Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 22:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe
-
Size
456KB
-
MD5
9ab36710d88b6fdc29a5a105751ea325
-
SHA1
8043c3be812e13705b518177a0798a43751d7cce
-
SHA256
72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58
-
SHA512
0554672c159e4101b907628ea6bc98189aa240d725b6e817f002be67580da1f776fb149bdacf75200257684b076d0c8f87ef0438d5213a54b70c5e72615f1961
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4200-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3600-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5064-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-1070-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1496-1107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1856 rxrfffx.exe 4148 ttbttn.exe 4200 pjpjj.exe 2912 ntnbhb.exe 4628 dvjvj.exe 4920 bhtnbb.exe 4176 ppdpj.exe 4612 xxffxxf.exe 2492 hbhbbt.exe 3500 fxfxfxf.exe 2516 bttnhb.exe 2928 vvjdp.exe 4352 dvjdd.exe 4456 lrxrffx.exe 4572 htnhbt.exe 4380 hhnntt.exe 1196 vvvvv.exe 5064 3ffxrrl.exe 2508 hbtnhb.exe 3160 jvvpj.exe 2696 rffffxx.exe 4768 xllffxx.exe 5000 bhnhnn.exe 3284 pdjdp.exe 1412 jvpjd.exe 3492 flrlffx.exe 3600 tnnhhh.exe 4468 pjvpj.exe 3560 lrxlfxr.exe 2904 rfxrllf.exe 3780 pjpjv.exe 4940 dvdvj.exe 3356 bbhhtn.exe 4716 jjdvd.exe 1040 xrxxrrr.exe 3580 bnnhbb.exe 4464 9ppdv.exe 3904 bhhttn.exe 4256 djdvj.exe 2284 3rrfxxl.exe 756 ntbtnh.exe 4260 fllfffx.exe 2000 pdjdj.exe 3996 frxxlrl.exe 2292 tbbthh.exe 3384 nbbtnn.exe 2876 9dvpj.exe 624 rflxrxl.exe 4084 ffllxxr.exe 3120 nhbhbn.exe 2972 dpjjj.exe 3804 rlrrxrf.exe 2272 hhttnn.exe 4836 hhhbbb.exe 1160 3vpjj.exe 2528 ffrrfll.exe 4612 thnbnn.exe 3004 ppddv.exe 1592 llxxxff.exe 4116 nnthhh.exe 2248 nhtthb.exe 2560 pdppj.exe 4600 flrlxxr.exe 5092 1llflff.exe -
resource yara_rule behavioral2/memory/1856-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3492-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4736-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-707-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that the NLS\Language registry key is also read by many legitimate applications through standard locale APIs, so this indicator is weak on its own and should be weighed together with the Blackmoon detections and the self-propagating process chain above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffffxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3httnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4100 wrote to memory of 1856 4100 72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe 82 PID 4100 wrote to memory of 1856 4100 72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe 82 PID 4100 wrote to memory of 1856 4100 72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe 82 PID 1856 wrote to memory of 4148 1856 rxrfffx.exe 83 PID 1856 wrote to memory of 4148 1856 rxrfffx.exe 83 PID 1856 wrote to memory of 4148 1856 rxrfffx.exe 83 PID 4148 wrote to memory of 4200 4148 ttbttn.exe 84 PID 4148 wrote to memory of 4200 4148 ttbttn.exe 84 PID 4148 wrote to memory of 4200 4148 ttbttn.exe 84 PID 4200 wrote to memory of 2912 4200 pjpjj.exe 85 PID 4200 wrote to memory of 2912 4200 pjpjj.exe 85 PID 4200 wrote to memory of 2912 4200 pjpjj.exe 85 PID 2912 wrote to memory of 4628 2912 