Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 06:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe
-
Size
454KB
-
MD5
9905cdebb12c9d809cb654f2ab7e31c0
-
SHA1
2483a8b413242cc138d2a23f7d3a1a2359727167
-
SHA256
2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2d
-
SHA512
0eac586dffb1287c7e0e99cc488076d58b18cf1f0a7018819ee91c3069aa4c5855b4757321948faae80f1148ea945d8c9d54acc020ccf7c1d4ecb87b69cb41f2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2720-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5032-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/324-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4860-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3976-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1340 fxrrllf.exe 1684 1thbnh.exe 1488 ppdvj.exe 408 3fxrffx.exe 4600 ttnbbt.exe 4120 bbhbbt.exe 5072 llxrfrl.exe 1752 hhbtnn.exe 2036 9rrlffx.exe 4188 nnttbb.exe 2456 bnhthb.exe 1660 3pvjd.exe 2060 ttbthb.exe 4228 1jjdp.exe 1452 ntbtnn.exe 3872 dvvvd.exe 1384 7frrffr.exe 2532 9bthbt.exe 4516 ppjvj.exe 384 3fxrrrr.exe 3608 ntnbnt.exe 4624 djjdp.exe 3168 ffxlxrf.exe 1548 9bnhtn.exe 1552 jddvj.exe 5032 rrfrfrl.exe 2612 flfrlxr.exe 4808 pvpjp.exe 2656 lrlfrrr.exe 3920 tnnnhb.exe 4684 bbhtth.exe 932 ppjvd.exe 3076 xrrfrfx.exe 3884 rxrlxrf.exe 4472 dvjdv.exe 3428 rxxrffr.exe 4832 9nbbnn.exe 3680 nhtnhh.exe 4292 9vddp.exe 2288 btnhtt.exe 3616 jvpjv.exe 1872 9rrfffx.exe 3820 9ddpv.exe 2692 fffxlrl.exe 4708 ntnbtt.exe 2064 dpvjj.exe 992 lfrllll.exe 4456 xlrfrfr.exe 3808 1bntbt.exe 4976 dvvvv.exe 4108 pjjdp.exe 3932 frrrxxf.exe 324 nhbntn.exe 1444 5ddvj.exe 2840 lxrlxxr.exe 3944 hhnhhb.exe 1376 pvddv.exe 2744 dpvpd.exe 2392 lrlxfrr.exe 3384 hntnhb.exe 2220 1tbbtt.exe 1468 ddvpd.exe 2528 xrxrlxr.exe 732 bhtnhb.exe -
resource yara_rule behavioral2/memory/2720-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3920-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/324-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4472-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-667-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1pvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2720 wrote to memory of 1340 2720 2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe 83 PID 2720 wrote to memory of 1340 2720 2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe 83 PID 2720 wrote to memory of 1340 2720 2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe 83 PID 1340 wrote to memory of 1684 1340 fxrrllf.exe 84 PID 1340 wrote to memory of 1684 1340 fxrrllf.exe 84 PID 1340 wrote to memory of 1684 1340 fxrrllf.exe 84 PID 1684 wrote to memory of 1488 1684 1thbnh.exe 85 PID 1684 wrote to memory of 1488 1684 1thbnh.exe 85 PID 1684 wrote to memory of 1488 1684 1thbnh.exe 85 PID 1488 wrote to memory of 408 1488 ppdvj.exe 86 PID 1488 wrote to memory of 408 1488 ppdvj.exe 86 PID 1488 wrote to memory of 408 1488 ppdvj.exe 86 PID 408 wrote to memory of 4600 408 3fxrffx.exe 87 PID 408 wrote to memory of 4600 408 3fxrffx.exe 87 PID 408 wrote to memory of 4600 408 3fxrffx.exe 87 PID 4600 wrote to memory of 4120 4600 ttnbbt.exe 88 PID 4600 wrote to memory of 4120 4600 ttnbbt.exe 88 PID 4600 wrote to memory of 