Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 23:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
54519c46bf5fedb48aa1859294b70ae1eb1961c31d1e41e63991dacad8af900a.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
54519c46bf5fedb48aa1859294b70ae1eb1961c31d1e41e63991dacad8af900a.exe
-
Size
457KB
-
MD5
6b6f6ab45056ceec50b44555bea7c3a1
-
SHA1
e0b9803fcc80aa2e6d2b339e13905935cc32b5a3
-
SHA256
54519c46bf5fedb48aa1859294b70ae1eb1961c31d1e41e63991dacad8af900a
-
SHA512
4e18850c7f6bffb8d0d500b3e75dd4df8266ae1d0ec9c8f6868a190ff300025892214827a768926f7196661ca2086a3bc26afae613a7506aa61886749b82a99c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRNa:q7Tc2NYHUrAwfMp3CDRA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2400-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2288-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1068-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-1039-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2680-1073-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2400 9fffxfx.exe 4828 rflxrlx.exe 4664 3tthtb.exe 1752 jvvpd.exe 4324 ppvjv.exe 2820 7rrlxfx.exe 5016 bbtnnh.exe 3716 dvpjd.exe 4340 jdvjp.exe 1316 thnhhb.exe 3724 vjdpj.exe 2388 ddvjv.exe 1372 thhbhh.exe 2352 nhthbb.exe 464 rxfrfxr.exe 2732 hnthbh.exe 4204 jjjdj.exe 1356 tnhhbb.exe 4712 fxlffxx.exe 4232 9hhtbt.exe 5096 jpjpd.exe 1612 3lfrlfx.exe 2288 9hthbt.exe 1392 vvpjp.exe 2228 fllfrfx.exe 1248 thnntb.exe 932 btthbn.exe 2040 pvdvp.exe 1108 flrfxrl.exe 4676 nthbnh.exe 3096 xrxllfx.exe 2776 ddjdd.exe 2136 frrfxrl.exe 1212 9nthtt.exe 1424 7pvjv.exe 3320 7llxflf.exe 5112 ttthtn.exe 3624 djpjv.exe 2712 fllxlfl.exe 2404 btbntn.exe 2872 7nhbnh.exe 2168 dvpjv.exe 3800 7xrfxrl.exe 1216 rxxrrrf.exe 4488 tbhbhh.exe 4008 dpjvj.exe 1596 9rllfxl.exe 4156 hhhbnn.exe 3564 jdvjd.exe 4248 vvvjv.exe 1916 hhbtnh.exe 4720 nbhtnh.exe 864 dvdvp.exe 4244 7fxlxrf.exe 1972 3lrfllr.exe 2972 hbhthb.exe 5016 1djdj.exe 2396 3ffrlfx.exe 912 9tnnbb.exe 4060 1pjvj.exe 1068 lxffrlf.exe 2896 btbttn.exe 2388 7jpdj.exe 2424 dvpjv.exe -
resource yara_rule behavioral2/memory/2400-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-133-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2288-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-315-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2232-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-689-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3208 wrote to memory of 2400 3208 54519c46bf5fedb48aa1859294b70ae1eb1961c31d1e41e63991dacad8af900a.exe 82 PID 3208 wrote to memory of 2400 3208 54519c46bf5fedb48aa1859294b70ae1eb1961c31d1e41e63991dacad8af900a.exe 