Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe
-
Size
454KB
-
MD5
2ee18af53d3d1a78dd64d155ee6be0b4
-
SHA1
cc9a3fb76a74c17830048a3125e6aaf2a1acfd04
-
SHA256
c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49
-
SHA512
0c236db0e50a520347efd95aad45f22f5ad7bcda817f14c1aea431e222de992f057949e655819d5c8ee8dc3ebc47b378287bdf1273a251dea49eee59e548f4d0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3720-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4284-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3656-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-1409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-1966-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5104 tbbhtn.exe 4640 rffrfxr.exe 2112 ppvjv.exe 212 pdpvj.exe 4504 rlfrlrf.exe 2308 htbnhb.exe 3128 frxrlff.exe 4884 ntbtnh.exe 1228 tthbbb.exe 4036 xflxllf.exe 312 jvpjj.exe 2376 thtnnn.exe 2872 vpvjj.exe 3952 bhhbnh.exe 3936 vpvpp.exe 2808 vpdpj.exe 2784 7bbnbt.exe 4456 rflxrrf.exe 3824 5bbtnh.exe 4728 7vvjv.exe 4600 pjdpd.exe 4092 rlrfxrr.exe 4356 hbntnb.exe 1844 pddvj.exe 5048 ppdpp.exe 1132 lfxrfxr.exe 5044 9bbtnn.exe 4440 hhbthh.exe 3480 1dvjd.exe 448 lfrllfx.exe 4420 lxlfrlx.exe 1744 tbhbbb.exe 3708 jjvdp.exe 1428 pvjdv.exe 3568 rrfrllf.exe 836 bnthbt.exe 808 nbbntn.exe 1956 pddpj.exe 3396 rlxrrlf.exe 1476 3btnbt.exe 3728 ththbt.exe 1560 pdpdd.exe 2720 9pvjv.exe 812 fxxrllf.exe 2124 hthtnn.exe 3376 hhhtnb.exe 5000 dvdvv.exe 4472 3ffrrlf.exe 4284 fflfxxx.exe 4124 1nbnbn.exe 724 jvppd.exe 5104 frrrrrl.exe 4580 thnttt.exe 3904 hnbtnn.exe 3652 ppppj.exe 3572 rxfxrll.exe 2052 ttbttn.exe 1304 vjpjd.exe 4116 xxffrll.exe 4396 hhnhhh.exe 3140 9tbbbh.exe 3412 vjppj.exe 2804 1rfffff.exe 3116 vppjd.exe -
resource yara_rule behavioral2/memory/3720-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-228-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2720-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-382-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2632-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-773-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnbtn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3720 wrote to memory of 5104 3720 c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe 83 PID 3720 wrote to memory of 5104 3720 c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe 83 PID 3720 wrote to memory of 5104 3720 c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe 83 PID 5104 wrote to memory of 4640 5104 tbbhtn.exe 84 PID 5104 wrote to memory of 4640 5104 tbbhtn.exe 84 PID 5104 wrote to memory of 4640 5104 tbbhtn.exe 84 PID 4640 wrote to memory of 2112 4640 rffrfxr.exe 85 PID 4640 wrote to memory of 2112 4640 rffrfxr.exe 85 PID 4640 wrote to memory of 2112 4640 rffrfxr.exe 85 PID 2112 wrote to memory of 212 2112 ppvjv.exe 86 PID 2112 wrote to memory of 212 2112 ppvjv.exe 86 PID 2112 wrote to memory of 212 2112 ppvjv.exe 86 PID 212 wrote to memory of 4504 212 pdpvj.exe 87 PID 212 wrote to memory of 4504 212 pdpvj.exe 87 PID 212 wrote to memory of 4504 212 pdpvj.exe 87 PID 4504 wrote to memory of 2308 4504 rlfrlrf.exe 88 PID 4504 wrote to memory of 2308 4504 rlfrlrf.exe 88 PID 4504 wrote