Analysis
-
max time kernel
120s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 04:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac34cd531eb071147460eb52ac2c30fde2112c6617cc61ffc350e66ec06a5f76N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ac34cd531eb071147460eb52ac2c30fde2112c6617cc61ffc350e66ec06a5f76N.exe
-
Size
454KB
-
MD5
ad077435c8f42a5f0f3e35e24bd734f0
-
SHA1
4f140d3c8bf6a466a6ab6abc0e71e57568752b7c
-
SHA256
ac34cd531eb071147460eb52ac2c30fde2112c6617cc61ffc350e66ec06a5f76
-
SHA512
9a471dde6d36e8cb7fa400f8d81117cc0087ec4f512cee60f7009f794a516b221314a0aa314f59c7b580c9a48db8f19684a6b3de6c3269b0298be0b90273253d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJV:q7Tc2NYHUrAwfMp3CDJV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3920-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1640-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3328-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/884-982-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2460 rrxxxxf.exe 4260 lfrlrrx.exe 4488 hbtntt.exe 2632 tttttt.exe 3132 jpdpd.exe 2480 rlrxrlr.exe 4232 bnbbtb.exe 3612 dvjdp.exe 4548 ffxfrlr.exe 624 tbhntt.exe 2736 llffffx.exe 2192 bbbbbt.exe 2916 jjjdd.exe 3484 htbtnn.exe 1072 1bnhhh.exe 4640 xxrllff.exe 5016 nhhthh.exe 2360 hhnhhh.exe 1520 3pvvp.exe 1888 hhbhhn.exe 4816 5lrrlfl.exe 5100 bhnhhh.exe 5004 xrrlffx.exe 3236 nhhhbb.exe 3220 5lfrfrl.exe 1640 thbhbb.exe 4484 5dvdd.exe 2924 jpvpj.exe 3160 rxxlxlf.exe 116 pjpdp.exe 4240 7fxlxxf.exe 3972 9tbbbb.exe 1920 7llllll.exe 1796 xrxrlll.exe 1144 bbhnht.exe 4780 pppjv.exe 4212 hnbtbn.exe 392 hnbbth.exe 540 pjjdd.exe 1200 lffxfxr.exe 3912 tnbnhb.exe 4040 fllxlxr.exe 812 thbnhb.exe 544 dvvjd.exe 2404 fllxxrr.exe 620 hhbttt.exe 752 jjpvv.exe 4380 7jpjd.exe 1828 rffxrlf.exe 2348 hbbnhh.exe 3952 vvppj.exe 5064 dvjvp.exe 2832 5lflxrl.exe 388 hbhbhb.exe 2412 pdjdd.exe 5000 9rlfllf.exe 4396 xfxfxrr.exe 3656 jppjp.exe 3192 7jjdj.exe 4776 lxxrxxl.exe 3076 7hhtbb.exe 4432 jpvdd.exe 3364 9pvpv.exe 3020 bthbtb.exe -
resource yara_rule behavioral2/memory/3920-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2924-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1596-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-743-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by reading the NLS\Language registry key) in order to infer that host's geographical location; this is commonly used as a locale-based execution guard.