Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 02:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be1df3c186bacfe876d9e8a1d67b45c4df22bdd32851edeb5446aa44b7f31aa2.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
be1df3c186bacfe876d9e8a1d67b45c4df22bdd32851edeb5446aa44b7f31aa2.exe
-
Size
453KB
-
MD5
9ab5ef1b37376011a74eadf8b3b227ed
-
SHA1
faafa40ee9ef4788a21fdef88eaa5a8788724ef1
-
SHA256
be1df3c186bacfe876d9e8a1d67b45c4df22bdd32851edeb5446aa44b7f31aa2
-
SHA512
ee83a34cbbdcaf92d63d920a7af211132d99b2107b2b7f3e812ce98292ba5da9f8bccb1d9b80588a02e6fe70e8bc2fe90154109f2064ed9091c7f6a95fa3d095
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2660-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/880-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3680-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3240-1058-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2660 rxrrlfx.exe 2628 tnbthb.exe 1608 fxfxffl.exe 3500 btbtnt.exe 1108 vjpjj.exe 1272 9xrflfl.exe 4004 nnbttn.exe 3684 jjvjv.exe 4292 9nhbhh.exe 3356 1pvpp.exe 2936 frrfxxr.exe 4144 xflfflf.exe 1812 hntnhh.exe 4792 vpjvp.exe 700 rfxrlrr.exe 1428 ntbtnh.exe 220 nbthtb.exe 3600 nthttn.exe 3000 pjdvp.exe 1472 hntnhh.exe 4908 pjvjd.exe 3032 rxxrllf.exe 2436 vdpdv.exe 468 xxfxrlf.exe 4276 hhttnb.exe 2324 pvdvp.exe 4544 frllffx.exe 2368 hhbbtn.exe 1092 nnhtbh.exe 888 tnnbnn.exe 1464 3pdvp.exe 856 5lrlrxx.exe 4872 tthbtb.exe 4856 pvvjd.exe 1692 lfflfff.exe 3936 tbthtn.exe 3216 fxfrfxr.exe 2772 lxrxflx.exe 3640 3thtnh.exe 1212 vpjdv.exe 1532 rrfrllf.exe 880 tbnhbt.exe 4660 nnbbtn.exe 5100 5vddp.exe 3488 rfrlfxl.exe 3200 xrfxrrx.exe 2336 tbtnhh.exe 2880 pddpv.exe 3428 fflxrlx.exe 4524 ntnhbt.exe 4600 bhbbth.exe 1484 7dppd.exe 1268 lfllfxx.exe 4924 rlrlfxl.exe 4776 1htttn.exe 4472 ddvvv.exe 1436 lflrrrl.exe 4708 hnhnbh.exe 1116 hbbthb.exe 1192 jjdvp.exe 2276 llrllxr.exe 3648 htthth.exe 872 nnnhbt.exe 4808 thnnnh.exe -
resource yara_rule behavioral2/memory/2660-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-222-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2336-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-397-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1728-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-730-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4388 wrote to memory of 2660 4388 be1df3c186bacfe876d9e8a1d67b45c4df22bdd32851edeb5446aa44b7f31aa2.exe 82 PID 4388 wrote to memory of 2660 4388 be1df3c186bacfe876d9e8a1d67b45c4df22bdd32851edeb5446aa44b7f31aa2.exe 82 PID 4388 wrote to memory of 2660 4388 be1df3c186bacfe876d9e8a1d67b45c4df22bdd32851edeb5446aa44b7f31aa2.exe 