Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe
-
Size
454KB
-
MD5
0513969b95472b1d9ee2914d3e128090
-
SHA1
9e53fbd23675a914872bf2fe064196e3e8c2ddc7
-
SHA256
902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09
-
SHA512
a362a1137e7f7d8891fce1aac34c0b96e542d0c5978fe16f4902ff5fef3198f00c99ad4e47cf453b594814abf25d77b14436b89870a7170a9bf23a62393cd86d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec4:q7Tc2NYHUrAwfMp3CDc4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2368-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4684-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3504-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-1269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-1399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-1564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4932-1586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4792 xxfxxrr.exe 896 pdjdd.exe 4804 lxfxrrl.exe 1916 7rfrxxx.exe 1084 nnnhbt.exe 5008 9pjjd.exe 3264 lffxrxr.exe 4308 ttnntn.exe 4824 hntttn.exe 2996 vvdpj.exe 4052 hbbbtt.exe 1452 jvdvp.exe 872 lxxrxxr.exe 32 bhnhbb.exe 1440 ppppd.exe 4188 7fxxrrr.exe 1120 ddppp.exe 1564 5rrlffx.exe 60 lrxlxfx.exe 4292 ntbttn.exe 2936 pdvvp.exe 1700 nnnhbb.exe 2416 rxffxlf.exe 4684 ttbthh.exe 2056 1jddv.exe 4176 7rlffff.exe 3452 bhnnhb.exe 5048 lxlfxxx.exe 2408 nbbbtt.exe 4688 pdjdd.exe 3904 rrffrxx.exe 4524 nnbnhb.exe 4072 vjjdp.exe 2232 tbhbnn.exe 2356 nhhbnn.exe 3260 pjvvd.exe 3368 lfrllfl.exe 4320 nhnnhh.exe 3148 btnthh.exe 1072 dvvjv.exe 960 rrfxlll.exe 1620 xrrrlrl.exe 3460 tbtbht.exe 952 vdvdd.exe 1372 bntnhh.exe 4100 1vvdj.exe 1400 lfffxxx.exe 3832 bhbtnn.exe 1476 thhbnn.exe 3708 jpdvv.exe 3700 9rfrlrl.exe 4620 rlrlffl.exe 4372 htbhhb.exe 2708 pvdvd.exe 4792 5xrlxxr.exe 3488 tnnhbb.exe 3724 9jjjj.exe 4284 rlfxllf.exe 1744 xrrlllf.exe 3064 hhbbbt.exe 2468 3frlllr.exe 3164 rflfxxr.exe 3972 1bbbtt.exe 2304 vvjdv.exe -
resource yara_rule behavioral2/memory/2368-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3452-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-386-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1296-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-1269-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffxxr.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 4792 2368 902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe 82 PID 2368 wrote to memory of 4792 2368 902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe 82 PID 2368 wrote to memory of 4792 2368 902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe 82 PID 4792 wrote to memory of 896 4792 xxfxxrr.exe 83 PID 4792 wrote to memory of 896 4792 xxfxxrr.exe 83 PID 4792 wrote to memory of 896 4792 xxfxxrr.exe 83 PID 896 wrote to memory of 4804 896 pdjdd.exe 84 PID 896 wrote to memory of 4804 896 pdjdd.exe 84 PID 896 wrote to memory of 4804 896 pdjdd.exe 84 PID 4804 wrote to memory of 1916 4804 lxfxrrl.exe 85 PID 4804 wrote to memory of 1916 4804 lxfxrrl.exe 85 PID 4804 wrote to memory of 1916 4804 lxfxrrl.exe 85 PID 1916 wrote to memory of 1084 1916 7rfrxxx.exe 86 PID 1916 wrote to memory of 1084 1916 7rfrxxx.exe 86 PID 1916 wrote to memory of 1084 1916 7rfrxxx.exe 