Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 09:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe
-
Size
455KB
-
MD5
41bec20e646e53a00f561cb782224220
-
SHA1
9b2b45d0c36a0fcf2a58812e96c3bed5e3f76c1c
-
SHA256
cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0
-
SHA512
b37ea2d6c65e56cb9e7cb76d21ce58d6a3a9fca3771ec93ba26561ef1cb2f63d4fecfa4919abffa10e4d38b5be378f8058ea6fdba4724fe77154809f709a29c3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3516-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/396-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4252-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-1234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-1699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4944 242660.exe 3516 bhtnhb.exe 2260 frlffrx.exe 4040 vpdpd.exe 220 dppdv.exe 3504 djjjv.exe 2976 80402.exe 2044 ppvdj.exe 2316 6028204.exe 5088 24820.exe 4820 600488.exe 4792 48620.exe 4788 402004.exe 5020 7fxlfxr.exe 4180 646882.exe 3976 nbhhtn.exe 5048 w40048.exe 224 nttthn.exe 4360 fxxfrfx.exe 4468 w84004.exe 532 bnthbb.exe 1964 jppdv.exe 3500 pdvpj.exe 4120 1hthtn.exe 1564 xlrlrll.exe 3608 llrlxrf.exe 940 pvdpd.exe 396 pppdv.exe 756 288668.exe 2452 080btnh.exe 2192 bhnhth.exe 4572 xllfrrl.exe 2284 rflfxrl.exe 4992 04486.exe 1684 6288260.exe 4000 pjjvp.exe 876 088808.exe 3600 xrrfxrl.exe 212 06026.exe 4024 rlfxrlf.exe 232 6248644.exe 3036 4086004.exe 4512 pvddv.exe 3668 024862.exe 5024 668482.exe 1968 868826.exe 552 0620464.exe 3124 1bhtnb.exe 3396 vppdd.exe 1096 tnnbbn.exe 1856 lxlxrlr.exe 2180 vjjdv.exe 1788 rrfxffl.exe 1740 08820.exe 2032 dvvjv.exe 2044 6244486.exe 4524 7bthtn.exe 2000 862048.exe 4480 djpjd.exe 3736 frrlxxr.exe 4628 06426.exe 1340 rlfrfxx.exe 3128 rfrffxl.exe 2784 8262206.exe -
resource yara_rule behavioral2/memory/3516-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4572-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-388-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3720-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-987-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4620448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e48480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 848604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4248260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 822604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2760 wrote to memory of 4944 2760 cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe 83 PID 2760 wrote to memory of 4944 2760 cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe 83 PID 2760 wrote to memory of 4944 2760 cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe 83 PID 4944 wrote to memory of 3516 4944 242660.exe 84 PID 4944 wrote to memory of 3516 4944 242660.exe 84 PID 4944 wrote to memory of 3516 4944 242660.exe 84 PID 3516 wrote to memory of 2260 3516 bhtnhb.exe 85 PID 3516 wrote to memory of 2260 3516 bhtnhb.exe 85 PID 3516 wrote to memory of 2260 3516 bhtnhb.exe 85 PID 2260 wrote to memory of 4040 2260 frlffrx.exe 86 PID 2260 wrote to memory of 4040 2260 frlffrx.exe 86 PID 2260 wrote to memory of 4040 2260 frlffrx.exe 86 PID 4040 wrote to memory of 220 4040 vpdpd.exe 87 PID 4040 wrote to memory of 220 4040 vpdpd.exe 87 PID 4040 wrote to