Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
26-12-2024 01:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a8243d78cd67f1d23df9d6a8882266baf5fee8b6c0699a31928cfbd3ccc50510N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a8243d78cd67f1d23df9d6a8882266baf5fee8b6c0699a31928cfbd3ccc50510N.exe
-
Size
456KB
-
MD5
bcd03d2bfe25f8c17b07b6f38dbcf9d0
-
SHA1
b9725e856ff0b1bb855ed16809b0ce436126cd52
-
SHA256
a8243d78cd67f1d23df9d6a8882266baf5fee8b6c0699a31928cfbd3ccc50510
-
SHA512
5c236f9c80de418d0a0d13e78f8206f49a6cb238c8a74daa56a9b456d9dd94d005cffca04c18a8f842b295447a13cdb4d94423bb85a9820a953b92607fa8a186
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRZ:q7Tc2NYHUrAwfMp3CDRZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs — every hit is on a memory dump of the 0x00400000–0x0042A000 image range of a process in the spawn chain, and the `upx` rule below matches the same ranges; this suggests the rule is firing on the unpacked in-memory image rather than on the packed file on disk, so on-disk hash/YARA matching of the sample alone may not reproduce this detection.
resource yara_rule behavioral2/memory/4024-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/588-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1872-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-1136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-1182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — each dropped binary is written to the drive root (`\??\c:\<name>.exe`, see the process tree below) under a name built from the letters b/d/f/h/j/l/n/p/r/t/v/x with an optional leading digit, and each process launches the next one, forming a chain more than 120 levels deep in the observed run. Note that the sample executed as the `Admin` user here; writing to the root of C:\ normally requires elevated rights, so behaviour on a standard-user host may differ and is not established by this report.
pid Process 1436 rlrlrlx.exe 3168 ddvjd.exe 2908 pvpjd.exe 2240 7nbtnh.exe 1208 1ffrllr.exe 760 9xlfffx.exe 1264 vjppj.exe 3988 rfllrrr.exe 460 dvddj.exe 3824 rrlllll.exe 4188 nnhhbh.exe 3252 btbtnh.exe 3400 9rrlllf.exe 3540 9lrrlrl.exe 2568 nbbtbt.exe 3204 7rxrlxr.exe 1704 tbnnnn.exe 3304 ffxxxff.exe 512 lxffxxx.exe 1616 nhhbbb.exe 2072 xffxlfx.exe 4336 ppvvp.exe 588 bhhhhh.exe 2960 ffxxxxx.exe 4100 9xxxrrr.exe 4528 tntttt.exe 2748 hnhhbb.exe 3272 5nnhhh.exe 1992 1xrrrrr.exe 3020 3dvpj.exe 2828 frlffxx.exe 1432 9httbh.exe 944 nnhbbb.exe 1284 pvvpp.exe 3152 btbhhh.exe 1692 tnhbbn.exe 1644 jpvdv.exe 4880 lrlxrff.exe 3500 lxfxrrr.exe 3208 tthbnn.exe 668 3dvvp.exe 3332 lrxfllf.exe 4456 rxxrlll.exe 4408 hhbhhh.exe 3408 ddpjv.exe 4680 rxxrrfx.exe 4588 nhnnhh.exe 4360 btbbtt.exe 3736 pvvvv.exe 532 vpppj.exe 2908 frfffff.exe 3336 tbthbn.exe 2264 dpppj.exe 2288 rxlrxxf.exe 1148 flllllr.exe 1484 bhhhtt.exe 4464 3vdvd.exe 3464 lrrrffl.exe 3988 lxlllrr.exe 4884 7bhbtt.exe 716 7rrrxff.exe 4572 btnhbb.exe 2944 hhhbbt.exe 1196 jvjpp.exe -
resource yara_rule behavioral2/memory/4024-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-136-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2960-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/588-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-322-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4920-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-668-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: reads of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language` are also made by many benign programs and runtimes during locale initialisation, so this signature is a weak indicator on its own; treat it as supporting context for the Blackmoon and UPX memory detections above, not as independent evidence.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — every entry below is a parent writing into the child it has just spawned (each parent→child pair is recorded three times per hop, matching the process tree), and no writes into unrelated or pre-existing processes are listed. Parent-to-child writes at spawn time are also produced by ordinary process creation, so this signature by itself does not establish code injection; the in-memory YARA hits above are the stronger evidence of what actually runs in each child.
