Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 04:49
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe
Resource
win7-20240903-en (note: the memory/YARA hits and IoC tables under "Signatures" below are tagged behavioral2 and come from the win10v2004-20241007-en image named at the top of this page; this win7 task's own results are not shown in this capture)
7 signatures
150 seconds
General
-
Target
465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe
-
Size
455KB
-
MD5
3bdbc74e2652b7b492e9ac08389c5c4b
-
SHA1
a3211ac53589ae7b8f59c37699bf4753fdc3cddb
-
SHA256
465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8
-
SHA512
c9f66e562017c008fc1e535179fdfee72fe3c57f2e291eab26564df34290c530875f464ef4d0c9092635532100037ccdf5a2cdd93c91d4e7b81cd391695a7883
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRU:q7Tc2NYHUrAwfMp3CDRU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 63 IoCs. Every hit is the same 0x400000–0x42A000 image range in a different PID of the spawn chain, i.e. the rule matches the loaded image of each dropped copy rather than a separately unpacked region. Some PIDs (e.g. 4788, 3148, 1340, 2316) appear twice with different offsets because the OS reused them for later children after the earlier process had exited — do not read duplicates as re-infection of one process.
resource yara_rule behavioral2/memory/3016-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4860-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4968-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-1421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (this table appears capped at 64 entries, as are the other IoC tables on this page; the process tree below runs to 122 levels, so this is not a complete list of the dropped executables)
pid Process 5084 dddvv.exe 3016 lrfxrxr.exe 1352 hbtnhh.exe 992 xxfxfff.exe 2752 9frrllf.exe 4388 tnbnht.exe 4788 ffxrxxr.exe 780 bnnhht.exe 4140 3vppj.exe 3064 9rlxrfx.exe 2768 fflflrx.exe 2224 btbtnn.exe 3148 9lrlxxf.exe 2316 jjdjd.exe 3488 hnnnbb.exe 5112 1fxlxrf.exe 2528 jppjv.exe 4676 llfrfxr.exe 4380 vppdv.exe 2740 5bnnhb.exe 4080 9dpjd.exe 4652 hbbtbt.exe 4352 dddvp.exe 2760 tttttb.exe 3916 rxxrrlx.exe 4860 jppdv.exe 4892 rllxlfr.exe 4808 vvpjj.exe 3720 tnthbt.exe 5056 jjdpd.exe 1284 tthbtn.exe 1256 7nnhhn.exe 4668 rllxrlx.exe 1824 tnnnhb.exe 2052 3ththb.exe 4444 jdpjj.exe 1436 5rfxllf.exe 2928 hnnhbt.exe 4284 jdvvp.exe 1340 rxrlllf.exe 3864 ntnntt.exe 3132 dppjj.exe 1368 pjvjd.exe 408 frfxrlf.exe 4448 7nnbbn.exe 4908 1btnnn.exe 4032 dddvp.exe 692 lrxrllf.exe 4108 5bbthb.exe 4928 tbbthb.exe 4788 5djdj.exe 1176 fflflfl.exe 3516 hnbtnn.exe 652 9jdjv.exe 4140 xxllrrx.exe 4768 bnhbnh.exe 2768 htbnbn.exe 4240 1jjvj.exe 680 xlfxrrl.exe 3148 bhhbnh.exe 3480 vppjd.exe 1608 fxffrrl.exe 2548 bbbthb.exe 4360 hhhttn.exe -
resource yara_rule behavioral2/memory/3016-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5056-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3680-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-817-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: the only artefact here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that benign locale initialisation commonly reads as well, so treat it as supporting context rather than a standalone indicator. Entries attributed to "Process not Found" are reads the sandbox could not map back to a live process — presumably because the short-lived child had already exited; verify against the process tree before attributing them.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xflllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjjd.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. Each write is logged three times for the same parent→child pair, and every target PID is the parent's direct child in the process tree (e.g. 4948 → 5084 dddvv.exe), which is consistent with a parent writing into a process it has just created rather than injection into an unrelated process. On its own this signature is therefore weak evidence here; the self-replicating spawn chain below is the stronger indicator.
