Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 08:47
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
e368571d0422c1902114f0fa8b37c1f6670ec68c7ea6fefb22e72748c620e269N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e368571d0422c1902114f0fa8b37c1f6670ec68c7ea6fefb22e72748c620e269N.exe
-
Size
453KB
-
MD5 (not collision-resistant; use the SHA256 below as the primary identifier when pivoting or blocklisting)
59160f133f69f78c6b675451e88d3c20
-
SHA1
bfe6d5a405d1a621b3a4a32b254e12959335a2c5
-
SHA256
e368571d0422c1902114f0fa8b37c1f6670ec68c7ea6fefb22e72748c620e269
-
SHA512
b1f08b8bc68ee7f71f0deaba15d361121474d018f694e96f786484fcf377013c4f806be9609ea2acb326507423c1ed3827dcdf0f5b20cd99cb3152ca84ce7f3c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (all matches below are on in-memory dumps of the 0x00400000–0x0042A000 image region of the running processes, not on the file as it sits on disk)
resource yara_rule behavioral2/memory/1596-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2028-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/796-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/804-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-790-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-930-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-1481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — every dropped binary runs from the volume root (e.g. \??\c:\xrllffx.exe) under a short letter-only name, and PIDs are reused within the run (4404, 2016 and 3464 each appear for two different images), so correlate on image path plus PID rather than PID alone
pid Process 4404 xrllffx.exe 4464 9fxrllf.exe 4588 rrxrlfx.exe 1440 htnnnb.exe 452 pdjdv.exe 2224 lllfrlf.exe 880 5htnbb.exe 1528 7pdjv.exe 2016 jvvvp.exe 3464 nhbthb.exe 1668 5lxrllf.exe 4040 5tnnnt.exe 2924 pddpj.exe 3040 jvjvp.exe 1992 7dvjj.exe 2012 vjjdp.exe 1104 jdvpd.exe 1348 rxlfxxr.exe 1168 llrrrrl.exe 4668 5ddpd.exe 628 jdvpv.exe 1976 jdvjd.exe 2692 9fxrffr.exe 4820 hthtnb.exe 2956 3pjvj.exe 804 jvvdp.exe 4652 bnbtnn.exe 468 1ttnnn.exe 2028 vvdvj.exe 4768 5nthbt.exe 3536 xxfxrlf.exe 4056 vppjv.exe 3744 1xxlfxr.exe 4780 tbbhnb.exe 2032 pdjdv.exe 3212 rlfflfx.exe 796 nhnhnb.exe 3148 jppjv.exe 4284 dpjdv.exe 1652 1rfxlfx.exe 2736 bhnnhb.exe 4348 1pjdv.exe 5084 xlrlrfx.exe 4404 hbnbtn.exe 3440 3jdjv.exe 3844 dvjvd.exe 1580 3llfrfx.exe 2384 hhnhbt.exe 1636 ddjdv.exe 1824 jdvpd.exe 1112 lllfxxr.exe 2424 pjdvp.exe 3116 rrrfrlf.exe 1436 rrxrlff.exe 1480 tntnht.exe 1324 1jvpj.exe 2016 3pjvj.exe 3464 rlrrrxr.exe 2024 bhnhtt.exe 3036 btthbt.exe 1220 9jdpj.exe 224 3rffxfl.exe 2180 nbbnhb.exe 1432 vjpjv.exe -
