Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d4511a6d4b58ce7b582055192b79629044aa9cb92fc4933926a1ef80619113bfN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d4511a6d4b58ce7b582055192b79629044aa9cb92fc4933926a1ef80619113bfN.exe
-
Size
454KB
-
MD5
488c52cd631d9edaea3e83bb9212c330
-
SHA1
2b6154f8f8d5a725dd5d874099cd1e71098a74d9
-
SHA256
d4511a6d4b58ce7b582055192b79629044aa9cb92fc4933926a1ef80619113bf
-
SHA512
4deaed94b8cc6be02479a0128d335a6d48e1bbe6fb784cb0cfbe6765704340b756e5c890f50b4c3a9b42b2aed4e6bc5ef901e0eeb0ed572e520999e0b2d9a511
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/5088-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3944-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3004-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-1003-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-1522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4316 hnbnhb.exe 2044 xrxfrrl.exe 3724 hhtnnh.exe 2340 3nhhbb.exe 1824 vdvdd.exe 2824 fffxxxr.exe 3228 xrrllfx.exe 2896 tbbtnn.exe 2280 lfffllf.exe 4824 tntttt.exe 3892 3pvpd.exe 3068 xrfxfxf.exe 3136 jjjdv.exe 4876 pppjd.exe 3680 frrrllf.exe 5104 vdjdv.exe 3656 rxfxrrl.exe 220 9bthht.exe 712 nnnbtn.exe 3720 3thbtt.exe 3248 rfxxfrx.exe 4988 htbttn.exe 4840 jdvjd.exe 2212 thhhbb.exe 4560 pddvj.exe 3944 tthhnn.exe 64 nhbttn.exe 2336 nbhhnt.exe 1668 hhtnhh.exe 2408 bhhbhb.exe 4688 pppjd.exe 3904 rrfxrll.exe 3128 hhbthb.exe 1980 djjvj.exe 3468 frrfxfx.exe 540 djjdp.exe 892 pdjvj.exe 2688 rxlfxxx.exe 1628 nbnhbt.exe 1800 jjjvj.exe 1184 djpvd.exe 1420 lxrlxlx.exe 3056 thbthb.exe 3124 tnnbnn.exe 1532 ttnhhh.exe 3608 9hnbnh.exe 3956 vvdpd.exe 2132 fxllllr.exe 2852 htthtn.exe 3716 7vpjp.exe 3928 dvdpj.exe 2092 lxxrrrx.exe 2924 dpvpp.exe 5024 djjvj.exe 4352 5rlfrfx.exe 3344 hnhbnh.exe 3696 nhnbbt.exe 4480 pdpvv.exe 5004 rfrlffx.exe 4764 tttnbn.exe 3924 5ddpj.exe 680 vddvv.exe 2412 xxrlllr.exe 2708 httnhh.exe -
resource yara_rule behavioral2/memory/5088-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/64-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2848-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-871-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-929-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-981-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5088 wrote to memory of 4316 5088 d4511a6d4b58ce7b582055192b79629044aa9cb92fc4933926a1ef80619113bfN.exe 82 PID 5088 wrote to memory of 4316 5088 d4511a6d4b58ce7b582055192b79629044aa9cb92fc4933926a1ef80619113bfN.exe 82 PID 5088 wrote to memory of 4316 5088 d4511a6d4b58ce7b582055192b79629044aa9cb92fc4933926a1ef80619113bfN.exe 