Analysis
-
max time kernel
120s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 20:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a467830b48f4ae74ed93025831647e984c9616ad4bbf4d3450d9cddeb81b54deN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a467830b48f4ae74ed93025831647e984c9616ad4bbf4d3450d9cddeb81b54deN.exe
-
Size
454KB
-
MD5
1f63b1e218d7855f4113ccf2ac095310
-
SHA1
b084b62beaf064ee27eee1eae21a898f31ae539e
-
SHA256
a467830b48f4ae74ed93025831647e984c9616ad4bbf4d3450d9cddeb81b54de
-
SHA512
f5ed7b42a0b5990aca4007471871ad20545f972443bb8df13ba1e50e7e2d06a82fddc2611a6374790d557af787cf2bfe8c87b62fdb2514b75e8d42b41b526d40
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2528-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2688-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4152-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4352 xffrfxl.exe 2528 nbtnhh.exe 3620 jddpv.exe 1868 rlxlxrx.exe 3864 9llfrrf.exe 2284 bhhhhb.exe 3284 jvpdp.exe 1380 ttnhbb.exe 4812 ppvpj.exe 2696 pdjdp.exe 2792 fflflrx.exe 924 jpjjv.exe 3764 lllfxxr.exe 2652 bntthh.exe 5100 dvdvd.exe 5076 bttnht.exe 1988 dvjvp.exe 4948 ffffffl.exe 4488 ttbhnn.exe 2184 thhbbh.exe 4016 vppdv.exe 2988 3rlfxxr.exe 4628 rllfrlx.exe 2688 tbhbbh.exe 4448 hhhhbb.exe 3748 rlllffx.exe 2800 5ppdp.exe 4784 bhtnhb.exe 2972 flfrlfx.exe 4832 bnbtbt.exe 1168 bnnhbb.exe 4644 xxlrlrl.exe 3928 tbbnnn.exe 3588 1jvpd.exe 1340 xlrlfrl.exe 1544 vdvvp.exe 1732 jpdpv.exe 2272 rfxxrxx.exe 1824 bhhnbb.exe 4964 dpdvj.exe 760 rrlllrr.exe 2044 rlxrrrr.exe 1372 htbbnn.exe 3636 jpdpj.exe 3068 3jvpv.exe 4932 9xlllll.exe 1868 bnnnnt.exe 4956 bhtthh.exe 1932 dppjd.exe 1444 xfxllxx.exe 2284 httnnn.exe 4656 hhhbtt.exe 2068 pvvdd.exe 3284 5rxxrrl.exe 1432 hhhhhh.exe 4516 7jjjj.exe 1640 rlrlffr.exe 3964 nhnttt.exe 2696 tnbtbb.exe 3784 1vddd.exe 4144 1rxrlrl.exe 4168 hhttth.exe 3504 vdjjj.exe 3764 5lrrlll.exe -
resource yara_rule behavioral2/memory/2528-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2800-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-451-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4492-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-743-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xffrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4912 wrote to memory of 4352 4912 a467830b48f4ae74ed93025831647e984c9616ad4bbf4d3450d9cddeb81b54deN.exe 83 PID 4912 wrote to memory of 4352 4912 a467830b48f4ae74ed93025831647e984c9616ad4bbf4d3450d9cddeb81b54deN.exe 83 PID 4912 wrote to memory of 4352 4912 a467830b48f4ae74ed93025831647e984c9616ad4bbf4d3450d9cddeb81b54deN.exe 83 