Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 19:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ffb7b41188ab0e8bdaa51cc89c2775dffb9c9251c0b30573f9bcda4393f74745N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
ffb7b41188ab0e8bdaa51cc89c2775dffb9c9251c0b30573f9bcda4393f74745N.exe
-
Size
454KB
-
MD5
1b718d0a33a75f0e94b32967ac276790
-
SHA1
9b3a50af913c4a023ab82a4946395ae0e538c4ab
-
SHA256
ffb7b41188ab0e8bdaa51cc89c2775dffb9c9251c0b30573f9bcda4393f74745
-
SHA512
20fa19614a18abeec677fbb950ada4e13ce104a331324bf7a931054cd6159f48c80104c960ba0c8d3867aa90ee5927cdaaa077c6a8cc2c4ddb5e23fb3bbc3fbb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2808-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4628-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1692-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-1316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1804-1706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4840 rxfxxlr.exe 4824 pvddv.exe 4032 dppjj.exe 3040 nbnbtt.exe 1532 flxxlrf.exe 1824 bbnnnn.exe 5092 3nhbbb.exe 3652 ddddd.exe 2292 nhbbnn.exe 4936 nbhhhh.exe 4152 bhbbbt.exe 3548 pvjjv.exe 2656 5lrrrxx.exe 3096 vvjjv.exe 4304 nbhhhn.exe 2204 nbtttt.exe 3868 djjjj.exe 4252 tbbbtb.exe 3504 tbhhhn.exe 4156 hnbbtt.exe 2496 rrlffxx.exe 1756 tnnbbh.exe 2428 1rrfxxr.exe 948 pjddd.exe 1224 lxxlfxr.exe 912 jpjjj.exe 5100 thhhbt.exe 2964 rfffllf.exe 4628 ffllrll.exe 2468 1xrrllf.exe 4616 rfllrxl.exe 772 httnnb.exe 2212 hhhbnn.exe 3700 3ppjj.exe 1828 lxfxrxr.exe 1912 tbhbnt.exe 2620 5hnhnb.exe 1516 pvpjd.exe 2856 frrlxrr.exe 376 nthbtt.exe 4388 pjpjv.exe 4008 1lllffx.exe 4680 7nbtnn.exe 2188 jvdvp.exe 1084 5rfxxxx.exe 4464 fxxrlfx.exe 856 1tnbth.exe 4372 5jjjd.exe 3508 rxxxffx.exe 1296 lllffxr.exe 1872 hbtnhb.exe 3844 djvvp.exe 1440 rffxllf.exe 2328 3lffxlx.exe 2136 nhhbtb.exe 5024 vppjd.exe 3204 3rrrlll.exe 1824 hhbtnn.exe 2040 pddpv.exe 2948 vdppj.exe 996 frrxxxx.exe 968 hhtbtn.exe 4444 9jjdp.exe 2472 3ddvj.exe -
resource yara_rule behavioral2/memory/2808-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-181-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2212-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1744-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-583-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 4840 2808 ffb7b41188ab0e8bdaa51cc89c2775dffb9c9251c0b30573f9bcda4393f74745N.exe 83 PID 2808 wrote to memory of 4840 2808 ffb7b41188ab0e8bdaa51cc89c2775dffb9c9251c0b30573f9bcda4393f74745N.exe 83 PID 2808 wrote to memory of 4840 2808 ffb7b41188ab0e8bdaa51cc89c2775dffb9c9251c0b30573f9bcda4393f74745N.exe 83 PID 4840 