Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:08
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe
-
Size
453KB
-
MD5
49ffc5ddc1d5920cba2294df033f510a
-
SHA1
73504d05d9a44c5936a7d764ac09f43f33e05916
-
SHA256
0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a
-
SHA512
95ac284fc611f87a1a27ec564d729bef24e6e8f05d3e11342f22526f850f03f4e5d481f303575018d1cfee6642340c0ef14555fde3ad6ff1d91c6f8b52f4f96e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3724-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3580-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2456-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-1761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4732 1lflfxx.exe 2040 3rrrllf.exe 4836 9nnhbh.exe 3648 3pvpp.exe 2892 lxlfffr.exe 3508 3nhbtt.exe 3448 lffxfff.exe 4408 xfrlffx.exe 1216 hnbthh.exe 1776 9dpjd.exe 208 rlfxrfx.exe 5068 tbhbbb.exe 448 vpjdj.exe 5012 bhnbnt.exe 3864 pjppd.exe 4816 dvdvj.exe 2960 llffxxr.exe 2832 rffxrlf.exe 4204 bbtnnh.exe 1912 9pjdp.exe 4368 rlfxrrl.exe 1324 rflfxxr.exe 3436 5bhbhn.exe 1948 vjvpp.exe 3620 5llfxfx.exe 2776 xrrlffx.exe 1828 9ddvv.exe 916 bbhhnn.exe 3276 jdddv.exe 4868 vvdvp.exe 3852 ntnhbt.exe 3244 jjpvp.exe 3628 rrrfrlf.exe 4236 bnbttt.exe 1208 ffrlflf.exe 2948 tnnhhb.exe 3976 httnhh.exe 1204 jdjvd.exe 3128 3xrlffx.exe 1824 lxffxff.exe 3064 tbhtnn.exe 3500 vpvvp.exe 3916 7flffff.exe 1656 fflfxxx.exe 964 9bhnhb.exe 4936 vvvvd.exe 4220 jdvvv.exe 444 3frlxxr.exe 3580 thhhhh.exe 376 7tttnh.exe 5052 pjjdp.exe 4272 rrxlrlr.exe 1008 lxfxrrl.exe 2224 bthbhh.exe 3600 jdvpv.exe 5020 lxxrlrl.exe 4836 rfrlrrr.exe 4280 nnhtnb.exe 2144 7vdvp.exe 4788 llrlllf.exe 844 bttbtt.exe 1560 dvpjj.exe 4408 xlrlfll.exe 952 nbhbtt.exe -
UPX packed file
resource yara_rule behavioral2/memory/3724-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-248-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5052-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/836-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-789-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3724 wrote to memory of 4732 3724 0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe 82 PID 3724 wrote to memory of 4732 3724 0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe 82 PID 3724 wrote to memory of 4732 3724 0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe 82 PID 4732 wrote to memory of 2040 4732 1lflfxx.exe 83 PID 4732 wrote to memory of 2040 4732 1lflfxx.exe 83 PID 4732 wrote to memory of 2040 4732 1lflfxx.exe 83 PID 2040 wrote to memory of 4836 2040 3rrrllf.exe 138 PID 2040 wrote to memory of 4836 2040 3rrrllf.exe 138 PID 2040 wrote to memory of 4836 2040 3rrrllf.exe 138 PID 4836 wrote to memory of 3648 4836 9nnhbh.exe 85 PID 4836 wrote to memory of 3648 4836 9nnhbh.exe 85 PID 4836 wrote to memory of 3648 4836 9nnhbh.exe 85 PID 3648 wrote to memory of 2892 3648 3pvpp.exe 86 PID 3648 wrote to memory of 2892 3648 3pvpp.exe 86 PID 3648 wrote to memory of 2892 3648 3pvpp.exe 86 PID 2892 wrote to memory of 3508 2892 lxlfffr.exe 87 PID 2892 wrote to memory of 3508 2892 lxlfffr.exe 87 PID 2892 wrote to memory of 3508 2892 lxlfffr.exe 87 PID 3508 