86 PID 1084 wrote to memory of 5008 1084 nnnhbt.exe 87 PID 1084 wrote to memory of 5008 1084 nnnhbt.exe 87 PID 1084 wrote to memory of 5008 1084 nnnhbt.exe 87 PID 5008 wrote to memory of 3264 5008 9pjjd.exe 88 PID 5008 wrote to memory of 3264 5008 9pjjd.exe 88 PID 5008 wrote to memory of 3264 5008 9pjjd.exe 88 PID 3264 wrote to memory of 4308 3264 lffxrxr.exe 89 PID 3264 wrote to memory of 4308 3264 lffxrxr.exe 89 PID 3264 wrote to memory of 4308 3264 lffxrxr.exe 89 PID 4308 wrote to memory of 4824 4308 ttnntn.exe 90 PID 4308 wrote to memory of 4824 4308 ttnntn.exe 90 PID 4308 wrote to memory of 4824 4308 ttnntn.exe 90 PID 4824 wrote to memory of 2996 4824 hntttn.exe 91 PID 4824 wrote to memory of 2996 4824 hntttn.exe 91 PID 4824 wrote to memory of 2996 4824 hntttn.exe 91 PID 2996 wrote to memory of 4052 2996 vvdpj.exe 92 PID 2996 wrote to memory of 4052 2996 vvdpj.exe 92 PID 2996 wrote to memory of 4052 2996 vvdpj.exe 92 PID 4052 wrote to memory of 1452 4052 hbbbtt.exe 93 PID 4052 wrote to 
memory of 1452 4052 hbbbtt.exe 93 PID 4052 wrote to memory of 1452 4052 hbbbtt.exe 93 PID 1452 wrote to memory of 872 1452 jvdvp.exe 94 PID 1452 wrote to memory of 872 1452 jvdvp.exe 94 PID 1452 wrote to memory of 872 1452 jvdvp.exe 94 PID 872 wrote to memory of 32 872 lxxrxxr.exe 95 PID 872 wrote to memory of 32 872 lxxrxxr.exe 95 PID 872 wrote to memory of 32 872 lxxrxxr.exe 95 PID 32 wrote to memory of 1440 32 bhnhbb.exe 96 PID 32 wrote to memory of 1440 32 bhnhbb.exe 96 PID 32 wrote to memory of 1440 32 bhnhbb.exe 96 PID 1440 wrote to memory of 4188 1440 ppppd.exe 97 PID 1440 wrote to memory of 4188 1440 ppppd.exe 97 PID 1440 wrote to memory of 4188 1440 ppppd.exe 97 PID 4188 wrote to memory of 1120 4188 7fxxrrr.exe 98 PID 4188 wrote to memory of 1120 4188 7fxxrrr.exe 98 PID 4188 wrote to memory of 1120 4188 7fxxrrr.exe 98 PID 1120 wrote to memory of 1564 1120 ddppp.exe 99 PID 1120 wrote to memory of 1564 1120 ddppp.exe 99 PID 1120 wrote to memory of 1564 1120 ddppp.exe 99 PID 1564 wrote to memory of 60 1564 5rrlffx.exe 100 PID 1564 wrote to memory of 60 1564 5rrlffx.exe 100 PID 1564 wrote to memory of 60 1564 5rrlffx.exe 100 PID 60 wrote to memory of 4292 60 lrxlxfx.exe 101 PID 60 wrote to memory of 4292 60 lrxlxfx.exe 101 PID 60 wrote to memory of 4292 60 lrxlxfx.exe 101 PID 4292 wrote to memory of 2936 4292 ntbttn.exe 102 PID 4292 wrote to memory of 2936 4292 ntbttn.exe 102 PID 4292 wrote to memory of 2936 4292 ntbttn.exe 102 PID 2936 wrote to memory of 1700 2936 pdvvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe"C:\Users\Admin\AppData\Local\Temp\902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\xxfxxrr.exec:\xxfxxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\pdjdd.exec:\pdjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\7rfrxxx.exec:\7rfrxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\nnnhbt.exec:\nnnhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\9pjjd.exec:\9pjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\lffxrxr.exec:\lffxrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\ttnntn.exec:\ttnntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\hntttn.exec:\hntttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