PID 4352 wrote to memory of 2528 4352 xffrfxl.exe 84 PID 4352 wrote to memory of 2528 4352 xffrfxl.exe 84 PID 4352 wrote to memory of 2528 4352 xffrfxl.exe 84 PID 2528 wrote to memory of 3620 2528 nbtnhh.exe 85 PID 2528 wrote to memory of 3620 2528 nbtnhh.exe 85 PID 2528 wrote to memory of 3620 2528 nbtnhh.exe 85 PID 3620 wrote to memory of 1868 3620 jddpv.exe 86 PID 3620 wrote to memory of 1868 3620 jddpv.exe 86 PID 3620 wrote to memory of 1868 3620 jddpv.exe 86 PID 1868 wrote to memory of 3864 1868 rlxlxrx.exe 87 PID 1868 wrote to memory of 3864 1868 rlxlxrx.exe 87 PID 1868 wrote to memory of 3864 1868 rlxlxrx.exe 87 PID 3864 wrote to memory of 2284 3864 9llfrrf.exe 88 PID 3864 wrote to memory of 2284 3864 9llfrrf.exe 88 PID 3864 wrote to memory of 2284 3864 9llfrrf.exe 88 PID 2284 wrote to memory of 3284 2284 bhhhhb.exe 89 PID 2284 wrote to memory of 3284 2284 bhhhhb.exe 89 PID 2284 wrote to memory of 3284 2284 bhhhhb.exe 89 PID 3284 wrote to memory of 1380 3284 jvpdp.exe 90 PID 3284 wrote to memory of 1380 3284 jvpdp.exe 90 PID 3284 wrote to memory of 1380 3284 jvpdp.exe 90 PID 1380 wrote to memory of 4812 1380 ttnhbb.exe 91 PID 1380 wrote to memory of 4812 1380 ttnhbb.exe 91 PID 1380 wrote to memory of 4812 1380 ttnhbb.exe 91 PID 4812 wrote to memory of 2696 4812 ppvpj.exe 92 PID 4812 wrote to memory of 2696 4812 ppvpj.exe 92 PID 4812 wrote to memory of 2696 4812 ppvpj.exe 92 PID 2696 wrote to memory of 2792 2696 pdjdp.exe 93 PID 2696 wrote to memory of 2792 2696 pdjdp.exe 93 PID 2696 wrote to memory of 2792 2696 pdjdp.exe 93 PID 2792 wrote to memory of 924 2792 fflflrx.exe 94 PID 2792 wrote to 
memory of 924 2792 fflflrx.exe 94 PID 2792 wrote to memory of 924 2792 fflflrx.exe 94 PID 924 wrote to memory of 3764 924 jpjjv.exe 95 PID 924 wrote to memory of 3764 924 jpjjv.exe 95 PID 924 wrote to memory of 3764 924 jpjjv.exe 95 PID 3764 wrote to memory of 2652 3764 lllfxxr.exe 96 PID 3764 wrote to memory of 2652 3764 lllfxxr.exe 96 PID 3764 wrote to memory of 2652 3764 lllfxxr.exe 96 PID 2652 wrote to memory of 5100 2652 bntthh.exe 97 PID 2652 wrote to memory of 5100 2652 bntthh.exe 97 PID 2652 wrote to memory of 5100 2652 bntthh.exe 97 PID 5100 wrote to memory of 5076 5100 dvdvd.exe 98 PID 5100 wrote to memory of 5076 5100 dvdvd.exe 98 PID 5100 wrote to memory of 5076 5100 dvdvd.exe 98 PID 5076 wrote to memory of 1988 5076 bttnht.exe 99 PID 5076 wrote to memory of 1988 5076 bttnht.exe 99 PID 5076 wrote to memory of 1988 5076 bttnht.exe 99 PID 1988 wrote to memory of 4948 1988 dvjvp.exe 100 PID 1988 wrote to memory of 4948 1988 dvjvp.exe 100 PID 1988 wrote to