Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
26-12-2024 14:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
633c39ba6b1e049e44a69dc47cd5c8829137c0dbf0c7d0ef9b4151cd175ba037N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
633c39ba6b1e049e44a69dc47cd5c8829137c0dbf0c7d0ef9b4151cd175ba037N.exe
-
Size
453KB
-
MD5
4ca25ba99a98481a8c84d6e2845b3190
-
SHA1
aa0c84bbaf754b4268c41f242be0076efdcddaee
-
SHA256
633c39ba6b1e049e44a69dc47cd5c8829137c0dbf0c7d0ef9b4151cd175ba037
-
SHA512
a92c9c08300e52bd550063111112f118f1e78a0ccf2598b544f238d58d259d8203e07ef4fb6ded963717687648bed7f481c710633a726649468fc3ecd8feffec
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeK:q7Tc2NYHUrAwfMp3CDK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs — every hit is the YARA rule family_blackmoon matching a memory dump of the 0x00400000–0x0042A000 image region of a running process; no on-disk hit is listed. The same dumps also match the UPX rule further down, so the family match was made on the unpacked in-memory image, and a file-based scan of the packed sample may not reproduce it.
resource yara_rule behavioral2/memory/5108-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/468-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/784-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4616-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-1003-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-1176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3952-1848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — note that PIDs are reused within the run (for example 1832 is listed for both dvpjv.exe and frxrffx.exe, and 2848 for both rlxlfff.exe and 1ffrlfx.exe), so correlate memory-dump and process-tree entries by image path and order, not by PID alone.
pid Process 2828 xllxrlx.exe 4872 pdpjd.exe 1832 dvpjv.exe 4988 3ppdv.exe 1168 jvdvj.exe 2824 lllfrlx.exe 3640 jdvjj.exe 2848 rlxlfff.exe 2212 nhntnb.exe 1084 pddjd.exe 2132 hbthhb.exe 3780 vjjdv.exe 1620 fllxfxr.exe 4472 vjjvp.exe 3344 1rffxrf.exe 1048 fxfxxxr.exe 2044 1jppj.exe 3000 rxxrrrl.exe 2928 jvjdv.exe 3876 xrfxllf.exe 3292 bhtnhh.exe 4272 vvddj.exe 1456 pppjd.exe 4652 jvpjd.exe 468 llfxxxr.exe 4732 nnnbbb.exe 3268 nnnntn.exe 4308 dpvjj.exe 4092 rlrllxr.exe 4816 nbbtnn.exe 4996 rlllllf.exe 4876 hhttnn.exe 1764 tnntbb.exe 3100 pdvjd.exe 1644 hbbttn.exe 2780 5hhbbb.exe 784 vdpdv.exe 1052 frrxlrx.exe 4844 nntnnn.exe 2572 9pvpj.exe 3364 llxfxxr.exe 4824 tnntnn.exe 4920 vpvpj.exe 2740 pdpjv.exe 2436 1xxxrxr.exe 4396 tttnhh.exe 4388 bntthh.exe 4608 jjvpd.exe 4932 xrfrxrr.exe 3256 ntbthb.exe 1696 jddvj.exe 1832 frxrffx.exe 1268 thnhhb.exe 2876 bhtnbt.exe 1580 dpdpd.exe 752 xxxrlff.exe 2400 thhhht.exe 1428 tntntt.exe 4680 ppvvv.exe 4512 frrlffx.exe 2008 ttbnhh.exe 764 jvdvj.exe 4616 jddvp.exe 5040 9lfrffr.exe -
resource yara_rule behavioral2/memory/5108-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4308-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/784-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-344-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2388-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-705-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Many of the entries below are attributed to "Process not Found", meaning the sandbox could not resolve the process that opened the key (presumably short-lived stages that had already exited); treat the 64-IoC count as an upper bound on activity that can be tied to a named process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
3jvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each entry is a parent writing into the child it has just spawned (e.g. PID 5108, the sample itself, into 2828 xllxrlx.exe, matching the process tree below), recorded three times per child. This is consistent with start-up of the next stage in the drop-and-execute chain rather than injection into an unrelated process; the signature alone should not be read as evidence of process injection.
