Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 22:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
41cd1ec5c24a09a59c02c247230f72ba08076663d779d6ab6814d79ac3d3c616.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
41cd1ec5c24a09a59c02c247230f72ba08076663d779d6ab6814d79ac3d3c616.exe
-
Size
454KB
-
MD5
2293fabcca4b10c39d073bb5f83f895c
-
SHA1
d4752c6d7144ddff46dd6f2a5340d343b7693fa7
-
SHA256
41cd1ec5c24a09a59c02c247230f72ba08076663d779d6ab6814d79ac3d3c616
-
SHA512
553c9e29f7ffc65c4742f947f5127033f3d2f2006c3ee4622e89acb3bdc4b402342020940146b56e02fab0d1a7b6ad5924c2234f8a72c19f5276a5b4ff5948cf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures (note: every IoC below is tagged behavioral2, which appears to correspond to the win10v2004 run named in the header, not the behavioral1/win7-20240903-en task listed in the sidebar)
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs — every hit is on the same 0x0000000000400000-0x000000000042A000 image range in each spawned process, and the untitled second yara_rule table further below (tag `upx`) flags the same dumps; together this is consistent with each dropped EXE being a copy of one UPX-packed payload rather than distinct binaries, though that should be confirmed by comparing the dropped files' hashes.
resource yara_rule behavioral2/memory/1100-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2396-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5008-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-915-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-1030-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3084-1199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4032 1hhtnn.exe 3512 lxlllrr.exe 1612 nhhnhn.exe 3656 rfrlflf.exe 1264 tbbnbt.exe 2324 lllfrlf.exe 4828 5dvjv.exe 412 7pdvd.exe 3452 vjpjd.exe 3124 frxlxrx.exe 3408 hbhtnt.exe 3152 dpjdv.exe 556 tnnnbt.exe 2720 lrlxrlf.exe 1624 1nbthh.exe 3564 pdjvv.exe 2488 7rrflfr.exe 4612 vpjvd.exe 4092 nbbthh.exe 5012 pjdpd.exe 696 xlrxlfr.exe 3032 tbbtnh.exe 4972 3jpjv.exe 868 lrxrlll.exe 3192 tbbtnh.exe 2396 fxrrfxl.exe 4260 nnnhbb.exe 3448 ntnbth.exe 4988 lflxxrf.exe 1336 djvpd.exe 4580 dvdvp.exe 4296 9flrfrf.exe 380 hnnnnn.exe 4912 pjpjd.exe 1784 5rrfxll.exe 4616 1lrllff.exe 3968 9tnnbt.exe 1228 9jjvj.exe 3932 fflxfxr.exe 1480 btbnhb.exe 4440 ppjvj.exe 1488 jvdvp.exe 3632 bnthtn.exe 3172 hbhttn.exe 440 pddpd.exe 1612 rxfxrrf.exe 3656 ntbnbt.exe 1932 vpvjd.exe 2200 1ddpp.exe 2324 9xfrxfr.exe 468 thnbbt.exe 3772 5jjvp.exe 4228 vjjvj.exe 3756 lxlrxxx.exe 3452 hnhbhb.exe 528 dpvvv.exe 1744 7frffff.exe 3284 lflffrl.exe 3304 nnnhbh.exe 4548 vvvjp.exe 1040 xxrllfl.exe 2952 xlfrfxl.exe 2004 nbbnnh.exe 856 5pvpv.exe -
resource yara_rule behavioral2/memory/1100-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3448-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-417-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5076-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-814-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also a common side effect of benign locale/runtime initialisation, so this signature is a weak indicator on its own; "Process not Found" entries below mean the sandbox could not resolve the acting PID to a process name (plausibly because the short-lived process had already exited), so those rows cannot be attributed to a specific dropped EXE.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 41cd1ec5c24a09a59c02c247230f72ba08076663d779d6ab6814d79ac3d3c616.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — in the visible data each parent writes exactly three times to the memory of the child it has just spawned (1100→4032→3512→1612→…), and never to an unrelated process; this is consistent with writes during child process creation/setup rather than injection into third-party processes, but the sandbox does not show the written addresses or sizes, so that cannot be confirmed from this report alone.