82 PID 2660 wrote to memory of 2628 2660 rxrrlfx.exe 83 PID 2660 wrote to memory of 2628 2660 rxrrlfx.exe 83 PID 2660 wrote to memory of 2628 2660 rxrrlfx.exe 83 PID 2628 wrote to memory of 1608 2628 tnbthb.exe 84 PID 2628 wrote to memory of 1608 2628 tnbthb.exe 84 PID 2628 wrote to memory of 1608 2628 tnbthb.exe 84 PID 1608 wrote to memory of 3500 1608 fxfxffl.exe 85 PID 1608 wrote to memory of 3500 1608 fxfxffl.exe 85 PID 1608 wrote to memory of 3500 1608 fxfxffl.exe 85 PID 3500 wrote to memory of 1108 3500 btbtnt.exe 86 PID 3500 wrote to memory of 1108 3500 btbtnt.exe 86 PID 3500 wrote to memory of 1108 3500 btbtnt.exe 86 PID 1108 wrote to memory of 1272 1108 vjpjj.exe 87 PID 1108 wrote to memory of 1272 1108 vjpjj.exe 87 PID 1108 wrote to memory of 1272 1108 vjpjj.exe 87 PID 1272 wrote to memory of 4004 1272 9xrflfl.exe 88 PID 1272 wrote to memory of 4004 1272 9xrflfl.exe 88 PID 1272 wrote to memory of 4004 1272 9xrflfl.exe 88 PID 4004 wrote to memory of 3684 4004 nnbttn.exe 89 PID 4004 wrote to memory of 3684 4004 nnbttn.exe 89 PID 4004 wrote to memory of 3684 4004 nnbttn.exe 89 PID 3684 wrote to memory of 4292 3684 jjvjv.exe 90 PID 3684 wrote to memory of 4292 3684 jjvjv.exe 90 PID 3684 wrote to memory of 4292 3684 jjvjv.exe 90 PID 4292 wrote to memory of 3356 4292 9nhbhh.exe 91 PID 4292 wrote to memory of 3356 4292 9nhbhh.exe 91 PID 4292 wrote to memory of 3356 4292 9nhbhh.exe 91 PID 3356 wrote to memory of 2936 3356 1pvpp.exe 92 PID 3356 wrote to memory of 2936 3356 1pvpp.exe 92 PID 3356 wrote to memory of 2936 3356 1pvpp.exe 92 PID 2936 wrote to memory of 4144 2936 frrfxxr.exe 93 PID 2936 wrote to 
memory of 4144 2936 frrfxxr.exe 93 PID 2936 wrote to memory of 4144 2936 frrfxxr.exe 93 PID 4144 wrote to memory of 1812 4144 xflfflf.exe 94 PID 4144 wrote to memory of 1812 4144 xflfflf.exe 94 PID 4144 wrote to memory of 1812 4144 xflfflf.exe 94 PID 1812 wrote to memory of 4792 1812 hntnhh.exe 95 PID 1812 wrote to memory of 4792 1812 hntnhh.exe 95 PID 1812 wrote to memory of 4792 1812 hntnhh.exe 95 PID 4792 wrote to memory of 700 4792 vpjvp.exe 96 PID 4792 wrote to memory of 700 4792 vpjvp.exe 96 PID 4792 wrote to memory of 700 4792 vpjvp.exe 96 PID 700 wrote to memory of 1428 700 rfxrlrr.exe 97 PID 700 wrote to memory of 1428 700 rfxrlrr.exe 97 PID 700 wrote to memory of 1428 700 rfxrlrr.exe 97 PID 1428 wrote to memory of 220 1428 ntbtnh.exe 98 PID 1428 wrote to memory of 220 1428 ntbtnh.exe 98 PID 1428 wrote to memory of 220 1428 ntbtnh.exe 98 PID 220 wrote to memory of 3600 220 nbthtb.exe 99 PID 220 wrote to memory of 3600 220 nbthtb.exe 99 PID 220 wrote to memory of 3600 220 