Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 10:19
Behavioral task
behavioral1
Sample
fe792787839413ec9052e7b6a9a0d267d501191e1df639530971074b20f1b0bb.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
fe792787839413ec9052e7b6a9a0d267d501191e1df639530971074b20f1b0bb.exe
-
Size
91KB
-
MD5
d86d960a54efe7c9f9801b7fc58e35ab
-
SHA1
76fa8703bda1dbad4cd62ed2ff9c030882e2aa0e
-
SHA256
fe792787839413ec9052e7b6a9a0d267d501191e1df639530971074b20f1b0bb
-
SHA512
1b5398f0fb86e61a281ed82544ccdafcd171d6948f76109f9371a0ac99e5ab79ed4f80aa82bc703b03cb2281c54350c807bd8de3ed68f99f8303056cc236a8e1
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADUOj2YUW+S436Cn:9hOmTsF93UYfwC6GIoutyaVszyKd+XYt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2692-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1868-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1628-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1084-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1444-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2200-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1076-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2016-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1512-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2952-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2892-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3040-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1176-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4120-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2132-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3840-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/848-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3768-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2200-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3256-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3708-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/516-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3320-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4228-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2992-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1868-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/936-530-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-555-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-577-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-716-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-979-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-1085-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2504-1293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1868 xxrlxxx.exe 1628 bnnhbb.exe 1084 dpdvj.exe 5116 rlxrrrr.exe 1444 1tttht.exe 4928 djpjd.exe 2200 rxxrlff.exe 3524 thbbnb.exe 3164 9jpjd.exe 5084 flxllff.exe 1076 9tnhtt.exe 3864 vjvvp.exe 396 1xfrlfl.exe 3144 hnnbtn.exe 2016 jpvvp.exe 5072 xlfrxxx.exe 3576 nttnhh.exe 2556 pddvj.exe 1512 rffrllx.exe 2328 1bhhbb.exe 3868 nbhbnn.exe 2936 lrrlffr.exe 2892 rllrfxr.exe 2952 nnbnnn.exe 3040 jppvj.exe 1176 fffxlxx.exe 4120 7tbbbb.exe 4004 jjjvv.exe 2132 rlxrlfx.exe 5096 nnhbhb.exe 5004 pvpjv.exe 1040 7fxxlfr.exe 2752 hntthn.exe 1392 dpjdp.exe 4012 vvjvj.exe 2888 xxlfrxr.exe 4756 bnnbnh.exe 3296 1ntnbb.exe 3988 dpppv.exe 3840 llrlrlx.exe 4560 fxrxlrl.exe 3400 nntnnn.exe 3616 hbbhbt.exe 4248 xlfxrxx.exe 848 xrlfxrx.exe 1852 bbbbbt.exe 4404 5tbhbn.exe 2668 jjdpj.exe 996 fxfxllf.exe 3952 lflrffx.exe 984 thhhbb.exe 1464 djjdp.exe 2136 flxrxxf.exe 208 bntnbb.exe 4952 ttnbhb.exe 3768 jvdpv.exe 4928 7dvjv.exe 2200 lfxrxfx.exe 1292 3htttt.exe 116 9jpjv.exe 224 pjvjv.exe 316 5lxlxlx.exe 1888 5thbnt.exe 3304 jppjv.exe -
