Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-12-2024 09:13
Behavioral task
behavioral1
Sample
78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe
-
Size
65KB
-
MD5
1d153d2c1756575f601e7bc0ef323e57
-
SHA1
7537b663257b3376e984bd6cf1d2bfa4186b03ab
-
SHA256
78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806
-
SHA512
7350142b190bc763ad1c71d888099abd0a40cf53605285cadaa43d8588ad00557e8a521f809f4406b8fb2b78ab655c6d3a95170159df42c675af319e6f792abe
-
SSDEEP
1536:tvQBeOGtrYS3srx93UBWfwC6Ggnouy8gA2l5CcSgui36:thOmTsF93UYfwC6GIoutgVocSr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1276-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2844-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2640-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/808-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1808-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/372-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3468-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4696-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2168-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3272-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1388-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4100-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4356-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/828-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2624-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-515-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-531-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2308-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-593-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-603-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-607-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-798-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-880-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4988-1016-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-1182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-1433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-1716-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: PIDs are reused during the run — e.g. 4000 appears for both the original sample and vppjj.exe, and 4704 for both btbbbb.exe and jpppd.exe — so the PID-keyed memory-region IoCs above cannot be assumed to refer to a single process each)
pid Process 1276 vpvvj.exe 3100 ffxrffl.exe 4704 btbbbb.exe 2844 hbbbtt.exe 4340 pdpdp.exe 2640 xrxrrrf.exe 808 fxffxrx.exe 1808 bbttbb.exe 3456 3fffxxr.exe 736 xfrlxrf.exe 372 tbhhtn.exe 2584 jdpjj.exe 1928 pjvpv.exe 4692 llllfrr.exe 3188 5tbbth.exe 4616 bhntbb.exe 2216 jdvvp.exe 1644 rlrlfff.exe 3468 tttttn.exe 4696 nttttt.exe 2168 7dvpv.exe 4520 jvvpj.exe 3520 fffxrrr.exe 3272 fffffff.exe 4832 btnnnn.exe 4716 hbhbtt.exe 4944 vpjjj.exe 1516 pvddp.exe 4344 flrrrfx.exe 4368 tnbbbh.exe 2224 btnbbt.exe 3224 jdddd.exe 1280 rffffff.exe 1556 xfxfxrl.exe 1524 ntbbbb.exe 2972 nttnbb.exe 3184 pjjdv.exe 4912 rrrfrfr.exe 3708 fxrrrrr.exe 1388 hhhhnn.exe 4144 3dvvd.exe 4920 xrrlrxx.exe 4100 9btbbn.exe 216 vjpjv.exe 3360 5pjdv.exe 3068 rlrlxxx.exe 3932 bhbbbn.exe 2564 dvjdv.exe 1976 1xxrfff.exe 4000 vppjj.exe 1044 lxxrlll.exe 468 xrrffxl.exe 4760 ttbbbb.exe 4704 jpppd.exe 2868 vdpjv.exe 1420 9fxxfxr.exe 2240 1hnnbh.exe 4356 vdjdv.exe 4796 dpppp.exe 2980 9rrlfxx.exe 4964 7xxxrrl.exe 3492 hnnhhb.exe 4748 dpjjp.exe 4808 ffllxxx.exe -
