Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 18:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4a9c5abf3fdca23d0851e9b357306cececf832ad64459c0cc4f25a4797314ccaN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
4a9c5abf3fdca23d0851e9b357306cececf832ad64459c0cc4f25a4797314ccaN.exe
-
Size
453KB
-
MD5
b06b391c830140e6fc2a6bf3127a4a40
-
SHA1
cbf3694d39f15f0034d258fc91a2e77dc4286aeb
-
SHA256
4a9c5abf3fdca23d0851e9b357306cececf832ad64459c0cc4f25a4797314cca
-
SHA512
f0543f67d5e59f1b1c78019658fbd04c27e1fa0ccf836006cd58dd920254069c8b01cb9482ad5214c70866b6ba66965286f429e884f33ee1f5a13d48f476a620
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3028-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1560-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3824-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-1068-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-1244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1544-1329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3640 llrxxxr.exe 3256 hnnhbt.exe 1396 bhnhtt.exe 396 ffllrxl.exe 1168 djpvv.exe 1952 rlrlllr.exe 1460 bntnnt.exe 216 bhnhbt.exe 2372 3xrlxrl.exe 3140 5btnhb.exe 220 ddvdv.exe 4120 bhhbtn.exe 4608 frlfxrl.exe 400 nththt.exe 4344 dpvpj.exe 2508 htnhnh.exe 3816 htnbnh.exe 2284 jvvjv.exe 4388 xrlfxrl.exe 1864 lxfrlfx.exe 448 vppjj.exe 3820 rrrlxrr.exe 4952 9bbnhh.exe 1560 jjjpj.exe 2008 xllfxrl.exe 4632 5tnhhh.exe 2116 tnnhbn.exe 3200 9vdpj.exe 2344 9jvpd.exe 2920 ffxrlfx.exe 4524 3djvp.exe 1020 xrxxrrl.exe 3868 ttbnbt.exe 1820 1nnhhb.exe 2080 7pvjd.exe 4736 pvdpd.exe 1480 lfxfrfl.exe 3076 hhthht.exe 3984 vpppd.exe 4824 vpvjj.exe 4924 xllfrrf.exe 2556 bnnbhb.exe 4008 1nnbnn.exe 5056 jppdv.exe 648 flxrrlr.exe 4264 tbbtnn.exe 2076 ntnhtn.exe 1652 vpjdp.exe 2444 xxfxffr.exe 5000 lxxrlfx.exe 2428 hbhbbh.exe 2656 ttbbtn.exe 2316 jvdvv.exe 740 ffflffx.exe 2864 xrrfrlr.exe 4644 5bnhbh.exe 4692 djjdv.exe 2944 ppvpd.exe 3928 5ffrlfx.exe 2068 hnttnn.exe 1240 xxfxxxr.exe 3824 vppjd.exe 1900 fffxxrr.exe 1796 lllxxrf.exe -
resource yara_rule behavioral2/memory/3028-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-133-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2008-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-308-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/732-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-726-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3028 wrote to memory of 3640 3028 4a9c5abf3fdca23d0851e9b357306cececf832ad64459c0cc4f25a4797314ccaN.exe 84 PID 3028 wrote to memory of 3640 3028 