nbthtb.exe 99 PID 3600 wrote to memory of 3000 3600 nthttn.exe 100 PID 3600 wrote to memory of 3000 3600 nthttn.exe 100 PID 3600 wrote to memory of 3000 3600 nthttn.exe 100 PID 3000 wrote to memory of 1472 3000 pjdvp.exe 101 PID 3000 wrote to memory of 1472 3000 pjdvp.exe 101 PID 3000 wrote to memory of 1472 3000 pjdvp.exe 101 PID 1472 wrote to memory of 4908 1472 hntnhh.exe 102 PID 1472 wrote to memory of 4908 1472 hntnhh.exe 102 PID 1472 wrote to memory of 4908 1472 hntnhh.exe 102 PID 4908 wrote to memory of 3032 4908 pjvjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\be1df3c186bacfe876d9e8a1d67b45c4df22bdd32851edeb5446aa44b7f31aa2.exe"C:\Users\Admin\AppData\Local\Temp\be1df3c186bacfe876d9e8a1d67b45c4df22bdd32851edeb5446aa44b7f31aa2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\rxrrlfx.exec:\rxrrlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\tnbthb.exec:\tnbthb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\fxfxffl.exec:\fxfxffl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\btbtnt.exec:\btbtnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\vjpjj.exec:\vjpjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\9xrflfl.exec:\9xrflfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\nnbttn.exec:\nnbttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\jjvjv.exec:\jjvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\9nhbhh.exec:\9nhbhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\1pvpp.exec:\1pvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\frrfxxr.exec:\frrfxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\xflfflf.exec:\xflfflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\hntnhh.exec:\hntnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\vpjvp.exec:\vpjvp.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\rfxrlrr.exec:\rfxrlrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\ntbtnh.exec:\ntbtnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\nbthtb.exec:\nbthtb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\nthttn.exec:\nthttn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\pjdvp.exec:\pjdvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\hntnhh.exec:\hntnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\pjvjd.exec:\pjvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\rxxrllf.exec:\rxxrllf.exe23⤵
- Executes dropped EXE
PID:3032 -
\??\c:\vdpdv.exec:\vdpdv.exe24⤵
- Executes dropped EXE
PID:2436 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe25⤵
- Executes dropped EXE
PID:468 -
\??\c:\hhttnb.exec:\hhttnb.exe26⤵
- Executes dropped EXE
PID:4276 -
\??\c:\pvdvp.exec:\pvdvp.exe27⤵
