Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe
-
Size
453KB
-
MD5
6f15a998b54aa1da248ae4e9f5881417
-
SHA1
fa2fdacc0902d688f6f7ec88d7d42ab38cde75e6
-
SHA256
a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9
-
SHA512
d9ae53aeffb4e018661274b9b7757e6d03782902cebe00bf6dcd2d489fa7b0ed3b6af9210eb6f1aba9c31e660f8ab9af7b09bad1c9f4d78bafc5562c1ff9e62e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3860-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1488-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3872-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-883-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-1056-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-1136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-1161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4360-1802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3864 rxrllrl.exe 2168 lrrllff.exe 3820 bntbbh.exe 3184 nntnbh.exe 4704 dpdvd.exe 4664 llrxxll.exe 3112 hhnnnt.exe 652 7jjdd.exe 3936 dvjdv.exe 4944 ntbhnn.exe 2360 frfxrlf.exe 1640 hhbtnn.exe 4576 vjjjj.exe 404 1xxrlxx.exe 3200 nhnbtn.exe 2344 tnnbtn.exe 3484 nnhbbt.exe 4868 fllfffx.exe 1956 djjpp.exe 2740 rrxfffl.exe 4332 nttttt.exe 4960 tntttt.exe 4996 vdpjj.exe 1548 llxxrxr.exe 4820 nnbbbb.exe 5012 9dpdj.exe 3248 jjppp.exe 776 xfxllxf.exe 1080 tbnnhb.exe 4348 nnbttt.exe 5056 7jdvv.exe 1284 fffxffx.exe 3100 llfxlfx.exe 1496 nttnhh.exe 4648 jdpjv.exe 1920 vdppj.exe 544 xlllflf.exe 3524 hhhbbb.exe 668 bhhbtb.exe 4472 vjppp.exe 3612 5fxrlrl.exe 4288 llrxxff.exe 4272 nthhbb.exe 2288 9pppp.exe 1044 flrlrrx.exe 1488 llrllll.exe 2168 3hbbnt.exe 3820 pdjjj.exe 3808 pjjjd.exe 3272 ffffllf.exe 5072 3tbbbh.exe 4976 rxrxrrl.exe 4788 nttbbn.exe 2796 jjpvj.exe 2144 llxlrlx.exe 2156 hbbttt.exe 1444 vvjjd.exe 4384 fllrxxf.exe 1252 hhnhbb.exe 4172 7vdvd.exe 3480 pdjdv.exe 1452 hbttnn.exe 4340 jdjjp.exe 4568 bbbttt.exe -
resource yara_rule behavioral2/memory/3860-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-236-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1044-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1872-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-883-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-931-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3860 wrote to memory of 3864 3860 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 83 PID 3860 wrote to memory of 3864 3860 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 83 PID 3860 wrote to memory of 3864 3860 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 83 PID 3864 wrote to memory of 2168 3864 rxrllrl.exe 84 PID 3864 wrote to memory of 2168 3864 rxrllrl.exe 84 PID 3864 wrote to memory of 2168 3864 rxrllrl.exe 84 PID 2168 wrote to memory of 3820 2168 lrrllff.exe 85 PID 2168 wrote to memory of 3820 2168 lrrllff.exe 85 PID 2168 wrote to memory of 3820 2168 lrrllff.exe 85 PID 3820 wrote to memory of 3184 3820 bntbbh.exe 86 PID 3820 wrote to memory of 3184 3820 bntbbh.exe 86 PID 3820 wrote to memory of 3184 3820 bntbbh.exe 86 PID 3184 wrote to memory of 4704 3184 nntnbh.exe 87 PID 3184 wrote to memory of 4704 3184 nntnbh.exe 87 PID 3184 wrote to memory of 4704 3184 nntnbh.exe 87 PID 4704 