Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 22:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a5b1b4b14970fb2a5ea5170e2318763d5c3c0c316f4847b1b2984e0b8c99889cN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a5b1b4b14970fb2a5ea5170e2318763d5c3c0c316f4847b1b2984e0b8c99889cN.exe
-
Size
454KB
-
MD5
8843be0004df392bc5c2fd65800648f0
-
SHA1
489e459dbaacfdf5b00c25df2452364b53ddd0a9
-
SHA256
a5b1b4b14970fb2a5ea5170e2318763d5c3c0c316f4847b1b2984e0b8c99889c
-
SHA512
cc81570eebb0d5a161ae2a9e4dadcd0284c1f0a5cc80bab9516eb34042c2e59d884a1a9ec7df43303c953bbd7fcc13d73da58c66db4c7ec97085d3ba9d845266
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4676-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2128-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2848-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-1000-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-1040-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3468 lflflfl.exe 2052 rfllrxx.exe 3184 9bbthh.exe 5108 httnhb.exe 1200 5jpjj.exe 1000 bnhbhh.exe 3612 5tbttn.exe 2664 jvvpd.exe 4328 rxfxrrx.exe 3348 pppjd.exe 2028 fxxlffx.exe 3508 9dddv.exe 1904 rxxxxxx.exe 896 htbtnh.exe 2976 lxfrffx.exe 3248 ntbttn.exe 4692 pjdvp.exe 4568 tthbbb.exe 2880 1pdvv.exe 3868 5jdvj.exe 1540 llxrlfx.exe 1828 dddpv.exe 2500 xxxlxlf.exe 2336 thbhth.exe 224 ddpjd.exe 4332 7xrrrxf.exe 956 htbbtt.exe 2128 pppjv.exe 2380 vvddj.exe 2816 lfrfrrx.exe 4032 ppvpd.exe 544 nhhbbb.exe 3148 pjjvv.exe 3492 xflfrrx.exe 3648 hbbnhb.exe 1496 vpvjd.exe 3512 lxfxrlf.exe 4452 xrxlffx.exe 4880 lfllrlr.exe 3040 rflfxxr.exe 2728 htttnn.exe 4276 dppjj.exe 388 rrxlxxr.exe 2464 fxxrlrl.exe 4740 thttnn.exe 2800 pjdvv.exe 4536 3rxlllr.exe 2928 lflllff.exe 5108 bntnnh.exe 4316 vppvp.exe 708 xfflxrf.exe 3448 htnnbb.exe 2396 vppvj.exe 2452 frxlrff.exe 3436 bbnntn.exe 184 7pjvj.exe 5000 pvppj.exe 3260 5xrfrlf.exe 4516 httnhb.exe 3056 vjpvd.exe 2808 5dvpj.exe 2288 xxlrffx.exe 3896 ntnhtn.exe 4976 jdjdv.exe -
resource yara_rule behavioral2/memory/4676-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-132-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2128-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-369-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4452-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-805-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4676 wrote to memory of 3468 4676 a5b1b4b14970fb2a5ea5170e2318763d5c3c0c316f4847b1b2984e0b8c99889cN.exe 83 PID 4676 wrote to memory of 3468 4676 a5b1b4b14970fb2a5ea5170e2318763d5c3c0c316f4847b1b2984e0b8c99889cN.exe 83 PID 4676 wrote to memory of 3468 4676 a5b1b4b14970fb2a5ea5170e2318763d5c3c0c316f4847b1b2984e0b8c99889cN.exe 