4120 4600 ttnbbt.exe 88 PID 4120 wrote to memory of 5072 4120 bbhbbt.exe 89 PID 4120 wrote to memory of 5072 4120 bbhbbt.exe 89 PID 4120 wrote to memory of 5072 4120 bbhbbt.exe 89 PID 5072 wrote to memory of 1752 5072 llxrfrl.exe 90 PID 5072 wrote to memory of 1752 5072 llxrfrl.exe 90 PID 5072 wrote to memory of 1752 5072 llxrfrl.exe 90 PID 1752 wrote to memory of 2036 1752 hhbtnn.exe 91 PID 1752 wrote to memory of 2036 1752 hhbtnn.exe 91 PID 1752 wrote to memory of 2036 1752 hhbtnn.exe 91 PID 2036 wrote to memory of 4188 2036 9rrlffx.exe 92 PID 2036 wrote to memory of 4188 2036 9rrlffx.exe 92 PID 2036 wrote to memory of 4188 2036 9rrlffx.exe 92 PID 4188 wrote to memory of 2456 4188 nnttbb.exe 93 PID 4188 wrote to memory of 2456 4188 nnttbb.exe 93 PID 4188 wrote to memory of 2456 4188 nnttbb.exe 93 PID 2456 wrote to memory of 1660 2456 bnhthb.exe 94 PID 2456 wrote 
to memory of 1660 2456 bnhthb.exe 94 PID 2456 wrote to memory of 1660 2456 bnhthb.exe 94 PID 1660 wrote to memory of 2060 1660 3pvjd.exe 95 PID 1660 wrote to memory of 2060 1660 3pvjd.exe 95 PID 1660 wrote to memory of 2060 1660 3pvjd.exe 95 PID 2060 wrote to memory of 4228 2060 ttbthb.exe 96 PID 2060 wrote to memory of 4228 2060 ttbthb.exe 96 PID 2060 wrote to memory of 4228 2060 ttbthb.exe 96 PID 4228 wrote to memory of 1452 4228 1jjdp.exe 97 PID 4228 wrote to memory of 1452 4228 1jjdp.exe 97 PID 4228 wrote to memory of 1452 4228 1jjdp.exe 97 PID 1452 wrote to memory of 3872 1452 ntbtnn.exe 98 PID 1452 wrote to memory of 3872 1452 ntbtnn.exe 98 PID 1452 wrote to memory of 3872 1452 ntbtnn.exe 98 PID 3872 wrote to memory of 1384 3872 dvvvd.exe 99 PID 3872 wrote to memory of 1384 3872 dvvvd.exe 99 PID 3872 wrote to memory of 1384 3872 dvvvd.exe 99 PID 1384 wrote to memory of 2532 1384 7frrffr.exe 100 PID 1384 wrote to memory of 2532 1384 7frrffr.exe 100 PID 1384 wrote to memory of 2532 1384 7frrffr.exe 100 PID 2532 wrote to memory of 4516 2532 9bthbt.exe 101 PID 2532 wrote to memory of 4516 2532 9bthbt.exe 101 PID 2532 wrote to memory of 4516 2532 9bthbt.exe 101 PID 4516 wrote to memory of 384 4516 ppjvj.exe 102 PID 4516 wrote to memory of 384 4516 ppjvj.exe 102 PID 4516 wrote to memory of 384 4516 ppjvj.exe 102 PID 384 wrote to memory of 3608 384 3fxrrrr.exe 103 PID 384 wrote to memory of 3608 384 3fxrrrr.exe 103 PID 384 wrote to memory of 3608 384 3fxrrrr.exe 103 PID 3608 wrote to memory of 4624 3608 ntnbnt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe"C:\Users\Admin\AppData\Local\Temp\2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\fxrrllf.exec:\fxrrllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\1thbnh.exec:\1thbnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\ppdvj.exec:\ppdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\3fxrffx.exec:\3fxrffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\ttnbbt.exec:\ttnbbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\bbhbbt.exec:\bbhbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\llxrfrl.exec:\llxrfrl.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\hhbtnn.exec:\hhbtnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\9rrlffx.exec:\9rrlffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\nnttbb.exec:\nnttbb.