82 PID 3208 wrote to memory of 2400 3208 54519c46bf5fedb48aa1859294b70ae1eb1961c31d1e41e63991dacad8af900a.exe 82 PID 2400 wrote to memory of 4828 2400 9fffxfx.exe 83 PID 2400 wrote to memory of 4828 2400 9fffxfx.exe 83 PID 2400 wrote to memory of 4828 2400 9fffxfx.exe 83 PID 4828 wrote to memory of 4664 4828 rflxrlx.exe 84 PID 4828 wrote to memory of 4664 4828 rflxrlx.exe 84 PID 4828 wrote to memory of 4664 4828 rflxrlx.exe 84 PID 4664 wrote to memory of 1752 4664 3tthtb.exe 85 PID 4664 wrote to memory of 1752 4664 3tthtb.exe 85 PID 4664 wrote to memory of 1752 4664 3tthtb.exe 85 PID 1752 wrote to memory of 4324 1752 jvvpd.exe 86 PID 1752 wrote to memory of 4324 1752 jvvpd.exe 86 PID 1752 wrote to memory of 4324 1752 jvvpd.exe 86 PID 4324 wrote to memory of 2820 4324 ppvjv.exe 87 PID 4324 wrote to memory of 2820 4324 ppvjv.exe 87 PID 4324 wrote to memory of 2820 4324 ppvjv.exe 87 PID 2820 wrote to memory of 5016 2820 7rrlxfx.exe 88 PID 2820 wrote to memory of 5016 2820 7rrlxfx.exe 88 PID 2820 wrote to memory of 5016 2820 7rrlxfx.exe 88 PID 5016 wrote to memory of 3716 5016 bbtnnh.exe 89 PID 5016 wrote to memory of 3716 5016 bbtnnh.exe 89 PID 5016 wrote to memory of 3716 5016 bbtnnh.exe 89 PID 3716 wrote to memory of 4340 3716 dvpjd.exe 90 PID 3716 wrote to memory of 4340 3716 dvpjd.exe 90 PID 3716 wrote to memory of 4340 3716 dvpjd.exe 90 PID 4340 wrote to memory of 1316 4340 jdvjp.exe 91 PID 4340 wrote to memory of 1316 4340 jdvjp.exe 91 PID 4340 wrote to memory of 1316 4340 jdvjp.exe 91 PID 1316 wrote to memory of 3724 1316 thnhhb.exe 92 PID 1316 wrote to memory of 3724 1316 thnhhb.exe 92 PID 1316 wrote to memory of 3724 1316 thnhhb.exe 92 PID 3724 wrote to memory of 2388 3724 vjdpj.exe 93 PID 3724 wrote to 
memory of 2388 3724 vjdpj.exe 93 PID 3724 wrote to memory of 2388 3724 vjdpj.exe 93 PID 2388 wrote to memory of 1372 2388 ddvjv.exe 94 PID 2388 wrote to memory of 1372 2388 ddvjv.exe 94 PID 2388 wrote to memory of 1372 2388 ddvjv.exe 94 PID 1372 wrote to memory of 2352 1372 thhbhh.exe 95 PID 1372 wrote to memory of 2352 1372 thhbhh.exe 95 PID 1372 wrote to memory of 2352 1372 thhbhh.exe 95 PID 2352 wrote to memory of 464 2352 nhthbb.exe 96 PID 2352 wrote to memory of 464 2352 nhthbb.exe 96 PID 2352 wrote to memory of 464 2352 nhthbb.exe 96 PID 464 wrote to memory of 2732 464 rxfrfxr.exe 97 PID 464 wrote to memory of 2732 464 rxfrfxr.exe 97 PID 464 wrote to memory of 2732 464 rxfrfxr.exe 97 PID 2732 wrote to memory of 4204 2732 hnthbh.exe 98 PID 2732 wrote to memory of 4204 2732 hnthbh.exe 98 PID 2732 wrote to memory of 4204 2732 hnthbh.exe 98 PID 4204 wrote to memory