description pid Process procid_target PID 4948 wrote to memory of 5084 4948 465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe 83 PID 4948 wrote to memory of 5084 4948 465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe 83 PID 4948 wrote to memory of 5084 4948 465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe 83 PID 5084 wrote to memory of 3016 5084 dddvv.exe 84 PID 5084 wrote to memory of 3016 5084 dddvv.exe 84 PID 5084 wrote to memory of 3016 5084 dddvv.exe 84 PID 3016 wrote to memory of 1352 3016 lrfxrxr.exe 85 PID 3016 wrote to memory of 1352 3016 lrfxrxr.exe 85 PID 3016 wrote to memory of 1352 3016 lrfxrxr.exe 85 PID 1352 wrote to memory of 992 1352 hbtnhh.exe 86 PID 1352 wrote to memory of 992 1352 hbtnhh.exe 86 PID 1352 wrote to memory of 992 1352 hbtnhh.exe 86 PID 992 wrote to memory of 2752 992 xxfxfff.exe 87 PID 992 wrote to memory of 2752 992 xxfxfff.exe 87 PID 992 wrote to memory of 2752 992 xxfxfff.exe 87 PID 2752 wrote to memory of 4388 2752 9frrllf.exe 88 PID 2752 wrote to memory of 4388 2752 9frrllf.exe 88 PID 2752 wrote to memory of 4388 2752 9frrllf.exe 88 PID 4388 wrote to memory of 4788 4388 tnbnht.exe 89 PID 4388 wrote to memory of 4788 4388 tnbnht.exe 89 PID 4388 wrote to memory of 4788 4388 tnbnht.exe 89 PID 4788 wrote to memory of 780 4788 ffxrxxr.exe 90 PID 4788 wrote to memory of 780 4788 ffxrxxr.exe 90 PID 4788 wrote to memory of 780 4788 ffxrxxr.exe 90 PID 780 wrote to memory of 4140 780 bnnhht.exe 91 PID 780 wrote to memory of 4140 780 bnnhht.exe 91 PID 780 wrote to memory of 4140 780 bnnhht.exe 91 PID 4140 wrote to memory of 3064 4140 3vppj.exe 92 PID 4140 wrote to memory of 3064 4140 3vppj.exe 92 PID 4140 wrote to memory of 3064 4140 3vppj.exe 92 PID 3064 wrote to memory of 2768 3064 9rlxrfx.exe 93 PID 3064 wrote to memory of 2768 3064 9rlxrfx.exe 93 PID 3064 wrote to memory of 2768 3064 9rlxrfx.exe 93 PID 2768 wrote to memory of 2224 2768 fflflrx.exe 94 PID 2768 wrote to memory of 
2224 2768 fflflrx.exe 94 PID 2768 wrote to memory of 2224 2768 fflflrx.exe 94 PID 2224 wrote to memory of 3148 2224 btbtnn.exe 95 PID 2224 wrote to memory of 3148 2224 btbtnn.exe 95 PID 2224 wrote to memory of 3148 2224 btbtnn.exe 95 PID 3148 wrote to memory of 2316 3148 9lrlxxf.exe 96 PID 3148 wrote to memory of 2316 3148 9lrlxxf.exe 96 PID 3148 wrote to memory of 2316 3148 9lrlxxf.exe 96 PID 2316 wrote to memory of 3488 2316 jjdjd.exe 97 PID 2316 wrote to memory of 3488 2316 jjdjd.exe 97 PID 2316 wrote to memory of 3488 2316 jjdjd.exe 97 PID 3488 wrote to memory of 5112 3488 hnnnbb.exe 98 PID 3488 wrote to memory of 5112 3488 hnnnbb.exe 98 PID 3488 wrote to memory of 5112 3488 hnnnbb.exe 98 PID 5112 wrote to memory of 2528 5112 1fxlxrf.exe 99 PID 5112 