Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 17:54
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
1d36edb235439c2f51004e65714048cc0751b336077b71137389ec0688e2e2d5.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1d36edb235439c2f51004e65714048cc0751b336077b71137389ec0688e2e2d5.exe
-
Size
453KB
-
MD5
e4cdb9ed3175f2b340f2dbcfe1d67dd6
-
SHA1
ee574b0f170d29ab732ce85455270210a621c2b3
-
SHA256
1d36edb235439c2f51004e65714048cc0751b336077b71137389ec0688e2e2d5
-
SHA512
ff2957eae403190012aebf6ba3810fce12a8ab8412f1d2e0b725687745256af16444bd088511f138721acf4670a9870cd730e6c6a6b66568da7c966f1fac1739
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeUA:q7Tc2NYHUrAwfMp3CDUA
Malware Config (none extracted from this sample)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs. All hits below come from the behavioral2 run (the task selector above lists behavioral1 on win7-20240903-en, while these dumps are from the win10v2004 image). Every hit is the same 0x00400000–0x0042A000 image region, one per dropped process, i.e. the same payload re-executing down the process chain rather than distinct payloads.
resource yara_rule behavioral2/memory/4144-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4352-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3300-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-1041-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-1291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-1316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5048-1675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
UPX packed file 64 IoCs
The `upx` YARA rule matches the same 0x00400000–0x0042A000 regions as the Blackmoon rule, so the dropped executables are UPX-packed; string-based static signatures should be run against the unpacked memory dumps rather than the on-disk binaries.
Executes dropped EXE — 64 IoCs. Each dropped executable is written to the drive root (c:\) under a short random name drawn from a small letter set (x, r, f, l, b, t, n, h, p, j, d, v plus digits) and in turn spawns the next one; see the process tree below. Executables launched from the drive root with names of this shape are a usable detection hint.
pid Process 1268 xrfrxfr.exe 4372 nbhbtt.exe 3316 vpdvv.exe 1824 xllffxx.exe 3232 tnnnnn.exe 4708 7bhhbb.exe 4676 lrxrlxr.exe 1208 rrxxlrx.exe 1528 lfxxrfx.exe 2376 7llrxlr.exe 3856 nbhbhb.exe 772 dvddj.exe 112 rfxllrx.exe 1020 dpvpj.exe 3100 xlrlxrl.exe 516 httnhn.exe 4428 fffxxrr.exe 1468 9nttnb.exe 3604 vjddv.exe 1288 bttnhn.exe 708 pjpjp.exe 3612 lrffxxr.exe 4008 vdddv.exe 4960 pjdvj.exe 3940 htbtbt.exe 3872 dpvpp.exe 4944 xrxfxll.exe 3584 tnnnhh.exe 4352 bttthh.exe 1420 pjjdd.exe 1720 vdjdv.exe 1096 rfffxxx.exe 324 btbtbb.exe 1504 vpvpv.exe 1180 vjjjv.exe 468 5xxxxrr.exe 4764 tbnbth.exe 1688 nntnnn.exe 3636 dpdpj.exe 1512 9xfxxxx.exe 4300 9xrlflx.exe 5036 nntnhb.exe 4576 lrxrrll.exe 3424 htthbb.exe 1716 jpdvv.exe 1160 dpvpj.exe 3596 9rxrxxx.exe 4572 tbtnbt.exe 2812 pvdvv.exe 3064 lfrfrrl.exe 1572 9llfffx.exe 2708 hbtnhh.exe 3048 5bnnbb.exe 2892 vjjdp.exe 2056 xlrfrfx.exe 2364 ntbnbb.exe 3788 7bbtnb.exe 5108 jvvpp.exe 4680 fxxrllf.exe 1920 tnbttt.exe 1540 7nnnhb.exe 3968 jvdvp.exe 4700 9rxrlll.exe 4964 rxxrllr.exe -
resource yara_rule behavioral2/memory/4144-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-176-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1096-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-409-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4772-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-838-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Every IoC below is an open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key commonly read for locale-based execution gating. Entries marked "Process not Found" are opens the sandbox could not attribute to a process name, presumably because the short-lived dropped executable had already exited.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rllxxr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs. Each parent→child pair is recorded three times, and the parent PIDs trace the same linear chain (4144 → 1268 → 4372 → 3316 → …) as the process tree below: each process writes into the child it has just created before that child runs.
