Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 22:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
47c132460dd78befed1b89fa1e788536de9ebf8b16dfcac9e3b0ba4801716ac7.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
47c132460dd78befed1b89fa1e788536de9ebf8b16dfcac9e3b0ba4801716ac7.exe
-
Size
456KB
-
MD5
fec902f22894b297e6fbc4755a00320a
-
SHA1
75d5a389e0651b25a8f9e6ec9a39a5752bac2bda
-
SHA256
47c132460dd78befed1b89fa1e788536de9ebf8b16dfcac9e3b0ba4801716ac7
-
SHA512
5aaba52cd2dd108cfdc9cf7572f39875833d1ee089f1fe5a9bab222b04771bd9f3fbe7be05a9fb69c9635c2cd81b4a2424712212b8c369b7063ded6e3ec5cbd0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRe:q7Tc2NYHUrAwfMp3CDRe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3428-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3524-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/796-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1204-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-995-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4332 pdjpj.exe 452 xrxxffl.exe 4292 htttnn.exe 2920 rrrxrll.exe 5068 bttnht.exe 3436 tbhbbb.exe 2772 9jjpj.exe 4196 bnnhbb.exe 3640 pvdjv.exe 3612 bnbnhh.exe 3688 rfxrllf.exe 1204 tnttnn.exe 3528 xxlffrx.exe 2756 xxlxfrf.exe 1924 thbbhh.exe 532 llrlfxx.exe 4888 5pvdp.exe 1216 bbnhbt.exe 4432 rffxrrr.exe 4544 5vddv.exe 1796 xfxrlll.exe 3268 rxfxrlf.exe 1524 nntnbb.exe 4380 jvjjj.exe 2520 rflxllx.exe 1728 jjddv.exe 4232 rlrffrl.exe 1252 ppvpj.exe 4520 lflffff.exe 4220 htnhbb.exe 2280 vvdvp.exe 3056 pddvp.exe 3716 7pvpj.exe 3060 bbbthh.exe 1380 pjjdv.exe 3524 9vvpj.exe 1592 5ffrrrl.exe 4936 tnnnhh.exe 4868 hthbbb.exe 540 vjpjd.exe 4884 rfrllff.exe 3760 xrxffxx.exe 2964 nbhhbb.exe 3956 3vvpp.exe 2848 jvdvp.exe 796 xlxllll.exe 2172 bhtnhh.exe 4816 vdjdv.exe 4548 rfrrffx.exe 5020 frrlffx.exe 1116 nhnhnn.exe 4080 pvpdp.exe 2404 5flfffr.exe 4328 rrxxllf.exe 2804 ttbbnb.exe 4800 dvvjv.exe 4272 djvvj.exe 2880 rfxrflf.exe 4840 3nnhth.exe 2456 vvjdj.exe 4732 7lfxrxr.exe 1020 tbnnbn.exe 3596 djjvp.exe 1940 xlxrrlr.exe -
resource yara_rule behavioral2/memory/3428-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-199-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4936-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3920-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-833-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3428 wrote to memory of 4332 3428 47c132460dd78befed1b89fa1e788536de9ebf8b16dfcac9e3b0ba4801716ac7.exe 82 PID 3428 wrote to memory of 4332 3428 47c132460dd78befed1b89fa1e788536de9ebf8b16dfcac9e3b0ba4801716ac7.exe 82 PID 3428 wrote to memory of 4332 3428 47c132460dd78befed1b89fa1e788536de9ebf8b16dfcac9e3b0ba4801716ac7.exe 82 PID 4332 wrote to memory of 452 4332 pdjpj.exe 83 PID 4332 wrote to memory of 452 4332 pdjpj.exe 83 PID 4332 wrote to memory of 452 4332 pdjpj.exe 83 PID 452 wrote to memory of 4292 452 xrxxffl.exe 84 PID 452 wrote to memory of 4292 452 xrxxffl.exe 84 PID 452 wrote to memory of 4292 452 xrxxffl.exe 84 PID 4292 wrote to memory of 2920 4292 htttnn.exe 85 PID 4292 wrote to memory of 2920 4292 htttnn.exe 85 PID 4292 wrote to memory of 2920 4292 htttnn.exe 85 PID 2920 wrote to memory of 5068 2920 rrrxrll.exe 86 PID 2920 wrote to memory of 5068 2920 rrrxrll.exe 86 PID 2920 wrote to memory of 5068 2920 rrrxrll.exe 86 PID 5068 wrote to memory of 3436 5068 bttnht.exe 87 PID 5068 wrote to memory of 3436 5068 bttnht.exe 87 PID 5068 wrote to memory of 3436 5068 