Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-12-2024 00:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe
-
Size
453KB
-
MD5
c62a7499aca2c54cb3f372c42c28861c
-
SHA1
db514b565f7e4bd8055a0edf90c7f075a51d1952
-
SHA256
ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005
-
SHA512
6b1c7856961e5371691605b64b3299663f11e5a7a49d1b2a5d68cff3a9d5bdfb235ad2c795e879d58b74996d44f82f2777c4c04344161076a0b514f3d05b77f3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4488-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/744-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1004-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-973-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-1037-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-1305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-1373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4488 rlrlffr.exe 4364 9hbthb.exe 916 ppvdp.exe 552 pppjd.exe 1336 frlxrlf.exe 1744 nbtnht.exe 4180 hbhbhh.exe 1152 ddvvp.exe 3424 xxfxrxr.exe 1840 rlllffx.exe 2772 pdvjd.exe 2064 frrfxrl.exe 1076 thtbnn.exe 4876 vvdpd.exe 4444 flrlfxr.exe 5104 hhhbnn.exe 2744 djjpj.exe 228 rflxrlf.exe 4168 7hbthh.exe 3720 3jppj.exe 5016 ffxrrll.exe 4828 frfxxxx.exe 2040 9nnhbb.exe 1700 3rfxrxr.exe 2416 rrfflxf.exe 408 tbtthb.exe 660 vvjjj.exe 3420 tnbhnt.exe 4916 nnttnn.exe 2504 xrxrllf.exe 400 bbhbtn.exe 1172 pdppj.exe 3512 tttnhh.exe 744 bnhthb.exe 1672 ppvdv.exe 3020 rrxrffr.exe 1228 bbbnhb.exe 2688 dpvpj.exe 1628 jjjpv.exe 4896 lrrrfll.exe 1184 hntnhn.exe 1956 ntttnn.exe 3056 jdvpp.exe 4408 lrxrfxf.exe 2864 jddvv.exe 3528 rlxrxrr.exe 3956 hhbnhn.exe 460 9dddv.exe 4540 ffffflr.exe 3716 hnnhht.exe 4956 dpvvp.exe 3384 bnnbnh.exe 4624 ffxxfxl.exe 2636 thhhhh.exe 1988 rrrlffr.exe 3876 vvvjv.exe 4792 pjvpp.exe 336 vjpjv.exe 2812 djvvv.exe 1916 xllxxll.exe 1804 thnnbb.exe 2452 jpdvv.exe 2760 vppjj.exe 3896 nbhbbb.exe -
resource yara_rule behavioral2/memory/4488-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-198-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1672-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4748-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-881-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4504 wrote to memory of 4488 4504 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 82 PID 4504 wrote to memory of 4488 4504 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 82 PID 4504 wrote to memory of 4488 4504 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 82 PID 4488 wrote to memory of 4364 4488 rlrlffr.exe 83 PID 4488 wrote to memory of 4364 4488 rlrlffr.exe 83 PID 4488 wrote to memory of 4364 4488 rlrlffr.exe 83 PID 4364 wrote to memory of 916 4364 9hbthb.exe 84 PID 4364 wrote to memory of 916 4364 9hbthb.exe 84 PID 4364 wrote to memory of 916 4364 9hbthb.exe 84 PID 916 wrote to memory of 552 916 ppvdp.exe 85 PID 916 wrote to memory of 552 916 ppvdp.exe 85 PID 916 wrote to memory of 552 916 ppvdp.exe 85 PID 552 wrote to memory of 1336 552 pppjd.exe 86 PID 552 wrote to memory of 1336 552 pppjd.exe 86 PID 552 wrote to memory of 1336 552 pppjd.exe 86 PID 1336 wrote to memory of 1744 1336 frlxrlf.exe 87 PID 1336 wrote to memory of 1744 1336 