description pid Process procid_target PID 5108 wrote to memory of 2828 5108 633c39ba6b1e049e44a69dc47cd5c8829137c0dbf0c7d0ef9b4151cd175ba037N.exe 84 PID 5108 wrote to memory of 2828 5108 633c39ba6b1e049e44a69dc47cd5c8829137c0dbf0c7d0ef9b4151cd175ba037N.exe 84 PID 5108 wrote to memory of 2828 5108 633c39ba6b1e049e44a69dc47cd5c8829137c0dbf0c7d0ef9b4151cd175ba037N.exe 84 PID 2828 wrote to memory of 4872 2828 xllxrlx.exe 85 PID 2828 wrote to memory of 4872 2828 xllxrlx.exe 85 PID 2828 wrote to memory of 4872 2828 xllxrlx.exe 85 PID 4872 wrote to memory of 1832 4872 pdpjd.exe 86 PID 4872 wrote to memory of 1832 4872 pdpjd.exe 86 PID 4872 wrote to memory of 1832 4872 pdpjd.exe 86 PID 1832 wrote to memory of 4988 1832 dvpjv.exe 87 PID 1832 wrote to memory of 4988 1832 dvpjv.exe 87 PID 1832 wrote to memory of 4988 1832 dvpjv.exe 87 PID 4988 wrote to memory of 1168 4988 3ppdv.exe 88 PID 4988 wrote to memory of 1168 4988 3ppdv.exe 88 PID 4988 wrote to memory of 1168 4988 3ppdv.exe 88 PID 1168 wrote to memory of 2824 1168 jvdvj.exe 89 PID 1168 wrote to memory of 2824 1168 jvdvj.exe 89 PID 1168 wrote to memory of 2824 1168 jvdvj.exe 89 PID 2824 wrote to memory of 3640 2824 lllfrlx.exe 90 PID 2824 wrote to memory of 3640 2824 lllfrlx.exe 90 PID 2824 wrote to memory of 3640 2824 lllfrlx.exe 90 PID 3640 wrote to memory of 2848 3640 jdvjj.exe 91 PID 3640 wrote to memory of 2848 3640 jdvjj.exe 91 PID 3640 wrote to memory of 2848 3640 jdvjj.exe 91 PID 2848 wrote to memory of 2212 2848 rlxlfff.exe 92 PID 2848 wrote to memory of 2212 2848 rlxlfff.exe 92 PID 2848 wrote to memory of 2212 2848 rlxlfff.exe 92 PID 2212 wrote to memory of 1084 2212 nhntnb.exe 93 PID 2212 wrote to memory of 1084 2212 nhntnb.exe 93 PID 2212 wrote to memory of 1084 2212 nhntnb.exe 93 PID 1084 wrote to memory of 2132 1084 pddjd.exe 94 PID 1084 wrote to memory of 2132 1084 pddjd.exe 94 PID 1084 wrote to memory of 2132 1084 pddjd.exe 94 PID 2132 wrote to memory of 3780 2132 hbthhb.exe 95 PID 2132 wrote to memory 
of 3780 2132 hbthhb.exe 95 PID 2132 wrote to memory of 3780 2132 hbthhb.exe 95 PID 3780 wrote to memory of 1620 3780 vjjdv.exe 96 PID 3780 wrote to memory of 1620 3780 vjjdv.exe 96 PID 3780 wrote to memory of 1620 3780 vjjdv.exe 96 PID 1620 wrote to memory of 4472 1620 fllxfxr.exe 97 PID 1620 wrote to memory of 4472 1620 fllxfxr.exe 97 PID 1620 wrote to memory of 4472 1620 fllxfxr.exe 97 PID 4472 wrote to memory of 3344 4472 vjjvp.exe 98 PID 4472 wrote to memory of 3344 4472 vjjvp.exe 98 PID 4472 wrote to memory of 3344 4472 vjjvp.exe 98 PID 3344 wrote to memory of 1048 3344 1rffxrf.exe 99 PID 3344 wrote to memory of 1048 3344 1rffxrf.exe 99 PID 3344 wrote to memory of 1048 3344 1rffxrf.exe 99 PID 1048 wrote to memory of 2044 1048 fxfxxxr.exe 100 PID 1048 wrote to memory of 2044 1048 fxfxxxr.exe 