description pid Process procid_target PID 4024 wrote to memory of 1436 4024 a8243d78cd67f1d23df9d6a8882266baf5fee8b6c0699a31928cfbd3ccc50510N.exe 83 PID 4024 wrote to memory of 1436 4024 a8243d78cd67f1d23df9d6a8882266baf5fee8b6c0699a31928cfbd3ccc50510N.exe 83 PID 4024 wrote to memory of 1436 4024 a8243d78cd67f1d23df9d6a8882266baf5fee8b6c0699a31928cfbd3ccc50510N.exe 83 PID 1436 wrote to memory of 3168 1436 rlrlrlx.exe 84 PID 1436 wrote to memory of 3168 1436 rlrlrlx.exe 84 PID 1436 wrote to memory of 3168 1436 rlrlrlx.exe 84 PID 3168 wrote to memory of 2908 3168 ddvjd.exe 85 PID 3168 wrote to memory of 2908 3168 ddvjd.exe 85 PID 3168 wrote to memory of 2908 3168 ddvjd.exe 85 PID 2908 wrote to memory of 2240 2908 pvpjd.exe 86 PID 2908 wrote to memory of 2240 2908 pvpjd.exe 86 PID 2908 wrote to memory of 2240 2908 pvpjd.exe 86 PID 2240 wrote to memory of 1208 2240 7nbtnh.exe 87 PID 2240 wrote to memory of 1208 2240 7nbtnh.exe 87 PID 2240 wrote to memory of 1208 2240 7nbtnh.exe 87 PID 1208 wrote to memory of 760 1208 1ffrllr.exe 88 PID 1208 wrote to memory of 760 1208 1ffrllr.exe 88 PID 1208 wrote to memory of 760 1208 1ffrllr.exe 88 PID 760 wrote to memory of 1264 760 9xlfffx.exe 89 PID 760 wrote to memory of 1264 760 9xlfffx.exe 89 PID 760 wrote to memory of 1264 760 9xlfffx.exe 89 PID 1264 wrote to memory of 3988 1264 vjppj.exe 90 PID 1264 wrote to memory of 3988 1264 vjppj.exe 90 PID 1264 wrote to memory of 3988 1264 vjppj.exe 90 PID 3988 wrote to memory of 460 3988 rfllrrr.exe 91 PID 3988 wrote to memory of 460 3988 rfllrrr.exe 91 PID 3988 wrote to memory of 460 3988 rfllrrr.exe 91 PID 460 wrote to memory of 3824 460 dvddj.exe 92 PID 460 wrote to memory of 3824 460 dvddj.exe 92 PID 460 wrote to memory of 3824 460 dvddj.exe 92 PID 3824 wrote to memory of 4188 3824 rrlllll.exe 93 PID 3824 wrote to memory of 4188 3824 rrlllll.exe 93 PID 3824 wrote to memory of 4188 3824 rrlllll.exe 93 PID 4188 wrote to memory of 3252 4188 nnhhbh.exe 94 PID 4188 wrote to memory of 
3252 4188 nnhhbh.exe 94 PID 4188 wrote to memory of 3252 4188 nnhhbh.exe 94 PID 3252 wrote to memory of 3400 3252 btbtnh.exe 95 PID 3252 wrote to memory of 3400 3252 btbtnh.exe 95 PID 3252 wrote to memory of 3400 3252 btbtnh.exe 95 PID 3400 wrote to memory of 3540 3400 9rrlllf.exe 96 PID 3400 wrote to memory of 3540 3400 9rrlllf.exe 96 PID 3400 wrote to memory of 3540 3400 9rrlllf.exe 96 PID 3540 wrote to memory of 2568 3540 9lrrlrl.exe 97 PID 3540 wrote to memory of 2568 3540 9lrrlrl.exe 97 PID 3540 wrote to memory of 2568 3540 9lrrlrl.exe 97 PID 2568 wrote to memory of 3204 2568 nbbtbt.exe 98 PID 2568 wrote to memory of 3204 2568 nbbtbt.exe 98 PID 2568 wrote to memory of 3204 2568 nbbtbt.exe 98 PID 3204 wrote to memory of 1704 3204 7rxrlxr.exe 99 PID 3204 