Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 22:35
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
11422d8f13424b8644b2d8a97c1d4a8aef4d2c3d65a51a1b23aaaf2080c04725N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
11422d8f13424b8644b2d8a97c1d4a8aef4d2c3d65a51a1b23aaaf2080c04725N.exe
-
Size
454KB
-
MD5
e9779298fd1bd3f965a6e8ea11323700
-
SHA1
a4d7b3b48ae468042b2af2aa2c0c0951620e606a
-
SHA256
11422d8f13424b8644b2d8a97c1d4a8aef4d2c3d65a51a1b23aaaf2080c04725
-
SHA512
90a1d5891e71d342ea719584cd4a650dd49e26a4c94ef66590a1d7f47d8682f732e20d96dab3dc23dfd18364b0062aec8e09ada8ffc9ec1b581a674c0747e89b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every hit below is the same 0x00400000-0x0042A000 image range, first in the submitted sample (PID 2040) and then in each dropped child; the identical region set also matches the `upx` rule further down, so the family match and the packer match are on the same in-memory images, consistent with each dropped executable carrying the same payload as the original)
resource yara_rule behavioral2/memory/2040-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3744-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1532-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-837-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-907-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-1301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-1335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each dropped binary is written to the root of C:\ under a short pseudo-random consonant-only name, see the process tree below, and in turn launches the next one, so this is one linear drop-and-execute chain rather than 64 independent drops; the signature is capped at 64 entries while the process tree itself continues well past 64 levels)
pid Process 32 xfffrxr.exe 720 ddvvp.exe 2428 rllfffx.exe 3992 hhhnhh.exe 4384 rllflrr.exe 384 bnhhbb.exe 1220 vppdj.exe 2280 pjjjd.exe 4244 bbbhbn.exe 3932 vpdvp.exe 4400 hbbbbb.exe 3996 9pvpp.exe 1356 pjjjd.exe 5060 rlxxrrl.exe 1276 3hnhhh.exe 3048 hbnnnt.exe 4652 hnnntt.exe 3228 pjjjj.exe 2600 nntnnt.exe 1288 jvpjj.exe 4468 frlllrl.exe 572 rxflllr.exe 4636 tnbnbb.exe 4648 vvdvv.exe 976 nntttt.exe 2932 bthbbb.exe 1968 ffllfff.exe 3744 nbbtnn.exe 1368 tnnhhh.exe 5112 vvvpp.exe 2164 9jdpj.exe 2184 btbthb.exe 3140 nttnhh.exe 1060 xrllxxr.exe 1260 ffffxxx.exe 3788 3bbtbb.exe 1904 jjjjd.exe 1108 fffxrrl.exe 1528 xflfllf.exe 4876 hhtnnh.exe 4480 vpdvp.exe 1504 frxlxxr.exe 1912 lfrlllf.exe 4320 nbbbbh.exe 312 djjjj.exe 3384 fxxfxfx.exe 2344 hnbbbn.exe 3476 bhtnhb.exe 4764 pvppd.exe 2684 9xfffff.exe 3084 bbnnnt.exe 2872 nthnbt.exe 4532 vdjdv.exe 4356 frxrllf.exe 3092 9hnnhn.exe 4492 pjvvp.exe 1292 frxrlff.exe 1476 lfrrrrx.exe 1508 hhhhnb.exe 1588 vpddv.exe 3052 lxfxrll.exe 448 bntbbb.exe 4824 dpvpd.exe 3680 vvjjp.exe -
resource yara_rule behavioral2/memory/2040-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5112-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-411-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2088-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-907-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTP 64 IoCs