4a9c5abf3fdca23d0851e9b357306cececf832ad64459c0cc4f25a4797314ccaN.exe 84 PID 3028 wrote to memory of 3640 3028 4a9c5abf3fdca23d0851e9b357306cececf832ad64459c0cc4f25a4797314ccaN.exe 84 PID 3640 wrote to memory of 3256 3640 llrxxxr.exe 85 PID 3640 wrote to memory of 3256 3640 llrxxxr.exe 85 PID 3640 wrote to memory of 3256 3640 llrxxxr.exe 85 PID 3256 wrote to memory of 1396 3256 hnnhbt.exe 86 PID 3256 wrote to memory of 1396 3256 hnnhbt.exe 86 PID 3256 wrote to memory of 1396 3256 hnnhbt.exe 86 PID 1396 wrote to memory of 396 1396 bhnhtt.exe 87 PID 1396 wrote to memory of 396 1396 bhnhtt.exe 87 PID 1396 wrote to memory of 396 1396 bhnhtt.exe 87 PID 396 wrote to memory of 1168 396 ffllrxl.exe 88 PID 396 wrote to memory of 1168 396 ffllrxl.exe 88 PID 396 wrote to memory of 1168 396 ffllrxl.exe 88 PID 1168 wrote to memory of 1952 1168 djpvv.exe 89 PID 1168 wrote to memory of 1952 1168 djpvv.exe 89 PID 1168 wrote to memory of 1952 1168 djpvv.exe 89 PID 1952 wrote to memory of 1460 1952 rlrlllr.exe 90 PID 1952 wrote to memory of 1460 1952 rlrlllr.exe 90 PID 1952 wrote to memory of 1460 1952 rlrlllr.exe 90 PID 1460 wrote to memory of 216 1460 bntnnt.exe 91 PID 1460 wrote to memory of 216 1460 bntnnt.exe 91 PID 1460 wrote to memory of 216 1460 bntnnt.exe 91 PID 216 wrote to memory of 2372 216 bhnhbt.exe 92 PID 216 wrote to memory of 2372 216 bhnhbt.exe 92 PID 216 wrote to memory of 2372 216 bhnhbt.exe 92 PID 2372 wrote to memory of 3140 2372 3xrlxrl.exe 93 PID 2372 wrote to memory of 3140 2372 3xrlxrl.exe 93 PID 2372 wrote to memory of 3140 2372 3xrlxrl.exe 93 PID 3140 wrote to memory of 220 3140 5btnhb.exe 94 PID 3140 wrote to memory of 220 3140 5btnhb.exe 94 PID 3140 wrote to memory of 220 3140 5btnhb.exe 94 PID 220 wrote to memory of 4120 220 ddvdv.exe 95 PID 220 wrote to memory of 4120 
220 ddvdv.exe 95 PID 220 wrote to memory of 4120 220 ddvdv.exe 95 PID 4120 wrote to memory of 4608 4120 bhhbtn.exe 96 PID 4120 wrote to memory of 4608 4120 bhhbtn.exe 96 PID 4120 wrote to memory of 4608 4120 bhhbtn.exe 96 PID 4608 wrote to memory of 400 4608 frlfxrl.exe 97 PID 4608 wrote to memory of 400 4608 frlfxrl.exe 97 PID 4608 wrote to memory of 400 4608 frlfxrl.exe 97 PID 400 wrote to memory of 4344 400 nththt.exe 98 PID 400 wrote to memory of 4344 400 nththt.exe 98 PID 400 wrote to memory of 4344 400 nththt.exe 98 PID 4344 wrote to memory of 2508 4344 dpvpj.exe 99 PID 4344 wrote to memory of 2508 4344 dpvpj.exe 99 PID 4344 wrote to memory of 2508 4344 dpvpj.exe 99 PID 2508 wrote to memory of 3816 2508 htnhnh.exe 100 PID 2508 wrote to memory of 3816 2508 htnhnh.exe 100 PID 2508 wrote to memory of 3816 2508 