description pid Process procid_target PID 1100 wrote to memory of 4032 1100 41cd1ec5c24a09a59c02c247230f72ba08076663d779d6ab6814d79ac3d3c616.exe 84 PID 1100 wrote to memory of 4032 1100 41cd1ec5c24a09a59c02c247230f72ba08076663d779d6ab6814d79ac3d3c616.exe 84 PID 1100 wrote to memory of 4032 1100 41cd1ec5c24a09a59c02c247230f72ba08076663d779d6ab6814d79ac3d3c616.exe 84 PID 4032 wrote to memory of 3512 4032 1hhtnn.exe 85 PID 4032 wrote to memory of 3512 4032 1hhtnn.exe 85 PID 4032 wrote to memory of 3512 4032 1hhtnn.exe 85 PID 3512 wrote to memory of 1612 3512 lxlllrr.exe 86 PID 3512 wrote to memory of 1612 3512 lxlllrr.exe 86 PID 3512 wrote to memory of 1612 3512 lxlllrr.exe 86 PID 1612 wrote to memory of 3656 1612 nhhnhn.exe 87 PID 1612 wrote to memory of 3656 1612 nhhnhn.exe 87 PID 1612 wrote to memory of 3656 1612 nhhnhn.exe 87 PID 3656 wrote to memory of 1264 3656 rfrlflf.exe 88 PID 3656 wrote to memory of 1264 3656 rfrlflf.exe 88 PID 3656 wrote to memory of 1264 3656 rfrlflf.exe 88 PID 1264 wrote to memory of 2324 1264 tbbnbt.exe 89 PID 1264 wrote to memory of 2324 1264 tbbnbt.exe 89 PID 1264 wrote to memory of 2324 1264 tbbnbt.exe 89 PID 2324 wrote to memory of 4828 2324 lllfrlf.exe 90 PID 2324 wrote to memory of 4828 2324 lllfrlf.exe 90 PID 2324 wrote to memory of 4828 2324 lllfrlf.exe 90 PID 4828 wrote to memory of 412 4828 5dvjv.exe 91 PID 4828 wrote to memory of 412 4828 5dvjv.exe 91 PID 4828 wrote to memory of 412 4828 5dvjv.exe 91 PID 412 wrote to memory of 3452 412 7pdvd.exe 92 PID 412 wrote to memory of 3452 412 7pdvd.exe 92 PID 412 wrote to memory of 3452 412 7pdvd.exe 92 PID 3452 wrote to memory of 3124 3452 vjpjd.exe 93 PID 3452 wrote to memory of 3124 3452 vjpjd.exe 93 PID 3452 wrote to memory of 3124 3452 vjpjd.exe 93 PID 3124 wrote to memory of 3408 3124 frxlxrx.exe 94 PID 3124 wrote to memory of 3408 3124 frxlxrx.exe 94 PID 3124 wrote to memory of 3408 3124 frxlxrx.exe 94 PID 3408 wrote to memory of 3152 3408 hbhtnt.exe 95 PID 3408 wrote to memory 
of 3152 3408 hbhtnt.exe 95 PID 3408 wrote to memory of 3152 3408 hbhtnt.exe 95 PID 3152 wrote to memory of 556 3152 dpjdv.exe 96 PID 3152 wrote to memory of 556 3152 dpjdv.exe 96 PID 3152 wrote to memory of 556 3152 dpjdv.exe 96 PID 556 wrote to memory of 2720 556 tnnnbt.exe 97 PID 556 wrote to memory of 2720 556 tnnnbt.exe 97 PID 556 wrote to memory of 2720 556 tnnnbt.exe 97 PID 2720 wrote to memory of 1624 2720 lrlxrlf.exe 98 PID 2720 wrote to memory of 1624 2720 lrlxrlf.exe 98 PID 2720 wrote to memory of 1624 2720 lrlxrlf.exe 98 PID 1624 wrote to memory of 3564 1624 1nbthh.exe 99 PID 1624 wrote to memory of 3564 1624 1nbthh.exe 99 PID 1624 wrote to memory of 3564 1624 1nbthh.exe 99 PID 3564 wrote to memory of 2488 3564 pdjvv.exe 100 PID 3564 wrote to memory of 2488 3564 pdjvv.exe 100 PID 3564 wrote to memory of 