\vvdpj.exec:\vvdpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\hbbbtt.exec:\hbbbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\jvdvp.exec:\jvdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\lxxrxxr.exec:\lxxrxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\bhnhbb.exec:\bhnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\ppppd.exec:\ppppd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\7fxxrrr.exec:\7fxxrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\ddppp.exec:\ddppp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\5rrlffx.exec:\5rrlffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\lrxlxfx.exec:\lrxlxfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\ntbttn.exec:\ntbttn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\pdvvp.exec:\pdvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\nnnhbb.exec:\nnnhbb.exe23⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rxffxlf.exec:\rxffxlf.exe24⤵
- Executes dropped EXE
PID:2416 -
\??\c:\ttbthh.exec:\ttbthh.exe25⤵
- Executes dropped EXE
PID:4684 -
\??\c:\1jddv.exec:\1jddv.exe26⤵
- Executes dropped EXE
PID:2056 -
\??\c:\7rlffff.exec:\7rlffff.exe27⤵
- Executes dropped EXE
PID:4176 -
\??\c:\bhnnhb.exec:\bhnnhb.exe28⤵
- Executes dropped EXE
PID:3452 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe29⤵
- Executes dropped EXE
PID:5048 -
\??\c:\nbbbtt.exec:\nbbbtt.exe30⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pdjdd.exec:\pdjdd.exe31⤵
- Executes dropped EXE
PID:4688 -
\??\c:\rrffrxx.exec:\rrffrxx.exe32⤵
- Executes dropped EXE
PID:3904 -
\??\c:\nnbnhb.exec:\nnbnhb.exe33⤵
- Executes dropped EXE
PID:4524 -
\??\c:\vjjdp.exec:\vjjdp.exe34⤵
- Executes dropped EXE
PID:4072 -
\??\c:\tbhbnn.exec:\tbhbnn.exe35⤵
- Executes dropped EXE
PID:2232 -
\??\c:\nhhbnn.exec:\nhhbnn.exe36⤵
- Executes dropped EXE
PID:2356 -
\??\c:\pjvvd.exec:\pjvvd.exe37⤵
- Executes dropped EXE
PID:3260 -
\??\c:\lfrllfl.exec:\lfrllfl.exe38⤵
- Executes dropped EXE
PID:3368 -
\??\c:\nhnnhh.exec:\nhnnhh.exe39⤵
- Executes dropped EXE
PID:4320 -
\??\c:\btnthh.exec:\btnthh.exe40⤵
- Executes dropped EXE
PID:3148 -
\??\c:\dvvjv.exec:\dvvjv.exe41⤵
- Executes dropped EXE
PID:1072 -
\??\c:\rrfxlll.exec:\rrfxlll.exe42⤵
- Executes dropped EXE
PID:960 -
\??\c:\xrrrlrl.exec:\xrrrlrl.exe43⤵
- Executes dropped EXE
PID:1620 -
\??\c:\tbtbht.exec:\tbtbht.exe44⤵
- Executes dropped EXE
PID:3460 -
\??\c:\vdvdd.exec:\vdvdd.exe45⤵
- Executes dropped EXE
PID:952 -
\??\c:\bntnhh.exec:\bntnhh.exe46⤵
- Executes dropped EXE
PID:1372 -
\??\c:\1vvdj.exec:\1vvdj.exe47⤵
- Executes dropped EXE
PID:4100 -
\??\c:\lfffxxx.exec:\lfffxxx.exe48⤵
- Executes dropped EXE
PID:1400 -
\??\c:\bhbtnn.exec:\bhbtnn.exe49⤵
- Executes dropped EXE
PID:3832 -
\??\c:\thhbnn.exec:\thhbnn.exe50⤵
- Executes dropped EXE
PID:1476 -
\??\c:\jpdvv.exec:\jpdvv.exe51⤵
- Executes dropped EXE
PID:3708 -
\??\c:\9rfrlrl.exec:\9rfrlrl.exe52⤵
- Executes dropped EXE
PID:3700 -
\??\c:\rlrlffl.exec:\rlrlffl.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4620 -
\??\c:\htbhhb.exec:\htbhhb.exe54⤵
- Executes dropped EXE
PID:4372 -
\??\c:\pvdvd.exec:\pvdvd.exe55⤵
- Executes dropped EXE
PID:2708 -