memory of 220 4040 vpdpd.exe 87 PID 220 wrote to memory of 3504 220 dppdv.exe 88 PID 220 wrote to memory of 3504 220 dppdv.exe 88 PID 220 wrote to memory of 3504 220 dppdv.exe 88 PID 3504 wrote to memory of 2976 3504 djjjv.exe 89 PID 3504 wrote to memory of 2976 3504 djjjv.exe 89 PID 3504 wrote to memory of 2976 3504 djjjv.exe 89 PID 2976 wrote to memory of 2044 2976 80402.exe 90 PID 2976 wrote to memory of 2044 2976 80402.exe 90 PID 2976 wrote to memory of 2044 2976 80402.exe 90 PID 2044 wrote to memory of 2316 2044 ppvdj.exe 91 PID 2044 wrote to memory of 2316 2044 ppvdj.exe 91 PID 2044 wrote to memory of 2316 2044 ppvdj.exe 91 PID 2316 wrote to memory of 5088 2316 6028204.exe 92 PID 2316 wrote to memory of 5088 2316 6028204.exe 92 PID 2316 wrote to memory of 5088 2316 6028204.exe 92 PID 5088 wrote to memory of 4820 5088 24820.exe 93 PID 5088 wrote to memory of 4820 5088 24820.exe 93 PID 5088 wrote to memory of 4820 5088 24820.exe 93 PID 4820 wrote to memory of 4792 4820 600488.exe 94 PID 4820 wrote to memory of 4792 4820 
600488.exe 94 PID 4820 wrote to memory of 4792 4820 600488.exe 94 PID 4792 wrote to memory of 4788 4792 48620.exe 95 PID 4792 wrote to memory of 4788 4792 48620.exe 95 PID 4792 wrote to memory of 4788 4792 48620.exe 95 PID 4788 wrote to memory of 5020 4788 402004.exe 96 PID 4788 wrote to memory of 5020 4788 402004.exe 96 PID 4788 wrote to memory of 5020 4788 402004.exe 96 PID 5020 wrote to memory of 4180 5020 7fxlfxr.exe 97 PID 5020 wrote to memory of 4180 5020 7fxlfxr.exe 97 PID 5020 wrote to memory of 4180 5020 7fxlfxr.exe 97 PID 4180 wrote to memory of 3976 4180 646882.exe 98 PID 4180 wrote to memory of 3976 4180 646882.exe 98 PID 4180 wrote to memory of 3976 4180 646882.exe 98 PID 3976 wrote to memory of 5048 3976 nbhhtn.exe 99 PID 3976 wrote to memory of 5048 3976 nbhhtn.exe 99 PID 3976 wrote to memory of 5048 3976 nbhhtn.exe 99 PID 5048 wrote to memory of 224 5048 w40048.exe 100 PID 5048 wrote to memory of 224 5048 w40048.exe 100 PID 5048 wrote to memory of 224 5048 w40048.exe 100 PID 224 wrote to memory of 4360 224 nttthn.exe 101 PID 224 wrote to memory of 4360 224 nttthn.exe 101 PID 224 wrote to memory of 4360 224 nttthn.exe 101 PID 4360 wrote to memory of 4468 4360 fxxfrfx.exe 102 PID 4360 wrote to memory of 4468 4360 fxxfrfx.exe 102 PID 4360 wrote to memory of 4468 4360 fxxfrfx.exe 102 PID 4468 wrote to memory of 532 4468 w84004.exe 103 PID 4468 wrote to memory of 532 4468 w84004.exe 103 PID 4468 wrote to memory of 532 4468 w84004.exe 103 PID 532 wrote to memory of 1964 532 bnthbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe"C:\Users\Admin\AppData\Local\Temp\cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\242660.exec:\242660.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\bhtnhb.exec:\bhtnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\frlffrx.exec:\frlffrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\vpdpd.exec:\vpdpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\dppdv.exec:\dppdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\djjjv.exec:\djjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\80402.exec:\80402.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\ppvdj.exec:\ppvdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\6028204.exec:\6028204.