memory of 4948 1988 dvjvp.exe 100 PID 4948 wrote to memory of 4488 4948 ffffffl.exe 101 PID 4948 wrote to memory of 4488 4948 ffffffl.exe 101 PID 4948 wrote to memory of 4488 4948 ffffffl.exe 101 PID 4488 wrote to memory of 2184 4488 ttbhnn.exe 102 PID 4488 wrote to memory of 2184 4488 ttbhnn.exe 102 PID 4488 wrote to memory of 2184 4488 ttbhnn.exe 102 PID 2184 wrote to memory of 4016 2184 thhbbh.exe 103 PID 2184 wrote to memory of 4016 2184 thhbbh.exe 103 PID 2184 wrote to memory of 4016 2184 thhbbh.exe 103 PID 4016 wrote to memory of 2988 4016 vppdv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a467830b48f4ae74ed93025831647e984c9616ad4bbf4d3450d9cddeb81b54deN.exe"C:\Users\Admin\AppData\Local\Temp\a467830b48f4ae74ed93025831647e984c9616ad4bbf4d3450d9cddeb81b54deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\xffrfxl.exec:\xffrfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\nbtnhh.exec:\nbtnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\jddpv.exec:\jddpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\rlxlxrx.exec:\rlxlxrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\9llfrrf.exec:\9llfrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\bhhhhb.exec:\bhhhhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\jvpdp.exec:\jvpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\ttnhbb.exec:\ttnhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\ppvpj.exec:\ppvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\pdjdp.exec:\pdjdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\fflflrx.exec:\fflflrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\jpjjv.exec:\jpjjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\lllfxxr.exec:\lllfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\bntthh.exec:\bntthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\dvdvd.exec:\dvdvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\bttnht.exec:\bttnht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\dvjvp.exec:\dvjvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\ffffffl.exec:\ffffffl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\ttbhnn.exec:\ttbhnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\thhbbh.exec:\thhbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\vppdv.exec:\vppdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\3rlfxxr.exec:\3rlfxxr.exe23⤵
- Executes dropped EXE
PID:2988 -
\??\c:\rllfrlx.exec:\rllfrlx.exe24⤵
- Executes dropped EXE
PID:4628 -
\??\c:\tbhbbh.exec:\tbhbbh.exe25⤵
- Executes dropped EXE
PID:2688 -
\??\c:\hhhhbb.exec:\hhhhbb.exe26⤵
- Executes dropped EXE
PID:4448 -