ntnbhb.exe 86 PID 2912 wrote to memory of 4628 2912 ntnbhb.exe 86 PID 2912 wrote to memory of 4628 2912 ntnbhb.exe 86 PID 4628 wrote to memory of 4920 4628 dvjvj.exe 87 PID 4628 wrote to memory of 4920 4628 dvjvj.exe 87 PID 4628 wrote to memory of 4920 4628 dvjvj.exe 87 PID 4920 wrote to memory of 4176 4920 bhtnbb.exe 88 PID 4920 wrote to memory of 4176 4920 bhtnbb.exe 88 PID 4920 wrote to memory of 4176 4920 bhtnbb.exe 88 PID 4176 wrote to memory of 4612 4176 ppdpj.exe 89 PID 4176 wrote to memory of 4612 4176 ppdpj.exe 89 PID 4176 wrote to memory of 4612 4176 ppdpj.exe 89 PID 4612 wrote to memory of 2492 4612 xxffxxf.exe 90 PID 4612 wrote to memory of 2492 4612 xxffxxf.exe 90 PID 4612 wrote to memory of 2492 4612 xxffxxf.exe 90 PID 2492 wrote to memory of 3500 2492 hbhbbt.exe 91 PID 2492 wrote to memory of 3500 2492 hbhbbt.exe 91 PID 2492 wrote to memory of 3500 2492 hbhbbt.exe 91 PID 3500 wrote to memory of 2516 3500 fxfxfxf.exe 92 PID 3500 wrote to memory of 2516 3500 fxfxfxf.exe 92 PID 3500 wrote to memory of 2516 3500 fxfxfxf.exe 92 PID 2516 wrote to memory of 2928 2516 bttnhb.exe 93 PID 2516 wrote to 
memory of 2928 2516 bttnhb.exe 93 PID 2516 wrote to memory of 2928 2516 bttnhb.exe 93 PID 2928 wrote to memory of 4352 2928 vvjdp.exe 94 PID 2928 wrote to memory of 4352 2928 vvjdp.exe 94 PID 2928 wrote to memory of 4352 2928 vvjdp.exe 94 PID 4352 wrote to memory of 4456 4352 dvjdd.exe 95 PID 4352 wrote to memory of 4456 4352 dvjdd.exe 95 PID 4352 wrote to memory of 4456 4352 dvjdd.exe 95 PID 4456 wrote to memory of 4572 4456 lrxrffx.exe 96 PID 4456 wrote to memory of 4572 4456 lrxrffx.exe 96 PID 4456 wrote to memory of 4572 4456 lrxrffx.exe 96 PID 4572 wrote to memory of 4380 4572 htnhbt.exe 97 PID 4572 wrote to memory of 4380 4572 htnhbt.exe 97 PID 4572 wrote to memory of 4380 4572 htnhbt.exe 97 PID 4380 wrote to memory of 1196 4380 hhnntt.exe 98 PID 4380 wrote to memory of 1196 4380 hhnntt.exe 98 PID 4380 wrote to memory of 1196 4380 hhnntt.exe 98 PID 1196 wrote to memory of 5064 1196 vvvvv.exe 99 PID 1196 wrote to memory of 5064 1196 vvvvv.exe 99 PID 1196 wrote to memory of 5064 1196 vvvvv.exe 99 PID 5064 wrote to memory of 2508 5064 3ffxrrl.exe 100 PID 5064 wrote to memory of 2508 5064 3ffxrrl.exe 100 PID 5064 wrote to memory of 2508 5064 3ffxrrl.exe 100 PID 2508 wrote to memory of 3160 2508 hbtnhb.exe 101 PID 2508 wrote to memory of 3160 2508 hbtnhb.exe 101 PID 2508 wrote to memory of 3160 2508 hbtnhb.exe 101 PID 3160 wrote to memory of 2696 3160 jvvpj.exe 102 PID 3160 wrote to memory of 2696 3160 jvvpj.exe 102 PID 3160 wrote to memory of 2696 3160 jvvpj.exe 102 PID 2696 wrote to memory of 4768 2696 rffffxx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe"C:\Users\Admin\AppData\Local\Temp\72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\rxrfffx.exec:\rxrfffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\ttbttn.exec:\ttbttn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\pjpjj.exec:\pjpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\ntnbhb.exec:\ntnbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\dvjvj.exec:\dvjvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\bhtnbb.exec:\bhtnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\ppdpj.exec:\ppdpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