Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 08:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2b3abc7bd204182229353eb14d3c46fa0bb1013879b6621072612a22f1a63ea1N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
2b3abc7bd204182229353eb14d3c46fa0bb1013879b6621072612a22f1a63ea1N.exe
-
Size
455KB
-
MD5
02f0f3f5f0518f0b7efa6df356b34a30
-
SHA1
cb528f8d4a8572603b8bed76d50c0cc316a9ce45
-
SHA256
2b3abc7bd204182229353eb14d3c46fa0bb1013879b6621072612a22f1a63ea1
-
SHA512
a553cd050aff53624f1103455a9b4e7d666401676c7fe14142d3a134fbc7fe62d82784ad049e69dc7e8d63643745a72748c96b7b5174fca512de26b9f2d3143e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbew:q7Tc2NYHUrAwfMp3CDw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4748-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4264-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1860-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4880 nnnnnn.exe 4132 lrrrllf.exe 2312 nbbttt.exe 3248 vpjdd.exe 3804 djjdv.exe 552 fflfxxr.exe 4968 5bbtnn.exe 4120 jvdvp.exe 1804 dpvpp.exe 3616 frxrllf.exe 2600 hbhbtt.exe 1924 vjvvd.exe 3864 lxxxlfx.exe 4976 lrxrfrr.exe 3936 htttnb.exe 2112 pddpp.exe 4808 3lrlflf.exe 4264 fllxrrx.exe 2364 nbbtnn.exe 1096 pdjjv.exe 4716 fffllfr.exe 1600 rffxxxl.exe 4232 bttnhb.exe 3080 pppjd.exe 5028 lffxrrl.exe 4992 xxfxxxx.exe 1284 tnbthb.exe 1536 djpjd.exe 2280 7llfxxl.exe 1660 tnhhbh.exe 3308 hbnhbh.exe 3732 pvppj.exe 692 1xxlfxr.exe 2056 hhttbb.exe 4320 nnhttn.exe 3176 vjjvp.exe 1008 1rxrrrx.exe 1672 tnnhbb.exe 1400 9dvjj.exe 1848 pjjdv.exe 5008 frfxxrx.exe 2000 5nnnhn.exe 4528 pjpjj.exe 2540 jdddv.exe 1732 rfffxxr.exe 452 3bhbtt.exe 2332 nnnnhh.exe 3224 pppdd.exe 1680 lflllfr.exe 2512 xrxrxxf.exe 820 tthtbt.exe 4748 9vppj.exe 2492 lfffxxx.exe 3944 ttnhbt.exe 3020 5pjdv.exe 5064 lfllffl.exe 4268 hnnnhn.exe 1932 jjjdd.exe 3540 fxllrrx.exe 2976 btbttt.exe 3756 jpjdv.exe 4688 xxffrll.exe 2240 xrxxxff.exe 644 nhhbtt.exe -
resource yara_rule behavioral2/memory/4748-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-102-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3936-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1156-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-828-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4748 wrote to memory of 4880 4748 2b3abc7bd204182229353eb14d3c46fa0bb1013879b6621072612a22f1a63ea1N.exe 83 PID 4748 wrote to memory of 4880 4748 2b3abc7bd204182229353eb14d3c46fa0bb1013879b6621072612a22f1a63ea1N.exe 83 PID 4748 wrote to memory of 4880 4748 2b3abc7bd204182229353eb14d3c46fa0bb1013879b6621072612a22f1a63ea1N.exe 83 PID 4880 wrote to