Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
317a1e13863470f415deb8f3e9764244325844a645548da51bcbcf757cc32532N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
317a1e13863470f415deb8f3e9764244325844a645548da51bcbcf757cc32532N.exe
-
Size
456KB
-
MD5
3a1faea2e629bd25ee9f1e53d3f69dc0
-
SHA1
8f936dcbe7b843782d05703cb9b918d9704b880f
-
SHA256
317a1e13863470f415deb8f3e9764244325844a645548da51bcbcf757cc32532
-
SHA512
84f5493a6e83b23d07541b4c80a10abebd8f598e53a6b11996ede44f3d0328b9e3ac470d268baa42ca6511bb0541c10a5b121eea5bd305101d7eebf273c003b5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRU:q7Tc2NYHUrAwfMp3CDRU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3444-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1512-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4372-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4892-1559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4620 rffxlfx.exe 3356 ttbtbt.exe 3776 bbbtnh.exe 1836 xrxlrrr.exe 232 pjjdv.exe 1308 ththtn.exe 828 1dvvp.exe 1504 9bbbbh.exe 3196 vjvvd.exe 4316 nnntnn.exe 3476 1ffxllf.exe 2396 rflllff.exe 4060 hnbtnh.exe 372 1vvpd.exe 1172 fflxflf.exe 3128 btnbnh.exe 4252 dvpjv.exe 4852 fxlfffl.exe 2260 ntnhbt.exe 4640 htnhtn.exe 1500 jvdvj.exe 468 3bthtb.exe 1556 pddpj.exe 1216 fffrrll.exe 4600 tnthbb.exe 4568 htbtnn.exe 1512 lfxlfxr.exe 1944 5rrlxrl.exe 3540 dppdv.exe 2348 ddjvj.exe 1584 3lxrffr.exe 4176 hbbnht.exe 1320 jvjjp.exe 1760 jddvv.exe 4212 vjjdj.exe 2368 jvpdv.exe 1132 dvpjv.exe 1384 dvvjv.exe 952 xlfrfrl.exe 1424 5nhbhb.exe 2600 jjdvp.exe 4608 jvpdp.exe 1264 rxfrfrl.exe 1124 bbbhtn.exe 184 3pjdp.exe 2240 xrrlxrx.exe 2052 rfrxxrx.exe 3164 thhtnb.exe 4020 pdvvp.exe 4476 rffxllf.exe 4940 thnhtt.exe 4088 thhbtt.exe 1180 3ffrfxr.exe 3568 1bnhhb.exe 2456 vjjvj.exe 4904 pdpdv.exe 1628 xllrxrx.exe 1492 5nthnh.exe 232 dppdv.exe 2532 5pjvp.exe 908 fxrlfxr.exe 2224 btnhbt.exe 748 hththt.exe 1564 5jvjd.exe -
resource yara_rule behavioral2/memory/3444-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1944-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3540-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-725-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3444 wrote to memory of 4620 3444 317a1e13863470f415deb8f3e9764244325844a645548da51bcbcf757cc32532N.exe 84 PID 3444 wrote to memory of 4620 3444 317a1e13863470f415deb8f3e9764244325844a645548da51bcbcf757cc32532N.exe 84 PID 3444 wrote to memory of 4620 3444 317a1e13863470f415deb8f3e9764244325844a645548da51bcbcf757cc32532N.exe 84 PID 4620 wrote to memory of 3356 4620 rffxlfx.exe 85 PID 4620 wrote to memory of 3356 4620 rffxlfx.exe 