Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2482edb5085a8bb00156863af39adf6aca6919437a3a0eb765cbe4ec0e245a14N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
2482edb5085a8bb00156863af39adf6aca6919437a3a0eb765cbe4ec0e245a14N.exe
-
Size
454KB
-
MD5
1b02dba29fcb821bc9aab174675a8e30
-
SHA1
66b93b077ec6cbca35d54f3acd467e4271c77686
-
SHA256
2482edb5085a8bb00156863af39adf6aca6919437a3a0eb765cbe4ec0e245a14
-
SHA512
8c3ad84f794363ecd1955366ee9847df65d66dbfa444266642a4d8b349368813e7dd50c6c645dc9ed0778774ecddc3e25d30df7c64e012e8e6716e0258138c7d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2252-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4724-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3812-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-925-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-1051-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-1082-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-1155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-1292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-1365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-1591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2300 nbhttn.exe 3848 7lfrfrf.exe 2568 5hhbth.exe 2628 ffxrffr.exe 468 bhnbnh.exe 3940 jvvvp.exe 3272 xlrlfxx.exe 2020 nnbthb.exe 1864 5djdv.exe 2736 rrrlfxr.exe 3276 hnhhnn.exe 3776 pvppj.exe 3244 vdpdv.exe 3964 3rxrlfx.exe 4044 vpdvj.exe 5068 bhttth.exe 2512 vjjdd.exe 2592 dvdvp.exe 368 9nnntt.exe 1164 ddvjd.exe 404 rxffxxr.exe 2812 bttnhb.exe 2172 1rflxlf.exe 5104 httnbt.exe 3300 dvdvp.exe 3096 fxxrffl.exe 4468 nbbtnh.exe 1816 nhtnbn.exe 1104 pdjvv.exe 4312 3rxlxlf.exe 4900 frxlrlr.exe 1860 thnbtn.exe 3404 9bhttn.exe 4980 9dvpv.exe 3516 fllxrxl.exe 412 frrlffx.exe 2724 bhnbnn.exe 3340 dvpdp.exe 4732 xfxfxfx.exe 2004 bbhnhb.exe 3804 tnhhtn.exe 5072 vpjdp.exe 2640 xxfflff.exe 4368 1rllfxr.exe 3536 7tbbbt.exe 4092 jjjvp.exe 4908 djvpp.exe 4364 xrfrfxl.exe 1244 rfxrffr.exe 1300 9hhnbt.exe 3008 vjdvp.exe 3848 vvdvd.exe 3148 xlrlllf.exe 4724 hbtbhb.exe 2568 hbnhbt.exe 4380 9ddvj.exe 4276 dpjdv.exe 2992 nhttbn.exe 2736 tnbbhb.exe 3276 3jjdv.exe 4124 vdpjj.exe 3068 xrllffl.exe 2600 htnbtn.exe 1052 pvdpd.exe -
resource yara_rule behavioral2/memory/2300-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-275-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2992-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-410-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4372-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-867-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-925-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-929-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-1051-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-1082-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-1155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-1234-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2300 