wrote to memory of 3448 3508 3nhbtt.exe 88 PID 3508 wrote to memory of 3448 3508 3nhbtt.exe 88 PID 3508 wrote to memory of 3448 3508 3nhbtt.exe 88 PID 3448 wrote to memory of 4408 3448 lffxfff.exe 89 PID 3448 wrote to memory of 4408 3448 lffxfff.exe 89 PID 3448 wrote to memory of 4408 3448 lffxfff.exe 89 PID 4408 wrote to memory of 1216 4408 xfrlffx.exe 90 PID 4408 wrote to memory of 1216 4408 xfrlffx.exe 90 PID 4408 wrote to memory of 1216 4408 xfrlffx.exe 90 PID 1216 wrote to memory of 1776 1216 hnbthh.exe 91 PID 1216 wrote to memory of 1776 1216 hnbthh.exe 91 PID 1216 wrote to memory of 1776 1216 hnbthh.exe 91 PID 1776 wrote to memory of 208 1776 9dpjd.exe 92 PID 1776 wrote to memory of 208 1776 9dpjd.exe 92 PID 1776 wrote to memory of 208 1776 9dpjd.exe 92 PID 208 wrote to memory of 5068 208 rlfxrfx.exe 93 PID 208 
wrote to memory of 5068 208 rlfxrfx.exe 93 PID 208 wrote to memory of 5068 208 rlfxrfx.exe 93 PID 5068 wrote to memory of 448 5068 tbhbbb.exe 94 PID 5068 wrote to memory of 448 5068 tbhbbb.exe 94 PID 5068 wrote to memory of 448 5068 tbhbbb.exe 94 PID 448 wrote to memory of 5012 448 vpjdj.exe 95 PID 448 wrote to memory of 5012 448 vpjdj.exe 95 PID 448 wrote to memory of 5012 448 vpjdj.exe 95 PID 5012 wrote to memory of 3864 5012 bhnbnt.exe 96 PID 5012 wrote to memory of 3864 5012 bhnbnt.exe 96 PID 5012 wrote to memory of 3864 5012 bhnbnt.exe 96 PID 3864 wrote to memory of 4816 3864 pjppd.exe 97 PID 3864 wrote to memory of 4816 3864 pjppd.exe 97 PID 3864 wrote to memory of 4816 3864 pjppd.exe 97 PID 4816 wrote to memory of 2960 4816 dvdvj.exe 98 PID 4816 wrote to memory of 2960 4816 dvdvj.exe 98 PID 4816 wrote to memory of 2960 4816 dvdvj.exe 98 PID 2960 wrote to memory of 2832 2960 llffxxr.exe 99 PID 2960 wrote to memory of 2832 2960 llffxxr.exe 99 PID 2960 wrote to memory of 2832 2960 llffxxr.exe 99 PID 2832 wrote to memory of 4204 2832 rffxrlf.exe 100 PID 2832 wrote to memory of 4204 2832 rffxrlf.exe 100 PID 2832 wrote to memory of 4204 2832 rffxrlf.exe 100 PID 4204 wrote to memory of 1912 4204 bbtnnh.exe 101 PID 4204 wrote to memory of 1912 4204 bbtnnh.exe 101 PID 4204 wrote to memory of 1912 4204 bbtnnh.exe 101 PID 1912 wrote to memory of 4368 1912 9pjdp.exe 102 PID 1912 wrote to memory of 4368 1912 9pjdp.exe 102 PID 1912 wrote to memory of 4368 1912 9pjdp.exe 102 PID 4368 wrote to memory of 1324 4368 rlfxrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe"C:\Users\Admin\AppData\Local\Temp\0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\1lflfxx.exec:\1lflfxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\3rrrllf.exec:\3rrrllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\9nnhbh.exec:\9nnhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\3pvpp.exec:\3pvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\lxlfffr.exec:\lxlfffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\3nhbtt.exec:\3nhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\lffxfff.exec:\lffxfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\xfrlffx.exec:\xfrlffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\hnbthh.exec:\hnbthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