of 1356 4204 jjjdj.exe 99 PID 4204 wrote to memory of 1356 4204 jjjdj.exe 99 PID 4204 wrote to memory of 1356 4204 jjjdj.exe 99 PID 1356 wrote to memory of 4712 1356 tnhhbb.exe 100 PID 1356 wrote to memory of 4712 1356 tnhhbb.exe 100 PID 1356 wrote to memory of 4712 1356 tnhhbb.exe 100 PID 4712 wrote to memory of 4232 4712 fxlffxx.exe 101 PID 4712 wrote to memory of 4232 4712 fxlffxx.exe 101 PID 4712 wrote to memory of 4232 4712 fxlffxx.exe 101 PID 4232 wrote to memory of 5096 4232 9hhtbt.exe 102 PID 4232 wrote to memory of 5096 4232 9hhtbt.exe 102 PID 4232 wrote to memory of 5096 4232 9hhtbt.exe 102 PID 5096 wrote to memory of 1612 5096 jpjpd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\54519c46bf5fedb48aa1859294b70ae1eb1961c31d1e41e63991dacad8af900a.exe"C:\Users\Admin\AppData\Local\Temp\54519c46bf5fedb48aa1859294b70ae1eb1961c31d1e41e63991dacad8af900a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\9fffxfx.exec:\9fffxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\rflxrlx.exec:\rflxrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\3tthtb.exec:\3tthtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\jvvpd.exec:\jvvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\ppvjv.exec:\ppvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\7rrlxfx.exec:\7rrlxfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\bbtnnh.exec:\bbtnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\dvpjd.exec:\dvpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\jdvjp.exec:\jdvjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\thnhhb.exec:\thnhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\vjdpj.exec:\vjdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\ddvjv.exec:\ddvjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\thhbhh.exec:\thhbhh.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\nhthbb.exec:\nhthbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\rxfrfxr.exec:\rxfrfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\hnthbh.exec:\hnthbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\jjjdj.exec:\jjjdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\tnhhbb.exec:\tnhhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\fxlffxx.exec:\fxlffxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\9hhtbt.exec:\9hhtbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\jpjpd.exec:\jpjpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\3lfrlfx.exec:\3lfrlfx.exe23⤵
- Executes dropped EXE
PID:1612 -
\??\c:\9hthbt.exec:\9hthbt.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288 -
\??\c:\vvpjp.exec:\vvpjp.exe25⤵
- Executes dropped EXE
