Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
30e330588b6fd81b6b82a343c88798b480e5f2778bfbf7e1f2007a10656d221dN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
30e330588b6fd81b6b82a343c88798b480e5f2778bfbf7e1f2007a10656d221dN.exe
-
Size
453KB
-
MD5
9915e153193a3afaeaa444974fd71a50
-
SHA1
fcf8669f70a5a9fe3d5775f308d2a9ef64468980
-
SHA256
30e330588b6fd81b6b82a343c88798b480e5f2778bfbf7e1f2007a10656d221d
-
SHA512
b72c3300ee664929347e6e7ade1b1b910d4a28f3e76adea55134625ea046d2a53740211e161b14d33ff974dbaf5c7eb304a44e20f5c9f91b262de8e85bf61c46
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4464-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4552-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4836-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-858-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-1099-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-1172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-1239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-1252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-1404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2500-1897-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4644 rxxrrlf.exe 3328 nhnhbh.exe 3616 lflfxrr.exe 3660 jpppj.exe 2704 tttnnh.exe 4692 vpdvd.exe 5024 vjdpj.exe 4840 nththb.exe 1884 nntbnb.exe 2424 bhbtht.exe 876 htthnt.exe 3692 vjpvj.exe 1224 fllxlxx.exe 3524 vpppp.exe 3936 hnntht.exe 4440 djdpv.exe 4760 rxfrfrl.exe 8 vppdj.exe 3704 dddpd.exe 3568 llllfrl.exe 4468 pdjvj.exe 468 xllxrlx.exe 1844 nntnbt.exe 5116 vddpd.exe 4552 3fxlfxl.exe 2960 3rlxlfl.exe 884 jdvjd.exe 3548 rrxrxlf.exe 3984 tbtthh.exe 2152 vjpdd.exe 4124 fflxlxl.exe 4168 nbnbnh.exe 2104 xffrrlx.exe 4472 5thbhb.exe 3848 pjjvd.exe 4988 nbhtnh.exe 1616 nttntn.exe 4456 pdvjd.exe 1152 rfrflfr.exe 4564 bhtbbh.exe 4408 7pvpv.exe 4580 jjjpd.exe 5112 lfxrflx.exe 1004 7bhhnn.exe 1612 jvvjd.exe 2776 jjddd.exe 3476 frxffrx.exe 224 rrrxlfr.exe 2856 5bnbnb.exe 4356 jddpp.exe 408 9lfrfxl.exe 2652 thhhht.exe 3192 3pjvv.exe 4840 9dvjd.exe 4996 lfxllrf.exe 2912 bnhhtn.exe 4296 ntbtbt.exe 3624 3dvjv.exe 2028 5rlflfx.exe 2836 3frxlfl.exe 1752 bnhtbn.exe 4328 5dvjp.exe 4836 flfrfrr.exe 4756 1nhthh.exe -
resource yara_rule behavioral2/memory/4464-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4552-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-305-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4848-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-1099-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rllfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4464 wrote to memory of 4644 4464 