to memory of 2308 4504 rlfrlrf.exe 88 PID 2308 wrote to memory of 3128 2308 htbnhb.exe 89 PID 2308 wrote to memory of 3128 2308 htbnhb.exe 89 PID 2308 wrote to memory of 3128 2308 htbnhb.exe 89 PID 3128 wrote to memory of 4884 3128 frxrlff.exe 90 PID 3128 wrote to memory of 4884 3128 frxrlff.exe 90 PID 3128 wrote to memory of 4884 3128 frxrlff.exe 90 PID 4884 wrote to memory of 1228 4884 ntbtnh.exe 91 PID 4884 wrote to memory of 1228 4884 ntbtnh.exe 91 PID 4884 wrote to memory of 1228 4884 ntbtnh.exe 91 PID 1228 wrote to memory of 4036 1228 tthbbb.exe 92 PID 1228 wrote to memory of 4036 1228 tthbbb.exe 92 PID 1228 wrote to memory of 4036 1228 tthbbb.exe 92 PID 4036 wrote to memory of 312 4036 xflxllf.exe 93 PID 4036 wrote to memory of 312 4036 xflxllf.exe 93 PID 4036 wrote to memory of 312 4036 xflxllf.exe 93 PID 312 wrote to memory of 2376 312 jvpjj.exe 94 PID 312 wrote to memory of 
2376 312 jvpjj.exe 94 PID 312 wrote to memory of 2376 312 jvpjj.exe 94 PID 2376 wrote to memory of 2872 2376 thtnnn.exe 95 PID 2376 wrote to memory of 2872 2376 thtnnn.exe 95 PID 2376 wrote to memory of 2872 2376 thtnnn.exe 95 PID 2872 wrote to memory of 3952 2872 vpvjj.exe 96 PID 2872 wrote to memory of 3952 2872 vpvjj.exe 96 PID 2872 wrote to memory of 3952 2872 vpvjj.exe 96 PID 3952 wrote to memory of 3936 3952 bhhbnh.exe 97 PID 3952 wrote to memory of 3936 3952 bhhbnh.exe 97 PID 3952 wrote to memory of 3936 3952 bhhbnh.exe 97 PID 3936 wrote to memory of 2808 3936 vpvpp.exe 98 PID 3936 wrote to memory of 2808 3936 vpvpp.exe 98 PID 3936 wrote to memory of 2808 3936 vpvpp.exe 98 PID 2808 wrote to memory of 2784 2808 vpdpj.exe 99 PID 2808 wrote to memory of 2784 2808 vpdpj.exe 99 PID 2808 wrote to memory of 2784 2808 vpdpj.exe 99 PID 2784 wrote to memory of 4456 2784 7bbnbt.exe 100 PID 2784 wrote to memory of 4456 2784 7bbnbt.exe 100 PID 2784 wrote to memory of 4456 2784 7bbnbt.exe 100 PID 4456 wrote to memory of 3824 4456 rflxrrf.exe 101 PID 4456 wrote to memory of 3824 4456 rflxrrf.exe 101 PID 4456 wrote to memory of 3824 4456 rflxrrf.exe 101 PID 3824 wrote to memory of 4728 3824 5bbtnh.exe 102 PID 3824 wrote to memory of 4728 3824 5bbtnh.exe 102 PID 3824 wrote to memory of 4728 3824 5bbtnh.exe 102 PID 4728 wrote to memory of 4600 4728 7vvjv.exe 103 PID 4728 wrote to memory of 4600 4728 7vvjv.exe 103 PID 4728 wrote to memory of 4600 4728 7vvjv.exe 103 PID 4600 wrote to memory of 4092 4600 pjdpd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe"C:\Users\Admin\AppData\Local\Temp\c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\tbbhtn.exec:\tbbhtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\rffrfxr.exec:\rffrfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\ppvjv.exec:\ppvjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\pdpvj.exec:\pdpvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\rlfrlrf.exec:\rlfrlrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\htbnhb.exec:\htbnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\frxrlff.exec:\frxrlff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\ntbtnh.exec:\ntbtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\tthbbb.exec:\tthbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\xflxllf.exec:\xflxllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\jvpjj.exec:\jvpjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\thtnnn.exec:\thtnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\vpvjj.exec:\vpvjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\bhhbnh.exec:\bhhbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\vpvpp.exec:\vpvpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\vpdpj.exec:\vpdpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\7bbnbt.exec:\7bbnbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\rflxrrf.exec:\rflxrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\5bbtnh.exec:\5bbtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\7vvjv.exec:\7vvjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\pjdpd.exec:\pjdpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\rlrfxrr.exec:\rlrfxrr.exe23⤵
- Executes dropped EXE
PID:4092 -
\??\c:\hbntnb.exec:\hbntnb.exe24⤵
- Executes dropped EXE
PID:4356 -
\??\c:\pddvj.exec:\pddvj.exe25⤵
- Executes dropped EXE
PID:1844 -
\??\c:\ppdpp.exec:\ppdpp.exe26⤵
- Executes dropped EXE
PID:5048 -
\??\c:\lfxrfxr.exec:\lfxrfxr.exe27⤵
- Executes dropped EXE
PID:1132 -
\??\c:\9bbtnn.exec:\9bbtnn.exe28⤵
- Executes dropped EXE
PID:5044 -
\??\c:\hhbthh.exec:\hhbthh.exe29⤵
- Executes dropped EXE
PID:4440 -
\??\c:\1dvjd.exec:\1dvjd.exe30⤵
- Executes dropped EXE
PID:3480 -
\??\c:\lfrllfx.exec:\lfrllfx.exe31⤵
- Executes dropped EXE
PID:448 -
\??\c:\lxlfrlx.exec:\lxlfrlx.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420 -
\??\c:\tbhbbb.exec:\tbhbbb.exe33⤵
- Executes dropped EXE
PID:1744 -
\??\c:\jjvdp.exec:\jjvdp.exe34⤵
- Executes dropped EXE
PID:3708 -
\??\c:\pvjdv.exec:\pvjdv.exe35⤵
- Executes dropped EXE
PID:1428 -
\??\c:\rrfrllf.exec:\rrfrllf.exe36⤵
- Executes dropped EXE
PID:3568 -
\??\c:\bnthbt.exec:\bnthbt.exe37⤵
- Executes dropped EXE
PID:836 -
\??\c:\nbbntn.exec:\nbbntn.exe38⤵
- Executes dropped EXE
PID:808 -
\??\c:\pddpj.exec:\pddpj.exe39⤵
- Executes dropped EXE
PID:1956 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe40⤵
- Executes dropped EXE
PID:3396 -
\??\c:\3btnbt.exec:\3btnbt.exe41⤵
- Executes dropped EXE
PID:1476 -
\??\c:\ththbt.exec:\ththbt.exe42⤵
- Executes dropped EXE
PID:3728 -
\??\c:\pdpdd.exec:\pdpdd.exe43⤵
- Executes dropped EXE
PID:1560 -
\??\c:\9pvjv.exec:\9pvjv.exe44⤵
- Executes dropped EXE
PID:2720 -
\??\c:\fxxrllf.exec:\fxxrllf.exe45⤵
- Executes dropped EXE
PID:812 -
\??\c:\hthtnn.exec:\hthtnn.exe46⤵
- Executes dropped EXE
PID:2124 -
\??\c:\hhhtnb.exec:\hhhtnb.exe47⤵
- Executes dropped EXE
PID:3376 -
\??\c:\dvdvv.exec:\dvdvv.exe48⤵
- Executes dropped EXE
PID:5000 -
\??\c:\3ffrrlf.exec:\3ffrrlf.exe49⤵
- Executes dropped EXE
PID:4472 -
\??\c:\fflfxxx.exec:\fflfxxx.exe50⤵
- Executes dropped EXE
PID:4284 -
\??\c:\1nbnbn.exec:\1nbnbn.exe51⤵
- Executes dropped EXE
PID:4124 -
\??\c:\jvppd.exec:\jvppd.exe52⤵
- Executes dropped EXE
PID:724 -
\??\c:\frrrrrl.exec:\frrrrrl.exe53⤵
- Executes dropped EXE
PID:5104 -
\??\c:\thnttt.exec:\thnttt.exe54⤵
- Executes dropped EXE
PID:4580 -
\??\c:\hnbtnn.exec:\hnbtnn.exe55⤵
- Executes dropped EXE
PID:3904 -
\??\c:\ppppj.exec:\ppppj.exe56⤵
