Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 02:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe
-
Size
453KB
-
MD5
be4f0822935bc370b0f5fa418d398bec
-
SHA1
8fc11f4f863ab959f3bddff00b06a5469adb282f
-
SHA256
dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df
-
SHA512
e47d926a7a2c5dbd093082fcb0b2e9ba9ceffa9a7dc2d6f3096a81c28c28302226aaf0eb9b484ef7101a4bec30eeb93ce8aec3a5b0ba489741a05473bbe9d39d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3500-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2868-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4684-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-1882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4064 pdjdd.exe 2176 rxfrlff.exe 2596 hbhbbt.exe 720 ddjvj.exe 4900 frlfxrl.exe 4528 rflffxx.exe 3104 hbhbbt.exe 1380 3bthbt.exe 1088 pvvpj.exe 1744 xllfrfx.exe 1264 rffrlfx.exe 540 nbbnht.exe 936 3jdpj.exe 1160 9dddp.exe 1608 3lxrlxl.exe 3280 nnthtb.exe 4300 1bnhtn.exe 220 3ppjv.exe 4928 xffxrlf.exe 1620 rffrxrr.exe 2772 3thhbh.exe 1916 jjjvj.exe 4684 jvdpp.exe 2096 7fxrllf.exe 4576 nbbnbn.exe 3132 hbnhnh.exe 4804 5ddpd.exe 1956 pvvjv.exe 3996 xlfxlfl.exe 3124 nnthbt.exe 4276 nnnhbb.exe 2896 vdjdp.exe 2868 lflfrlx.exe 4220 xllxrrf.exe 2044 5hhthb.exe 1204 vjjdp.exe 1168 jdpjj.exe 3080 lxxrfxl.exe 4632 bhhbtt.exe 1248 nhthnh.exe 1412 1pppd.exe 456 lfrlfxr.exe 1172 xlrllrr.exe 876 hnnhbn.exe 768 5nhtnn.exe 4380 vpjvj.exe 4352 9llxlfr.exe 4272 lfxlxrf.exe 3872 ntbthh.exe 452 bhhthb.exe 4548 3dvjv.exe 848 rlrlffx.exe 840 rrrfxrl.exe 4384 nthbnh.exe 5032 ddjvp.exe 4332 dvvjd.exe 1856 frlxlfr.exe 1972 thnhbt.exe 4628 nbnbbn.exe 3608 vjpjv.exe 4768 rxfrfxr.exe 4004 rrxrflf.exe 4668 ntnbtt.exe 3644 vvpjv.exe -
resource yara_rule behavioral2/memory/3500-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-188-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2896-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1352-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-970-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-1174-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
rxlfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3500 wrote to memory of 4064 3500 dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe 82 PID 3500 wrote to memory of 4064 3500 dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe 82 PID 3500 wrote to memory of 4064 3500 dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe 82 PID 4064 wrote to memory of 2176 4064 pdjdd.exe 83 PID 4064 wrote to memory of 2176 4064 pdjdd.exe 83 PID 4064 wrote to memory of 2176 4064 pdjdd.exe 83 PID 2176 wrote to memory of 2596 2176 rxfrlff.exe 84 PID 2176 wrote to memory of 2596 2176 rxfrlff.exe 84 PID 2176 wrote to memory of 2596 2176 rxfrlff.exe 84 PID 2596 wrote to memory of 720 2596 hbhbbt.exe 85 PID 2596 wrote to memory of 720 2596 hbhbbt.exe 85 PID 2596 wrote to memory of 720 2596 hbhbbt.exe 85 PID 720 wrote to memory of 4900 720 ddjvj.exe 86 PID 720 wrote to memory of 4900 720 ddjvj.exe 86 PID 720 wrote to memory of 4900 720 ddjvj.exe 86 PID 4900 wrote to memory of 4528 4900 frlfxrl.exe 87 PID 4900 wrote to memory of 4528 4900 frlfxrl.exe 87 PID 4900 wrote to memory of 4528 4900 