Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 09:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe
-
Size
487KB
-
MD5
6ee38431c177f390173f0ab32b549408
-
SHA1
3bf399258a013dec7952affe25b0909579948802
-
SHA256
fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57
-
SHA512
c523b1a2f4bc774621e6ff64221bb462f372f514c32061839c4852034a390fa5bbfb17d47e45fe393a59f36d2df6b1f3e677e7b116a48d7e0e22d22d89c84dfb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2CfNnkymTwaJ3tb:q7Tc2NYHUrAwfMHNnplsp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2784-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2284-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3428-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-973-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-1007-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4940 rlfxrrr.exe 4824 vpjdv.exe 1788 hbbbbt.exe 2156 htbtnh.exe 3060 rllfffx.exe 1572 pdvdv.exe 1368 xrxrxrx.exe 4780 rllfffr.exe 4552 7vpjv.exe 984 nhtnhb.exe 1012 dpvjj.exe 2028 rffrffr.exe 2920 7nthtt.exe 3936 ttnnnb.exe 4424 jjdvp.exe 5000 frrfxrf.exe 3484 tntnnb.exe 1268 bthtnh.exe 3240 jvvpd.exe 4988 xlxrrll.exe 408 thnnnt.exe 3400 5tnhtb.exe 5048 dvdpj.exe 3920 rlxrrlf.exe 4904 rlrrlfl.exe 5012 hhhbnt.exe 2056 pppvj.exe 2976 pjjvj.exe 4512 5fxlfxl.exe 4696 nhbnbb.exe 1988 nhnbtn.exe 2652 dpvpv.exe 2036 xlxlxrr.exe 3064 xrlfrfr.exe 1524 bhnhbt.exe 3980 pvdpd.exe 380 3vdpj.exe 956 fxrllxx.exe 1912 nbbnhb.exe 1232 pvvjd.exe 4072 rxfrfxr.exe 4624 rffrxfx.exe 2744 ttthtb.exe 1748 pddpj.exe 2284 jvvjd.exe 2708 lxfxxrl.exe 3092 7thtnh.exe 3168 bbtnbh.exe 3008 pppjd.exe 2760 lrrfxrf.exe 2980 7hnhhh.exe 4888 htbbbt.exe 4852 5rfrllx.exe 2632 xllfrfx.exe 4584 nbnbnh.exe 4940 jjpvv.exe 396 9ppdp.exe 5080 1ffxrrl.exe 4768 btthth.exe 3648 vpdvv.exe 2156 fxxrlff.exe 664 htnnnh.exe 3688 vjjpd.exe 4732 lrlxrlx.exe -
resource yara_rule behavioral2/memory/2784-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-231-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1748-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3064-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-941-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-973-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2784 wrote to memory of 4940 2784 fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe 82 PID 2784 wrote to memory of 4940 2784 fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe 82 PID 2784 wrote to memory of 4940 2784 fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe 82 PID 4940 wrote to memory of 4824 4940 rlfxrrr.exe 83 PID 4940 wrote to memory of 4824 4940 rlfxrrr.exe 83 PID 4940 wrote to memory of 4824 4940 rlfxrrr.exe 83 PID 4824 wrote to memory of 1788 4824 vpjdv.exe 84 PID 4824 wrote to memory of 1788 4824 vpjdv.exe 84 PID 4824 wrote to memory of 1788 4824 vpjdv.exe 84 PID 1788 wrote to memory of 2156 1788 hbbbbt.exe 85 PID 1788 wrote to memory of 2156 1788 hbbbbt.exe 85 PID 1788 wrote to memory of 2156 1788 hbbbbt.exe 85 PID 2156 wrote to memory of 3060 2156 htbtnh.exe 86 PID 2156 wrote to memory of 3060 2156 htbtnh.exe 86 PID 2156 wrote to memory of 3060 2156 htbtnh.exe 86 PID 3060 wrote to memory of 