PID:1392 -
\??\c:\fllfrfx.exec:\fllfrfx.exe26⤵
- Executes dropped EXE
PID:2228 -
\??\c:\thnntb.exec:\thnntb.exe27⤵
- Executes dropped EXE
PID:1248 -
\??\c:\btthbn.exec:\btthbn.exe28⤵
- Executes dropped EXE
PID:932 -
\??\c:\pvdvp.exec:\pvdvp.exe29⤵
- Executes dropped EXE
PID:2040 -
\??\c:\flrfxrl.exec:\flrfxrl.exe30⤵
- Executes dropped EXE
PID:1108 -
\??\c:\nthbnh.exec:\nthbnh.exe31⤵
- Executes dropped EXE
PID:4676 -
\??\c:\xrxllfx.exec:\xrxllfx.exe32⤵
- Executes dropped EXE
PID:3096 -
\??\c:\ddjdd.exec:\ddjdd.exe33⤵
- Executes dropped EXE
PID:2776 -
\??\c:\frrfxrl.exec:\frrfxrl.exe34⤵
- Executes dropped EXE
PID:2136 -
\??\c:\9nthtt.exec:\9nthtt.exe35⤵
- Executes dropped EXE
PID:1212 -
\??\c:\7pvjv.exec:\7pvjv.exe36⤵
- Executes dropped EXE
PID:1424 -
\??\c:\7llxflf.exec:\7llxflf.exe37⤵
- Executes dropped EXE
PID:3320 -
\??\c:\ttthtn.exec:\ttthtn.exe38⤵
- Executes dropped EXE
PID:5112 -
\??\c:\djpjv.exec:\djpjv.exe39⤵
- Executes dropped EXE
PID:3624 -
\??\c:\fllxlfl.exec:\fllxlfl.exe40⤵
- Executes dropped EXE
PID:2712 -
\??\c:\btbntn.exec:\btbntn.exe41⤵
- Executes dropped EXE
PID:2404 -
\??\c:\7nhbnh.exec:\7nhbnh.exe42⤵
- Executes dropped EXE
PID:2872 -
\??\c:\dvpjv.exec:\dvpjv.exe43⤵
- Executes dropped EXE
PID:2168 -
\??\c:\7xrfxrl.exec:\7xrfxrl.exe44⤵
- Executes dropped EXE
PID:3800 -
\??\c:\rxxrrrf.exec:\rxxrrrf.exe45⤵
- Executes dropped EXE
PID:1216 -
\??\c:\tbhbhh.exec:\tbhbhh.exe46⤵
- Executes dropped EXE
PID:4488 -
\??\c:\dpjvj.exec:\dpjvj.exe47⤵
- Executes dropped EXE
PID:4008 -
\??\c:\9rllfxl.exec:\9rllfxl.exe48⤵
- Executes dropped EXE
PID:1596 -
\??\c:\hhhbnn.exec:\hhhbnn.exe49⤵
- Executes dropped EXE
PID:4156 -
\??\c:\jdvjd.exec:\jdvjd.exe50⤵
- Executes dropped EXE
PID:3564 -
\??\c:\vvvjv.exec:\vvvjv.exe51⤵
- Executes dropped EXE
PID:4248 -
\??\c:\hhbtnh.exec:\hhbtnh.exe52⤵
- Executes dropped EXE
PID:1916 -
\??\c:\nbhtnh.exec:\nbhtnh.exe53⤵
- Executes dropped EXE
PID:4720 -
\??\c:\dvdvp.exec:\dvdvp.exe54⤵
- Executes dropped EXE
PID:864 -
\??\c:\7fxlxrf.exec:\7fxlxrf.exe55⤵
- Executes dropped EXE
PID:4244 -
\??\c:\3lrfllr.exec:\3lrfllr.exe56⤵
- Executes dropped EXE
PID:1972 -
\??\c:\hbhthb.exec:\hbhthb.exe57⤵
- Executes dropped EXE
PID:2972 -
\??\c:\1djdj.exec:\1djdj.exe58⤵
- Executes dropped EXE
PID:5016 -
\??\c:\3ffrlfx.exec:\3ffrlfx.exe59⤵
- Executes dropped EXE
PID:2396 -
\??\c:\9tnnbb.exec:\9tnnbb.exe60⤵
- Executes dropped EXE
PID:912 -
\??\c:\1pjvj.exec:\1pjvj.exe61⤵
- Executes dropped EXE
PID:4060 -
\??\c:\lxffrlf.exec:\lxffrlf.exe62⤵
- Executes dropped EXE
PID:1068 -
\??\c:\btbttn.exec:\btbttn.exe63⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7jpdj.exec:\7jpdj.exe64⤵