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\24820.exec:\24820.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\600488.exec:\600488.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\48620.exec:\48620.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\402004.exec:\402004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\7fxlfxr.exec:\7fxlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\646882.exec:\646882.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\nbhhtn.exec:\nbhhtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\w40048.exec:\w40048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\nttthn.exec:\nttthn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\fxxfrfx.exec:\fxxfrfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\w84004.exec:\w84004.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\bnthbb.exec:\bnthbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\jppdv.exec:\jppdv.exe23⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pdvpj.exec:\pdvpj.exe24⤵
- Executes dropped EXE
PID:3500 -
\??\c:\1hthtn.exec:\1hthtn.exe25⤵
- Executes dropped EXE
PID:4120 -
\??\c:\xlrlrll.exec:\xlrlrll.exe26⤵
- Executes dropped EXE
PID:1564 -
\??\c:\llrlxrf.exec:\llrlxrf.exe27⤵
- Executes dropped EXE
PID:3608 -
\??\c:\pvdpd.exec:\pvdpd.exe28⤵
- Executes dropped EXE
PID:940 -
\??\c:\pppdv.exec:\pppdv.exe29⤵
- Executes dropped EXE
PID:396 -
\??\c:\288668.exec:\288668.exe30⤵
- Executes dropped EXE
PID:756 -
\??\c:\080btnh.exec:\080btnh.exe31⤵
- Executes dropped EXE
PID:2452 -
\??\c:\bhnhth.exec:\bhnhth.exe32⤵
- Executes dropped EXE
PID:2192 -
\??\c:\xllfrrl.exec:\xllfrrl.exe33⤵
- Executes dropped EXE
PID:4572 -
\??\c:\rflfxrl.exec:\rflfxrl.exe34⤵
- Executes dropped EXE
PID:2284 -
\??\c:\04486.exec:\04486.exe35⤵
- Executes dropped EXE
PID:4992 -
\??\c:\6288260.exec:\6288260.exe36⤵
- Executes dropped EXE
PID:1684 -
\??\c:\pjjvp.exec:\pjjvp.exe37⤵
- Executes dropped EXE
PID:4000 -
\??\c:\088808.exec:\088808.exe38⤵
- Executes dropped EXE
PID:876 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe39⤵
- Executes dropped EXE
PID:3600 -
\??\c:\06026.exec:\06026.exe40⤵
- Executes dropped EXE
PID:212 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe41⤵
- Executes dropped EXE
PID:4024 -
\??\c:\6248644.exec:\6248644.exe42⤵
- Executes dropped EXE
PID:232 -
\??\c:\4086004.exec:\4086004.exe43⤵
- Executes dropped EXE
PID:3036 -
\??\c:\pvddv.exec:\pvddv.exe44⤵
- Executes dropped EXE
PID:4512 -
\??\c:\024862.exec:\024862.exe45⤵
- Executes dropped EXE
PID:3668 -
\??\c:\668482.exec:\668482.exe46⤵
- Executes dropped EXE
PID:5024 -
\??\c:\868826.exec:\868826.exe47⤵
- Executes dropped EXE
PID:1968 -
\??\c:\0620464.exec:\0620464.exe48⤵
- Executes dropped EXE
PID:552 -
\??\c:\1bhtnb.exec:\1bhtnb.exe49⤵
- Executes dropped EXE
PID:3124 -
\??\c:\vppdd.exec:\vppdd.exe50⤵
- Executes dropped EXE
PID:3396 -
\??\c:\tnnbbn.exec:\tnnbbn.exe51⤵
- Executes dropped EXE
PID:1096 -
\??\c:\lxlxrlr.exec:\lxlxrlr.exe52⤵
- Executes dropped EXE
PID:1856 -
\??\c:\vjjdv.exec:\vjjdv.exe53⤵
- Executes dropped EXE
PID:2180 -
\??\c:\rrfxffl.exec:\rrfxffl.exe54⤵
- Executes dropped EXE
PID:1788 -
\??\c:\08820.exec:\08820.exe55⤵
- Executes dropped EXE
PID:1740 -
\??\c:\dvvjv.exec:\dvvjv.exe56⤵
- Executes dropped EXE