resource yara_rule behavioral2/memory/1596-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3536-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3428-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-783-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxflxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrxrf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1596 wrote to memory of 4404 1596 e368571d0422c1902114f0fa8b37c1f6670ec68c7ea6fefb22e72748c620e269N.exe 82 PID 1596 wrote to memory of 4404 1596 e368571d0422c1902114f0fa8b37c1f6670ec68c7ea6fefb22e72748c620e269N.exe 82 PID 1596 wrote to memory of 4404 1596 e368571d0422c1902114f0fa8b37c1f6670ec68c7ea6fefb22e72748c620e269N.exe 82 PID 4404 wrote to memory of 4464 4404 xrllffx.exe 83 PID 4404 wrote to memory of 4464 4404 xrllffx.exe 83 PID 4404 wrote to memory of 4464 4404 xrllffx.exe 83 PID 4464 wrote to memory of 4588 4464 9fxrllf.exe 84 PID 4464 wrote to memory of 4588 4464 9fxrllf.exe 84 PID 4464 wrote to memory of 4588 4464 9fxrllf.exe 84 PID 4588 wrote to memory of 1440 4588 rrxrlfx.exe 85 PID 4588 wrote to memory of 1440 4588 rrxrlfx.exe 85 PID 4588 wrote to memory of 1440 4588 rrxrlfx.exe 85 PID 1440 wrote to memory of 452 1440 htnnnb.exe 86 PID 1440 wrote to memory of 452 1440 htnnnb.exe 86 PID 1440 wrote to memory of 452 1440 htnnnb.exe 86 PID 452 wrote to memory of 2224 452 pdjdv.exe 87 PID 452 wrote to memory of 2224 452 pdjdv.exe 87 PID 452 wrote to memory of 2224 452 pdjdv.exe 87 PID 2224 wrote to memory of 880 2224 lllfrlf.exe 88 PID 2224 wrote to memory of 880 2224 lllfrlf.exe 88 PID 2224 wrote to memory of 880 2224 lllfrlf.exe 88 PID 880 wrote to memory of 1528 880 5htnbb.exe 89 PID 880 wrote to memory of 1528 880 5htnbb.exe 89 PID 880 wrote to memory of 1528 880 5htnbb.exe 89 PID 1528 wrote to memory of 2016 1528 7pdjv.exe 90 PID 1528 wrote to memory of 2016 1528 7pdjv.exe 90 PID 1528 wrote to memory of 2016 1528 7pdjv.exe 90 PID 2016 wrote to memory of 3464 2016 jvvvp.exe 91 PID 2016 wrote to memory of 3464 2016 jvvvp.exe 91 PID 2016 wrote to memory of 3464 2016 jvvvp.exe 91 PID 3464 wrote to memory of 1668 3464 nhbthb.exe 92 PID 3464 wrote to memory of 1668 3464 nhbthb.exe 92 PID 3464 wrote to memory of 1668 3464 nhbthb.exe 92 PID 1668 wrote to memory of 4040 1668 5lxrllf.exe 93 PID 1668 wrote to memory of 
4040 1668 5lxrllf.exe 93 PID 1668 wrote to memory of 4040 1668 5lxrllf.exe 93 PID 4040 wrote to memory of 2924 4040 5tnnnt.exe 94 PID 4040 wrote to memory of 2924 4040 5tnnnt.exe 94 PID 4040 wrote to memory of 2924 4040 5tnnnt.exe 94 PID 2924 wrote to memory of 3040 2924 pddpj.exe 95 PID 2924 wrote to memory of 3040 2924 pddpj.exe 95 PID 2924 wrote to memory of 3040 2924 pddpj.exe 95 PID 3040 wrote to memory of 1992 3040 jvjvp.exe 96 PID 3040 wrote to memory of 1992 3040 jvjvp.exe 96 PID 3040 wrote to memory of 1992 3040 jvjvp.exe 96 PID 1992 wrote to memory of 2012 