Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 20:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6408b075d5af18244b4b11377ac374ea11a709fdb805f8aafe3fc7c4b1400b9.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
c6408b075d5af18244b4b11377ac374ea11a709fdb805f8aafe3fc7c4b1400b9.exe
-
Size
453KB
-
MD5
08bbfa66ab0545db85dff79225017bd8
-
SHA1
1b619042832d5cafb387a40102ed9e4b63f2b173
-
SHA256
c6408b075d5af18244b4b11377ac374ea11a709fdb805f8aafe3fc7c4b1400b9
-
SHA512
ed32f7c29e485b5cc9deee16cfed9864531ff344d20b00bfe592ca5d383a614a4ca4519b11983de347c248ab980c8990708c1fa53cb56bf2f5cce554a9b8f6b6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/116-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2744-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1572-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-936-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-1025-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-1069-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2300 rxfxrrr.exe 3660 tnnnhn.exe 3344 djvjd.exe 1568 rrfrxxf.exe 4880 1flfxfx.exe 3604 djvpj.exe 2004 bnnnhh.exe 3424 7pjjd.exe 2464 nnnhbt.exe 4428 fxrrlxr.exe 1936 xlxrrrl.exe 1796 7ttntb.exe 3368 xrrrlll.exe 3664 dpvdd.exe 3044 frrlllf.exe 3356 5vdvp.exe 2564 nbbhbb.exe 4400 ppvpj.exe 3752 7ffxrrl.exe 1784 3nhhbb.exe 1724 nthbbb.exe 3968 dvvpj.exe 1636 xrllllf.exe 1816 bnbnhn.exe 2928 jjpjd.exe 3420 lxlflfl.exe 620 9jdvp.exe 4528 7llflrl.exe 2744 7tbbhh.exe 2984 jpjdp.exe 1316 7lrffff.exe 3600 ffxfllr.exe 688 1ttnbt.exe 3496 rxfxrll.exe 736 lflxrrl.exe 936 btbthh.exe 4444 rlxxrlf.exe 1764 7hnhtn.exe 1660 tththb.exe 3872 1ddpv.exe 4332 rfffxlf.exe 4804 tnbtbt.exe 4384 9vppj.exe 1984 9btnhb.exe 2104 bhthbn.exe 1428 jvdvd.exe 764 rrxrxrx.exe 4056 1hnhhh.exe 3124 dvjvj.exe 4784 vjpvj.exe 1712 rfrfxfr.exe 4996 nhhbtn.exe 1740 vjvpj.exe 3276 7lffxxr.exe 4524 nhnhbb.exe 1512 bntbnb.exe 4608 7vjdv.exe 3448 lfflfrr.exe 3700 tbbhhn.exe 3784 1pjdp.exe 3992 flrlfxr.exe 1472 bbbnhn.exe 3320 vvpvv.exe 212 9rxxlxl.exe -
resource yara_rule behavioral2/memory/116-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4528-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-444-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4284-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-936-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-964-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 116 wrote to memory of 2300 116 c6408b075d5af18244b4b11377ac374ea11a709fdb805f8aafe3fc7c4b1400b9.exe 82 PID 116 wrote to memory of 2300 116 c6408b075d5af18244b4b11377ac374ea11a709fdb805f8aafe3fc7c4b1400b9.exe 