wrote to memory of 1704 3204 7rxrlxr.exe 99 PID 3204 wrote to memory of 1704 3204 7rxrlxr.exe 99 PID 1704 wrote to memory of 3304 1704 tbnnnn.exe 100 PID 1704 wrote to memory of 3304 1704 tbnnnn.exe 100 PID 1704 wrote to memory of 3304 1704 tbnnnn.exe 100 PID 3304 wrote to memory of 512 3304 ffxxxff.exe 101 PID 3304 wrote to memory of 512 3304 ffxxxff.exe 101 PID 3304 wrote to memory of 512 3304 ffxxxff.exe 101 PID 512 wrote to memory of 1616 512 lxffxxx.exe 102 PID 512 wrote to memory of 1616 512 lxffxxx.exe 102 PID 512 wrote to memory of 1616 512 lxffxxx.exe 102 PID 1616 wrote to memory of 2072 1616 nhhbbb.exe 103 PID 1616 wrote to memory of 2072 1616 nhhbbb.exe 103 PID 1616 wrote to memory of 2072 1616 nhhbbb.exe 103 PID 2072 wrote to memory of 4336 2072 xffxlfx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8243d78cd67f1d23df9d6a8882266baf5fee8b6c0699a31928cfbd3ccc50510N.exe"C:\Users\Admin\AppData\Local\Temp\a8243d78cd67f1d23df9d6a8882266baf5fee8b6c0699a31928cfbd3ccc50510N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\rlrlrlx.exec:\rlrlrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\ddvjd.exec:\ddvjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\pvpjd.exec:\pvpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\7nbtnh.exec:\7nbtnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\1ffrllr.exec:\1ffrllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\9xlfffx.exec:\9xlfffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\vjppj.exec:\vjppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\rfllrrr.exec:\rfllrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\dvddj.exec:\dvddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\rrlllll.exec:\rrlllll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\nnhhbh.exec:\nnhhbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\btbtnh.exec:\btbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\9rrlllf.exec:\9rrlllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\9lrrlrl.exec:\9lrrlrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\nbbtbt.exec:\nbbtbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\7rxrlxr.exec:\7rxrlxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\tbnnnn.exec:\tbnnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\ffxxxff.exec:\ffxxxff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\lxffxxx.exec:\lxffxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\nhhbbb.exec:\nhhbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\xffxlfx.exec:\xffxlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\ppvvp.exec:\ppvvp.exe23⤵
- Executes dropped EXE
PID:4336 -
\??\c:\bhhhhh.exec:\bhhhhh.exe24⤵
- Executes dropped EXE
PID:588 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe25⤵
- Executes dropped EXE