100 PID 1048 wrote to memory of 2044 1048 fxfxxxr.exe 100 PID 2044 wrote to memory of 3000 2044 1jppj.exe 101 PID 2044 wrote to memory of 3000 2044 1jppj.exe 101 PID 2044 wrote to memory of 3000 2044 1jppj.exe 101 PID 3000 wrote to memory of 2928 3000 rxxrrrl.exe 102 PID 3000 wrote to memory of 2928 3000 rxxrrrl.exe 102 PID 3000 wrote to memory of 2928 3000 rxxrrrl.exe 102 PID 2928 wrote to memory of 3876 2928 jvjdv.exe 103 PID 2928 wrote to memory of 3876 2928 jvjdv.exe 103 PID 2928 wrote to memory of 3876 2928 jvjdv.exe 103 PID 3876 wrote to memory of 3292 3876 xrfxllf.exe 104 PID 3876 wrote to memory of 3292 3876 xrfxllf.exe 104 PID 3876 wrote to memory of 3292 3876 xrfxllf.exe 104 PID 3292 wrote to memory of 4272 3292 bhtnhh.exe 105
Processes (process tree: each dropped EXE launches the next, reaching nesting depth 122 within the 120 s run; later stages carry no "Executes dropped EXE" tag, apparently because each signature lists at most 64 IoCs)
-
C:\Users\Admin\AppData\Local\Temp\633c39ba6b1e049e44a69dc47cd5c8829137c0dbf0c7d0ef9b4151cd175ba037N.exe — command line: "C:\Users\Admin\AppData\Local\Temp\633c39ba6b1e049e44a69dc47cd5c8829137c0dbf0c7d0ef9b4151cd175ba037N.exe" — depth 1 ⤵
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\xllxrlx.exe — command line: c:\xllxrlx.exe — depth 2 ⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\pdpjd.exec:\pdpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\dvpjv.exec:\dvpjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\3ppdv.exec:\3ppdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\jvdvj.exec:\jvdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\lllfrlx.exec:\lllfrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\jdvjj.exec:\jdvjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\rlxlfff.exec:\rlxlfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\nhntnb.exec:\nhntnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\pddjd.exec:\pddjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\hbthhb.exec:\hbthhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\vjjdv.exec:\vjjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\fllxfxr.exec:\fllxfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\vjjvp.exec:\vjjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\1rffxrf.exec:\1rffxrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\fxfxxxr.exec:\fxfxxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\1jppj.exec:\1jppj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\rxxrrrl.exec:\rxxrrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\jvjdv.exec:\jvjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\xrfxllf.exec:\xrfxllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\bhtnhh.exec:\bhtnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\vvddj.exec:\vvddj.exe23⤵