- Executes dropped EXE
PID:2324 -
\??\c:\frllffx.exec:\frllffx.exe28⤵
- Executes dropped EXE
PID:4544 -
\??\c:\hhbbtn.exec:\hhbbtn.exe29⤵
- Executes dropped EXE
PID:2368 -
\??\c:\nnhtbh.exec:\nnhtbh.exe30⤵
- Executes dropped EXE
PID:1092 -
\??\c:\tnnbnn.exec:\tnnbnn.exe31⤵
- Executes dropped EXE
PID:888 -
\??\c:\3pdvp.exec:\3pdvp.exe32⤵
- Executes dropped EXE
PID:1464 -
\??\c:\5lrlrxx.exec:\5lrlrxx.exe33⤵
- Executes dropped EXE
PID:856 -
\??\c:\tthbtb.exec:\tthbtb.exe34⤵
- Executes dropped EXE
PID:4872 -
\??\c:\pvvjd.exec:\pvvjd.exe35⤵
- Executes dropped EXE
PID:4856 -
\??\c:\lfflfff.exec:\lfflfff.exe36⤵
- Executes dropped EXE
PID:1692 -
\??\c:\tbthtn.exec:\tbthtn.exe37⤵
- Executes dropped EXE
PID:3936 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe38⤵
- Executes dropped EXE
PID:3216 -
\??\c:\lxrxflx.exec:\lxrxflx.exe39⤵
- Executes dropped EXE
PID:2772 -
\??\c:\3thtnh.exec:\3thtnh.exe40⤵
- Executes dropped EXE
PID:3640 -
\??\c:\vpjdv.exec:\vpjdv.exe41⤵
- Executes dropped EXE
PID:1212 -
\??\c:\rrfrllf.exec:\rrfrllf.exe42⤵
- Executes dropped EXE
PID:1532 -
\??\c:\tbnhbt.exec:\tbnhbt.exe43⤵
- Executes dropped EXE
PID:880 -
\??\c:\nnbbtn.exec:\nnbbtn.exe44⤵
- Executes dropped EXE
PID:4660 -
\??\c:\5vddp.exec:\5vddp.exe45⤵
- Executes dropped EXE
PID:5100 -
\??\c:\rfrlfxl.exec:\rfrlfxl.exe46⤵
- Executes dropped EXE
PID:3488 -
\??\c:\xrfxrrx.exec:\xrfxrrx.exe47⤵
- Executes dropped EXE
PID:3200 -
\??\c:\tbtnhh.exec:\tbtnhh.exe48⤵
- Executes dropped EXE
PID:2336 -
\??\c:\pddpv.exec:\pddpv.exe49⤵
- Executes dropped EXE
PID:2880 -
\??\c:\fflxrlx.exec:\fflxrlx.exe50⤵
- Executes dropped EXE
PID:3428 -
\??\c:\ntnhbt.exec:\ntnhbt.exe51⤵
- Executes dropped EXE
PID:4524 -
\??\c:\bhbbth.exec:\bhbbth.exe52⤵
- Executes dropped EXE
PID:4600 -
\??\c:\7dppd.exec:\7dppd.exe53⤵
- Executes dropped EXE
PID:1484 -
\??\c:\lfllfxx.exec:\lfllfxx.exe54⤵
- Executes dropped EXE
PID:1268 -
\??\c:\rlrlfxl.exec:\rlrlfxl.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4924 -
\??\c:\1htttn.exec:\1htttn.exe56⤵
- Executes dropped EXE
PID:4776 -
\??\c:\ddvvv.exec:\ddvvv.exe57⤵
- Executes dropped EXE
PID:4472 -
\??\c:\lflrrrl.exec:\lflrrrl.exe58⤵
- Executes dropped EXE
PID:1436 -
\??\c:\hnhnbh.exec:\hnhnbh.exe59⤵
- Executes dropped EXE
PID:4708 -
\??\c:\hbbthb.exec:\hbbthb.exe60⤵
- Executes dropped EXE
PID:1116 -
\??\c:\jjdvp.exec:\jjdvp.exe61⤵
- Executes dropped EXE
PID:1192 -
\??\c:\llrllxr.exec:\llrllxr.exe62⤵
- Executes dropped EXE
PID:2276 -
\??\c:\htthth.exec:\htthth.exe63⤵
- Executes dropped EXE
PID:3648 -
\??\c:\nnnhbt.exec:\nnnhbt.exe64⤵
- Executes dropped EXE
PID:872 -
\??\c:\thnnnh.exec:\thnnnh.exe65⤵
