Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2d4beaa6b5c47faa82534b76f7c012f473a95f242f7ab71023af394d1423d1b5N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
2d4beaa6b5c47faa82534b76f7c012f473a95f242f7ab71023af394d1423d1b5N.exe
-
Size
454KB
-
MD5
65824015274c1b8a9a30101fb39553b0
-
SHA1
8b167b069858228508abebfe5ab46380d59b246c
-
SHA256
2d4beaa6b5c47faa82534b76f7c012f473a95f242f7ab71023af394d1423d1b5
-
SHA512
adc3e6c9b7878e5b22ef346dad8c487b55df139313c494427d05fa86b0b16c36bc88cfca9006769537de859a908504a3b2f0a062301ff6c3dafe3487dee215be
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3844-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3952-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4612-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-1077-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3684-1197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4616 lfrlrrr.exe 4596 vdjdd.exe 2080 5nbtnn.exe 852 tnhbhb.exe 5040 llxrrfl.exe 3144 9ntnbb.exe 1780 hnnhhb.exe 3168 lflxrrf.exe 2988 btbbbt.exe 2912 pjvvd.exe 2840 3hhhbb.exe 208 jvdvp.exe 1884 fxxrrrr.exe 4336 httnhb.exe 3340 dvjjd.exe 1400 frffxrl.exe 672 vjpdv.exe 5068 rxfxrrl.exe 1348 fflxxff.exe 2320 ttbbhh.exe 1792 vdpdd.exe 3928 jjpjd.exe 3708 5rxfxxx.exe 3696 nnbtth.exe 768 bnbthh.exe 4636 7ppdv.exe 4840 fxxrlfx.exe 2612 lxlrlrx.exe 3132 tbnhbt.exe 5052 3ddvp.exe 2144 vjvpj.exe 2360 lfxxrlf.exe 2720 tnbttt.exe 2804 7bhnnn.exe 648 jddvv.exe 4200 3djdp.exe 1388 fxlfxlf.exe 4168 nbnhbb.exe 4904 hbthnn.exe 4548 pvddv.exe 2372 rrlffxr.exe 2348 xrfrxll.exe 2112 thhbtt.exe 3432 dvvvv.exe 1484 7vpjj.exe 660 5rxxffr.exe 632 nbnhhh.exe 2540 bttnnb.exe 3516 7ppjd.exe 2924 dpvjd.exe 4448 llxrlfx.exe 4160 btnhtt.exe 3952 hbbtnn.exe 4912 dddjd.exe 4804 lxxrlfx.exe 3688 frxfrlf.exe 4580 3tbtbb.exe 4404 jvjjd.exe 3336 pddjj.exe 2412 xxlfxrl.exe 3472 pppjj.exe 1716 xrrlxrl.exe 2364 ffxflff.exe 184 bnnbbt.exe -
resource yara_rule behavioral2/memory/3844-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-255-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3516-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-431-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3416-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-917-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
rlfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3844 wrote to memory of 4616 3844 2d4beaa6b5c47faa82534b76f7c012f473a95f242f7ab71023af394d1423d1b5N.exe 82 PID 3844 wrote to memory of 4616 3844 2d4beaa6b5c47faa82534b76f7c012f473a95f242f7ab71023af394d1423d1b5N.exe 82 PID 3844 wrote to memory of 4616 3844 2d4beaa6b5c47faa82534b76f7c012f473a95f242f7ab71023af394d1423d1b5N.exe 82 PID 4616 wrote to memory of 4596 4616 lfrlrrr.exe 83 PID 4616 wrote to memory of 4596 4616 lfrlrrr.exe 83 PID 4616 wrote to memory of 4596 4616 lfrlrrr.exe 83 PID 4596 wrote to memory of 2080 4596 vdjdd.exe 84 PID 4596 wrote to memory of 2080 4596 vdjdd.exe 84 PID 4596 wrote to memory of 2080 4596 vdjdd.exe 84 PID 2080 wrote to memory of 852 2080 5nbtnn.exe 85 PID 2080 wrote to memory of 852 2080 5nbtnn.exe 85 PID 2080 wrote to memory of 852 2080 5nbtnn.exe 85 PID 852 wrote to memory of 5040 852 tnhbhb.exe 86 PID 852 wrote to memory of 5040 852 tnhbhb.exe 86 PID 852 wrote to memory of 5040 852 tnhbhb.exe 86 PID 5040 wrote to memory of 3144 5040 llxrrfl.exe 87 PID 5040 wrote to memory of 3144 5040 llxrrfl.exe 87 PID 5040 wrote to memory of 3144 5040 llxrrfl.exe 87 PID 3144 wrote to memory of 1780 3144 9ntnbb.exe 88 PID 3144 wrote to memory of 1780 3144 9ntnbb.exe 88 PID 3144 wrote to memory of 1780 3144 9ntnbb.exe 88 PID 1780 wrote to memory of 3168 1780 hnnhhb.exe 89 PID 1780 wrote to memory of 3168 1780 hnnhhb.exe 89 PID 1780 wrote to memory of 3168 1780 hnnhhb.exe 89 PID 3168 wrote to memory of 2988 3168 lflxrrf.exe 90 PID 3168 wrote to memory of 2988 3168 lflxrrf.exe 90 PID 3168 wrote to memory of 2988 3168 lflxrrf.exe 90 PID 2988 wrote to memory of 2912 2988 btbbbt.exe 91 PID 2988 wrote to memory of 2912 2988 btbbbt.exe 91 PID 2988 wrote to memory of 2912 2988 btbbbt.exe 91 PID 2912 wrote to memory of 2840 2912 pjvvd.exe 92 PID 2912 wrote to memory of 2840 2912 pjvvd.exe 92 PID 2912 wrote to memory of 2840 2912 pjvvd.exe 92 PID 2840 wrote to memory of 208 2840 3hhhbb.exe 93 PID 2840 wrote to 
memory of 208 2840 3hhhbb.exe 93 PID 2840 wrote to memory of 208 2840 3hhhbb.exe 93 PID 208 wrote to memory of 1884 208 jvdvp.exe 94 PID 208 wrote to memory of 1884 208 jvdvp.exe 94 PID 208 wrote to memory of 1884 208 jvdvp.exe 94 PID 1884 wrote to memory of 4336 1884 fxxrrrr.exe 95 PID 1884 wrote to memory of 4336 1884 fxxrrrr.exe 95 PID 1884 wrote to memory of 4336 1884 fxxrrrr.exe 95 PID 4336 wrote to memory of 3340 4336 httnhb.exe 96 PID 4336 wrote to memory of 3340 4336 httnhb.exe 96 PID 4336 wrote to memory of 3340 4336 httnhb.exe 96 PID 3340 wrote to memory of 1400 3340 dvjjd.exe 97 PID 3340 wrote to memory of 1400 3340 dvjjd.exe 97 PID 3340 wrote to memory of 1400 3340 dvjjd.exe 97 PID 1400 wrote to memory of 672 1400 frffxrl.exe 98 PID 1400 wrote to memory of 672 1400 frffxrl.exe 98 PID 1400 wrote to memory of 672 1400 frffxrl.exe 98 PID 672 wrote to memory of 5068 672 vjpdv.exe 99 