\??\c:\5xrlxxr.exec:\5xrlxxr.exe56⤵
- Executes dropped EXE
PID:4792 -
\??\c:\tnnhbb.exec:\tnnhbb.exe57⤵
- Executes dropped EXE
PID:3488 -
\??\c:\9jjjj.exec:\9jjjj.exe58⤵
- Executes dropped EXE
PID:3724 -
\??\c:\rlfxllf.exec:\rlfxllf.exe59⤵
- Executes dropped EXE
PID:4284 -
\??\c:\xrrlllf.exec:\xrrlllf.exe60⤵
- Executes dropped EXE
PID:1744 -
\??\c:\hhbbbt.exec:\hhbbbt.exe61⤵
- Executes dropped EXE
PID:3064 -
\??\c:\3frlllr.exec:\3frlllr.exe62⤵
- Executes dropped EXE
PID:2468 -
\??\c:\rflfxxr.exec:\rflfxxr.exe63⤵
- Executes dropped EXE
PID:3164 -
\??\c:\1bbbtt.exec:\1bbbtt.exe64⤵
- Executes dropped EXE
PID:3972 -
\??\c:\vvjdv.exec:\vvjdv.exe65⤵
- Executes dropped EXE
PID:2304 -
\??\c:\fllfrrr.exec:\fllfrrr.exe66⤵PID:4280
-
\??\c:\ffffffx.exec:\ffffffx.exe67⤵PID:4080
-
\??\c:\hhtbhb.exec:\hhtbhb.exe68⤵PID:4824
-
\??\c:\jdpjd.exec:\jdpjd.exe69⤵PID:4164
-
\??\c:\flllffx.exec:\flllffx.exe70⤵PID:4956
-
\??\c:\rlllfff.exec:\rlllfff.exe71⤵PID:388
-
\??\c:\7tttnn.exec:\7tttnn.exe72⤵PID:772
-
\??\c:\vjjjv.exec:\vjjjv.exe73⤵PID:1332
-
\??\c:\jdjjd.exec:\jdjjd.exe74⤵PID:3744
-
\??\c:\ffrlffx.exec:\ffrlffx.exe75⤵PID:3504
-
\??\c:\bbhhtt.exec:\bbhhtt.exe76⤵PID:2564
-
\??\c:\1ddpj.exec:\1ddpj.exe77⤵PID:4008
-
\??\c:\rrrrxrx.exec:\rrrrxrx.exe78⤵PID:4032
-
\??\c:\1rllllf.exec:\1rllllf.exe79⤵PID:3144
-
\??\c:\tbbbhb.exec:\tbbbhb.exe80⤵PID:4012
-
\??\c:\djpjj.exec:\djpjj.exe81⤵PID:712
-
\??\c:\bbbttt.exec:\bbbttt.exe82⤵PID:5016
-
\??\c:\btnnhh.exec:\btnnhh.exe83⤵PID:3060
-
\??\c:\pppjd.exec:\pppjd.exe84⤵PID:3736
-
\??\c:\3fxrlff.exec:\3fxrlff.exe85⤵PID:4872
-
\??\c:\3hhhbb.exec:\3hhhbb.exe86⤵PID:4840
-
\??\c:\jvddv.exec:\jvddv.exe87⤵PID:2936
-
\??\c:\ffffxxx.exec:\ffffxxx.exe88⤵PID:2664
-
\??\c:\9lxxrrr.exec:\9lxxrrr.exe89⤵PID:1016
-
\??\c:\htbttt.exec:\htbttt.exe90⤵PID:728
-
\??\c:\dpvpd.exec:\dpvpd.exe91⤵PID:3732
-
\??\c:\dpvvp.exec:\dpvvp.exe92⤵PID:64
-
\??\c:\9xrrlff.exec:\9xrrlff.exe93⤵PID:4044
-
\??\c:\7bhhhh.exec:\7bhhhh.exe94⤵PID:3888
-
\??\c:\7thbhh.exec:\7thbhh.exe95⤵PID:5032
-
\??\c:\7jjpd.exec:\7jjpd.exe96⤵PID:2104
-
\??\c:\xflfrxx.exec:\xflfrxx.exe97⤵PID:4448
-
\??\c:\httnhh.exec:\httnhh.exe98⤵PID:1048
-
\??\c:\bnnhhn.exec:\bnnhhn.exe99⤵PID:1296
-
\??\c:\dpvpj.exec:\dpvpj.exe100⤵PID:1480
-
\??\c:\rxxrrll.exec:\rxxrrll.exe101⤵PID:5096
-
\??\c:\hntnhh.exec:\hntnhh.exe102⤵PID:4524
-
\??\c:\tnttbt.exec:\tnttbt.exe103⤵PID:892
-
\??\c:\ddpjd.exec:\ddpjd.exe104⤵PID:2232
-
\??\c:\xllfxxl.exec:\xllfxxl.exe105⤵PID:4132
-
\??\c:\rlfxxrf.exec:\rlfxxrf.exe106⤵PID:1232
-
\??\c:\tnbbhh.exec:\tnbbhh.exe107⤵PID:2164
-
\??\c:\jddpd.exec:\jddpd.exe108⤵PID:4848
-
\??\c:\9rrlffx.exec:\9rrlffx.exe109⤵PID:3148
-
\??\c:\rllxrxr.exec:\rllxrxr.exe110⤵PID:3056
-
\??\c:\hthbtn.exec:\hthbtn.exe111⤵PID:3664
-
\??\c:\pddvp.exec:\pddvp.exe112⤵PID:3124
-
\??\c:\7djdv.exec:\7djdv.exe113⤵PID:3460
-
\??\c:\xllfxrl.exec:\xllfxrl.exe114⤵PID:3608
-
\??\c:\tnbttt.exec:\tnbttt.exe115⤵PID:4464
-
\??\c:\jvvpj.exec:\jvvpj.exe116⤵PID:460
-
\??\c:\fflfrlr.exec:\fflfrlr.exe117⤵PID:1500
-
\??\c:\btttnn.exec:\btttnn.exe118⤵PID:4476
-
\??\c:\3pjpd.exec:\3pjpd.exe119⤵PID:1308
-
\??\c:\7xrrlll.exec:\7xrrlll.exe120⤵PID:3384
-
\??\c:\tnhnbb.exec:\tnhnbb.exe121⤵PID:4552
-
\??\c:\1bbnhb.exec:\1bbnhb.exe122⤵PID:4396