- Executes dropped EXE
PID:4808 -
\??\c:\pddjj.exec:\pddjj.exe66⤵PID:4564
-
\??\c:\bttnhb.exec:\bttnhb.exe67⤵PID:5076
-
\??\c:\jdjvv.exec:\jdjvv.exe68⤵PID:3356
-
\??\c:\tnnhbb.exec:\tnnhbb.exe69⤵PID:3360
-
\??\c:\jddvv.exec:\jddvv.exe70⤵PID:4068
-
\??\c:\xlrrllx.exec:\xlrrllx.exe71⤵PID:972
-
\??\c:\ttbtnn.exec:\ttbtnn.exe72⤵PID:2928
-
\??\c:\3dpjd.exec:\3dpjd.exe73⤵PID:4180
-
\??\c:\xxrlfrl.exec:\xxrlfrl.exe74⤵PID:1644
-
\??\c:\nhbntn.exec:\nhbntn.exe75⤵PID:4892
-
\??\c:\3vdvd.exec:\3vdvd.exe76⤵PID:1732
-
\??\c:\lrrllxr.exec:\lrrllxr.exe77⤵PID:4048
-
\??\c:\xxrrflr.exec:\xxrrflr.exe78⤵PID:4824
-
\??\c:\hhtnhb.exec:\hhtnhb.exe79⤵PID:3108
-
\??\c:\5jjjd.exec:\5jjjd.exe80⤵PID:3600
-
\??\c:\rfxlflf.exec:\rfxlflf.exe81⤵PID:3800
-
\??\c:\9rfflrx.exec:\9rfflrx.exe82⤵PID:4604
-
\??\c:\5vvjd.exec:\5vvjd.exe83⤵PID:4016
-
\??\c:\fxflrrl.exec:\fxflrrl.exe84⤵PID:3608
-
\??\c:\bnnhhb.exec:\bnnhhb.exe85⤵PID:3864
-
\??\c:\5ppjp.exec:\5ppjp.exe86⤵PID:3032
-
\??\c:\xxrffxx.exec:\xxrffxx.exe87⤵PID:816
-
\??\c:\9tnhtt.exec:\9tnhtt.exe88⤵PID:2360
-
\??\c:\pjvpj.exec:\pjvpj.exe89⤵PID:4116
-
\??\c:\hhhbtt.exec:\hhhbtt.exe90⤵PID:3680
-
\??\c:\pdddj.exec:\pdddj.exe91⤵PID:1640
-
\??\c:\lfrlfrr.exec:\lfrlfrr.exe92⤵PID:3932
-
\??\c:\vpvpj.exec:\vpvpj.exe93⤵PID:1180
-
\??\c:\1ddvd.exec:\1ddvd.exe94⤵PID:4136
-
\??\c:\httttt.exec:\httttt.exe95⤵PID:4100
-
\??\c:\thnhhb.exec:\thnhhb.exe96⤵
- System Location Discovery: System Language Discovery
PID:4392 -
\??\c:\ppdvv.exec:\ppdvv.exe97⤵PID:4520
-
\??\c:\lfrlfxx.exec:\lfrlfxx.exe98⤵PID:1148
-
\??\c:\hhbttb.exec:\hhbttb.exe99⤵PID:4724
-
\??\c:\vpjvj.exec:\vpjvj.exe100⤵PID:4280
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe101⤵PID:1772
-
\??\c:\9fllrrr.exec:\9fllrrr.exe102⤵PID:1388
-
\??\c:\tnbbht.exec:\tnbbht.exe103⤵PID:1728
-
\??\c:\ppdvd.exec:\ppdvd.exe104⤵PID:3988
-
\??\c:\lrxxllf.exec:\lrxxllf.exe105⤵PID:4716
-
\??\c:\hntttt.exec:\hntttt.exe106⤵PID:4904
-
\??\c:\thnbbt.exec:\thnbbt.exe107⤵PID:1560
-
\??\c:\7pjdv.exec:\7pjdv.exe108⤵PID:2472
-
\??\c:\xrxxffl.exec:\xrxxffl.exe109⤵PID:1784
-
\??\c:\bhhbtn.exec:\bhhbtn.exe110⤵PID:1476
-
\??\c:\vdjdp.exec:\vdjdp.exe111⤵PID:548
-
\??\c:\fxlfrrr.exec:\fxlfrrr.exe112⤵PID:5032
-
\??\c:\tthhtb.exec:\tthhtb.exe113⤵PID:5100
-
\??\c:\hhtnbb.exec:\hhtnbb.exe114⤵PID:3488
-
\??\c:\jdjjv.exec:\jdjjv.exe115⤵PID:1448
-
\??\c:\lrfflfx.exec:\lrfflfx.exe116⤵PID:2828
-
\??\c:\ttttnn.exec:\ttttnn.exe117⤵PID:4488
-
\??\c:\5ttnnn.exec:\5ttnnn.exe118⤵PID:4360
-
\??\c:\dppjj.exec:\dppjj.exe119⤵PID:4356
-
\??\c:\fllfrll.exec:\fllfrll.exe120⤵PID:2504
-
\??\c:\nhhhnt.exec:\nhhhnt.exe121⤵PID:2620
-
\??\c:\nhhtnh.exec:\nhhtnh.exe122⤵PID:3364
-