wrote to memory of 4824 4840 rxfxxlr.exe 84 PID 4840 wrote to memory of 4824 4840 rxfxxlr.exe 84 PID 4840 wrote to memory of 4824 4840 rxfxxlr.exe 84 PID 4824 wrote to memory of 4032 4824 pvddv.exe 85 PID 4824 wrote to memory of 4032 4824 pvddv.exe 85 PID 4824 wrote to memory of 4032 4824 pvddv.exe 85 PID 4032 wrote to memory of 3040 4032 dppjj.exe 86 PID 4032 wrote to memory of 3040 4032 dppjj.exe 86 PID 4032 wrote to memory of 3040 4032 dppjj.exe 86 PID 3040 wrote to memory of 1532 3040 nbnbtt.exe 87 PID 3040 wrote to memory of 1532 3040 nbnbtt.exe 87 PID 3040 wrote to memory of 1532 3040 nbnbtt.exe 87 PID 1532 wrote to memory of 1824 1532 flxxlrf.exe 88 PID 1532 wrote to memory of 1824 1532 flxxlrf.exe 88 PID 1532 wrote to memory of 1824 1532 flxxlrf.exe 88 PID 1824 wrote to memory of 5092 1824 bbnnnn.exe 89 PID 1824 wrote to memory of 5092 1824 bbnnnn.exe 89 PID 1824 wrote to memory of 5092 1824 bbnnnn.exe 89 PID 5092 wrote to memory of 3652 5092 3nhbbb.exe 90 PID 5092 wrote to memory of 3652 5092 3nhbbb.exe 90 PID 5092 wrote to memory of 3652 5092 3nhbbb.exe 90 PID 3652 wrote to memory of 2292 3652 ddddd.exe 91 PID 3652 wrote to memory of 2292 3652 ddddd.exe 91 PID 3652 wrote to memory of 2292 3652 ddddd.exe 91 PID 2292 wrote to memory of 4936 2292 nhbbnn.exe 92 PID 2292 wrote to memory of 4936 2292 nhbbnn.exe 92 PID 2292 wrote to memory of 4936 2292 nhbbnn.exe 92 PID 4936 wrote to memory of 4152 4936 nbhhhh.exe 93 PID 4936 wrote to memory of 4152 4936 nbhhhh.exe 93 PID 4936 wrote to memory of 4152 4936 nbhhhh.exe 93 PID 4152 wrote to memory of 3548 4152 bhbbbt.exe 94 PID 4152 wrote to 
memory of 3548 4152 bhbbbt.exe 94 PID 4152 wrote to memory of 3548 4152 bhbbbt.exe 94 PID 3548 wrote to memory of 2656 3548 pvjjv.exe 95 PID 3548 wrote to memory of 2656 3548 pvjjv.exe 95 PID 3548 wrote to memory of 2656 3548 pvjjv.exe 95 PID 2656 wrote to memory of 3096 2656 5lrrrxx.exe 96 PID 2656 wrote to memory of 3096 2656 5lrrrxx.exe 96 PID 2656 wrote to memory of 3096 2656 5lrrrxx.exe 96 PID 3096 wrote to memory of 4304 3096 vvjjv.exe 97 PID 3096 wrote to memory of 4304 3096 vvjjv.exe 97 PID 3096 wrote to memory of 4304 3096 vvjjv.exe 97 PID 4304 wrote to memory of 2204 4304 nbhhhn.exe 98 PID 4304 wrote to memory of 2204 4304 nbhhhn.exe 98 PID 4304 wrote to memory of 2204 4304 nbhhhn.exe 98 PID 2204 wrote to memory of 3868 2204 nbtttt.exe 99 PID 2204 wrote to memory of 3868 2204 nbtttt.exe 99 PID 2204 wrote to memory of 3868 2204 nbtttt.exe 99 PID 3868 wrote to memory of 4252 3868 djjjj.exe 100 PID 3868 wrote to memory of 4252 3868 djjjj.exe 100 PID 3868 wrote to memory of 4252 