Attempts to gather information about the system language of the victim host, here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language, in order to infer its geographical location; reads of this key are frequently used as a geofencing/locale check before a payload decides whether to run. Entries labelled "Process not Found" are reads whose originating process had presumably already exited by the time the sandbox resolved its name, so the per-process attribution of this behaviour is incomplete; the list is also capped at 64 entries.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflxrx.exe -
Suspicious use of WriteProcessMemory 64 IoCs (every entry is a parent writing into the child it has just spawned, each parent→child pair appearing three times, and the pairs follow exactly the chain in the process tree below; there is no write into an unrelated or pre-existing process, so this is process-launch plumbing along the drop chain rather than classic injection into a third-party process; the signature is capped at 64 entries)
description pid Process procid_target PID 2040 wrote to memory of 32 2040 11422d8f13424b8644b2d8a97c1d4a8aef4d2c3d65a51a1b23aaaf2080c04725N.exe 82 PID 2040 wrote to memory of 32 2040 11422d8f13424b8644b2d8a97c1d4a8aef4d2c3d65a51a1b23aaaf2080c04725N.exe 82 PID 2040 wrote to memory of 32 2040 11422d8f13424b8644b2d8a97c1d4a8aef4d2c3d65a51a1b23aaaf2080c04725N.exe 82 PID 32 wrote to memory of 720 32 xfffrxr.exe 83 PID 32 wrote to memory of 720 32 xfffrxr.exe 83 PID 32 wrote to memory of 720 32 xfffrxr.exe 83 PID 720 wrote to memory of 2428 720 ddvvp.exe 84 PID 720 wrote to memory of 2428 720 ddvvp.exe 84 PID 720 wrote to memory of 2428 720 ddvvp.exe 84 PID 2428 wrote to memory of 3992 2428 rllfffx.exe 85 PID 2428 wrote to memory of 3992 2428 rllfffx.exe 85 PID 2428 wrote to memory of 3992 2428 rllfffx.exe 85 PID 3992 wrote to memory of 4384 3992 hhhnhh.exe 86 PID 3992 wrote to memory of 4384 3992 hhhnhh.exe 86 PID 3992 wrote to memory of 4384 3992 hhhnhh.exe 86 PID 4384 wrote to memory of 384 4384 rllflrr.exe 87 PID 4384 wrote to memory of 384 4384 rllflrr.exe 87 PID 4384 wrote to memory of 384 4384 rllflrr.exe 87 PID 384 wrote to memory of 1220 384 bnhhbb.exe 88 PID 384 wrote to memory of 1220 384 bnhhbb.exe 88 PID 384 wrote to memory of 1220 384 bnhhbb.exe 88 PID 1220 wrote to memory of 2280 1220 vppdj.exe 89 PID 1220 wrote to memory of 2280 1220 vppdj.exe 89 PID 1220 wrote to memory of 2280 1220 vppdj.exe 89 PID 2280 wrote to memory of 4244 2280 pjjjd.exe 90 PID 2280 wrote to memory of 4244 2280 pjjjd.exe 90 PID 2280 wrote to memory of 4244 2280 pjjjd.exe 90 PID 4244 wrote to memory of 3932 4244 bbbhbn.exe 91 PID 4244 wrote to memory of 3932 4244 bbbhbn.exe 91 PID 4244 wrote to memory of 3932 4244 bbbhbn.exe 91 PID 3932 wrote to memory of 4400 3932 vpdvp.exe 92 PID 3932 wrote to memory of 4400 3932 vpdvp.exe 92 PID 3932 wrote to memory of 4400 3932 vpdvp.exe 92 PID 4400 wrote to memory of 3996 4400 hbbbbb.exe 93 PID 4400 wrote to memory of 3996 4400 hbbbbb.exe 93 PID 