PID:2032 -
\??\c:\6244486.exec:\6244486.exe57⤵
- Executes dropped EXE
PID:2044 -
\??\c:\7bthtn.exec:\7bthtn.exe58⤵
- Executes dropped EXE
PID:4524 -
\??\c:\862048.exec:\862048.exe59⤵
- Executes dropped EXE
PID:2000 -
\??\c:\djpjd.exec:\djpjd.exe60⤵
- Executes dropped EXE
PID:4480 -
\??\c:\frrlxxr.exec:\frrlxxr.exe61⤵
- Executes dropped EXE
PID:3736 -
\??\c:\06426.exec:\06426.exe62⤵
- Executes dropped EXE
PID:4628 -
\??\c:\rlfrfxx.exec:\rlfrfxx.exe63⤵
- Executes dropped EXE
PID:1340 -
\??\c:\rfrffxl.exec:\rfrffxl.exe64⤵
- Executes dropped EXE
PID:3128 -
\??\c:\8262206.exec:\8262206.exe65⤵
- Executes dropped EXE
PID:2784 -
\??\c:\tnbtnn.exec:\tnbtnn.exe66⤵PID:3696
-
\??\c:\lfxlxfx.exec:\lfxlxfx.exe67⤵PID:2984
-
\??\c:\8482884.exec:\8482884.exe68⤵PID:2528
-
\??\c:\tnttnb.exec:\tnttnb.exe69⤵PID:4224
-
\??\c:\xxllfrr.exec:\xxllfrr.exe70⤵PID:224
-
\??\c:\40680.exec:\40680.exe71⤵PID:4544
-
\??\c:\4222064.exec:\4222064.exe72⤵PID:4484
-
\??\c:\btnbnh.exec:\btnbnh.exe73⤵PID:2744
-
\??\c:\02826.exec:\02826.exe74⤵PID:3376
-
\??\c:\m2608.exec:\m2608.exe75⤵PID:3120
-
\??\c:\dpdpp.exec:\dpdpp.exe76⤵PID:4972
-
\??\c:\ppvjv.exec:\ppvjv.exe77⤵PID:4064
-
\??\c:\64626.exec:\64626.exe78⤵PID:4252
-
\??\c:\ttnbnb.exec:\ttnbnb.exe79⤵PID:1564
-
\??\c:\bhnbtn.exec:\bhnbtn.exe80⤵PID:5112
-
\??\c:\224204.exec:\224204.exe81⤵PID:3608
-
\??\c:\vdpdv.exec:\vdpdv.exe82⤵PID:3520
-
\??\c:\lrfxllf.exec:\lrfxllf.exe83⤵PID:5096
-
\??\c:\86404.exec:\86404.exe84⤵PID:3684
-
\??\c:\2280086.exec:\2280086.exe85⤵PID:4644
-
\??\c:\666464.exec:\666464.exe86⤵PID:4248
-
\??\c:\jpvjd.exec:\jpvjd.exe87⤵PID:4928
-
\??\c:\vvdvj.exec:\vvdvj.exe88⤵
- System Location Discovery: System Language Discovery
PID:1812 -
\??\c:\5xlrlll.exec:\5xlrlll.exe89⤵PID:2556
-
\??\c:\bntntn.exec:\bntntn.exe90⤵PID:4584
-
\??\c:\htttnt.exec:\htttnt.exe91⤵PID:4756
-
\??\c:\pjjdv.exec:\pjjdv.exe92⤵PID:3288
-
\??\c:\nbhbtn.exec:\nbhbtn.exe93⤵PID:3084
-
\??\c:\bbhtnb.exec:\bbhtnb.exe94⤵PID:428
-
\??\c:\22426.exec:\22426.exe95⤵PID:3184
-
\??\c:\dvvpp.exec:\dvvpp.exe96⤵PID:4996
-
\??\c:\jdjdv.exec:\jdjdv.exe97⤵PID:3172
-
\??\c:\046284.exec:\046284.exe98⤵PID:232
-
\??\c:\5xrfrrl.exec:\5xrfrrl.exe99⤵PID:3720
-
\??\c:\jppdp.exec:\jppdp.exe100⤵PID:4916
-
\??\c:\rllxlxr.exec:\rllxlxr.exe101⤵PID:2568
-
\??\c:\vpvdp.exec:\vpvdp.exe102⤵PID:5024
-
\??\c:\0664460.exec:\0664460.exe103⤵PID:1452
-
\??\c:\6244864.exec:\6244864.exe104⤵PID:4232
-
\??\c:\bhntbh.exec:\bhntbh.exe105⤵PID:1560
-
\??\c:\htthtn.exec:\htthtn.exe106⤵PID:1464
-
\??\c:\xlrllfx.exec:\xlrllfx.exe107⤵PID:4140
-
\??\c:\bhhbtn.exec:\bhhbtn.exe108⤵PID:1064
-
\??\c:\200420.exec:\200420.exe109⤵PID:1804
-
\??\c:\pvvpd.exec:\pvvpd.exe110⤵PID:1508
-
\??\c:\jvvjv.exec:\jvvjv.exe111⤵PID:8
-
\??\c:\200848.exec:\200848.exe112⤵PID:1596
-
\??\c:\82024.exec:\82024.exe113⤵
- System Location Discovery: System Language Discovery
PID:3532 -
\??\c:\44488.exec:\44488.exe114⤵PID:208
-
\??\c:\o886442.exec:\o886442.exe115⤵PID:716
-
\??\c:\28248.exec:\28248.exe116⤵PID:948
-
\??\c:\vddjd.exec:\vddjd.exe117⤵PID:3648
-
\??\c:\7xfrlfx.exec:\7xfrlfx.exe118⤵PID:4792
-
\??\c:\bbthht.exec:\bbthht.exe119⤵PID:1888
-
\??\c:\0886042.exec:\0886042.exe120⤵PID:2816
-
\??\c:\242262.exec:\242262.exe121⤵PID:5076
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe122⤵PID:4180