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\bnhthb.exec:\bnhthb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\3pvjd.exec:\3pvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\ttbthb.exec:\ttbthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\1jjdp.exec:\1jjdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\ntbtnn.exec:\ntbtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\dvvvd.exec:\dvvvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\7frrffr.exec:\7frrffr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\9bthbt.exec:\9bthbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\ppjvj.exec:\ppjvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\3fxrrrr.exec:\3fxrrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\ntnbnt.exec:\ntnbnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\djjdp.exec:\djjdp.exe23⤵
- Executes dropped EXE
PID:4624 -
\??\c:\ffxlxrf.exec:\ffxlxrf.exe24⤵
- Executes dropped EXE
PID:3168 -
\??\c:\9bnhtn.exec:\9bnhtn.exe25⤵
- Executes dropped EXE
PID:1548 -
\??\c:\jddvj.exec:\jddvj.exe26⤵
- Executes dropped EXE
PID:1552 -
\??\c:\rrfrfrl.exec:\rrfrfrl.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5032 -
\??\c:\flfrlxr.exec:\flfrlxr.exe28⤵
- Executes dropped EXE
PID:2612 -
\??\c:\pvpjp.exec:\pvpjp.exe29⤵
- Executes dropped EXE
PID:4808 -
\??\c:\lrlfrrr.exec:\lrlfrrr.exe30⤵
- Executes dropped EXE
PID:2656 -
\??\c:\tnnnhb.exec:\tnnnhb.exe31⤵
- Executes dropped EXE
PID:3920 -
\??\c:\bbhtth.exec:\bbhtth.exe32⤵
- Executes dropped EXE
PID:4684 -
\??\c:\ppjvd.exec:\ppjvd.exe33⤵
- Executes dropped EXE
PID:932 -
\??\c:\xrrfrfx.exec:\xrrfrfx.exe34⤵
- Executes dropped EXE
PID:3076 -
\??\c:\rxrlxrf.exec:\rxrlxrf.exe35⤵
- Executes dropped EXE
PID:3884 -
\??\c:\dvjdv.exec:\dvjdv.exe36⤵
- Executes dropped EXE
PID:4472 -
\??\c:\rxxrffr.exec:\rxxrffr.exe37⤵
- Executes dropped EXE
PID:3428 -
\??\c:\9nbbnn.exec:\9nbbnn.exe38⤵
- Executes dropped EXE
PID:4832 -
\??\c:\nhtnhh.exec:\nhtnhh.exe39⤵
- Executes dropped EXE
PID:3680 -
\??\c:\9vddp.exec:\9vddp.exe40⤵
- Executes dropped EXE
PID:4292 -
\??\c:\btnhtt.exec:\btnhtt.exe41⤵
- Executes dropped EXE
PID:2288 -
\??\c:\jvpjv.exec:\jvpjv.exe42⤵
- Executes dropped EXE
PID:3616 -
\??\c:\9rrfffx.exec:\9rrfffx.exe43⤵
- Executes dropped EXE
PID:1872 -
\??\c:\9ddpv.exec:\9ddpv.exe44⤵
- Executes dropped EXE
PID:3820 -
\??\c:\fffxlrl.exec:\fffxlrl.exe45⤵
- Executes dropped EXE
PID:2692 -
\??\c:\ntnbtt.exec:\ntnbtt.exe46⤵
- Executes dropped EXE
PID:4708 -
\??\c:\dpvjj.exec:\dpvjj.exe47⤵
- Executes dropped EXE
PID:2064 -
\??\c:\lfrllll.exec:\lfrllll.exe48⤵
- Executes dropped EXE
PID:992 -
\??\c:\xlrfrfr.exec:\xlrfrfr.exe49⤵
- Executes dropped EXE
PID:4456 -
\??\c:\1bntbt.exec:\1bntbt.exe50⤵
- Executes dropped EXE
PID:3808 -
\??\c:\dvvvv.exec:\dvvvv.exe51⤵
- Executes dropped EXE
PID:4976 -
\??\c:\pjjdp.exec:\pjjdp.exe52⤵
- Executes dropped EXE
PID:4108 -
\??\c:\frrrxxf.exec:\frrrxxf.exe53⤵
- Executes dropped EXE
PID:3932 -
\??\c:\nhbntn.exec:\nhbntn.exe54⤵
- Executes dropped EXE
PID:324 -
\??\c:\5ddvj.exec:\5ddvj.exe55⤵
- Executes dropped EXE
PID:1444 -
\??\c:\lxrlxxr.exec:\lxrlxxr.exe56⤵
- Executes dropped EXE
PID:2840 -