83 PID 3468 wrote to memory of 2052 3468 lflflfl.exe 84 PID 3468 wrote to memory of 2052 3468 lflflfl.exe 84 PID 3468 wrote to memory of 2052 3468 lflflfl.exe 84 PID 2052 wrote to memory of 3184 2052 rfllrxx.exe 85 PID 2052 wrote to memory of 3184 2052 rfllrxx.exe 85 PID 2052 wrote to memory of 3184 2052 rfllrxx.exe 85 PID 3184 wrote to memory of 5108 3184 9bbthh.exe 86 PID 3184 wrote to memory of 5108 3184 9bbthh.exe 86 PID 3184 wrote to memory of 5108 3184 9bbthh.exe 86 PID 5108 wrote to memory of 1200 5108 httnhb.exe 87 PID 5108 wrote to memory of 1200 5108 httnhb.exe 87 PID 5108 wrote to memory of 1200 5108 httnhb.exe 87 PID 1200 wrote to memory of 1000 1200 5jpjj.exe 88 PID 1200 wrote to memory of 1000 1200 5jpjj.exe 88 PID 1200 wrote to memory of 1000 1200 5jpjj.exe 88 PID 1000 wrote to memory of 3612 1000 bnhbhh.exe 89 PID 1000 wrote to memory of 3612 1000 bnhbhh.exe 89 PID 1000 wrote to memory of 3612 1000 bnhbhh.exe 89 PID 3612 wrote to memory of 2664 3612 5tbttn.exe 90 PID 3612 wrote to memory of 2664 3612 5tbttn.exe 90 PID 3612 wrote to memory of 2664 3612 5tbttn.exe 90 PID 2664 wrote to memory of 4328 2664 jvvpd.exe 91 PID 2664 wrote to memory of 4328 2664 jvvpd.exe 91 PID 2664 wrote to memory of 4328 2664 jvvpd.exe 91 PID 4328 wrote to memory of 3348 4328 rxfxrrx.exe 92 PID 4328 wrote to memory of 3348 4328 rxfxrrx.exe 92 PID 4328 wrote to memory of 3348 4328 rxfxrrx.exe 92 PID 3348 wrote to memory of 2028 3348 pppjd.exe 93 PID 3348 wrote to memory of 2028 3348 pppjd.exe 93 PID 3348 wrote to memory of 2028 3348 pppjd.exe 93 PID 2028 wrote to memory of 3508 2028 fxxlffx.exe 94 PID 2028 wrote 
to memory of 3508 2028 fxxlffx.exe 94 PID 2028 wrote to memory of 3508 2028 fxxlffx.exe 94 PID 3508 wrote to memory of 1904 3508 9dddv.exe 95 PID 3508 wrote to memory of 1904 3508 9dddv.exe 95 PID 3508 wrote to memory of 1904 3508 9dddv.exe 95 PID 1904 wrote to memory of 896 1904 rxxxxxx.exe 96 PID 1904 wrote to memory of 896 1904 rxxxxxx.exe 96 PID 1904 wrote to memory of 896 1904 rxxxxxx.exe 96 PID 896 wrote to memory of 2976 896 htbtnh.exe 97 PID 896 wrote to memory of 2976 896 htbtnh.exe 97 PID 896 wrote to memory of 2976 896 htbtnh.exe 97 PID 2976 wrote to memory of 3248 2976 lxfrffx.exe 98 PID 2976 wrote to memory of 3248 2976 lxfrffx.exe 98 PID 2976 wrote to memory of 3248 2976 lxfrffx.exe 98 PID 3248 wrote to memory of 4692 3248 ntbttn.exe 99 PID 3248 wrote to memory of 4692 3248 ntbttn.exe 99 PID 3248 wrote to memory of 4692 3248 ntbttn.exe 99 PID 4692 wrote to memory of 4568 4692 pjdvp.exe 100 PID 4692 wrote to memory of 4568 4692 pjdvp.exe 100 PID 4692 wrote to memory of 4568 4692 