\xxffxxf.exec:\xxffxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\hbhbbt.exec:\hbhbbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\fxfxfxf.exec:\fxfxfxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\bttnhb.exec:\bttnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\vvjdp.exec:\vvjdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\dvjdd.exec:\dvjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\lrxrffx.exec:\lrxrffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\htnhbt.exec:\htnhbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\hhnntt.exec:\hhnntt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\vvvvv.exec:\vvvvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\3ffxrrl.exec:\3ffxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\hbtnhb.exec:\hbtnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\jvvpj.exec:\jvvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\rffffxx.exec:\rffffxx.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\xllffxx.exec:\xllffxx.exe23⤵
- Executes dropped EXE
PID:4768 -
\??\c:\bhnhnn.exec:\bhnhnn.exe24⤵
- Executes dropped EXE
PID:5000 -
\??\c:\pdjdp.exec:\pdjdp.exe25⤵
- Executes dropped EXE
PID:3284 -
\??\c:\jvpjd.exec:\jvpjd.exe26⤵
- Executes dropped EXE
PID:1412 -
\??\c:\flrlffx.exec:\flrlffx.exe27⤵
- Executes dropped EXE
PID:3492 -
\??\c:\tnnhhh.exec:\tnnhhh.exe28⤵
- Executes dropped EXE
PID:3600 -
\??\c:\pjvpj.exec:\pjvpj.exe29⤵
- Executes dropped EXE
PID:4468 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe30⤵
- Executes dropped EXE
PID:3560 -
\??\c:\rfxrllf.exec:\rfxrllf.exe31⤵
- Executes dropped EXE
PID:2904 -
\??\c:\pjpjv.exec:\pjpjv.exe32⤵
- Executes dropped EXE
PID:3780 -
\??\c:\dvdvj.exec:\dvdvj.exe33⤵
- Executes dropped EXE
PID:4940 -
\??\c:\bbhhtn.exec:\bbhhtn.exe34⤵
- Executes dropped EXE
PID:3356 -
\??\c:\jjdvd.exec:\jjdvd.exe35⤵
- Executes dropped EXE
PID:4716 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe36⤵
- Executes dropped EXE
PID:1040 -
\??\c:\bnnhbb.exec:\bnnhbb.exe37⤵
- Executes dropped EXE
PID:3580 -
\??\c:\9ppdv.exec:\9ppdv.exe38⤵
- Executes dropped EXE
PID:4464 -
\??\c:\bhhttn.exec:\bhhttn.exe39⤵
- Executes dropped EXE
PID:3904 -
\??\c:\djdvj.exec:\djdvj.exe40⤵
- Executes dropped EXE
PID:4256 -
\??\c:\3rrfxxl.exec:\3rrfxxl.exe41⤵
- Executes dropped EXE
PID:2284 -
\??\c:\ntbtnh.exec:\ntbtnh.exe42⤵
- Executes dropped EXE
PID:756 -
\??\c:\fllfffx.exec:\fllfffx.exe43⤵
- Executes dropped EXE
PID:4260 -
\??\c:\pdjdj.exec:\pdjdj.exe44⤵
- Executes dropped EXE
PID:2000 -
\??\c:\frxxlrl.exec:\frxxlrl.exe45⤵
- Executes dropped EXE
PID:3996 -
\??\c:\tbbthh.exec:\tbbthh.exe46⤵
- Executes dropped EXE
PID:2292 -
\??\c:\nbbtnn.exec:\nbbtnn.exe47⤵
- Executes dropped EXE
PID:3384 -
\??\c:\9dvpj.exec:\9dvpj.exe48⤵
- Executes dropped EXE
PID:2876 -
\??\c:\rflxrxl.exec:\rflxrxl.exe49⤵
- Executes dropped EXE
PID:624 -
\??\c:\ffllxxr.exec:\ffllxxr.exe50⤵
- Executes dropped EXE
PID:4084 -
\??\c:\nhbhbn.exec:\nhbhbn.exe51⤵
- Executes dropped EXE
PID:3120 -
\??\c:\dpjjj.exec:\dpjjj.exe52⤵
- Executes dropped EXE
PID:2972 -
\??\c:\rlrrxrf.exec:\rlrrxrf.exe53⤵
- Executes dropped EXE
PID:3804 -
\??\c:\hhttnn.exec:\hhttnn.exe54⤵
- Executes dropped EXE
PID:2272 -
\??\c:\hhhbbb.exec:\hhhbbb.exe55⤵
- Executes dropped EXE
