Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 19:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
540603761e43c90c1329fc9e689d2cfd2fd6fa012ee07c342ddd54db9ac61080.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
540603761e43c90c1329fc9e689d2cfd2fd6fa012ee07c342ddd54db9ac61080.exe
-
Size
454KB
-
MD5
7bda01d16c5ab3e3b5591247fc77f984
-
SHA1
1e917cd2df494541d9faa2a2c45890aed8aa6941
-
SHA256
540603761e43c90c1329fc9e689d2cfd2fd6fa012ee07c342ddd54db9ac61080
-
SHA512
e2b84ae9ca724a71017c2dbb9eb13eb3f7eff7f82ee66266475cea6db8dfbb6670b4db8aa9d6760ddec60553eaf63351f1dd9b535a3691d9c163eb94d7859da9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3304-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/500-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3804-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1284-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-1112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-1137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-1325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/564-1447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4712 lflfrrx.exe 5088 rxffxxr.exe 500 6882666.exe 1196 02082.exe 2120 nhnhbt.exe 4628 2222626.exe 3092 4622226.exe 2160 bnbbbt.exe 4192 60448.exe 3244 rxxxfrl.exe 3764 424488.exe 1380 tthhnh.exe 1416 pjvvd.exe 2660 462660.exe 3500 6222600.exe 4312 jdjdp.exe 4184 nbnhhh.exe 4148 thhbbt.exe 876 44420.exe 4696 7tbtnt.exe 3508 jvddj.exe 5104 tbnnnn.exe 380 tnbbtn.exe 1588 062468.exe 3804 nnhhbb.exe 1908 426048.exe 216 hbbbtt.exe 5016 04482.exe 4444 a6202.exe 1940 k84606.exe 2680 nhbbnn.exe 1232 7llrllx.exe 4464 nnnnht.exe 4984 66806.exe 2976 444208.exe 1228 7djvv.exe 1844 62860.exe 652 80608.exe 3632 pjvvd.exe 2736 668266.exe 1340 1vpjd.exe 1464 e08848.exe 2908 844208.exe 264 dvdvd.exe 4612 0442608.exe 648 fllxlfx.exe 2328 rlfrfrf.exe 4380 hbhnbh.exe 3572 060860.exe 3676 jpvjv.exe 4712 46848.exe 5088 jpjpj.exe 1732 bhnhbb.exe 4744 6464248.exe 1196 vjdvp.exe 2076 2848606.exe 4012 26842.exe 3092 88602.exe 2848 hnhtbt.exe 1152 484404.exe 3256 2200804.exe 2372 lxrfxrf.exe 1612 lxflrll.exe 4388 vjdpd.exe -
resource yara_rule behavioral2/memory/3304-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/500-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/216-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-390-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4660-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-802-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4880404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e82604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6464248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e44204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2006060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8064260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 466048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3304 wrote to memory of 4712 3304 540603761e43c90c1329fc9e689d2cfd2fd6fa012ee07c342ddd54db9ac61080.exe 83 PID 3304 wrote to memory of 4712 3304 540603761e43c90c1329fc9e689d2cfd2fd6fa012ee07c342ddd54db9ac61080.exe 83 PID 3304 wrote to memory of 4712 3304 540603761e43c90c1329fc9e689d2cfd2fd6fa012ee07c342ddd54db9ac61080.exe 83 PID 4712 wrote to memory of 5088 4712 lflfrrx.exe 84 PID 4712 wrote to memory of 5088 4712 lflfrrx.exe 84 PID 4712 wrote to memory of 5088 4712 lflfrrx.exe 