4400 wrote to memory of 3996 4400 hbbbbb.exe 93 PID 3996 wrote to memory of 1356 3996 9pvpp.exe 94 PID 3996 wrote to memory of 1356 3996 9pvpp.exe 94 PID 3996 wrote to memory of 1356 3996 9pvpp.exe 94 PID 1356 wrote to memory of 5060 1356 pjjjd.exe 95 PID 1356 wrote to memory of 5060 1356 pjjjd.exe 95 PID 1356 wrote to memory of 5060 1356 pjjjd.exe 95 PID 5060 wrote to memory of 1276 5060 rlxxrrl.exe 96 PID 5060 wrote to memory of 1276 5060 rlxxrrl.exe 96 PID 5060 wrote to memory of 1276 5060 rlxxrrl.exe 96 PID 1276 wrote to memory of 3048 1276 3hnhhh.exe 97 PID 1276 wrote to memory of 3048 1276 3hnhhh.exe 97 PID 1276 wrote to memory of 3048 1276 3hnhhh.exe 97 PID 3048 wrote to memory of 4652 3048 hbnnnt.exe 98 PID 3048 wrote to memory of 4652 3048 hbnnnt.exe 98 PID 3048 wrote to memory of 4652 3048 hbnnnt.exe 98 PID 4652 wrote to memory of 3228 4652 hnnntt.exe 99 PID 4652 wrote to memory of 3228 4652 hnnntt.exe 99 PID 4652 wrote to memory of 3228 4652 hnnntt.exe 99 PID 3228 wrote to memory of 2600 3228 pjjjj.exe 100 PID 3228 wrote to memory of 2600 3228 pjjjj.exe 100 PID 3228 wrote to memory of 2600 3228 pjjjj.exe 100 PID 2600 wrote to memory of 1288 2600 nntnnt.exe 101 PID 2600 wrote to memory of 1288 2600 nntnnt.exe 101 PID 2600 wrote to memory of 1288 2600 nntnnt.exe 101 PID 1288 wrote to memory of 4468 1288 jvpjj.exe 102 PID 1288 wrote to memory of 4468 1288 jvpjj.exe 102 PID 1288 wrote to memory of 4468 1288 jvpjj.exe 102 PID 4468 wrote to memory of 572 4468 frlllrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\11422d8f13424b8644b2d8a97c1d4a8aef4d2c3d65a51a1b23aaaf2080c04725N.exe"C:\Users\Admin\AppData\Local\Temp\11422d8f13424b8644b2d8a97c1d4a8aef4d2c3d65a51a1b23aaaf2080c04725N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\xfffrxr.exec:\xfffrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\ddvvp.exec:\ddvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\rllfffx.exec:\rllfffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\hhhnhh.exec:\hhhnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\rllflrr.exec:\rllflrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\bnhhbb.exec:\bnhhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\vppdj.exec:\vppdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\pjjjd.exec:\pjjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\bbbhbn.exec:\bbbhbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\vpdvp.exec:\vpdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\hbbbbb.exec:\hbbbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\9pvpp.exec:\9pvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\pjjjd.exec:\pjjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\rlxxrrl.exec:\rlxxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\3hnhhh.exec:\3hnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\hbnnnt.exec:\hbnnnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\hnnntt.exec:\hnnntt.