85 PID 4620 wrote to memory of 3356 4620 rffxlfx.exe 85 PID 3356 wrote to memory of 3776 3356 ttbtbt.exe 86 PID 3356 wrote to memory of 3776 3356 ttbtbt.exe 86 PID 3356 wrote to memory of 3776 3356 ttbtbt.exe 86 PID 3776 wrote to memory of 1836 3776 bbbtnh.exe 87 PID 3776 wrote to memory of 1836 3776 bbbtnh.exe 87 PID 3776 wrote to memory of 1836 3776 bbbtnh.exe 87 PID 1836 wrote to memory of 232 1836 xrxlrrr.exe 88 PID 1836 wrote to memory of 232 1836 xrxlrrr.exe 88 PID 1836 wrote to memory of 232 1836 xrxlrrr.exe 88 PID 232 wrote to memory of 1308 232 pjjdv.exe 89 PID 232 wrote to memory of 1308 232 pjjdv.exe 89 PID 232 wrote to memory of 1308 232 pjjdv.exe 89 PID 1308 wrote to memory of 828 1308 ththtn.exe 90 PID 1308 wrote to memory of 828 1308 ththtn.exe 90 PID 1308 wrote to memory of 828 1308 ththtn.exe 90 PID 828 wrote to memory of 1504 828 1dvvp.exe 91 PID 828 wrote to memory of 1504 828 1dvvp.exe 91 PID 828 wrote to memory of 1504 828 1dvvp.exe 91 PID 1504 wrote to memory of 3196 1504 9bbbbh.exe 92 PID 1504 wrote to memory of 3196 1504 9bbbbh.exe 92 PID 1504 wrote to memory of 3196 1504 9bbbbh.exe 92 PID 3196 wrote to memory of 4316 3196 vjvvd.exe 93 PID 3196 wrote to memory of 4316 3196 vjvvd.exe 93 PID 3196 wrote to memory of 4316 3196 vjvvd.exe 93 PID 4316 wrote to memory of 3476 4316 nnntnn.exe 94 PID 4316 wrote to memory of 3476 4316 nnntnn.exe 94 PID 4316 wrote to memory of 3476 4316 nnntnn.exe 94 PID 3476 wrote to memory of 2396 3476 1ffxllf.exe 95 PID 3476 wrote to memory of 2396 
3476 1ffxllf.exe 95 PID 3476 wrote to memory of 2396 3476 1ffxllf.exe 95 PID 2396 wrote to memory of 4060 2396 rflllff.exe 96 PID 2396 wrote to memory of 4060 2396 rflllff.exe 96 PID 2396 wrote to memory of 4060 2396 rflllff.exe 96 PID 4060 wrote to memory of 372 4060 hnbtnh.exe 97 PID 4060 wrote to memory of 372 4060 hnbtnh.exe 97 PID 4060 wrote to memory of 372 4060 hnbtnh.exe 97 PID 372 wrote to memory of 1172 372 1vvpd.exe 98 PID 372 wrote to memory of 1172 372 1vvpd.exe 98 PID 372 wrote to memory of 1172 372 1vvpd.exe 98 PID 1172 wrote to memory of 3128 1172 fflxflf.exe 99 PID 1172 wrote to memory of 3128 1172 fflxflf.exe 99 PID 1172 wrote to memory of 3128 1172 fflxflf.exe 99 PID 3128 wrote to memory of 4252 3128 btnbnh.exe 100 PID 3128 wrote to memory of 4252 3128 btnbnh.exe 100 PID 3128 wrote to memory of 4252 3128 btnbnh.exe 100 PID 4252 wrote to memory of 4852 4252 dvpjv.exe 101 PID 4252 wrote to memory of 4852 4252 dvpjv.exe 101 PID 4252 wrote to memory of 4852 4252 dvpjv.exe 101 PID 4852 wrote to memory of 2260 4852 fxlfffl.exe 102 PID 4852 wrote to memory of 2260 4852 