wrote to memory of 4664 4704 dpdvd.exe 88 PID 4704 wrote to memory of 4664 4704 dpdvd.exe 88 PID 4704 wrote to memory of 4664 4704 dpdvd.exe 88 PID 4664 wrote to memory of 3112 4664 llrxxll.exe 89 PID 4664 wrote to memory of 3112 4664 llrxxll.exe 89 PID 4664 wrote to memory of 3112 4664 llrxxll.exe 89 PID 3112 wrote to memory of 652 3112 hhnnnt.exe 90 PID 3112 wrote to memory of 652 3112 hhnnnt.exe 90 PID 3112 wrote to memory of 652 3112 hhnnnt.exe 90 PID 652 wrote to memory of 3936 652 7jjdd.exe 91 PID 652 wrote to memory of 3936 652 7jjdd.exe 91 PID 652 wrote to memory of 3936 652 7jjdd.exe 91 PID 3936 wrote to memory of 4944 3936 dvjdv.exe 92 PID 3936 wrote to memory of 4944 3936 dvjdv.exe 92 PID 3936 wrote to memory of 4944 3936 dvjdv.exe 92 PID 4944 wrote to memory of 2360 4944 ntbhnn.exe 93 PID 4944 wrote to memory of 2360 4944 ntbhnn.exe 93 PID 4944 wrote to memory of 2360 4944 ntbhnn.exe 93 PID 2360 wrote to memory of 1640 2360 frfxrlf.exe 94 PID 2360 wrote to memory of 
1640 2360 frfxrlf.exe 94 PID 2360 wrote to memory of 1640 2360 frfxrlf.exe 94 PID 1640 wrote to memory of 4576 1640 hhbtnn.exe 95 PID 1640 wrote to memory of 4576 1640 hhbtnn.exe 95 PID 1640 wrote to memory of 4576 1640 hhbtnn.exe 95 PID 4576 wrote to memory of 404 4576 vjjjj.exe 96 PID 4576 wrote to memory of 404 4576 vjjjj.exe 96 PID 4576 wrote to memory of 404 4576 vjjjj.exe 96 PID 404 wrote to memory of 3200 404 1xxrlxx.exe 97 PID 404 wrote to memory of 3200 404 1xxrlxx.exe 97 PID 404 wrote to memory of 3200 404 1xxrlxx.exe 97 PID 3200 wrote to memory of 2344 3200 nhnbtn.exe 98 PID 3200 wrote to memory of 2344 3200 nhnbtn.exe 98 PID 3200 wrote to memory of 2344 3200 nhnbtn.exe 98 PID 2344 wrote to memory of 3484 2344 tnnbtn.exe 99 PID 2344 wrote to memory of 3484 2344 tnnbtn.exe 99 PID 2344 wrote to memory of 3484 2344 tnnbtn.exe 99 PID 3484 wrote to memory of 4868 3484 nnhbbt.exe 100 PID 3484 wrote to memory of 4868 3484 nnhbbt.exe 100 PID 3484 wrote to memory of 4868 3484 nnhbbt.exe 100 PID 4868 wrote to memory of 1956 4868 fllfffx.exe 101 PID 4868 wrote to memory of 1956 4868 fllfffx.exe 101 PID 4868 wrote to memory of 1956 4868 fllfffx.exe 101 PID 1956 wrote to memory of 2740 1956 djjpp.exe 102 PID 1956 wrote to memory of 2740 1956 djjpp.exe 102 PID 1956 wrote to memory of 2740 1956 djjpp.exe 102 PID 2740 wrote to memory of 4332 2740 rrxfffl.exe 103 PID 2740 wrote to memory of 4332 2740 rrxfffl.exe 103 PID 2740 wrote to memory of 4332 2740 rrxfffl.exe 103 PID 4332 wrote to memory of 4960 4332 nttttt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe"C:\Users\Admin\AppData\Local\Temp\a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\rxrllrl.exec:\rxrllrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\lrrllff.exec:\lrrllff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\bntbbh.exec:\bntbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\nntnbh.exec:\nntnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\dpdvd.exec:\dpdvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\llrxxll.exec:\llrxxll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\hhnnnt.exec:\hhnnnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\7jjdd.exec:\7jjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\dvjdv.exec:\dvjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\ntbhnn.exec:\ntbhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\frfxrlf.exec:\frfxrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\hhbtnn.exec:\hhbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\vjjjj.exec:\vjjjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\1xxrlxx.exec:\1xxrlxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\nhnbtn.exec:\nhnbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\tnnbtn.exec:\tnnbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\nnhbbt.exec:\nnhbbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\fllfffx.exec:\fllfffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\djjpp.exec:\djjpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\rrxfffl.exec:\rrxfffl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\nttttt.exec:\nttttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\tntttt.exec:\tntttt.exe23⤵
- Executes dropped EXE
PID:4960 -
\??\c:\vdpjj.exec:\vdpjj.exe24⤵
- Executes dropped EXE
PID:4996 -
\??\c:\llxxrxr.exec:\llxxrxr.exe25⤵
- Executes dropped EXE
PID:1548 -
\??\c:\nnbbbb.exec:\nnbbbb.exe26⤵
- Executes dropped EXE
PID:4820 -
\??\c:\9dpdj.exec:\9dpdj.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5012 -
\??\c:\jjppp.exec:\jjppp.exe28⤵
- Executes dropped EXE
PID:3248 -
\??\c:\xfxllxf.exec:\xfxllxf.exe29⤵
- Executes dropped EXE
PID:776 -
\??\c:\tbnnhb.exec:\tbnnhb.exe30⤵
- Executes dropped EXE
PID:1080 -
\??\c:\nnbttt.exec:\nnbttt.exe31⤵
- Executes dropped EXE
PID:4348 -
\??\c:\7jdvv.exec:\7jdvv.exe32⤵
- Executes dropped EXE
PID:5056 -
\??\c:\fffxffx.exec:\fffxffx.exe33⤵
- Executes dropped EXE
PID:1284 -
\??\c:\llfxlfx.exec:\llfxlfx.exe34⤵
- Executes dropped EXE
PID:3100 -
\??\c:\nttnhh.exec:\nttnhh.exe35⤵
- Executes dropped EXE
PID:1496 -
\??\c:\jdpjv.exec:\jdpjv.exe36⤵
- Executes dropped EXE
PID:4648 -
\??\c:\vdppj.exec:\vdppj.exe37⤵
- Executes dropped EXE
PID:1920 -
\??\c:\xlllflf.exec:\xlllflf.exe38⤵
- Executes dropped EXE
PID:544 -
\??\c:\hhhbbb.exec:\hhhbbb.exe39⤵
- Executes dropped EXE
PID:3524 -
\??\c:\bhhbtb.exec:\bhhbtb.exe40⤵
- Executes dropped EXE
PID:668 -
\??\c:\vjppp.exec:\vjppp.exe41⤵
- Executes dropped EXE
PID:4472 -
\??\c:\5fxrlrl.exec:\5fxrlrl.exe42⤵
- Executes dropped EXE
PID:3612 -
\??\c:\llrxxff.exec:\llrxxff.exe43⤵
- Executes dropped EXE
PID:4288 -
\??\c:\nthhbb.exec:\nthhbb.exe44⤵
- Executes dropped EXE
PID:4272 -
\??\c:\9pppp.exec:\9pppp.exe45⤵
- Executes dropped EXE
PID:2288 -
\??\c:\flrlrrx.exec:\flrlrrx.exe46⤵
- Executes dropped EXE
PID:1044 -
\??\c:\llrllll.exec:\llrllll.exe47⤵
- Executes dropped EXE
PID:1488 -
\??\c:\3hbbnt.exec:\3hbbnt.exe48⤵
- Executes dropped EXE
PID:2168 -
\??\c:\pdjjj.exec:\pdjjj.exe49⤵
- Executes dropped EXE
PID:3820 -
\??\c:\pjjjd.exec:\pjjjd.exe50⤵
- Executes dropped EXE
PID:3808 -
\??\c:\ffffllf.exec:\ffffllf.exe51⤵
- Executes dropped EXE
PID:3272 -
\??\c:\3tbbbh.exec:\3tbbbh.exe52⤵
- Executes dropped EXE
PID:5072 -
\??\c:\rxrxrrl.exec:\rxrxrrl.exe53⤵
- Executes dropped EXE
PID:4976 -
\??\c:\nttbbn.exec:\nttbbn.exe54⤵
- Executes dropped EXE
PID:4788 -
\??\c:\jjpvj.exec:\jjpvj.exe55⤵
- Executes dropped EXE