memory of 4132 4880 nnnnnn.exe 84 PID 4880 wrote to memory of 4132 4880 nnnnnn.exe 84 PID 4880 wrote to memory of 4132 4880 nnnnnn.exe 84 PID 4132 wrote to memory of 2312 4132 lrrrllf.exe 85 PID 4132 wrote to memory of 2312 4132 lrrrllf.exe 85 PID 4132 wrote to memory of 2312 4132 lrrrllf.exe 85 PID 2312 wrote to memory of 3248 2312 nbbttt.exe 86 PID 2312 wrote to memory of 3248 2312 nbbttt.exe 86 PID 2312 wrote to memory of 3248 2312 nbbttt.exe 86 PID 3248 wrote to memory of 3804 3248 vpjdd.exe 87 PID 3248 wrote to memory of 3804 3248 vpjdd.exe 87 PID 3248 wrote to memory of 3804 3248 vpjdd.exe 87 PID 3804 wrote to memory of 552 3804 djjdv.exe 88 PID 3804 wrote to memory of 552 3804 djjdv.exe 88 PID 3804 wrote to memory of 552 3804 djjdv.exe 88 PID 552 wrote to memory of 4968 552 fflfxxr.exe 89 PID 552 wrote to memory of 4968 552 fflfxxr.exe 89 PID 552 wrote to memory of 4968 552 fflfxxr.exe 89 PID 4968 wrote to memory of 4120 4968 5bbtnn.exe 90 PID 4968 wrote to memory of 4120 4968 5bbtnn.exe 90 PID 4968 wrote to memory of 4120 4968 5bbtnn.exe 90 PID 4120 wrote to memory of 1804 4120 jvdvp.exe 91 PID 4120 wrote to memory of 1804 4120 jvdvp.exe 91 PID 4120 wrote to memory of 1804 4120 jvdvp.exe 91 PID 1804 wrote to memory of 3616 1804 dpvpp.exe 92 PID 1804 wrote to memory of 3616 1804 dpvpp.exe 92 PID 1804 wrote to memory of 3616 1804 dpvpp.exe 92 PID 3616 wrote to memory of 2600 3616 frxrllf.exe 93 PID 3616 wrote to memory of 2600 3616 frxrllf.exe 93 PID 3616 wrote to memory of 2600 3616 frxrllf.exe 93 PID 2600 wrote to memory of 1924 2600 hbhbtt.exe 94 PID 2600 wrote to memory of 
1924 2600 hbhbtt.exe 94 PID 2600 wrote to memory of 1924 2600 hbhbtt.exe 94 PID 1924 wrote to memory of 3864 1924 vjvvd.exe 95 PID 1924 wrote to memory of 3864 1924 vjvvd.exe 95 PID 1924 wrote to memory of 3864 1924 vjvvd.exe 95 PID 3864 wrote to memory of 4976 3864 lxxxlfx.exe 96 PID 3864 wrote to memory of 4976 3864 lxxxlfx.exe 96 PID 3864 wrote to memory of 4976 3864 lxxxlfx.exe 96 PID 4976 wrote to memory of 3936 4976 lrxrfrr.exe 97 PID 4976 wrote to memory of 3936 4976 lrxrfrr.exe 97 PID 4976 wrote to memory of 3936 4976 lrxrfrr.exe 97 PID 3936 wrote to memory of 2112 3936 htttnb.exe 98 PID 3936 wrote to memory of 2112 3936 htttnb.exe 98 PID 3936 wrote to memory of 2112 3936 htttnb.exe 98 PID 2112 wrote to memory of 4808 2112 pddpp.exe 99 PID 2112 wrote to memory of 4808 2112 pddpp.exe 99 PID 2112 wrote to memory of 4808 2112 pddpp.exe 99 PID 4808 wrote to memory of 4264 4808 3lrlflf.exe 100 PID 4808 wrote to memory of 4264 4808 3lrlflf.exe 100 PID 4808 wrote to memory of 4264 4808 