84 PID 5088 wrote to memory of 500 5088 rxffxxr.exe 85 PID 5088 wrote to memory of 500 5088 rxffxxr.exe 85 PID 5088 wrote to memory of 500 5088 rxffxxr.exe 85 PID 500 wrote to memory of 1196 500 6882666.exe 86 PID 500 wrote to memory of 1196 500 6882666.exe 86 PID 500 wrote to memory of 1196 500 6882666.exe 86 PID 1196 wrote to memory of 2120 1196 02082.exe 87 PID 1196 wrote to memory of 2120 1196 02082.exe 87 PID 1196 wrote to memory of 2120 1196 02082.exe 87 PID 2120 wrote to memory of 4628 2120 nhnhbt.exe 88 PID 2120 wrote to memory of 4628 2120 nhnhbt.exe 88 PID 2120 wrote to memory of 4628 2120 nhnhbt.exe 88 PID 4628 wrote to memory of 3092 4628 2222626.exe 89 PID 4628 wrote to memory of 3092 4628 2222626.exe 89 PID 4628 wrote to memory of 3092 4628 2222626.exe 89 PID 3092 wrote to memory of 2160 3092 4622226.exe 90 PID 3092 wrote to memory of 2160 3092 4622226.exe 90 PID 3092 wrote to memory of 2160 3092 4622226.exe 90 PID 2160 wrote to memory of 4192 2160 bnbbbt.exe 91 PID 2160 wrote to memory of 4192 2160 bnbbbt.exe 91 PID 2160 wrote to memory of 4192 2160 bnbbbt.exe 91 PID 4192 wrote to memory of 3244 4192 60448.exe 92 PID 4192 wrote to memory of 3244 4192 60448.exe 92 PID 4192 wrote to memory of 3244 4192 60448.exe 92 PID 3244 wrote to memory of 3764 3244 rxxxfrl.exe 93 PID 3244 wrote to memory of 3764 3244 rxxxfrl.exe 93 PID 3244 wrote to memory of 3764 3244 rxxxfrl.exe 93 PID 3764 wrote to memory of 1380 3764 424488.exe 94 PID 3764 wrote 
to memory of 1380 3764 424488.exe 94 PID 3764 wrote to memory of 1380 3764 424488.exe 94 PID 1380 wrote to memory of 1416 1380 tthhnh.exe 95 PID 1380 wrote to memory of 1416 1380 tthhnh.exe 95 PID 1380 wrote to memory of 1416 1380 tthhnh.exe 95 PID 1416 wrote to memory of 2660 1416 pjvvd.exe 96 PID 1416 wrote to memory of 2660 1416 pjvvd.exe 96 PID 1416 wrote to memory of 2660 1416 pjvvd.exe 96 PID 2660 wrote to memory of 3500 2660 462660.exe 97 PID 2660 wrote to memory of 3500 2660 462660.exe 97 PID 2660 wrote to memory of 3500 2660 462660.exe 97 PID 3500 wrote to memory of 4312 3500 6222600.exe 98 PID 3500 wrote to memory of 4312 3500 6222600.exe 98 PID 3500 wrote to memory of 4312 3500 6222600.exe 98 PID 4312 wrote to memory of 4184 4312 jdjdp.exe 99 PID 4312 wrote to memory of 4184 4312 jdjdp.exe 99 PID 4312 wrote to memory of 4184 4312 jdjdp.exe 99 PID 4184 wrote to memory of 4148 4184 nbnhhh.exe 100 PID 4184 wrote to memory of 4148 4184 nbnhhh.exe 100 PID 4184 wrote to memory of 4148 4184 nbnhhh.exe 100 PID 4148 wrote to memory of 876 4148 thhbbt.exe 101 PID 4148 wrote to memory of 876 4148 thhbbt.exe 101 PID 4148 wrote to memory of 876 4148 thhbbt.exe 101 PID 876 wrote to memory of 4696 876 44420.exe 102 PID 876 wrote to memory of 4696 876 44420.exe 102 PID 876 wrote to memory of 4696 876 44420.exe 102 PID 4696 wrote to memory of 3508 4696 7tbtnt.exe 103 PID 4696 wrote to memory of 3508 4696 7tbtnt.exe 103 PID 4696 wrote to memory of 3508 4696 7tbtnt.exe 103 PID 3508 wrote to memory of 5104 3508 jvddj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\540603761e43c90c1329fc9e689d2cfd2fd6fa012ee07c342ddd54db9ac61080.exe"C:\Users\Admin\AppData\Local\Temp\540603761e43c90c1329fc9e689d2cfd2fd6fa012ee07c342ddd54db9ac61080.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\lflfrrx.exec:\lflfrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\rxffxxr.exec:\rxffxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\6882666.exec:\6882666.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:500 -