- Executes dropped EXE
PID:2388 -
\??\c:\dvpjv.exec:\dvpjv.exe65⤵
- Executes dropped EXE
PID:2424 -
\??\c:\3xfrxxf.exec:\3xfrxxf.exe66⤵PID:3956
-
\??\c:\tttnbt.exec:\tttnbt.exe67⤵PID:2960
-
\??\c:\bhhthb.exec:\bhhthb.exe68⤵PID:2028
-
\??\c:\pppvj.exec:\pppvj.exe69⤵PID:2408
-
\??\c:\xllfrlf.exec:\xllfrlf.exe70⤵PID:2732
-
\??\c:\nhnbbt.exec:\nhnbbt.exe71⤵PID:5072
-
\??\c:\vpvjv.exec:\vpvjv.exe72⤵PID:5092
-
\??\c:\5ddpd.exec:\5ddpd.exe73⤵PID:1284
-
\??\c:\rlrlxrl.exec:\rlrlxrl.exe74⤵PID:1152
-
\??\c:\bnnbnb.exec:\bnnbnb.exe75⤵PID:3008
-
\??\c:\hthbnb.exec:\hthbnb.exe76⤵PID:3060
-
\??\c:\pjpdp.exec:\pjpdp.exe77⤵PID:4836
-
\??\c:\1dpdv.exec:\1dpdv.exe78⤵PID:2232
-
\??\c:\rrxlfrf.exec:\rrxlfrf.exe79⤵PID:1240
-
\??\c:\hhhtnb.exec:\hhhtnb.exe80⤵PID:368
-
\??\c:\tnhhnh.exec:\tnhhnh.exe81⤵PID:1080
-
\??\c:\7ddpd.exec:\7ddpd.exe82⤵PID:2568
-
\??\c:\1lxfrlx.exec:\1lxfrlx.exe83⤵PID:4980
-
\??\c:\hbtnbb.exec:\hbtnbb.exe84⤵PID:3628
-
\??\c:\bhhthb.exec:\bhhthb.exe85⤵PID:3228
-
\??\c:\1pdpp.exec:\1pdpp.exe86⤵PID:2900
-
\??\c:\vpjvj.exec:\vpjvj.exe87⤵PID:1108
-
\??\c:\lxlfxff.exec:\lxlfxff.exe88⤵PID:4504
-
\??\c:\btttnn.exec:\btttnn.exe89⤵PID:3440
-
\??\c:\pddpj.exec:\pddpj.exe90⤵PID:3096
-
\??\c:\vjpjj.exec:\vjpjj.exe91⤵PID:3588
-
\??\c:\rxxlrlx.exec:\rxxlrlx.exe92⤵PID:4464
-
\??\c:\btthtn.exec:\btthtn.exe93⤵PID:4068
-
\??\c:\9thbnn.exec:\9thbnn.exe94⤵PID:1928
-
\??\c:\9ppjv.exec:\9ppjv.exe95⤵PID:4688
-
\??\c:\3lrflfx.exec:\3lrflfx.exe96⤵PID:516
-
\??\c:\rxfrlxr.exec:\rxfrlxr.exe97⤵PID:3312
-
\??\c:\bnnnhn.exec:\bnnnhn.exe98⤵PID:2932
-
\??\c:\pdvvj.exec:\pdvvj.exe99⤵PID:1364
-
\??\c:\5xlxlfx.exec:\5xlxlfx.exe100⤵PID:2404
-
\??\c:\1llfrrl.exec:\1llfrrl.exe101⤵PID:2864
-
\??\c:\tnnbnh.exec:\tnnbnh.exe102⤵PID:2168
-
\??\c:\dddvj.exec:\dddvj.exe103⤵PID:4600
-
\??\c:\rrlfxrl.exec:\rrlfxrl.exe104⤵PID:1216
-
\??\c:\frxxfxx.exec:\frxxfxx.exe105⤵PID:3388
-
\??\c:\9jdvd.exec:\9jdvd.exe106⤵PID:3216
-
\??\c:\7ppdp.exec:\7ppdp.exe107⤵PID:1836
-
\??\c:\xfrfrxr.exec:\xfrfrxr.exe108⤵PID:3688
-
\??\c:\thhbhb.exec:\thhbhb.exe109⤵PID:3684
-
\??\c:\5vpjv.exec:\5vpjv.exe110⤵PID:2724
-
\??\c:\9pvdj.exec:\9pvdj.exe111⤵PID:2472
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe112⤵PID:1752
-
\??\c:\9btnbt.exec:\9btnbt.exe113⤵PID:4416
-
\??\c:\9vppd.exec:\9vppd.exe114⤵PID:3924
-
\??\c:\pddpj.exec:\pddpj.exe115⤵PID:3128
-
\??\c:\7rllxfr.exec:\7rllxfr.exe116⤵PID:3872
-
\??\c:\thhnbt.exec:\thhnbt.exe117⤵PID:4040
-
\??\c:\vjpdv.exec:\vjpdv.exe118⤵PID:5016
-
\??\c:\pjdjv.exec:\pjdjv.exe119⤵PID:4340
-
\??\c:\1rrxlxl.exec:\1rrxlxl.exe120⤵PID:1352
-
\??\c:\bbhtht.exec:\bbhtht.exe121⤵PID:4060
-
\??\c:\7pjjv.exec:\7pjjv.exe122⤵PID:1688