- Executes dropped EXE
PID:4272 -
\??\c:\pppjd.exec:\pppjd.exe24⤵
- Executes dropped EXE
PID:1456 -
\??\c:\jvpjd.exec:\jvpjd.exe25⤵
- Executes dropped EXE
PID:4652 -
\??\c:\llfxxxr.exec:\llfxxxr.exe26⤵
- Executes dropped EXE
PID:468 -
\??\c:\nnnbbb.exec:\nnnbbb.exe27⤵
- Executes dropped EXE
PID:4732 -
\??\c:\nnnntn.exec:\nnnntn.exe28⤵
- Executes dropped EXE
PID:3268 -
\??\c:\dpvjj.exec:\dpvjj.exe29⤵
- Executes dropped EXE
PID:4308 -
\??\c:\rlrllxr.exec:\rlrllxr.exe30⤵
- Executes dropped EXE
PID:4092 -
\??\c:\nbbtnn.exec:\nbbtnn.exe31⤵
- Executes dropped EXE
PID:4816 -
\??\c:\rlllllf.exec:\rlllllf.exe32⤵
- Executes dropped EXE
PID:4996 -
\??\c:\hhttnn.exec:\hhttnn.exe33⤵
- Executes dropped EXE
PID:4876 -
\??\c:\tnntbb.exec:\tnntbb.exe34⤵
- Executes dropped EXE
PID:1764 -
\??\c:\pdvjd.exec:\pdvjd.exe35⤵
- Executes dropped EXE
PID:3100 -
\??\c:\hbbttn.exec:\hbbttn.exe36⤵
- Executes dropped EXE
PID:1644 -
\??\c:\5hhbbb.exec:\5hhbbb.exe37⤵
- Executes dropped EXE
PID:2780 -
\??\c:\vdpdv.exec:\vdpdv.exe38⤵
- Executes dropped EXE
PID:784 -
\??\c:\frrxlrx.exec:\frrxlrx.exe39⤵
- Executes dropped EXE
PID:1052 -
\??\c:\nntnnn.exec:\nntnnn.exe40⤵
- Executes dropped EXE
PID:4844 -
\??\c:\9pvpj.exec:\9pvpj.exe41⤵
- Executes dropped EXE
PID:2572 -
\??\c:\llxfxxr.exec:\llxfxxr.exe42⤵
- Executes dropped EXE
PID:3364 -
\??\c:\tnntnn.exec:\tnntnn.exe43⤵
- Executes dropped EXE
PID:4824 -
\??\c:\vpvpj.exec:\vpvpj.exe44⤵
- Executes dropped EXE
PID:4920 -
\??\c:\pdpjv.exec:\pdpjv.exe45⤵
- Executes dropped EXE
PID:2740 -
\??\c:\1xxxrxr.exec:\1xxxrxr.exe46⤵
- Executes dropped EXE
PID:2436 -
\??\c:\tttnhh.exec:\tttnhh.exe47⤵
- Executes dropped EXE
PID:4396 -
\??\c:\bntthh.exec:\bntthh.exe48⤵
- Executes dropped EXE
PID:4388 -
\??\c:\jjvpd.exec:\jjvpd.exe49⤵
- Executes dropped EXE
PID:4608 -
\??\c:\xrfrxrr.exec:\xrfrxrr.exe50⤵
- Executes dropped EXE
PID:4932 -
\??\c:\ntbthb.exec:\ntbthb.exe51⤵
- Executes dropped EXE
PID:3256 -
\??\c:\jddvj.exec:\jddvj.exe52⤵
- Executes dropped EXE
PID:1696 -
\??\c:\frxrffx.exec:\frxrffx.exe53⤵
- Executes dropped EXE
PID:1832 -
\??\c:\thnhhb.exec:\thnhhb.exe54⤵
- Executes dropped EXE
PID:1268 -
\??\c:\bhtnbt.exec:\bhtnbt.exe55⤵
- Executes dropped EXE
PID:2876 -
\??\c:\dpdpd.exec:\dpdpd.exe56⤵
- Executes dropped EXE
PID:1580 -
\??\c:\xxxrlff.exec:\xxxrlff.exe57⤵
- Executes dropped EXE
PID:752 -
\??\c:\thhhht.exec:\thhhht.exe58⤵
- Executes dropped EXE
PID:2400 -
\??\c:\tntntt.exec:\tntntt.exe59⤵
- Executes dropped EXE
PID:1428 -
\??\c:\ppvvv.exec:\ppvvv.exe60⤵
- Executes dropped EXE
PID:4680 -
\??\c:\frrlffx.exec:\frrlffx.exe61⤵
- Executes dropped EXE
PID:4512 -
\??\c:\ttbnhh.exec:\ttbnhh.exe62⤵
- Executes dropped EXE
PID:2008 -
\??\c:\jvdvj.exec:\jvdvj.exe63⤵
- Executes dropped EXE
PID:764 -
\??\c:\jddvp.exec:\jddvp.exe64⤵
- Executes dropped EXE