fxlfffl.exe 102 PID 4852 wrote to memory of 2260 4852 fxlfffl.exe 102 PID 2260 wrote to memory of 4640 2260 ntnhbt.exe 103 PID 2260 wrote to memory of 4640 2260 ntnhbt.exe 103 PID 2260 wrote to memory of 4640 2260 ntnhbt.exe 103 PID 4640 wrote to memory of 1500 4640 htnhtn.exe 104 PID 4640 wrote to memory of 1500 4640 htnhtn.exe 104 PID 4640 wrote to memory of 1500 4640 htnhtn.exe 104 PID 1500 wrote to memory of 468 1500 jvdvj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\317a1e13863470f415deb8f3e9764244325844a645548da51bcbcf757cc32532N.exe"C:\Users\Admin\AppData\Local\Temp\317a1e13863470f415deb8f3e9764244325844a645548da51bcbcf757cc32532N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\rffxlfx.exec:\rffxlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\ttbtbt.exec:\ttbtbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\bbbtnh.exec:\bbbtnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\xrxlrrr.exec:\xrxlrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\pjjdv.exec:\pjjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\ththtn.exec:\ththtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\1dvvp.exec:\1dvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\9bbbbh.exec:\9bbbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\vjvvd.exec:\vjvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\nnntnn.exec:\nnntnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\1ffxllf.exec:\1ffxllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\rflllff.exec:\rflllff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\hnbtnh.exec:\hnbtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\1vvpd.exec:\1vvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\fflxflf.exec:\fflxflf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\btnbnh.exec:\btnbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\dvpjv.exec:\dvpjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\fxlfffl.exec:\fxlfffl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\ntnhbt.exec:\ntnhbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\htnhtn.exec:\htnhtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\jvdvj.exec:\jvdvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\3bthtb.exec:\3bthtb.exe23⤵
- Executes dropped EXE
PID:468 -
\??\c:\pddpj.exec:\pddpj.exe24⤵
- Executes dropped EXE
PID:1556 -
\??\c:\fffrrll.exec:\fffrrll.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1216 -
\??\c:\tnthbb.exec:\tnthbb.exe26⤵
- Executes dropped EXE
PID:4600 -
\??\c:\htbtnn.exec:\htbtnn.exe27⤵
- Executes dropped EXE
PID:4568 -
\??\c:\lfxlfxr.exec:\lfxlfxr.exe28⤵
- Executes dropped EXE
PID:1512 -