frlfxrl.exe 87 PID 4528 wrote to memory of 3104 4528 rflffxx.exe 88 PID 4528 wrote to memory of 3104 4528 rflffxx.exe 88 PID 4528 wrote to memory of 3104 4528 rflffxx.exe 88 PID 3104 wrote to memory of 1380 3104 hbhbbt.exe 89 PID 3104 wrote to memory of 1380 3104 hbhbbt.exe 89 PID 3104 wrote to memory of 1380 3104 hbhbbt.exe 89 PID 1380 wrote to memory of 1088 1380 3bthbt.exe 90 PID 1380 wrote to memory of 1088 1380 3bthbt.exe 90 PID 1380 wrote to memory of 1088 1380 3bthbt.exe 90 PID 1088 wrote to memory of 1744 1088 pvvpj.exe 91 PID 1088 wrote to memory of 1744 1088 pvvpj.exe 91 PID 1088 wrote to memory of 1744 1088 pvvpj.exe 91 PID 1744 wrote to memory of 1264 1744 xllfrfx.exe 92 PID 1744 wrote to memory of 1264 1744 xllfrfx.exe 92 PID 1744 wrote to memory of 1264 1744 xllfrfx.exe 92 PID 1264 wrote to memory of 540 1264 rffrlfx.exe 93 PID 1264 wrote to memory 
of 540 1264 rffrlfx.exe 93 PID 1264 wrote to memory of 540 1264 rffrlfx.exe 93 PID 540 wrote to memory of 936 540 nbbnht.exe 94 PID 540 wrote to memory of 936 540 nbbnht.exe 94 PID 540 wrote to memory of 936 540 nbbnht.exe 94 PID 936 wrote to memory of 1160 936 3jdpj.exe 95 PID 936 wrote to memory of 1160 936 3jdpj.exe 95 PID 936 wrote to memory of 1160 936 3jdpj.exe 95 PID 1160 wrote to memory of 1608 1160 9dddp.exe 96 PID 1160 wrote to memory of 1608 1160 9dddp.exe 96 PID 1160 wrote to memory of 1608 1160 9dddp.exe 96 PID 1608 wrote to memory of 3280 1608 3lxrlxl.exe 97 PID 1608 wrote to memory of 3280 1608 3lxrlxl.exe 97 PID 1608 wrote to memory of 3280 1608 3lxrlxl.exe 97 PID 3280 wrote to memory of 4300 3280 nnthtb.exe 98 PID 3280 wrote to memory of 4300 3280 nnthtb.exe 98 PID 3280 wrote to memory of 4300 3280 nnthtb.exe 98 PID 4300 wrote to memory of 220 4300 1bnhtn.exe 99 PID 4300 wrote to memory of 220 4300 1bnhtn.exe 99 PID 4300 wrote to memory of 220 4300 1bnhtn.exe 99 PID 220 wrote to memory of 4928 220 3ppjv.exe 100 PID 220 wrote to memory of 4928 220 3ppjv.exe 100 PID 220 wrote to memory of 4928 220 3ppjv.exe 100 PID 4928 wrote to memory of 1620 4928 xffxrlf.exe 101 PID 4928 wrote to memory of 1620 4928 xffxrlf.exe 101 PID 4928 wrote to memory of 1620 4928 xffxrlf.exe 101 PID 1620 wrote to memory of 2772 1620 rffrxrr.exe 102 PID 1620 wrote to memory of 2772 1620 rffrxrr.exe 102 PID 1620 wrote to memory of 2772 1620 rffrxrr.exe 102 PID 2772 wrote to memory of 1916 2772 3thhbh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe"C:\Users\Admin\AppData\Local\Temp\dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\pdjdd.exec:\pdjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\rxfrlff.exec:\rxfrlff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\hbhbbt.exec:\hbhbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\ddjvj.exec:\ddjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\frlfxrl.exec:\frlfxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\rflffxx.exec:\rflffxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\hbhbbt.exec:\hbhbbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\3bthbt.exec:\3bthbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\pvvpj.exec:\pvvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\xllfrfx.exec:\xllfrfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\rffrlfx.exec:\rffrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\nbbnht.exec:\nbbnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\3jdpj.exec:\3jdpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\9dddp.exec:\9dddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\3lxrlxl.exec:\3lxrlxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\nnthtb.exec:\nnthtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\1bnhtn.exec:\1bnhtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\3ppjv.exec:\3ppjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\xffxrlf.exec:\xffxrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\rffrxrr.exec:\rffrxrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\3thhbh.exec:\3thhbh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\jjjvj.exec:\jjjvj.exe23⤵
- Executes dropped EXE
PID:1916 -
\??\c:\jvdpp.exec:\jvdpp.exe24⤵
- Executes dropped EXE
PID:4684 -
\??\c:\7fxrllf.exec:\7fxrllf.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
\??\c:\nbbnbn.exec:\nbbnbn.exe26⤵
- Executes dropped EXE
PID:4576 -
\??\c:\hbnhnh.exec:\hbnhnh.exe27⤵
- Executes dropped EXE
PID:3132 -
\??\c:\5ddpd.exec:\5ddpd.exe28⤵
- Executes dropped EXE
PID:4804 -
\??\c:\pvvjv.exec:\pvvjv.exe29⤵
- Executes dropped EXE
PID:1956 -
\??\c:\xlfxlfl.exec:\xlfxlfl.exe30⤵
- Executes dropped EXE
PID:3996 -
\??\c:\nnthbt.exec:\nnthbt.exe31⤵
- Executes dropped EXE
PID:3124 -
\??\c:\nnnhbb.exec:\nnnhbb.exe32⤵
- Executes dropped EXE
PID:4276 -
\??\c:\vdjdp.exec:\vdjdp.exe33⤵
- Executes dropped EXE
PID:2896 -
\??\c:\lflfrlx.exec:\lflfrlx.exe34⤵
- Executes dropped EXE
PID:2868 -
\??\c:\xllxrrf.exec:\xllxrrf.exe35⤵
- Executes dropped EXE
PID:4220 -
\??\c:\5hhthb.exec:\5hhthb.exe36⤵
- Executes dropped EXE
PID:2044 -
\??\c:\vjjdp.exec:\vjjdp.exe37⤵
- Executes dropped EXE
PID:1204 -
\??\c:\jdpjj.exec:\jdpjj.exe38⤵
- Executes dropped EXE
PID:1168 -
\??\c:\lxxrfxl.exec:\lxxrfxl.exe39⤵
- Executes dropped EXE
PID:3080 -
\??\c:\bhhbtt.exec:\bhhbtt.exe40⤵
- Executes dropped EXE
PID:4632 -
\??\c:\nhthnh.exec:\nhthnh.exe41⤵
- Executes dropped EXE
PID:1248 -
\??\c:\1pppd.exec:\1pppd.exe42⤵
- Executes dropped EXE
PID:1412 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe43⤵
- Executes dropped EXE
PID:456 -
\??\c:\xlrllrr.exec:\xlrllrr.exe44⤵
- Executes dropped EXE
PID:1172 -
\??\c:\hnnhbn.exec:\hnnhbn.exe45⤵
- Executes dropped EXE
PID:876 -
\??\c:\5nhtnn.exec:\5nhtnn.exe46⤵
- Executes dropped EXE
PID:768 -
\??\c:\vpjvj.exec:\vpjvj.exe47⤵
- Executes dropped EXE
PID:4380 -
\??\c:\9llxlfr.exec:\9llxlfr.exe48⤵
- Executes dropped EXE
PID:4352 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe49⤵
- Executes dropped EXE
PID:4272 -
\??\c:\ntbthh.exec:\ntbthh.exe50⤵
- Executes dropped EXE
PID:3872 -
\??\c:\bhhthb.exec:\bhhthb.exe51⤵
- Executes dropped EXE
PID:452 -
\??\c:\3dvjv.exec:\3dvjv.exe52⤵
- Executes dropped EXE
PID:4548 -
\??\c:\rlrlffx.exec:\rlrlffx.exe53⤵
- Executes dropped EXE
PID:848 -
\??\c:\rrrfxrl.exec:\rrrfxrl.exe54⤵
- Executes dropped EXE
PID:840 -
\??\c:\nthbnh.exec:\nthbnh.exe55⤵
- Executes dropped EXE
PID:4384 -
\??\c:\ddjvp.exec:\ddjvp.exe56⤵
- Executes dropped EXE
PID:5032 -
