Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 10:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1a467a8abb4308dcade1caac2489d15f62526efc6ec724b3761fe9f2f8b4d93N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a1a467a8abb4308dcade1caac2489d15f62526efc6ec724b3761fe9f2f8b4d93N.exe
-
Size
454KB
-
MD5
948f63e472e5ad9dccff0c88ebe700e0
-
SHA1
db1f3a8025c65d4b4d9dc7f30ca09ba575212e8d
-
SHA256
a1a467a8abb4308dcade1caac2489d15f62526efc6ec724b3761fe9f2f8b4d93
-
SHA512
621adfbd8410ef98140f79074158af53277a95a3ab3d8f4627e543e536fdd47fcfa34cd43bf538aea2083f9ae6371692aaf0dd3be87fbf389d089b9dacb20f5b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4836-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3284-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/640-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-907-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-1157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1348-1421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2116 7jjdv.exe 4108 rrffrrl.exe 2272 bnttnh.exe 3308 pddvp.exe 1196 rfrllll.exe 3400 tthhbb.exe 3812 tnnthh.exe 2264 djdvj.exe 2356 rxxllff.exe 2348 rrlflrx.exe 1688 dpdvj.exe 5012 flrlrrr.exe 1224 7hnntt.exe 2576 9ddvd.exe 2296 rrllxxx.exe 1004 9hhbtn.exe 4100 djdvv.exe 1584 frxxlll.exe 3244 thhbtt.exe 4612 vdjdv.exe 3664 xrlxfxf.exe 2548 hnttnn.exe 468 7vjvd.exe 2908 frfxxxr.exe 3876 vdjvj.exe 3968 jpddv.exe 4536 xffrllf.exe 1392 bnhtbt.exe 2856 tnnhhh.exe 4220 dvvpj.exe 5100 lfrlffx.exe 1428 tbbthh.exe 920 vjjpp.exe 3284 9lfxxxx.exe 2608 7tnbbt.exe 2336 thnnhh.exe 4116 jvvdp.exe 4348 rflfxxx.exe 4716 hnhbtn.exe 3496 hthbhh.exe 2288 fxxlrrr.exe 3476 ntbbnt.exe 4260 ttbhbt.exe 4268 dpvpd.exe 1308 jddvp.exe 2116 3xxrfxr.exe 3536 tbbtnn.exe 2128 bhbnnt.exe 1712 vjjpp.exe 4940 xxxlrxx.exe 536 ffxrlfr.exe 1196 btbhbh.exe 4832 tnhhbn.exe 4720 7jpdv.exe 4192 flllffl.exe 4916 rfffrrl.exe 2064 bttnnn.exe 1580 1bhbbn.exe 5024 jvjdj.exe 1688 nbhhbb.exe 892 dvjpd.exe 4688 pvdvv.exe 2208 xlxflrx.exe 448 tbnhhh.exe -
resource yara_rule behavioral2/memory/4836-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4536-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-356-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/984-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-712-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvdp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4836 wrote to memory of 2116 4836 a1a467a8abb4308dcade1caac2489d15f62526efc6ec724b3761fe9f2f8b4d93N.exe 128 PID 4836 wrote to memory of 2116 4836 a1a467a8abb4308dcade1caac2489d15f62526efc6ec724b3761fe9f2f8b4d93N.exe 128 PID 4836 wrote