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3920 wrote to memory of 2460 3920 ac34cd531eb071147460eb52ac2c30fde2112c6617cc61ffc350e66ec06a5f76N.exe 82 PID 3920 wrote to memory of 2460 3920 ac34cd531eb071147460eb52ac2c30fde2112c6617cc61ffc350e66ec06a5f76N.exe 82 PID 3920 wrote to memory of 2460 3920 ac34cd531eb071147460eb52ac2c30fde2112c6617cc61ffc350e66ec06a5f76N.exe 82 PID 2460 wrote to memory of 4260 2460 rrxxxxf.exe 83 PID 2460 wrote to memory of 4260 2460 rrxxxxf.exe 83 PID 2460 wrote to memory of 4260 2460 rrxxxxf.exe 83 PID 4260 wrote to memory of 4488 4260 lfrlrrx.exe 84 PID 4260 wrote to memory of 4488 4260 lfrlrrx.exe 84 PID 4260 wrote to memory of 4488 4260 lfrlrrx.exe 84 PID 4488 wrote to memory of 2632 4488 hbtntt.exe 85 PID 4488 wrote to memory of 2632 4488 hbtntt.exe 85 PID 4488 wrote to memory of 2632 4488 hbtntt.exe 85 PID 2632 wrote to memory of 3132 2632 tttttt.exe 86 PID 2632 wrote to memory of 3132 2632 tttttt.exe 86 PID 2632 wrote to memory of 3132 2632 tttttt.exe 86 PID 3132 wrote to memory of 2480 3132 jpdpd.exe 87 PID 3132 wrote to memory of 2480 3132 jpdpd.exe 87 PID 3132 wrote to memory of 2480 3132 jpdpd.exe 87 PID 2480 wrote to memory of 4232 2480 rlrxrlr.exe 88 PID 2480 wrote to memory of 4232 2480 rlrxrlr.exe 88 PID 2480 wrote to memory of 4232 2480 rlrxrlr.exe 88 PID 4232 wrote to memory of 3612 4232 bnbbtb.exe 89 PID 4232 wrote to memory of 3612 4232 bnbbtb.exe 89 PID 4232 wrote to memory of 3612 4232 bnbbtb.exe 89 PID 3612 wrote to memory of 4548 3612 dvjdp.exe 90 PID 3612 wrote to memory of 4548 3612 dvjdp.exe 90 PID 3612 wrote to memory of 4548 3612 dvjdp.exe 90 PID 4548 wrote to memory of 624 4548 ffxfrlr.exe 91 PID 4548 wrote to memory of 624 4548 ffxfrlr.exe 91 PID 4548 wrote to memory of 624 4548 ffxfrlr.exe 91 PID 624 wrote to memory of 2736 624 tbhntt.exe 92 PID 624 wrote to memory of 2736 624 tbhntt.exe 92 PID 624 wrote to memory of 2736 624 tbhntt.exe 92 PID 2736 wrote to memory of 2192 2736 llffffx.exe 93 PID 2736 wrote to 
memory of 2192 2736 llffffx.exe 93 PID 2736 wrote to memory of 2192 2736 llffffx.exe 93 PID 2192 wrote to memory of 2916 2192 bbbbbt.exe 94 PID 2192 wrote to memory of 2916 2192 bbbbbt.exe 94 PID 2192 wrote to memory of 2916 2192 bbbbbt.exe 94 PID 2916 wrote to memory of 3484 2916 jjjdd.exe 95 PID 2916 wrote to memory of 3484 2916 jjjdd.exe 95 PID 2916 wrote to memory of 3484 2916 jjjdd.exe 95 PID 3484 wrote to memory of 1072 3484 htbtnn.exe 96 PID 3484 wrote to memory of 1072 3484 htbtnn.exe 96 PID 3484 wrote to memory of 1072 3484 htbtnn.exe 96 PID 1072 wrote to memory of 4640 1072 1bnhhh.exe 97 PID 1072 wrote to memory of 4640 1072 1bnhhh.exe 97 PID 1072 wrote to memory of 4640 1072 1bnhhh.exe 97 PID 4640 wrote to memory of 5016 4640 xxrllff.exe 98 PID 4640 wrote to memory of 5016 4640 xxrllff.exe 98 PID 4640 wrote to memory of 5016 4640 xxrllff.exe 98 