Executes dropped EXE
PID:4224 -
\??\c:\htbbnn.exec:\htbbnn.exe49⤵
- Executes dropped EXE
PID:3976 -
\??\c:\tbttnb.exec:\tbttnb.exe50⤵
- Executes dropped EXE
PID:1648 -
\??\c:\5pvpv.exec:\5pvpv.exe51⤵
- Executes dropped EXE
PID:2600 -
\??\c:\fxlfrrf.exec:\fxlfrrf.exe52⤵
- Executes dropped EXE
PID:4684 -
\??\c:\dpddv.exec:\dpddv.exe53⤵
- Executes dropped EXE
PID:4896 -
\??\c:\5xrllfx.exec:\5xrllfx.exe54⤵
- Executes dropped EXE
PID:4676 -
\??\c:\jdppp.exec:\jdppp.exe55⤵
- Executes dropped EXE
PID:1708 -
\??\c:\frlxrlx.exec:\frlxrlx.exe56⤵
- Executes dropped EXE
PID:4708 -
\??\c:\htnhbt.exec:\htnhbt.exe57⤵
- Executes dropped EXE
PID:2356 -
\??\c:\9ddvj.exec:\9ddvj.exe58⤵
- Executes dropped EXE
PID:3460 -
\??\c:\hhnbnb.exec:\hhnbnb.exe59⤵
- Executes dropped EXE
PID:3800 -
\??\c:\9rrrlll.exec:\9rrrlll.exe60⤵
- Executes dropped EXE
PID:4680 -
\??\c:\7pjdv.exec:\7pjdv.exe61⤵
- Executes dropped EXE
PID:2152 -
\??\c:\ffxrfxl.exec:\ffxrfxl.exe62⤵
- Executes dropped EXE
PID:3032 -
\??\c:\nbbhbb.exec:\nbbhbb.exe63⤵
- Executes dropped EXE
PID:4296 -
\??\c:\5pjvj.exec:\5pjvj.exe64⤵
- Executes dropped EXE
PID:4268 -
\??\c:\vjdvd.exec:\vjdvd.exe65⤵
- Executes dropped EXE
PID:1832 -
\??\c:\rlrlxrl.exec:\rlrlxrl.exe66⤵PID:2064
-
\??\c:\llxxlfx.exec:\llxxlfx.exe67⤵PID:4328
-
\??\c:\nbntnt.exec:\nbntnt.exe68⤵PID:4860
-
\??\c:\tbbtht.exec:\tbbtht.exe69⤵PID:2732
-
\??\c:\jdjdp.exec:\jdjdp.exe70⤵PID:4952
-
\??\c:\3xfxxrr.exec:\3xfxxrr.exe71⤵PID:912
-
\??\c:\btthbt.exec:\btthbt.exe72⤵PID:4596
-
\??\c:\ttntht.exec:\ttntht.exe73⤵PID:3164
-
\??\c:\dvvdd.exec:\dvvdd.exe74⤵
- System Location Discovery: System Language Discovery
PID:4300 -
\??\c:\xfrfxrf.exec:\xfrfxrf.exe75⤵PID:4576
-
\??\c:\nhnhhb.exec:\nhnhhb.exe76⤵PID:3672
-
\??\c:\dvdvj.exec:\dvdvj.exe77⤵PID:3892
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe78⤵PID:3272
-
\??\c:\xfxlxff.exec:\xfxlxff.exe79⤵PID:4352
-
\??\c:\nbhtbt.exec:\nbhtbt.exe80⤵PID:4040
-
\??\c:\jppvd.exec:\jppvd.exe81⤵PID:3524
-
\??\c:\rlxlxrf.exec:\rlxlxrf.exe82⤵PID:1968
-
\??\c:\fxllxxr.exec:\fxllxxr.exe83⤵PID:5116
-
\??\c:\1btnhn.exec:\1btnhn.exe84⤵PID:2560
-
\??\c:\nnbnhb.exec:\nnbnhb.exe85⤵PID:2184
-
\??\c:\jvpjv.exec:\jvpjv.exe86⤵PID:112
-
\??\c:\flrrxrx.exec:\flrrxrx.exe87⤵PID:1364
-
\??\c:\xfxrfxr.exec:\xfxrfxr.exe88⤵PID:2364
-
\??\c:\nbnhnn.exec:\nbnhnn.exe89⤵PID:4956
-
\??\c:\pjdvj.exec:\pjdvj.exe90⤵PID:1904
-
\??\c:\pjdvj.exec:\pjdvj.exe91⤵PID:5104
-
\??\c:\fxfrxxx.exec:\fxfrxxx.exe92⤵PID:2016
-
\??\c:\7bbthh.exec:\7bbthh.exe93⤵PID:2760
-
\??\c:\hbtnhb.exec:\hbtnhb.exe94⤵PID:1688
-
\??\c:\dvvvv.exec:\dvvvv.exe95⤵PID:1908
-
\??\c:\5ddpv.exec:\5ddpv.exe96⤵PID:936
-
\??\c:\lfxrxxr.exec:\lfxrxxr.exe97⤵PID:3504
-
\??\c:\1htthb.exec:\1htthb.exe98⤵PID:5068
-
\??\c:\5pjdv.exec:\5pjdv.exe99⤵PID:2224
-
\??\c:\dvdvd.exec:\dvdvd.exe100⤵PID:4316
-
\??\c:\lffxlfx.exec:\lffxlfx.exe101⤵PID:1676
-
\??\c:\nnhnnn.exec:\nnhnnn.exe102⤵PID:2192
-
\??\c:\jvdvd.exec:\jvdvd.exe103⤵PID:224
-
\??\c:\dpdpp.exec:\dpdpp.exe104⤵PID:1220
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe105⤵PID:4252
-
\??\c:\7nbbtt.exec:\7nbbtt.exe106⤵PID:4448
-
\??\c:\pppjp.exec:\pppjp.exe107⤵PID:1396
-
\??\c:\vjpjd.exec:\vjpjd.exe108⤵PID:2116
-
\??\c:\rrfffxx.exec:\rrfffxx.exe109⤵PID:3660
-
\??\c:\7thbtn.exec:\7thbtn.exe110⤵PID:4284
-
\??\c:\vjjdv.exec:\vjjdv.exe111⤵PID:1448
-
\??\c:\jvppj.exec:\jvppj.exe112⤵PID:2860
-
\??\c:\fxlflfl.exec:\fxlflfl.exe113⤵PID:1996
-
\??\c:\nhntnn.exec:\nhntnn.exe114⤵PID:4400
-
\??\c:\tbhbnh.exec:\tbhbnh.exe115⤵PID:3160
-
\??\c:\7jjpj.exec:\7jjpj.exe116⤵PID:1348
-
\??\c:\7djjj.exec:\7djjj.exe117⤵PID:3084
-
\??\c:\5xrlfff.exec:\5xrlfff.exe118⤵PID:4176
-
\??\c:\3bbbtt.exec:\3bbbtt.exe119⤵PID:1564
-
\??\c:\jvdvp.exec:\jvdvp.exe120⤵PID:1296
-
\??\c:\lflfrll.exec:\lflfrll.exe121⤵PID:1952
-
\??\c:\frrlllf.exec:\frrlllf.exe122⤵PID:1480