PID:2796 -
\??\c:\llxlrlx.exec:\llxlrlx.exe56⤵
- Executes dropped EXE
PID:2144 -
\??\c:\hbbttt.exec:\hbbttt.exe57⤵
- Executes dropped EXE
PID:2156 -
\??\c:\vvjjd.exec:\vvjjd.exe58⤵
- Executes dropped EXE
PID:1444 -
\??\c:\fllrxxf.exec:\fllrxxf.exe59⤵
- Executes dropped EXE
PID:4384 -
\??\c:\hhnhbb.exec:\hhnhbb.exe60⤵
- Executes dropped EXE
PID:1252 -
\??\c:\7vdvd.exec:\7vdvd.exe61⤵
- Executes dropped EXE
PID:4172 -
\??\c:\pdjdv.exec:\pdjdv.exe62⤵
- Executes dropped EXE
PID:3480 -
\??\c:\hbttnn.exec:\hbttnn.exe63⤵
- Executes dropped EXE
PID:1452 -
\??\c:\jdjjp.exec:\jdjjp.exe64⤵
- Executes dropped EXE
PID:4340 -
\??\c:\bbbttt.exec:\bbbttt.exe65⤵
- Executes dropped EXE
PID:4568 -
\??\c:\3hnhbn.exec:\3hnhbn.exe66⤵PID:3872
-
\??\c:\1jpjd.exec:\1jpjd.exe67⤵PID:2344
-
\??\c:\lxxrffr.exec:\lxxrffr.exe68⤵PID:4676
-
\??\c:\nttbbn.exec:\nttbbn.exe69⤵PID:4516
-
\??\c:\xflrxfx.exec:\xflrxfx.exe70⤵PID:4452
-
\??\c:\bhbhtn.exec:\bhbhtn.exe71⤵PID:4432
-
\??\c:\jppjj.exec:\jppjj.exe72⤵PID:4652
-
\??\c:\xxffxxf.exec:\xxffxxf.exe73⤵PID:4924
-
\??\c:\hhbbtt.exec:\hhbbtt.exe74⤵PID:2356
-
\??\c:\3nhbhn.exec:\3nhbhn.exe75⤵PID:208
-
\??\c:\jpvvv.exec:\jpvvv.exe76⤵PID:2648
-
\??\c:\lfrlrrl.exec:\lfrlrrl.exe77⤵PID:3812
-
\??\c:\vppjj.exec:\vppjj.exe78⤵PID:2640
-
\??\c:\lfxrllf.exec:\lfxrllf.exe79⤵PID:2612
-
\??\c:\hhbtnn.exec:\hhbtnn.exe80⤵PID:4792
-
\??\c:\7lllffx.exec:\7lllffx.exe81⤵PID:2464
-
\??\c:\tntbbh.exec:\tntbbh.exe82⤵PID:2120
-
\??\c:\3pppp.exec:\3pppp.exe83⤵PID:932
-
\??\c:\pjpjd.exec:\pjpjd.exe84⤵PID:748
-
\??\c:\fxffllx.exec:\fxffllx.exe85⤵PID:4644
-
\??\c:\bhtnnn.exec:\bhtnnn.exe86⤵PID:3076
-
\??\c:\vjvdp.exec:\vjvdp.exe87⤵PID:380
-
\??\c:\xxlllll.exec:\xxlllll.exe88⤵PID:1780
-
\??\c:\djjjj.exec:\djjjj.exe89⤵PID:1204
-
\??\c:\5vdjj.exec:\5vdjj.exe90⤵PID:960
-
\??\c:\ffrrlfr.exec:\ffrrlfr.exe91⤵PID:2368
-
\??\c:\3frxxxr.exec:\3frxxxr.exe92⤵PID:2928
-
\??\c:\nttttb.exec:\nttttb.exe93⤵PID:2324
-
\??\c:\pjjjd.exec:\pjjjd.exe94⤵PID:3016
-
\??\c:\7flfxxr.exec:\7flfxxr.exe95⤵PID:1872
-
\??\c:\nhntbt.exec:\nhntbt.exe96⤵PID:3864
-
\??\c:\jpjdv.exec:\jpjdv.exe97⤵PID:760
-
\??\c:\lfrflxr.exec:\lfrflxr.exe98⤵PID:4456
-
\??\c:\tttbbt.exec:\tttbbt.exe99⤵PID:3808
-
\??\c:\ttbtnn.exec:\ttbtnn.exe100⤵PID:1236
-
\??\c:\jjjdj.exec:\jjjdj.exe101⤵PID:2052
-
\??\c:\7xllxxr.exec:\7xllxxr.exe102⤵PID:3504
-
\??\c:\llrfrxl.exec:\llrfrxl.exe103⤵PID:2408
-
\??\c:\bbttnn.exec:\bbttnn.exe104⤵PID:3716
-
\??\c:\pdpjj.exec:\pdpjj.exe105⤵PID:2752
-
\??\c:\rrrxrxf.exec:\rrrxrxf.exe106⤵PID:3652
-
\??\c:\3rlrrlr.exec:\3rlrrlr.exe107⤵PID:1248
-
\??\c:\1bhhhb.exec:\1bhhhb.exe108⤵PID:1944
-
\??\c:\vvppd.exec:\vvppd.exe109⤵PID:652
-
\??\c:\vvjdd.exec:\vvjdd.exe110⤵PID:3428
-
\??\c:\rrrfffr.exec:\rrrfffr.exe111⤵PID:4388
-
\??\c:\hhnhnn.exec:\hhnhnn.exe112⤵PID:324
-
\??\c:\bhbbbh.exec:\bhbbbh.exe113⤵PID:4264
-
\??\c:\3jjjd.exec:\3jjjd.exe114⤵PID:4384
-
\??\c:\lffxrrr.exec:\lffxrrr.exe115⤵PID:2744
-
\??\c:\htbtnh.exec:\htbtnh.exe116⤵PID:400
-
\??\c:\nbnnhh.exec:\nbnnhh.exe117⤵PID:2820
-
\??\c:\vdddv.exec:\vdddv.exe118⤵PID:5108
-
\??\c:\rxxxrrl.exec:\rxxxrrl.exe119⤵PID:3488
-
\??\c:\1hbbtt.exec:\1hbbtt.exe120⤵PID:1468
-
\??\c:\bbbnhb.exec:\bbbnhb.exe121⤵PID:756
-
\??\c:\djvpp.exec:\djvpp.exe122⤵PID:2528