82 PID 116 wrote to memory of 2300 116 c6408b075d5af18244b4b11377ac374ea11a709fdb805f8aafe3fc7c4b1400b9.exe 82 PID 2300 wrote to memory of 3660 2300 rxfxrrr.exe 83 PID 2300 wrote to memory of 3660 2300 rxfxrrr.exe 83 PID 2300 wrote to memory of 3660 2300 rxfxrrr.exe 83 PID 3660 wrote to memory of 3344 3660 tnnnhn.exe 84 PID 3660 wrote to memory of 3344 3660 tnnnhn.exe 84 PID 3660 wrote to memory of 3344 3660 tnnnhn.exe 84 PID 3344 wrote to memory of 1568 3344 djvjd.exe 85 PID 3344 wrote to memory of 1568 3344 djvjd.exe 85 PID 3344 wrote to memory of 1568 3344 djvjd.exe 85 PID 1568 wrote to memory of 4880 1568 rrfrxxf.exe 86 PID 1568 wrote to memory of 4880 1568 rrfrxxf.exe 86 PID 1568 wrote to memory of 4880 1568 rrfrxxf.exe 86 PID 4880 wrote to memory of 3604 4880 1flfxfx.exe 87 PID 4880 wrote to memory of 3604 4880 1flfxfx.exe 87 PID 4880 wrote to memory of 3604 4880 1flfxfx.exe 87 PID 3604 wrote to memory of 2004 3604 djvpj.exe 88 PID 3604 wrote to memory of 2004 3604 djvpj.exe 88 PID 3604 wrote to memory of 2004 3604 djvpj.exe 88 PID 2004 wrote to memory of 3424 2004 bnnnhh.exe 89 PID 2004 wrote to memory of 3424 2004 bnnnhh.exe 89 PID 2004 wrote to memory of 3424 2004 bnnnhh.exe 89 PID 3424 wrote to memory of 2464 3424 7pjjd.exe 90 PID 3424 wrote to memory of 2464 3424 7pjjd.exe 90 PID 3424 wrote to memory of 2464 3424 7pjjd.exe 90 PID 2464 wrote to memory of 4428 2464 nnnhbt.exe 91 PID 2464 wrote to memory of 4428 2464 nnnhbt.exe 91 PID 2464 wrote to memory of 4428 2464 nnnhbt.exe 91 PID 4428 wrote to memory of 1936 4428 fxrrlxr.exe 92 PID 4428 wrote to memory of 1936 4428 fxrrlxr.exe 92 PID 4428 wrote to memory of 1936 4428 fxrrlxr.exe 92 PID 1936 wrote to memory of 1796 1936 xlxrrrl.exe 93 PID 1936 wrote to 
memory of 1796 1936 xlxrrrl.exe 93 PID 1936 wrote to memory of 1796 1936 xlxrrrl.exe 93 PID 1796 wrote to memory of 3368 1796 7ttntb.exe 94 PID 1796 wrote to memory of 3368 1796 7ttntb.exe 94 PID 1796 wrote to memory of 3368 1796 7ttntb.exe 94 PID 3368 wrote to memory of 3664 3368 xrrrlll.exe 95 PID 3368 wrote to memory of 3664 3368 xrrrlll.exe 95 PID 3368 wrote to memory of 3664 3368 xrrrlll.exe 95 PID 3664 wrote to memory of 3044 3664 dpvdd.exe 96 PID 3664 wrote to memory of 3044 3664 dpvdd.exe 96 PID 3664 wrote to memory of 3044 3664 dpvdd.exe 96 PID 3044 wrote to memory of 3356 3044 frrlllf.exe 97 PID 3044 wrote to memory of 3356 3044 frrlllf.exe 97 PID 3044 wrote to memory of 3356 3044 frrlllf.exe 97 PID 3356 wrote to memory of 2564 3356 5vdvp.exe 98 PID 3356 wrote to memory of 2564 3356 5vdvp.exe 98 PID 3356 wrote to memory of 2564 3356 5vdvp.exe 98 