Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 19:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
12e67291045029b5985c8fbe3fcf29d9c80340fa8ca5e6b5f970fbf633fcb3cb.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
12e67291045029b5985c8fbe3fcf29d9c80340fa8ca5e6b5f970fbf633fcb3cb.exe
-
Size
454KB
-
MD5
c63d14477da91588cb655e21d00964ab
-
SHA1
96a6d0ff1b443bd4b96327db5d90d8a8e8784b41
-
SHA256
12e67291045029b5985c8fbe3fcf29d9c80340fa8ca5e6b5f970fbf633fcb3cb
-
SHA512
229d63470b59c344586712c73da2fe1a28e8998e5f30d84beb920a9232e26efdcaccc769c5fe19e8ab99675e67f8fe5372c94098077d840bada7c00b0146ae63
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4528-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3296-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3664-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4980-1618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1504 7vdvp.exe 3292 nhbtnh.exe 4240 pddvp.exe 428 rlrrrlr.exe 2320 tnbbth.exe 1848 tnthbt.exe 2700 xlflflf.exe 3616 jpvvp.exe 832 ttbtnn.exe 4748 vvpjv.exe 432 tnhbtn.exe 2448 xxfffxr.exe 4880 nbbthb.exe 116 5jvpp.exe 1852 flxlxrf.exe 3988 nhhtnt.exe 2932 fxxfffl.exe 4324 5bnhnn.exe 4864 rxrlxxf.exe 2832 jvjdv.exe 1548 flfrrrx.exe 3016 hbtttb.exe 4536 xrrfxxl.exe 4168 pvdjv.exe 5000 tbhbbt.exe 2860 vdjjj.exe 4804 bhhbbb.exe 3296 pjvdv.exe 3804 pjvpj.exe 1344 hhhhbh.exe 4936 xxrrlrl.exe 3060 nhtnhh.exe 1600 jpjdp.exe 1904 xfxrlll.exe 2896 bbnnbn.exe 2916 pjvpv.exe 4304 xlxrlrl.exe 2704 lrflflf.exe 1112 ntthht.exe 528 jdvpj.exe 1732 ffxxxxr.exe 2624 7thhbb.exe 2196 jdvvp.exe 1856 xlxxffl.exe 860 bbbhbt.exe 3752 tnbbbh.exe 3044 lflfxxr.exe 1004 llrlffx.exe 4456 jjjjd.exe 4496 xfrrlfx.exe 1936 fxfxrrx.exe 912 btttbb.exe 5092 vvddd.exe 4240 lflfxxx.exe 1656 btbtnn.exe 1340 pjppp.exe 3860 xfrllll.exe 4364 bnbbtt.exe 3644 hbhhbb.exe 2356 rxllllr.exe 4760 bhnntb.exe 2808 jdddd.exe 2128 lfllllr.exe 3960 nbtttt.exe -
resource yara_rule behavioral2/memory/4528-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1344-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4836-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-668-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4528 wrote to memory of 1504 4528 12e67291045029b5985c8fbe3fcf29d9c80340fa8ca5e6b5f970fbf633fcb3cb.exe 83 PID 4528 wrote to memory of 1504 4528 12e67291045029b5985c8fbe3fcf29d9c80340fa8ca5e6b5f970fbf633fcb3cb.exe 83 PID 4528 wrote to memory of 1504 4528 12e67291045029b5985c8fbe3fcf29d9c80340fa8ca5e6b5f970fbf633fcb3cb.exe 83 PID 1504 wrote to memory of 3292 1504 7vdvp.exe 84 PID 1504 wrote to