frlxrlf.exe 87 PID 1336 wrote to memory of 1744 1336 frlxrlf.exe 87 PID 1744 wrote to memory of 4180 1744 nbtnht.exe 88 PID 1744 wrote to memory of 4180 1744 nbtnht.exe 88 PID 1744 wrote to memory of 4180 1744 nbtnht.exe 88 PID 4180 wrote to memory of 1152 4180 hbhbhh.exe 89 PID 4180 wrote to memory of 1152 4180 hbhbhh.exe 89 PID 4180 wrote to memory of 1152 4180 hbhbhh.exe 89 PID 1152 wrote to memory of 3424 1152 ddvvp.exe 90 PID 1152 wrote to memory of 3424 1152 ddvvp.exe 90 PID 1152 wrote to memory of 3424 1152 ddvvp.exe 90 PID 3424 wrote to memory of 1840 3424 xxfxrxr.exe 91 PID 3424 wrote to memory of 1840 3424 xxfxrxr.exe 91 PID 3424 wrote to memory of 1840 3424 xxfxrxr.exe 91 PID 1840 wrote to memory of 2772 1840 rlllffx.exe 92 PID 1840 wrote to memory of 2772 1840 rlllffx.exe 92 PID 1840 wrote to memory of 2772 1840 rlllffx.exe 92 PID 2772 wrote to memory of 2064 2772 pdvjd.exe 93 PID 2772 wrote to memory of 2064 
2772 pdvjd.exe 93 PID 2772 wrote to memory of 2064 2772 pdvjd.exe 93 PID 2064 wrote to memory of 1076 2064 frrfxrl.exe 94 PID 2064 wrote to memory of 1076 2064 frrfxrl.exe 94 PID 2064 wrote to memory of 1076 2064 frrfxrl.exe 94 PID 1076 wrote to memory of 4876 1076 thtbnn.exe 95 PID 1076 wrote to memory of 4876 1076 thtbnn.exe 95 PID 1076 wrote to memory of 4876 1076 thtbnn.exe 95 PID 4876 wrote to memory of 4444 4876 vvdpd.exe 96 PID 4876 wrote to memory of 4444 4876 vvdpd.exe 96 PID 4876 wrote to memory of 4444 4876 vvdpd.exe 96 PID 4444 wrote to memory of 5104 4444 flrlfxr.exe 97 PID 4444 wrote to memory of 5104 4444 flrlfxr.exe 97 PID 4444 wrote to memory of 5104 4444 flrlfxr.exe 97 PID 5104 wrote to memory of 2744 5104 hhhbnn.exe 98 PID 5104 wrote to memory of 2744 5104 hhhbnn.exe 98 PID 5104 wrote to memory of 2744 5104 hhhbnn.exe 98 PID 2744 wrote to memory of 228 2744 djjpj.exe 99 PID 2744 wrote to memory of 228 2744 djjpj.exe 99 PID 2744 wrote to memory of 228 2744 djjpj.exe 99 PID 228 wrote to memory of 4168 228 rflxrlf.exe 100 PID 228 wrote to memory of 4168 228 rflxrlf.exe 100 PID 228 wrote to memory of 4168 228 rflxrlf.exe 100 PID 4168 wrote to memory of 3720 4168 7hbthh.exe 101 PID 4168 wrote to memory of 3720 4168 7hbthh.exe 101 PID 4168 wrote to memory of 3720 4168 7hbthh.exe 101 PID 3720 wrote to memory of 5016 3720 3jppj.exe 102 PID 3720 wrote to memory of 5016 3720 3jppj.exe 102 PID 3720 wrote to memory of 5016 3720 3jppj.exe 102 PID 5016 wrote to memory of 4828 5016 ffxrrll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe"C:\Users\Admin\AppData\Local\Temp\ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\rlrlffr.exec:\rlrlffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\9hbthb.exec:\9hbthb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\ppvdp.exec:\ppvdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\pppjd.exec:\pppjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\frlxrlf.exec:\frlxrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\nbtnht.exec:\nbtnht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\hbhbhh.exec:\hbhbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\ddvvp.exec:\ddvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\xxfxrxr.exec:\xxfxrxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\rlllffx.exec:\rlllffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\pdvjd.exec:\pdvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\frrfxrl.exec:\frrfxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\thtbnn.exec:\thtbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\vvdpd.exec:\vvdpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\flrlfxr.exec:\flrlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\hhhbnn.exec:\hhhbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\djjpj.exec:\djjpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\rflxrlf.exec:\rflxrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\7hbthh.exec:\7hbthh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\3jppj.exec:\3jppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\ffxrrll.exec:\ffxrrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\frfxxxx.exec:\frfxxxx.exe23⤵
- Executes dropped EXE
PID:4828 -
\??\c:\9nnhbb.exec:\9nnhbb.exe24⤵
- Executes dropped EXE
PID:2040 -
\??\c:\3rfxrxr.exec:\3rfxrxr.exe25⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rrfflxf.exec:\rrfflxf.exe26⤵
- Executes dropped EXE
PID:2416 -
\??\c:\tbtthb.exec:\tbtthb.exe27⤵
- Executes dropped EXE
PID:408 -
\??\c:\vvjjj.exec:\vvjjj.exe28⤵
- Executes dropped EXE
PID:660 -
\??\c:\tnbhnt.exec:\tnbhnt.exe29⤵
- Executes dropped EXE
PID:3420 -
\??\c:\nnttnn.exec:\nnttnn.exe30⤵
- Executes dropped EXE
PID:4916 -
\??\c:\xrxrllf.exec:\xrxrllf.exe31⤵
- Executes dropped EXE
PID:2504 -
\??\c:\bbhbtn.exec:\bbhbtn.exe32⤵
- Executes dropped EXE
PID:400 -
\??\c:\pdppj.exec:\pdppj.exe33⤵
- Executes dropped EXE
PID:1172 -
\??\c:\tttnhh.exec:\tttnhh.exe34⤵
- Executes dropped EXE
PID:3512 -
\??\c:\bnhthb.exec:\bnhthb.exe35⤵
- Executes dropped EXE
PID:744 -
\??\c:\ppvdv.exec:\ppvdv.exe36⤵
- Executes dropped EXE
PID:1672 -
\??\c:\rrxrffr.exec:\rrxrffr.exe37⤵
- Executes dropped EXE
PID:3020 -
\??\c:\bbbnhb.exec:\bbbnhb.exe38⤵
- Executes dropped EXE
PID:1228 -
\??\c:\dpvpj.exec:\dpvpj.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688 -
\??\c:\jjjpv.exec:\jjjpv.exe40⤵
- Executes dropped EXE
PID:1628 -
\??\c:\lrrrfll.exec:\lrrrfll.exe41⤵
- Executes dropped EXE
PID:4896 -
\??\c:\hntnhn.exec:\hntnhn.exe42⤵
- Executes dropped EXE
PID:1184 -
\??\c:\ntttnn.exec:\ntttnn.exe43⤵
- Executes dropped EXE
PID:1956 -
\??\c:\jdvpp.exec:\jdvpp.exe44⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lrxrfxf.exec:\lrxrfxf.exe45⤵
- Executes dropped EXE
PID:4408 -
\??\c:\jddvv.exec:\jddvv.exe46⤵
- Executes dropped EXE
PID:2864 -
\??\c:\rlxrxrr.exec:\rlxrxrr.exe47⤵
- Executes dropped EXE
PID:3528 -
\??\c:\hhbnhn.exec:\hhbnhn.exe48⤵
- Executes dropped EXE
PID:3956 -
\??\c:\9dddv.exec:\9dddv.exe49⤵
- Executes dropped EXE
PID:460 -
\??\c:\ffffflr.exec:\ffffflr.exe50⤵
- Executes dropped EXE
PID:4540 -
\??\c:\hnnhht.exec:\hnnhht.exe51⤵
- Executes dropped EXE
PID:3716 -
\??\c:\dpvvp.exec:\dpvvp.exe52⤵
- Executes dropped EXE
PID:4956 -
\??\c:\bnnbnh.exec:\bnnbnh.exe53⤵
- Executes dropped EXE
PID:3384 -
\??\c:\ffxxfxl.exec:\ffxxfxl.exe54⤵
- Executes dropped EXE
PID:4624 -
\??\c:\thhhhh.exec:\thhhhh.exe55⤵
- Executes dropped EXE
PID:2636 -
\??\c:\rrrlffr.exec:\rrrlffr.exe56⤵