\??\c:\02082.exec:\02082.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\nhnhbt.exec:\nhnhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\2222626.exec:\2222626.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\4622226.exec:\4622226.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\bnbbbt.exec:\bnbbbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\60448.exec:\60448.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\rxxxfrl.exec:\rxxxfrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\424488.exec:\424488.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\tthhnh.exec:\tthhnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\pjvvd.exec:\pjvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\462660.exec:\462660.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\6222600.exec:\6222600.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\jdjdp.exec:\jdjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\nbnhhh.exec:\nbnhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\thhbbt.exec:\thhbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\44420.exec:\44420.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\7tbtnt.exec:\7tbtnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\jvddj.exec:\jvddj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\tbnnnn.exec:\tbnnnn.exe23⤵
- Executes dropped EXE
PID:5104 -
\??\c:\tnbbtn.exec:\tnbbtn.exe24⤵
- Executes dropped EXE
PID:380 -
\??\c:\062468.exec:\062468.exe25⤵
- Executes dropped EXE
PID:1588 -
\??\c:\nnhhbb.exec:\nnhhbb.exe26⤵
- Executes dropped EXE
PID:3804 -
\??\c:\426048.exec:\426048.exe27⤵
- Executes dropped EXE
PID:1908 -
\??\c:\hbbbtt.exec:\hbbbtt.exe28⤵
- Executes dropped EXE
PID:216 -
\??\c:\04482.exec:\04482.exe29⤵
- Executes dropped EXE
PID:5016 -
\??\c:\a6202.exec:\a6202.exe30⤵
- Executes dropped EXE
PID:4444 -
\??\c:\k84606.exec:\k84606.exe31⤵
- Executes dropped EXE
PID:1940 -
\??\c:\nhbbnn.exec:\nhbbnn.exe32⤵
- Executes dropped EXE
PID:2680 -
\??\c:\7llrllx.exec:\7llrllx.exe33⤵
- Executes dropped EXE
PID:1232 -
\??\c:\nnnnht.exec:\nnnnht.exe34⤵
- Executes dropped EXE
PID:4464 -
\??\c:\66806.exec:\66806.exe35⤵
- Executes dropped EXE
PID:4984 -
\??\c:\444208.exec:\444208.exe36⤵
- Executes dropped EXE
PID:2976 -
\??\c:\7djvv.exec:\7djvv.exe37⤵
- Executes dropped EXE
PID:1228 -
\??\c:\62860.exec:\62860.exe38⤵
- Executes dropped EXE
PID:1844 -
\??\c:\80608.exec:\80608.exe39⤵
- Executes dropped EXE
PID:652 -
\??\c:\pjvvd.exec:\pjvvd.exe40⤵
- Executes dropped EXE
PID:3632 -
\??\c:\668266.exec:\668266.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\1vpjd.exec:\1vpjd.exe42⤵
- Executes dropped EXE
PID:1340 -
\??\c:\e08848.exec:\e08848.exe43⤵
- Executes dropped EXE
PID:1464 -
\??\c:\844208.exec:\844208.exe44⤵
- Executes dropped EXE
PID:2908 -
\??\c:\dvdvd.exec:\dvdvd.exe45⤵
- Executes dropped EXE
PID:264 -
\??\c:\0442608.exec:\0442608.exe46⤵
- Executes dropped EXE
PID:4612 -
\??\c:\fllxlfx.exec:\fllxlfx.exe47⤵
- Executes dropped EXE
PID:648 -
\??\c:\rlfrfrf.exec:\rlfrfrf.exe48⤵
- Executes dropped EXE
PID:2328 -
\??\c:\hbhnbh.exec:\hbhnbh.exe49⤵
- Executes dropped EXE
PID:4380 -
\??\c:\060860.exec:\060860.exe50⤵
- Executes dropped EXE
PID:3572 -
\??\c:\jpvjv.exec:\jpvjv.exe51⤵
- Executes dropped EXE
PID:3676 -
\??\c:\46848.exec:\46848.exe52⤵
- Executes dropped EXE
PID:4712 -