pjdvp.exe 100 PID 4568 wrote to memory of 2880 4568 tthbbb.exe 101 PID 4568 wrote to memory of 2880 4568 tthbbb.exe 101 PID 4568 wrote to memory of 2880 4568 tthbbb.exe 101 PID 2880 wrote to memory of 3868 2880 1pdvv.exe 102 PID 2880 wrote to memory of 3868 2880 1pdvv.exe 102 PID 2880 wrote to memory of 3868 2880 1pdvv.exe 102 PID 3868 wrote to memory of 1540 3868 5jdvj.exe 103 PID 3868 wrote to memory of 1540 3868 5jdvj.exe 103 PID 3868 wrote to memory of 1540 3868 5jdvj.exe 103 PID 1540 wrote to memory of 1828 1540 llxrlfx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5b1b4b14970fb2a5ea5170e2318763d5c3c0c316f4847b1b2984e0b8c99889cN.exe"C:\Users\Admin\AppData\Local\Temp\a5b1b4b14970fb2a5ea5170e2318763d5c3c0c316f4847b1b2984e0b8c99889cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\lflflfl.exec:\lflflfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\rfllrxx.exec:\rfllrxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\9bbthh.exec:\9bbthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\httnhb.exec:\httnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\5jpjj.exec:\5jpjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\bnhbhh.exec:\bnhbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\5tbttn.exec:\5tbttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\jvvpd.exec:\jvvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\rxfxrrx.exec:\rxfxrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\pppjd.exec:\pppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\fxxlffx.exec:\fxxlffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\9dddv.exec:\9dddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\rxxxxxx.exec:\rxxxxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\htbtnh.exec:\htbtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\lxfrffx.exec:\lxfrffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\ntbttn.exec:\ntbttn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\pjdvp.exec:\pjdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\tthbbb.exec:\tthbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\1pdvv.exec:\1pdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\5jdvj.exec:\5jdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\llxrlfx.exec:\llxrlfx.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\dddpv.exec:\dddpv.exe23⤵
- Executes dropped EXE
PID:1828 -
\??\c:\xxxlxlf.exec:\xxxlxlf.exe24⤵
- Executes dropped EXE
PID:2500 -
\??\c:\thbhth.exec:\thbhth.exe25⤵
- Executes dropped EXE
PID:2336 -
\??\c:\ddpjd.exec:\ddpjd.exe26⤵
- Executes dropped EXE
PID:224 -
\??\c:\7xrrrxf.exec:\7xrrrxf.exe27⤵
- Executes dropped EXE
PID:4332 -
\??\c:\htbbtt.exec:\htbbtt.exe28⤵