- Executes dropped EXE
PID:1988 -
\??\c:\vvvjv.exec:\vvvjv.exe57⤵
- Executes dropped EXE
PID:3876 -
\??\c:\pjvpp.exec:\pjvpp.exe58⤵
- Executes dropped EXE
PID:4792 -
\??\c:\vjpjv.exec:\vjpjv.exe59⤵
- Executes dropped EXE
PID:336 -
\??\c:\djvvv.exec:\djvvv.exe60⤵
- Executes dropped EXE
PID:2812 -
\??\c:\xllxxll.exec:\xllxxll.exe61⤵
- Executes dropped EXE
PID:1916 -
\??\c:\thnnbb.exec:\thnnbb.exe62⤵
- Executes dropped EXE
PID:1804 -
\??\c:\jpdvv.exec:\jpdvv.exe63⤵
- Executes dropped EXE
PID:2452 -
\??\c:\vppjj.exec:\vppjj.exe64⤵
- Executes dropped EXE
PID:2760 -
\??\c:\nbhbbb.exec:\nbhbbb.exe65⤵
- Executes dropped EXE
PID:3896 -
\??\c:\djddv.exec:\djddv.exe66⤵PID:636
-
\??\c:\rxxrxfr.exec:\rxxrxfr.exe67⤵PID:1284
-
\??\c:\9hhbbt.exec:\9hhbbt.exe68⤵PID:1840
-
\??\c:\jdjvd.exec:\jdjvd.exe69⤵PID:1004
-
\??\c:\frxlffx.exec:\frxlffx.exe70⤵PID:2064
-
\??\c:\5xllfxx.exec:\5xllfxx.exe71⤵PID:3004
-
\??\c:\nhhbnt.exec:\nhhbnt.exe72⤵PID:2192
-
\??\c:\vjpjj.exec:\vjpjj.exe73⤵PID:1316
-
\??\c:\rlllffl.exec:\rlllffl.exe74⤵PID:3892
-
\??\c:\bbbtnn.exec:\bbbtnn.exe75⤵PID:5112
-
\??\c:\pvppj.exec:\pvppj.exe76⤵PID:224
-
\??\c:\1jpjd.exec:\1jpjd.exe77⤵PID:4748
-
\??\c:\lffxrrf.exec:\lffxrrf.exe78⤵PID:220
-
\??\c:\tnhhnh.exec:\tnhhnh.exe79⤵PID:4420
-
\??\c:\bbtttt.exec:\bbtttt.exe80⤵PID:1504
-
\??\c:\vvvpj.exec:\vvvpj.exe81⤵PID:216
-
\??\c:\lrrlxlx.exec:\lrrlxlx.exe82⤵PID:3720
-
\??\c:\3tbnhh.exec:\3tbnhh.exe83⤵PID:4292
-
\??\c:\jjvdj.exec:\jjvdj.exe84⤵PID:2560
-
\??\c:\xrxfrrl.exec:\xrxfrrl.exe85⤵PID:1224
-
\??\c:\lxrrlxr.exec:\lxrrlxr.exe86⤵PID:2788
-
\??\c:\1nntnn.exec:\1nntnn.exe87⤵PID:1700
-
\??\c:\pdpvv.exec:\pdpvv.exe88⤵PID:4684
-
\??\c:\3llfrrf.exec:\3llfrrf.exe89⤵PID:3676
-
\??\c:\nnnhhn.exec:\nnnhhn.exe90⤵PID:408
-
\??\c:\hbbtnn.exec:\hbbtnn.exe91⤵PID:2932
-
\??\c:\9xlfxxr.exec:\9xlfxxr.exe92⤵PID:2652
-
\??\c:\lflfrrr.exec:\lflfrrr.exe93⤵PID:2208
-
\??\c:\tbhbbn.exec:\tbhbbn.exe94⤵PID:3968
-
\??\c:\pdjvd.exec:\pdjvd.exe95⤵PID:2212
-
\??\c:\xrllrlr.exec:\xrllrlr.exe96⤵PID:728
-
\??\c:\bnttnn.exec:\bnttnn.exe97⤵PID:1464
-
\??\c:\btnhbt.exec:\btnhbt.exe98⤵PID:920
-
\??\c:\3jdvd.exec:\3jdvd.exe99⤵PID:1172
-
\??\c:\1lrfffx.exec:\1lrfffx.exe100⤵PID:1248
-
\??\c:\1hnhhh.exec:\1hnhhh.exe101⤵PID:744
-
\??\c:\nnbbtt.exec:\nnbbtt.exe102⤵PID:708
-
\??\c:\dvvpj.exec:\dvvpj.exe103⤵PID:2444
-
\??\c:\frxrrrx.exec:\frxrrrx.exe104⤵PID:1688
-
\??\c:\lfxrrrx.exec:\lfxrrrx.exe105⤵PID:976
-
\??\c:\hbbhbb.exec:\hbbhbb.exe106⤵PID:4132
-
\??\c:\dvdvv.exec:\dvdvv.exe107⤵PID:4320
-
\??\c:\vjjdv.exec:\vjjdv.exe108⤵PID:4040
-
\??\c:\rfflffl.exec:\rfflffl.exe109⤵PID:2288
-
\??\c:\1htnnn.exec:\1htnnn.exe110⤵PID:5100
-
\??\c:\bbhbhh.exec:\bbhbhh.exe111⤵PID:4692
-
\??\c:\pjjdv.exec:\pjjdv.exe112⤵PID:3124
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe113⤵PID:3636
-
\??\c:\tntntt.exec:\tntntt.exe114⤵PID:3960
-
\??\c:\jddvp.exec:\jddvp.exe115⤵PID:4816
-
\??\c:\5vdvv.exec:\5vdvv.exe116⤵PID:2132
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe117⤵PID:3668
-
\??\c:\nntbth.exec:\nntbth.exe118⤵PID:2976
-
\??\c:\vjjdp.exec:\vjjdp.exe119⤵PID:4076
-
\??\c:\xrlxrrl.exec:\xrlxrrl.exe120⤵PID:4552
-
\??\c:\rlrlfff.exec:\rlrlfff.exe121⤵PID:3156
-
\??\c:\tttnhh.exec:\tttnhh.exe122⤵PID:4504
-