memory of 3292 1504 7vdvp.exe 84 PID 1504 wrote to memory of 3292 1504 7vdvp.exe 84 PID 3292 wrote to memory of 4240 3292 nhbtnh.exe 85 PID 3292 wrote to memory of 4240 3292 nhbtnh.exe 85 PID 3292 wrote to memory of 4240 3292 nhbtnh.exe 85 PID 4240 wrote to memory of 428 4240 pddvp.exe 86 PID 4240 wrote to memory of 428 4240 pddvp.exe 86 PID 4240 wrote to memory of 428 4240 pddvp.exe 86 PID 428 wrote to memory of 2320 428 rlrrrlr.exe 87 PID 428 wrote to memory of 2320 428 rlrrrlr.exe 87 PID 428 wrote to memory of 2320 428 rlrrrlr.exe 87 PID 2320 wrote to memory of 1848 2320 tnbbth.exe 88 PID 2320 wrote to memory of 1848 2320 tnbbth.exe 88 PID 2320 wrote to memory of 1848 2320 tnbbth.exe 88 PID 1848 wrote to memory of 2700 1848 tnthbt.exe 89 PID 1848 wrote to memory of 2700 1848 tnthbt.exe 89 PID 1848 wrote to memory of 2700 1848 tnthbt.exe 89 PID 2700 wrote to memory of 3616 2700 xlflflf.exe 90 PID 2700 wrote to memory of 3616 2700 xlflflf.exe 90 PID 2700 wrote to memory of 3616 2700 xlflflf.exe 90 PID 3616 wrote to memory of 832 3616 jpvvp.exe 91 PID 3616 wrote to memory of 832 3616 jpvvp.exe 91 PID 3616 wrote to memory of 832 3616 jpvvp.exe 91 PID 832 wrote to memory of 4748 832 ttbtnn.exe 92 PID 832 wrote to memory of 4748 832 ttbtnn.exe 92 PID 832 wrote to memory of 4748 832 ttbtnn.exe 92 PID 4748 wrote to memory of 432 4748 vvpjv.exe 93 PID 4748 wrote to memory of 432 4748 vvpjv.exe 93 PID 4748 wrote to memory of 432 4748 vvpjv.exe 93 PID 432 wrote to memory of 2448 432 tnhbtn.exe 94 PID 432 wrote to memory of 2448 432 tnhbtn.exe 
94 PID 432 wrote to memory of 2448 432 tnhbtn.exe 94 PID 2448 wrote to memory of 4880 2448 xxfffxr.exe 95 PID 2448 wrote to memory of 4880 2448 xxfffxr.exe 95 PID 2448 wrote to memory of 4880 2448 xxfffxr.exe 95 PID 4880 wrote to memory of 116 4880 nbbthb.exe 96 PID 4880 wrote to memory of 116 4880 nbbthb.exe 96 PID 4880 wrote to memory of 116 4880 nbbthb.exe 96 PID 116 wrote to memory of 1852 116 5jvpp.exe 97 PID 116 wrote to memory of 1852 116 5jvpp.exe 97 PID 116 wrote to memory of 1852 116 5jvpp.exe 97 PID 1852 wrote to memory of 3988 1852 flxlxrf.exe 98 PID 1852 wrote to memory of 3988 1852 flxlxrf.exe 98 PID 1852 wrote to memory of 3988 1852 flxlxrf.exe 98 PID 3988 wrote to memory of 2932 3988 nhhtnt.exe 99 PID 3988 wrote to memory of 2932 3988 nhhtnt.exe 99 PID 3988 wrote to memory of 2932 3988 nhhtnt.exe 99 PID 2932 wrote to memory of 4324 2932 fxxfffl.exe 100 PID 2932 wrote to memory of 4324 2932 fxxfffl.exe 100 PID 2932 wrote to memory of 4324 2932 fxxfffl.exe 100 PID 4324 wrote to memory of 4864 4324 