82 PID 4316 wrote to memory of 2044 4316 hnbnhb.exe 83 PID 4316 wrote to memory of 2044 4316 hnbnhb.exe 83 PID 4316 wrote to memory of 2044 4316 hnbnhb.exe 83 PID 2044 wrote to memory of 3724 2044 xrxfrrl.exe 84 PID 2044 wrote to memory of 3724 2044 xrxfrrl.exe 84 PID 2044 wrote to memory of 3724 2044 xrxfrrl.exe 84 PID 3724 wrote to memory of 2340 3724 hhtnnh.exe 85 PID 3724 wrote to memory of 2340 3724 hhtnnh.exe 85 PID 3724 wrote to memory of 2340 3724 hhtnnh.exe 85 PID 2340 wrote to memory of 1824 2340 3nhhbb.exe 86 PID 2340 wrote to memory of 1824 2340 3nhhbb.exe 86 PID 2340 wrote to memory of 1824 2340 3nhhbb.exe 86 PID 1824 wrote to memory of 2824 1824 vdvdd.exe 87 PID 1824 wrote to memory of 2824 1824 vdvdd.exe 87 PID 1824 wrote to memory of 2824 1824 vdvdd.exe 87 PID 2824 wrote to memory of 3228 2824 fffxxxr.exe 88 PID 2824 wrote to memory of 3228 2824 fffxxxr.exe 88 PID 2824 wrote to memory of 3228 2824 fffxxxr.exe 88 PID 3228 wrote to memory of 2896 3228 xrrllfx.exe 89 PID 3228 wrote to memory of 2896 3228 xrrllfx.exe 89 PID 3228 wrote to memory of 2896 3228 xrrllfx.exe 89 PID 2896 wrote to memory of 2280 2896 tbbtnn.exe 90 PID 2896 wrote to memory of 2280 2896 tbbtnn.exe 90 PID 2896 wrote to memory of 2280 2896 tbbtnn.exe 90 PID 2280 wrote to memory of 4824 2280 lfffllf.exe 91 PID 2280 wrote to memory of 4824 2280 lfffllf.exe 91 PID 2280 wrote to memory of 4824 2280 lfffllf.exe 91 PID 4824 wrote to memory of 3892 4824 tntttt.exe 92 PID 4824 wrote to memory of 3892 4824 tntttt.exe 92 PID 4824 wrote to memory of 3892 4824 tntttt.exe 92 PID 3892 wrote to memory of 3068 3892 3pvpd.exe 93 PID 3892 
wrote to memory of 3068 3892 3pvpd.exe 93 PID 3892 wrote to memory of 3068 3892 3pvpd.exe 93 PID 3068 wrote to memory of 3136 3068 xrfxfxf.exe 94 PID 3068 wrote to memory of 3136 3068 xrfxfxf.exe 94 PID 3068 wrote to memory of 3136 3068 xrfxfxf.exe 94 PID 3136 wrote to memory of 4876 3136 jjjdv.exe 95 PID 3136 wrote to memory of 4876 3136 jjjdv.exe 95 PID 3136 wrote to memory of 4876 3136 jjjdv.exe 95 PID 4876 wrote to memory of 3680 4876 pppjd.exe 96 PID 4876 wrote to memory of 3680 4876 pppjd.exe 96 PID 4876 wrote to memory of 3680 4876 pppjd.exe 96 PID 3680 wrote to memory of 5104 3680 frrrllf.exe 97 PID 3680 wrote to memory of 5104 3680 frrrllf.exe 97 PID 3680 wrote to memory of 5104 3680 frrrllf.exe 97 PID 5104 wrote to memory of 3656 5104 vdjdv.exe 98 PID 5104 wrote to memory of 3656 5104 vdjdv.exe 98 PID 5104 wrote to memory of 3656 5104 vdjdv.exe 98 PID 3656 wrote to memory of 220 3656 rxfxrrl.exe 99 PID 3656 wrote to