PID 5016 wrote to memory of 2360 5016 nhhthh.exe 99 PID 5016 wrote to memory of 2360 5016 nhhthh.exe 99 PID 5016 wrote to memory of 2360 5016 nhhthh.exe 99 PID 2360 wrote to memory of 1520 2360 hhnhhh.exe 100 PID 2360 wrote to memory of 1520 2360 hhnhhh.exe 100 PID 2360 wrote to memory of 1520 2360 hhnhhh.exe 100 PID 1520 wrote to memory of 1888 1520 3pvvp.exe 101 PID 1520 wrote to memory of 1888 1520 3pvvp.exe 101 PID 1520 wrote to memory of 1888 1520 3pvvp.exe 101 PID 1888 wrote to memory of 4816 1888 hhbhhn.exe 102 PID 1888 wrote to memory of 4816 1888 hhbhhn.exe 102 PID 1888 wrote to memory of 4816 1888 hhbhhn.exe 102 PID 4816 wrote to memory of 5100 4816 5lrrlfl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac34cd531eb071147460eb52ac2c30fde2112c6617cc61ffc350e66ec06a5f76N.exe"C:\Users\Admin\AppData\Local\Temp\ac34cd531eb071147460eb52ac2c30fde2112c6617cc61ffc350e66ec06a5f76N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\rrxxxxf.exec:\rrxxxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\hbtntt.exec:\hbtntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\tttttt.exec:\tttttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\jpdpd.exec:\jpdpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\rlrxrlr.exec:\rlrxrlr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\bnbbtb.exec:\bnbbtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\dvjdp.exec:\dvjdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\ffxfrlr.exec:\ffxfrlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\tbhntt.exec:\tbhntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\llffffx.exec:\llffffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\bbbbbt.exec:\bbbbbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\jjjdd.exec:\jjjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\htbtnn.exec:\htbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\1bnhhh.exec:\1bnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\xxrllff.exec:\xxrllff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\nhhthh.exec:\nhhthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\hhnhhh.exec:\hhnhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\3pvvp.exec:\3pvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\hhbhhn.exec:\hhbhhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\5lrrlfl.exec:\5lrrlfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\bhnhhh.exec:\bhnhhh.exe23⤵
- Executes dropped EXE
PID:5100 -
\??\c:\xrrlffx.exec:\xrrlffx.exe24⤵
- Executes dropped EXE
PID:5004 -
\??\c:\nhhhbb.exec:\nhhhbb.exe25⤵
- Executes dropped EXE
PID:3236 -
\??\c:\5lfrfrl.exec:\5lfrfrl.exe26⤵
- Executes dropped EXE
PID:3220 -