1572 3060 rllfffx.exe 87 PID 3060 wrote to memory of 1572 3060 rllfffx.exe 87 PID 3060 wrote to memory of 1572 3060 rllfffx.exe 87 PID 1572 wrote to memory of 1368 1572 pdvdv.exe 88 PID 1572 wrote to memory of 1368 1572 pdvdv.exe 88 PID 1572 wrote to memory of 1368 1572 pdvdv.exe 88 PID 1368 wrote to memory of 4780 1368 xrxrxrx.exe 89 PID 1368 wrote to memory of 4780 1368 xrxrxrx.exe 89 PID 1368 wrote to memory of 4780 1368 xrxrxrx.exe 89 PID 4780 wrote to memory of 4552 4780 rllfffr.exe 90 PID 4780 wrote to memory of 4552 4780 rllfffr.exe 90 PID 4780 wrote to memory of 4552 4780 rllfffr.exe 90 PID 4552 wrote to memory of 984 4552 7vpjv.exe 91 PID 4552 wrote to memory of 984 4552 7vpjv.exe 91 PID 4552 wrote to memory of 984 4552 7vpjv.exe 91 PID 984 wrote to memory of 1012 984 nhtnhb.exe 92 PID 984 wrote to memory of 1012 984 nhtnhb.exe 92 PID 984 wrote to memory of 1012 984 nhtnhb.exe 92 PID 1012 wrote to memory of 2028 1012 dpvjj.exe 93 PID 1012 wrote to memory 
of 2028 1012 dpvjj.exe 93 PID 1012 wrote to memory of 2028 1012 dpvjj.exe 93 PID 2028 wrote to memory of 2920 2028 rffrffr.exe 94 PID 2028 wrote to memory of 2920 2028 rffrffr.exe 94 PID 2028 wrote to memory of 2920 2028 rffrffr.exe 94 PID 2920 wrote to memory of 3936 2920 7nthtt.exe 95 PID 2920 wrote to memory of 3936 2920 7nthtt.exe 95 PID 2920 wrote to memory of 3936 2920 7nthtt.exe 95 PID 3936 wrote to memory of 4424 3936 ttnnnb.exe 96 PID 3936 wrote to memory of 4424 3936 ttnnnb.exe 96 PID 3936 wrote to memory of 4424 3936 ttnnnb.exe 96 PID 4424 wrote to memory of 5000 4424 jjdvp.exe 97 PID 4424 wrote to memory of 5000 4424 jjdvp.exe 97 PID 4424 wrote to memory of 5000 4424 jjdvp.exe 97 PID 5000 wrote to memory of 3484 5000 frrfxrf.exe 98 PID 5000 wrote to memory of 3484 5000 frrfxrf.exe 98 PID 5000 wrote to memory of 3484 5000 frrfxrf.exe 98 PID 3484 wrote to memory of 1268 3484 tntnnb.exe 99 PID 3484 wrote to memory of 1268 3484 tntnnb.exe 99 PID 3484 wrote to memory of 1268 3484 tntnnb.exe 99 PID 1268 wrote to memory of 3240 1268 bthtnh.exe 100 PID 1268 wrote to memory of 3240 1268 bthtnh.exe 100 PID 1268 wrote to memory of 3240 1268 bthtnh.exe 100 PID 3240 wrote to memory of 4988 3240 jvvpd.exe 101 PID 3240 wrote to memory of 4988 3240 jvvpd.exe 101 PID 3240 wrote to memory of 4988 3240 jvvpd.exe 101 PID 4988 wrote to memory of 408 4988 xlxrrll.exe 102 PID 4988 wrote to memory of 408 4988 xlxrrll.exe 102 PID 4988 wrote to memory of 408 4988 xlxrrll.exe 102 PID 408 wrote to memory of 3400 408 thnnnt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe"C:\Users\Admin\AppData\Local\Temp\fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\rlfxrrr.exec:\rlfxrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\vpjdv.exec:\vpjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\hbbbbt.exec:\hbbbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\htbtnh.exec:\htbtnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\rllfffx.exec:\rllfffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\pdvdv.exec:\pdvdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\rllfffr.exec:\rllfffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\7vpjv.exec:\7vpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\nhtnhb.exec:\nhtnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\dpvjj.exec:\dpvjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\rffrffr.exec:\rffrffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\7nthtt.exec:\7nthtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\ttnnnb.exec:\ttnnnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\jjdvp.exec:\jjdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\frrfxrf.exec:\frrfxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\tntnnb.exec:\tntnnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\bthtnh.exec:\bthtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\jvvpd.exec:\jvvpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\xlxrrll.exec:\xlxrrll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\thnnnt.exec:\thnnnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\5tnhtb.exec:\5tnhtb.exe23⤵
- Executes dropped EXE
PID:3400 -
\??\c:\dvdpj.exec:\dvdpj.exe24⤵
- Executes dropped EXE
PID:5048 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe25⤵
- Executes dropped EXE
PID:3920 -
\??\c:\rlrrlfl.exec:\rlrrlfl.exe26⤵
- Executes dropped EXE
PID:4904 -
\??\c:\hhhbnt.exec:\hhhbnt.exe27⤵
- Executes dropped EXE
PID:5012 -
\??\c:\pppvj.exec:\pppvj.exe28⤵
- Executes dropped EXE
PID:2056 -
\??\c:\pjjvj.exec:\pjjvj.exe29⤵
- Executes dropped EXE
PID:2976 -
\??\c:\5fxlfxl.exec:\5fxlfxl.exe30⤵
- Executes dropped EXE
PID:4512 -
\??\c:\nhbnbb.exec:\nhbnbb.exe31⤵
- Executes dropped EXE
PID:4696 -
\??\c:\nhnbtn.exec:\nhnbtn.exe32⤵
- Executes dropped EXE
PID:1988 -
\??\c:\dpvpv.exec:\dpvpv.exe33⤵
- Executes dropped EXE
PID:2652 -
\??\c:\xlxlxrr.exec:\xlxlxrr.exe34⤵
- Executes dropped EXE
PID:2036 -
\??\c:\xrlfrfr.exec:\xrlfrfr.exe35⤵
- Executes dropped EXE
PID:3064 -
\??\c:\bhnhbt.exec:\bhnhbt.exe36⤵
- Executes dropped EXE
PID:1524 -
\??\c:\pvdpd.exec:\pvdpd.exe37⤵
- Executes dropped EXE
PID:3980 -
\??\c:\3vdpj.exec:\3vdpj.exe38⤵
- Executes dropped EXE
PID:380 -
\??\c:\fxrllxx.exec:\fxrllxx.exe39⤵
- Executes dropped EXE
PID:956 -
\??\c:\nbbnhb.exec:\nbbnhb.exe40⤵
- Executes dropped EXE
PID:1912 -
\??\c:\pvvjd.exec:\pvvjd.exe41⤵
- Executes dropped EXE
PID:1232 -
\??\c:\rxfrfxr.exec:\rxfrfxr.exe42⤵
- Executes dropped EXE
PID:4072 -
\??\c:\rffrxfx.exec:\rffrxfx.exe43⤵
- Executes dropped EXE
PID:4624 -
\??\c:\ttthtb.exec:\ttthtb.exe44⤵
- Executes dropped EXE
PID:2744 -
\??\c:\pddpj.exec:\pddpj.exe45⤵
- Executes dropped EXE
PID:1748 -
\??\c:\jvvjd.exec:\jvvjd.exe46⤵
- Executes dropped EXE
PID:2284 -
\??\c:\lxfxxrl.exec:\lxfxxrl.exe47⤵
- Executes dropped EXE
PID:2708 -
\??\c:\7thtnh.exec:\7thtnh.exe48⤵
- Executes dropped EXE
PID:3092 -
\??\c:\bbtnbh.exec:\bbtnbh.exe49⤵
- Executes dropped EXE
PID:3168 -
\??\c:\pppjd.exec:\pppjd.exe50⤵
- Executes dropped EXE
PID:3008 -
\??\c:\lrrfxrf.exec:\lrrfxrf.exe51⤵
- Executes dropped EXE
PID:2760 -
\??\c:\7hnhhh.exec:\7hnhhh.exe52⤵
- Executes dropped EXE
PID:2980 -
\??\c:\htbbbt.exec:\htbbbt.exe53⤵
- Executes dropped EXE
PID:4888 -
\??\c:\dpjdp.exec:\dpjdp.exe54⤵PID:4352
-
\??\c:\5rfrllx.exec:\5rfrllx.exe55⤵
- Executes dropped EXE
PID:4852 -
\??\c:\xllfrfx.exec:\xllfrfx.exe56⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nbnbnh.exec:\nbnbnh.exe57⤵