wrote to memory of 2528 5112 1fxlxrf.exe 99 PID 5112 wrote to memory of 2528 5112 1fxlxrf.exe 99 PID 2528 wrote to memory of 4676 2528 jppjv.exe 100 PID 2528 wrote to memory of 4676 2528 jppjv.exe 100 PID 2528 wrote to memory of 4676 2528 jppjv.exe 100 PID 4676 wrote to memory of 4380 4676 llfrfxr.exe 101 PID 4676 wrote to memory of 4380 4676 llfrfxr.exe 101 PID 4676 wrote to memory of 4380 4676 llfrfxr.exe 101 PID 4380 wrote to memory of 2740 4380 vppdv.exe 102 PID 4380 wrote to memory of 2740 4380 vppdv.exe 102 PID 4380 wrote to memory of 2740 4380 vppdv.exe 102 PID 2740 wrote to memory of 4080 2740 5bnnhb.exe 103 PID 2740 wrote to memory of 4080 2740 5bnnhb.exe 103 PID 2740 wrote to memory of 4080 2740 5bnnhb.exe 103 PID 4080 wrote to memory of 4652 4080 9dpjd.exe 104
Processes (122 levels shown; each dropped executable is written to the root of C:\ under a short name built only from the letters b, d, f, h, j, l, n, p, r, t, v, x with an optional leading digit, and spawns the next one — a usable hunting pattern for this sample's spawn chain)
-
C:\Users\Admin\AppData\Local\Temp\465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe"C:\Users\Admin\AppData\Local\Temp\465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\dddvv.exec:\dddvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\lrfxrxr.exec:\lrfxrxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\hbtnhh.exec:\hbtnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\xxfxfff.exec:\xxfxfff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\9frrllf.exec:\9frrllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\tnbnht.exec:\tnbnht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\ffxrxxr.exec:\ffxrxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\bnnhht.exec:\bnnhht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\3vppj.exec:\3vppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\9rlxrfx.exec:\9rlxrfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\fflflrx.exec:\fflflrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\btbtnn.exec:\btbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\9lrlxxf.exec:\9lrlxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\jjdjd.exec:\jjdjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\hnnnbb.exec:\hnnnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\1fxlxrf.exec:\1fxlxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\jppjv.exec:\jppjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\llfrfxr.exec:\llfrfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\vppdv.exec:\vppdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\5bnnhb.exec:\5bnnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\9dpjd.exec:\9dpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\hbbtbt.exec:\hbbtbt.exe23⤵