\9dpjd.exec:\9dpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\rlfxrfx.exec:\rlfxrfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\tbhbbb.exec:\tbhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\vpjdj.exec:\vpjdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\bhnbnt.exec:\bhnbnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\pjppd.exec:\pjppd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\dvdvj.exec:\dvdvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\llffxxr.exec:\llffxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\rffxrlf.exec:\rffxrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\bbtnnh.exec:\bbtnnh.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\9pjdp.exec:\9pjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\rflfxxr.exec:\rflfxxr.exe23⤵
- Executes dropped EXE
PID:1324 -
\??\c:\5bhbhn.exec:\5bhbhn.exe24⤵
- Executes dropped EXE
PID:3436 -
\??\c:\vjvpp.exec:\vjvpp.exe25⤵
- Executes dropped EXE
PID:1948 -
\??\c:\5llfxfx.exec:\5llfxfx.exe26⤵
- Executes dropped EXE
PID:3620 -
\??\c:\xrrlffx.exec:\xrrlffx.exe27⤵
- Executes dropped EXE
PID:2776 -
\??\c:\9ddvv.exec:\9ddvv.exe28⤵
- Executes dropped EXE
PID:1828 -
\??\c:\bbhhnn.exec:\bbhhnn.exe29⤵
- Executes dropped EXE
PID:916 -
\??\c:\jdddv.exec:\jdddv.exe30⤵
- Executes dropped EXE
PID:3276 -
\??\c:\vvdvp.exec:\vvdvp.exe31⤵
- Executes dropped EXE
PID:4868 -
\??\c:\ntnhbt.exec:\ntnhbt.exe32⤵
- Executes dropped EXE
PID:3852 -
\??\c:\jjpvp.exec:\jjpvp.exe33⤵
- Executes dropped EXE
PID:3244 -
\??\c:\rrrfrlf.exec:\rrrfrlf.exe34⤵
- Executes dropped EXE
PID:3628 -
\??\c:\bnbttt.exec:\bnbttt.exe35⤵
- Executes dropped EXE
PID:4236 -
\??\c:\ffrlflf.exec:\ffrlflf.exe36⤵
- Executes dropped EXE
PID:1208 -
\??\c:\tnnhhb.exec:\tnnhhb.exe37⤵
- Executes dropped EXE
PID:2948 -
\??\c:\httnhh.exec:\httnhh.exe38⤵
- Executes dropped EXE
PID:3976 -
\??\c:\jdjvd.exec:\jdjvd.exe39⤵
- Executes dropped EXE
PID:1204 -
\??\c:\3xrlffx.exec:\3xrlffx.exe40⤵
- Executes dropped EXE
PID:3128 -
\??\c:\lxffxff.exec:\lxffxff.exe41⤵
- Executes dropped EXE
PID:1824 -
\??\c:\tbhtnn.exec:\tbhtnn.exe42⤵
- Executes dropped EXE
PID:3064 -
\??\c:\vpvvp.exec:\vpvvp.exe43⤵
- Executes dropped EXE
PID:3500 -
\??\c:\7flffff.exec:\7flffff.exe44⤵
- Executes dropped EXE
PID:3916 -
\??\c:\fflfxxx.exec:\fflfxxx.exe45⤵
- Executes dropped EXE
PID:1656 -
\??\c:\9bhnhb.exec:\9bhnhb.exe46⤵
- Executes dropped EXE
PID:964 -
\??\c:\vvvvd.exec:\vvvvd.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4936 -
\??\c:\jdvvv.exec:\jdvvv.exe48⤵
- Executes dropped EXE
PID:4220 -
\??\c:\3frlxxr.exec:\3frlxxr.exe49⤵
- Executes dropped EXE
PID:444 -
\??\c:\thhhhh.exec:\thhhhh.exe50⤵
- Executes dropped EXE
PID:3580 -
\??\c:\7tttnh.exec:\7tttnh.exe51⤵
- Executes dropped EXE
PID:376 -
\??\c:\pjjdp.exec:\pjjdp.exe52⤵
- Executes dropped EXE
PID:5052 -
\??\c:\rrxlrlr.exec:\rrxlrlr.exe53⤵
- Executes dropped EXE
PID:4272 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe54⤵
- Executes dropped EXE
PID:1008 -
\??\c:\bthbhh.exec:\bthbhh.exe55⤵
- Executes dropped EXE
PID:2224 -
\??\c:\jdvpv.exec:\jdvpv.exe56⤵
- Executes dropped EXE
PID:3600 -
\??\c:\lxxrlrl.exec:\lxxrlrl.exe57⤵