1992 7dvjj.exe 97 PID 1992 wrote to memory of 2012 1992 7dvjj.exe 97 PID 1992 wrote to memory of 2012 1992 7dvjj.exe 97 PID 2012 wrote to memory of 1104 2012 vjjdp.exe 98 PID 2012 wrote to memory of 1104 2012 vjjdp.exe 98 PID 2012 wrote to memory of 1104 2012 vjjdp.exe 98 PID 1104 wrote to memory of 1348 1104 jdvpd.exe 99 PID 1104 wrote to memory of 1348 1104 jdvpd.exe 99 PID 1104 wrote to memory of 1348 1104 jdvpd.exe 99 PID 1348 wrote to memory of 1168 1348 rxlfxxr.exe 100 PID 1348 wrote to memory of 1168 1348 rxlfxxr.exe 100 PID 1348 wrote to memory of 1168 1348 rxlfxxr.exe 100 PID 1168 wrote to memory of 4668 1168 llrrrrl.exe 101 PID 1168 wrote to memory of 4668 1168 llrrrrl.exe 101 PID 1168 wrote to memory of 4668 1168 llrrrrl.exe 101 PID 4668 wrote to memory of 628 4668 5ddpd.exe 102 PID 4668 wrote to memory of 628 4668 5ddpd.exe 102 PID 4668 wrote to memory of 628 4668 5ddpd.exe 102 PID 628 wrote to memory of 1976 628 jdvpv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e368571d0422c1902114f0fa8b37c1f6670ec68c7ea6fefb22e72748c620e269N.exe"C:\Users\Admin\AppData\Local\Temp\e368571d0422c1902114f0fa8b37c1f6670ec68c7ea6fefb22e72748c620e269N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\xrllffx.exec:\xrllffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\9fxrllf.exec:\9fxrllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\htnnnb.exec:\htnnnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\pdjdv.exec:\pdjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\lllfrlf.exec:\lllfrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\5htnbb.exec:\5htnbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\7pdjv.exec:\7pdjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\jvvvp.exec:\jvvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\nhbthb.exec:\nhbthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\5lxrllf.exec:\5lxrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\5tnnnt.exec:\5tnnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\pddpj.exec:\pddpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\jvjvp.exec:\jvjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\7dvjj.exec:\7dvjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\vjjdp.exec:\vjjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\jdvpd.exec:\jdvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\llrrrrl.exec:\llrrrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\5ddpd.exec:\5ddpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\jdvpv.exec:\jdvpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\jdvjd.exec:\jdvjd.exe23⤵
- Executes dropped EXE
PID:1976 -
\??\c:\9fxrffr.exec:\9fxrffr.exe24⤵
- Executes dropped EXE
PID:2692 -
\??\c:\hthtnb.exec:\hthtnb.exe25⤵
- Executes dropped EXE
PID:4820 -