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\pjjjj.exec:\pjjjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\nntnnt.exec:\nntnnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\jvpjj.exec:\jvpjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\frlllrl.exec:\frlllrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\rxflllr.exec:\rxflllr.exe23⤵
- Executes dropped EXE
PID:572 -
\??\c:\tnbnbb.exec:\tnbnbb.exe24⤵
- Executes dropped EXE
PID:4636 -
\??\c:\vvdvv.exec:\vvdvv.exe25⤵
- Executes dropped EXE
PID:4648 -
\??\c:\nntttt.exec:\nntttt.exe26⤵
- Executes dropped EXE
PID:976 -
\??\c:\bthbbb.exec:\bthbbb.exe27⤵
- Executes dropped EXE
PID:2932 -
\??\c:\ffllfff.exec:\ffllfff.exe28⤵
- Executes dropped EXE
PID:1968 -
\??\c:\nbbtnn.exec:\nbbtnn.exe29⤵
- Executes dropped EXE
PID:3744 -
\??\c:\tnnhhh.exec:\tnnhhh.exe30⤵
- Executes dropped EXE
PID:1368 -
\??\c:\vvvpp.exec:\vvvpp.exe31⤵
- Executes dropped EXE
PID:5112 -
\??\c:\9jdpj.exec:\9jdpj.exe32⤵
- Executes dropped EXE
PID:2164 -
\??\c:\btbthb.exec:\btbthb.exe33⤵
- Executes dropped EXE
PID:2184 -
\??\c:\nttnhh.exec:\nttnhh.exe34⤵
- Executes dropped EXE
PID:3140 -
\??\c:\xrllxxr.exec:\xrllxxr.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1060 -
\??\c:\ffffxxx.exec:\ffffxxx.exe36⤵
- Executes dropped EXE
PID:1260 -
\??\c:\3bbtbb.exec:\3bbtbb.exe37⤵
- Executes dropped EXE
PID:3788 -
\??\c:\jjjjd.exec:\jjjjd.exe38⤵
- Executes dropped EXE
PID:1904 -
\??\c:\fffxrrl.exec:\fffxrrl.exe39⤵
- Executes dropped EXE
PID:1108 -
\??\c:\xflfllf.exec:\xflfllf.exe40⤵
- Executes dropped EXE
PID:1528 -
\??\c:\hhtnnh.exec:\hhtnnh.exe41⤵
- Executes dropped EXE
PID:4876 -
\??\c:\vpdvp.exec:\vpdvp.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4480 -
\??\c:\frxlxxr.exec:\frxlxxr.exe43⤵
- Executes dropped EXE
PID:1504 -
\??\c:\lfrlllf.exec:\lfrlllf.exe44⤵
- Executes dropped EXE
PID:1912 -
\??\c:\nbbbbh.exec:\nbbbbh.exe45⤵
- Executes dropped EXE
PID:4320 -
\??\c:\djjjj.exec:\djjjj.exe46⤵
- Executes dropped EXE
PID:312 -
\??\c:\fxxfxfx.exec:\fxxfxfx.exe47⤵
- Executes dropped EXE
PID:3384 -
\??\c:\hnbbbn.exec:\hnbbbn.exe48⤵
- Executes dropped EXE
PID:2344 -
\??\c:\bhtnhb.exec:\bhtnhb.exe49⤵
- Executes dropped EXE
PID:3476 -
\??\c:\pvppd.exec:\pvppd.exe50⤵
- Executes dropped EXE
PID:4764 -
\??\c:\9xfffff.exec:\9xfffff.exe51⤵
- Executes dropped EXE
PID:2684 -
\??\c:\bbnnnt.exec:\bbnnnt.exe52⤵
- Executes dropped EXE
PID:3084 -
\??\c:\nthnbt.exec:\nthnbt.exe53⤵
- Executes dropped EXE
PID:2872 -
\??\c:\vdjdv.exec:\vdjdv.exe54⤵
- Executes dropped EXE
PID:4532 -
\??\c:\frxrllf.exec:\frxrllf.exe55⤵
- Executes dropped EXE
PID:4356 -
\??\c:\9hnnhn.exec:\9hnnhn.exe56⤵
- Executes dropped EXE
PID:3092 -
\??\c:\pjvvp.exec:\pjvvp.exe57⤵
- Executes dropped EXE
PID:4492 -
\??\c:\frxrlff.exec:\frxrlff.exe58⤵
- Executes dropped EXE
PID:1292 -
\??\c:\lfrrrrx.exec:\lfrrrrx.exe59⤵
- Executes dropped EXE
PID:1476 -
\??\c:\hhhhnb.exec:\hhhhnb.exe60⤵