\??\c:\5rrlxrl.exec:\5rrlxrl.exe29⤵
- Executes dropped EXE
PID:1944 -
\??\c:\dppdv.exec:\dppdv.exe30⤵
- Executes dropped EXE
PID:3540 -
\??\c:\ddjvj.exec:\ddjvj.exe31⤵
- Executes dropped EXE
PID:2348 -
\??\c:\3lxrffr.exec:\3lxrffr.exe32⤵
- Executes dropped EXE
PID:1584 -
\??\c:\hbbnht.exec:\hbbnht.exe33⤵
- Executes dropped EXE
PID:4176 -
\??\c:\jvjjp.exec:\jvjjp.exe34⤵
- Executes dropped EXE
PID:1320 -
\??\c:\jddvv.exec:\jddvv.exe35⤵
- Executes dropped EXE
PID:1760 -
\??\c:\vjjdj.exec:\vjjdj.exe36⤵
- Executes dropped EXE
PID:4212 -
\??\c:\jvpdv.exec:\jvpdv.exe37⤵
- Executes dropped EXE
PID:2368 -
\??\c:\dvpjv.exec:\dvpjv.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1132 -
\??\c:\dvvjv.exec:\dvvjv.exe39⤵
- Executes dropped EXE
PID:1384 -
\??\c:\xlfrfrl.exec:\xlfrfrl.exe40⤵
- Executes dropped EXE
PID:952 -
\??\c:\5nhbhb.exec:\5nhbhb.exe41⤵
- Executes dropped EXE
PID:1424 -
\??\c:\jjdvp.exec:\jjdvp.exe42⤵
- Executes dropped EXE
PID:2600 -
\??\c:\jvpdp.exec:\jvpdp.exe43⤵
- Executes dropped EXE
PID:4608 -
\??\c:\rxfrfrl.exec:\rxfrfrl.exe44⤵
- Executes dropped EXE
PID:1264 -
\??\c:\bbbhtn.exec:\bbbhtn.exe45⤵
- Executes dropped EXE
PID:1124 -
\??\c:\3pjdp.exec:\3pjdp.exe46⤵
- Executes dropped EXE
PID:184 -
\??\c:\xrrlxrx.exec:\xrrlxrx.exe47⤵
- Executes dropped EXE
PID:2240 -
\??\c:\rfrxxrx.exec:\rfrxxrx.exe48⤵
- Executes dropped EXE
PID:2052 -
\??\c:\thhtnb.exec:\thhtnb.exe49⤵
- Executes dropped EXE
PID:3164 -
\??\c:\pdvvp.exec:\pdvvp.exe50⤵
- Executes dropped EXE
PID:4020 -
\??\c:\rffxllf.exec:\rffxllf.exe51⤵
- Executes dropped EXE
PID:4476 -
\??\c:\thnhtt.exec:\thnhtt.exe52⤵
- Executes dropped EXE
PID:4940 -
\??\c:\thhbtt.exec:\thhbtt.exe53⤵
- Executes dropped EXE
PID:4088 -
\??\c:\3ffrfxr.exec:\3ffrfxr.exe54⤵
- Executes dropped EXE
PID:1180 -
\??\c:\1bnhhb.exec:\1bnhhb.exe55⤵
- Executes dropped EXE
PID:3568 -
\??\c:\vjjvj.exec:\vjjvj.exe56⤵
- Executes dropped EXE
PID:2456 -
\??\c:\pdpdv.exec:\pdpdv.exe57⤵
- Executes dropped EXE
PID:4904 -
\??\c:\xllrxrx.exec:\xllrxrx.exe58⤵
- Executes dropped EXE
PID:1628 -
\??\c:\5nthnh.exec:\5nthnh.exe59⤵
- Executes dropped EXE
PID:1492 -
\??\c:\dppdv.exec:\dppdv.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:232 -
\??\c:\5pjvp.exec:\5pjvp.exe61⤵
- Executes dropped EXE
PID:2532 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe62⤵
- Executes dropped EXE
PID:908 -
\??\c:\btnhbt.exec:\btnhbt.exe63⤵
- Executes dropped EXE
PID:2224 -
\??\c:\hththt.exec:\hththt.exe64⤵
- Executes dropped EXE
PID:748 -
\??\c:\5jvjd.exec:\5jvjd.exe65⤵
- Executes dropped EXE
PID:1564 -
\??\c:\rffxrlf.exec:\rffxrlf.exe66⤵PID:400
-
\??\c:\9rllfxr.exec:\9rllfxr.exe67⤵PID:5088