5bnhnn.exe 101 PID 4324 wrote to memory of 4864 4324 5bnhnn.exe 101 PID 4324 wrote to memory of 4864 4324 5bnhnn.exe 101 PID 4864 wrote to memory of 2832 4864 rxrlxxf.exe 102 PID 4864 wrote to memory of 2832 4864 rxrlxxf.exe 102 PID 4864 wrote to memory of 2832 4864 rxrlxxf.exe 102 PID 2832 wrote to memory of 1548 2832 jvjdv.exe 103 PID 2832 wrote to memory of 1548 2832 jvjdv.exe 103 PID 2832 wrote to memory of 1548 2832 jvjdv.exe 103 PID 1548 wrote to memory of 3016 1548 flfrrrx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\12e67291045029b5985c8fbe3fcf29d9c80340fa8ca5e6b5f970fbf633fcb3cb.exe"C:\Users\Admin\AppData\Local\Temp\12e67291045029b5985c8fbe3fcf29d9c80340fa8ca5e6b5f970fbf633fcb3cb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\7vdvp.exec:\7vdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\nhbtnh.exec:\nhbtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\pddvp.exec:\pddvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\rlrrrlr.exec:\rlrrrlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\tnbbth.exec:\tnbbth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\tnthbt.exec:\tnthbt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\xlflflf.exec:\xlflflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\jpvvp.exec:\jpvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\ttbtnn.exec:\ttbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\vvpjv.exec:\vvpjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\tnhbtn.exec:\tnhbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\xxfffxr.exec:\xxfffxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\nbbthb.exec:\nbbthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\5jvpp.exec:\5jvpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\flxlxrf.exec:\flxlxrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\nhhtnt.exec:\nhhtnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\fxxfffl.exec:\fxxfffl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\5bnhnn.exec:\5bnhnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\rxrlxxf.exec:\rxrlxxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\jvjdv.exec:\jvjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\flfrrrx.exec:\flfrrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\hbtttb.exec:\hbtttb.exe23⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xrrfxxl.exec:\xrrfxxl.exe24⤵
- Executes dropped EXE
PID:4536 -
\??\c:\pvdjv.exec:\pvdjv.exe25⤵
- Executes dropped EXE
PID:4168 -
\??\c:\tbhbbt.exec:\tbhbbt.exe26⤵
- Executes dropped EXE
PID:5000 -
\??\c:\vdjjj.exec:\vdjjj.exe27⤵
- Executes dropped EXE