htnhnh.exe 100 PID 3816 wrote to memory of 2284 3816 htnbnh.exe 101 PID 3816 wrote to memory of 2284 3816 htnbnh.exe 101 PID 3816 wrote to memory of 2284 3816 htnbnh.exe 101 PID 2284 wrote to memory of 4388 2284 jvvjv.exe 102 PID 2284 wrote to memory of 4388 2284 jvvjv.exe 102 PID 2284 wrote to memory of 4388 2284 jvvjv.exe 102 PID 4388 wrote to memory of 1864 4388 xrlfxrl.exe 103 PID 4388 wrote to memory of 1864 4388 xrlfxrl.exe 103 PID 4388 wrote to memory of 1864 4388 xrlfxrl.exe 103 PID 1864 wrote to memory of 448 1864 lxfrlfx.exe 104 PID 1864 wrote to memory of 448 1864 lxfrlfx.exe 104 PID 1864 wrote to memory of 448 1864 lxfrlfx.exe 104 PID 448 wrote to memory of 3820 448 vppjj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a9c5abf3fdca23d0851e9b357306cececf832ad64459c0cc4f25a4797314ccaN.exe"C:\Users\Admin\AppData\Local\Temp\4a9c5abf3fdca23d0851e9b357306cececf832ad64459c0cc4f25a4797314ccaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\llrxxxr.exec:\llrxxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\hnnhbt.exec:\hnnhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\bhnhtt.exec:\bhnhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\ffllrxl.exec:\ffllrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\djpvv.exec:\djpvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\rlrlllr.exec:\rlrlllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\bntnnt.exec:\bntnnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\bhnhbt.exec:\bhnhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\3xrlxrl.exec:\3xrlxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\5btnhb.exec:\5btnhb.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\ddvdv.exec:\ddvdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\bhhbtn.exec:\bhhbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\frlfxrl.exec:\frlfxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\nththt.exec:\nththt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\dpvpj.exec:\dpvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\htnhnh.exec:\htnhnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\htnbnh.exec:\htnbnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\jvvjv.exec:\jvvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\vppjj.exec:\vppjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\rrrlxrr.exec:\rrrlxrr.exe23⤵
- Executes dropped EXE
PID:3820 -
\??\c:\9bbnhh.exec:\9bbnhh.exe24⤵
- Executes dropped EXE
PID:4952 -
\??\c:\jjjpj.exec:\jjjpj.exe25⤵
- Executes dropped EXE
PID:1560 -
\??\c:\xllfxrl.exec:\xllfxrl.exe26⤵
- Executes dropped EXE
PID:2008 -