- Executes dropped EXE
PID:4652 -
\??\c:\dddvp.exec:\dddvp.exe24⤵
- Executes dropped EXE
PID:4352 -
\??\c:\tttttb.exec:\tttttb.exe25⤵
- Executes dropped EXE
PID:2760 -
\??\c:\rxxrrlx.exec:\rxxrrlx.exe26⤵
- Executes dropped EXE
PID:3916 -
\??\c:\jppdv.exec:\jppdv.exe27⤵
- Executes dropped EXE
PID:4860 -
\??\c:\rllxlfr.exec:\rllxlfr.exe28⤵
- Executes dropped EXE
PID:4892 -
\??\c:\vvpjj.exec:\vvpjj.exe29⤵
- Executes dropped EXE
PID:4808 -
\??\c:\tnthbt.exec:\tnthbt.exe30⤵
- Executes dropped EXE
PID:3720 -
\??\c:\jjdpd.exec:\jjdpd.exe31⤵
- Executes dropped EXE
PID:5056 -
\??\c:\tthbtn.exec:\tthbtn.exe32⤵
- Executes dropped EXE
PID:1284 -
\??\c:\7nnhhn.exec:\7nnhhn.exe33⤵
- Executes dropped EXE
PID:1256 -
\??\c:\rllxrlx.exec:\rllxrlx.exe34⤵
- Executes dropped EXE
PID:4668 -
\??\c:\tnnnhb.exec:\tnnnhb.exe35⤵
- Executes dropped EXE
PID:1824 -
\??\c:\3ththb.exec:\3ththb.exe36⤵
- Executes dropped EXE
PID:2052 -
\??\c:\jdpjj.exec:\jdpjj.exe37⤵
- Executes dropped EXE
PID:4444 -
\??\c:\5rfxllf.exec:\5rfxllf.exe38⤵
- Executes dropped EXE
PID:1436 -
\??\c:\hnnhbt.exec:\hnnhbt.exe39⤵
- Executes dropped EXE
PID:2928 -
\??\c:\jdvvp.exec:\jdvvp.exe40⤵
- Executes dropped EXE
PID:4284 -
\??\c:\rxrlllf.exec:\rxrlllf.exe41⤵
- Executes dropped EXE
PID:1340 -
\??\c:\ntnntt.exec:\ntnntt.exe42⤵
- Executes dropped EXE
PID:3864 -
\??\c:\dppjj.exec:\dppjj.exe43⤵
- Executes dropped EXE
PID:3132 -
\??\c:\pjvjd.exec:\pjvjd.exe44⤵
- Executes dropped EXE
PID:1368 -
\??\c:\frfxrlf.exec:\frfxrlf.exe45⤵
- Executes dropped EXE
PID:408 -
\??\c:\7nnbbn.exec:\7nnbbn.exe46⤵
- Executes dropped EXE
PID:4448 -
\??\c:\1btnnn.exec:\1btnnn.exe47⤵
- Executes dropped EXE
PID:4908 -
\??\c:\dddvp.exec:\dddvp.exe48⤵
- Executes dropped EXE
PID:4032 -
\??\c:\lrxrllf.exec:\lrxrllf.exe49⤵
- Executes dropped EXE
PID:692 -
\??\c:\5bbthb.exec:\5bbthb.exe50⤵
- Executes dropped EXE
PID:4108 -
\??\c:\tbbthb.exec:\tbbthb.exe51⤵
- Executes dropped EXE
PID:4928 -
\??\c:\5djdj.exec:\5djdj.exe52⤵
- Executes dropped EXE
PID:4788 -
\??\c:\fflflfl.exec:\fflflfl.exe53⤵
- Executes dropped EXE
PID:1176 -
\??\c:\hnbtnn.exec:\hnbtnn.exe54⤵
- Executes dropped EXE
PID:3516 -
\??\c:\9jdjv.exec:\9jdjv.exe55⤵
- Executes dropped EXE
PID:652 -
\??\c:\xxllrrx.exec:\xxllrrx.exe56⤵
- Executes dropped EXE
PID:4140 -
\??\c:\bnhbnh.exec:\bnhbnh.exe57⤵
- Executes dropped EXE
PID:4768 -
\??\c:\htbnbn.exec:\htbnbn.exe58⤵
- Executes dropped EXE
PID:2768 -
\??\c:\1jjvj.exec:\1jjvj.exe59⤵
- Executes dropped EXE
PID:4240 -
\??\c:\xlfxrrl.exec:\xlfxrrl.exe60⤵
- Executes dropped EXE
PID:680 -
\??\c:\bhhbnh.exec:\bhhbnh.exe61⤵
- Executes dropped EXE
PID:3148 -
\??\c:\vppjd.exec:\vppjd.exe62⤵
- Executes dropped EXE
PID:3480 -