30e330588b6fd81b6b82a343c88798b480e5f2778bfbf7e1f2007a10656d221dN.exe 83 PID 4464 wrote to memory of 4644 4464 30e330588b6fd81b6b82a343c88798b480e5f2778bfbf7e1f2007a10656d221dN.exe 83 PID 4464 wrote to memory of 4644 4464 30e330588b6fd81b6b82a343c88798b480e5f2778bfbf7e1f2007a10656d221dN.exe 83 PID 4644 wrote to memory of 3328 4644 rxxrrlf.exe 84 PID 4644 wrote to memory of 3328 4644 rxxrrlf.exe 84 PID 4644 wrote to memory of 3328 4644 rxxrrlf.exe 84 PID 3328 wrote to memory of 3616 3328 nhnhbh.exe 85 PID 3328 wrote to memory of 3616 3328 nhnhbh.exe 85 PID 3328 wrote to memory of 3616 3328 nhnhbh.exe 85 PID 3616 wrote to memory of 3660 3616 lflfxrr.exe 86 PID 3616 wrote to memory of 3660 3616 lflfxrr.exe 86 PID 3616 wrote to memory of 3660 3616 lflfxrr.exe 86 PID 3660 wrote to memory of 2704 3660 jpppj.exe 87 PID 3660 wrote to memory of 2704 3660 jpppj.exe 87 PID 3660 wrote to memory of 2704 3660 jpppj.exe 87 PID 2704 wrote to memory of 4692 2704 tttnnh.exe 88 PID 2704 wrote to memory of 4692 2704 tttnnh.exe 88 PID 2704 wrote to memory of 4692 2704 tttnnh.exe 88 PID 4692 wrote to memory of 5024 4692 vpdvd.exe 89 PID 4692 wrote to memory of 5024 4692 vpdvd.exe 89 PID 4692 wrote to memory of 5024 4692 vpdvd.exe 89 PID 5024 wrote to memory of 4840 5024 vjdpj.exe 90 PID 5024 wrote to memory of 4840 5024 vjdpj.exe 90 PID 5024 wrote to memory of 4840 5024 vjdpj.exe 90 PID 4840 wrote to memory of 1884 4840 nththb.exe 91 PID 4840 wrote to memory of 1884 4840 nththb.exe 91 PID 4840 wrote to memory of 1884 4840 nththb.exe 91 PID 1884 wrote to memory of 2424 1884 nntbnb.exe 92 PID 1884 wrote to memory of 2424 1884 nntbnb.exe 92 PID 1884 wrote to memory of 2424 1884 nntbnb.exe 92 PID 2424 wrote to memory of 876 2424 bhbtht.exe 93 PID 2424 wrote to memory of 876 2424 bhbtht.exe 93 PID 2424 wrote to memory of 876 2424 bhbtht.exe 93 PID 876 wrote to memory of 3692 876 htthnt.exe 94 PID 876 wrote to memory 
of 3692 876 htthnt.exe 94 PID 876 wrote to memory of 3692 876 htthnt.exe 94 PID 3692 wrote to memory of 1224 3692 vjpvj.exe 95 PID 3692 wrote to memory of 1224 3692 vjpvj.exe 95 PID 3692 wrote to memory of 1224 3692 vjpvj.exe 95 PID 1224 wrote to memory of 3524 1224 fllxlxx.exe 96 PID 1224 wrote to memory of 3524 1224 fllxlxx.exe 96 PID 1224 wrote to memory of 3524 1224 fllxlxx.exe 96 PID 3524 wrote to memory of 3936 3524 vpppp.exe 97 PID 3524 wrote to memory of 3936 3524 vpppp.exe 97 PID 3524 wrote to memory of 3936 3524 vpppp.exe 97 PID 3936 wrote to memory of 4440 3936 hnntht.exe 98 PID 3936 wrote to memory of 4440 3936 hnntht.exe 98 PID 3936 wrote to memory of 4440 3936 hnntht.exe 98 PID 4440 wrote to memory of 4760 4440 djdpv.exe 99 PID 4440 wrote