memory of 220 3656 rxfxrrl.exe 99 PID 3656 wrote to memory of 220 3656 rxfxrrl.exe 99 PID 220 wrote to memory of 712 220 9bthht.exe 100 PID 220 wrote to memory of 712 220 9bthht.exe 100 PID 220 wrote to memory of 712 220 9bthht.exe 100 PID 712 wrote to memory of 3720 712 nnnbtn.exe 101 PID 712 wrote to memory of 3720 712 nnnbtn.exe 101 PID 712 wrote to memory of 3720 712 nnnbtn.exe 101 PID 3720 wrote to memory of 3248 3720 3thbtt.exe 102 PID 3720 wrote to memory of 3248 3720 3thbtt.exe 102 PID 3720 wrote to memory of 3248 3720 3thbtt.exe 102 PID 3248 wrote to memory of 4988 3248 rfxxfrx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4511a6d4b58ce7b582055192b79629044aa9cb92fc4933926a1ef80619113bfN.exe"C:\Users\Admin\AppData\Local\Temp\d4511a6d4b58ce7b582055192b79629044aa9cb92fc4933926a1ef80619113bfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\hnbnhb.exec:\hnbnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\xrxfrrl.exec:\xrxfrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\hhtnnh.exec:\hhtnnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\3nhhbb.exec:\3nhhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\vdvdd.exec:\vdvdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\fffxxxr.exec:\fffxxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\xrrllfx.exec:\xrrllfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\tbbtnn.exec:\tbbtnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\lfffllf.exec:\lfffllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\tntttt.exec:\tntttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\3pvpd.exec:\3pvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\xrfxfxf.exec:\xrfxfxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\jjjdv.exec:\jjjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\pppjd.exec:\pppjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\frrrllf.exec:\frrrllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\vdjdv.exec:\vdjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\9bthht.exec:\9bthht.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\nnnbtn.exec:\nnnbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\3thbtt.exec:\3thbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\rfxxfrx.exec:\rfxxfrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\htbttn.exec:\htbttn.exe23⤵
- Executes dropped EXE
PID:4988 -
\??\c:\jdvjd.exec:\jdvjd.exe24⤵
- Executes dropped EXE
PID:4840 -
\??\c:\thhhbb.exec:\thhhbb.exe25⤵
- Executes dropped EXE
PID:2212 -
\??\c:\pddvj.exec:\pddvj.exe26⤵
- Executes dropped EXE
PID:4560 -
\??\c:\tthhnn.exec:\tthhnn.exe27⤵