\??\c:\dvvjd.exec:\dvvjd.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4332 -
\??\c:\frlxlfr.exec:\frlxlfr.exe58⤵
- Executes dropped EXE
PID:1856 -
\??\c:\thnhbt.exec:\thnhbt.exe59⤵
- Executes dropped EXE
PID:1972 -
\??\c:\nbnbbn.exec:\nbnbbn.exe60⤵
- Executes dropped EXE
PID:4628 -
\??\c:\vjpjv.exec:\vjpjv.exe61⤵
- Executes dropped EXE
PID:3608 -
\??\c:\rxfrfxr.exec:\rxfrfxr.exe62⤵
- Executes dropped EXE
PID:4768 -
\??\c:\rrxrflf.exec:\rrxrflf.exe63⤵
- Executes dropped EXE
PID:4004 -
\??\c:\ntnbtt.exec:\ntnbtt.exe64⤵
- Executes dropped EXE
PID:4668 -
\??\c:\vvpjv.exec:\vvpjv.exe65⤵
- Executes dropped EXE
PID:3644 -
\??\c:\djjvv.exec:\djjvv.exe66⤵PID:3296
-
\??\c:\lflffff.exec:\lflffff.exe67⤵PID:1376
-
\??\c:\1hhthb.exec:\1hhthb.exe68⤵PID:1232
-
\??\c:\1jdpd.exec:\1jdpd.exe69⤵PID:1732
-
\??\c:\djpdp.exec:\djpdp.exe70⤵PID:3136
-
\??\c:\1rxrxrx.exec:\1rxrxrx.exe71⤵PID:3004
-
\??\c:\1vpdv.exec:\1vpdv.exe72⤵PID:3852
-
\??\c:\frlrfxr.exec:\frlrfxr.exe73⤵PID:4968
-
\??\c:\bbbbtt.exec:\bbbbtt.exe74⤵PID:3432
-
\??\c:\dvpjv.exec:\dvpjv.exe75⤵PID:4984
-
\??\c:\9llffrl.exec:\9llffrl.exe76⤵PID:2232
-
\??\c:\tttnnb.exec:\tttnnb.exe77⤵PID:4612
-
\??\c:\pvdpj.exec:\pvdpj.exe78⤵PID:4684
-
\??\c:\jjvjv.exec:\jjvjv.exe79⤵PID:2096
-
\??\c:\1frfxff.exec:\1frfxff.exe80⤵PID:1648
-
\??\c:\3hhttb.exec:\3hhttb.exe81⤵PID:5024
-
\??\c:\djjdv.exec:\djjdv.exe82⤵PID:1020
-
\??\c:\1xxrrlf.exec:\1xxrrlf.exe83⤵PID:4588
-
\??\c:\llrlfxr.exec:\llrlfxr.exe84⤵PID:3124
-
\??\c:\vdjvp.exec:\vdjvp.exe85⤵PID:4276
-
\??\c:\9jdvp.exec:\9jdvp.exe86⤵PID:3356
-
\??\c:\xlxrlxx.exec:\xlxrlxx.exe87⤵PID:1800
-
\??\c:\hhnhnh.exec:\hhnhnh.exe88⤵PID:3040
-
\??\c:\dvddp.exec:\dvddp.exe89⤵PID:2984
-
\??\c:\xfllflf.exec:\xfllflf.exe90⤵PID:2612
-
\??\c:\xrxxrll.exec:\xrxxrll.exe91⤵PID:2508
-
\??\c:\1tbnhb.exec:\1tbnhb.exe92⤵PID:1352
-
\??\c:\ddjdj.exec:\ddjdj.exe93⤵PID:3884
-
\??\c:\9ffrlfx.exec:\9ffrlfx.exe94⤵PID:1792
-
\??\c:\nntnnn.exec:\nntnnn.exe95⤵PID:4484
-
\??\c:\jvdpj.exec:\jvdpj.exe96⤵PID:1456
-
\??\c:\fxrfxrf.exec:\fxrfxrf.exe97⤵
- System Location Discovery: System Language Discovery
PID:2576 -
\??\c:\3tthbt.exec:\3tthbt.exe98⤵PID:876
-
\??\c:\vppjv.exec:\vppjv.exe99⤵PID:768
-
\??\c:\7fxxlfx.exec:\7fxxlfx.exe100⤵PID:3556
-
\??\c:\5tthbt.exec:\5tthbt.exe101⤵PID:2424
-
\??\c:\jdddd.exec:\jdddd.exe102⤵PID:4412
-
\??\c:\fxfrrrl.exec:\fxfrrrl.exe103⤵PID:452
-
\??\c:\nhhbtt.exec:\nhhbtt.exe104⤵PID:4388
-
\??\c:\9bhthn.exec:\9bhthn.exe105⤵PID:4552
-
\??\c:\pddpj.exec:\pddpj.exe106⤵PID:4036
-
\??\c:\9llrlfx.exec:\9llrlfx.exe107⤵PID:3924
-
\??\c:\vjpvj.exec:\vjpvj.exe108⤵PID:1820
-
\??\c:\1vpdv.exec:\1vpdv.exe109⤵PID:2012
-
\??\c:\hbbtnh.exec:\hbbtnh.exe110⤵PID:2836
-
\??\c:\xxfxlxr.exec:\xxfxlxr.exe111⤵PID:2004
-
\??\c:\xflfrrf.exec:\xflfrrf.exe112⤵PID:4332
-
\??\c:\3tthth.exec:\3tthth.exe113⤵PID:3660
-
\??\c:\1pjdv.exec:\1pjdv.exe114⤵PID:1972
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe115⤵PID:4692
-
\??\c:\nbbthh.exec:\nbbthh.exe116⤵PID:3104
-
\??\c:\jdvvj.exec:\jdvvj.exe117⤵PID:3060
-
\??\c:\nnhbnh.exec:\nnhbnh.exe118⤵PID:4004
-
\??\c:\ddddv.exec:\ddddv.exe119⤵PID:1728
-
\??\c:\frfrrrr.exec:\frfrrrr.exe120⤵PID:1828
-
\??\c:\frlfxrf.exec:\frlfxrf.exe121⤵PID:2840
-
\??\c:\thhbnn.exec:\thhbnn.exe122⤵PID:5060
-