- Executes dropped EXE
PID:5020 -
\??\c:\rfrlrrr.exec:\rfrlrrr.exe58⤵
- Executes dropped EXE
PID:4836 -
\??\c:\nnhtnb.exec:\nnhtnb.exe59⤵
- Executes dropped EXE
PID:4280 -
\??\c:\7vdvp.exec:\7vdvp.exe60⤵
- Executes dropped EXE
PID:2144 -
\??\c:\llrlllf.exec:\llrlllf.exe61⤵
- Executes dropped EXE
PID:4788 -
\??\c:\bttbtt.exec:\bttbtt.exe62⤵
- Executes dropped EXE
PID:844 -
\??\c:\dvpjj.exec:\dvpjj.exe63⤵
- Executes dropped EXE
PID:1560 -
\??\c:\xlrlfll.exec:\xlrlfll.exe64⤵
- Executes dropped EXE
PID:4408 -
\??\c:\nbhbtt.exec:\nbhbtt.exe65⤵
- Executes dropped EXE
PID:952 -
\??\c:\dddvp.exec:\dddvp.exe66⤵PID:2268
-
\??\c:\rlffxxr.exec:\rlffxxr.exe67⤵PID:2140
-
\??\c:\tttnnn.exec:\tttnnn.exe68⤵PID:2104
-
\??\c:\flllrrx.exec:\flllrrx.exe69⤵PID:208
-
\??\c:\hnttnn.exec:\hnttnn.exe70⤵PID:5040
-
\??\c:\pjjdd.exec:\pjjdd.exe71⤵PID:4420
-
\??\c:\9nthhn.exec:\9nthhn.exe72⤵PID:3416
-
\??\c:\vppjv.exec:\vppjv.exe73⤵PID:4652
-
\??\c:\hthbtt.exec:\hthbtt.exe74⤵PID:996
-
\??\c:\7bnhhh.exec:\7bnhhh.exe75⤵PID:2836
-
\??\c:\pddvp.exec:\pddvp.exe76⤵PID:2120
-
\??\c:\fxfrllf.exec:\fxfrllf.exe77⤵PID:2456
-
\??\c:\rllfffx.exec:\rllfffx.exe78⤵PID:2520
-
\??\c:\lrfxxxx.exec:\lrfxxxx.exe79⤵PID:5044
-
\??\c:\hbtnhh.exec:\hbtnhh.exe80⤵PID:1912
-
\??\c:\tttttt.exec:\tttttt.exe81⤵PID:1308
-
\??\c:\dpdpj.exec:\dpdpj.exe82⤵PID:1764
-
\??\c:\lfxrlll.exec:\lfxrlll.exe83⤵PID:3652
-
\??\c:\nhtnhh.exec:\nhtnhh.exe84⤵PID:1072
-
\??\c:\9pddp.exec:\9pddp.exe85⤵PID:3364
-
\??\c:\pjpjj.exec:\pjpjj.exe86⤵PID:5084
-
\??\c:\bntnnh.exec:\bntnnh.exe87⤵PID:3620
-
\??\c:\bttntt.exec:\bttntt.exe88⤵PID:4832
-
\??\c:\pddjj.exec:\pddjj.exe89⤵PID:4612
-
\??\c:\7xfxxxf.exec:\7xfxxxf.exe90⤵PID:1828
-
\??\c:\fxrrrrx.exec:\fxrrrrx.exe91⤵PID:1460
-
\??\c:\7btnhh.exec:\7btnhh.exe92⤵PID:1316
-
\??\c:\jvdvp.exec:\jvdvp.exe93⤵PID:836
-
\??\c:\jdjjd.exec:\jdjjd.exe94⤵PID:4912
-
\??\c:\rlfxxrl.exec:\rlfxxrl.exe95⤵PID:4160
-
\??\c:\httntn.exec:\httntn.exe96⤵PID:3244
-
\??\c:\ppvpj.exec:\ppvpj.exe97⤵PID:2052
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe98⤵PID:1736
-
\??\c:\hbhtbh.exec:\hbhtbh.exe99⤵PID:2448
-
\??\c:\1djdv.exec:\1djdv.exe100⤵PID:1984
-
\??\c:\fffxrfx.exec:\fffxrfx.exe101⤵PID:4916
-
\??\c:\ffffxxr.exec:\ffffxxr.exe102⤵PID:3556
-
\??\c:\hhbtnt.exec:\hhbtnt.exe103⤵PID:1844
-
\??\c:\dvdjd.exec:\dvdjd.exe104⤵PID:4264
-
\??\c:\ppdvv.exec:\ppdvv.exe105⤵PID:4248
-
\??\c:\rrxrrlf.exec:\rrxrrlf.exe106⤵PID:1696
-
\??\c:\tnhtht.exec:\tnhtht.exe107⤵PID:4376
-
\??\c:\ddvpj.exec:\ddvpj.exe108⤵PID:1132
-
\??\c:\xlffrfx.exec:\xlffrfx.exe109⤵PID:4500
-
\??\c:\3xrrlll.exec:\3xrrlll.exe110⤵PID:2352
-
\??\c:\btbtnh.exec:\btbtnh.exe111⤵PID:832
-
\??\c:\vdjdd.exec:\vdjdd.exe112⤵PID:3368
-
\??\c:\fxfrrll.exec:\fxfrrll.exe113⤵PID:1924
-
\??\c:\fxfrlff.exec:\fxfrlff.exe114⤵PID:384
-
\??\c:\hbnbtt.exec:\hbnbtt.exe115⤵PID:444
-
\??\c:\ppdvd.exec:\ppdvd.exe116⤵PID:3884
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe117⤵PID:1888
-
\??\c:\rrrrllf.exec:\rrrrllf.exe118⤵PID:3020
-
\??\c:\tthnnt.exec:\tthnnt.exe119⤵PID:1452
-
\??\c:\1vjvj.exec:\1vjvj.exe120⤵PID:4540
-
\??\c:\3jddd.exec:\3jddd.exe121⤵PID:1176
-
\??\c:\rxxlxlx.exec:\rxxlxlx.exe122⤵PID:2224
-