- Executes dropped EXE
PID:4584 -
\??\c:\jjpvv.exec:\jjpvv.exe58⤵
- Executes dropped EXE
PID:4940 -
\??\c:\9ppdp.exec:\9ppdp.exe59⤵
- Executes dropped EXE
PID:396 -
\??\c:\1ffxrrl.exec:\1ffxrrl.exe60⤵
- Executes dropped EXE
PID:5080 -
\??\c:\btthth.exec:\btthth.exe61⤵
- Executes dropped EXE
PID:4768 -
\??\c:\vpdvv.exec:\vpdvv.exe62⤵
- Executes dropped EXE
PID:3648 -
\??\c:\fxxrlff.exec:\fxxrlff.exe63⤵
- Executes dropped EXE
PID:2156 -
\??\c:\htnnnh.exec:\htnnnh.exe64⤵
- Executes dropped EXE
PID:664 -
\??\c:\vjjpd.exec:\vjjpd.exe65⤵
- Executes dropped EXE
PID:3688 -
\??\c:\lrlxrlx.exec:\lrlxrlx.exe66⤵
- Executes dropped EXE
PID:4732 -
\??\c:\hbnhbt.exec:\hbnhbt.exe67⤵PID:1772
-
\??\c:\9ddvj.exec:\9ddvj.exe68⤵PID:3192
-
\??\c:\xrrlfrl.exec:\xrrlfrl.exe69⤵PID:2844
-
\??\c:\nhhbbt.exec:\nhhbbt.exe70⤵PID:4436
-
\??\c:\jvjdd.exec:\jvjdd.exe71⤵PID:1532
-
\??\c:\nhttnt.exec:\nhttnt.exe72⤵PID:2916
-
\??\c:\dppdj.exec:\dppdj.exe73⤵PID:4884
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe74⤵PID:2840
-
\??\c:\hbbnhb.exec:\hbbnhb.exe75⤵PID:2024
-
\??\c:\9ppdp.exec:\9ppdp.exe76⤵PID:3428
-
\??\c:\1tbtnh.exec:\1tbtnh.exe77⤵PID:2736
-
\??\c:\jvjdp.exec:\jvjdp.exe78⤵PID:3512
-
\??\c:\dddvp.exec:\dddvp.exe79⤵PID:1136
-
\??\c:\hbbhbn.exec:\hbbhbn.exe80⤵PID:3432
-
\??\c:\bhthth.exec:\bhthth.exe81⤵PID:2244
-
\??\c:\pppdp.exec:\pppdp.exe82⤵PID:2348
-
\??\c:\3ffxxrr.exec:\3ffxxrr.exe83⤵PID:2648
-
\??\c:\tnnbbt.exec:\tnnbbt.exe84⤵PID:4612
-
\??\c:\tbhhhh.exec:\tbhhhh.exe85⤵PID:460
-
\??\c:\djvdd.exec:\djvdd.exe86⤵PID:4408
-
\??\c:\7rxrlrx.exec:\7rxrlrx.exe87⤵PID:3528
-
\??\c:\bnbttn.exec:\bnbttn.exe88⤵PID:4904
-
\??\c:\7xflllf.exec:\7xflllf.exe89⤵PID:432
-
\??\c:\bbhbnn.exec:\bbhbnn.exe90⤵PID:2976
-
\??\c:\dddvj.exec:\dddvj.exe91⤵PID:4892
-
\??\c:\jdjdp.exec:\jdjdp.exe92⤵PID:3988
-
\??\c:\lfrfrrl.exec:\lfrfrrl.exe93⤵PID:1988
-
\??\c:\5hhhbb.exec:\5hhhbb.exe94⤵PID:4036
-
\??\c:\djjjv.exec:\djjjv.exe95⤵PID:3064
-
\??\c:\lxxlxrx.exec:\lxxlxrx.exe96⤵PID:3492
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe97⤵PID:4080
-
\??\c:\thhhtn.exec:\thhhtn.exe98⤵PID:4880
-
\??\c:\vpddd.exec:\vpddd.exe99⤵PID:444
-
\??\c:\fxlfrfr.exec:\fxlfrfr.exe100⤵PID:4360
-
\??\c:\bntnbt.exec:\bntnbt.exe101⤵PID:4328
-
\??\c:\jvvpj.exec:\jvvpj.exe102⤵PID:624
-
\??\c:\jdjvd.exec:\jdjvd.exe103⤵PID:1232
-
\??\c:\lllfrrr.exec:\lllfrrr.exe104⤵PID:4624
-
\??\c:\btthth.exec:\btthth.exe105⤵PID:2968
-
\??\c:\1dddj.exec:\1dddj.exe106⤵PID:1748
-
\??\c:\rrfxxxf.exec:\rrfxxxf.exe107⤵PID:3652
-
\??\c:\htttnn.exec:\htttnn.exe108⤵PID:3708
-
\??\c:\hthtnh.exec:\hthtnh.exe109⤵PID:3092
-
\??\c:\3jjvp.exec:\3jjvp.exe110⤵PID:3496
-
\??\c:\frxxrrr.exec:\frxxrrr.exe111⤵PID:4040
-
\??\c:\thbthh.exec:\thbthh.exe112⤵PID:2464
-
\??\c:\pvjvp.exec:\pvjvp.exe113⤵PID:2956
-
\??\c:\pjdpj.exec:\pjdpj.exe114⤵PID:4488
-
\??\c:\xxxrffx.exec:\xxxrffx.exe115⤵PID:1760
-
\??\c:\thnhbt.exec:\thnhbt.exe116⤵PID:3204
-
\??\c:\ntbnbt.exec:\ntbnbt.exe117⤵PID:2288
-
\??\c:\3vpjj.exec:\3vpjj.exe118⤵PID:2136
-
\??\c:\fflxlfx.exec:\fflxlfx.exe119⤵PID:4740
-
\??\c:\nhnhbb.exec:\nhnhbb.exe120⤵PID:736
-
\??\c:\9dvpd.exec:\9dvpd.exe121⤵PID:3848
-
\??\c:\5rlxlfr.exec:\5rlxlfr.exe122⤵PID:2600
-