2488 3564 pdjvv.exe 100 PID 2488 wrote to memory of 4612 2488 7rrflfr.exe 101 PID 2488 wrote to memory of 4612 2488 7rrflfr.exe 101 PID 2488 wrote to memory of 4612 2488 7rrflfr.exe 101 PID 4612 wrote to memory of 4092 4612 vpjvd.exe 102 PID 4612 wrote to memory of 4092 4612 vpjvd.exe 102 PID 4612 wrote to memory of 4092 4612 vpjvd.exe 102 PID 4092 wrote to memory of 5012 4092 nbbthh.exe 103 PID 4092 wrote to memory of 5012 4092 nbbthh.exe 103 PID 4092 wrote to memory of 5012 4092 nbbthh.exe 103 PID 5012 wrote to memory of 696 5012 pjdpd.exe 104 PID 5012 wrote to memory of 696 5012 pjdpd.exe 104 PID 5012 wrote to memory of 696 5012 pjdpd.exe 104 PID 696 wrote to memory of 3032 696 xlrxlfr.exe 105
Processes (a strictly linear chain in which each dropped EXE launches the next, reaching a depth of 122 in the captured tree; the dropped files are written to the root of c:\ with 5-7 character lowercase names drawn from a small consonant set — b, d, f, h, j, l, n, p, r, t, v, x — sometimes with a leading digit, e.g. 1hhtnn.exe, lxlllrr.exe, 5dvjv.exe; this naming/location pattern is a useful hunting pivot alongside the hashes above)
-
C:\Users\Admin\AppData\Local\Temp\41cd1ec5c24a09a59c02c247230f72ba08076663d779d6ab6814d79ac3d3c616.exe"C:\Users\Admin\AppData\Local\Temp\41cd1ec5c24a09a59c02c247230f72ba08076663d779d6ab6814d79ac3d3c616.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\1hhtnn.exec:\1hhtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\lxlllrr.exec:\lxlllrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\nhhnhn.exec:\nhhnhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\rfrlflf.exec:\rfrlflf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\tbbnbt.exec:\tbbnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\lllfrlf.exec:\lllfrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\5dvjv.exec:\5dvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\7pdvd.exec:\7pdvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\vjpjd.exec:\vjpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\frxlxrx.exec:\frxlxrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\hbhtnt.exec:\hbhtnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\dpjdv.exec:\dpjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\tnnnbt.exec:\tnnnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\lrlxrlf.exec:\lrlxrlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\1nbthh.exec:\1nbthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\pdjvv.exec:\pdjvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\7rrflfr.exec:\7rrflfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\vpjvd.exec:\vpjvd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\nbbthh.exec:\nbbthh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\pjdpd.exec:\pjdpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\xlrxlfr.exec:\xlrxlfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\tbbtnh.exec:\tbbtnh.exe23⤵