PID:2860 -
\??\c:\bhhbbb.exec:\bhhbbb.exe28⤵
- Executes dropped EXE
PID:4804 -
\??\c:\pjvdv.exec:\pjvdv.exe29⤵
- Executes dropped EXE
PID:3296 -
\??\c:\pjvpj.exec:\pjvpj.exe30⤵
- Executes dropped EXE
PID:3804 -
\??\c:\hhhhbh.exec:\hhhhbh.exe31⤵
- Executes dropped EXE
PID:1344 -
\??\c:\xxrrlrl.exec:\xxrrlrl.exe32⤵
- Executes dropped EXE
PID:4936 -
\??\c:\nhtnhh.exec:\nhtnhh.exe33⤵
- Executes dropped EXE
PID:3060 -
\??\c:\jpjdp.exec:\jpjdp.exe34⤵
- Executes dropped EXE
PID:1600 -
\??\c:\xfxrlll.exec:\xfxrlll.exe35⤵
- Executes dropped EXE
PID:1904 -
\??\c:\bbnnbn.exec:\bbnnbn.exe36⤵
- Executes dropped EXE
PID:2896 -
\??\c:\pjvpv.exec:\pjvpv.exe37⤵
- Executes dropped EXE
PID:2916 -
\??\c:\xlxrlrl.exec:\xlxrlrl.exe38⤵
- Executes dropped EXE
PID:4304 -
\??\c:\lrflflf.exec:\lrflflf.exe39⤵
- Executes dropped EXE
PID:2704 -
\??\c:\ntthht.exec:\ntthht.exe40⤵
- Executes dropped EXE
PID:1112 -
\??\c:\jdvpj.exec:\jdvpj.exe41⤵
- Executes dropped EXE
PID:528 -
\??\c:\ffxxxxr.exec:\ffxxxxr.exe42⤵
- Executes dropped EXE
PID:1732 -
\??\c:\7thhbb.exec:\7thhbb.exe43⤵
- Executes dropped EXE
PID:2624 -
\??\c:\jdvvp.exec:\jdvvp.exe44⤵
- Executes dropped EXE
PID:2196 -
\??\c:\xlxxffl.exec:\xlxxffl.exe45⤵
- Executes dropped EXE
PID:1856 -
\??\c:\bbbhbt.exec:\bbbhbt.exe46⤵
- Executes dropped EXE
PID:860 -
\??\c:\tnbbbh.exec:\tnbbbh.exe47⤵
- Executes dropped EXE
PID:3752 -
\??\c:\lflfxxr.exec:\lflfxxr.exe48⤵
- Executes dropped EXE
PID:3044 -
\??\c:\llrlffx.exec:\llrlffx.exe49⤵
- Executes dropped EXE
PID:1004 -
\??\c:\jjjjd.exec:\jjjjd.exe50⤵
- Executes dropped EXE
PID:4456 -
\??\c:\xfrrlfx.exec:\xfrrlfx.exe51⤵
- Executes dropped EXE
PID:4496 -
\??\c:\fxfxrrx.exec:\fxfxrrx.exe52⤵
- Executes dropped EXE
PID:1936 -
\??\c:\btttbb.exec:\btttbb.exe53⤵
- Executes dropped EXE
PID:912 -
\??\c:\vvddd.exec:\vvddd.exe54⤵
- Executes dropped EXE
PID:5092 -
\??\c:\lflfxxx.exec:\lflfxxx.exe55⤵
- Executes dropped EXE
PID:4240 -
\??\c:\btbtnn.exec:\btbtnn.exe56⤵
- Executes dropped EXE
PID:1656 -
\??\c:\pjppp.exec:\pjppp.exe57⤵
- Executes dropped EXE
PID:1340 -
\??\c:\xfrllll.exec:\xfrllll.exe58⤵
- Executes dropped EXE
PID:3860 -
\??\c:\bnbbtt.exec:\bnbbtt.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4364 -
\??\c:\hbhhbb.exec:\hbhhbb.exe60⤵
- Executes dropped EXE
PID:3644 -
\??\c:\rxllllr.exec:\rxllllr.exe61⤵
- Executes dropped EXE
PID:2356 -
\??\c:\bhnntb.exec:\bhnntb.exe62⤵
- Executes dropped EXE
PID:4760 -
\??\c:\jdddd.exec:\jdddd.exe63⤵
- Executes dropped EXE
PID:2808 -
\??\c:\lfllllr.exec:\lfllllr.exe64⤵
- Executes dropped EXE
PID:2128 -
\??\c:\nbtttt.exec:\nbtttt.exe65⤵