PID 672 wrote to memory of 5068 672 vjpdv.exe 99 PID 672 wrote to memory of 5068 672 vjpdv.exe 99 PID 5068 wrote to memory of 1348 5068 rxfxrrl.exe 100 PID 5068 wrote to memory of 1348 5068 rxfxrrl.exe 100 PID 5068 wrote to memory of 1348 5068 rxfxrrl.exe 100 PID 1348 wrote to memory of 2320 1348 fflxxff.exe 101 PID 1348 wrote to memory of 2320 1348 fflxxff.exe 101 PID 1348 wrote to memory of 2320 1348 fflxxff.exe 101 PID 2320 wrote to memory of 1792 2320 ttbbhh.exe 102 PID 2320 wrote to memory of 1792 2320 ttbbhh.exe 102 PID 2320 wrote to memory of 1792 2320 ttbbhh.exe 102 PID 1792 wrote to memory of 3928 1792 vdpdd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d4beaa6b5c47faa82534b76f7c012f473a95f242f7ab71023af394d1423d1b5N.exe"C:\Users\Admin\AppData\Local\Temp\2d4beaa6b5c47faa82534b76f7c012f473a95f242f7ab71023af394d1423d1b5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\lfrlrrr.exec:\lfrlrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\vdjdd.exec:\vdjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\5nbtnn.exec:\5nbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\tnhbhb.exec:\tnhbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\llxrrfl.exec:\llxrrfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\9ntnbb.exec:\9ntnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\hnnhhb.exec:\hnnhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\lflxrrf.exec:\lflxrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\btbbbt.exec:\btbbbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\pjvvd.exec:\pjvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\3hhhbb.exec:\3hhhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\jvdvp.exec:\jvdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\httnhb.exec:\httnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\dvjjd.exec:\dvjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\frffxrl.exec:\frffxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\vjpdv.exec:\vjpdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\fflxxff.exec:\fflxxff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\ttbbhh.exec:\ttbbhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\vdpdd.exec:\vdpdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\jjpjd.exec:\jjpjd.exe23⤵
- Executes dropped EXE
PID:3928 -
\??\c:\5rxfxxx.exec:\5rxfxxx.exe24⤵
- Executes dropped EXE
PID:3708 -
\??\c:\nnbtth.exec:\nnbtth.exe25⤵
- Executes dropped EXE
PID:3696 -
\??\c:\bnbthh.exec:\bnbthh.exe26⤵
- Executes dropped EXE
PID:768 -
\??\c:\7ppdv.exec:\7ppdv.exe27⤵
- Executes dropped EXE
PID:4636 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe28⤵