3lrlflf.exe 100 PID 4264 wrote to memory of 2364 4264 fllxrrx.exe 101 PID 4264 wrote to memory of 2364 4264 fllxrrx.exe 101 PID 4264 wrote to memory of 2364 4264 fllxrrx.exe 101 PID 2364 wrote to memory of 1096 2364 nbbtnn.exe 153 PID 2364 wrote to memory of 1096 2364 nbbtnn.exe 153 PID 2364 wrote to memory of 1096 2364 nbbtnn.exe 153 PID 1096 wrote to memory of 4716 1096 pdjjv.exe 103 PID 1096 wrote to memory of 4716 1096 pdjjv.exe 103 PID 1096 wrote to memory of 4716 1096 pdjjv.exe 103 PID 4716 wrote to memory of 1600 4716 fffllfr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b3abc7bd204182229353eb14d3c46fa0bb1013879b6621072612a22f1a63ea1N.exe"C:\Users\Admin\AppData\Local\Temp\2b3abc7bd204182229353eb14d3c46fa0bb1013879b6621072612a22f1a63ea1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\nnnnnn.exec:\nnnnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\lrrrllf.exec:\lrrrllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\nbbttt.exec:\nbbttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\vpjdd.exec:\vpjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\djjdv.exec:\djjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\fflfxxr.exec:\fflfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\5bbtnn.exec:\5bbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\jvdvp.exec:\jvdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\dpvpp.exec:\dpvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\frxrllf.exec:\frxrllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\hbhbtt.exec:\hbhbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\vjvvd.exec:\vjvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\lxxxlfx.exec:\lxxxlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\lrxrfrr.exec:\lrxrfrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\htttnb.exec:\htttnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\pddpp.exec:\pddpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\3lrlflf.exec:\3lrlflf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\fllxrrx.exec:\fllxrrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\nbbtnn.exec:\nbbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\pdjjv.exec:\pdjjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\fffllfr.exec:\fffllfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\rffxxxl.exec:\rffxxxl.exe23⤵
- Executes dropped EXE
PID:1600 -
\??\c:\bttnhb.exec:\bttnhb.exe24⤵
- Executes dropped EXE
PID:4232 -
\??\c:\pppjd.exec:\pppjd.exe25⤵
- Executes dropped EXE
PID:3080 -
\??\c:\lffxrrl.exec:\lffxrrl.exe26⤵
- Executes dropped EXE
PID:5028 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe27⤵