to memory of 4760 4440 djdpv.exe 99 PID 4440 wrote to memory of 4760 4440 djdpv.exe 99 PID 4760 wrote to memory of 8 4760 rxfrfrl.exe 100 PID 4760 wrote to memory of 8 4760 rxfrfrl.exe 100 PID 4760 wrote to memory of 8 4760 rxfrfrl.exe 100 PID 8 wrote to memory of 3704 8 vppdj.exe 101 PID 8 wrote to memory of 3704 8 vppdj.exe 101 PID 8 wrote to memory of 3704 8 vppdj.exe 101 PID 3704 wrote to memory of 3568 3704 dddpd.exe 102 PID 3704 wrote to memory of 3568 3704 dddpd.exe 102 PID 3704 wrote to memory of 3568 3704 dddpd.exe 102 PID 3568 wrote to memory of 4468 3568 llllfrl.exe 103 PID 3568 wrote to memory of 4468 3568 llllfrl.exe 103 PID 3568 wrote to memory of 4468 3568 llllfrl.exe 103 PID 4468 wrote to memory of 468 4468 pdjvj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\30e330588b6fd81b6b82a343c88798b480e5f2778bfbf7e1f2007a10656d221dN.exe"C:\Users\Admin\AppData\Local\Temp\30e330588b6fd81b6b82a343c88798b480e5f2778bfbf7e1f2007a10656d221dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\rxxrrlf.exec:\rxxrrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\nhnhbh.exec:\nhnhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\lflfxrr.exec:\lflfxrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\jpppj.exec:\jpppj.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\tttnnh.exec:\tttnnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\vpdvd.exec:\vpdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\vjdpj.exec:\vjdpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\nththb.exec:\nththb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\nntbnb.exec:\nntbnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\bhbtht.exec:\bhbtht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\htthnt.exec:\htthnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\vjpvj.exec:\vjpvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\fllxlxx.exec:\fllxlxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\vpppp.exec:\vpppp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\hnntht.exec:\hnntht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\djdpv.exec:\djdpv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\rxfrfrl.exec:\rxfrfrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\vppdj.exec:\vppdj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\dddpd.exec:\dddpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\llllfrl.exec:\llllfrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\pdjvj.exec:\pdjvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\xllxrlx.exec:\xllxrlx.exe23⤵
- Executes dropped EXE
PID:468 -
\??\c:\nntnbt.exec:\nntnbt.exe24⤵
- Executes dropped EXE
PID:1844 -