- Executes dropped EXE
PID:956 -
\??\c:\pppjv.exec:\pppjv.exe29⤵
- Executes dropped EXE
PID:2128 -
\??\c:\vvddj.exec:\vvddj.exe30⤵
- Executes dropped EXE
PID:2380 -
\??\c:\lfrfrrx.exec:\lfrfrrx.exe31⤵
- Executes dropped EXE
PID:2816 -
\??\c:\ppvpd.exec:\ppvpd.exe32⤵
- Executes dropped EXE
PID:4032 -
\??\c:\nhhbbb.exec:\nhhbbb.exe33⤵
- Executes dropped EXE
PID:544 -
\??\c:\pjjvv.exec:\pjjvv.exe34⤵
- Executes dropped EXE
PID:3148 -
\??\c:\xflfrrx.exec:\xflfrrx.exe35⤵
- Executes dropped EXE
PID:3492 -
\??\c:\hbbnhb.exec:\hbbnhb.exe36⤵
- Executes dropped EXE
PID:3648 -
\??\c:\vpvjd.exec:\vpvjd.exe37⤵
- Executes dropped EXE
PID:1496 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe38⤵
- Executes dropped EXE
PID:3512 -
\??\c:\xrxlffx.exec:\xrxlffx.exe39⤵
- Executes dropped EXE
PID:4452 -
\??\c:\lfllrlr.exec:\lfllrlr.exe40⤵
- Executes dropped EXE
PID:4880 -
\??\c:\rflfxxr.exec:\rflfxxr.exe41⤵
- Executes dropped EXE
PID:3040 -
\??\c:\htttnn.exec:\htttnn.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\dppjj.exec:\dppjj.exe43⤵
- Executes dropped EXE
PID:4276 -
\??\c:\rrxlxxr.exec:\rrxlxxr.exe44⤵
- Executes dropped EXE
PID:388 -
\??\c:\fxxrlrl.exec:\fxxrlrl.exe45⤵
- Executes dropped EXE
PID:2464 -
\??\c:\thttnn.exec:\thttnn.exe46⤵
- Executes dropped EXE
PID:4740 -
\??\c:\pjdvv.exec:\pjdvv.exe47⤵
- Executes dropped EXE
PID:2800 -
\??\c:\3rxlllr.exec:\3rxlllr.exe48⤵
- Executes dropped EXE
PID:4536 -
\??\c:\lflllff.exec:\lflllff.exe49⤵
- Executes dropped EXE
PID:2928 -
\??\c:\bntnnh.exec:\bntnnh.exe50⤵
- Executes dropped EXE
PID:5108 -
\??\c:\vppvp.exec:\vppvp.exe51⤵
- Executes dropped EXE
PID:4316 -
\??\c:\xfflxrf.exec:\xfflxrf.exe52⤵
- Executes dropped EXE
PID:708 -
\??\c:\htnnbb.exec:\htnnbb.exe53⤵
- Executes dropped EXE
PID:3448 -
\??\c:\vppvj.exec:\vppvj.exe54⤵
- Executes dropped EXE
PID:2396 -
\??\c:\frxlrff.exec:\frxlrff.exe55⤵
- Executes dropped EXE
PID:2452 -
\??\c:\bbnntn.exec:\bbnntn.exe56⤵
- Executes dropped EXE
PID:3436 -
\??\c:\7pjvj.exec:\7pjvj.exe57⤵
- Executes dropped EXE
PID:184 -
\??\c:\pvppj.exec:\pvppj.exe58⤵
- Executes dropped EXE
PID:5000 -
\??\c:\5xrfrlf.exec:\5xrfrlf.exe59⤵
- Executes dropped EXE
PID:3260 -
\??\c:\httnhb.exec:\httnhb.exe60⤵
- Executes dropped EXE
PID:4516 -
\??\c:\vjpvd.exec:\vjpvd.exe61⤵
- Executes dropped EXE
PID:3056 -
\??\c:\5dvpj.exec:\5dvpj.exe62⤵
- Executes dropped EXE
PID:2808 -
\??\c:\xxlrffx.exec:\xxlrffx.exe63⤵
- Executes dropped EXE
PID:2288 -
\??\c:\ntnhtn.exec:\ntnhtn.exe64⤵
- Executes dropped EXE
PID:3896 -
\??\c:\jdjdv.exec:\jdjdv.exe65⤵
- Executes dropped EXE
PID:4976 -
\??\c:\lrxrffx.exec:\lrxrffx.exe66⤵
- System Location Discovery: System Language Discovery