\??\c:\hhnhhb.exec:\hhnhhb.exe57⤵
- Executes dropped EXE
PID:3944 -
\??\c:\pvddv.exec:\pvddv.exe58⤵
- Executes dropped EXE
PID:1376 -
\??\c:\dpvpd.exec:\dpvpd.exe59⤵
- Executes dropped EXE
PID:2744 -
\??\c:\lrlxfrr.exec:\lrlxfrr.exe60⤵
- Executes dropped EXE
PID:2392 -
\??\c:\hntnhb.exec:\hntnhb.exe61⤵
- Executes dropped EXE
PID:3384 -
\??\c:\1tbbtt.exec:\1tbbtt.exe62⤵
- Executes dropped EXE
PID:2220 -
\??\c:\ddvpd.exec:\ddvpd.exe63⤵
- Executes dropped EXE
PID:1468 -
\??\c:\xrxrlxr.exec:\xrxrlxr.exe64⤵
- Executes dropped EXE
PID:2528 -
\??\c:\bhtnhb.exec:\bhtnhb.exe65⤵
- Executes dropped EXE
PID:732 -
\??\c:\hbtnbb.exec:\hbtnbb.exe66⤵PID:3484
-
\??\c:\dpjdp.exec:\dpjdp.exe67⤵PID:4688
-
\??\c:\3xlfxrl.exec:\3xlfxrl.exe68⤵PID:740
-
\??\c:\hbthbt.exec:\hbthbt.exe69⤵PID:1848
-
\??\c:\jddpj.exec:\jddpj.exe70⤵PID:1372
-
\??\c:\rrrfrll.exec:\rrrfrll.exe71⤵PID:4080
-
\??\c:\nnttbh.exec:\nnttbh.exe72⤵PID:2992
-
\??\c:\bbtnbt.exec:\bbtnbt.exe73⤵PID:4332
-
\??\c:\7xrlxrf.exec:\7xrlxrf.exe74⤵PID:2764
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe75⤵PID:1876
-
\??\c:\nbbtnh.exec:\nbbtnh.exe76⤵PID:2856
-
\??\c:\vjjvj.exec:\vjjvj.exe77⤵PID:5032
-
\??\c:\7lxrllx.exec:\7lxrllx.exe78⤵PID:4860
-
\??\c:\bbnnht.exec:\bbnnht.exe79⤵PID:3988
-
\??\c:\btbthh.exec:\btbthh.exe80⤵PID:4872
-
\??\c:\9dpjd.exec:\9dpjd.exe81⤵PID:2044
-
\??\c:\xfxxxxr.exec:\xfxxxxr.exe82⤵PID:3920
-
\??\c:\btbntn.exec:\btbntn.exe83⤵PID:4644
-
\??\c:\dpvvp.exec:\dpvvp.exe84⤵PID:4648
-
\??\c:\1rxrlfx.exec:\1rxrlfx.exe85⤵PID:3896
-
\??\c:\3frlrrr.exec:\3frlrrr.exe86⤵PID:2976
-
\??\c:\nbhhbh.exec:\nbhhbh.exe87⤵PID:3884
-
\??\c:\pdjjj.exec:\pdjjj.exe88⤵PID:4472
-
\??\c:\lrxrxxf.exec:\lrxrxxf.exe89⤵PID:1436
-
\??\c:\bbttnn.exec:\bbttnn.exe90⤵PID:4832
-
\??\c:\vpjjd.exec:\vpjjd.exe91⤵PID:3680
-
\??\c:\rxfxrxf.exec:\rxfxrxf.exe92⤵PID:4292
-
\??\c:\tnnhbb.exec:\tnnhbb.exe93⤵PID:2324
-
\??\c:\vdvvp.exec:\vdvvp.exe94⤵PID:3948
-
\??\c:\3flrrrf.exec:\3flrrrf.exe95⤵PID:3008
-
\??\c:\1nhhtt.exec:\1nhhtt.exe96⤵PID:868
-
\??\c:\vddvd.exec:\vddvd.exe97⤵PID:5008
-
\??\c:\ddvpj.exec:\ddvpj.exe98⤵
- System Location Discovery: System Language Discovery
PID:4048 -
\??\c:\xfxxfff.exec:\xfxxfff.exe99⤵PID:2200
-
\??\c:\nhhbtn.exec:\nhhbtn.exe100⤵PID:4060
-
\??\c:\ppjdd.exec:\ppjdd.exe101⤵PID:1208
-
\??\c:\fffxffx.exec:\fffxffx.exe102⤵PID:3924
-
\??\c:\nnhhbb.exec:\nnhhbb.exe103⤵PID:4932
-
\??\c:\vvjdd.exec:\vvjdd.exe104⤵PID:4760
-
\??\c:\xflfllr.exec:\xflfllr.exe105⤵PID:4296
-
\??\c:\rrrlfff.exec:\rrrlfff.exe106⤵PID:2036
-
\??\c:\nntnhh.exec:\nntnhh.exe107⤵PID:4952
-
\??\c:\rrrlxxr.exec:\rrrlxxr.exe108⤵PID:4140
-
\??\c:\nhnthh.exec:\nhnthh.exe109⤵PID:2224
-
\??\c:\nhtnhb.exec:\nhtnhb.exe110⤵PID:2384
-
\??\c:\1pjjj.exec:\1pjjj.exe111⤵PID:824
-
\??\c:\5llfxxr.exec:\5llfxxr.exe112⤵PID:1096
-
\??\c:\thnhbb.exec:\thnhbb.exe113⤵PID:4928
-
\??\c:\jjppv.exec:\jjppv.exe114⤵PID:1104
-
\??\c:\jppjj.exec:\jppjj.exe115⤵PID:4488
-
\??\c:\flffxll.exec:\flffxll.exe116⤵PID:2820
-
\??\c:\bbbttt.exec:\bbbttt.exe117⤵PID:3488
-
\??\c:\vjjdp.exec:\vjjdp.exe118⤵PID:2920
-
\??\c:\rxrlflx.exec:\rxrlflx.exe119⤵PID:4440
-
\??\c:\7tnhhb.exec:\7tnhhb.exe120⤵PID:2836
-
\??\c:\bthbtt.exec:\bthbtt.exe121⤵PID:444
-
\??\c:\5jjdd.exec:\5jjdd.exe122⤵PID:4972