2252 2482edb5085a8bb00156863af39adf6aca6919437a3a0eb765cbe4ec0e245a14N.exe 83 PID 2252 wrote to memory of 2300 2252 2482edb5085a8bb00156863af39adf6aca6919437a3a0eb765cbe4ec0e245a14N.exe 83 PID 2252 wrote to memory of 2300 2252 2482edb5085a8bb00156863af39adf6aca6919437a3a0eb765cbe4ec0e245a14N.exe 83 PID 2300 wrote to memory of 3848 2300 nbhttn.exe 134 PID 2300 wrote to memory of 3848 2300 nbhttn.exe 134 PID 2300 wrote to memory of 3848 2300 nbhttn.exe 134 PID 3848 wrote to memory of 2568 3848 7lfrfrf.exe 137 PID 3848 wrote to memory of 2568 3848 7lfrfrf.exe 137 PID 3848 wrote to memory of 2568 3848 7lfrfrf.exe 137 PID 2568 wrote to memory of 2628 2568 5hhbth.exe 86 PID 2568 wrote to memory of 2628 2568 5hhbth.exe 86 PID 2568 wrote to memory of 2628 2568 5hhbth.exe 86 PID 2628 wrote to memory of 468 2628 ffxrffr.exe 87 PID 2628 wrote to memory of 468 2628 ffxrffr.exe 87 PID 2628 wrote to memory of 468 2628 ffxrffr.exe 87 PID 468 wrote to memory of 3940 468 bhnbnh.exe 88 PID 468 wrote to memory of 3940 468 bhnbnh.exe 88 PID 468 wrote to memory of 3940 468 bhnbnh.exe 88 PID 3940 wrote to memory of 3272 3940 jvvvp.exe 89 PID 3940 wrote to memory of 3272 3940 jvvvp.exe 89 PID 3940 wrote to memory of 3272 3940 jvvvp.exe 89 PID 3272 wrote to memory of 2020 3272 xlrlfxx.exe 90 PID 3272 wrote to memory of 2020 3272 xlrlfxx.exe 90 PID 3272 wrote to memory of 2020 3272 xlrlfxx.exe 90 PID 2020 wrote to memory of 1864 2020 nnbthb.exe 91 PID 2020 wrote to memory of 1864 2020 nnbthb.exe 91 PID 2020 wrote to memory of 1864 2020 nnbthb.exe 91 PID 1864 wrote to memory of 2736 1864 5djdv.exe 141 PID 1864 wrote to memory of 2736 1864 5djdv.exe 141 PID 1864 wrote to memory of 2736 1864 5djdv.exe 141 PID 2736 wrote to memory of 3276 2736 rrrlfxr.exe 93 PID 2736 wrote to memory of 3276 2736 rrrlfxr.exe 93 PID 2736 wrote to memory of 3276 2736 rrrlfxr.exe 93 PID 3276 wrote to memory of 3776 3276 hnhhnn.exe 94 PID 3276 
wrote to memory of 3776 3276 hnhhnn.exe 94 PID 3276 wrote to memory of 3776 3276 hnhhnn.exe 94 PID 3776 wrote to memory of 3244 3776 pvppj.exe 95 PID 3776 wrote to memory of 3244 3776 pvppj.exe 95 PID 3776 wrote to memory of 3244 3776 pvppj.exe 95 PID 3244 wrote to memory of 3964 3244 vdpdv.exe 96 PID 3244 wrote to memory of 3964 3244 vdpdv.exe 96 PID 3244 wrote to memory of 3964 3244 vdpdv.exe 96 PID 3964 wrote to memory of 4044 3964 3rxrlfx.exe 97 PID 3964 wrote to memory of 4044 3964 3rxrlfx.exe 97 PID 3964 wrote to memory of 4044 3964 3rxrlfx.exe 