\??\c:\rlllffx.exec:\rlllffx.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3748 -
\??\c:\5ppdp.exec:\5ppdp.exe28⤵
- Executes dropped EXE
PID:2800 -
\??\c:\bhtnhb.exec:\bhtnhb.exe29⤵
- Executes dropped EXE
PID:4784 -
\??\c:\flfrlfx.exec:\flfrlfx.exe30⤵
- Executes dropped EXE
PID:2972 -
\??\c:\bnbtbt.exec:\bnbtbt.exe31⤵
- Executes dropped EXE
PID:4832 -
\??\c:\bnnhbb.exec:\bnnhbb.exe32⤵
- Executes dropped EXE
PID:1168 -
\??\c:\xxlrlrl.exec:\xxlrlrl.exe33⤵
- Executes dropped EXE
PID:4644 -
\??\c:\tbbnnn.exec:\tbbnnn.exe34⤵
- Executes dropped EXE
PID:3928 -
\??\c:\1jvpd.exec:\1jvpd.exe35⤵
- Executes dropped EXE
PID:3588 -
\??\c:\xlrlfrl.exec:\xlrlfrl.exe36⤵
- Executes dropped EXE
PID:1340 -
\??\c:\vdvvp.exec:\vdvvp.exe37⤵
- Executes dropped EXE
PID:1544 -
\??\c:\jpdpv.exec:\jpdpv.exe38⤵
- Executes dropped EXE
PID:1732 -
\??\c:\rfxxrxx.exec:\rfxxrxx.exe39⤵
- Executes dropped EXE
PID:2272 -
\??\c:\bhhnbb.exec:\bhhnbb.exe40⤵
- Executes dropped EXE
PID:1824 -
\??\c:\dpdvj.exec:\dpdvj.exe41⤵
- Executes dropped EXE
PID:4964 -
\??\c:\rrlllrr.exec:\rrlllrr.exe42⤵
- Executes dropped EXE
PID:760 -
\??\c:\rlxrrrr.exec:\rlxrrrr.exe43⤵
- Executes dropped EXE
PID:2044 -
\??\c:\htbbnn.exec:\htbbnn.exe44⤵
- Executes dropped EXE
PID:1372 -
\??\c:\jpdpj.exec:\jpdpj.exe45⤵
- Executes dropped EXE
PID:3636 -
\??\c:\3jvpv.exec:\3jvpv.exe46⤵
- Executes dropped EXE
PID:3068 -
\??\c:\9xlllll.exec:\9xlllll.exe47⤵
- Executes dropped EXE
PID:4932 -
\??\c:\bnnnnt.exec:\bnnnnt.exe48⤵
- Executes dropped EXE
PID:1868 -
\??\c:\bhtthh.exec:\bhtthh.exe49⤵
- Executes dropped EXE
PID:4956 -
\??\c:\dppjd.exec:\dppjd.exe50⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xfxllxx.exec:\xfxllxx.exe51⤵
- Executes dropped EXE
PID:1444 -
\??\c:\httnnn.exec:\httnnn.exe52⤵
- Executes dropped EXE
PID:2284 -
\??\c:\hhhbtt.exec:\hhhbtt.exe53⤵
- Executes dropped EXE
PID:4656 -
\??\c:\pvvdd.exec:\pvvdd.exe54⤵
- Executes dropped EXE
PID:2068 -
\??\c:\5rxxrrl.exec:\5rxxrrl.exe55⤵
- Executes dropped EXE
PID:3284 -
\??\c:\hhhhhh.exec:\hhhhhh.exe56⤵
- Executes dropped EXE
PID:1432 -
\??\c:\7jjjj.exec:\7jjjj.exe57⤵
- Executes dropped EXE
PID:4516 -
\??\c:\rlrlffr.exec:\rlrlffr.exe58⤵
- Executes dropped EXE
PID:1640 -
\??\c:\nhnttt.exec:\nhnttt.exe59⤵
- Executes dropped EXE
PID:3964 -
\??\c:\tnbtbb.exec:\tnbtbb.exe60⤵
- Executes dropped EXE
PID:2696 -
\??\c:\1vddd.exec:\1vddd.exe61⤵
- Executes dropped EXE
PID:3784 -
\??\c:\1rxrlrl.exec:\1rxrlrl.exe62⤵
- Executes dropped EXE
PID:4144 -
\??\c:\hhttth.exec:\hhttth.exe63⤵
- Executes dropped EXE
PID:4168 -
\??\c:\vdjjj.exec:\vdjjj.exe64⤵
- Executes dropped EXE
PID:3504 -