- Executes dropped EXE
PID:3944 -
\??\c:\nhbttn.exec:\nhbttn.exe28⤵
- Executes dropped EXE
PID:64 -
\??\c:\nbhhnt.exec:\nbhhnt.exe29⤵
- Executes dropped EXE
PID:2336 -
\??\c:\hhtnhh.exec:\hhtnhh.exe30⤵
- Executes dropped EXE
PID:1668 -
\??\c:\bhhbhb.exec:\bhhbhb.exe31⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pppjd.exec:\pppjd.exe32⤵
- Executes dropped EXE
PID:4688 -
\??\c:\rrfxrll.exec:\rrfxrll.exe33⤵
- Executes dropped EXE
PID:3904 -
\??\c:\hhbthb.exec:\hhbthb.exe34⤵
- Executes dropped EXE
PID:3128 -
\??\c:\djjvj.exec:\djjvj.exe35⤵
- Executes dropped EXE
PID:1980 -
\??\c:\frrfxfx.exec:\frrfxfx.exe36⤵
- Executes dropped EXE
PID:3468 -
\??\c:\djjdp.exec:\djjdp.exe37⤵
- Executes dropped EXE
PID:540 -
\??\c:\pdjvj.exec:\pdjvj.exe38⤵
- Executes dropped EXE
PID:892 -
\??\c:\rxlfxxx.exec:\rxlfxxx.exe39⤵
- Executes dropped EXE
PID:2688 -
\??\c:\nbnhbt.exec:\nbnhbt.exe40⤵
- Executes dropped EXE
PID:1628 -
\??\c:\jjjvj.exec:\jjjvj.exe41⤵
- Executes dropped EXE
PID:1800 -
\??\c:\djpvd.exec:\djpvd.exe42⤵
- Executes dropped EXE
PID:1184 -
\??\c:\lxrlxlx.exec:\lxrlxlx.exe43⤵
- Executes dropped EXE
PID:1420 -
\??\c:\thbthb.exec:\thbthb.exe44⤵
- Executes dropped EXE
PID:3056 -
\??\c:\tnnbnn.exec:\tnnbnn.exe45⤵
- Executes dropped EXE
PID:3124 -
\??\c:\ttnhhh.exec:\ttnhhh.exe46⤵
- Executes dropped EXE
PID:1532 -
\??\c:\9hnbnh.exec:\9hnbnh.exe47⤵
- Executes dropped EXE
PID:3608 -
\??\c:\vvdpd.exec:\vvdpd.exe48⤵
- Executes dropped EXE
PID:3956 -
\??\c:\fxllllr.exec:\fxllllr.exe49⤵
- Executes dropped EXE
PID:2132 -
\??\c:\htthtn.exec:\htthtn.exe50⤵
- Executes dropped EXE
PID:2852 -
\??\c:\7vpjp.exec:\7vpjp.exe51⤵
- Executes dropped EXE
PID:3716 -
\??\c:\dvdpj.exec:\dvdpj.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3928 -
\??\c:\lxxrrrx.exec:\lxxrrrx.exe53⤵
- Executes dropped EXE
PID:2092 -
\??\c:\3nnhtn.exec:\3nnhtn.exe54⤵PID:4552
-
\??\c:\dpvpp.exec:\dpvpp.exe55⤵
- Executes dropped EXE
PID:2924 -
\??\c:\djjvj.exec:\djjvj.exe56⤵
- Executes dropped EXE
PID:5024 -
\??\c:\5rlfrfx.exec:\5rlfrfx.exe57⤵
- Executes dropped EXE
PID:4352 -
\??\c:\hnhbnh.exec:\hnhbnh.exe58⤵
- Executes dropped EXE
PID:3344 -
\??\c:\nhnbbt.exec:\nhnbbt.exe59⤵
- Executes dropped EXE
PID:3696 -
\??\c:\pdpvv.exec:\pdpvv.exe60⤵
- Executes dropped EXE
PID:4480 -
\??\c:\rfrlffx.exec:\rfrlffx.exe61⤵
- Executes dropped EXE
PID:5004 -
\??\c:\tttnbn.exec:\tttnbn.exe62⤵
- Executes dropped EXE
PID:4764 -
\??\c:\5ddpj.exec:\5ddpj.exe63⤵
- Executes dropped EXE
PID:3924 -
\??\c:\vddvv.exec:\vddvv.exe64⤵
- Executes dropped EXE
PID:680 -
\??\c:\xxrlllr.exec:\xxrlllr.exe65⤵
- Executes dropped EXE