97 PID 4044 wrote to memory of 5068 4044 vpdvj.exe 98 PID 4044 wrote to memory of 5068 4044 vpdvj.exe 98 PID 4044 wrote to memory of 5068 4044 vpdvj.exe 98 PID 5068 wrote to memory of 2512 5068 bhttth.exe 150 PID 5068 wrote to memory of 2512 5068 bhttth.exe 150 PID 5068 wrote to memory of 2512 5068 bhttth.exe 150 PID 2512 wrote to memory of 2592 2512 vjjdd.exe 100 PID 2512 wrote to memory of 2592 2512 vjjdd.exe 100 PID 2512 wrote to memory of 2592 2512 vjjdd.exe 100 PID 2592 wrote to memory of 368 2592 dvdvp.exe 153 PID 2592 wrote to memory of 368 2592 dvdvp.exe 153 PID 2592 wrote to memory of 368 2592 dvdvp.exe 153 PID 368 wrote to memory of 1164 368 9nnntt.exe 102 PID 368 wrote to memory of 1164 368 9nnntt.exe 102 PID 368 wrote to memory of 1164 368 9nnntt.exe 102 PID 1164 wrote to memory of 404 1164 ddvjd.exe 103 PID 1164 wrote to memory of 404 1164 ddvjd.exe 103 PID 1164 wrote to memory of 404 1164 ddvjd.exe 103 PID 404 wrote to memory of 2812 404 rxffxxr.exe 157
Processes
-
C:\Users\Admin\AppData\Local\Temp\2482edb5085a8bb00156863af39adf6aca6919437a3a0eb765cbe4ec0e245a14N.exe"C:\Users\Admin\AppData\Local\Temp\2482edb5085a8bb00156863af39adf6aca6919437a3a0eb765cbe4ec0e245a14N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\nbhttn.exec:\nbhttn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\7lfrfrf.exec:\7lfrfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\5hhbth.exec:\5hhbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\ffxrffr.exec:\ffxrffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\bhnbnh.exec:\bhnbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\jvvvp.exec:\jvvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\xlrlfxx.exec:\xlrlfxx.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\nnbthb.exec:\nnbthb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\5djdv.exec:\5djdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\hnhhnn.exec:\hnhhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\pvppj.exec:\pvppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\vdpdv.exec:\vdpdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\3rxrlfx.exec:\3rxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\vpdvj.exec:\vpdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\bhttth.exec:\bhttth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\vjjdd.exec:\vjjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\dvdvp.exec:\dvdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\9nnntt.exec:\9nnntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\ddvjd.exec:\ddvjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\rxffxxr.exec:\rxffxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\bttnhb.exec:\bttnhb.exe23⤵