- Executes dropped EXE
PID:4992 -
\??\c:\tnbthb.exec:\tnbthb.exe28⤵
- Executes dropped EXE
PID:1284 -
\??\c:\djpjd.exec:\djpjd.exe29⤵
- Executes dropped EXE
PID:1536 -
\??\c:\7llfxxl.exec:\7llfxxl.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\tnhhbh.exec:\tnhhbh.exe31⤵
- Executes dropped EXE
PID:1660 -
\??\c:\hbnhbh.exec:\hbnhbh.exe32⤵
- Executes dropped EXE
PID:3308 -
\??\c:\pvppj.exec:\pvppj.exe33⤵
- Executes dropped EXE
PID:3732 -
\??\c:\1xxlfxr.exec:\1xxlfxr.exe34⤵
- Executes dropped EXE
PID:692 -
\??\c:\hhttbb.exec:\hhttbb.exe35⤵
- Executes dropped EXE
PID:2056 -
\??\c:\nnhttn.exec:\nnhttn.exe36⤵
- Executes dropped EXE
PID:4320 -
\??\c:\vjjvp.exec:\vjjvp.exe37⤵
- Executes dropped EXE
PID:3176 -
\??\c:\1rxrrrx.exec:\1rxrrrx.exe38⤵
- Executes dropped EXE
PID:1008 -
\??\c:\tnnhbb.exec:\tnnhbb.exe39⤵
- Executes dropped EXE
PID:1672 -
\??\c:\9dvjj.exec:\9dvjj.exe40⤵
- Executes dropped EXE
PID:1400 -
\??\c:\pjjdv.exec:\pjjdv.exe41⤵
- Executes dropped EXE
PID:1848 -
\??\c:\frfxxrx.exec:\frfxxrx.exe42⤵
- Executes dropped EXE
PID:5008 -
\??\c:\5nnnhn.exec:\5nnnhn.exe43⤵
- Executes dropped EXE
PID:2000 -
\??\c:\pjpjj.exec:\pjpjj.exe44⤵
- Executes dropped EXE
PID:4528 -
\??\c:\jdddv.exec:\jdddv.exe45⤵
- Executes dropped EXE
PID:2540 -
\??\c:\rfffxxr.exec:\rfffxxr.exe46⤵
- Executes dropped EXE
PID:1732 -
\??\c:\3bhbtt.exec:\3bhbtt.exe47⤵
- Executes dropped EXE
PID:452 -
\??\c:\nnnnhh.exec:\nnnnhh.exe48⤵
- Executes dropped EXE
PID:2332 -
\??\c:\pppdd.exec:\pppdd.exe49⤵
- Executes dropped EXE
PID:3224 -
\??\c:\lflllfr.exec:\lflllfr.exe50⤵
- Executes dropped EXE
PID:1680 -
\??\c:\xrxrxxf.exec:\xrxrxxf.exe51⤵
- Executes dropped EXE
PID:2512 -
\??\c:\tthtbt.exec:\tthtbt.exe52⤵
- Executes dropped EXE
PID:820 -
\??\c:\9vppj.exec:\9vppj.exe53⤵
- Executes dropped EXE
PID:4748 -
\??\c:\lfffxxx.exec:\lfffxxx.exe54⤵
- Executes dropped EXE
PID:2492 -
\??\c:\ttnhbt.exec:\ttnhbt.exe55⤵
- Executes dropped EXE
PID:3944 -
\??\c:\5pjdv.exec:\5pjdv.exe56⤵
- Executes dropped EXE
PID:3020 -
\??\c:\lfllffl.exec:\lfllffl.exe57⤵
- Executes dropped EXE
PID:5064 -
\??\c:\hnnnhn.exec:\hnnnhn.exe58⤵
- Executes dropped EXE
PID:4268 -
\??\c:\jjjdd.exec:\jjjdd.exe59⤵
- Executes dropped EXE
PID:1932 -
\??\c:\fxllrrx.exec:\fxllrrx.exe60⤵
- Executes dropped EXE
PID:3540 -
\??\c:\btbttt.exec:\btbttt.exe61⤵
- Executes dropped EXE
PID:2976 -
\??\c:\jpjdv.exec:\jpjdv.exe62⤵
- Executes dropped EXE
PID:3756 -
\??\c:\xxffrll.exec:\xxffrll.exe63⤵
- Executes dropped EXE
PID:4688 -
\??\c:\xrxxxff.exec:\xrxxxff.exe64⤵
- Executes dropped EXE
PID:2240 -
\??\c:\nhhbtt.exec:\nhhbtt.exe65⤵
- Executes dropped EXE