- Executes dropped EXE
PID:3652 -
\??\c:\rxfxrll.exec:\rxfxrll.exe57⤵
- Executes dropped EXE
PID:3572 -
\??\c:\ttbttn.exec:\ttbttn.exe58⤵
- Executes dropped EXE
PID:2052 -
\??\c:\vjpjd.exec:\vjpjd.exe59⤵
- Executes dropped EXE
PID:1304 -
\??\c:\xxffrll.exec:\xxffrll.exe60⤵
- Executes dropped EXE
PID:4116 -
\??\c:\hhnhhh.exec:\hhnhhh.exe61⤵
- Executes dropped EXE
PID:4396 -
\??\c:\9tbbbh.exec:\9tbbbh.exe62⤵
- Executes dropped EXE
PID:3140 -
\??\c:\vjppj.exec:\vjppj.exe63⤵
- Executes dropped EXE
PID:3412 -
\??\c:\1rfffff.exec:\1rfffff.exe64⤵
- Executes dropped EXE
PID:2804 -
\??\c:\vppjd.exec:\vppjd.exe65⤵
- Executes dropped EXE
PID:3116 -
\??\c:\rflfrrr.exec:\rflfrrr.exe66⤵PID:4036
-
\??\c:\tnnhbt.exec:\tnnhbt.exe67⤵PID:4372
-
\??\c:\jdddd.exec:\jdddd.exe68⤵PID:1048
-
\??\c:\xrrlffx.exec:\xrrlffx.exe69⤵PID:1920
-
\??\c:\hbnhbb.exec:\hbnhbb.exe70⤵PID:2872
-
\??\c:\3jjdv.exec:\3jjdv.exe71⤵PID:3192
-
\??\c:\lxfxrxr.exec:\lxfxrxr.exe72⤵PID:1948
-
\??\c:\nbnhbt.exec:\nbnhbt.exe73⤵PID:5004
-
\??\c:\hhnhtt.exec:\hhnhtt.exe74⤵PID:2868
-
\??\c:\dvpjp.exec:\dvpjp.exe75⤵PID:2784
-
\??\c:\hbbbtn.exec:\hbbbtn.exe76⤵PID:4916
-
\??\c:\1bhbtt.exec:\1bhbtt.exe77⤵PID:2380
-
\??\c:\pjdvp.exec:\pjdvp.exe78⤵PID:2060
-
\??\c:\bttnhh.exec:\bttnhh.exe79⤵PID:1984
-
\??\c:\5hhbtt.exec:\5hhbtt.exe80⤵PID:3656
-
\??\c:\vvvvp.exec:\vvvvp.exe81⤵PID:4820
-
\??\c:\ffxfllx.exec:\ffxfllx.exe82⤵PID:3800
-
\??\c:\bbnnbb.exec:\bbnnbb.exe83⤵PID:4848
-
\??\c:\rxfxxrf.exec:\rxfxxrf.exe84⤵PID:2864
-
\??\c:\btbtnn.exec:\btbtnn.exe85⤵PID:4724
-
\??\c:\7ttnhh.exec:\7ttnhh.exe86⤵PID:3636
-
\??\c:\thnbht.exec:\thnbht.exe87⤵PID:4440
-
\??\c:\5frlffx.exec:\5frlffx.exe88⤵PID:448
-
\??\c:\hhbttt.exec:\hhbttt.exe89⤵PID:4900
-
\??\c:\jjjdv.exec:\jjjdv.exe90⤵PID:2184
-
\??\c:\dvpjv.exec:\dvpjv.exe91⤵PID:3896
-
\??\c:\xlxxrxr.exec:\xlxxrxr.exe92⤵PID:3472
-
\??\c:\frfxrxr.exec:\frfxrxr.exe93⤵PID:3288
-
\??\c:\hnnnnn.exec:\hnnnnn.exe94⤵PID:2632
-
\??\c:\jdddv.exec:\jdddv.exe95⤵PID:4436
-
\??\c:\rllfrrl.exec:\rllfrrl.exe96⤵PID:3692
-
\??\c:\hbbttt.exec:\hbbttt.exe97⤵PID:1232
-
\??\c:\hhnbnn.exec:\hhnbnn.exe98⤵PID:1972
-
\??\c:\jdpjj.exec:\jdpjj.exe99⤵PID:4216
-
\??\c:\rllfrrl.exec:\rllfrrl.exe100⤵PID:3728
-
\??\c:\bttttb.exec:\bttttb.exe101⤵PID:1468
-
\??\c:\dddvj.exec:\dddvj.exe102⤵PID:2076
-
\??\c:\pjjdp.exec:\pjjdp.exe103⤵PID:3676
-
\??\c:\lffxxxr.exec:\lffxxxr.exe104⤵PID:3368
-
\??\c:\thnhbb.exec:\thnhbb.exe105⤵PID:908
-
\??\c:\tnbnhn.exec:\tnbnhn.exe106⤵PID:4016
-
\??\c:\3dpjd.exec:\3dpjd.exe107⤵PID:1464
-
\??\c:\9xfxxxl.exec:\9xfxxxl.exe108⤵PID:5000
-
\??\c:\htnhhb.exec:\htnhhb.exe109⤵PID:2932
-
\??\c:\tbthbt.exec:\tbthbt.exe110⤵PID:1628
-
\??\c:\9ppjp.exec:\9ppjp.exe111⤵PID:3124
-
\??\c:\frxlflf.exec:\frxlflf.exe112⤵PID:4984
-
\??\c:\frxrffx.exec:\frxrffx.exe113⤵PID:2128
-
\??\c:\btthhb.exec:\btthhb.exe114⤵PID:4792
-
\??\c:\dpvpj.exec:\dpvpj.exe115⤵PID:1336
-
\??\c:\3xfrrll.exec:\3xfrrll.exe116⤵PID:1484
-
\??\c:\hbhhhh.exec:\hbhhhh.exe117⤵PID:4280
-
\??\c:\thbtbt.exec:\thbtbt.exe118⤵PID:1224
-
\??\c:\5vpjv.exec:\5vpjv.exe119⤵PID:4920
-
\??\c:\lllxlfr.exec:\lllxlfr.exe120⤵PID:3572
-
\??\c:\bnbtnn.exec:\bnbtnn.exe121⤵PID:1120
-
\??\c:\vjjvd.exec:\vjjvd.exe122⤵PID:2320