PID:2412 -
\??\c:\httnhh.exec:\httnhh.exe66⤵
- Executes dropped EXE
PID:2708 -
\??\c:\jdvdp.exec:\jdvdp.exe67⤵PID:636
-
\??\c:\vjvvj.exec:\vjvvj.exe68⤵PID:3768
-
\??\c:\fxrrlll.exec:\fxrrlll.exe69⤵PID:1484
-
\??\c:\ntthhb.exec:\ntthhb.exe70⤵PID:1284
-
\??\c:\jpjdj.exec:\jpjdj.exe71⤵PID:4108
-
\??\c:\jjjdp.exec:\jjjdp.exe72⤵PID:2772
-
\??\c:\7xxrffx.exec:\7xxrffx.exe73⤵PID:832
-
\??\c:\bhhtnb.exec:\bhhtnb.exe74⤵PID:3004
-
\??\c:\jjvjv.exec:\jjvjv.exe75⤵PID:772
-
\??\c:\fllrffx.exec:\fllrffx.exe76⤵PID:3744
-
\??\c:\htttnn.exec:\htttnn.exe77⤵PID:2884
-
\??\c:\ntnbtn.exec:\ntnbtn.exe78⤵PID:3680
-
\??\c:\pdvpd.exec:\pdvpd.exe79⤵
- System Location Discovery: System Language Discovery
PID:2564 -
\??\c:\9lfrxrf.exec:\9lfrxrf.exe80⤵PID:4564
-
\??\c:\7ffrfxl.exec:\7ffrfxl.exe81⤵PID:3656
-
\??\c:\nttntn.exec:\nttntn.exe82⤵PID:1832
-
\??\c:\dpvjd.exec:\dpvjd.exe83⤵PID:1352
-
\??\c:\frxfxxr.exec:\frxfxxr.exe84⤵PID:2848
-
\??\c:\btbbtt.exec:\btbbtt.exe85⤵PID:5056
-
\??\c:\dddvv.exec:\dddvv.exe86⤵PID:3248
-
\??\c:\xlrllfl.exec:\xlrllfl.exe87⤵PID:1436
-
\??\c:\bhnnhb.exec:\bhnnhb.exe88⤵PID:4028
-
\??\c:\dvdpp.exec:\dvdpp.exe89⤵PID:3788
-
\??\c:\vvdpp.exec:\vvdpp.exe90⤵PID:2212
-
\??\c:\fxfrxxx.exec:\fxfrxxx.exe91⤵PID:4684
-
\??\c:\bbhbbt.exec:\bbhbbt.exe92⤵PID:404
-
\??\c:\pjppd.exec:\pjppd.exe93⤵PID:1576
-
\??\c:\fxxrfxr.exec:\fxxrfxr.exe94⤵PID:3420
-
\??\c:\lfxrfxl.exec:\lfxrfxl.exe95⤵PID:4176
-
\??\c:\bntnhb.exec:\bntnhb.exe96⤵PID:2336
-
\??\c:\nbhtbt.exec:\nbhtbt.exe97⤵PID:1600
-
\??\c:\jvjdp.exec:\jvjdp.exe98⤵PID:3588
-
\??\c:\frlxlxr.exec:\frlxlxr.exe99⤵PID:3776
-
\??\c:\xxxllfr.exec:\xxxllfr.exe100⤵PID:4912
-
\??\c:\btnhbt.exec:\btnhbt.exe101⤵PID:1248
-
\??\c:\vddvd.exec:\vddvd.exe102⤵PID:2324
-
\??\c:\jvdpj.exec:\jvdpj.exe103⤵PID:4072
-
\??\c:\1xxffxx.exec:\1xxffxx.exe104⤵PID:2232
-
\??\c:\tnhtnh.exec:\tnhtnh.exe105⤵PID:2356
-
\??\c:\vjdvv.exec:\vjdvv.exe106⤵PID:1696
-
\??\c:\dvdpp.exec:\dvdpp.exe107⤵PID:2712
-
\??\c:\rfxxlff.exec:\rfxxlff.exe108⤵PID:4040
-
\??\c:\nnthtn.exec:\nnthtn.exe109⤵PID:1684
-
\??\c:\hnnbbt.exec:\hnnbbt.exe110⤵PID:3564
-
\??\c:\9vvdj.exec:\9vvdj.exe111⤵PID:1956
-
\??\c:\rrxrlff.exec:\rrxrlff.exe112⤵PID:1620
-
\??\c:\ntnbnb.exec:\ntnbnb.exe113⤵PID:3056
-
\??\c:\dvvjv.exec:\dvvjv.exe114⤵PID:3120
-
\??\c:\pjdpj.exec:\pjdpj.exe115⤵PID:1532
-
\??\c:\frrrllf.exec:\frrrllf.exe116⤵PID:1764
-
\??\c:\tnnbth.exec:\tnnbth.exe117⤵PID:3908
-
\??\c:\pdvdp.exec:\pdvdp.exe118⤵PID:2888
-
\??\c:\jjddp.exec:\jjddp.exe119⤵PID:2920
-
\??\c:\fxxfrfr.exec:\fxxfrfr.exe120⤵PID:1676
-
\??\c:\thhthn.exec:\thhthn.exe121⤵PID:3668
-
\??\c:\dpjvd.exec:\dpjvd.exe122⤵PID:4396