PID 2564 wrote to memory of 4400 2564 nbbhbb.exe 99 PID 2564 wrote to memory of 4400 2564 nbbhbb.exe 99 PID 2564 wrote to memory of 4400 2564 nbbhbb.exe 99 PID 4400 wrote to memory of 3752 4400 ppvpj.exe 100 PID 4400 wrote to memory of 3752 4400 ppvpj.exe 100 PID 4400 wrote to memory of 3752 4400 ppvpj.exe 100 PID 3752 wrote to memory of 1784 3752 7ffxrrl.exe 101 PID 3752 wrote to memory of 1784 3752 7ffxrrl.exe 101 PID 3752 wrote to memory of 1784 3752 7ffxrrl.exe 101 PID 1784 wrote to memory of 1724 1784 3nhhbb.exe 102 PID 1784 wrote to memory of 1724 1784 3nhhbb.exe 102 PID 1784 wrote to memory of 1724 1784 3nhhbb.exe 102 PID 1724 wrote to memory of 3968 1724 nthbbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6408b075d5af18244b4b11377ac374ea11a709fdb805f8aafe3fc7c4b1400b9.exe"C:\Users\Admin\AppData\Local\Temp\c6408b075d5af18244b4b11377ac374ea11a709fdb805f8aafe3fc7c4b1400b9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\tnnnhn.exec:\tnnnhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\djvjd.exec:\djvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\rrfrxxf.exec:\rrfrxxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\1flfxfx.exec:\1flfxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\djvpj.exec:\djvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\bnnnhh.exec:\bnnnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\7pjjd.exec:\7pjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\nnnhbt.exec:\nnnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\fxrrlxr.exec:\fxrrlxr.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\xlxrrrl.exec:\xlxrrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\7ttntb.exec:\7ttntb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\xrrrlll.exec:\xrrrlll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\dpvdd.exec:\dpvdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\frrlllf.exec:\frrlllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\5vdvp.exec:\5vdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\nbbhbb.exec:\nbbhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\ppvpj.exec:\ppvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\7ffxrrl.exec:\7ffxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\3nhhbb.exec:\3nhhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\nthbbb.exec:\nthbbb.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\dvvpj.exec:\dvvpj.exe23⤵
- Executes dropped EXE
PID:3968 -
\??\c:\xrllllf.exec:\xrllllf.exe24⤵
- Executes dropped EXE
PID:1636 -
\??\c:\bnbnhn.exec:\bnbnhn.exe25⤵
- Executes dropped EXE
PID:1816 -
\??\c:\jjpjd.exec:\jjpjd.exe26⤵
- Executes dropped EXE