- Executes dropped EXE
PID:4840 -
\??\c:\lxlrlrx.exec:\lxlrlrx.exe29⤵
- Executes dropped EXE
PID:2612 -
\??\c:\tbnhbt.exec:\tbnhbt.exe30⤵
- Executes dropped EXE
PID:3132 -
\??\c:\3ddvp.exec:\3ddvp.exe31⤵
- Executes dropped EXE
PID:5052 -
\??\c:\vjvpj.exec:\vjvpj.exe32⤵
- Executes dropped EXE
PID:2144 -
\??\c:\lfxxrlf.exec:\lfxxrlf.exe33⤵
- Executes dropped EXE
PID:2360 -
\??\c:\tnbttt.exec:\tnbttt.exe34⤵
- Executes dropped EXE
PID:2720 -
\??\c:\7bhnnn.exec:\7bhnnn.exe35⤵
- Executes dropped EXE
PID:2804 -
\??\c:\jddvv.exec:\jddvv.exe36⤵
- Executes dropped EXE
PID:648 -
\??\c:\3djdp.exec:\3djdp.exe37⤵
- Executes dropped EXE
PID:4200 -
\??\c:\fxlfxlf.exec:\fxlfxlf.exe38⤵
- Executes dropped EXE
PID:1388 -
\??\c:\nbnhbb.exec:\nbnhbb.exe39⤵
- Executes dropped EXE
PID:4168 -
\??\c:\hbthnn.exec:\hbthnn.exe40⤵
- Executes dropped EXE
PID:4904 -
\??\c:\pvddv.exec:\pvddv.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4548 -
\??\c:\rrlffxr.exec:\rrlffxr.exe42⤵
- Executes dropped EXE
PID:2372 -
\??\c:\xrfrxll.exec:\xrfrxll.exe43⤵
- Executes dropped EXE
PID:2348 -
\??\c:\thhbtt.exec:\thhbtt.exe44⤵
- Executes dropped EXE
PID:2112 -
\??\c:\dvvvv.exec:\dvvvv.exe45⤵
- Executes dropped EXE
PID:3432 -
\??\c:\7vpjj.exec:\7vpjj.exe46⤵
- Executes dropped EXE
PID:1484 -
\??\c:\5rxxffr.exec:\5rxxffr.exe47⤵
- Executes dropped EXE
PID:660 -
\??\c:\nbnhhh.exec:\nbnhhh.exe48⤵
- Executes dropped EXE
PID:632 -
\??\c:\bttnnb.exec:\bttnnb.exe49⤵
- Executes dropped EXE
PID:2540 -
\??\c:\7ppjd.exec:\7ppjd.exe50⤵
- Executes dropped EXE
PID:3516 -
\??\c:\dpvjd.exec:\dpvjd.exe51⤵
- Executes dropped EXE
PID:2924 -
\??\c:\llxrlfx.exec:\llxrlfx.exe52⤵
- Executes dropped EXE
PID:4448 -
\??\c:\btnhtt.exec:\btnhtt.exe53⤵
- Executes dropped EXE
PID:4160 -
\??\c:\hbbtnn.exec:\hbbtnn.exe54⤵
- Executes dropped EXE
PID:3952 -
\??\c:\dddjd.exec:\dddjd.exe55⤵
- Executes dropped EXE
PID:4912 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe56⤵
- Executes dropped EXE
PID:4804 -
\??\c:\frxfrlf.exec:\frxfrlf.exe57⤵
- Executes dropped EXE
PID:3688 -
\??\c:\3tbtbb.exec:\3tbtbb.exe58⤵
- Executes dropped EXE
PID:4580 -
\??\c:\jvjjd.exec:\jvjjd.exe59⤵
- Executes dropped EXE
PID:4404 -
\??\c:\pddjj.exec:\pddjj.exe60⤵
- Executes dropped EXE
PID:3336 -
\??\c:\xxlfxrl.exec:\xxlfxrl.exe61⤵
- Executes dropped EXE
PID:2412 -
\??\c:\pppjj.exec:\pppjj.exe62⤵
- Executes dropped EXE
PID:3472 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe63⤵
- Executes dropped EXE
PID:1716 -
\??\c:\ffxflff.exec:\ffxflff.exe64⤵
- Executes dropped EXE
PID:2364 -
\??\c:\bnnbbt.exec:\bnnbbt.exe65⤵
- Executes dropped EXE