to memory of 2116 4836 a1a467a8abb4308dcade1caac2489d15f62526efc6ec724b3761fe9f2f8b4d93N.exe 128 PID 2116 wrote to memory of 4108 2116 7jjdv.exe 84 PID 2116 wrote to memory of 4108 2116 7jjdv.exe 84 PID 2116 wrote to memory of 4108 2116 7jjdv.exe 84 PID 4108 wrote to memory of 2272 4108 rrffrrl.exe 85 PID 4108 wrote to memory of 2272 4108 rrffrrl.exe 85 PID 4108 wrote to memory of 2272 4108 rrffrrl.exe 85 PID 2272 wrote to memory of 3308 2272 bnttnh.exe 86 PID 2272 wrote to memory of 3308 2272 bnttnh.exe 86 PID 2272 wrote to memory of 3308 2272 bnttnh.exe 86 PID 3308 wrote to memory of 1196 3308 pddvp.exe 87 PID 3308 wrote to memory of 1196 3308 pddvp.exe 87 PID 3308 wrote to memory of 1196 3308 pddvp.exe 87 PID 1196 wrote to memory of 3400 1196 rfrllll.exe 88 PID 1196 wrote to memory of 3400 1196 rfrllll.exe 88 PID 1196 wrote to memory of 3400 1196 rfrllll.exe 88 PID 3400 wrote to memory of 3812 3400 tthhbb.exe 89 PID 3400 wrote to memory of 3812 3400 tthhbb.exe 89 PID 3400 wrote to memory of 3812 3400 tthhbb.exe 89 PID 3812 wrote to memory of 2264 3812 tnnthh.exe 90 PID 3812 wrote to memory of 2264 3812 tnnthh.exe 90 PID 3812 wrote to memory of 2264 3812 tnnthh.exe 90 PID 2264 wrote to memory of 2356 2264 djdvj.exe 91 PID 2264 wrote to memory of 2356 2264 djdvj.exe 91 PID 2264 wrote to memory of 2356 2264 djdvj.exe 91 PID 2356 wrote to memory of 2348 2356 rxxllff.exe 92 PID 2356 wrote to memory of 2348 2356 rxxllff.exe 92 PID 2356 wrote to memory of 2348 2356 rxxllff.exe 92 PID 2348 wrote to memory of 1688 2348 rrlflrx.exe 142 PID 2348 wrote to memory of 1688 2348 rrlflrx.exe 142 PID 2348 wrote to memory of 1688 2348 rrlflrx.exe 142 PID 1688 wrote to memory of 5012 1688 dpdvj.exe 94 PID 1688 
wrote to memory of 5012 1688 dpdvj.exe 94 PID 1688 wrote to memory of 5012 1688 dpdvj.exe 94 PID 5012 wrote to memory of 1224 5012 flrlrrr.exe 95 PID 5012 wrote to memory of 1224 5012 flrlrrr.exe 95 PID 5012 wrote to memory of 1224 5012 flrlrrr.exe 95 PID 1224 wrote to memory of 2576 1224 7hnntt.exe 96 PID 1224 wrote to memory of 2576 1224 7hnntt.exe 96 PID 1224 wrote to memory of 2576 1224 7hnntt.exe 96 PID 2576 wrote to memory of 2296 2576 9ddvd.exe 97 PID 2576 wrote to memory of 2296 2576 9ddvd.exe 97 PID 2576 wrote to memory of 2296 2576 9ddvd.exe 97 PID 2296 wrote to memory of 1004 2296 rrllxxx.exe 98 PID 2296 wrote to memory of 1004 2296 rrllxxx.exe 98 PID 2296 wrote to memory of 1004 2296 rrllxxx.exe 98 PID 1004 wrote to memory of 4100 1004 9hhbtn.exe 99 PID 1004 wrote to memory of 4100 1004 9hhbtn.exe 99 PID 1004 wrote to memory of 4100 1004 9hhbtn.exe 99 PID 4100 wrote to memory of 1584 4100 djdvv.exe 