PID:2928 -
\??\c:\lxlflfl.exec:\lxlflfl.exe27⤵
- Executes dropped EXE
PID:3420 -
\??\c:\9jdvp.exec:\9jdvp.exe28⤵
- Executes dropped EXE
PID:620 -
\??\c:\7llflrl.exec:\7llflrl.exe29⤵
- Executes dropped EXE
PID:4528 -
\??\c:\7tbbhh.exec:\7tbbhh.exe30⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jpjdp.exec:\jpjdp.exe31⤵
- Executes dropped EXE
PID:2984 -
\??\c:\7lrffff.exec:\7lrffff.exe32⤵
- Executes dropped EXE
PID:1316 -
\??\c:\ffxfllr.exec:\ffxfllr.exe33⤵
- Executes dropped EXE
PID:3600 -
\??\c:\1ttnbt.exec:\1ttnbt.exe34⤵
- Executes dropped EXE
PID:688 -
\??\c:\rxfxrll.exec:\rxfxrll.exe35⤵
- Executes dropped EXE
PID:3496 -
\??\c:\lflxrrl.exec:\lflxrrl.exe36⤵
- Executes dropped EXE
PID:736 -
\??\c:\btbthh.exec:\btbthh.exe37⤵
- Executes dropped EXE
PID:936 -
\??\c:\rlxxrlf.exec:\rlxxrlf.exe38⤵
- Executes dropped EXE
PID:4444 -
\??\c:\7hnhtn.exec:\7hnhtn.exe39⤵
- Executes dropped EXE
PID:1764 -
\??\c:\tththb.exec:\tththb.exe40⤵
- Executes dropped EXE
PID:1660 -
\??\c:\1ddpv.exec:\1ddpv.exe41⤵
- Executes dropped EXE
PID:3872 -
\??\c:\rfffxlf.exec:\rfffxlf.exe42⤵
- Executes dropped EXE
PID:4332 -
\??\c:\tnbtbt.exec:\tnbtbt.exe43⤵
- Executes dropped EXE
PID:4804 -
\??\c:\9vppj.exec:\9vppj.exe44⤵
- Executes dropped EXE
PID:4384 -
\??\c:\9btnhb.exec:\9btnhb.exe45⤵
- Executes dropped EXE
PID:1984 -
\??\c:\bhthbn.exec:\bhthbn.exe46⤵
- Executes dropped EXE
PID:2104 -
\??\c:\jvdvd.exec:\jvdvd.exe47⤵
- Executes dropped EXE
PID:1428 -
\??\c:\rrxrxrx.exec:\rrxrxrx.exe48⤵
- Executes dropped EXE
PID:764 -
\??\c:\1hnhhh.exec:\1hnhhh.exe49⤵
- Executes dropped EXE
PID:4056 -
\??\c:\dvjvj.exec:\dvjvj.exe50⤵
- Executes dropped EXE
PID:3124 -
\??\c:\vjpvj.exec:\vjpvj.exe51⤵
- Executes dropped EXE
PID:4784 -
\??\c:\rfrfxfr.exec:\rfrfxfr.exe52⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nhhbtn.exec:\nhhbtn.exe53⤵
- Executes dropped EXE
PID:4996 -
\??\c:\vjvpj.exec:\vjvpj.exe54⤵
- Executes dropped EXE
PID:1740 -
\??\c:\7lffxxr.exec:\7lffxxr.exe55⤵
- Executes dropped EXE
PID:3276 -
\??\c:\nhnhbb.exec:\nhnhbb.exe56⤵
- Executes dropped EXE
PID:4524 -
\??\c:\bntbnb.exec:\bntbnb.exe57⤵
- Executes dropped EXE
PID:1512 -
\??\c:\7vjdv.exec:\7vjdv.exe58⤵
- Executes dropped EXE
PID:4608 -
\??\c:\rxxrlff.exec:\rxxrlff.exe59⤵PID:4512
-
\??\c:\lfflfrr.exec:\lfflfrr.exe60⤵
- Executes dropped EXE
PID:3448 -
\??\c:\tbbhhn.exec:\tbbhhn.exe61⤵
- Executes dropped EXE
PID:3700 -
\??\c:\1pjdp.exec:\1pjdp.exe62⤵
- Executes dropped EXE
PID:3784 -
\??\c:\flrlfxr.exec:\flrlfxr.exe63⤵
- Executes dropped EXE
PID:3992 -
\??\c:\bbbnhn.exec:\bbbnhn.exe64⤵
- Executes dropped EXE
PID:1472 -
\??\c:\vvpvv.exec:\vvpvv.exe65⤵