PID:184 -
\??\c:\djpjd.exec:\djpjd.exe66⤵PID:1144
-
\??\c:\hbbhtb.exec:\hbbhtb.exe67⤵PID:920
-
\??\c:\frrlxrl.exec:\frrlxrl.exe68⤵PID:3188
-
\??\c:\1fflllf.exec:\1fflllf.exe69⤵PID:4540
-
\??\c:\xrrlllf.exec:\xrrlllf.exe70⤵PID:4116
-
\??\c:\ttbbtt.exec:\ttbbtt.exe71⤵PID:2844
-
\??\c:\ppvvp.exec:\ppvvp.exe72⤵PID:4612
-
\??\c:\lffffff.exec:\lffffff.exe73⤵PID:2936
-
\??\c:\ttbtnt.exec:\ttbtnt.exe74⤵PID:3836
-
\??\c:\rfrllll.exec:\rfrllll.exe75⤵PID:2436
-
\??\c:\tntthh.exec:\tntthh.exe76⤵PID:3232
-
\??\c:\vjjdd.exec:\vjjdd.exe77⤵PID:1400
-
\??\c:\dpdjd.exec:\dpdjd.exe78⤵PID:3164
-
\??\c:\7tnnhn.exec:\7tnnhn.exe79⤵PID:4008
-
\??\c:\pvvpd.exec:\pvvpd.exe80⤵PID:1900
-
\??\c:\rxxrllf.exec:\rxxrllf.exe81⤵PID:4824
-
\??\c:\bttnhh.exec:\bttnhh.exe82⤵PID:4960
-
\??\c:\pvjvp.exec:\pvjvp.exe83⤵PID:4752
-
\??\c:\rllfxxl.exec:\rllfxxl.exe84⤵PID:5084
-
\??\c:\xrlfllx.exec:\xrlfllx.exe85⤵PID:2212
-
\??\c:\xlrlfrr.exec:\xlrlfrr.exe86⤵PID:408
-
\??\c:\vpvpp.exec:\vpvpp.exe87⤵
- System Location Discovery: System Language Discovery
PID:4240 -
\??\c:\1xxrlrl.exec:\1xxrlrl.exe88⤵PID:2740
-
\??\c:\lrfxrlr.exec:\lrfxrlr.exe89⤵PID:2260
-
\??\c:\rflxrrr.exec:\rflxrrr.exe90⤵PID:452
-
\??\c:\tttthh.exec:\tttthh.exe91⤵PID:5052
-
\??\c:\ddjvv.exec:\ddjvv.exe92⤵PID:316
-
\??\c:\5rxlffx.exec:\5rxlffx.exe93⤵PID:3776
-
\??\c:\frxrlfx.exec:\frxrlfx.exe94⤵PID:4216
-
\??\c:\9ttnnn.exec:\9ttnnn.exe95⤵PID:2388
-
\??\c:\3vvvp.exec:\3vvvp.exe96⤵PID:4200
-
\??\c:\1llfxrl.exec:\1llfxrl.exe97⤵PID:1388
-
\??\c:\5xffxfx.exec:\5xffxfx.exe98⤵PID:3672
-
\??\c:\3tnhtb.exec:\3tnhtb.exe99⤵PID:1796
-
\??\c:\nbbbnh.exec:\nbbbnh.exe100⤵PID:888
-
\??\c:\jvvjp.exec:\jvvjp.exe101⤵PID:3768
-
\??\c:\xfxlfxx.exec:\xfxlfxx.exe102⤵PID:3116
-
\??\c:\bthbbh.exec:\bthbbh.exe103⤵PID:1312
-
\??\c:\pddpd.exec:\pddpd.exe104⤵PID:4884
-
\??\c:\lrfrllf.exec:\lrfrllf.exe105⤵PID:3432
-
\??\c:\xlxlffx.exec:\xlxlffx.exe106⤵PID:4696
-
\??\c:\9bnhhh.exec:\9bnhhh.exe107⤵PID:3028
-
\??\c:\pvjdp.exec:\pvjdp.exe108⤵PID:840
-
\??\c:\lllxllf.exec:\lllxllf.exe109⤵PID:3416
-
\??\c:\tnnhbb.exec:\tnnhbb.exe110⤵PID:1556
-
\??\c:\ddjvj.exec:\ddjvj.exe111⤵PID:1036
-
\??\c:\rlrlxrf.exec:\rlrlxrf.exe112⤵PID:2924
-
\??\c:\btbtnn.exec:\btbtnn.exe113⤵PID:2368
-
\??\c:\ppdvj.exec:\ppdvj.exe114⤵PID:1284
-
\??\c:\7djjd.exec:\7djjd.exe115⤵PID:1680
-
\??\c:\frrfrrl.exec:\frrfrrl.exe116⤵PID:3544
-
\??\c:\nhnhbn.exec:\nhnhbn.exe117⤵PID:3264
-
\??\c:\pdpjv.exec:\pdpjv.exe118⤵PID:4144
-
\??\c:\5jdvp.exec:\5jdvp.exe119⤵PID:1276
-
\??\c:\9xffxfx.exec:\9xffxfx.exe120⤵PID:4820
-
\??\c:\xfllrlr.exec:\xfllrlr.exe121⤵PID:1080
-
\??\c:\7nnhhh.exec:\7nnhhh.exe122⤵PID:3160