\??\c:\5lrrlll.exec:\5lrrlll.exe65⤵
- Executes dropped EXE
PID:3764 -
\??\c:\xxfffff.exec:\xxfffff.exe66⤵PID:3992
-
\??\c:\hhnnnn.exec:\hhnnnn.exe67⤵PID:804
-
\??\c:\pjjjj.exec:\pjjjj.exe68⤵PID:920
-
\??\c:\vpjjp.exec:\vpjjp.exe69⤵PID:5056
-
\??\c:\flrlflf.exec:\flrlflf.exe70⤵PID:1404
-
\??\c:\nbnhbb.exec:\nbnhbb.exe71⤵PID:1988
-
\??\c:\3jpjd.exec:\3jpjd.exe72⤵PID:3212
-
\??\c:\lfrlflf.exec:\lfrlflf.exe73⤵PID:644
-
\??\c:\thnhht.exec:\thnhht.exe74⤵PID:3188
-
\??\c:\dvpjj.exec:\dvpjj.exe75⤵PID:2184
-
\??\c:\3vvpj.exec:\3vvpj.exe76⤵PID:4032
-
\??\c:\7fxxrlf.exec:\7fxxrlf.exe77⤵PID:4016
-
\??\c:\9nttnn.exec:\9nttnn.exe78⤵PID:1492
-
\??\c:\jjdjp.exec:\jjdjp.exe79⤵PID:2988
-
\??\c:\1flflrl.exec:\1flflrl.exe80⤵PID:4152
-
\??\c:\nthnbh.exec:\nthnbh.exe81⤵PID:4628
-
\??\c:\hbnhnn.exec:\hbnhnn.exe82⤵PID:1320
-
\??\c:\pppjd.exec:\pppjd.exe83⤵PID:2092
-
\??\c:\1fllxxr.exec:\1fllxxr.exe84⤵PID:880
-
\??\c:\hhtnhh.exec:\hhtnhh.exe85⤵PID:2944
-
\??\c:\dpddd.exec:\dpddd.exe86⤵PID:3820
-
\??\c:\xxfrrlf.exec:\xxfrrlf.exe87⤵PID:3336
-
\??\c:\3frlxxx.exec:\3frlxxx.exe88⤵PID:1580
-
\??\c:\hbnntt.exec:\hbnntt.exe89⤵PID:700
-
\??\c:\djpjj.exec:\djpjj.exe90⤵PID:3708
-
\??\c:\xxfxlxl.exec:\xxfxlxl.exe91⤵PID:2972
-
\??\c:\ttbthh.exec:\ttbthh.exe92⤵PID:916
-
\??\c:\pvjjj.exec:\pvjjj.exe93⤵PID:3788
-
\??\c:\llfxffr.exec:\llfxffr.exe94⤵PID:456
-
\??\c:\9ffrllx.exec:\9ffrllx.exe95⤵PID:212
-
\??\c:\tbbnbn.exec:\tbbnbn.exe96⤵PID:1764
-
\??\c:\vpvpj.exec:\vpvpj.exe97⤵PID:4368
-
\??\c:\frfxrrl.exec:\frfxrrl.exe98⤵PID:2148
-
\??\c:\bnhtnn.exec:\bnhtnn.exe99⤵PID:1200
-
\??\c:\pvjdv.exec:\pvjdv.exe100⤵PID:2936
-
\??\c:\xrxfxll.exec:\xrxfxll.exe101⤵PID:5080
-
\??\c:\xlflrrx.exec:\xlflrrx.exe102⤵PID:2240
-
\??\c:\bhbthb.exec:\bhbthb.exe103⤵PID:4316
-
\??\c:\vjjdv.exec:\vjjdv.exe104⤵PID:2556
-
\??\c:\rrrfxxr.exec:\rrrfxxr.exe105⤵PID:4328
-
\??\c:\7hbnhb.exec:\7hbnhb.exe106⤵PID:3116
-
\??\c:\5bbnhh.exec:\5bbnhh.exe107⤵PID:4432
-
\??\c:\vvpdv.exec:\vvpdv.exe108⤵PID:3732
-
\??\c:\rxrrlll.exec:\rxrrlll.exe109⤵PID:3756
-
\??\c:\nnbbbb.exec:\nnbbbb.exe110⤵PID:1276
-
\??\c:\jjpjd.exec:\jjpjd.exe111⤵PID:4704
-
\??\c:\frxxrrr.exec:\frxxrrr.exe112⤵PID:784
-
\??\c:\ffrfrlf.exec:\ffrfrlf.exe113⤵PID:392
-
\??\c:\nhbbtb.exec:\nhbbtb.exe114⤵PID:1932
-
\??\c:\pjvjj.exec:\pjvjj.exe115⤵PID:1048
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe116⤵PID:4492
-
\??\c:\thnnhh.exec:\thnnhh.exe117⤵PID:4656
-
\??\c:\pjpjj.exec:\pjpjj.exe118⤵PID:8
-
\??\c:\lflxfrf.exec:\lflxfrf.exe119⤵PID:1900
-
\??\c:\1nnthb.exec:\1nnthb.exe120⤵PID:1696
-
\??\c:\vjdvp.exec:\vjdvp.exe121⤵PID:3016
-
\??\c:\lllfxxr.exec:\lllfxxr.exe122⤵PID:2236