description pid Process procid_target PID 4144 wrote to memory of 1268 4144 1d36edb235439c2f51004e65714048cc0751b336077b71137389ec0688e2e2d5.exe 82 PID 4144 wrote to memory of 1268 4144 1d36edb235439c2f51004e65714048cc0751b336077b71137389ec0688e2e2d5.exe 82 PID 4144 wrote to memory of 1268 4144 1d36edb235439c2f51004e65714048cc0751b336077b71137389ec0688e2e2d5.exe 82 PID 1268 wrote to memory of 4372 1268 xrfrxfr.exe 83 PID 1268 wrote to memory of 4372 1268 xrfrxfr.exe 83 PID 1268 wrote to memory of 4372 1268 xrfrxfr.exe 83 PID 4372 wrote to memory of 3316 4372 nbhbtt.exe 84 PID 4372 wrote to memory of 3316 4372 nbhbtt.exe 84 PID 4372 wrote to memory of 3316 4372 nbhbtt.exe 84 PID 3316 wrote to memory of 1824 3316 vpdvv.exe 85 PID 3316 wrote to memory of 1824 3316 vpdvv.exe 85 PID 3316 wrote to memory of 1824 3316 vpdvv.exe 85 PID 1824 wrote to memory of 3232 1824 xllffxx.exe 86 PID 1824 wrote to memory of 3232 1824 xllffxx.exe 86 PID 1824 wrote to memory of 3232 1824 xllffxx.exe 86 PID 3232 wrote to memory of 4708 3232 tnnnnn.exe 87 PID 3232 wrote to memory of 4708 3232 tnnnnn.exe 87 PID 3232 wrote to memory of 4708 3232 tnnnnn.exe 87 PID 4708 wrote to memory of 4676 4708 7bhhbb.exe 88 PID 4708 wrote to memory of 4676 4708 7bhhbb.exe 88 PID 4708 wrote to memory of 4676 4708 7bhhbb.exe 88 PID 4676 wrote to memory of 1208 4676 lrxrlxr.exe 89 PID 4676 wrote to memory of 1208 4676 lrxrlxr.exe 89 PID 4676 wrote to memory of 1208 4676 lrxrlxr.exe 89 PID 1208 wrote to memory of 1528 1208 rrxxlrx.exe 90 PID 1208 wrote to memory of 1528 1208 rrxxlrx.exe 90 PID 1208 wrote to memory of 1528 1208 rrxxlrx.exe 90 PID 1528 wrote to memory of 2376 1528 lfxxrfx.exe 91 PID 1528 wrote to memory of 2376 1528 lfxxrfx.exe 91 PID 1528 wrote to memory of 2376 1528 lfxxrfx.exe 91 PID 2376 wrote to memory of 3856 2376 7llrxlr.exe 92 PID 2376 wrote to memory of 3856 2376 7llrxlr.exe 92 PID 2376 wrote to memory of 3856 2376 7llrxlr.exe 92 PID 3856 wrote to memory of 772 3856 nbhbhb.exe 93 PID 
3856 wrote to memory of 772 3856 nbhbhb.exe 93 PID 3856 wrote to memory of 772 3856 nbhbhb.exe 93 PID 772 wrote to memory of 112 772 dvddj.exe 94 PID 772 wrote to memory of 112 772 dvddj.exe 94 PID 772 wrote to memory of 112 772 dvddj.exe 94 PID 112 wrote to memory of 1020 112 rfxllrx.exe 95 PID 112 wrote to memory of 1020 112 rfxllrx.exe 95 PID 112 wrote to memory of 1020 112 rfxllrx.exe 95 PID 1020 wrote to memory of 3100 1020 dpvpj.exe 96 PID 1020 wrote to memory of 3100 1020 dpvpj.exe 96 PID 1020 wrote to memory of 3100 1020 dpvpj.exe 96 PID 3100 wrote to memory of 516 3100 xlrlxrl.exe 97 PID 3100 wrote to memory of 516 3100 xlrlxrl.exe 97 PID 3100 wrote to memory of 516 3100 xlrlxrl.exe 97 PID 516 wrote to