100 PID 4100 wrote to memory of 1584 4100 djdvv.exe 100 PID 4100 wrote to memory of 1584 4100 djdvv.exe 100 PID 1584 wrote to memory of 3244 1584 frxxlll.exe 101 PID 1584 wrote to memory of 3244 1584 frxxlll.exe 101 PID 1584 wrote to memory of 3244 1584 frxxlll.exe 101 PID 3244 wrote to memory of 4612 3244 thhbtt.exe 102 PID 3244 wrote to memory of 4612 3244 thhbtt.exe 102 PID 3244 wrote to memory of 4612 3244 thhbtt.exe 102 PID 4612 wrote to memory of 3664 4612 vdjdv.exe 103 PID 4612 wrote to memory of 3664 4612 vdjdv.exe 103 PID 4612 wrote to memory of 3664 4612 vdjdv.exe 103 PID 3664 wrote to memory of 2548 3664 xrlxfxf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1a467a8abb4308dcade1caac2489d15f62526efc6ec724b3761fe9f2f8b4d93N.exe"C:\Users\Admin\AppData\Local\Temp\a1a467a8abb4308dcade1caac2489d15f62526efc6ec724b3761fe9f2f8b4d93N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\7jjdv.exec:\7jjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\rrffrrl.exec:\rrffrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\bnttnh.exec:\bnttnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\pddvp.exec:\pddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\rfrllll.exec:\rfrllll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\tthhbb.exec:\tthhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\tnnthh.exec:\tnnthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\djdvj.exec:\djdvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\rxxllff.exec:\rxxllff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\rrlflrx.exec:\rrlflrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\dpdvj.exec:\dpdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\flrlrrr.exec:\flrlrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\7hnntt.exec:\7hnntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\9ddvd.exec:\9ddvd.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\rrllxxx.exec:\rrllxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\9hhbtn.exec:\9hhbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\djdvv.exec:\djdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\frxxlll.exec:\frxxlll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\thhbtt.exec:\thhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\vdjdv.exec:\vdjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\xrlxfxf.exec:\xrlxfxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\hnttnn.exec:\hnttnn.exe23⤵
- Executes dropped EXE
PID:2548 -
\??\c:\7vjvd.exec:\7vjvd.exe24⤵
- Executes dropped EXE
PID:468 -
\??\c:\frfxxxr.exec:\frfxxxr.exe25⤵
- Executes dropped EXE
PID:2908 -
\??\c:\vdjvj.exec:\vdjvj.exe26⤵
- Executes dropped EXE
