Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 07:12
Behavioral task
behavioral1
Sample
66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe
-
Size
335KB
-
MD5
8bdb34ccd778ead5bc39282cfb0c24b0
-
SHA1
244f3049066858971bf5c32329a002eb8b7feb96
-
SHA256
66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968
-
SHA512
31c664d5742c839471df34559b5e36b3c1b9caf0e5dfff6a74f77a473d3f2388f209461dfb328b3d8be126da5b1ca858063f310cdcfd7b689d30b46d5b47b300
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRV:R4wFHoSHYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3964-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3176-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1396-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/864-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1776-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3816-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1160-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1892-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3772-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1276-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1568-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3380-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4836-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2536-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2220-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3704-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1872-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2536-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/428-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2728-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2056-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3924-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2232-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1204-525-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-563-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-610-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-649-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1388-704-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4152-1444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2732 1bhbtb.exe 3704 djvpj.exe 2220 fxfxxxr.exe 1896 rlrfxxl.exe 1700 bbttnt.exe 1028 vpvpj.exe 1500 fxxrrll.exe 1452 lxfxlll.exe 2536 nhnhhh.exe 5068 jjjdd.exe 216 rflfxll.exe 1448 rflfxrl.exe 4836 thhbtt.exe 1840 dddvp.exe 2920 dvpjp.exe 3380 xfllffx.exe 3636 btbtbt.exe 396 5htttt.exe 4992 pvdvv.exe 3632 3pvvv.exe 1568 fxrlfrl.exe 4708 1bhnnt.exe 4740 nnhbtt.exe 1276 7ppjj.exe 4048 jddvv.exe 3968 5llfxxr.exe 4380 nbnhbt.exe 3772 3hbbnn.exe 1892 dvjpv.exe 4628 dpdvp.exe 4156 rfrlfff.exe 1160 bhhbtt.exe 3816 bttntt.exe 1528 vppjj.exe 4428 vpddd.exe 3176 rflllll.exe 4344 rlxxrrl.exe 3480 1bthbn.exe 5088 5jjdj.exe 1396 vpvpj.exe 1308 xxflfxr.exe 5084 hnhbhb.exe 1776 hhbntb.exe 4944 9jpjd.exe 2240 dvvpj.exe 2020 rrllfxx.exe 704 tntnnn.exe 864 5nttnb.exe 1844 jdvvj.exe 3584 lfllrrx.exe 4452 thnntt.exe 2972 bbhnth.exe 3016 fxrllll.exe 2736 flxxxfr.exe 608 ppvjd.exe 1996 7pvjd.exe 4876 9llfxxr.exe 4024 hhbbtt.exe 3996 ddppp.exe 4808 fxxfxfx.exe 1872 nntthh.exe 4140 vpvvj.exe 1028 1fxrlrr.exe 1500 1ntnnn.exe -