- Executes dropped EXE
PID:1508 -
\??\c:\vpddv.exec:\vpddv.exe61⤵
- Executes dropped EXE
PID:1588 -
\??\c:\lxfxrll.exec:\lxfxrll.exe62⤵
- Executes dropped EXE
PID:3052 -
\??\c:\bntbbb.exec:\bntbbb.exe63⤵
- Executes dropped EXE
PID:448 -
\??\c:\dpvpd.exec:\dpvpd.exe64⤵
- Executes dropped EXE
PID:4824 -
\??\c:\vvjjp.exec:\vvjjp.exe65⤵
- Executes dropped EXE
PID:3680 -
\??\c:\7lllfll.exec:\7lllfll.exe66⤵PID:2388
-
\??\c:\ttnntt.exec:\ttnntt.exe67⤵PID:912
-
\??\c:\hthhbb.exec:\hthhbb.exe68⤵PID:5104
-
\??\c:\ddjdd.exec:\ddjdd.exe69⤵PID:1840
-
\??\c:\vpvdd.exec:\vpvdd.exe70⤵PID:2156
-
\??\c:\3bhhbh.exec:\3bhhbh.exe71⤵PID:3016
-
\??\c:\ntbhnt.exec:\ntbhnt.exe72⤵PID:2288
-
\??\c:\7djjj.exec:\7djjj.exe73⤵PID:2132
-
\??\c:\rrllflr.exec:\rrllflr.exe74⤵PID:1496
-
\??\c:\5bbhhh.exec:\5bbhhh.exe75⤵PID:3256
-
\??\c:\tthhbb.exec:\tthhbb.exe76⤵PID:5060
-
\??\c:\3ppjj.exec:\3ppjj.exe77⤵PID:3840
-
\??\c:\7lxfxff.exec:\7lxfxff.exe78⤵PID:1276
-
\??\c:\3frrrxl.exec:\3frrrxl.exe79⤵PID:4020
-
\??\c:\thhtnh.exec:\thhtnh.exe80⤵PID:3048
-
\??\c:\jjvvp.exec:\jjvvp.exe81⤵PID:336
-
\??\c:\frxrllf.exec:\frxrllf.exe82⤵PID:4420
-
\??\c:\3nbhbh.exec:\3nbhbh.exe83⤵PID:3820
-
\??\c:\vjdjd.exec:\vjdjd.exe84⤵
- System Location Discovery: System Language Discovery
PID:2304 -
\??\c:\vpddd.exec:\vpddd.exe85⤵PID:2300
-
\??\c:\xxlffll.exec:\xxlffll.exe86⤵PID:4468
-
\??\c:\9tbtbb.exec:\9tbtbb.exe87⤵PID:3068
-
\??\c:\nhbhtt.exec:\nhbhtt.exe88⤵PID:4516
-
\??\c:\djppp.exec:\djppp.exe89⤵PID:1532
-
\??\c:\fxffxff.exec:\fxffxff.exe90⤵PID:928
-
\??\c:\flfllrr.exec:\flfllrr.exe91⤵PID:2728
-
\??\c:\bbhhhn.exec:\bbhhhn.exe92⤵PID:2928
-
\??\c:\vdppp.exec:\vdppp.exe93⤵PID:512
-
\??\c:\llllrxx.exec:\llllrxx.exe94⤵PID:2912
-
\??\c:\rxllfll.exec:\rxllfll.exe95⤵PID:5092
-
\??\c:\hntnbh.exec:\hntnbh.exe96⤵PID:5028
-
\??\c:\ddddv.exec:\ddddv.exe97⤵PID:2488
-
\??\c:\5jjjv.exec:\5jjjv.exe98⤵PID:2584
-
\??\c:\frxxrxx.exec:\frxxrxx.exe99⤵PID:3492
-
\??\c:\nhnttt.exec:\nhnttt.exe100⤵PID:3580
-
\??\c:\thnntn.exec:\thnntn.exe101⤵PID:4808
-
\??\c:\vvddv.exec:\vvddv.exe102⤵PID:3096
-
\??\c:\rlfffff.exec:\rlfffff.exe103⤵PID:2296
-
\??\c:\9tbbbh.exec:\9tbbbh.exe104⤵PID:2324
-
\??\c:\bbtttt.exec:\bbtttt.exe105⤵PID:2088
-
\??\c:\pvjjd.exec:\pvjjd.exe106⤵PID:1644
-
\??\c:\fxlffll.exec:\fxlffll.exe107⤵PID:3608
-
\??\c:\ttbbnt.exec:\ttbbnt.exe108⤵PID:1456
-
\??\c:\9vppj.exec:\9vppj.exe109⤵PID:3684
-
\??\c:\rrxrlrr.exec:\rrxrlrr.exe110⤵PID:4644
-
\??\c:\rrxffll.exec:\rrxffll.exe111⤵PID:4908
-
\??\c:\ddjpd.exec:\ddjpd.exe112⤵PID:4656
-
\??\c:\pvdjd.exec:\pvdjd.exe113⤵PID:224
-
\??\c:\rlrllll.exec:\rlrllll.exe114⤵PID:3132
-
\??\c:\xxlxxfl.exec:\xxlxxfl.exe115⤵PID:672
-
\??\c:\5hnttb.exec:\5hnttb.exe116⤵PID:2128
-
\??\c:\vvjjd.exec:\vvjjd.exe117⤵PID:2640
-
\??\c:\fxllfll.exec:\fxllfll.exe118⤵PID:4528
-
\??\c:\xflxxrx.exec:\xflxxrx.exe119⤵PID:1980
-
\??\c:\bbnnhb.exec:\bbnnhb.exe120⤵PID:2684
-
\??\c:\jdvpj.exec:\jdvpj.exe121⤵PID:656
-
\??\c:\xrxfxfl.exec:\xrxfxfl.exe122⤵
- System Location Discovery: System Language Discovery
PID:2872