3868 djjjj.exe 100 PID 4252 wrote to memory of 3504 4252 tbbbtb.exe 101 PID 4252 wrote to memory of 3504 4252 tbbbtb.exe 101 PID 4252 wrote to memory of 3504 4252 tbbbtb.exe 101 PID 3504 wrote to memory of 4156 3504 tbhhhn.exe 102 PID 3504 wrote to memory of 4156 3504 tbhhhn.exe 102 PID 3504 wrote to memory of 4156 3504 tbhhhn.exe 102 PID 4156 wrote to memory of 2496 4156 hnbbtt.exe 103 PID 4156 wrote to memory of 2496 4156 hnbbtt.exe 103 PID 4156 wrote to memory of 2496 4156 hnbbtt.exe 103 PID 2496 wrote to memory of 1756 2496 rrlffxx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffb7b41188ab0e8bdaa51cc89c2775dffb9c9251c0b30573f9bcda4393f74745N.exe"C:\Users\Admin\AppData\Local\Temp\ffb7b41188ab0e8bdaa51cc89c2775dffb9c9251c0b30573f9bcda4393f74745N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\rxfxxlr.exec:\rxfxxlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\pvddv.exec:\pvddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\dppjj.exec:\dppjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\nbnbtt.exec:\nbnbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\flxxlrf.exec:\flxxlrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\bbnnnn.exec:\bbnnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\3nhbbb.exec:\3nhbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\ddddd.exec:\ddddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\nhbbnn.exec:\nhbbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\nbhhhh.exec:\nbhhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\bhbbbt.exec:\bhbbbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\pvjjv.exec:\pvjjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\5lrrrxx.exec:\5lrrrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\vvjjv.exec:\vvjjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\nbhhhn.exec:\nbhhhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\nbtttt.exec:\nbtttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\djjjj.exec:\djjjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\tbbbtb.exec:\tbbbtb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\tbhhhn.exec:\tbhhhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\hnbbtt.exec:\hnbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\rrlffxx.exec:\rrlffxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\tnnbbh.exec:\tnnbbh.exe23⤵
- Executes dropped EXE
PID:1756 -
\??\c:\1rrfxxr.exec:\1rrfxxr.exe24⤵
- Executes dropped EXE
PID:2428 -
\??\c:\pjddd.exec:\pjddd.exe25⤵
- Executes dropped EXE
PID:948 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe26⤵
- Executes dropped EXE
PID:1224 -
\??\c:\jpjjj.exec:\jpjjj.exe27⤵