resource yara_rule behavioral2/memory/3964-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c7a-3.dat upx behavioral2/memory/3964-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-8.dat upx behavioral2/files/0x0007000000023c7f-10.dat upx behavioral2/files/0x0007000000023c80-19.dat upx behavioral2/files/0x0007000000023c81-24.dat upx behavioral2/files/0x0007000000023c82-29.dat upx behavioral2/memory/1028-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c83-34.dat upx behavioral2/files/0x0007000000023c84-39.dat upx behavioral2/files/0x0007000000023c85-44.dat upx behavioral2/files/0x0007000000023c86-49.dat upx behavioral2/files/0x0007000000023c87-54.dat upx behavioral2/files/0x0007000000023c88-58.dat upx behavioral2/files/0x0007000000023c89-63.dat upx behavioral2/files/0x0007000000023c8a-68.dat upx behavioral2/files/0x0007000000023c8c-77.dat upx behavioral2/memory/4992-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-102.dat upx behavioral2/files/0x0007000000023c97-131.dat upx behavioral2/memory/3176-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1396-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4452-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/864-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4944-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1776-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5088-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3480-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4428-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3816-159-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1160-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-154.dat upx behavioral2/files/0x0007000000023c9b-150.dat upx behavioral2/memory/4628-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-145.dat upx behavioral2/memory/1892-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-140.dat upx behavioral2/memory/3772-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-135.dat upx behavioral2/files/0x0007000000023c96-127.dat upx behavioral2/memory/4048-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-122.dat upx behavioral2/memory/1276-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-117.dat upx behavioral2/memory/4740-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-112.dat upx behavioral2/memory/4708-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-107.dat upx behavioral2/memory/1568-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3632-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-97.dat upx behavioral2/files/0x0007000000023c8f-92.dat upx behavioral2/memory/396-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-87.dat upx behavioral2/memory/3636-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-82.dat upx behavioral2/memory/3380-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2920-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-72.dat upx behavioral2/memory/4836-66-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1448-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5068-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3996-222-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3964 wrote to memory of 2732 3964 66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe 82 PID 3964 wrote to memory of 2732 3964 66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe 82 PID 3964 wrote to memory of 2732 3964 66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe 82 PID 2732 wrote to memory of 3704 2732 1bhbtb.exe 83 PID 2732 wrote to memory of 3704 2732 1bhbtb.exe 