resource yara_rule behavioral2/memory/4000-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1276-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c9e-4.dat upx behavioral2/memory/4000-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cae-12.dat upx behavioral2/files/0x0007000000023cb2-15.dat upx behavioral2/memory/3100-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4704-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-21.dat upx behavioral2/files/0x0007000000023cb4-28.dat upx behavioral2/memory/2844-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2640-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-34.dat upx behavioral2/memory/4340-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-39.dat upx behavioral2/memory/2640-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-45.dat upx behavioral2/memory/808-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-50.dat upx behavioral2/memory/1808-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3456-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/736-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-59.dat upx behavioral2/files/0x0007000000023cba-63.dat upx behavioral2/memory/372-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-69.dat upx behavioral2/memory/372-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-75.dat upx behavioral2/files/0x0007000000023cbd-80.dat upx behavioral2/memory/1928-83-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cbe-86.dat upx behavioral2/memory/3188-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-93.dat upx behavioral2/memory/4616-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-98.dat upx behavioral2/memory/4616-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-104.dat upx behavioral2/memory/2216-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-110.dat upx behavioral2/memory/1644-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3468-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-118.dat upx behavioral2/memory/4696-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-123.dat upx behavioral2/memory/2168-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-128.dat upx behavioral2/files/0x0007000000023cc7-134.dat upx behavioral2/memory/4520-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-140.dat upx behavioral2/memory/3520-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3272-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-147.dat upx behavioral2/files/0x0007000000023ccb-153.dat upx behavioral2/memory/4716-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-158.dat upx behavioral2/memory/4832-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-163.dat upx behavioral2/files/0x0007000000023cce-169.dat upx behavioral2/files/0x0007000000023ccf-174.dat upx behavioral2/files/0x0007000000023cd0-180.dat upx behavioral2/files/0x0007000000023cd1-186.dat upx 
behavioral2/memory/4368-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1524-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3184-206-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location. Most of the IoCs below are attributed to "Process not Found", i.e. the sandbox could not map the registry access to a process that was still running when the event was recorded, so the per-process attribution is incomplete and the named processes are a lower bound. On its own this key lookup is a low-confidence indicator and should be weighed together with the other signatures on this page.