- Executes dropped EXE
PID:912 -
\??\c:\thhhbt.exec:\thhhbt.exe28⤵
- Executes dropped EXE
PID:5100 -
\??\c:\rfffllf.exec:\rfffllf.exe29⤵
- Executes dropped EXE
PID:2964 -
\??\c:\ffllrll.exec:\ffllrll.exe30⤵
- Executes dropped EXE
PID:4628 -
\??\c:\1xrrllf.exec:\1xrrllf.exe31⤵
- Executes dropped EXE
PID:2468 -
\??\c:\rfllrxl.exec:\rfllrxl.exe32⤵
- Executes dropped EXE
PID:4616 -
\??\c:\httnnb.exec:\httnnb.exe33⤵
- Executes dropped EXE
PID:772 -
\??\c:\hhhbnn.exec:\hhhbnn.exe34⤵
- Executes dropped EXE
PID:2212 -
\??\c:\3ppjj.exec:\3ppjj.exe35⤵
- Executes dropped EXE
PID:3700 -
\??\c:\lxfxrxr.exec:\lxfxrxr.exe36⤵
- Executes dropped EXE
PID:1828 -
\??\c:\tbhbnt.exec:\tbhbnt.exe37⤵
- Executes dropped EXE
PID:1912 -
\??\c:\5hnhnb.exec:\5hnhnb.exe38⤵
- Executes dropped EXE
PID:2620 -
\??\c:\pvpjd.exec:\pvpjd.exe39⤵
- Executes dropped EXE
PID:1516 -
\??\c:\frrlxrr.exec:\frrlxrr.exe40⤵
- Executes dropped EXE
PID:2856 -
\??\c:\nthbtt.exec:\nthbtt.exe41⤵
- Executes dropped EXE
PID:376 -
\??\c:\pjpjv.exec:\pjpjv.exe42⤵
- Executes dropped EXE
PID:4388 -
\??\c:\1lllffx.exec:\1lllffx.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4008 -
\??\c:\7nbtnn.exec:\7nbtnn.exe44⤵
- Executes dropped EXE
PID:4680 -
\??\c:\jvdvp.exec:\jvdvp.exe45⤵
- Executes dropped EXE
PID:2188 -
\??\c:\5rfxxxx.exec:\5rfxxxx.exe46⤵
- Executes dropped EXE
PID:1084 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe47⤵
- Executes dropped EXE
PID:4464 -
\??\c:\1tnbth.exec:\1tnbth.exe48⤵
- Executes dropped EXE
PID:856 -
\??\c:\5jjjd.exec:\5jjjd.exe49⤵
- Executes dropped EXE
PID:4372 -
\??\c:\rxxxffx.exec:\rxxxffx.exe50⤵
- Executes dropped EXE
PID:3508 -
\??\c:\lllffxr.exec:\lllffxr.exe51⤵
- Executes dropped EXE
PID:1296 -
\??\c:\hbtnhb.exec:\hbtnhb.exe52⤵
- Executes dropped EXE
PID:1872 -
\??\c:\djvvp.exec:\djvvp.exe53⤵
- Executes dropped EXE
PID:3844 -
\??\c:\rffxllf.exec:\rffxllf.exe54⤵
- Executes dropped EXE
PID:1440 -
\??\c:\3lffxlx.exec:\3lffxlx.exe55⤵
- Executes dropped EXE
PID:2328 -
\??\c:\nhhbtb.exec:\nhhbtb.exe56⤵
- Executes dropped EXE
PID:2136 -
\??\c:\vppjd.exec:\vppjd.exe57⤵
- Executes dropped EXE
PID:5024 -
\??\c:\3rrrlll.exec:\3rrrlll.exe58⤵
- Executes dropped EXE
PID:3204 -
\??\c:\hhbtnn.exec:\hhbtnn.exe59⤵
- Executes dropped EXE
PID:1824 -
\??\c:\pddpv.exec:\pddpv.exe60⤵
- Executes dropped EXE
PID:2040 -
\??\c:\vdppj.exec:\vdppj.exe61⤵
- Executes dropped EXE
PID:2948 -
\??\c:\frrxxxx.exec:\frrxxxx.exe62⤵
- Executes dropped EXE
PID:996 -
\??\c:\hhtbtn.exec:\hhtbtn.exe63⤵
- Executes dropped EXE
PID:968 -
\??\c:\9jjdp.exec:\9jjdp.exe64⤵
- Executes dropped EXE
PID:4444 -