resource yara_rule behavioral2/memory/2692-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0011000000023b3d-3.dat upx behavioral2/memory/2692-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1868-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b4a-10.dat upx behavioral2/memory/1628-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b5c-16.dat upx behavioral2/memory/1084-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b5e-22.dat upx behavioral2/memory/1084-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5116-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b5f-28.dat upx behavioral2/files/0x000b000000023b60-34.dat upx behavioral2/memory/1444-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b61-39.dat upx behavioral2/memory/4928-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b63-46.dat upx behavioral2/memory/2200-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b64-52.dat upx behavioral2/memory/3524-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3164-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b66-60.dat upx behavioral2/files/0x000b000000023b67-64.dat upx behavioral2/memory/5084-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1076-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b69-72.dat upx behavioral2/files/0x000b000000023b93-78.dat upx behavioral2/memory/3864-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c77-82.dat upx behavioral2/memory/396-85-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c78-88.dat upx behavioral2/files/0x0007000000023c79-93.dat upx behavioral2/memory/5072-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2016-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7a-100.dat upx behavioral2/files/0x0007000000023c7b-105.dat upx behavioral2/memory/3576-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7c-111.dat upx behavioral2/memory/2556-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7d-116.dat upx behavioral2/memory/1512-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-123.dat upx behavioral2/memory/2328-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-129.dat upx behavioral2/memory/2936-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c80-137.dat upx behavioral2/files/0x000d000000023b4d-140.dat upx behavioral2/memory/2952-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2892-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c81-147.dat upx behavioral2/files/0x0007000000023c82-152.dat upx behavioral2/memory/3040-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c83-158.dat upx behavioral2/memory/1176-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c84-164.dat upx behavioral2/memory/4120-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c85-170.dat upx behavioral2/files/0x0007000000023c86-175.dat upx behavioral2/memory/2132-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c87-181.dat upx behavioral2/memory/5096-183-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c88-189.dat upx behavioral2/memory/5004-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1040-191-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 1868 2692 fe792787839413ec9052e7b6a9a0d267d501191e1df639530971074b20f1b0bb.exe 84 PID 2692 wrote to memory of 1868 2692 fe792787839413ec9052e7b6a9a0d267d501191e1df639530971074b20f1b0bb.exe 84 PID 