\??\c:\3pjvj.exec:\3pjvj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
\??\c:\jvvdp.exec:\jvvdp.exe27⤵
- Executes dropped EXE
PID:804 -
\??\c:\bnbtnn.exec:\bnbtnn.exe28⤵
- Executes dropped EXE
PID:4652 -
\??\c:\1ttnnn.exec:\1ttnnn.exe29⤵
- Executes dropped EXE
PID:468 -
\??\c:\vvdvj.exec:\vvdvj.exe30⤵
- Executes dropped EXE
PID:2028 -
\??\c:\5nthbt.exec:\5nthbt.exe31⤵
- Executes dropped EXE
PID:4768 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe32⤵
- Executes dropped EXE
PID:3536 -
\??\c:\vppjv.exec:\vppjv.exe33⤵
- Executes dropped EXE
PID:4056 -
\??\c:\1xxlfxr.exec:\1xxlfxr.exe34⤵
- Executes dropped EXE
PID:3744 -
\??\c:\tbbhnb.exec:\tbbhnb.exe35⤵
- Executes dropped EXE
PID:4780 -
\??\c:\pdjdv.exec:\pdjdv.exe36⤵
- Executes dropped EXE
PID:2032 -
\??\c:\rlfflfx.exec:\rlfflfx.exe37⤵
- Executes dropped EXE
PID:3212 -
\??\c:\nhnhnb.exec:\nhnhnb.exe38⤵
- Executes dropped EXE
PID:796 -
\??\c:\jppjv.exec:\jppjv.exe39⤵
- Executes dropped EXE
PID:3148 -
\??\c:\dpjdv.exec:\dpjdv.exe40⤵
- Executes dropped EXE
PID:4284 -
\??\c:\1rfxlfx.exec:\1rfxlfx.exe41⤵
- Executes dropped EXE
PID:1652 -
\??\c:\bhnnhb.exec:\bhnnhb.exe42⤵
- Executes dropped EXE
PID:2736 -
\??\c:\1pjdv.exec:\1pjdv.exe43⤵
- Executes dropped EXE
PID:4348 -
\??\c:\xlrlrfx.exec:\xlrlrfx.exe44⤵
- Executes dropped EXE
PID:5084 -
\??\c:\hbnbtn.exec:\hbnbtn.exe45⤵
- Executes dropped EXE
PID:4404 -
\??\c:\3jdjv.exec:\3jdjv.exe46⤵
- Executes dropped EXE
PID:3440 -
\??\c:\dvjvd.exec:\dvjvd.exe47⤵
- Executes dropped EXE
PID:3844 -
\??\c:\3llfrfx.exec:\3llfrfx.exe48⤵
- Executes dropped EXE
PID:1580 -
\??\c:\hhnhbt.exec:\hhnhbt.exe49⤵
- Executes dropped EXE
PID:2384 -
\??\c:\ddjdv.exec:\ddjdv.exe50⤵
- Executes dropped EXE
PID:1636 -
\??\c:\jdvpd.exec:\jdvpd.exe51⤵
- Executes dropped EXE
PID:1824 -
\??\c:\lllfxxr.exec:\lllfxxr.exe52⤵
- Executes dropped EXE
PID:1112 -
\??\c:\pjdvp.exec:\pjdvp.exe53⤵
- Executes dropped EXE
PID:2424 -
\??\c:\rrrfrlf.exec:\rrrfrlf.exe54⤵
- Executes dropped EXE
PID:3116 -
\??\c:\rrxrlff.exec:\rrxrlff.exe55⤵
- Executes dropped EXE
PID:1436 -
\??\c:\tntnht.exec:\tntnht.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1480 -
\??\c:\1jvpj.exec:\1jvpj.exe57⤵
- Executes dropped EXE
PID:1324 -
\??\c:\3pjvj.exec:\3pjvj.exe58⤵
- Executes dropped EXE
PID:2016 -
\??\c:\rlrrrxr.exec:\rlrrrxr.exe59⤵
- Executes dropped EXE
PID:3464 -
\??\c:\bhnhtt.exec:\bhnhtt.exe60⤵
- Executes dropped EXE
PID:2024 -
\??\c:\btthbt.exec:\btthbt.exe61⤵
- Executes dropped EXE
PID:3036 -
\??\c:\9jdpj.exec:\9jdpj.exe62⤵
- Executes dropped EXE
PID:1220 -
\??\c:\3rffxfl.exec:\3rffxfl.exe63⤵
- Executes dropped EXE
PID:224 -
\??\c:\nbbnhb.exec:\nbbnhb.exe64⤵
- Executes dropped EXE
PID:2180 -
\??\c:\vjpjv.exec:\vjpjv.exe65⤵
- Executes dropped EXE
PID:1432 -
\??\c:\vppdv.exec:\vppdv.exe66⤵PID:4656