\??\c:\fxffrrl.exec:\fxffrrl.exe63⤵
- Executes dropped EXE
PID:1608 -
\??\c:\bbbthb.exec:\bbbthb.exe64⤵
- Executes dropped EXE
PID:2548 -
\??\c:\hhhttn.exec:\hhhttn.exe65⤵
- Executes dropped EXE
PID:4360 -
\??\c:\dppjd.exec:\dppjd.exe66⤵PID:3484
-
\??\c:\vvvpj.exec:\vvvpj.exe67⤵PID:3952
-
\??\c:\9bthbh.exec:\9bthbh.exe68⤵PID:2892
-
\??\c:\jpdvv.exec:\jpdvv.exe69⤵PID:3028
-
\??\c:\xxfxffl.exec:\xxfxffl.exe70⤵PID:4076
-
\??\c:\tnnbnh.exec:\tnnbnh.exe71⤵PID:2472
-
\??\c:\vdvdp.exec:\vdvdp.exe72⤵PID:4080
-
\??\c:\7vvpd.exec:\7vvpd.exe73⤵PID:4968
-
\??\c:\rllxrlx.exec:\rllxrlx.exe74⤵PID:1548
-
\??\c:\9bnnhh.exec:\9bnnhh.exe75⤵PID:3676
-
\??\c:\djjjd.exec:\djjjd.exe76⤵PID:2640
-
\??\c:\vpvjj.exec:\vpvjj.exe77⤵PID:3916
-
\??\c:\fxflxfx.exec:\fxflxfx.exe78⤵PID:4860
-
\??\c:\ttnhbb.exec:\ttnhbb.exe79⤵PID:4200
-
\??\c:\ddvdv.exec:\ddvdv.exe80⤵PID:3756
-
\??\c:\llfxrrl.exec:\llfxrrl.exe81⤵PID:3180
-
\??\c:\rrlfrlx.exec:\rrlfrlx.exe82⤵PID:864
-
\??\c:\hbbnbt.exec:\hbbnbt.exe83⤵PID:2460
-
\??\c:\ppjdp.exec:\ppjdp.exe84⤵PID:3100
-
\??\c:\lxllffr.exec:\lxllffr.exe85⤵PID:1496
-
\??\c:\bhhbnh.exec:\bhhbnh.exe86⤵PID:1256
-
\??\c:\jppjj.exec:\jppjj.exe87⤵PID:4668
-
\??\c:\xxrlrrf.exec:\xxrlrrf.exe88⤵PID:1824
-
\??\c:\htnhtn.exec:\htnhtn.exe89⤵PID:1968
-
\??\c:\djjdj.exec:\djjdj.exe90⤵PID:2256
-
\??\c:\vjjdd.exec:\vjjdd.exe91⤵PID:3680
-
\??\c:\xfxxxrl.exec:\xfxxxrl.exe92⤵PID:2720
-
\??\c:\hhthth.exec:\hhthth.exe93⤵PID:4320
-
\??\c:\pddvp.exec:\pddvp.exe94⤵PID:2844
-
\??\c:\3vvpv.exec:\3vvpv.exe95⤵PID:1340
-
\??\c:\xxrlfff.exec:\xxrlfff.exe96⤵PID:3008
-
\??\c:\5pdjj.exec:\5pdjj.exe97⤵PID:3716
-
\??\c:\vpjdp.exec:\vpjdp.exe98⤵PID:4708
-
\??\c:\3rrlllx.exec:\3rrlllx.exe99⤵PID:1236
-
\??\c:\hbhbbb.exec:\hbhbbb.exe100⤵PID:2200
-
\??\c:\jppjj.exec:\jppjj.exe101⤵PID:4456
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe102⤵PID:3924
-
\??\c:\xxrlfxl.exec:\xxrlfxl.exe103⤵PID:3968
-
\??\c:\bnnbnh.exec:\bnnbnh.exe104⤵PID:1376
-
\??\c:\jpvjd.exec:\jpvjd.exe105⤵PID:1104
-
\??\c:\xfrlxrx.exec:\xfrlxrx.exe106⤵PID:5004
-
\??\c:\5tbtnn.exec:\5tbtnn.exe107⤵PID:4956
-
\??\c:\ddjpp.exec:\ddjpp.exe108⤵PID:5088
-
\??\c:\dvvpp.exec:\dvvpp.exe109⤵PID:848
-
\??\c:\xxxrfxx.exec:\xxxrfxx.exe110⤵PID:1800
-
\??\c:\bthtnh.exec:\bthtnh.exe111⤵PID:2840
-
\??\c:\vvppj.exec:\vvppj.exe112⤵PID:2164
-
\??\c:\frrlfxr.exec:\frrlfxr.exe113⤵PID:4412
-
\??\c:\xllxrlr.exec:\xllxrlr.exe114⤵PID:1928
-
\??\c:\bhhbbb.exec:\bhhbbb.exe115⤵PID:2060
-
\??\c:\1vvjd.exec:\1vvjd.exe116⤵PID:4240
-
\??\c:\xlrrllr.exec:\xlrrllr.exe117⤵PID:1156
-
\??\c:\9hbtnn.exec:\9hbtnn.exe118⤵PID:1468
-
\??\c:\pddpd.exec:\pddpd.exe119⤵PID:2316
-
\??\c:\jvpjd.exec:\jvpjd.exe120⤵PID:1384
-
\??\c:\ntnhbb.exec:\ntnhbb.exe121⤵PID:3092
-
\??\c:\thhhbh.exec:\thhhbh.exe122⤵PID:4508