83 PID 2732 wrote to memory of 3704 2732 1bhbtb.exe 83 PID 3704 wrote to memory of 2220 3704 djvpj.exe 84 PID 3704 wrote to memory of 2220 3704 djvpj.exe 84 PID 3704 wrote to memory of 2220 3704 djvpj.exe 84 PID 2220 wrote to memory of 1896 2220 fxfxxxr.exe 85 PID 2220 wrote to memory of 1896 2220 fxfxxxr.exe 85 PID 2220 wrote to memory of 1896 2220 fxfxxxr.exe 85 PID 1896 wrote to memory of 1700 1896 rlrfxxl.exe 86 PID 1896 wrote to memory of 1700 1896 rlrfxxl.exe 86 PID 1896 wrote to memory of 1700 1896 rlrfxxl.exe 86 PID 1700 wrote to memory of 1028 1700 bbttnt.exe 144 PID 1700 wrote to memory of 1028 1700 bbttnt.exe 144 PID 1700 wrote to memory of 1028 1700 bbttnt.exe 144 PID 1028 wrote to memory of 1500 1028 vpvpj.exe 145 PID 1028 wrote to memory of 1500 1028 vpvpj.exe 145 PID 1028 wrote to memory of 1500 1028 vpvpj.exe 145 PID 1500 wrote to memory of 1452 1500 fxxrrll.exe 89 PID 1500 wrote to memory of 1452 1500 fxxrrll.exe 89 PID 1500 wrote to memory of 1452 1500 fxxrrll.exe 89 PID 1452 wrote to memory of 2536 1452 lxfxlll.exe 147 PID 1452 wrote to memory of 2536 1452 lxfxlll.exe 147 PID 1452 wrote to memory of 2536 1452 lxfxlll.exe 147 PID 2536 wrote to memory of 5068 2536 nhnhhh.exe 91 PID 2536 wrote to memory of 5068 2536 nhnhhh.exe 91 PID 2536 wrote to memory of 5068 2536 nhnhhh.exe 91 PID 5068 wrote to memory of 216 5068 jjjdd.exe 92 PID 5068 wrote to memory of 216 5068 jjjdd.exe 92 PID 5068 wrote to memory of 216 5068 jjjdd.exe 92 PID 216 wrote to memory of 1448 216 rflfxll.exe 93 PID 216 
wrote to memory of 1448 216 rflfxll.exe 93 PID 216 wrote to memory of 1448 216 rflfxll.exe 93 PID 1448 wrote to memory of 4836 1448 rflfxrl.exe 94 PID 1448 wrote to memory of 4836 1448 rflfxrl.exe 94 PID 1448 wrote to memory of 4836 1448 rflfxrl.exe 94 PID 4836 wrote to memory of 1840 4836 thhbtt.exe 95 PID 4836 wrote to memory of 1840 4836 thhbtt.exe 95 PID 4836 wrote to memory of 1840 4836 thhbtt.exe 95 PID 1840 wrote to memory of 2920 1840 dddvp.exe 154 PID 1840 wrote to memory of 2920 1840 dddvp.exe 154 PID 1840 wrote to memory of 2920 1840 dddvp.exe 154 PID 2920 wrote to memory of 3380 2920 dvpjp.exe 97 PID 2920 wrote to memory of 3380 2920 dvpjp.exe 97 PID 2920 wrote to memory of 3380 2920 dvpjp.exe 97 PID 3380 wrote to memory of 3636 3380 xfllffx.exe 98 PID 3380 wrote to memory of 3636 3380 xfllffx.exe 98 PID 3380 wrote to memory of 3636 3380 xfllffx.exe 98 PID 3636 wrote to memory of 396 3636 btbtbt.exe 99 PID 3636 wrote to memory of 396 3636 btbtbt.exe 99 PID 3636 wrote to memory of 396 3636 btbtbt.exe 99 PID 396 wrote to memory of 4992 396 5htttt.exe 100 PID 396 wrote to memory of 4992 396 5htttt.exe 100 PID 396 wrote to memory of 4992 396 5htttt.exe 100 PID 4992 wrote to memory of 3632 4992 pvdvv.exe 101 PID 4992 wrote to memory of 3632 4992 pvdvv.exe 101 PID 4992 wrote to memory of 3632 4992 pvdvv.exe 101 PID 3632 wrote to memory of 1568 3632 3pvvv.exe 102 PID 3632 wrote to memory of 1568 3632 3pvvv.exe 102 PID 3632 wrote to memory of 1568 3632 3pvvv.exe 102 PID 1568 wrote to memory of 4708 1568 fxrlfrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe"C:\Users\Admin\AppData\Local\Temp\66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\1bhbtb.exec:\1bhbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\djvpj.exec:\djvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\fxfxxxr.exec:\fxfxxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\rlrfxxl.exec:\rlrfxxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\bbttnt.exec:\bbttnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\vpvpj.exec:\vpvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\fxxrrll.exec:\fxxrrll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\lxfxlll.exec:\lxfxlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\nhnhhh.exec:\nhnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\jjjdd.exec:\jjjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\rflfxll.exec:\rflfxll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\rflfxrl.exec:\rflfxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\thhbtt.exec:\thhbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\dddvp.exec:\dddvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\dvpjp.exec:\dvpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\xfllffx.exec:\xfllffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\btbtbt.exec:\btbtbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\5htttt.exec:\5htttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\pvdvv.exec:\pvdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\3pvvv.exec:\3pvvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\fxrlfrl.exec:\fxrlfrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\1bhnnt.exec:\1bhnnt.exe23⤵
- Executes dropped EXE
PID:4708 -
\??\c:\nnhbtt.exec:\nnhbtt.exe24⤵
- Executes dropped EXE
PID:4740 -
\??\c:\7ppjj.exec:\7ppjj.exe25⤵
- Executes dropped EXE
PID:1276 -
\??\c:\jddvv.exec:\jddvv.exe26⤵
- Executes dropped EXE
PID:4048 -
\??\c:\5llfxxr.exec:\5llfxxr.exe27⤵
- Executes dropped EXE
PID:3968 -
\??\c:\nbnhbt.exec:\nbnhbt.exe28⤵
- Executes dropped EXE
PID:4380 -
\??\c:\3hbbnn.exec:\3hbbnn.exe29⤵
- Executes dropped EXE
PID:3772 -
\??\c:\dvjpv.exec:\dvjpv.exe30⤵
- Executes dropped EXE
PID:1892 -
\??\c:\dpdvp.exec:\dpdvp.exe31⤵
- Executes dropped EXE
PID:4628 -
\??\c:\rfrlfff.exec:\rfrlfff.exe32⤵
- Executes dropped EXE
PID:4156 -
\??\c:\bhhbtt.exec:\bhhbtt.exe33⤵
- Executes dropped EXE
PID:1160 -
\??\c:\bttntt.exec:\bttntt.exe34⤵
- Executes dropped EXE
PID:3816 -
\??\c:\vppjj.exec:\vppjj.exe35⤵
- Executes dropped EXE
PID:1528 -
\??\c:\vpddd.exec:\vpddd.exe36⤵
- Executes dropped EXE
PID:4428 -
\??\c:\rflllll.exec:\rflllll.exe37⤵
- Executes dropped EXE
PID:3176 -
\??\c:\rlxxrrl.exec:\rlxxrrl.exe38⤵
- Executes dropped EXE
PID:4344 -
\??\c:\1bthbn.exec:\1bthbn.exe39⤵
- Executes dropped EXE
PID:3480 -
\??\c:\5jjdj.exec:\5jjdj.exe40⤵
- Executes dropped EXE
PID:5088 -
\??\c:\vpvpj.exec:\vpvpj.exe41⤵
- Executes dropped EXE
PID:1396 -
\??\c:\xxflfxr.exec:\xxflfxr.exe42⤵
- Executes dropped EXE
PID:1308 -
\??\c:\hnhbhb.exec:\hnhbhb.exe43⤵
- Executes dropped EXE
PID:5084 -
\??\c:\hhbntb.exec:\hhbntb.exe44⤵
- Executes dropped EXE
PID:1776 -
\??\c:\9jpjd.exec:\9jpjd.exe45⤵
- Executes dropped EXE
PID:4944 -
\??\c:\dvvpj.exec:\dvvpj.exe46⤵
- Executes dropped EXE
PID:2240 -
\??\c:\rrllfxx.exec:\rrllfxx.exe47⤵
- Executes dropped EXE
PID:2020 -
\??\c:\tntnnn.exec:\tntnnn.exe48⤵
- Executes dropped EXE
PID:704 -
\??\c:\5nttnb.exec:\5nttnb.exe49⤵
- Executes dropped EXE
PID:864 -
\??\c:\jdvvj.exec:\jdvvj.exe50⤵
- Executes dropped EXE
PID:1844 -
\??\c:\lfllrrx.exec:\lfllrrx.exe51⤵
- Executes dropped EXE
PID:3584 -
\??\c:\thnntt.exec:\thnntt.exe52⤵
- Executes dropped EXE
PID:4452 -
\??\c:\bbhnth.exec:\bbhnth.exe53⤵
- Executes dropped EXE
PID:2972 -
\??\c:\fxrllll.exec:\fxrllll.exe54⤵
- Executes dropped EXE