memory of 4428 516 httnhn.exe 98 PID 516 wrote to memory of 4428 516 httnhn.exe 98 PID 516 wrote to memory of 4428 516 httnhn.exe 98 PID 4428 wrote to memory of 1468 4428 fffxxrr.exe 99 PID 4428 wrote to memory of 1468 4428 fffxxrr.exe 99 PID 4428 wrote to memory of 1468 4428 fffxxrr.exe 99 PID 1468 wrote to memory of 3604 1468 9nttnb.exe 100 PID 1468 wrote to memory of 3604 1468 9nttnb.exe 100 PID 1468 wrote to memory of 3604 1468 9nttnb.exe 100 PID 3604 wrote to memory of 1288 3604 vjddv.exe 101 PID 3604 wrote to memory of 1288 3604 vjddv.exe 101 PID 3604 wrote to memory of 1288 3604 vjddv.exe 101 PID 1288 wrote to memory of 708 1288 bttnhn.exe 102 PID 1288 wrote to memory of 708 1288 bttnhn.exe 102 PID 1288 wrote to memory of 708 1288 bttnhn.exe 102 PID 708 wrote to memory of 3612 708 pjpjp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d36edb235439c2f51004e65714048cc0751b336077b71137389ec0688e2e2d5.exe"C:\Users\Admin\AppData\Local\Temp\1d36edb235439c2f51004e65714048cc0751b336077b71137389ec0688e2e2d5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\xrfrxfr.exec:\xrfrxfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\nbhbtt.exec:\nbhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\vpdvv.exec:\vpdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\xllffxx.exec:\xllffxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\tnnnnn.exec:\tnnnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\7bhhbb.exec:\7bhhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\lrxrlxr.exec:\lrxrlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\rrxxlrx.exec:\rrxxlrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\lfxxrfx.exec:\lfxxrfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\7llrxlr.exec:\7llrxlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\nbhbhb.exec:\nbhbhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\dvddj.exec:\dvddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\rfxllrx.exec:\rfxllrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\dpvpj.exec:\dpvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\xlrlxrl.exec:\xlrlxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\httnhn.exec:\httnhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\fffxxrr.exec:\fffxxrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\9nttnb.exec:\9nttnb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\vjddv.exec:\vjddv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\bttnhn.exec:\bttnhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\pjpjp.exec:\pjpjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\lrffxxr.exec:\lrffxxr.exe23⤵
- Executes dropped EXE
PID:3612 -
\??\c:\vdddv.exec:\vdddv.exe24⤵
- Executes dropped EXE
PID:4008 -