- Executes dropped EXE
PID:3960 -
\??\c:\jjjdd.exec:\jjjdd.exe66⤵PID:700
-
\??\c:\xlxrxxx.exec:\xlxrxxx.exe67⤵PID:4984
-
\??\c:\rlxxrrl.exec:\rlxxrrl.exe68⤵PID:4608
-
\??\c:\hbnhhh.exec:\hbnhhh.exe69⤵PID:3464
-
\??\c:\jvpvp.exec:\jvpvp.exe70⤵PID:3076
-
\??\c:\xlrlffx.exec:\xlrlffx.exe71⤵PID:4844
-
\??\c:\rlrlffx.exec:\rlrlffx.exe72⤵PID:2928
-
\??\c:\nbhhhh.exec:\nbhhhh.exe73⤵PID:4828
-
\??\c:\pjpdv.exec:\pjpdv.exe74⤵PID:4692
-
\??\c:\rllfxll.exec:\rllfxll.exe75⤵PID:2236
-
\??\c:\3hhhnn.exec:\3hhhnn.exe76⤵PID:3664
-
\??\c:\vjjdv.exec:\vjjdv.exe77⤵PID:1216
-
\??\c:\rlrfxxr.exec:\rlrfxxr.exe78⤵PID:1720
-
\??\c:\9nnhhn.exec:\9nnhhn.exe79⤵PID:4908
-
\??\c:\pjvpj.exec:\pjvpj.exe80⤵PID:3596
-
\??\c:\vpvvv.exec:\vpvvv.exe81⤵PID:3556
-
\??\c:\rlfllll.exec:\rlfllll.exe82⤵PID:3280
-
\??\c:\nhhhbb.exec:\nhhhbb.exe83⤵PID:2392
-
\??\c:\3jpjj.exec:\3jpjj.exe84⤵PID:4836
-
\??\c:\rxfxxxr.exec:\rxfxxxr.exe85⤵PID:3512
-
\??\c:\ttbttt.exec:\ttbttt.exe86⤵PID:1536
-
\??\c:\pjvpv.exec:\pjvpv.exe87⤵PID:3604
-
\??\c:\jjppj.exec:\jjppj.exe88⤵PID:2860
-
\??\c:\lfrlxxx.exec:\lfrlxxx.exe89⤵PID:1828
-
\??\c:\htbbtt.exec:\htbbtt.exe90⤵PID:3984
-
\??\c:\ppjjv.exec:\ppjjv.exe91⤵PID:3208
-
\??\c:\7pvvv.exec:\7pvvv.exe92⤵PID:4772
-
\??\c:\7llfxxr.exec:\7llfxxr.exe93⤵PID:4884
-
\??\c:\ntbtnn.exec:\ntbtnn.exe94⤵PID:4616
-
\??\c:\jpvvd.exec:\jpvvd.exe95⤵PID:4372
-
\??\c:\lxlfflf.exec:\lxlfflf.exe96⤵PID:2224
-
\??\c:\fxxrllf.exec:\fxxrllf.exe97⤵PID:3136
-
\??\c:\htnnhh.exec:\htnnhh.exe98⤵PID:2016
-
\??\c:\vdjdd.exec:\vdjdd.exe99⤵PID:4820
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe100⤵PID:2916
-
\??\c:\7hnhbn.exec:\7hnhbn.exe101⤵PID:4504
-
\??\c:\dvvpj.exec:\dvvpj.exe102⤵PID:3244
-
\??\c:\pvdvp.exec:\pvdvp.exe103⤵PID:4716
-
\??\c:\9lxrxfx.exec:\9lxrxfx.exe104⤵PID:528
-
\??\c:\3bbnhb.exec:\3bbnhb.exe105⤵PID:1732
-
\??\c:\djpjd.exec:\djpjd.exe106⤵PID:1304
-
\??\c:\vppjd.exec:\vppjd.exe107⤵PID:2196
-
\??\c:\lflfllf.exec:\lflfllf.exe108⤵PID:1856
-
\??\c:\htthtb.exec:\htthtb.exe109⤵PID:860
-
\??\c:\ddppd.exec:\ddppd.exe110⤵PID:2520
-
\??\c:\1dpjv.exec:\1dpjv.exe111⤵PID:4296
-
\??\c:\flrlxxr.exec:\flrlxxr.exe112⤵PID:4604
-
\??\c:\hhhbtb.exec:\hhhbtb.exe113⤵PID:1496
-
\??\c:\3vjdd.exec:\3vjdd.exe114⤵PID:1028
-
\??\c:\fxrfxrl.exec:\fxrfxrl.exe115⤵PID:1156
-
\??\c:\bhtttt.exec:\bhtttt.exe116⤵PID:1416
-
\??\c:\bhnhbb.exec:\bhnhbb.exe117⤵PID:2180
-
\??\c:\djpjd.exec:\djpjd.exe118⤵PID:4004
-
\??\c:\xrrlfff.exec:\xrrlfff.exe119⤵PID:5016
-
\??\c:\1bbthh.exec:\1bbthh.exe120⤵PID:3672
-
\??\c:\pvjdd.exec:\pvjdd.exe121⤵PID:1316
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe122⤵PID:4788