\??\c:\3ddvj.exec:\3ddvj.exe65⤵
- Executes dropped EXE
PID:2472 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe66⤵PID:2716
-
\??\c:\hnnhbt.exec:\hnnhbt.exe67⤵PID:228
-
\??\c:\vdjjd.exec:\vdjjd.exe68⤵PID:3712
-
\??\c:\jdjdp.exec:\jdjdp.exe69⤵PID:1692
-
\??\c:\rxfrlfl.exec:\rxfrlfl.exe70⤵PID:4044
-
\??\c:\bbhbnn.exec:\bbhbnn.exe71⤵PID:4304
-
\??\c:\7ddvj.exec:\7ddvj.exe72⤵PID:1416
-
\??\c:\7pvvp.exec:\7pvvp.exe73⤵PID:4584
-
\??\c:\xrrlfff.exec:\xrrlfff.exe74⤵PID:3852
-
\??\c:\ttnbtt.exec:\ttnbtt.exe75⤵PID:2312
-
\??\c:\jppjd.exec:\jppjd.exe76⤵PID:3772
-
\??\c:\7xfxrlf.exec:\7xfxrlf.exe77⤵PID:3104
-
\??\c:\frfxrlf.exec:\frfxrlf.exe78⤵PID:1744
-
\??\c:\3nnhbb.exec:\3nnhbb.exe79⤵PID:4112
-
\??\c:\djjdd.exec:\djjdd.exe80⤵PID:804
-
\??\c:\jvvjd.exec:\jvvjd.exe81⤵PID:1992
-
\??\c:\lffxrll.exec:\lffxrll.exe82⤵PID:2348
-
\??\c:\httnhn.exec:\httnhn.exe83⤵PID:4972
-
\??\c:\hntnbb.exec:\hntnbb.exe84⤵PID:1224
-
\??\c:\jpjdd.exec:\jpjdd.exe85⤵PID:404
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe86⤵PID:4140
-
\??\c:\1ntntt.exec:\1ntntt.exe87⤵PID:2776
-
\??\c:\jddvv.exec:\jddvv.exe88⤵PID:2928
-
\??\c:\9xrlrrl.exec:\9xrlrrl.exe89⤵PID:2224
-
\??\c:\xlfxfrl.exec:\xlfxfrl.exe90⤵PID:880
-
\??\c:\1nnhbt.exec:\1nnhbt.exe91⤵PID:2468
-
\??\c:\vvjvp.exec:\vvjvp.exe92⤵PID:832
-
\??\c:\rlfffff.exec:\rlfffff.exe93⤵PID:4200
-
\??\c:\9tbnnn.exec:\9tbnnn.exe94⤵PID:672
-
\??\c:\vjvdp.exec:\vjvdp.exe95⤵PID:3440
-
\??\c:\7rfxrxr.exec:\7rfxrxr.exe96⤵PID:3284
-
\??\c:\tbtnbt.exec:\tbtnbt.exe97⤵PID:1708
-
\??\c:\djjdp.exec:\djjdp.exe98⤵PID:392
-
\??\c:\3pjdj.exec:\3pjdj.exe99⤵PID:4884
-
\??\c:\rrrrlrr.exec:\rrrrlrr.exe100⤵PID:4256
-
\??\c:\tnhhnt.exec:\tnhhnt.exe101⤵PID:2660
-
\??\c:\vjdvp.exec:\vjdvp.exe102⤵PID:4544
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe103⤵PID:2172
-
\??\c:\3ttnhh.exec:\3ttnhh.exe104⤵PID:4008
-
\??\c:\jjpjj.exec:\jjpjj.exe105⤵PID:4680
-
\??\c:\pppvv.exec:\pppvv.exe106⤵PID:3988
-
\??\c:\rfllllf.exec:\rfllllf.exe107⤵PID:5048
-
\??\c:\7hhnnn.exec:\7hhnnn.exe108⤵PID:2860
-
\??\c:\vdjjd.exec:\vdjjd.exe109⤵PID:4524
-
\??\c:\jvjjd.exec:\jvjjd.exe110⤵PID:2140
-
\??\c:\lfrllll.exec:\lfrllll.exe111⤵PID:2808
-
\??\c:\hhhhtn.exec:\hhhhtn.exe112⤵PID:3672
-
\??\c:\vvpjd.exec:\vvpjd.exe113⤵PID:1720
-
\??\c:\rxxxrrl.exec:\rxxxrrl.exe114⤵PID:3208
-
\??\c:\hntnhh.exec:\hntnhh.exe115⤵PID:320
-
\??\c:\bhhhbt.exec:\bhhhbt.exe116⤵PID:4668
-
\??\c:\vdpvp.exec:\vdpvp.exe117⤵PID:2328
-
\??\c:\xrfffrr.exec:\xrfffrr.exe118⤵PID:2252
-
\??\c:\httnhh.exec:\httnhh.exe119⤵PID:5104
-
\??\c:\vjvpp.exec:\vjvpp.exe120⤵PID:452
-
\??\c:\jpjdd.exec:\jpjdd.exe121⤵PID:2996
-
\??\c:\xlrrrxx.exec:\xlrrrxx.exe122⤵PID:4968