\??\c:\pjdvj.exec:\pjdvj.exe25⤵
- Executes dropped EXE
PID:4960 -
\??\c:\htbtbt.exec:\htbtbt.exe26⤵
- Executes dropped EXE
PID:3940 -
\??\c:\dpvpp.exec:\dpvpp.exe27⤵
- Executes dropped EXE
PID:3872 -
\??\c:\xrxfxll.exec:\xrxfxll.exe28⤵
- Executes dropped EXE
PID:4944 -
\??\c:\tnnnhh.exec:\tnnnhh.exe29⤵
- Executes dropped EXE
PID:3584 -
\??\c:\bttthh.exec:\bttthh.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4352 -
\??\c:\pjjdd.exec:\pjjdd.exe31⤵
- Executes dropped EXE
PID:1420 -
\??\c:\vdjdv.exec:\vdjdv.exe32⤵
- Executes dropped EXE
PID:1720 -
\??\c:\rfffxxx.exec:\rfffxxx.exe33⤵
- Executes dropped EXE
PID:1096 -
\??\c:\btbtbb.exec:\btbtbb.exe34⤵
- Executes dropped EXE
PID:324 -
\??\c:\vpvpv.exec:\vpvpv.exe35⤵
- Executes dropped EXE
PID:1504 -
\??\c:\vjjjv.exec:\vjjjv.exe36⤵
- Executes dropped EXE
PID:1180 -
\??\c:\5xxxxrr.exec:\5xxxxrr.exe37⤵
- Executes dropped EXE
PID:468 -
\??\c:\tbnbth.exec:\tbnbth.exe38⤵
- Executes dropped EXE
PID:4764 -
\??\c:\nntnnn.exec:\nntnnn.exe39⤵
- Executes dropped EXE
PID:1688 -
\??\c:\dpdpj.exec:\dpdpj.exe40⤵
- Executes dropped EXE
PID:3636 -
\??\c:\9xfxxxx.exec:\9xfxxxx.exe41⤵
- Executes dropped EXE
PID:1512 -
\??\c:\9xrlflx.exec:\9xrlflx.exe42⤵
- Executes dropped EXE
PID:4300 -
\??\c:\nntnhb.exec:\nntnhb.exe43⤵
- Executes dropped EXE
PID:5036 -
\??\c:\lrxrrll.exec:\lrxrrll.exe44⤵
- Executes dropped EXE
PID:4576 -
\??\c:\htthbb.exec:\htthbb.exe45⤵
- Executes dropped EXE
PID:3424 -
\??\c:\jpdvv.exec:\jpdvv.exe46⤵
- Executes dropped EXE
PID:1716 -
\??\c:\dpvpj.exec:\dpvpj.exe47⤵
- Executes dropped EXE
PID:1160 -
\??\c:\9rxrxxx.exec:\9rxrxxx.exe48⤵
- Executes dropped EXE
PID:3596 -
\??\c:\tbtnbt.exec:\tbtnbt.exe49⤵
- Executes dropped EXE
PID:4572 -
\??\c:\pvdvv.exec:\pvdvv.exe50⤵
- Executes dropped EXE
PID:2812 -
\??\c:\lfrfrrl.exec:\lfrfrrl.exe51⤵
- Executes dropped EXE
PID:3064 -
\??\c:\9llfffx.exec:\9llfffx.exe52⤵
- Executes dropped EXE
PID:1572 -
\??\c:\hbtnhh.exec:\hbtnhh.exe53⤵
- Executes dropped EXE
PID:2708 -
\??\c:\5bnnbb.exec:\5bnnbb.exe54⤵
- Executes dropped EXE
PID:3048 -
\??\c:\vjjdp.exec:\vjjdp.exe55⤵
- Executes dropped EXE
PID:2892 -
\??\c:\xlrfrfx.exec:\xlrfrfx.exe56⤵
- Executes dropped EXE
PID:2056 -
\??\c:\ntbnbb.exec:\ntbnbb.exe57⤵
- Executes dropped EXE
PID:2364 -
\??\c:\7bbtnb.exec:\7bbtnb.exe58⤵
- Executes dropped EXE
PID:3788 -
\??\c:\jvvpp.exec:\jvvpp.exe59⤵
- Executes dropped EXE
PID:5108 -
\??\c:\fxxrllf.exec:\fxxrllf.exe60⤵
- Executes dropped EXE
PID:4680 -
\??\c:\tnbttt.exec:\tnbttt.exe61⤵
- Executes dropped EXE
PID:1920 -
\??\c:\7nnnhb.exec:\7nnnhb.exe62⤵
- Executes dropped EXE
PID:1540 -
\??\c:\jvdvp.exec:\jvdvp.exe63⤵
- Executes dropped EXE
PID:3968 -
\??\c:\9rxrlll.exec:\9rxrlll.exe64⤵
- Executes dropped EXE