\??\c:\5tnhhh.exec:\5tnhhh.exe27⤵
- Executes dropped EXE
PID:4632 -
\??\c:\tnnhbn.exec:\tnnhbn.exe28⤵
- Executes dropped EXE
PID:2116 -
\??\c:\9vdpj.exec:\9vdpj.exe29⤵
- Executes dropped EXE
PID:3200 -
\??\c:\9jvpd.exec:\9jvpd.exe30⤵
- Executes dropped EXE
PID:2344 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe31⤵
- Executes dropped EXE
PID:2920 -
\??\c:\3djvp.exec:\3djvp.exe32⤵
- Executes dropped EXE
PID:4524 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe33⤵
- Executes dropped EXE
PID:1020 -
\??\c:\ttbnbt.exec:\ttbnbt.exe34⤵
- Executes dropped EXE
PID:3868 -
\??\c:\1nnhhb.exec:\1nnhhb.exe35⤵
- Executes dropped EXE
PID:1820 -
\??\c:\7pvjd.exec:\7pvjd.exe36⤵
- Executes dropped EXE
PID:2080 -
\??\c:\pvdpd.exec:\pvdpd.exe37⤵
- Executes dropped EXE
PID:4736 -
\??\c:\lfxfrfl.exec:\lfxfrfl.exe38⤵
- Executes dropped EXE
PID:1480 -
\??\c:\hhthht.exec:\hhthht.exe39⤵
- Executes dropped EXE
PID:3076 -
\??\c:\vpppd.exec:\vpppd.exe40⤵
- Executes dropped EXE
PID:3984 -
\??\c:\vpvjj.exec:\vpvjj.exe41⤵
- Executes dropped EXE
PID:4824 -
\??\c:\xllfrrf.exec:\xllfrrf.exe42⤵
- Executes dropped EXE
PID:4924 -
\??\c:\bnnbhb.exec:\bnnbhb.exe43⤵
- Executes dropped EXE
PID:2556 -
\??\c:\1nnbnn.exec:\1nnbnn.exe44⤵
- Executes dropped EXE
PID:4008 -
\??\c:\jppdv.exec:\jppdv.exe45⤵
- Executes dropped EXE
PID:5056 -
\??\c:\flxrrlr.exec:\flxrrlr.exe46⤵
- Executes dropped EXE
PID:648 -
\??\c:\tbbtnn.exec:\tbbtnn.exe47⤵
- Executes dropped EXE
PID:4264 -
\??\c:\ntnhtn.exec:\ntnhtn.exe48⤵
- Executes dropped EXE
PID:2076 -
\??\c:\vpjdp.exec:\vpjdp.exe49⤵
- Executes dropped EXE
PID:1652 -
\??\c:\xxfxffr.exec:\xxfxffr.exe50⤵
- Executes dropped EXE
PID:2444 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5000 -
\??\c:\hbhbbh.exec:\hbhbbh.exe52⤵
- Executes dropped EXE
PID:2428 -
\??\c:\ttbbtn.exec:\ttbbtn.exe53⤵
- Executes dropped EXE
PID:2656 -
\??\c:\jvdvv.exec:\jvdvv.exe54⤵
- Executes dropped EXE
PID:2316 -
\??\c:\ffflffx.exec:\ffflffx.exe55⤵
- Executes dropped EXE
PID:740 -
\??\c:\xrrfrlr.exec:\xrrfrlr.exe56⤵
- Executes dropped EXE
PID:2864 -
\??\c:\5bnhbh.exec:\5bnhbh.exe57⤵
- Executes dropped EXE
PID:4644 -
\??\c:\djjdv.exec:\djjdv.exe58⤵
- Executes dropped EXE
PID:4692 -
\??\c:\ppvpd.exec:\ppvpd.exe59⤵
- Executes dropped EXE
PID:2944 -
\??\c:\5ffrlfx.exec:\5ffrlfx.exe60⤵
- Executes dropped EXE
PID:3928 -
\??\c:\hnttnn.exec:\hnttnn.exe61⤵
- Executes dropped EXE
PID:2068 -
\??\c:\xxfxxxr.exec:\xxfxxxr.exe62⤵
- Executes dropped EXE
PID:1240 -
\??\c:\vppjd.exec:\vppjd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3824 -
\??\c:\fffxxrr.exec:\fffxxrr.exe64⤵
- Executes dropped EXE