2692 wrote to memory of 1868 2692 fe792787839413ec9052e7b6a9a0d267d501191e1df639530971074b20f1b0bb.exe 84 PID 1868 wrote to memory of 1628 1868 xxrlxxx.exe 85 PID 1868 wrote to memory of 1628 1868 xxrlxxx.exe 85 PID 1868 wrote to memory of 1628 1868 xxrlxxx.exe 85 PID 1628 wrote to memory of 1084 1628 bnnhbb.exe 86 PID 1628 wrote to memory of 1084 1628 bnnhbb.exe 86 PID 1628 wrote to memory of 1084 1628 bnnhbb.exe 86 PID 1084 wrote to memory of 5116 1084 dpdvj.exe 87 PID 1084 wrote to memory of 5116 1084 dpdvj.exe 87 PID 1084 wrote to memory of 5116 1084 dpdvj.exe 87 PID 5116 wrote to memory of 1444 5116 rlxrrrr.exe 88 PID 5116 wrote to memory of 1444 5116 rlxrrrr.exe 88 PID 5116 wrote to memory of 1444 5116 rlxrrrr.exe 88 PID 1444 wrote to memory of 4928 1444 1tttht.exe 89 PID 1444 wrote to memory of 4928 1444 1tttht.exe 89 PID 1444 wrote to memory of 4928 1444 1tttht.exe 89 PID 4928 wrote to memory of 2200 4928 djpjd.exe 90 PID 4928 wrote to memory of 2200 4928 djpjd.exe 90 PID 4928 wrote to memory of 2200 4928 djpjd.exe 90 PID 2200 wrote to memory of 3524 2200 rxxrlff.exe 91 PID 2200 wrote to memory of 3524 2200 rxxrlff.exe 91 PID 2200 wrote to memory of 3524 2200 rxxrlff.exe 91 PID 3524 wrote to memory of 3164 3524 thbbnb.exe 92 PID 3524 wrote to memory of 3164 3524 thbbnb.exe 92 PID 3524 wrote to memory of 3164 3524 thbbnb.exe 92 PID 3164 wrote to memory of 5084 3164 9jpjd.exe 93 PID 3164 wrote to memory of 5084 3164 9jpjd.exe 93 PID 3164 wrote to memory of 5084 3164 9jpjd.exe 93 PID 5084 wrote to memory of 1076 5084 flxllff.exe 94 PID 5084 wrote to memory of 1076 5084 flxllff.exe 94 PID 5084 wrote to memory of 1076 5084 flxllff.exe 94 PID 1076 wrote to memory of 3864 1076 9tnhtt.exe 95 PID 1076 wrote 
to memory of 3864 1076 9tnhtt.exe 95 PID 1076 wrote to memory of 3864 1076 9tnhtt.exe 95 PID 3864 wrote to memory of 396 3864 vjvvp.exe 96 PID 3864 wrote to memory of 396 3864 vjvvp.exe 96 PID 3864 wrote to memory of 396 3864 vjvvp.exe 96 PID 396 wrote to memory of 3144 396 1xfrlfl.exe 97 PID 396 wrote to memory of 3144 396 1xfrlfl.exe 97 PID 396 wrote to memory of 3144 396 1xfrlfl.exe 97 PID 3144 wrote to memory of 2016 3144 hnnbtn.exe 98 PID 3144 wrote to memory of 2016 3144 hnnbtn.exe 98 PID 3144 wrote to memory of 2016 3144 hnnbtn.exe 98 PID 2016 wrote to memory of 5072 2016 jpvvp.exe 99 PID 2016 wrote to memory of 5072 2016 jpvvp.exe 99 PID 2016 wrote to memory of 5072 2016 jpvvp.exe 99 PID 5072 wrote to memory of 3576 5072 xlfrxxx.exe 100 PID 5072 wrote to memory of 3576 5072 xlfrxxx.exe 100 PID 5072 wrote to memory of 3576 5072 xlfrxxx.exe 100 PID 3576 wrote to memory of 2556 3576 nttnhh.exe 101 PID 3576 wrote to memory of 2556 3576 nttnhh.exe 101 PID 3576 wrote to memory of 2556 3576 nttnhh.exe 101 PID 2556 wrote to memory of 1512 2556 pddvj.exe 102 PID 2556 wrote to memory of 1512 2556 pddvj.exe 102 PID 2556 wrote to memory of 1512 2556 pddvj.exe 102 PID 1512 wrote to memory of 2328 1512 rffrllx.exe 103 PID 1512 wrote to memory of 2328 1512 rffrllx.exe 103 PID 1512 wrote to memory of 2328 1512 rffrllx.exe 103 PID 2328 wrote to memory of 3868 2328 1bhhbb.exe 104 PID 2328 wrote to memory of 3868 2328 1bhhbb.exe 104 PID 2328 wrote to memory of 3868 2328 1bhhbb.exe 104 PID 3868 wrote to memory of 2936 3868 nbhbnn.