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4000 wrote to memory of 1276 4000 78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe 83 PID 4000 wrote to memory of 1276 4000 78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe 83 PID 4000 wrote to memory of 1276 4000 78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe 83 PID 1276 wrote to memory of 3100 1276 vpvvj.exe 84 PID 1276 wrote to memory of 3100 1276 vpvvj.exe 84 PID 1276 wrote to memory of 3100 1276 vpvvj.exe 84 PID 3100 wrote to memory of 4704 3100 ffxrffl.exe 85 PID 3100 wrote to memory of 4704 3100 ffxrffl.exe 85 PID 3100 wrote to memory of 4704 3100 ffxrffl.exe 85 PID 4704 wrote to memory of 2844 4704 btbbbb.exe 86 PID 4704 wrote to memory of 2844 4704 btbbbb.exe 86 PID 4704 wrote to memory of 2844 4704 btbbbb.exe 86 PID 2844 wrote to memory of 4340 2844 hbbbtt.exe 87 PID 2844 wrote to memory of 4340 2844 hbbbtt.exe 87 PID 2844 wrote to memory of 4340 2844 hbbbtt.exe 87 PID 4340 wrote to memory of 2640 4340 pdpdp.exe 88 PID 4340 wrote to memory of 2640 4340 pdpdp.exe 88 PID 4340 wrote to memory of 2640 4340 pdpdp.exe 88 PID 2640 wrote to memory of 808 2640 xrxrrrf.exe 89 PID 2640 wrote to memory of 808 2640 xrxrrrf.exe 89 PID 2640 wrote to memory of 808 2640 xrxrrrf.exe 89 PID 808 wrote to memory of 1808 808 fxffxrx.exe 90 PID 808 wrote to memory of 1808 808 fxffxrx.exe 90 PID 808 wrote to memory of 1808 808 fxffxrx.exe 90 PID 1808 wrote to memory of 3456 1808 bbttbb.exe 91 PID 1808 wrote to memory of 3456 1808 bbttbb.exe 91 PID 1808 wrote to memory of 3456 1808 bbttbb.exe 91 PID 3456 wrote to memory of 736 3456 3fffxxr.exe 92 PID 3456 wrote to memory of 736 3456 3fffxxr.exe 92 PID 3456 wrote to memory of 736 3456 3fffxxr.exe 92 PID 736 wrote to memory of 372 736 xfrlxrf.exe 93 PID 736 wrote to memory of 372 736 xfrlxrf.exe 93 PID 736 wrote to memory of 372 736 xfrlxrf.exe 93 PID 372 wrote to memory of 2584 372 tbhhtn.exe 94 PID 372 wrote to memory of 2584 
372 tbhhtn.exe 94 PID 372 wrote to memory of 2584 372 tbhhtn.exe 94 PID 2584 wrote to memory of 1928 2584 jdpjj.exe 95 PID 2584 wrote to memory of 1928 2584 jdpjj.exe 95 PID 2584 wrote to memory of 1928 2584 jdpjj.exe 95 PID 1928 wrote to memory of 4692 1928 pjvpv.exe 96 PID 1928 wrote to memory of 4692 1928 pjvpv.exe 96 PID 1928 wrote to memory of 4692 1928 pjvpv.exe 96 PID 4692 wrote to memory of 3188 4692 llllfrr.exe 97 PID 4692 wrote to memory of 3188 4692 llllfrr.exe 97 PID 4692 wrote to memory of 3188 4692 llllfrr.exe 97 PID 3188 wrote to memory of 4616 3188 5tbbth.exe 98 PID 3188 wrote to memory of 4616 3188 5tbbth.exe 98 PID 3188 wrote to memory of 4616 3188 5tbbth.exe 98 PID 4616 wrote to memory of 2216 4616 bhntbb.exe 99 PID 4616 wrote to memory of 2216 4616 bhntbb.exe 99 PID 4616 wrote to memory of 2216 4616 bhntbb.exe 99 PID 2216 wrote to memory of 1644 2216 jdvvp.exe 100 PID 2216 wrote to memory of 1644 2216 jdvvp.exe 100 PID 2216 wrote to memory of 1644 2216 jdvvp.exe 100 PID 1644 wrote to memory of 3468 1644 rlrlfff.exe 101 PID 1644 wrote to memory of 3468 1644 rlrlfff.exe 101 PID 1644 wrote to memory of 3468 1644 rlrlfff.exe 101 PID 3468 wrote to memory of 4696 3468 tttttn.exe 102 PID 3468 wrote to memory of 4696 3468 tttttn.exe 102 PID 3468 wrote to memory of 4696 3468 tttttn.exe 102 PID 4696 wrote to memory of 2168 4696 nttttt.exe 103 PID 4696 wrote to memory of 2168 4696 nttttt.exe 103 PID 4696 wrote to memory of 2168 4696 nttttt.exe 103 PID 2168 wrote to memory of 4520 2168 7dvpv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe "C:\Users\Admin\AppData\Local\Temp\78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\vpvvj.exec:\vpvvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\ffxrffl.exec:\ffxrffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\btbbbb.exec:\btbbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\hbbbtt.exec:\hbbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\pdpdp.exec:\pdpdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\xrxrrrf.exec:\xrxrrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\fxffxrx.exec:\fxffxrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\bbttbb.exec:\bbttbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\3fffxxr.exec:\3fffxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\xfrlxrf.exec:\xfrlxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\tbhhtn.exec:\tbhhtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\jdpjj.exec:\jdpjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\pjvpv.exec:\pjvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\llllfrr.exec:\llllfrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\5tbbth.exec:\5tbbth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\bhntbb.exec:\bhntbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\jdvvp.exec:\jdvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\rlrlfff.exec:\rlrlfff.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\tttttn.exec:\tttttn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\nttttt.exec:\nttttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\7dvpv.exec:\7dvpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\jvvpj.exec:\jvvpj.exe23⤵
- Executes dropped EXE
PID:4520 -
\??\c:\fffxrrr.exec:\fffxrrr.exe24⤵
- Executes dropped EXE
PID:3520 -
\??\c:\fffffff.exec:\fffffff.exe25⤵
- Executes dropped EXE
PID:3272 -
\??\c:\btnnnn.exec:\btnnnn.exe26⤵
- Executes dropped EXE
PID:4832 -
\??\c:\hbhbtt.exec:\hbhbtt.exe27⤵
- Executes dropped EXE
PID:4716 -
\??\c:\vpjjj.exec:\vpjjj.exe28⤵
- Executes dropped EXE
PID:4944 -
\??\c:\pvddp.exec:\pvddp.exe29⤵
- Executes dropped EXE
PID:1516 -
\??\c:\flrrrfx.exec:\flrrrfx.exe30⤵
- Executes dropped EXE
PID:4344 -
\??\c:\tnbbbh.exec:\tnbbbh.exe31⤵
- Executes dropped EXE
PID:4368 -
\??\c:\btnbbt.exec:\btnbbt.exe32⤵
- Executes dropped EXE
PID:2224 -
\??\c:\jdddd.exec:\jdddd.exe33⤵
- Executes dropped EXE
PID:3224 -
\??\c:\rffffff.exec:\rffffff.exe34⤵
- Executes dropped EXE
PID:1280 -
\??\c:\xfxfxrl.exec:\xfxfxrl.exe35⤵
- Executes dropped EXE
PID:1556 -
\??\c:\ntbbbb.exec:\ntbbbb.exe36⤵
- Executes dropped EXE
PID:1524 -
\??\c:\nttnbb.exec:\nttnbb.exe37⤵
- Executes dropped EXE
PID:2972 -
\??\c:\pjjdv.exec:\pjjdv.exe38⤵
- Executes dropped EXE
PID:3184 -
\??\c:\rrrfrfr.exec:\rrrfrfr.exe39⤵
- Executes dropped EXE
PID:4912 -
\??\c:\fxrrrrr.exec:\fxrrrrr.exe40⤵
- Executes dropped EXE
PID:3708 -
\??\c:\hhhhnn.exec:\hhhhnn.exe41⤵
- Executes dropped EXE
PID:1388 -
\??\c:\3dvvd.exec:\3dvvd.exe42⤵
- Executes dropped EXE
PID:4144 -
\??\c:\xrrlrxx.exec:\xrrlrxx.exe43⤵
- Executes dropped EXE
PID:4920 -
\??\c:\9btbbn.exec:\9btbbn.exe44⤵
- Executes dropped EXE
PID:4100 -
\??\c:\vjpjv.exec:\vjpjv.exe45⤵
- Executes dropped EXE
PID:216 -
\??\c:\5pjdv.exec:\5pjdv.exe46⤵
- Executes dropped EXE
PID:3360 -
\??\c:\rlrlxxx.exec:\rlrlxxx.exe47⤵
- Executes dropped EXE
PID:3068 -
\??\c:\bhbbbn.exec:\bhbbbn.exe48⤵
- Executes dropped EXE
PID:3932 -
\??\c:\dvjdv.exec:\dvjdv.exe49⤵
- Executes dropped EXE
PID:2564 -
\??\c:\1xxrfff.exec:\1xxrfff.exe50⤵
- Executes dropped EXE
PID:1976 -
\??\c:\9bbnhh.exec:\9bbnhh.exe51⤵PID:4656