- Executes dropped EXE
PID:2812 -
\??\c:\1rflxlf.exec:\1rflxlf.exe24⤵
- Executes dropped EXE
PID:2172 -
\??\c:\httnbt.exec:\httnbt.exe25⤵
- Executes dropped EXE
PID:5104 -
\??\c:\dvdvp.exec:\dvdvp.exe26⤵
- Executes dropped EXE
PID:3300 -
\??\c:\fxxrffl.exec:\fxxrffl.exe27⤵
- Executes dropped EXE
PID:3096 -
\??\c:\nbbtnh.exec:\nbbtnh.exe28⤵
- Executes dropped EXE
PID:4468 -
\??\c:\nhtnbn.exec:\nhtnbn.exe29⤵
- Executes dropped EXE
PID:1816 -
\??\c:\pdjvv.exec:\pdjvv.exe30⤵
- Executes dropped EXE
PID:1104 -
\??\c:\3rxlxlf.exec:\3rxlxlf.exe31⤵
- Executes dropped EXE
PID:4312 -
\??\c:\frxlrlr.exec:\frxlrlr.exe32⤵
- Executes dropped EXE
PID:4900 -
\??\c:\thnbtn.exec:\thnbtn.exe33⤵
- Executes dropped EXE
PID:1860 -
\??\c:\9bhttn.exec:\9bhttn.exe34⤵
- Executes dropped EXE
PID:3404 -
\??\c:\9dvpv.exec:\9dvpv.exe35⤵
- Executes dropped EXE
PID:4980 -
\??\c:\fllxrxl.exec:\fllxrxl.exe36⤵
- Executes dropped EXE
PID:3516 -
\??\c:\frrlffx.exec:\frrlffx.exe37⤵
- Executes dropped EXE
PID:412 -
\??\c:\bhnbnn.exec:\bhnbnn.exe38⤵
- Executes dropped EXE
PID:2724 -
\??\c:\dvpdp.exec:\dvpdp.exe39⤵
- Executes dropped EXE
PID:3340 -
\??\c:\xfxfxfx.exec:\xfxfxfx.exe40⤵
- Executes dropped EXE
PID:4732 -
\??\c:\bbhnhb.exec:\bbhnhb.exe41⤵
- Executes dropped EXE
PID:2004 -
\??\c:\tnhhtn.exec:\tnhhtn.exe42⤵
- Executes dropped EXE
PID:3804 -
\??\c:\vpjdp.exec:\vpjdp.exe43⤵
- Executes dropped EXE
PID:5072 -
\??\c:\xxfflff.exec:\xxfflff.exe44⤵
- Executes dropped EXE
PID:2640 -
\??\c:\1rllfxr.exec:\1rllfxr.exe45⤵
- Executes dropped EXE
PID:4368 -
\??\c:\7tbbbt.exec:\7tbbbt.exe46⤵
- Executes dropped EXE
PID:3536 -
\??\c:\jjjvp.exec:\jjjvp.exe47⤵
- Executes dropped EXE
PID:4092 -
\??\c:\djvpp.exec:\djvpp.exe48⤵
- Executes dropped EXE
PID:4908 -
\??\c:\xrfrfxl.exec:\xrfrfxl.exe49⤵
- Executes dropped EXE
PID:4364 -
\??\c:\rfxrffr.exec:\rfxrffr.exe50⤵
- Executes dropped EXE
PID:1244 -
\??\c:\9hhnbt.exec:\9hhnbt.exe51⤵
- Executes dropped EXE
PID:1300 -
\??\c:\vjdvp.exec:\vjdvp.exe52⤵
- Executes dropped EXE
PID:3008 -
\??\c:\vvdvd.exec:\vvdvd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3848 -
\??\c:\xlrlllf.exec:\xlrlllf.exe54⤵
- Executes dropped EXE
PID:3148 -
\??\c:\hbtbhb.exec:\hbtbhb.exe55⤵
- Executes dropped EXE
PID:4724 -
\??\c:\hbnhbt.exec:\hbnhbt.exe56⤵
- Executes dropped EXE
PID:2568 -
\??\c:\9ddvj.exec:\9ddvj.exe57⤵
- Executes dropped EXE
PID:4380 -
\??\c:\dpjdv.exec:\dpjdv.exe58⤵
- Executes dropped EXE
PID:4276 -
\??\c:\nhttbn.exec:\nhttbn.exe59⤵
- Executes dropped EXE
PID:2992 -
\??\c:\tnbbhb.exec:\tnbbhb.exe60⤵
- Executes dropped EXE
PID:2736 -
\??\c:\3jjdv.exec:\3jjdv.exe61⤵
- Executes dropped EXE
PID:3276 -
\??\c:\vdpjj.exec:\vdpjj.exe62⤵
- Executes dropped EXE
PID:4124 -
\??\c:\xrllffl.exec:\xrllffl.exe63⤵