\??\c:\jpjpj.exec:\jpjpj.exe53⤵
- Executes dropped EXE
PID:5088 -
\??\c:\bhnhbb.exec:\bhnhbb.exe54⤵
- Executes dropped EXE
PID:1732 -
\??\c:\6464248.exec:\6464248.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4744 -
\??\c:\vjdvp.exec:\vjdvp.exe56⤵
- Executes dropped EXE
PID:1196 -
\??\c:\2848606.exec:\2848606.exe57⤵
- Executes dropped EXE
PID:2076 -
\??\c:\26842.exec:\26842.exe58⤵
- Executes dropped EXE
PID:4012 -
\??\c:\88602.exec:\88602.exe59⤵
- Executes dropped EXE
PID:3092 -
\??\c:\hnhtbt.exec:\hnhtbt.exe60⤵
- Executes dropped EXE
PID:2848 -
\??\c:\484404.exec:\484404.exe61⤵
- Executes dropped EXE
PID:1152 -
\??\c:\2200804.exec:\2200804.exe62⤵
- Executes dropped EXE
PID:3256 -
\??\c:\lxrfxrf.exec:\lxrfxrf.exe63⤵
- Executes dropped EXE
PID:2372 -
\??\c:\lxflrll.exec:\lxflrll.exe64⤵
- Executes dropped EXE
PID:1612 -
\??\c:\vjdpd.exec:\vjdpd.exe65⤵
- Executes dropped EXE
PID:4388 -
\??\c:\48422.exec:\48422.exe66⤵PID:1704
-
\??\c:\djdpd.exec:\djdpd.exe67⤵PID:4884
-
\??\c:\nnhnhn.exec:\nnhnhn.exe68⤵PID:1380
-
\??\c:\4286644.exec:\4286644.exe69⤵PID:2088
-
\??\c:\pjddv.exec:\pjddv.exe70⤵PID:704
-
\??\c:\frxxxxr.exec:\frxxxxr.exe71⤵PID:1616
-
\??\c:\hnbtbb.exec:\hnbtbb.exe72⤵PID:4520
-
\??\c:\dvpjd.exec:\dvpjd.exe73⤵PID:1444
-
\??\c:\bnhthb.exec:\bnhthb.exe74⤵PID:2872
-
\??\c:\0842828.exec:\0842828.exe75⤵PID:4184
-
\??\c:\1xxrlfx.exec:\1xxrlfx.exe76⤵PID:1552
-
\??\c:\nhbtnn.exec:\nhbtnn.exe77⤵PID:1284
-
\??\c:\dppjd.exec:\dppjd.exe78⤵PID:4992
-
\??\c:\64088.exec:\64088.exe79⤵PID:4564
-
\??\c:\i848668.exec:\i848668.exe80⤵PID:4376
-
\??\c:\llrrllf.exec:\llrrllf.exe81⤵PID:4404
-
\??\c:\60048.exec:\60048.exe82⤵PID:380
-
\??\c:\6464600.exec:\6464600.exe83⤵PID:3640
-
\??\c:\hbhbtt.exec:\hbhbtt.exe84⤵PID:1688
-
\??\c:\0882042.exec:\0882042.exe85⤵PID:2856
-
\??\c:\9pjdv.exec:\9pjdv.exe86⤵PID:2692
-
\??\c:\82608.exec:\82608.exe87⤵PID:2332
-
\??\c:\5nbnbt.exec:\5nbnbt.exe88⤵PID:3384
-
\??\c:\824606.exec:\824606.exe89⤵PID:4872
-
\??\c:\dvpjv.exec:\dvpjv.exe90⤵PID:1804
-
\??\c:\8884804.exec:\8884804.exe91⤵PID:1028
-
\??\c:\jvvvp.exec:\jvvvp.exe92⤵PID:1436
-
\??\c:\64422.exec:\64422.exe93⤵PID:4812
-
\??\c:\vjvjd.exec:\vjvjd.exe94⤵PID:2712
-
\??\c:\7ffrlfx.exec:\7ffrlfx.exe95⤵PID:4660
-
\??\c:\0444800.exec:\0444800.exe96⤵PID:4788
-
\??\c:\w88882.exec:\w88882.exe97⤵PID:1544
-
\??\c:\4884826.exec:\4884826.exe98⤵PID:4984
-
\??\c:\9rllllf.exec:\9rllllf.exe99⤵PID:2976
-
\??\c:\8460482.exec:\8460482.exe100⤵PID:1228
-
\??\c:\9rlfxxr.exec:\9rlfxxr.exe101⤵PID:4836
-
\??\c:\vvvvp.exec:\vvvvp.exe102⤵PID:2268
-
\??\c:\62482.exec:\62482.exe103⤵PID:3632
-
\??\c:\o024260.exec:\o024260.exe104⤵PID:780
-
\??\c:\606066.exec:\606066.exe105⤵PID:4408
-
\??\c:\w28886.exec:\w28886.exe106⤵PID:3972
-
\??\c:\466442.exec:\466442.exe107⤵PID:4336
-
\??\c:\jdpdp.exec:\jdpdp.exe108⤵PID:3240
-
\??\c:\86604.exec:\86604.exe109⤵PID:264
-
\??\c:\6622600.exec:\6622600.exe110⤵PID:2772
-
\??\c:\fxrxxxf.exec:\fxrxxxf.exe111⤵PID:3008
-
\??\c:\vdjdp.exec:\vdjdp.exe112⤵PID:3988
-
\??\c:\6404484.exec:\6404484.exe113⤵PID:4672
-
\??\c:\0626660.exec:\0626660.exe114⤵PID:2016
-
\??\c:\htntnh.exec:\htntnh.exe115⤵PID:4748
-
\??\c:\pvvvp.exec:\pvvvp.exe116⤵PID:2884
-
\??\c:\djdvp.exec:\djdvp.exe117⤵PID:4852
-
\??\c:\9tbtnn.exec:\9tbtnn.exe118⤵PID:1732
-
\??\c:\068222.exec:\068222.exe119⤵PID:4744
-
\??\c:\nhhbnn.exec:\nhhbnn.exe120⤵PID:3904
-
\??\c:\pjdvp.exec:\pjdvp.exe121⤵PID:4980
-
\??\c:\46004.exec:\46004.exe122⤵PID:3952
-