\??\c:\vddpd.exec:\vddpd.exe25⤵
- Executes dropped EXE
PID:5116 -
\??\c:\3fxlfxl.exec:\3fxlfxl.exe26⤵
- Executes dropped EXE
PID:4552 -
\??\c:\3rlxlfl.exec:\3rlxlfl.exe27⤵
- Executes dropped EXE
PID:2960 -
\??\c:\jdvjd.exec:\jdvjd.exe28⤵
- Executes dropped EXE
PID:884 -
\??\c:\rrxrxlf.exec:\rrxrxlf.exe29⤵
- Executes dropped EXE
PID:3548 -
\??\c:\tbtthh.exec:\tbtthh.exe30⤵
- Executes dropped EXE
PID:3984 -
\??\c:\vjpdd.exec:\vjpdd.exe31⤵
- Executes dropped EXE
PID:2152 -
\??\c:\fflxlxl.exec:\fflxlxl.exe32⤵
- Executes dropped EXE
PID:4124 -
\??\c:\nbnbnh.exec:\nbnbnh.exe33⤵
- Executes dropped EXE
PID:4168 -
\??\c:\xffrrlx.exec:\xffrrlx.exe34⤵
- Executes dropped EXE
PID:2104 -
\??\c:\5thbhb.exec:\5thbhb.exe35⤵
- Executes dropped EXE
PID:4472 -
\??\c:\pjjvd.exec:\pjjvd.exe36⤵
- Executes dropped EXE
PID:3848 -
\??\c:\nbhtnh.exec:\nbhtnh.exe37⤵
- Executes dropped EXE
PID:4988 -
\??\c:\nttntn.exec:\nttntn.exe38⤵
- Executes dropped EXE
PID:1616 -
\??\c:\pdvjd.exec:\pdvjd.exe39⤵
- Executes dropped EXE
PID:4456 -
\??\c:\rfrflfr.exec:\rfrflfr.exe40⤵
- Executes dropped EXE
PID:1152 -
\??\c:\bhtbbh.exec:\bhtbbh.exe41⤵
- Executes dropped EXE
PID:4564 -
\??\c:\7pvpv.exec:\7pvpv.exe42⤵
- Executes dropped EXE
PID:4408 -
\??\c:\jjjpd.exec:\jjjpd.exe43⤵
- Executes dropped EXE
PID:4580 -
\??\c:\lfxrflx.exec:\lfxrflx.exe44⤵
- Executes dropped EXE
PID:5112 -
\??\c:\7bhhnn.exec:\7bhhnn.exe45⤵
- Executes dropped EXE
PID:1004 -
\??\c:\jvvjd.exec:\jvvjd.exe46⤵
- Executes dropped EXE
PID:1612 -
\??\c:\jjddd.exec:\jjddd.exe47⤵
- Executes dropped EXE
PID:2776 -
\??\c:\frxffrx.exec:\frxffrx.exe48⤵
- Executes dropped EXE
PID:3476 -
\??\c:\rrrxlfr.exec:\rrrxlfr.exe49⤵
- Executes dropped EXE
PID:224 -
\??\c:\5bnbnb.exec:\5bnbnb.exe50⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jddpp.exec:\jddpp.exe51⤵
- Executes dropped EXE
PID:4356 -
\??\c:\9lfrfxl.exec:\9lfrfxl.exe52⤵
- Executes dropped EXE
PID:408 -
\??\c:\thhhht.exec:\thhhht.exe53⤵
- Executes dropped EXE
PID:2652 -
\??\c:\3pjvv.exec:\3pjvv.exe54⤵
- Executes dropped EXE
PID:3192 -
\??\c:\9dvjd.exec:\9dvjd.exe55⤵
- Executes dropped EXE
PID:4840 -
\??\c:\lfxllrf.exec:\lfxllrf.exe56⤵
- Executes dropped EXE
PID:4996 -
\??\c:\bnhhtn.exec:\bnhhtn.exe57⤵
- Executes dropped EXE
PID:2912 -
\??\c:\ntbtbt.exec:\ntbtbt.exe58⤵
- Executes dropped EXE
PID:4296 -
\??\c:\3dvjv.exec:\3dvjv.exe59⤵
- Executes dropped EXE
PID:3624 -
\??\c:\5rlflfx.exec:\5rlflfx.exe60⤵
- Executes dropped EXE
PID:2028 -
\??\c:\3frxlfl.exec:\3frxlfl.exe61⤵
- Executes dropped EXE
PID:2836 -
\??\c:\bnhtbn.exec:\bnhtbn.exe62⤵
- Executes dropped EXE
PID:1752 -
\??\c:\5dvjp.exec:\5dvjp.exe63⤵
- Executes dropped EXE
PID:4328 -