-
\??\c:\9bbnhb.exec:\9bbnhb.exe68⤵PID:4420
-
\??\c:\djjdp.exec:\djjdp.exe69⤵PID:3024
-
\??\c:\frxrrll.exec:\frxrrll.exe70⤵PID:1568
-
\??\c:\nbbtnh.exec:\nbbtnh.exe71⤵PID:4236
-
\??\c:\3tthtn.exec:\3tthtn.exe72⤵PID:1624
-
\??\c:\pdpjd.exec:\pdpjd.exe73⤵PID:4736
-
\??\c:\rflfxrl.exec:\rflfxrl.exe74⤵PID:4348
-
\??\c:\1hhttn.exec:\1hhttn.exe75⤵PID:4372
-
\??\c:\dpdjp.exec:\dpdjp.exe76⤵PID:4436
-
\??\c:\pjjpj.exec:\pjjpj.exe77⤵PID:4948
-
\??\c:\llfxxll.exec:\llfxxll.exe78⤵PID:4344
-
\??\c:\5bbhbt.exec:\5bbhbt.exe79⤵PID:4728
-
\??\c:\1tthtn.exec:\1tthtn.exe80⤵PID:412
-
\??\c:\pdpdp.exec:\pdpdp.exe81⤵PID:3656
-
\??\c:\7rxxxxf.exec:\7rxxxxf.exe82⤵PID:1500
-
\??\c:\tnhtbn.exec:\tnhtbn.exe83⤵PID:392
-
\??\c:\dvvpp.exec:\dvvpp.exe84⤵PID:1312
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe85⤵PID:4748
-
\??\c:\lxfrrlf.exec:\lxfrrlf.exe86⤵PID:4332
-
\??\c:\1hbnbt.exec:\1hbnbt.exe87⤵PID:5112
-
\??\c:\3ppjd.exec:\3ppjd.exe88⤵PID:1768
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe89⤵PID:3816
-
\??\c:\lxrlxrf.exec:\lxrlxrf.exe90⤵PID:864
-
\??\c:\thbnbh.exec:\thbnbh.exe91⤵PID:2944
-
\??\c:\httntn.exec:\httntn.exe92⤵PID:3540
-
\??\c:\pjdpd.exec:\pjdpd.exe93⤵PID:1160
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe94⤵PID:1580
-
\??\c:\9hbnhb.exec:\9hbnhb.exe95⤵PID:2776
-
\??\c:\1hbnbt.exec:\1hbnbt.exe96⤵PID:3532
-
\??\c:\dvdjv.exec:\dvdjv.exe97⤵PID:3976
-
\??\c:\rffrlfx.exec:\rffrlfx.exe98⤵PID:4404
-
\??\c:\xxffxrl.exec:\xxffxrl.exe99⤵PID:2524
-
\??\c:\9bbnbb.exec:\9bbnbb.exe100⤵PID:1396
-
\??\c:\jvvpj.exec:\jvvpj.exe101⤵PID:4624
-
\??\c:\5xrfrrf.exec:\5xrfrrf.exe102⤵PID:3936
-
\??\c:\bbbtbb.exec:\bbbtbb.exe103⤵PID:3468
-
\??\c:\nttnbb.exec:\nttnbb.exe104⤵PID:2112
-
\??\c:\vjdvv.exec:\vjdvv.exe105⤵PID:3220
-
\??\c:\3llfxxf.exec:\3llfxxf.exe106⤵PID:2096
-
\??\c:\rxlrfxl.exec:\rxlrfxl.exe107⤵PID:4608
-
\??\c:\nhbtnn.exec:\nhbtnn.exe108⤵PID:4024
-
\??\c:\5pjdp.exec:\5pjdp.exe109⤵PID:2744
-
\??\c:\9rrrllf.exec:\9rrrllf.exe110⤵PID:1096
-
\??\c:\9nnbtt.exec:\9nnbtt.exe111⤵PID:760
-
\??\c:\bhtbhh.exec:\bhtbhh.exe112⤵PID:1244
-
\??\c:\pdvvd.exec:\pdvvd.exe113⤵PID:1364
-
\??\c:\frrlffx.exec:\frrlffx.exe114⤵PID:5044
-
\??\c:\bbnbhb.exec:\bbnbhb.exe115⤵PID:4576
-
\??\c:\vjvdp.exec:\vjvdp.exe116⤵PID:5004
-
\??\c:\3vvpj.exec:\3vvpj.exe117⤵PID:4620
-
\??\c:\fxlxrlf.exec:\fxlxrlf.exe118⤵PID:4076
-
\??\c:\bnhtnh.exec:\bnhtnh.exe119⤵PID:4120
-
\??\c:\pddvj.exec:\pddvj.exe120⤵PID:3568
-
\??\c:\rlfxrlx.exec:\rlfxrlx.exe121⤵
- System Location Discovery: System Language Discovery
PID:4400 -
\??\c:\hbthbt.exec:\hbthbt.exe122⤵
- System Location Discovery: System Language Discovery
PID:1836