PID:3016 -
\??\c:\flxxxfr.exec:\flxxxfr.exe55⤵
- Executes dropped EXE
PID:2736 -
\??\c:\ppvjd.exec:\ppvjd.exe56⤵
- Executes dropped EXE
PID:608 -
\??\c:\7pvjd.exec:\7pvjd.exe57⤵
- Executes dropped EXE
PID:1996 -
\??\c:\9llfxxr.exec:\9llfxxr.exe58⤵
- Executes dropped EXE
PID:4876 -
\??\c:\hhbbtt.exec:\hhbbtt.exe59⤵
- Executes dropped EXE
PID:4024 -
\??\c:\ddppp.exec:\ddppp.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3996 -
\??\c:\fxxfxfx.exec:\fxxfxfx.exe61⤵
- Executes dropped EXE
PID:4808 -
\??\c:\nntthh.exec:\nntthh.exe62⤵
- Executes dropped EXE
PID:1872 -
\??\c:\vpvvj.exec:\vpvvj.exe63⤵
- Executes dropped EXE
PID:4140 -
\??\c:\1fxrlrr.exec:\1fxrlrr.exe64⤵
- Executes dropped EXE
PID:1028 -
\??\c:\1ntnnn.exec:\1ntnnn.exe65⤵
- Executes dropped EXE
PID:1500 -
\??\c:\nhbthb.exec:\nhbthb.exe66⤵PID:2296
-
\??\c:\dvjjp.exec:\dvjjp.exe67⤵PID:2536
-
\??\c:\5lxllrr.exec:\5lxllrr.exe68⤵PID:3432
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe69⤵PID:2636
-
\??\c:\nhhnnt.exec:\nhhnnt.exe70⤵PID:4632
-
\??\c:\3fxrllf.exec:\3fxrllf.exe71⤵PID:2336
-
\??\c:\rxlfxlf.exec:\rxlfxlf.exe72⤵PID:4564
-
\??\c:\bnbbtt.exec:\bnbbtt.exe73⤵PID:1792
-
\??\c:\pppjv.exec:\pppjv.exe74⤵PID:2920
-
\??\c:\xrlfxrr.exec:\xrlfxrr.exe75⤵PID:2424
-
\??\c:\5tbbhh.exec:\5tbbhh.exe76⤵PID:1116
-
\??\c:\frfxrlf.exec:\frfxrlf.exe77⤵PID:4368
-
\??\c:\vjpjd.exec:\vjpjd.exe78⤵PID:4992
-
\??\c:\bnthbt.exec:\bnthbt.exe79⤵PID:1168
-
\??\c:\lffrlfr.exec:\lffrlfr.exe80⤵PID:1588
-
\??\c:\pvvvd.exec:\pvvvd.exe81⤵PID:1276
-
\??\c:\pdvvj.exec:\pdvvj.exe82⤵PID:428
-
\??\c:\thnhbt.exec:\thnhbt.exe83⤵PID:664
-
\??\c:\lrxrllf.exec:\lrxrllf.exe84⤵PID:2900
-
\??\c:\nbhbtb.exec:\nbhbtb.exe85⤵PID:696
-
\??\c:\rflrxlx.exec:\rflrxlx.exe86⤵PID:5108
-
\??\c:\9hhbth.exec:\9hhbth.exe87⤵PID:2728
-
\??\c:\dvjdd.exec:\dvjdd.exe88⤵
- System Location Discovery: System Language Discovery
PID:3272 -
\??\c:\rfxfxrx.exec:\rfxfxrx.exe89⤵
- System Location Discovery: System Language Discovery
PID:1160 -
\??\c:\9bbttn.exec:\9bbttn.exe90⤵PID:208
-
\??\c:\9dddv.exec:\9dddv.exe91⤵PID:960
-
\??\c:\7lrlxxx.exec:\7lrlxxx.exe92⤵PID:3536
-
\??\c:\bbhbnh.exec:\bbhbnh.exe93⤵PID:4972
-
\??\c:\vjpdv.exec:\vjpdv.exe94⤵PID:4816
-
\??\c:\flxlffx.exec:\flxlffx.exe95⤵PID:1144
-
\??\c:\nhbtnn.exec:\nhbtnn.exe96⤵PID:1396
-
\??\c:\rfxxrlf.exec:\rfxxrlf.exe97⤵PID:8
-
\??\c:\pdjjd.exec:\pdjjd.exe98⤵PID:3252
-
\??\c:\5lrlllf.exec:\5lrlllf.exe99⤵PID:2056
-
\??\c:\3tnhbb.exec:\3tnhbb.exe100⤵PID:316
-
\??\c:\djvvj.exec:\djvvj.exe101⤵PID:4944
-
\??\c:\rffxllx.exec:\rffxllx.exe102⤵PID:3616
-
\??\c:\jvpjd.exec:\jvpjd.exe103⤵PID:2944
-
\??\c:\jvvpd.exec:\jvvpd.exe104⤵PID:2020
-
\??\c:\7bnhhh.exec:\7bnhhh.exe105⤵PID:3972
-
\??\c:\vjpjd.exec:\vjpjd.exe106⤵PID:1720
-
\??\c:\ffrxxff.exec:\ffrxxff.exe107⤵PID:2172
-
\??\c:\nnhbtt.exec:\nnhbtt.exe108⤵PID:3584
-
\??\c:\ddppv.exec:\ddppv.exe109⤵PID:700
-
\??\c:\htbnhh.exec:\htbnhh.exe110⤵PID:4436
-
\??\c:\thhbhb.exec:\thhbhb.exe111⤵PID:1460
-
\??\c:\5jpjj.exec:\5jpjj.exe112⤵PID:3888
-
\??\c:\llxrxxf.exec:\llxrxxf.exe113⤵PID:3052
-
\??\c:\xflfrlf.exec:\xflfrlf.exe114⤵PID:3640
-
\??\c:\5hhnhn.exec:\5hhnhn.exe115⤵PID:620
-
\??\c:\vvvvp.exec:\vvvvp.exe116⤵PID:1372
-
\??\c:\pdpjd.exec:\pdpjd.exe117⤵PID:4456
-
\??\c:\xrffxxl.exec:\xrffxxl.exe118⤵PID:1072
-
\??\c:\nnhbtn.exec:\nnhbtn.exe119⤵PID:4712
-
\??\c:\hhthnh.exec:\hhthnh.exe120⤵PID:1472
-
\??\c:\ddjvj.exec:\ddjvj.exe121⤵PID:1068
-
\??\c:\1rlfrrl.exec:\1rlfrrl.exe122⤵PID:2400