PID:2960 -
\??\c:\9xxxrrr.exec:\9xxxrrr.exe26⤵
- Executes dropped EXE
PID:4100 -
\??\c:\tntttt.exec:\tntttt.exe27⤵
- Executes dropped EXE
PID:4528 -
\??\c:\hnhhbb.exec:\hnhhbb.exe28⤵
- Executes dropped EXE
PID:2748 -
\??\c:\5nnhhh.exec:\5nnhhh.exe29⤵
- Executes dropped EXE
PID:3272 -
\??\c:\1xrrrrr.exec:\1xrrrrr.exe30⤵
- Executes dropped EXE
PID:1992 -
\??\c:\3dvpj.exec:\3dvpj.exe31⤵
- Executes dropped EXE
PID:3020 -
\??\c:\frlffxx.exec:\frlffxx.exe32⤵
- Executes dropped EXE
PID:2828 -
\??\c:\9httbh.exec:\9httbh.exe33⤵
- Executes dropped EXE
PID:1432 -
\??\c:\nnhbbb.exec:\nnhbbb.exe34⤵
- Executes dropped EXE
PID:944 -
\??\c:\pvvpp.exec:\pvvpp.exe35⤵
- Executes dropped EXE
PID:1284 -
\??\c:\btbhhh.exec:\btbhhh.exe36⤵
- Executes dropped EXE
PID:3152 -
\??\c:\tnhbbn.exec:\tnhbbn.exe37⤵
- Executes dropped EXE
PID:1692 -
\??\c:\jpvdv.exec:\jpvdv.exe38⤵
- Executes dropped EXE
PID:1644 -
\??\c:\lrlxrff.exec:\lrlxrff.exe39⤵
- Executes dropped EXE
PID:4880 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe40⤵
- Executes dropped EXE
PID:3500 -
\??\c:\tthbnn.exec:\tthbnn.exe41⤵
- Executes dropped EXE
PID:3208 -
\??\c:\3dvvp.exec:\3dvvp.exe42⤵
- Executes dropped EXE
PID:668 -
\??\c:\lrxfllf.exec:\lrxfllf.exe43⤵
- Executes dropped EXE
PID:3332 -
\??\c:\rxxrlll.exec:\rxxrlll.exe44⤵
- Executes dropped EXE
PID:4456 -
\??\c:\hhbhhh.exec:\hhbhhh.exe45⤵
- Executes dropped EXE
PID:4408 -
\??\c:\ddpjv.exec:\ddpjv.exe46⤵
- Executes dropped EXE
PID:3408 -
\??\c:\rxxrrfx.exec:\rxxrrfx.exe47⤵
- Executes dropped EXE
PID:4680 -
\??\c:\nhnnhh.exec:\nhnnhh.exe48⤵
- Executes dropped EXE
PID:4588 -
\??\c:\btbbtt.exec:\btbbtt.exe49⤵
- Executes dropped EXE
PID:4360 -
\??\c:\pvvvv.exec:\pvvvv.exe50⤵
- Executes dropped EXE
PID:3736 -
\??\c:\vpppj.exec:\vpppj.exe51⤵
- Executes dropped EXE
PID:532 -
\??\c:\frfffff.exec:\frfffff.exe52⤵
- Executes dropped EXE
PID:2908 -
\??\c:\tbthbn.exec:\tbthbn.exe53⤵
- Executes dropped EXE
PID:3336 -
\??\c:\dpppj.exec:\dpppj.exe54⤵
- Executes dropped EXE
PID:2264 -
\??\c:\rxlrxxf.exec:\rxlrxxf.exe55⤵
- Executes dropped EXE
PID:2288 -
\??\c:\flllllr.exec:\flllllr.exe56⤵
- Executes dropped EXE
PID:1148 -
\??\c:\bhhhtt.exec:\bhhhtt.exe57⤵
- Executes dropped EXE
PID:1484 -
\??\c:\3vdvd.exec:\3vdvd.exe58⤵
- Executes dropped EXE
PID:4464 -
\??\c:\lrrrffl.exec:\lrrrffl.exe59⤵
- Executes dropped EXE
PID:3464 -
\??\c:\lxlllrr.exec:\lxlllrr.exe60⤵
- Executes dropped EXE
PID:3988 -
\??\c:\7bhbtt.exec:\7bhbtt.exe61⤵
- Executes dropped EXE
PID:4884 -
\??\c:\7rrrxff.exec:\7rrrxff.exe62⤵
- Executes dropped EXE
PID:716 -
\??\c:\btnhbb.exec:\btnhbb.exe63⤵
- Executes dropped EXE
PID:4572 -
\??\c:\hhhbbt.exec:\hhhbbt.exe64⤵
- Executes dropped EXE
PID:2944 -
\??\c:\jvjpp.exec:\jvjpp.exe65⤵
- Executes dropped EXE
PID:1196 -