PID:4700 -
\??\c:\rxxrllr.exec:\rxxrllr.exe65⤵
- Executes dropped EXE
PID:4964 -
\??\c:\tnhbtt.exec:\tnhbtt.exe66⤵PID:680
-
\??\c:\1dvpv.exec:\1dvpv.exe67⤵PID:3192
-
\??\c:\jpvpj.exec:\jpvpj.exe68⤵PID:2136
-
\??\c:\rllfllf.exec:\rllfllf.exe69⤵PID:4292
-
\??\c:\bnbhbb.exec:\bnbhbb.exe70⤵PID:1560
-
\??\c:\vppjj.exec:\vppjj.exe71⤵PID:1168
-
\??\c:\vjdvp.exec:\vjdvp.exe72⤵PID:2028
-
\??\c:\xlllfxx.exec:\xlllfxx.exe73⤵PID:320
-
\??\c:\htbttn.exec:\htbttn.exe74⤵PID:4072
-
\??\c:\vjpdp.exec:\vjpdp.exe75⤵PID:232
-
\??\c:\3vpjv.exec:\3vpjv.exe76⤵PID:112
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe77⤵PID:1132
-
\??\c:\1hbtnn.exec:\1hbtnn.exe78⤵PID:3592
-
\??\c:\vddvp.exec:\vddvp.exe79⤵PID:2788
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe80⤵PID:1360
-
\??\c:\xrxrxrl.exec:\xrxrxrl.exe81⤵PID:3300
-
\??\c:\bbtnnh.exec:\bbtnnh.exe82⤵PID:3368
-
\??\c:\pjdvv.exec:\pjdvv.exe83⤵PID:4272
-
\??\c:\llrxlxr.exec:\llrxlxr.exe84⤵PID:2672
-
\??\c:\xlrrrrr.exec:\xlrrrrr.exe85⤵PID:1288
-
\??\c:\bnthbt.exec:\bnthbt.exe86⤵PID:3880
-
\??\c:\1hhbtt.exec:\1hhbtt.exe87⤵PID:208
-
\??\c:\7jdjv.exec:\7jdjv.exe88⤵PID:5048
-
\??\c:\fffxlxr.exec:\fffxlxr.exe89⤵PID:1488
-
\??\c:\bbttnt.exec:\bbttnt.exe90⤵PID:4064
-
\??\c:\btnhhb.exec:\btnhhb.exe91⤵PID:4284
-
\??\c:\vdjvp.exec:\vdjvp.exe92⤵PID:1244
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe93⤵
- System Location Discovery: System Language Discovery
PID:3428 -
\??\c:\thhbtn.exec:\thhbtn.exe94⤵PID:3808
-
\??\c:\pvdvp.exec:\pvdvp.exe95⤵PID:4352
-
\??\c:\rxxrffx.exec:\rxxrffx.exe96⤵PID:1080
-
\??\c:\rffxllf.exec:\rffxllf.exe97⤵PID:3520
-
\??\c:\thtnhb.exec:\thtnhb.exe98⤵PID:316
-
\??\c:\9jdvj.exec:\9jdvj.exe99⤵PID:5040
-
\??\c:\9lrlxrl.exec:\9lrlxrl.exe100⤵PID:2504
-
\??\c:\nbbttn.exec:\nbbttn.exe101⤵PID:4772
-
\??\c:\bhnhbt.exec:\bhnhbt.exe102⤵PID:4612
-
\??\c:\1vvpj.exec:\1vvpj.exe103⤵PID:1660
-
\??\c:\fxxrxxr.exec:\fxxrxxr.exe104⤵PID:2844
-
\??\c:\bhbthb.exec:\bhbthb.exe105⤵PID:652
-
\??\c:\jjjjd.exec:\jjjjd.exe106⤵PID:1948
-
\??\c:\xflfrll.exec:\xflfrll.exe107⤵PID:4396
-
\??\c:\frfxfxr.exec:\frfxfxr.exe108⤵PID:1344
-
\??\c:\nbbthh.exec:\nbbthh.exe109⤵PID:4636
-
\??\c:\djdvp.exec:\djdvp.exe110⤵PID:2560
-
\??\c:\rflfrxx.exec:\rflfrxx.exe111⤵PID:4584
-
\??\c:\9flfrrx.exec:\9flfrrx.exe112⤵PID:3036
-
\??\c:\7hhtnt.exec:\7hhtnt.exe113⤵PID:4672
-
\??\c:\jvvpj.exec:\jvvpj.exe114⤵PID:3624
-
\??\c:\3ffxrrf.exec:\3ffxrrf.exe115⤵PID:2872
-
\??\c:\xlllfxr.exec:\xlllfxr.exe116⤵PID:3596
-
\??\c:\htnhhh.exec:\htnhhh.exe117⤵PID:4572
-
\??\c:\pdjvj.exec:\pdjvj.exe118⤵PID:1776
-
\??\c:\lxrlfxr.exec:\lxrlfxr.exe119⤵PID:3064
-
\??\c:\thhthb.exec:\thhthb.exe120⤵PID:4928
-
\??\c:\hntnnt.exec:\hntnnt.exe121⤵PID:3168
-
\??\c:\vdjvp.exec:\vdjvp.exe122⤵PID:4360