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe792787839413ec9052e7b6a9a0d267d501191e1df639530971074b20f1b0bb.exe"C:\Users\Admin\AppData\Local\Temp\fe792787839413ec9052e7b6a9a0d267d501191e1df639530971074b20f1b0bb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\xxrlxxx.exec:\xxrlxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\bnnhbb.exec:\bnnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\dpdvj.exec:\dpdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\rlxrrrr.exec:\rlxrrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\1tttht.exec:\1tttht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\djpjd.exec:\djpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\rxxrlff.exec:\rxxrlff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\thbbnb.exec:\thbbnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\9jpjd.exec:\9jpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\flxllff.exec:\flxllff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\9tnhtt.exec:\9tnhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\vjvvp.exec:\vjvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\1xfrlfl.exec:\1xfrlfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\hnnbtn.exec:\hnnbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\jpvvp.exec:\jpvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\xlfrxxx.exec:\xlfrxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\nttnhh.exec:\nttnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\pddvj.exec:\pddvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\rffrllx.exec:\rffrllx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\1bhhbb.exec:\1bhhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\nbhbnn.exec:\nbhbnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\lrrlffr.exec:\lrrlffr.exe23⤵
- Executes dropped EXE
PID:2936 -
\??\c:\rllrfxr.exec:\rllrfxr.exe24⤵
- Executes dropped EXE
PID:2892 -
\??\c:\nnbnnn.exec:\nnbnnn.exe25⤵
- Executes dropped EXE
PID:2952 -
\??\c:\jppvj.exec:\jppvj.exe26⤵
- Executes dropped EXE
PID:3040 -
\??\c:\fffxlxx.exec:\fffxlxx.exe27⤵
- Executes dropped EXE
PID:1176 -
\??\c:\7tbbbb.exec:\7tbbbb.exe28⤵
- Executes dropped EXE
PID:4120 -
\??\c:\jjjvv.exec:\jjjvv.exe29⤵
- Executes dropped EXE
PID:4004 -
\??\c:\rlxrlfx.exec:\rlxrlfx.exe30⤵
- Executes dropped EXE
PID:2132 -
\??\c:\nnhbhb.exec:\nnhbhb.exe31⤵
- Executes dropped EXE
PID:5096 -
\??\c:\pvpjv.exec:\pvpjv.exe32⤵
- Executes dropped EXE
PID:5004 -
\??\c:\7fxxlfr.exec:\7fxxlfr.exe33⤵
- Executes dropped EXE
PID:1040 -
\??\c:\hntthn.exec:\hntthn.exe34⤵
- Executes dropped EXE
PID:2752 -
\??\c:\dpjdp.exec:\dpjdp.exe35⤵
- Executes dropped EXE
PID:1392 -
\??\c:\vvjvj.exec:\vvjvj.exe36⤵
- Executes dropped EXE
PID:4012 -
\??\c:\xxlfrxr.exec:\xxlfrxr.exe37⤵
- Executes dropped EXE
PID:2888 -
\??\c:\bnnbnh.exec:\bnnbnh.exe38⤵
- Executes dropped EXE
PID:4756 -
\??\c:\1ntnbb.exec:\1ntnbb.exe39⤵
- Executes dropped EXE
PID:3296 -
\??\c:\dpppv.exec:\dpppv.exe40⤵
- Executes dropped EXE
PID:3988 -
\??\c:\llrlrlx.exec:\llrlrlx.exe41⤵
- Executes dropped EXE
PID:3840 -
\??\c:\fxrxlrl.exec:\fxrxlrl.exe42⤵
- Executes dropped EXE
PID:4560 -
\??\c:\nntnnn.exec:\nntnnn.exe43⤵
- Executes dropped EXE
PID:3400 -
\??\c:\hbbhbt.exec:\hbbhbt.exe44⤵
- Executes dropped EXE
PID:3616 -
\??\c:\xlfxrxx.exec:\xlfxrxx.exe45⤵
- Executes dropped EXE
PID:4248 -
\??\c:\xrlfxrx.exec:\xrlfxrx.exe46⤵
- Executes dropped EXE
PID:848 -
\??\c:\bbbbbt.exec:\bbbbbt.exe47⤵
- Executes dropped EXE
PID:1852 -
\??\c:\5tbhbn.exec:\5tbhbn.exe48⤵
- Executes dropped EXE
PID:4404 -
\??\c:\jjdpj.exec:\jjdpj.exe49⤵
- Executes dropped EXE
PID:2668 -
\??\c:\fxfxllf.exec:\fxfxllf.exe50⤵
- Executes dropped EXE
PID:996 -
\??\c:\lflrffx.exec:\lflrffx.exe51⤵
- Executes dropped EXE