-
\??\c:\xrllffx.exec:\xrllffx.exe67⤵PID:3756
-
\??\c:\htthbt.exec:\htthbt.exe68⤵PID:4992
-
\??\c:\jvdvv.exec:\jvdvv.exe69⤵PID:1256
-
\??\c:\frrfxrf.exec:\frrfxrf.exe70⤵PID:4788
-
\??\c:\rllfxrr.exec:\rllfxrr.exe71⤵
- System Location Discovery: System Language Discovery
PID:3032 -
\??\c:\bnbnbh.exec:\bnbnbh.exe72⤵PID:2308
-
\??\c:\vpvjd.exec:\vpvjd.exe73⤵PID:3760
-
\??\c:\flrfxlf.exec:\flrfxlf.exe74⤵PID:4720
-
\??\c:\flllffx.exec:\flllffx.exe75⤵PID:4744
-
\??\c:\tnnhbt.exec:\tnnhbt.exe76⤵
- System Location Discovery: System Language Discovery
PID:3948 -
\??\c:\7tbtnn.exec:\7tbtnn.exe77⤵PID:2692
-
\??\c:\1vvpj.exec:\1vvpj.exe78⤵PID:4764
-
\??\c:\fxxlfrl.exec:\fxxlfrl.exe79⤵PID:2860
-
\??\c:\nhthnb.exec:\nhthnb.exe80⤵PID:2328
-
\??\c:\7bnhbb.exec:\7bnhbb.exe81⤵PID:804
-
\??\c:\pvdpj.exec:\pvdpj.exe82⤵PID:3436
-
\??\c:\llxlfxl.exec:\llxlfxl.exe83⤵PID:4324
-
\??\c:\nhhbbt.exec:\nhhbbt.exe84⤵PID:4632
-
\??\c:\nhhtnb.exec:\nhhtnb.exe85⤵PID:1740
-
\??\c:\vdvdj.exec:\vdvdj.exe86⤵PID:2240
-
\??\c:\llrlxxr.exec:\llrlxxr.exe87⤵PID:2364
-
\??\c:\tthbnh.exec:\tthbnh.exe88⤵PID:2832
-
\??\c:\7pvjd.exec:\7pvjd.exe89⤵PID:4056
-
\??\c:\jvvpv.exec:\jvvpv.exe90⤵PID:2100
-
\??\c:\lxllffx.exec:\lxllffx.exe91⤵PID:4780
-
\??\c:\9hhbtt.exec:\9hhbtt.exe92⤵PID:2616
-
\??\c:\vvpdv.exec:\vvpdv.exe93⤵PID:3496
-
\??\c:\fxxrxrl.exec:\fxxrxrl.exe94⤵PID:856
-
\??\c:\7xrlxxf.exec:\7xrlxxf.exe95⤵PID:3204
-
\??\c:\tbhbtt.exec:\tbhbtt.exe96⤵PID:3900
-
\??\c:\dpdjj.exec:\dpdjj.exe97⤵
- System Location Discovery: System Language Discovery
PID:3428 -
\??\c:\vpvpv.exec:\vpvpv.exe98⤵PID:4220
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe99⤵PID:4492
-
\??\c:\htnbtn.exec:\htnbtn.exe100⤵PID:1596
-
\??\c:\vvvpj.exec:\vvvpj.exe101⤵PID:1940
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe102⤵PID:2140
-
\??\c:\rxfrllr.exec:\rxfrllr.exe103⤵PID:4036
-
\??\c:\btbbbb.exec:\btbbbb.exe104⤵PID:4252
-
\??\c:\pvjdd.exec:\pvjdd.exe105⤵PID:744
-
\??\c:\vpvpj.exec:\vpvpj.exe106⤵PID:4480
-
\??\c:\llrlffx.exec:\llrlffx.exe107⤵PID:4336
-
\??\c:\1tbtnt.exec:\1tbtnt.exe108⤵PID:1624
-
\??\c:\3dvpj.exec:\3dvpj.exe109⤵PID:1636
-
\??\c:\3rfrlxr.exec:\3rfrlxr.exe110⤵PID:4516
-
\??\c:\7ffxrlf.exec:\7ffxrlf.exe111⤵PID:880
-
\??\c:\bnthbb.exec:\bnthbb.exe112⤵PID:1260
-
\??\c:\jpjpj.exec:\jpjpj.exe113⤵PID:1528
-
\??\c:\1xxxrrl.exec:\1xxxrrl.exe114⤵PID:2312
-
\??\c:\fxxlfxl.exec:\fxxlfxl.exe115⤵PID:1972
-
\??\c:\thtnhh.exec:\thtnhh.exe116⤵PID:1480
-
\??\c:\djvpd.exec:\djvpd.exe117⤵PID:1324
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe118⤵PID:5060
-
\??\c:\xrxrrll.exec:\xrxrrll.exe119⤵PID:4432
-
\??\c:\ntnhbb.exec:\ntnhbb.exe120⤵PID:4044
-
\??\c:\1djdv.exec:\1djdv.exe121⤵
- System Location Discovery: System Language Discovery
PID:2476 -
\??\c:\rrlxrrf.exec:\rrlxrrf.exe122⤵PID:5008