- Executes dropped EXE
PID:3032 -
\??\c:\3jpjv.exec:\3jpjv.exe24⤵
- Executes dropped EXE
PID:4972 -
\??\c:\lrxrlll.exec:\lrxrlll.exe25⤵
- Executes dropped EXE
PID:868 -
\??\c:\tbbtnh.exec:\tbbtnh.exe26⤵
- Executes dropped EXE
PID:3192 -
\??\c:\fxrrfxl.exec:\fxrrfxl.exe27⤵
- Executes dropped EXE
PID:2396 -
\??\c:\nnnhbb.exec:\nnnhbb.exe28⤵
- Executes dropped EXE
PID:4260 -
\??\c:\ntnbth.exec:\ntnbth.exe29⤵
- Executes dropped EXE
PID:3448 -
\??\c:\lflxxrf.exec:\lflxxrf.exe30⤵
- Executes dropped EXE
PID:4988 -
\??\c:\djvpd.exec:\djvpd.exe31⤵
- Executes dropped EXE
PID:1336 -
\??\c:\dvdvp.exec:\dvdvp.exe32⤵
- Executes dropped EXE
PID:4580 -
\??\c:\9flrfrf.exec:\9flrfrf.exe33⤵
- Executes dropped EXE
PID:4296 -
\??\c:\hnnnnn.exec:\hnnnnn.exe34⤵
- Executes dropped EXE
PID:380 -
\??\c:\pjpjd.exec:\pjpjd.exe35⤵
- Executes dropped EXE
PID:4912 -
\??\c:\5rrfxll.exec:\5rrfxll.exe36⤵
- Executes dropped EXE
PID:1784 -
\??\c:\1lrllff.exec:\1lrllff.exe37⤵
- Executes dropped EXE
PID:4616 -
\??\c:\9tnnbt.exec:\9tnnbt.exe38⤵
- Executes dropped EXE
PID:3968 -
\??\c:\9jjvj.exec:\9jjvj.exe39⤵
- Executes dropped EXE
PID:1228 -
\??\c:\fflxfxr.exec:\fflxfxr.exe40⤵
- Executes dropped EXE
PID:3932 -
\??\c:\btbnhb.exec:\btbnhb.exe41⤵
- Executes dropped EXE
PID:1480 -
\??\c:\ppjvj.exec:\ppjvj.exe42⤵
- Executes dropped EXE
PID:4440 -
\??\c:\jvdvp.exec:\jvdvp.exe43⤵
- Executes dropped EXE
PID:1488 -
\??\c:\bnthtn.exec:\bnthtn.exe44⤵
- Executes dropped EXE
PID:3632 -
\??\c:\hbhttn.exec:\hbhttn.exe45⤵
- Executes dropped EXE
PID:3172 -
\??\c:\pddpd.exec:\pddpd.exe46⤵
- Executes dropped EXE
PID:440 -
\??\c:\rxfxrrf.exec:\rxfxrrf.exe47⤵
- Executes dropped EXE
PID:1612 -
\??\c:\ntbnbt.exec:\ntbnbt.exe48⤵
- Executes dropped EXE
PID:3656 -
\??\c:\vpvjd.exec:\vpvjd.exe49⤵
- Executes dropped EXE
PID:1932 -
\??\c:\1ddpp.exec:\1ddpp.exe50⤵
- Executes dropped EXE
PID:2200 -
\??\c:\9xfrxfr.exec:\9xfrxfr.exe51⤵
- Executes dropped EXE
PID:2324 -
\??\c:\thnbbt.exec:\thnbbt.exe52⤵
- Executes dropped EXE
PID:468 -
\??\c:\5jjvp.exec:\5jjvp.exe53⤵
- Executes dropped EXE
PID:3772 -
\??\c:\vjjvj.exec:\vjjvj.exe54⤵
- Executes dropped EXE
PID:4228 -
\??\c:\lxlrxxx.exec:\lxlrxxx.exe55⤵
- Executes dropped EXE
PID:3756 -
\??\c:\hnhbhb.exec:\hnhbhb.exe56⤵
- Executes dropped EXE
PID:3452 -
\??\c:\dpvvv.exec:\dpvvv.exe57⤵
- Executes dropped EXE
PID:528 -
\??\c:\7frffff.exec:\7frffff.exe58⤵
- Executes dropped EXE
PID:1744 -
\??\c:\lflffrl.exec:\lflffrl.exe59⤵
- Executes dropped EXE
PID:3284 -
\??\c:\nnnhbh.exec:\nnnhbh.exe60⤵
- Executes dropped EXE
PID:3304 -
\??\c:\vvvjp.exec:\vvvjp.exe61⤵
- Executes dropped EXE
PID:4548 -
\??\c:\xxrllfl.exec:\xxrllfl.exe62⤵
- Executes dropped EXE
PID:1040 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe63⤵