PID:3952 -
\??\c:\thhhbb.exec:\thhhbb.exe52⤵
- Executes dropped EXE
PID:984 -
\??\c:\djjdp.exec:\djjdp.exe53⤵
- Executes dropped EXE
PID:1464 -
\??\c:\flxrxxf.exec:\flxrxxf.exe54⤵
- Executes dropped EXE
PID:2136 -
\??\c:\bntnbb.exec:\bntnbb.exe55⤵
- Executes dropped EXE
PID:208 -
\??\c:\ttnbhb.exec:\ttnbhb.exe56⤵
- Executes dropped EXE
PID:4952 -
\??\c:\jvdpv.exec:\jvdpv.exe57⤵
- Executes dropped EXE
PID:3768 -
\??\c:\7dvjv.exec:\7dvjv.exe58⤵
- Executes dropped EXE
PID:4928 -
\??\c:\lfxrxfx.exec:\lfxrxfx.exe59⤵
- Executes dropped EXE
PID:2200 -
\??\c:\3htttt.exec:\3htttt.exe60⤵
- Executes dropped EXE
PID:1292 -
\??\c:\9jpjv.exec:\9jpjv.exe61⤵
- Executes dropped EXE
PID:116 -
\??\c:\pjvjv.exec:\pjvjv.exe62⤵
- Executes dropped EXE
PID:224 -
\??\c:\5lxlxlx.exec:\5lxlxlx.exe63⤵
- Executes dropped EXE
PID:316 -
\??\c:\5thbnt.exec:\5thbnt.exe64⤵
- Executes dropped EXE
PID:1888 -
\??\c:\jppjv.exec:\jppjv.exe65⤵
- Executes dropped EXE
PID:3304 -
\??\c:\ppvpv.exec:\ppvpv.exe66⤵PID:384
-
\??\c:\frllfxr.exec:\frllfxr.exe67⤵PID:4360
-
\??\c:\ntttnb.exec:\ntttnb.exe68⤵PID:4996
-
\??\c:\jvdjd.exec:\jvdjd.exe69⤵PID:3008
-
\??\c:\vvvjv.exec:\vvvjv.exe70⤵PID:3256
-
\??\c:\pdpjv.exec:\pdpjv.exe71⤵PID:3708
-
\??\c:\9lfrffr.exec:\9lfrffr.exe72⤵PID:3808
-
\??\c:\ttbtnt.exec:\ttbtnt.exe73⤵PID:1028
-
\??\c:\9hbnhb.exec:\9hbnhb.exe74⤵PID:5064
-
\??\c:\dvdvd.exec:\dvdvd.exe75⤵PID:1716
-
\??\c:\xffrxrf.exec:\xffrxrf.exe76⤵PID:516
-
\??\c:\lrfxxll.exec:\lrfxxll.exe77⤵PID:3320
-
\??\c:\nbbnhb.exec:\nbbnhb.exe78⤵PID:3364
-
\??\c:\dddpd.exec:\dddpd.exe79⤵PID:3660
-
\??\c:\xlllrrl.exec:\xlllrrl.exe80⤵PID:1692
-
\??\c:\7xrrxrx.exec:\7xrrxrx.exe81⤵PID:2492
-
\??\c:\nhhnhh.exec:\nhhnhh.exe82⤵PID:3776
-
\??\c:\5jvjj.exec:\5jvjj.exe83⤵PID:4704
-
\??\c:\vpdjj.exec:\vpdjj.exe84⤵PID:3992
-
\??\c:\xllrxxr.exec:\xllrxxr.exe85⤵PID:3416
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe86⤵PID:4228
-
\??\c:\7hnbhh.exec:\7hnbhh.exe87⤵PID:3140
-
\??\c:\9jjdp.exec:\9jjdp.exe88⤵PID:2560
-
\??\c:\xrrrlrr.exec:\xrrrlrr.exe89⤵PID:3448
-
\??\c:\xfxxrlr.exec:\xfxxrlr.exe90⤵PID:2388
-
\??\c:\hntbtt.exec:\hntbtt.exe91⤵PID:5024
-
\??\c:\hhbhtt.exec:\hhbhtt.exe92⤵PID:4488
-
\??\c:\jjvpv.exec:\jjvpv.exe93⤵PID:2992
-
\??\c:\llxxflf.exec:\llxxflf.exe94⤵PID:4716
-
\??\c:\9hnnnn.exec:\9hnnnn.exe95⤵PID:2620
-
\??\c:\hhhhhh.exec:\hhhhhh.exe96⤵PID:1900
-
\??\c:\jjpjp.exec:\jjpjp.exe97⤵PID:2264
-
\??\c:\vpjdv.exec:\vpjdv.exe98⤵PID:4284
-
\??\c:\9nnnbb.exec:\9nnnbb.exe99⤵PID:5016
-
\??\c:\tnhhth.exec:\tnhhth.exe100⤵PID:792
-
\??\c:\jdpvp.exec:\jdpvp.exe101⤵PID:4540
-
\??\c:\ppdjj.exec:\ppdjj.exe102⤵PID:3840
-
\??\c:\fxfflll.exec:\fxfflll.exe103⤵PID:4560
-
\??\c:\hhbhht.exec:\hhbhht.exe104⤵PID:3400
-
\??\c:\lrrrlll.exec:\lrrrlll.exe105⤵PID:1920
-
\??\c:\tbnntb.exec:\tbnntb.exe106⤵PID:4248
-
\??\c:\9tbtnn.exec:\9tbtnn.exe107⤵PID:848
-
\??\c:\bbbbbt.exec:\bbbbbt.exe108⤵PID:1852
-
\??\c:\7vvvd.exec:\7vvvd.exe109⤵PID:4592
-
\??\c:\rllxrfx.exec:\rllxrfx.exe110⤵PID:1868
-
\??\c:\rlfffff.exec:\rlfffff.exe111⤵PID:1148
-
\??\c:\bbthhb.exec:\bbthhb.exe112⤵PID:1484
-
\??\c:\jjvvp.exec:\jjvvp.exe113⤵PID:2364
-
\??\c:\ppvvp.exec:\ppvvp.exe114⤵PID:5116
-
\??\c:\xlxrllx.exec:\xlxrllx.exe115⤵PID:1300
-
\??\c:\ffrrlll.exec:\ffrrlll.exe116⤵PID:764
-
\??\c:\tbbbtn.exec:\tbbbtn.exe117⤵PID:4952
-
\??\c:\bbhhnt.exec:\bbhhnt.exe118⤵PID:2076
-
\??\c:\pvddv.exec:\pvddv.exe119⤵PID:4056
-
\??\c:\xrrllrr.exec:\xrrllrr.exe120⤵PID:3524
-
\??\c:\9lffxxf.exec:\9lffxxf.exe121⤵PID:4940
-
\??\c:\9tbhhn.exec:\9tbhhn.exe122⤵PID:3164