- Executes dropped EXE
PID:3320 -
\??\c:\9rxxlxl.exec:\9rxxlxl.exe66⤵
- Executes dropped EXE
PID:212 -
\??\c:\7ttnhb.exec:\7ttnhb.exe67⤵PID:2800
-
\??\c:\btthbt.exec:\btthbt.exe68⤵PID:3524
-
\??\c:\vjvpv.exec:\vjvpv.exe69⤵PID:4160
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe70⤵PID:4732
-
\??\c:\hhhtht.exec:\hhhtht.exe71⤵PID:2772
-
\??\c:\nntthb.exec:\nntthb.exe72⤵PID:4316
-
\??\c:\1vdvj.exec:\1vdvj.exe73⤵PID:4156
-
\??\c:\rlfrlfr.exec:\rlfrlfr.exe74⤵PID:3440
-
\??\c:\5bbtnn.exec:\5bbtnn.exe75⤵PID:3432
-
\??\c:\bbhtht.exec:\bbhtht.exe76⤵PID:668
-
\??\c:\jvjpp.exec:\jvjpp.exe77⤵PID:4484
-
\??\c:\rlxrrrr.exec:\rlxrrrr.exe78⤵PID:3176
-
\??\c:\bnbbhh.exec:\bnbbhh.exe79⤵PID:3364
-
\??\c:\vjpjd.exec:\vjpjd.exe80⤵PID:4100
-
\??\c:\xfxrrlf.exec:\xfxrrlf.exe81⤵PID:1480
-
\??\c:\bbthtn.exec:\bbthtn.exe82⤵PID:536
-
\??\c:\jdpjd.exec:\jdpjd.exe83⤵PID:5004
-
\??\c:\jvdvp.exec:\jvdvp.exe84⤵PID:2264
-
\??\c:\fxrfrfr.exec:\fxrfrfr.exe85⤵PID:1572
-
\??\c:\bnhbnn.exec:\bnhbnn.exe86⤵PID:1784
-
\??\c:\9pvvd.exec:\9pvvd.exe87⤵PID:4868
-
\??\c:\ffxfxxr.exec:\ffxfxxr.exe88⤵PID:2516
-
\??\c:\lflffxl.exec:\lflffxl.exe89⤵PID:1148
-
\??\c:\bbhttt.exec:\bbhttt.exe90⤵PID:2216
-
\??\c:\jdpjj.exec:\jdpjj.exe91⤵PID:2552
-
\??\c:\xrxrxrx.exec:\xrxrxrx.exe92⤵PID:3492
-
\??\c:\tbbbtt.exec:\tbbbtt.exe93⤵PID:3164
-
\??\c:\vpppd.exec:\vpppd.exe94⤵PID:1620
-
\??\c:\jpdjd.exec:\jpdjd.exe95⤵PID:4008
-
\??\c:\1rxxrfr.exec:\1rxxrfr.exe96⤵PID:2368
-
\??\c:\hnhnhb.exec:\hnhnhb.exe97⤵PID:2384
-
\??\c:\jjjjd.exec:\jjjjd.exe98⤵PID:5024
-
\??\c:\xrlxllx.exec:\xrlxllx.exe99⤵PID:4036
-
\??\c:\bttnbb.exec:\bttnbb.exe100⤵PID:3656
-
\??\c:\nhhttn.exec:\nhhttn.exe101⤵PID:4836
-
\??\c:\3jpjd.exec:\3jpjd.exe102⤵PID:3984
-
\??\c:\xlxllll.exec:\xlxllll.exe103⤵PID:1596
-
\??\c:\lfxrrll.exec:\lfxrrll.exe104⤵PID:1192
-
\??\c:\ddjjd.exec:\ddjjd.exe105⤵PID:4128
-
\??\c:\1xlxlfx.exec:\1xlxlfx.exe106⤵PID:2932
-
\??\c:\fxxrlll.exec:\fxxrlll.exe107⤵PID:5048
-
\??\c:\ntbttn.exec:\ntbttn.exe108⤵PID:1276
-
\??\c:\jdvpd.exec:\jdvpd.exe109⤵PID:548
-
\??\c:\rxrxfxr.exec:\rxrxfxr.exe110⤵PID:1780
-
\??\c:\bthbtt.exec:\bthbtt.exe111⤵PID:1240
-
\??\c:\1btntn.exec:\1btntn.exe112⤵PID:1052
-
\??\c:\xllfxrl.exec:\xllfxrl.exe113⤵PID:3376
-
\??\c:\5rrlfxr.exec:\5rrlfxr.exe114⤵PID:4488
-
\??\c:\thhbtn.exec:\thhbtn.exe115⤵PID:3628
-
\??\c:\9jpjv.exec:\9jpjv.exe116⤵PID:4468
-
\??\c:\xflfxlf.exec:\xflfxlf.exe117⤵PID:4284
-
\??\c:\1tnhhh.exec:\1tnhhh.exe118⤵PID:1160
-
\??\c:\pjvjp.exec:\pjvjp.exe119⤵PID:2348
-
\??\c:\vjdvp.exec:\vjdvp.exe120⤵PID:3168
-
\??\c:\flxflll.exec:\flxflll.exe121⤵PID:4228
-
\??\c:\bhbhtb.exec:\bhbhtb.exe122⤵PID:4416