\??\c:\thbhbb.exec:\thbhbb.exe27⤵
- Executes dropped EXE
PID:1640 -
\??\c:\5dvdd.exec:\5dvdd.exe28⤵
- Executes dropped EXE
PID:4484 -
\??\c:\jpvpj.exec:\jpvpj.exe29⤵
- Executes dropped EXE
PID:2924 -
\??\c:\rxxlxlf.exec:\rxxlxlf.exe30⤵
- Executes dropped EXE
PID:3160 -
\??\c:\pjpdp.exec:\pjpdp.exe31⤵
- Executes dropped EXE
PID:116 -
\??\c:\7fxlxxf.exec:\7fxlxxf.exe32⤵
- Executes dropped EXE
PID:4240 -
\??\c:\9tbbbb.exec:\9tbbbb.exe33⤵
- Executes dropped EXE
PID:3972 -
\??\c:\7llllll.exec:\7llllll.exe34⤵
- Executes dropped EXE
PID:1920 -
\??\c:\xrxrlll.exec:\xrxrlll.exe35⤵
- Executes dropped EXE
PID:1796 -
\??\c:\bbhnht.exec:\bbhnht.exe36⤵
- Executes dropped EXE
PID:1144 -
\??\c:\pppjv.exec:\pppjv.exe37⤵
- Executes dropped EXE
PID:4780 -
\??\c:\hnbtbn.exec:\hnbtbn.exe38⤵
- Executes dropped EXE
PID:4212 -
\??\c:\hnbbth.exec:\hnbbth.exe39⤵
- Executes dropped EXE
PID:392 -
\??\c:\pjjdd.exec:\pjjdd.exe40⤵
- Executes dropped EXE
PID:540 -
\??\c:\lffxfxr.exec:\lffxfxr.exe41⤵
- Executes dropped EXE
PID:1200 -
\??\c:\tnbnhb.exec:\tnbnhb.exe42⤵
- Executes dropped EXE
PID:3912 -
\??\c:\fllxlxr.exec:\fllxlxr.exe43⤵
- Executes dropped EXE
PID:4040 -
\??\c:\thbnhb.exec:\thbnhb.exe44⤵
- Executes dropped EXE
PID:812 -
\??\c:\dvvjd.exec:\dvvjd.exe45⤵
- Executes dropped EXE
PID:544 -
\??\c:\fllxxrr.exec:\fllxxrr.exe46⤵
- Executes dropped EXE
PID:2404 -
\??\c:\hhbttt.exec:\hhbttt.exe47⤵
- Executes dropped EXE
PID:620 -
\??\c:\jjpvv.exec:\jjpvv.exe48⤵
- Executes dropped EXE
PID:752 -
\??\c:\7jpjd.exec:\7jpjd.exe49⤵
- Executes dropped EXE
PID:4380 -
\??\c:\rffxrlf.exec:\rffxrlf.exe50⤵
- Executes dropped EXE
PID:1828 -
\??\c:\hbbnhh.exec:\hbbnhh.exe51⤵
- Executes dropped EXE
PID:2348 -
\??\c:\vvppj.exec:\vvppj.exe52⤵
- Executes dropped EXE
PID:3952 -
\??\c:\dvjvp.exec:\dvjvp.exe53⤵
- Executes dropped EXE
PID:5064 -
\??\c:\5lflxrl.exec:\5lflxrl.exe54⤵
- Executes dropped EXE
PID:2832 -
\??\c:\hbhbhb.exec:\hbhbhb.exe55⤵
- Executes dropped EXE
PID:388 -
\??\c:\pdjdd.exec:\pdjdd.exe56⤵
- Executes dropped EXE
PID:2412 -
\??\c:\9rlfllf.exec:\9rlfllf.exe57⤵
- Executes dropped EXE
PID:5000 -
\??\c:\xfxfxrr.exec:\xfxfxrr.exe58⤵
- Executes dropped EXE
PID:4396 -
\??\c:\jppjp.exec:\jppjp.exe59⤵
- Executes dropped EXE
PID:3656 -
\??\c:\7jjdj.exec:\7jjdj.exe60⤵
- Executes dropped EXE
PID:3192 -
\??\c:\lxxrxxl.exec:\lxxrxxl.exe61⤵
- Executes dropped EXE
PID:4776 -
\??\c:\7hhtbb.exec:\7hhtbb.exe62⤵
- Executes dropped EXE
PID:3076 -
\??\c:\jpvdd.exec:\jpvdd.exe63⤵
- Executes dropped EXE
PID:4432 -
\??\c:\9pvpv.exec:\9pvpv.exe64⤵
- Executes dropped EXE
PID:3364 -
\??\c:\bthbtb.exec:\bthbtb.exe65⤵
- Executes dropped EXE
PID:3020 -
\??\c:\1nnbnh.exec:\1nnbnh.exe66⤵PID:732