\??\c:\3llfxxr.exec:\3llfxxr.exe66⤵PID:2728
-
\??\c:\9bbtnn.exec:\9bbtnn.exe67⤵PID:3732
-
\??\c:\1tbtnn.exec:\1tbtnn.exe68⤵PID:212
-
\??\c:\9jddd.exec:\9jddd.exe69⤵PID:1016
-
\??\c:\rrlfflf.exec:\rrlfflf.exe70⤵
- System Location Discovery: System Language Discovery
PID:3156 -
\??\c:\bhntbb.exec:\bhntbb.exe71⤵PID:1872
-
\??\c:\vvdpj.exec:\vvdpj.exe72⤵PID:1708
-
\??\c:\ffrrxxr.exec:\ffrrxxr.exe73⤵PID:4840
-
\??\c:\hnhhht.exec:\hnhhht.exe74⤵PID:4712
-
\??\c:\tbhntt.exec:\tbhntt.exe75⤵PID:4920
-
\??\c:\pvppp.exec:\pvppp.exe76⤵PID:4472
-
\??\c:\llrlffx.exec:\llrlffx.exe77⤵PID:3652
-
\??\c:\1xrrllf.exec:\1xrrllf.exe78⤵
- System Location Discovery: System Language Discovery
PID:4580 -
\??\c:\bbtttb.exec:\bbtttb.exe79⤵PID:4924
-
\??\c:\pjppj.exec:\pjppj.exe80⤵PID:2072
-
\??\c:\fffflrl.exec:\fffflrl.exe81⤵PID:552
-
\??\c:\xrllflf.exec:\xrllflf.exe82⤵PID:908
-
\??\c:\bttnhh.exec:\bttnhh.exe83⤵PID:2436
-
\??\c:\jvdvp.exec:\jvdvp.exe84⤵PID:1168
-
\??\c:\7xrlllx.exec:\7xrlllx.exe85⤵PID:1136
-
\??\c:\bhnhnn.exec:\bhnhnn.exe86⤵PID:2024
-
\??\c:\9pppj.exec:\9pppj.exe87⤵PID:2300
-
\??\c:\pppjd.exec:\pppjd.exe88⤵PID:4000
-
\??\c:\lflfxxr.exec:\lflfxxr.exe89⤵PID:3368
-
\??\c:\ffffxxf.exec:\ffffxxf.exe90⤵PID:2472
-
\??\c:\7btnhh.exec:\7btnhh.exe91⤵PID:3800
-
\??\c:\vdjjj.exec:\vdjjj.exe92⤵PID:4348
-
\??\c:\xrxrllx.exec:\xrxrllx.exe93⤵PID:112
-
\??\c:\xfxxrrl.exec:\xfxxrrl.exe94⤵PID:2828
-
\??\c:\thnnhn.exec:\thnnhn.exe95⤵PID:656
-
\??\c:\7pdvd.exec:\7pdvd.exe96⤵PID:2428
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe97⤵PID:3136
-
\??\c:\rxrlffx.exec:\rxrlffx.exe98⤵PID:4648
-
\??\c:\nbbtbb.exec:\nbbtbb.exe99⤵PID:4452
-
\??\c:\3djpj.exec:\3djpj.exe100⤵PID:4596
-
\??\c:\rrlllll.exec:\rrlllll.exe101⤵PID:1668
-
\??\c:\hhhbbb.exec:\hhhbbb.exe102⤵PID:3708
-
\??\c:\bhhhbb.exec:\bhhhbb.exe103⤵PID:2868
-
\??\c:\pjpjj.exec:\pjpjj.exe104⤵PID:1908
-
\??\c:\lfxxxxx.exec:\lfxxxxx.exe105⤵PID:2996
-
\??\c:\rlffxxx.exec:\rlffxxx.exe106⤵PID:3332
-
\??\c:\ntbbtt.exec:\ntbbtt.exe107⤵PID:4548
-
\??\c:\ppppj.exec:\ppppj.exe108⤵PID:4060
-
\??\c:\xfxxfff.exec:\xfxxfff.exe109⤵PID:1636
-
\??\c:\bbnnhn.exec:\bbnnhn.exe110⤵PID:3980
-
\??\c:\hhtntt.exec:\hhtntt.exe111⤵PID:3616
-
\??\c:\vjvpv.exec:\vjvpv.exe112⤵PID:4752
-
\??\c:\5ffllll.exec:\5ffllll.exe113⤵PID:2228
-
\??\c:\tnhbtt.exec:\tnhbtt.exe114⤵PID:2296
-
\??\c:\dpvpp.exec:\dpvpp.exe115⤵PID:244
-
\??\c:\jvjdv.exec:\jvjdv.exe116⤵
- System Location Discovery: System Language Discovery
PID:2240 -
\??\c:\9lllffx.exec:\9lllffx.exe117⤵PID:2900
-
\??\c:\nbhhhh.exec:\nbhhhh.exe118⤵PID:4420
-
\??\c:\1bnhnn.exec:\1bnhnn.exe119⤵PID:4576
-
\??\c:\ppvvp.exec:\ppvvp.exe120⤵
- System Location Discovery: System Language Discovery
PID:4216 -
\??\c:\pdvvp.exec:\pdvvp.exe121⤵PID:1464
-
\??\c:\hbhhth.exec:\hbhhth.exe122⤵PID:3320