PID:1900 -
\??\c:\lllxxrf.exec:\lllxxrf.exe65⤵
- Executes dropped EXE
PID:1796 -
\??\c:\ttbbbb.exec:\ttbbbb.exe66⤵PID:3352
-
\??\c:\ppjjj.exec:\ppjjj.exe67⤵PID:2332
-
\??\c:\hbnhbb.exec:\hbnhbb.exe68⤵PID:4944
-
\??\c:\9lfxxxx.exec:\9lfxxxx.exe69⤵PID:1412
-
\??\c:\bhbbnh.exec:\bhbbnh.exe70⤵PID:3732
-
\??\c:\bbnhht.exec:\bbnhht.exe71⤵PID:3380
-
\??\c:\7jjpj.exec:\7jjpj.exe72⤵PID:2508
-
\??\c:\jjjdv.exec:\jjjdv.exe73⤵PID:3080
-
\??\c:\xrrxrrr.exec:\xrrxrrr.exe74⤵PID:3192
-
\??\c:\fxfrfrr.exec:\fxfrfrr.exe75⤵PID:732
-
\??\c:\bbbnht.exec:\bbbnht.exe76⤵PID:1136
-
\??\c:\thhbtn.exec:\thhbtn.exe77⤵PID:1388
-
\??\c:\dvpdv.exec:\dvpdv.exe78⤵PID:3780
-
\??\c:\5vvpd.exec:\5vvpd.exe79⤵PID:1440
-
\??\c:\5btnht.exec:\5btnht.exe80⤵PID:2532
-
\??\c:\1dpdp.exec:\1dpdp.exe81⤵PID:1556
-
\??\c:\flrfxxr.exec:\flrfxxr.exe82⤵PID:1560
-
\??\c:\bnnbnh.exec:\bnnbnh.exe83⤵PID:4836
-
\??\c:\vpdvp.exec:\vpdvp.exe84⤵PID:2736
-
\??\c:\vvvpp.exec:\vvvpp.exe85⤵PID:2448
-
\??\c:\xxlrxrx.exec:\xxlrxrx.exe86⤵PID:2592
-
\??\c:\bbhhhn.exec:\bbhhhn.exe87⤵PID:1568
-
\??\c:\dvvpd.exec:\dvvpd.exe88⤵PID:1752
-
\??\c:\5xlfrrl.exec:\5xlfrrl.exe89⤵PID:3680
-
\??\c:\5htnbb.exec:\5htnbb.exe90⤵PID:1196
-
\??\c:\9bnhtt.exec:\9bnhtt.exe91⤵PID:2108
-
\??\c:\3vjvp.exec:\3vjvp.exe92⤵PID:4524
-
\??\c:\xrxlfxr.exec:\xrxlfxr.exe93⤵PID:2012
-
\??\c:\nttnbb.exec:\nttnbb.exe94⤵PID:3868
-
\??\c:\jvvvp.exec:\jvvvp.exe95⤵PID:1852
-
\??\c:\ppdjj.exec:\ppdjj.exe96⤵PID:1432
-
\??\c:\rflfxxf.exec:\rflfxxf.exe97⤵PID:5052
-
\??\c:\bnbbtn.exec:\bnbbtn.exe98⤵PID:744
-
\??\c:\btnhhh.exec:\btnhhh.exe99⤵PID:1480
-
\??\c:\djdpv.exec:\djdpv.exe100⤵PID:2664
-
\??\c:\flxxflf.exec:\flxxflf.exe101⤵PID:3644
-
\??\c:\nhhhbb.exec:\nhhhbb.exe102⤵PID:4712
-
\??\c:\vpjjd.exec:\vpjjd.exe103⤵PID:3904
-
\??\c:\jjvpj.exec:\jjvpj.exe104⤵PID:1860
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe105⤵PID:3896
-
\??\c:\tbhbtn.exec:\tbhbtn.exe106⤵PID:3856
-
\??\c:\bbthbb.exec:\bbthbb.exe107⤵PID:4368
-
\??\c:\vpppj.exec:\vpppj.exe108⤵PID:3860
-
\??\c:\3bbhbh.exec:\3bbhbh.exe109⤵PID:4264
-
\??\c:\bbnnhh.exec:\bbnnhh.exe110⤵PID:3500
-
\??\c:\ppvdd.exec:\ppvdd.exe111⤵PID:1652
-
\??\c:\3xxxrxx.exec:\3xxxrxx.exe112⤵PID:876
-
\??\c:\tnhhbh.exec:\tnhhbh.exe113⤵PID:3208
-
\??\c:\dvjjd.exec:\dvjjd.exe114⤵PID:3468
-
\??\c:\vpddv.exec:\vpddv.exe115⤵PID:4528
-
\??\c:\rlrrlrl.exec:\rlrrlrl.exe116⤵PID:1168
-
\??\c:\thhhbb.exec:\thhhbb.exe117⤵PID:872
-
\??\c:\dddvj.exec:\dddvj.exe118⤵PID:996
-
\??\c:\5rrlfxr.exec:\5rrlfxr.exe119⤵PID:1264
-
\??\c:\bbhbtn.exec:\bbhbtn.exe120⤵PID:1500
-
\??\c:\7nhbnn.exec:\7nhbnn.exe121⤵PID:216
-
\??\c:\dvddj.exec:\dvddj.exe122⤵PID:2000