PID:3876 -
\??\c:\jpddv.exec:\jpddv.exe27⤵
- Executes dropped EXE
PID:3968 -
\??\c:\xffrllf.exec:\xffrllf.exe28⤵
- Executes dropped EXE
PID:4536 -
\??\c:\bnhtbt.exec:\bnhtbt.exe29⤵
- Executes dropped EXE
PID:1392 -
\??\c:\tnnhhh.exec:\tnnhhh.exe30⤵
- Executes dropped EXE
PID:2856 -
\??\c:\dvvpj.exec:\dvvpj.exe31⤵
- Executes dropped EXE
PID:4220 -
\??\c:\lfrlffx.exec:\lfrlffx.exe32⤵
- Executes dropped EXE
PID:5100 -
\??\c:\tbbthh.exec:\tbbthh.exe33⤵
- Executes dropped EXE
PID:1428 -
\??\c:\vjjpp.exec:\vjjpp.exe34⤵
- Executes dropped EXE
PID:920 -
\??\c:\9lfxxxx.exec:\9lfxxxx.exe35⤵
- Executes dropped EXE
PID:3284 -
\??\c:\7tnbbt.exec:\7tnbbt.exe36⤵
- Executes dropped EXE
PID:2608 -
\??\c:\thnnhh.exec:\thnnhh.exe37⤵
- Executes dropped EXE
PID:2336 -
\??\c:\jvvdp.exec:\jvvdp.exe38⤵
- Executes dropped EXE
PID:4116 -
\??\c:\rflfxxx.exec:\rflfxxx.exe39⤵
- Executes dropped EXE
PID:4348 -
\??\c:\hnhbtn.exec:\hnhbtn.exe40⤵
- Executes dropped EXE
PID:4716 -
\??\c:\hthbhh.exec:\hthbhh.exe41⤵
- Executes dropped EXE
PID:3496 -
\??\c:\fxxlrrr.exec:\fxxlrrr.exe42⤵
- Executes dropped EXE
PID:2288 -
\??\c:\ntbbnt.exec:\ntbbnt.exe43⤵
- Executes dropped EXE
PID:3476 -
\??\c:\ttbhbt.exec:\ttbhbt.exe44⤵
- Executes dropped EXE
PID:4260 -
\??\c:\dpvpd.exec:\dpvpd.exe45⤵
- Executes dropped EXE
PID:4268 -
\??\c:\jddvp.exec:\jddvp.exe46⤵
- Executes dropped EXE
PID:1308 -
\??\c:\3xxrfxr.exec:\3xxrfxr.exe47⤵
- Executes dropped EXE
PID:2116 -
\??\c:\tbbtnn.exec:\tbbtnn.exe48⤵
- Executes dropped EXE
PID:3536 -
\??\c:\bhbnnt.exec:\bhbnnt.exe49⤵
- Executes dropped EXE
PID:2128 -
\??\c:\vjjpp.exec:\vjjpp.exe50⤵
- Executes dropped EXE
PID:1712 -
\??\c:\xxxlrxx.exec:\xxxlrxx.exe51⤵
- Executes dropped EXE
PID:4940 -
\??\c:\ffxrlfr.exec:\ffxrlfr.exe52⤵
- Executes dropped EXE
PID:536 -
\??\c:\btbhbh.exec:\btbhbh.exe53⤵
- Executes dropped EXE
PID:1196 -
\??\c:\tnhhbn.exec:\tnhhbn.exe54⤵
- Executes dropped EXE
PID:4832 -
\??\c:\7jpdv.exec:\7jpdv.exe55⤵
- Executes dropped EXE
PID:4720 -
\??\c:\flllffl.exec:\flllffl.exe56⤵
- Executes dropped EXE
PID:4192 -
\??\c:\rfffrrl.exec:\rfffrrl.exe57⤵
- Executes dropped EXE
PID:4916 -
\??\c:\bttnnn.exec:\bttnnn.exe58⤵
- Executes dropped EXE
PID:2064 -
\??\c:\1bhbbn.exec:\1bhbbn.exe59⤵
- Executes dropped EXE
PID:1580 -
\??\c:\jvjdj.exec:\jvjdj.exe60⤵
- Executes dropped EXE
PID:5024 -
\??\c:\nbhhbb.exec:\nbhhbb.exe61⤵
- Executes dropped EXE
PID:1688 -
\??\c:\dvjpd.exec:\dvjpd.exe62⤵
- Executes dropped EXE
PID:892 -
\??\c:\pvdvv.exec:\pvdvv.exe63⤵
- Executes dropped EXE
PID:4688 -
\??\c:\xlxflrx.exec:\xlxflrx.exe64⤵
- Executes dropped EXE
PID:2208 -
\??\c:\tbnhhh.exec:\tbnhhh.exe65⤵
- Executes dropped EXE