\??\c:\flfrfrr.exec:\flfrfrr.exe64⤵
- Executes dropped EXE
PID:4836 -
\??\c:\1nhthh.exec:\1nhthh.exe65⤵
- Executes dropped EXE
PID:4756 -
\??\c:\pppvj.exec:\pppvj.exe66⤵PID:3968
-
\??\c:\rfxlxfr.exec:\rfxlxfr.exe67⤵PID:2380
-
\??\c:\nhhhnh.exec:\nhhhnh.exe68⤵PID:8
-
\??\c:\ppjvd.exec:\ppjvd.exe69⤵PID:4848
-
\??\c:\7jvjp.exec:\7jvjp.exe70⤵PID:3628
-
\??\c:\flfrfxl.exec:\flfrfxl.exe71⤵PID:3136
-
\??\c:\1hbntn.exec:\1hbntn.exe72⤵PID:4468
-
\??\c:\vjvjv.exec:\vjvjv.exe73⤵PID:3924
-
\??\c:\rrlxfrf.exec:\rrlxfrf.exe74⤵PID:4888
-
\??\c:\xllxlxl.exec:\xllxlxl.exe75⤵PID:5048
-
\??\c:\bbbnbn.exec:\bbbnbn.exe76⤵PID:5116
-
\??\c:\djjvd.exec:\djjvd.exe77⤵PID:372
-
\??\c:\vjpjv.exec:\vjpjv.exe78⤵PID:1456
-
\??\c:\rxfrfxx.exec:\rxfrfxx.exe79⤵PID:4868
-
\??\c:\1bbbtt.exec:\1bbbtt.exe80⤵PID:3000
-
\??\c:\dvvpj.exec:\dvvpj.exe81⤵PID:5032
-
\??\c:\frrxlxl.exec:\frrxlxl.exe82⤵PID:3928
-
\??\c:\xlrlllf.exec:\xlrlllf.exe83⤵PID:2548
-
\??\c:\thhbnn.exec:\thhbnn.exe84⤵PID:2628
-
\??\c:\pjjdp.exec:\pjjdp.exe85⤵PID:700
-
\??\c:\rlfrrlf.exec:\rlfrrlf.exe86⤵PID:4392
-
\??\c:\bbhtnb.exec:\bbhtnb.exe87⤵PID:4844
-
\??\c:\vjpjp.exec:\vjpjp.exe88⤵PID:2692
-
\??\c:\xrrlfff.exec:\xrrlfff.exe89⤵PID:4920
-
\??\c:\ntthtn.exec:\ntthtn.exe90⤵PID:3932
-
\??\c:\nhhbnn.exec:\nhhbnn.exe91⤵PID:608
-
\??\c:\jjpdv.exec:\jjpdv.exe92⤵PID:900
-
\??\c:\5fxrfff.exec:\5fxrfff.exe93⤵PID:2448
-
\??\c:\7nnbbh.exec:\7nnbbh.exe94⤵PID:3432
-
\??\c:\jdjjv.exec:\jdjjv.exe95⤵PID:2184
-
\??\c:\pdvpj.exec:\pdvpj.exe96⤵PID:2592
-
\??\c:\rrxrxrf.exec:\rrxrxrf.exe97⤵PID:2368
-
\??\c:\tnnhtt.exec:\tnnhtt.exe98⤵PID:1732
-
\??\c:\3nthhh.exec:\3nthhh.exe99⤵PID:1580
-
\??\c:\5ppdv.exec:\5ppdv.exe100⤵PID:2600
-
\??\c:\5rlxlff.exec:\5rlxlff.exe101⤵PID:2640
-
\??\c:\9bhbbh.exec:\9bhbbh.exe102⤵PID:2864
-
\??\c:\3nntbt.exec:\3nntbt.exe103⤵PID:2772
-
\??\c:\jjvpd.exec:\jjvpd.exe104⤵PID:1112
-
\??\c:\1llrfrf.exec:\1llrfrf.exe105⤵PID:2856
-
\??\c:\lrrrllf.exec:\lrrrllf.exe106⤵PID:4692
-
\??\c:\hhbbtt.exec:\hhbbtt.exe107⤵PID:2348
-
\??\c:\dvpvv.exec:\dvpvv.exe108⤵PID:4608
-
\??\c:\3xfxfxr.exec:\3xfxfxr.exe109⤵PID:748
-
\??\c:\lxxxrfx.exec:\lxxxrfx.exe110⤵PID:1884
-
\??\c:\tbnnhh.exec:\tbnnhh.exe111⤵PID:4916
-
\??\c:\vjjdp.exec:\vjjdp.exe112⤵PID:2128
-
\??\c:\pjpjd.exec:\pjpjd.exe113⤵PID:2912
-
\??\c:\xffxrrl.exec:\xffxrrl.exe114⤵PID:4492
-
\??\c:\bbbnbn.exec:\bbbnbn.exe115⤵PID:2764
-
\??\c:\bnnntt.exec:\bnnntt.exe116⤵PID:2436
-
\??\c:\dvvjv.exec:\dvvjv.exe117⤵PID:184
-
\??\c:\lflrlll.exec:\lflrlll.exe118⤵PID:3356
-
\??\c:\nbhhbb.exec:\nbhhbb.exe119⤵PID:3724
-
\??\c:\1nhhbb.exec:\1nhhbb.exe120⤵PID:4932
-
\??\c:\pppjv.exec:\pppjv.exe121⤵PID:2760
-
\??\c:\rffxlfr.exec:\rffxlfr.exe122⤵PID:1188