- Executes dropped EXE
PID:2952 -
\??\c:\nbbnnh.exec:\nbbnnh.exe64⤵
- Executes dropped EXE
PID:2004 -
\??\c:\5pvpv.exec:\5pvpv.exe65⤵
- Executes dropped EXE
PID:856 -
\??\c:\ddjdp.exec:\ddjdp.exe66⤵PID:4708
-
\??\c:\lxxxlff.exec:\lxxxlff.exe67⤵PID:5004
-
\??\c:\1tbhbh.exec:\1tbhbh.exe68⤵PID:4420
-
\??\c:\jdddv.exec:\jdddv.exe69⤵PID:3108
-
\??\c:\5fxfrrl.exec:\5fxfrrl.exe70⤵PID:1740
-
\??\c:\1tthnn.exec:\1tthnn.exe71⤵
- System Location Discovery: System Language Discovery
PID:2716 -
\??\c:\nttnbt.exec:\nttnbt.exe72⤵PID:4092
-
\??\c:\jddpd.exec:\jddpd.exe73⤵PID:1828
-
\??\c:\rlfrfxl.exec:\rlfrfxl.exe74⤵PID:2296
-
\??\c:\nnntbt.exec:\nnntbt.exe75⤵PID:4160
-
\??\c:\nttnhn.exec:\nttnhn.exe76⤵PID:2548
-
\??\c:\pdpjp.exec:\pdpjp.exe77⤵PID:3032
-
\??\c:\1rfrxrl.exec:\1rfrxrl.exe78⤵PID:4764
-
\??\c:\htnhtn.exec:\htnhtn.exe79⤵PID:1204
-
\??\c:\pddpj.exec:\pddpj.exe80⤵PID:1244
-
\??\c:\xrfrxrf.exec:\xrfrxrf.exe81⤵PID:4108
-
\??\c:\3rffrff.exec:\3rffrff.exe82⤵PID:5008
-
\??\c:\bbbbbt.exec:\bbbbbt.exe83⤵PID:3192
-
\??\c:\vpjvj.exec:\vpjvj.exe84⤵PID:5000
-
\??\c:\lllffxx.exec:\lllffxx.exe85⤵PID:2816
-
\??\c:\ntthtn.exec:\ntthtn.exe86⤵PID:5088
-
\??\c:\jvddv.exec:\jvddv.exe87⤵PID:1412
-
\??\c:\rrlxxlx.exec:\rrlxxlx.exe88⤵PID:1944
-
\??\c:\lfxrrlf.exec:\lfxrrlf.exe89⤵PID:3348
-
\??\c:\bhntnh.exec:\bhntnh.exe90⤵PID:4516
-
\??\c:\pjvpp.exec:\pjvpp.exe91⤵PID:3084
-
\??\c:\fxfrxrl.exec:\fxfrxrl.exe92⤵PID:2688
-
\??\c:\7llxlfl.exec:\7llxlfl.exe93⤵PID:4844
-
\??\c:\tnnnhh.exec:\tnnnhh.exe94⤵PID:632
-
\??\c:\pjpdp.exec:\pjpdp.exe95⤵PID:3336
-
\??\c:\llrlllf.exec:\llrlllf.exe96⤵PID:1516
-
\??\c:\xrlfrlx.exec:\xrlfrlx.exe97⤵PID:4724
-
\??\c:\nbtntb.exec:\nbtntb.exe98⤵PID:656
-
\??\c:\1vvjv.exec:\1vvjv.exe99⤵PID:4024
-
\??\c:\frxlfff.exec:\frxlfff.exe100⤵PID:1228
-
\??\c:\nhnnhh.exec:\nhnnhh.exe101⤵PID:3668
-
\??\c:\htbthb.exec:\htbthb.exe102⤵PID:4596
-
\??\c:\7vvvd.exec:\7vvvd.exe103⤵PID:5076
-
\??\c:\9rlxfxl.exec:\9rlxfxl.exe104⤵PID:1488
-
\??\c:\bntnhb.exec:\bntnhb.exe105⤵PID:4312
-
\??\c:\jjpjd.exec:\jjpjd.exe106⤵PID:3212
-
\??\c:\9llxrlr.exec:\9llxrlr.exe107⤵PID:3528
-
\??\c:\bbtnth.exec:\bbtnth.exe108⤵PID:3636
-
\??\c:\hhhbnn.exec:\hhhbnn.exe109⤵PID:2936
-
\??\c:\9jjdp.exec:\9jjdp.exe110⤵
- System Location Discovery: System Language Discovery
PID:3656 -
\??\c:\flfrlfx.exec:\flfrlfx.exe111⤵PID:1264
-
\??\c:\1hhbth.exec:\1hhbth.exe112⤵PID:2200
-
\??\c:\5htnbb.exec:\5htnbb.exe113⤵PID:4020
-
\??\c:\pjjdd.exec:\pjjdd.exe114⤵PID:4688
-
\??\c:\ppdvd.exec:\ppdvd.exe115⤵PID:4856
-
\??\c:\xlxlxxr.exec:\xlxlxxr.exe116⤵PID:3960
-
\??\c:\hbnhhh.exec:\hbnhhh.exe117⤵PID:3684
-
\??\c:\1dvvp.exec:\1dvvp.exe118⤵PID:4528
-
\??\c:\fffxrlf.exec:\fffxrlf.exe119⤵PID:1548
-
\??\c:\nbhbbt.exec:\nbhbbt.exe120⤵PID:528
-
\??\c:\9vvpd.exec:\9vvpd.exe121⤵PID:4512
-
\??\c:\lrllllf.exec:\lrllllf.exe122⤵PID:1468