PID:4616 -
\??\c:\9lfrffr.exec:\9lfrffr.exe65⤵
- Executes dropped EXE
PID:5040 -
\??\c:\thnbtn.exec:\thnbtn.exe66⤵PID:3864
-
\??\c:\jpdvp.exec:\jpdvp.exe67⤵PID:3052
-
\??\c:\ddvvd.exec:\ddvvd.exe68⤵PID:2568
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe69⤵PID:4256
-
\??\c:\btnbnn.exec:\btnbnn.exe70⤵PID:4472
-
\??\c:\3tttbb.exec:\3tttbb.exe71⤵PID:2988
-
\??\c:\jppjv.exec:\jppjv.exe72⤵PID:1584
-
\??\c:\rxfxlrr.exec:\rxfxlrr.exe73⤵PID:4080
-
\??\c:\nnbttn.exec:\nnbttn.exe74⤵PID:4236
-
\??\c:\dpppd.exec:\dpppd.exe75⤵PID:4200
-
\??\c:\lfrlxxr.exec:\lfrlxxr.exe76⤵PID:2472
-
\??\c:\llrlrrx.exec:\llrlrrx.exe77⤵PID:3876
-
\??\c:\htthbt.exec:\htthbt.exe78⤵PID:3608
-
\??\c:\vdjvj.exec:\vdjvj.exe79⤵PID:956
-
\??\c:\xfllfxx.exec:\xfllfxx.exe80⤵PID:2872
-
\??\c:\xxrxxrf.exec:\xxrxxrf.exe81⤵PID:4956
-
\??\c:\5btnbt.exec:\5btnbt.exe82⤵PID:1028
-
\??\c:\dvdvp.exec:\dvdvp.exe83⤵PID:64
-
\??\c:\9xlfrxr.exec:\9xlfrxr.exe84⤵PID:1720
-
\??\c:\5nhttn.exec:\5nhttn.exe85⤵PID:2276
-
\??\c:\dpvjj.exec:\dpvjj.exe86⤵PID:3756
-
\??\c:\9lxrrrr.exec:\9lxrrrr.exe87⤵PID:2388
-
\??\c:\btnhbt.exec:\btnhbt.exe88⤵PID:2712
-
\??\c:\htnbbn.exec:\htnbbn.exe89⤵PID:3592
-
\??\c:\vvpjv.exec:\vvpjv.exe90⤵PID:5044
-
\??\c:\1xxrllf.exec:\1xxrllf.exe91⤵PID:4036
-
\??\c:\9bhbhh.exec:\9bhbhh.exe92⤵PID:5028
-
\??\c:\5dvjv.exec:\5dvjv.exe93⤵PID:2068
-
\??\c:\xxfxrff.exec:\xxfxrff.exe94⤵PID:1888
-
\??\c:\nhttbb.exec:\nhttbb.exe95⤵PID:464
-
\??\c:\nhbtbb.exec:\nhbtbb.exe96⤵PID:3952
-
\??\c:\vppjd.exec:\vppjd.exe97⤵PID:3632
-
\??\c:\lrfxllf.exec:\lrfxllf.exe98⤵PID:816
-
\??\c:\9ntnhh.exec:\9ntnhh.exe99⤵PID:3604
-
\??\c:\hbtnnt.exec:\hbtnnt.exe100⤵PID:2192
-
\??\c:\dvpjv.exec:\dvpjv.exe101⤵PID:652
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe102⤵PID:4972
-
\??\c:\nbnhbb.exec:\nbnhbb.exe103⤵PID:3364
-
\??\c:\vvdvp.exec:\vvdvp.exe104⤵PID:676
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe105⤵PID:696
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe106⤵PID:184
-
\??\c:\bntntt.exec:\bntntt.exe107⤵PID:4400
-
\??\c:\9ppdv.exec:\9ppdv.exe108⤵PID:2608
-
\??\c:\lxxlxrl.exec:\lxxlxrl.exe109⤵PID:1336
-
\??\c:\3hbtnh.exec:\3hbtnh.exe110⤵PID:2828
-
\??\c:\jpdvp.exec:\jpdvp.exe111⤵PID:3508
-
\??\c:\pjjdp.exec:\pjjdp.exe112⤵PID:3660
-
\??\c:\xrrlffx.exec:\xrrlffx.exe113⤵
- System Location Discovery: System Language Discovery
PID:1692 -
\??\c:\ntbtnh.exec:\ntbtnh.exe114⤵PID:3620
-
\??\c:\jdppj.exec:\jdppj.exe115⤵PID:5096
-
\??\c:\ffxrlfx.exec:\ffxrlfx.exe116⤵PID:1148
-
\??\c:\llrfxrf.exec:\llrfxrf.exe117⤵PID:1168
-
\??\c:\3htnht.exec:\3htnht.exe118⤵PID:4180
-
\??\c:\5pjdv.exec:\5pjdv.exe119⤵
- System Location Discovery: System Language Discovery
PID:2248 -
\??\c:\1ffrlfx.exec:\1ffrlfx.exe120⤵PID:2848
-
\??\c:\nntnhh.exec:\nntnhh.exe121⤵PID:2444
-
\??\c:\jvjvp.exec:\jvjvp.exe122⤵PID:3176