PID:644 -
\??\c:\dpjpv.exec:\dpjpv.exe66⤵PID:3988
-
\??\c:\frxxxxr.exec:\frxxxxr.exe67⤵PID:3716
-
\??\c:\thnttt.exec:\thnttt.exe68⤵PID:4108
-
\??\c:\dddvv.exec:\dddvv.exe69⤵PID:2372
-
\??\c:\bhhbbh.exec:\bhhbbh.exe70⤵PID:2068
-
\??\c:\djpjd.exec:\djpjd.exe71⤵PID:2052
-
\??\c:\flfxllx.exec:\flfxllx.exe72⤵PID:1096
-
\??\c:\tnnbtn.exec:\tnnbtn.exe73⤵PID:3548
-
\??\c:\vdjjd.exec:\vdjjd.exe74⤵PID:3260
-
\??\c:\xfrfrrx.exec:\xfrfrrx.exe75⤵PID:1856
-
\??\c:\vjppv.exec:\vjppv.exe76⤵PID:4328
-
\??\c:\dppjv.exec:\dppjv.exe77⤵
- System Location Discovery: System Language Discovery
PID:4988 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe78⤵PID:376
-
\??\c:\bthtbb.exec:\bthtbb.exe79⤵PID:4644
-
\??\c:\dvvdj.exec:\dvvdj.exe80⤵PID:1860
-
\??\c:\7rlflfx.exec:\7rlflfx.exe81⤵PID:4384
-
\??\c:\dppjd.exec:\dppjd.exe82⤵PID:5000
-
\??\c:\llfxrrf.exec:\llfxrrf.exe83⤵PID:1156
-
\??\c:\tntnbb.exec:\tntnbb.exe84⤵PID:2368
-
\??\c:\xrfxrfx.exec:\xrfxrfx.exe85⤵PID:2304
-
\??\c:\pjdpj.exec:\pjdpj.exe86⤵PID:3800
-
\??\c:\fxrfrrl.exec:\fxrfrrl.exe87⤵PID:4708
-
\??\c:\frxfxrl.exec:\frxfxrl.exe88⤵PID:4456
-
\??\c:\tbthbn.exec:\tbthbn.exe89⤵PID:1624
-
\??\c:\vppjp.exec:\vppjp.exe90⤵PID:692
-
\??\c:\lrrxfrf.exec:\lrrxfrf.exe91⤵PID:2084
-
\??\c:\bbbtnn.exec:\bbbtnn.exe92⤵PID:1524
-
\??\c:\pdjdd.exec:\pdjdd.exe93⤵PID:2968
-
\??\c:\fxlffxf.exec:\fxlffxf.exe94⤵PID:1892
-
\??\c:\pddpj.exec:\pddpj.exe95⤵PID:1008
-
\??\c:\lffxxxr.exec:\lffxxxr.exe96⤵PID:1404
-
\??\c:\bbbtbt.exec:\bbbtbt.exe97⤵PID:4864
-
\??\c:\fffxrlf.exec:\fffxrlf.exe98⤵PID:812
-
\??\c:\hbtnnh.exec:\hbtnnh.exe99⤵PID:2012
-
\??\c:\jjvdj.exec:\jjvdj.exe100⤵PID:2716
-
\??\c:\lfrlllf.exec:\lfrlllf.exe101⤵PID:4568
-
\??\c:\tnnbtn.exec:\tnnbtn.exe102⤵PID:2896
-
\??\c:\ddpjp.exec:\ddpjp.exe103⤵PID:2016
-
\??\c:\rlxrlrl.exec:\rlxrlrl.exe104⤵PID:3192
-
\??\c:\3btbtn.exec:\3btbtn.exe105⤵PID:1612
-
\??\c:\jdddd.exec:\jdddd.exe106⤵PID:876
-
\??\c:\vdjjj.exec:\vdjjj.exe107⤵PID:1340
-
\??\c:\ntnhbb.exec:\ntnhbb.exe108⤵PID:1196
-
\??\c:\rllfxxr.exec:\rllfxxr.exe109⤵PID:4392
-
\??\c:\tbhhnn.exec:\tbhhnn.exe110⤵PID:3488
-
\??\c:\dvpjj.exec:\dvpjj.exe111⤵PID:1252
-
\??\c:\lrlfxrl.exec:\lrlfxrl.exe112⤵PID:3244
-
\??\c:\thhtnh.exec:\thhtnh.exe113⤵PID:540
-
\??\c:\dpvpp.exec:\dpvpp.exe114⤵PID:1376
-
\??\c:\pvjjd.exec:\pvjjd.exe115⤵PID:4884
-
\??\c:\lrfrlrl.exec:\lrfrlrl.exe116⤵PID:3524
-
\??\c:\nhhbtt.exec:\nhhbtt.exe117⤵PID:3968
-
\??\c:\pvpvd.exec:\pvpvd.exe118⤵PID:2312
-
\??\c:\rlrlrrl.exec:\rlrlrrl.exe119⤵PID:4220
-
\??\c:\5hhbtn.exec:\5hhbtn.exe120⤵PID:1868
-
\??\c:\hntnhh.exec:\hntnhh.exe121⤵PID:3240
-
\??\c:\pppjd.exec:\pppjd.exe122⤵PID:1528