PID:1396 -
\??\c:\1bnhnh.exec:\1bnhnh.exe67⤵PID:4672
-
\??\c:\nttnhb.exec:\nttnhb.exe68⤵PID:2036
-
\??\c:\3vvpp.exec:\3vvpp.exe69⤵PID:4132
-
\??\c:\frxlflf.exec:\frxlflf.exe70⤵PID:3080
-
\??\c:\ththhb.exec:\ththhb.exe71⤵PID:4868
-
\??\c:\pvpvj.exec:\pvpvj.exe72⤵PID:3668
-
\??\c:\fxrlfxx.exec:\fxrlfxx.exe73⤵PID:1540
-
\??\c:\lllfxxr.exec:\lllfxxr.exe74⤵PID:4956
-
\??\c:\3bthnn.exec:\3bthnn.exe75⤵PID:1828
-
\??\c:\dvpjj.exec:\dvpjj.exe76⤵PID:2500
-
\??\c:\frlxxrx.exec:\frlxxrx.exe77⤵PID:2848
-
\??\c:\nbhnhh.exec:\nbhnhh.exe78⤵PID:3136
-
\??\c:\1jdjd.exec:\1jdjd.exe79⤵PID:1492
-
\??\c:\xrfrrlx.exec:\xrfrrlx.exe80⤵PID:1140
-
\??\c:\5xrrllf.exec:\5xrrllf.exe81⤵
- System Location Discovery: System Language Discovery
PID:2984 -
\??\c:\nbntnh.exec:\nbntnh.exe82⤵PID:3300
-
\??\c:\hnbthb.exec:\hnbthb.exe83⤵PID:4984
-
\??\c:\1pdvd.exec:\1pdvd.exe84⤵PID:5104
-
\??\c:\xrlfxrf.exec:\xrlfxrf.exe85⤵PID:2684
-
\??\c:\nbnhbt.exec:\nbnhbt.exe86⤵PID:4936
-
\??\c:\pdvjv.exec:\pdvjv.exe87⤵PID:3888
-
\??\c:\jjpvp.exec:\jjpvp.exe88⤵PID:3584
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe89⤵PID:1420
-
\??\c:\fxxxrrl.exec:\fxxxrrl.exe90⤵PID:508
-
\??\c:\1nbnhh.exec:\1nbnhh.exe91⤵PID:1736
-
\??\c:\jvvvj.exec:\jvvvj.exe92⤵PID:4932
-
\??\c:\3llfllf.exec:\3llfllf.exe93⤵PID:3512
-
\??\c:\lxlrllx.exec:\lxlrllx.exe94⤵PID:4452
-
\??\c:\httbnh.exec:\httbnh.exe95⤵PID:4880
-
\??\c:\9pvjv.exec:\9pvjv.exe96⤵PID:4288
-
\??\c:\7rxrffx.exec:\7rxrffx.exe97⤵PID:4428
-
\??\c:\3bbnhb.exec:\3bbnhb.exe98⤵PID:3564
-
\??\c:\9ththb.exec:\9ththb.exe99⤵PID:4676
-
\??\c:\dddvp.exec:\dddvp.exe100⤵PID:724
-
\??\c:\5xxrlfl.exec:\5xxrlfl.exe101⤵PID:2052
-
\??\c:\bbbtnn.exec:\bbbtnn.exe102⤵
- System Location Discovery: System Language Discovery
PID:4820 -
\??\c:\3bhthb.exec:\3bhthb.exe103⤵PID:1660
-
\??\c:\jvdpd.exec:\jvdpd.exe104⤵PID:548
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe105⤵PID:1912
-
\??\c:\nhhbbb.exec:\nhhbbb.exe106⤵PID:1228
-
\??\c:\bhnntn.exec:\bhnntn.exe107⤵PID:2056
-
\??\c:\ppvjv.exec:\ppvjv.exe108⤵PID:4344
-
\??\c:\lrxlrlx.exec:\lrxlrlx.exe109⤵PID:1108
-
\??\c:\btthbt.exec:\btthbt.exe110⤵PID:3228
-
\??\c:\dppjp.exec:\dppjp.exe111⤵PID:4240
-
\??\c:\vppjd.exec:\vppjd.exe112⤵PID:4964
-
\??\c:\3lfrfxr.exec:\3lfrfxr.exe113⤵PID:4696
-
\??\c:\ntnbtn.exec:\ntnbtn.exe114⤵PID:1476
-
\??\c:\9jjvv.exec:\9jjvv.exe115⤵PID:1040
-
\??\c:\frxlrlx.exec:\frxlrlx.exe116⤵PID:5084
-
\??\c:\bhbnbt.exec:\bhbnbt.exe117⤵PID:3268
-
\??\c:\7tnthb.exec:\7tnthb.exe118⤵PID:2540
-
\??\c:\jvpdv.exec:\jvpdv.exe119⤵PID:2288
-
\??\c:\frlxlxl.exec:\frlxlxl.exe120⤵PID:1184
-
\??\c:\lxxlxrf.exec:\lxxlxrf.exe121⤵PID:4160
-
\??\c:\tnbnbt.exec:\tnbnbt.exe122⤵PID:4356