-
\??\c:\vppjj.exec:\vppjj.exe52⤵
- Executes dropped EXE
PID:4000 -
\??\c:\lxxrlll.exec:\lxxrlll.exe53⤵
- Executes dropped EXE
PID:1044 -
\??\c:\xrrffxl.exec:\xrrffxl.exe54⤵
- Executes dropped EXE
PID:468 -
\??\c:\ttbbbb.exec:\ttbbbb.exe55⤵
- Executes dropped EXE
PID:4760 -
\??\c:\jpppd.exec:\jpppd.exe56⤵
- Executes dropped EXE
PID:4704 -
\??\c:\vdpjv.exec:\vdpjv.exe57⤵
- Executes dropped EXE
PID:2868 -
\??\c:\9fxxfxr.exec:\9fxxfxr.exe58⤵
- Executes dropped EXE
PID:1420 -
\??\c:\1hnnbh.exec:\1hnnbh.exe59⤵
- Executes dropped EXE
PID:2240 -
\??\c:\vdjdv.exec:\vdjdv.exe60⤵
- Executes dropped EXE
PID:4356 -
\??\c:\dpppp.exec:\dpppp.exe61⤵
- Executes dropped EXE
PID:4796 -
\??\c:\9rrlfxx.exec:\9rrlfxx.exe62⤵
- Executes dropped EXE
PID:2980 -
\??\c:\7xxxrrl.exec:\7xxxrrl.exe63⤵
- Executes dropped EXE
PID:4964 -
\??\c:\hnnhhb.exec:\hnnhhb.exe64⤵
- Executes dropped EXE
PID:3492 -
\??\c:\dpjjp.exec:\dpjjp.exe65⤵
- Executes dropped EXE
PID:4748 -
\??\c:\ffllxxx.exec:\ffllxxx.exe66⤵
- Executes dropped EXE
PID:4808 -
\??\c:\hbnnhh.exec:\hbnnhh.exe67⤵PID:2588
-
\??\c:\pjpvp.exec:\pjpvp.exe68⤵PID:524
-
\??\c:\dvpjd.exec:\dvpjd.exe69⤵PID:828
-
\??\c:\vdvjv.exec:\vdvjv.exe70⤵PID:1928
-
\??\c:\1lfxrrr.exec:\1lfxrrr.exe71⤵PID:1836
-
\??\c:\bbhhhh.exec:\bbhhhh.exe72⤵PID:3840
-
\??\c:\dvppd.exec:\dvppd.exe73⤵PID:4152
-
\??\c:\pddvp.exec:\pddvp.exe74⤵PID:4616
-
\??\c:\xfffflf.exec:\xfffflf.exe75⤵PID:3524
-
\??\c:\tntnhn.exec:\tntnhn.exe76⤵PID:3680
-
\??\c:\xffffll.exec:\xffffll.exe77⤵PID:3448
-
\??\c:\hbhbtn.exec:\hbhbtn.exe78⤵PID:3468
-
\??\c:\hbnhnn.exec:\hbnhnn.exe79⤵PID:396
-
\??\c:\jdvvp.exec:\jdvvp.exe80⤵PID:548
-
\??\c:\frrlffr.exec:\frrlffr.exe81⤵PID:1060
-
\??\c:\nbbhhh.exec:\nbbhhh.exe82⤵PID:4520
-
\??\c:\hnnnnt.exec:\hnnnnt.exe83⤵PID:772
-
\??\c:\jvddp.exec:\jvddp.exe84⤵PID:3620
-
\??\c:\lfxrfff.exec:\lfxrfff.exe85⤵PID:4724
-
\??\c:\rxxxxfx.exec:\rxxxxfx.exe86⤵PID:2624
-
\??\c:\thhhbb.exec:\thhhbb.exe87⤵PID:2144
-
\??\c:\tntttt.exec:\tntttt.exe88⤵PID:3376
-
\??\c:\pdjpp.exec:\pdjpp.exe89⤵PID:3956
-
\??\c:\ffllffl.exec:\ffllffl.exe90⤵PID:3624
-
\??\c:\lfllrxl.exec:\lfllrxl.exe91⤵PID:2284
-
\??\c:\hnnntn.exec:\hnnntn.exe92⤵PID:1112
-
\??\c:\thhbtt.exec:\thhbtt.exe93⤵PID:1220
-
\??\c:\vpvpp.exec:\vpvpp.exe94⤵PID:2812
-
\??\c:\djjjj.exec:\djjjj.exe95⤵PID:1444
-
\??\c:\xxrlfxl.exec:\xxrlfxl.exe96⤵PID:1524
-
\??\c:\nhbtbt.exec:\nhbtbt.exe97⤵PID:3928
-
\??\c:\rfrlxrl.exec:\rfrlxrl.exe98⤵PID:3184
-
\??\c:\llxfffx.exec:\llxfffx.exe99⤵PID:3412
-
\??\c:\bntnbn.exec:\bntnbn.exe100⤵PID:3024
-
\??\c:\vvdpj.exec:\vvdpj.exe101⤵PID:4148
-
\??\c:\fxxrlrl.exec:\fxxrlrl.exe102⤵PID:3208
-
\??\c:\7lrlrrx.exec:\7lrlrrx.exe103⤵PID:768
-
\??\c:\flrxxfx.exec:\flrxxfx.exe104⤵PID:4784
-
\??\c:\ththbt.exec:\ththbt.exe105⤵PID:5096
-
\??\c:\3vvpd.exec:\3vvpd.exe106⤵PID:1980
-
\??\c:\lrlrxfr.exec:\lrlrxfr.exe107⤵PID:2984
-
\??\c:\fxrrlll.exec:\fxrrlll.exe108⤵PID:3480
-
\??\c:\thnntt.exec:\thnntt.exe109⤵PID:5100
-
\??\c:\1ddvj.exec:\1ddvj.exe110⤵PID:3104
-
\??\c:\pdjdv.exec:\pdjdv.exe111⤵PID:4288
-
\??\c:\xrfxfxl.exec:\xrfxfxl.exe112⤵PID:1976
-
\??\c:\rllfrrl.exec:\rllfrrl.exe113⤵PID:1276
-
\??\c:\btnnhh.exec:\btnnhh.exe114⤵PID:2392
-
\??\c:\jvddj.exec:\jvddj.exe115⤵PID:4160
-
\??\c:\pjjdv.exec:\pjjdv.exe116⤵PID:3312
-
\??\c:\dvdvp.exec:\dvdvp.exe117⤵PID:464
-
\??\c:\lxrlfll.exec:\lxrlfll.exe118⤵PID:4804
-
\??\c:\tbbtbb.exec:\tbbtbb.exe119⤵PID:3460
-
\??\c:\jppjv.exec:\jppjv.exe120⤵PID:2456
-
\??\c:\jddvv.exec:\jddvv.exe121⤵PID:1224
-
\??\c:\rllfxxr.exec:\rllfxxr.exe122⤵PID:5040