- Executes dropped EXE
PID:3068 -
\??\c:\htnbtn.exec:\htnbtn.exe64⤵
- Executes dropped EXE
PID:2600 -
\??\c:\pvdpd.exec:\pvdpd.exe65⤵
- Executes dropped EXE
PID:1052 -
\??\c:\xllrxfr.exec:\xllrxfr.exe66⤵PID:4884
-
\??\c:\nnnhtn.exec:\nnnhtn.exe67⤵PID:808
-
\??\c:\ppvpp.exec:\ppvpp.exe68⤵PID:2528
-
\??\c:\rffrfxr.exec:\rffrfxr.exe69⤵PID:2512
-
\??\c:\9nnbtn.exec:\9nnbtn.exe70⤵PID:1060
-
\??\c:\bthhhn.exec:\bthhhn.exe71⤵PID:1576
-
\??\c:\dpdpp.exec:\dpdpp.exe72⤵PID:368
-
\??\c:\1rxlxxx.exec:\1rxlxxx.exe73⤵PID:4304
-
\??\c:\hbbtnh.exec:\hbbtnh.exe74⤵PID:4772
-
\??\c:\pjjvj.exec:\pjjvj.exe75⤵PID:2756
-
\??\c:\3ffrlrf.exec:\3ffrlrf.exe76⤵PID:2812
-
\??\c:\bbhbtn.exec:\bbhbtn.exe77⤵PID:2172
-
\??\c:\fffxxrl.exec:\fffxxrl.exe78⤵PID:4964
-
\??\c:\bhbnnn.exec:\bhbnnn.exe79⤵PID:3892
-
\??\c:\djpjp.exec:\djpjp.exe80⤵PID:764
-
\??\c:\frrfrlf.exec:\frrfrlf.exe81⤵PID:5100
-
\??\c:\7bbttn.exec:\7bbttn.exe82⤵PID:4960
-
\??\c:\nbntth.exec:\nbntth.exe83⤵PID:3812
-
\??\c:\vjjvj.exec:\vjjvj.exe84⤵PID:4252
-
\??\c:\tttbtt.exec:\tttbtt.exe85⤵PID:4572
-
\??\c:\ttnbhh.exec:\ttnbhh.exe86⤵PID:1740
-
\??\c:\thnnhb.exec:\thnnhb.exe87⤵PID:2948
-
\??\c:\3bhnhh.exec:\3bhnhh.exe88⤵PID:2572
-
\??\c:\vvvvp.exec:\vvvvp.exe89⤵PID:3320
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe90⤵PID:4852
-
\??\c:\thbthb.exec:\thbthb.exe91⤵PID:1860
-
\??\c:\tnnnhh.exec:\tnnnhh.exe92⤵PID:820
-
\??\c:\nbnhhh.exec:\nbnhhh.exe93⤵PID:2196
-
\??\c:\3dvpj.exec:\3dvpj.exe94⤵PID:1168
-
\??\c:\llrlfff.exec:\llrlfff.exe95⤵PID:4348
-
\??\c:\nhhnnn.exec:\nhhnnn.exe96⤵PID:2664
-
\??\c:\vpjdv.exec:\vpjdv.exe97⤵PID:1428
-
\??\c:\rrrfxxr.exec:\rrrfxxr.exe98⤵PID:3508
-
\??\c:\hthbbb.exec:\hthbbb.exe99⤵PID:3688
-
\??\c:\1hbntn.exec:\1hbntn.exe100⤵PID:3636
-
\??\c:\dpjvj.exec:\dpjvj.exe101⤵PID:4888
-
\??\c:\xflfffl.exec:\xflfffl.exe102⤵PID:628
-
\??\c:\nbhtnh.exec:\nbhtnh.exe103⤵PID:5072
-
\??\c:\jvdjv.exec:\jvdjv.exe104⤵PID:3864
-
\??\c:\dpjdj.exec:\dpjdj.exe105⤵PID:3032
-
\??\c:\rxrxllf.exec:\rxrxllf.exe106⤵PID:640
-
\??\c:\nhnnhb.exec:\nhnnhb.exe107⤵PID:4788
-
\??\c:\bnnhtn.exec:\bnnhtn.exe108⤵PID:2712
-
\??\c:\ppdvp.exec:\ppdvp.exe109⤵PID:4372
-
\??\c:\xxrxlxf.exec:\xxrxlxf.exe110⤵PID:4708
-
\??\c:\hbbthb.exec:\hbbthb.exe111⤵PID:4296
-
\??\c:\vddvv.exec:\vddvv.exe112⤵PID:4484
-
\??\c:\pjvvv.exec:\pjvvv.exe113⤵PID:3008
-
\??\c:\fffrlrr.exec:\fffrlrr.exe114⤵PID:3380
-
\??\c:\nhhbtb.exec:\nhhbtb.exe115⤵PID:1560
-
\??\c:\vjdjj.exec:\vjdjj.exe116⤵PID:4724
-
\??\c:\7rlrfrl.exec:\7rlrfrl.exe117⤵PID:2568
-
\??\c:\9hnbhb.exec:\9hnbhb.exe118⤵PID:4000
-
\??\c:\jdjdv.exec:\jdjdv.exe119⤵PID:2368
-
\??\c:\vvppv.exec:\vvppv.exe120⤵PID:4936
-
\??\c:\5xxxrxx.exec:\5xxxrxx.exe121⤵PID:4300
-
\??\c:\bthbtn.exec:\bthbtn.exe122⤵PID:4200