PID:448 -
\??\c:\xrlffxx.exec:\xrlffxx.exe66⤵PID:1528
-
\??\c:\3bhbbb.exec:\3bhbbb.exe67⤵PID:3488
-
\??\c:\7pjdd.exec:\7pjdd.exe68⤵PID:1556
-
\??\c:\jvdvv.exec:\jvdvv.exe69⤵PID:4492
-
\??\c:\rrlfxrl.exec:\rrlfxrl.exe70⤵PID:5104
-
\??\c:\thtbhh.exec:\thtbhh.exe71⤵PID:1492
-
\??\c:\1djpd.exec:\1djpd.exe72⤵PID:3616
-
\??\c:\3rfxxrx.exec:\3rfxxrx.exe73⤵PID:4456
-
\??\c:\7ttnhh.exec:\7ttnhh.exe74⤵PID:4840
-
\??\c:\dvjjj.exec:\dvjjj.exe75⤵PID:5112
-
\??\c:\7rrlffx.exec:\7rrlffx.exe76⤵PID:4412
-
\??\c:\5tbtnn.exec:\5tbtnn.exe77⤵PID:4440
-
\??\c:\bnnhtn.exec:\bnnhtn.exe78⤵
- System Location Discovery: System Language Discovery
PID:2044 -
\??\c:\rfrlffx.exec:\rfrlffx.exe79⤵PID:4444
-
\??\c:\nnnhbt.exec:\nnnhbt.exe80⤵PID:2000
-
\??\c:\tbnhbb.exec:\tbnhbb.exe81⤵PID:2908
-
\??\c:\vdddj.exec:\vdddj.exe82⤵PID:640
-
\??\c:\fxlxlrl.exec:\fxlxlrl.exe83⤵PID:2424
-
\??\c:\jppjd.exec:\jppjd.exe84⤵PID:3744
-
\??\c:\3llfxxx.exec:\3llfxxx.exe85⤵PID:984
-
\??\c:\nthbnh.exec:\nthbnh.exe86⤵PID:2876
-
\??\c:\dvdpj.exec:\dvdpj.exe87⤵PID:3116
-
\??\c:\1nhhbh.exec:\1nhhbh.exe88⤵PID:4220
-
\??\c:\dddvv.exec:\dddvv.exe89⤵PID:2256
-
\??\c:\lfrlxxl.exec:\lfrlxxl.exe90⤵PID:548
-
\??\c:\bnnbtn.exec:\bnnbtn.exe91⤵PID:2328
-
\??\c:\vpvvj.exec:\vpvvj.exe92⤵PID:4912
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe93⤵PID:1216
-
\??\c:\ppppj.exec:\ppppj.exe94⤵PID:3688
-
\??\c:\tttnhh.exec:\tttnhh.exe95⤵PID:404
-
\??\c:\xxxxrxf.exec:\xxxxrxf.exe96⤵PID:4800
-
\??\c:\9hbtbh.exec:\9hbtbh.exe97⤵PID:4336
-
\??\c:\bthbnb.exec:\bthbnb.exe98⤵PID:2884
-
\??\c:\hhbbnh.exec:\hhbbnh.exe99⤵PID:2476
-
\??\c:\jjpjj.exec:\jjpjj.exe100⤵PID:3496
-
\??\c:\dvjdj.exec:\dvjdj.exe101⤵PID:2016
-
\??\c:\5nnhhh.exec:\5nnhhh.exe102⤵PID:4284
-
\??\c:\3jjdv.exec:\3jjdv.exe103⤵PID:3544
-
\??\c:\pjvvp.exec:\pjvvp.exe104⤵PID:4268
-
\??\c:\fxlxrfx.exec:\fxlxrfx.exe105⤵PID:3036
-
\??\c:\vjjdv.exec:\vjjdv.exe106⤵PID:3620
-
\??\c:\3jvpd.exec:\3jvpd.exe107⤵PID:972
-
\??\c:\xlrfrrl.exec:\xlrfrrl.exe108⤵PID:3600
-
\??\c:\3tbthh.exec:\3tbthh.exe109⤵PID:1140
-
\??\c:\dpjdp.exec:\dpjdp.exe110⤵PID:1448
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe111⤵PID:3324
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe112⤵PID:764
-
\??\c:\bntnhh.exec:\bntnhh.exe113⤵PID:2008
-
\??\c:\dpjvj.exec:\dpjvj.exe114⤵PID:1028
-
\??\c:\3rlxlfx.exec:\3rlxlfx.exe115⤵PID:2112
-
\??\c:\bnnhtt.exec:\bnnhtt.exe116⤵PID:4320
-
\??\c:\vpvpj.exec:\vpvpj.exe117⤵PID:2356
-
\??\c:\5xlxlfx.exec:\5xlxlfx.exe118⤵PID:3672
-
\??\c:\tnthbt.exec:\tnthbt.exe119⤵PID:3944
-
\??\c:\vjjvj.exec:\vjjvj.exe120⤵PID:2244
-
\??\c:\lrlxlfx.exec:\lrlxlfx.exe121⤵PID:1976
-
\??\c:\nbnhhh.exec:\nbnhhh.exe122⤵PID:1860