PID:4836 -
\??\c:\3vpjj.exec:\3vpjj.exe56⤵
- Executes dropped EXE
PID:1160 -
\??\c:\ffrrfll.exec:\ffrrfll.exe57⤵
- Executes dropped EXE
PID:2528 -
\??\c:\thnbnn.exec:\thnbnn.exe58⤵
- Executes dropped EXE
PID:4612 -
\??\c:\ppddv.exec:\ppddv.exe59⤵
- Executes dropped EXE
PID:3004 -
\??\c:\llxxxff.exec:\llxxxff.exe60⤵
- Executes dropped EXE
PID:1592 -
\??\c:\nnthhh.exec:\nnthhh.exe61⤵
- Executes dropped EXE
PID:4116 -
\??\c:\nhtthb.exec:\nhtthb.exe62⤵
- Executes dropped EXE
PID:2248 -
\??\c:\pdppj.exec:\pdppj.exe63⤵
- Executes dropped EXE
PID:2560 -
\??\c:\flrlxxr.exec:\flrlxxr.exe64⤵
- Executes dropped EXE
PID:4600 -
\??\c:\1llflff.exec:\1llflff.exe65⤵
- Executes dropped EXE
PID:5092 -
\??\c:\3hhbtn.exec:\3hhbtn.exe66⤵PID:3232
-
\??\c:\djpjd.exec:\djpjd.exe67⤵PID:3008
-
\??\c:\5lrfrrl.exec:\5lrfrrl.exe68⤵PID:1196
-
\??\c:\nbnhtn.exec:\nbnhtn.exe69⤵PID:5064
-
\??\c:\ntbbbt.exec:\ntbbbt.exe70⤵PID:1928
-
\??\c:\dpvjd.exec:\dpvjd.exe71⤵PID:2120
-
\??\c:\flrfrlf.exec:\flrfrlf.exe72⤵
- System Location Discovery: System Language Discovery
PID:1000 -
\??\c:\7bhhbh.exec:\7bhhbh.exe73⤵PID:4768
-
\??\c:\hntnhn.exec:\hntnhn.exe74⤵PID:2944
-
\??\c:\pddpd.exec:\pddpd.exe75⤵PID:3756
-
\??\c:\1rllfff.exec:\1rllfff.exe76⤵PID:3656
-
\??\c:\tbhbtn.exec:\tbhbtn.exe77⤵PID:4736
-
\??\c:\9hhbtt.exec:\9hhbtt.exe78⤵PID:8
-
\??\c:\vddvp.exec:\vddvp.exe79⤵PID:1760
-
\??\c:\rflfrrl.exec:\rflfrrl.exe80⤵PID:1412
-
\??\c:\bthnbb.exec:\bthnbb.exe81⤵PID:4008
-
\??\c:\ddpvp.exec:\ddpvp.exe82⤵PID:2800
-
\??\c:\lfrlxxr.exec:\lfrlxxr.exe83⤵PID:4468
-
\??\c:\1hbbbn.exec:\1hbbbn.exe84⤵PID:4480
-
\??\c:\tbhbnh.exec:\tbhbnh.exe85⤵PID:2484
-
\??\c:\jpdvd.exec:\jpdvd.exe86⤵PID:1108
-
\??\c:\rfffllx.exec:\rfffllx.exe87⤵PID:1236
-
\??\c:\llrlxxr.exec:\llrlxxr.exe88⤵PID:704
-
\??\c:\9tnhnn.exec:\9tnhnn.exe89⤵PID:3688
-
\??\c:\7jpjv.exec:\7jpjv.exe90⤵PID:3408
-
\??\c:\jpvjp.exec:\jpvjp.exe91⤵PID:3368
-
\??\c:\frfxrrr.exec:\frfxrrr.exe92⤵PID:4372
-
\??\c:\5hnhbt.exec:\5hnhbt.exe93⤵PID:3304
-
\??\c:\5ttnhh.exec:\5ttnhh.exe94⤵PID:2016
-
\??\c:\9pppj.exec:\9pppj.exe95⤵PID:4308
-
\??\c:\lrfxffr.exec:\lrfxffr.exe96⤵PID:228
-
\??\c:\fxlrlrr.exec:\fxlrlrr.exe97⤵PID:4128
-
\??\c:\7ntntt.exec:\7ntntt.exe98⤵PID:4896
-
\??\c:\dpddd.exec:\dpddd.exe99⤵PID:4320
-
\??\c:\5ffxrrl.exec:\5ffxrrl.exe100⤵PID:4652
-
\??\c:\nbnnhn.exec:\nbnnhn.exe101⤵PID:3784
-
\??\c:\pdjvj.exec:\pdjvj.exe102⤵PID:4620
-
\??\c:\1flllrx.exec:\1flllrx.exe103⤵PID:1620
-
\??\c:\htbnhh.exec:\htbnhh.exe104⤵PID:4332
-
\??\c:\bthbnb.exec:\bthbnb.exe105⤵PID:4260
-
\??\c:\dppvv.exec:\dppvv.exe106⤵PID:2324
-
\??\c:\3ddpj.exec:\3ddpj.exe107⤵PID:3592
-
\??\c:\xxrlrrf.exec:\xxrlrrf.exe108⤵PID:2772
-
\??\c:\bbhhnn.exec:\bbhhnn.exe109⤵PID:2808
-
\??\c:\ddjjd.exec:\ddjjd.exe110⤵PID:1532
-
\??\c:\3lrlffx.exec:\3lrlffx.exe111⤵PID:3552
-
\??\c:\7lrrxxl.exec:\7lrrxxl.exe112⤵PID:624
-
\??\c:\ttnntn.exec:\ttnntn.exe113⤵PID:636
-
\??\c:\vpdvd.exec:\vpdvd.exe114⤵PID:3120
-
\??\c:\5frrxlf.exec:\5frrxlf.exe115⤵PID:4012
-
\??\c:\fxfrffx.exec:\fxfrffx.exe116⤵PID:4592
-
\??\c:\hbnhhh.exec:\hbnhhh.exe117⤵PID:1480
-
\??\c:\vpjjd.exec:\vpjjd.exe118⤵PID:3116
-
\??\c:\lrrrxfx.exec:\lrrrxfx.exe119⤵PID:2412
-
\??\c:\nhttbb.exec:\nhttbb.exe120⤵PID:5080
-
\??\c:\bttbth.exec:\bttbth.exe121⤵PID:1544
-
\??\c:\3dvvp.exec:\3dvvp.exe122⤵PID:3872