-
\??\c:\pvdvp.exec:\pvdvp.exe67⤵PID:1076
-
\??\c:\xfrlxrr.exec:\xfrlxrr.exe68⤵PID:3768
-
\??\c:\rfrllfr.exec:\rfrllfr.exe69⤵PID:5092
-
\??\c:\7hthth.exec:\7hthth.exe70⤵PID:228
-
\??\c:\7pjdp.exec:\7pjdp.exe71⤵PID:2916
-
\??\c:\9xrfxrf.exec:\9xrfxrf.exe72⤵PID:3088
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe73⤵PID:4728
-
\??\c:\tthbhb.exec:\tthbhb.exe74⤵PID:2468
-
\??\c:\djpvv.exec:\djpvv.exe75⤵PID:1204
-
\??\c:\ffxlffx.exec:\ffxlffx.exe76⤵PID:5016
-
\??\c:\fllfrlx.exec:\fllfrlx.exe77⤵PID:3328
-
\??\c:\htthbb.exec:\htthbb.exe78⤵PID:2360
-
\??\c:\dvpjd.exec:\dvpjd.exe79⤵PID:1612
-
\??\c:\rxxrlfr.exec:\rxxrlfr.exe80⤵PID:3616
-
\??\c:\5fffxrl.exec:\5fffxrl.exe81⤵PID:2352
-
\??\c:\nhnhhb.exec:\nhnhhb.exe82⤵PID:4204
-
\??\c:\1jdvj.exec:\1jdvj.exe83⤵PID:5044
-
\??\c:\rrfflrx.exec:\rrfflrx.exe84⤵PID:4364
-
\??\c:\xrxfxfx.exec:\xrxfxfx.exe85⤵PID:856
-
\??\c:\nhnbbt.exec:\nhnbbt.exe86⤵PID:4244
-
\??\c:\dpdpd.exec:\dpdpd.exe87⤵PID:1596
-
\??\c:\lxxlfxx.exec:\lxxlfxx.exe88⤵PID:536
-
\??\c:\ffxlffx.exec:\ffxlffx.exe89⤵
- System Location Discovery: System Language Discovery
PID:3452 -
\??\c:\tnnnbb.exec:\tnnnbb.exe90⤵PID:3672
-
\??\c:\jdvpd.exec:\jdvpd.exe91⤵PID:888
-
\??\c:\rrlxfrx.exec:\rrlxfrx.exe92⤵PID:728
-
\??\c:\rlxlfxr.exec:\rlxlfxr.exe93⤵PID:3600
-
\??\c:\bnnhbt.exec:\bnnhbt.exe94⤵PID:3728
-
\??\c:\pjdvp.exec:\pjdvp.exe95⤵PID:3968
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe96⤵PID:4132
-
\??\c:\lrxfxxx.exec:\lrxfxxx.exe97⤵PID:3724
-
\??\c:\btbnhn.exec:\btbnhn.exe98⤵PID:4240
-
\??\c:\vdjvj.exec:\vdjvj.exe99⤵PID:3360
-
\??\c:\5llxrlf.exec:\5llxrlf.exe100⤵PID:4268
-
\??\c:\frrrllf.exec:\frrrllf.exe101⤵PID:4552
-
\??\c:\btnhtt.exec:\btnhtt.exe102⤵PID:760
-
\??\c:\pjvpv.exec:\pjvpv.exe103⤵PID:1016
-
\??\c:\flxlffl.exec:\flxlffl.exe104⤵PID:2036
-
\??\c:\tntntt.exec:\tntntt.exe105⤵PID:1108
-
\??\c:\hbnhtt.exec:\hbnhtt.exe106⤵PID:1700
-
\??\c:\vvdpj.exec:\vvdpj.exe107⤵PID:4900
-
\??\c:\xrllrfr.exec:\xrllrfr.exe108⤵PID:1200
-
\??\c:\hbtttb.exec:\hbtttb.exe109⤵PID:1616
-
\??\c:\pppjj.exec:\pppjj.exe110⤵PID:4344
-
\??\c:\flrlxxr.exec:\flrlxxr.exe111⤵PID:4716
-
\??\c:\rxfxllf.exec:\rxfxllf.exe112⤵PID:1964
-
\??\c:\7bhthb.exec:\7bhthb.exe113⤵
- System Location Discovery: System Language Discovery
PID:3896 -
\??\c:\pjpjv.exec:\pjpjv.exe114⤵PID:1244
-
\??\c:\xlfrxff.exec:\xlfrxff.exe115⤵PID:4308
-
\??\c:\nhnnnn.exec:\nhnnnn.exe116⤵PID:5008
-
\??\c:\nhnhth.exec:\nhnhth.exe117⤵PID:2628
-
\??\c:\jpppp.exec:\jpppp.exe118⤵PID:2460
-
\??\c:\flxrllf.exec:\flxrllf.exe119⤵PID:3048
-
\??\c:\rlxlxrf.exec:\rlxlxrf.exe120⤵PID:1308
-
\??\c:\btthbb.exec:\btthbb.exe121⤵PID:5064
-
\??\c:\3jpdd.exec:\3jpdd.exe122⤵PID:1972