bttnht.exe 87 PID 3436 wrote to memory of 2772 3436 tbhbbb.exe 88 PID 3436 wrote to memory of 2772 3436 tbhbbb.exe 88 PID 3436 wrote to memory of 2772 3436 tbhbbb.exe 88 PID 2772 wrote to memory of 4196 2772 9jjpj.exe 89 PID 2772 wrote to memory of 4196 2772 9jjpj.exe 89 PID 2772 wrote to memory of 4196 2772 9jjpj.exe 89 PID 4196 wrote to memory of 3640 4196 bnnhbb.exe 90 PID 4196 wrote to memory of 3640 4196 bnnhbb.exe 90 PID 4196 wrote to memory of 3640 4196 bnnhbb.exe 90 PID 3640 wrote to memory of 3612 3640 pvdjv.exe 91 PID 3640 wrote to memory of 3612 3640 pvdjv.exe 91 PID 3640 wrote to memory of 3612 3640 pvdjv.exe 91 PID 3612 wrote to memory of 3688 3612 bnbnhh.exe 92 PID 3612 wrote to memory of 3688 3612 bnbnhh.exe 92 PID 3612 wrote to memory of 3688 3612 bnbnhh.exe 92 PID 3688 wrote to memory of 1204 3688 rfxrllf.exe 93 PID 3688 wrote to memory of 
1204 3688 rfxrllf.exe 93 PID 3688 wrote to memory of 1204 3688 rfxrllf.exe 93 PID 1204 wrote to memory of 3528 1204 tnttnn.exe 94 PID 1204 wrote to memory of 3528 1204 tnttnn.exe 94 PID 1204 wrote to memory of 3528 1204 tnttnn.exe 94 PID 3528 wrote to memory of 2756 3528 xxlffrx.exe 95 PID 3528 wrote to memory of 2756 3528 xxlffrx.exe 95 PID 3528 wrote to memory of 2756 3528 xxlffrx.exe 95 PID 2756 wrote to memory of 1924 2756 xxlxfrf.exe 96 PID 2756 wrote to memory of 1924 2756 xxlxfrf.exe 96 PID 2756 wrote to memory of 1924 2756 xxlxfrf.exe 96 PID 1924 wrote to memory of 532 1924 thbbhh.exe 97 PID 1924 wrote to memory of 532 1924 thbbhh.exe 97 PID 1924 wrote to memory of 532 1924 thbbhh.exe 97 PID 532 wrote to memory of 4888 532 llrlfxx.exe 98 PID 532 wrote to memory of 4888 532 llrlfxx.exe 98 PID 532 wrote to memory of 4888 532 llrlfxx.exe 98 PID 4888 wrote to memory of 1216 4888 5pvdp.exe 99 PID 4888 wrote to memory of 1216 4888 5pvdp.exe 99 PID 4888 wrote to memory of 1216 4888 5pvdp.exe 99 PID 1216 wrote to memory of 4432 1216 bbnhbt.exe 100 PID 1216 wrote to memory of 4432 1216 bbnhbt.exe 100 PID 1216 wrote to memory of 4432 1216 bbnhbt.exe 100 PID 4432 wrote to memory of 4544 4432 rffxrrr.exe 101 PID 4432 wrote to memory of 4544 4432 rffxrrr.exe 101 PID 4432 wrote to memory of 4544 4432 rffxrrr.exe 101 PID 4544 wrote to memory of 1796 4544 5vddv.exe 102 PID 4544 wrote to memory of 1796 4544 5vddv.exe 102 PID 4544 wrote to memory of 1796 4544 5vddv.exe 102 PID 1796 wrote to memory of 3268 1796 xfxrlll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\47c132460dd78befed1b89fa1e788536de9ebf8b16dfcac9e3b0ba4801716ac7.exe"C:\Users\Admin\AppData\Local\Temp\47c132460dd78befed1b89fa1e788536de9ebf8b16dfcac9e3b0ba4801716ac7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\pdjpj.exec:\pdjpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\xrxxffl.exec:\xrxxffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\htttnn.exec:\htttnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\rrrxrll.exec:\rrrxrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\bttnht.exec:\bttnht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\tbhbbb.exec:\tbhbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\9jjpj.exec:\9jjpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\bnnhbb.exec:\bnnhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\pvdjv.exec:\pvdjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\bnbnhh.exec:\bnbnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\rfxrllf.exec:\rfxrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\tnttnn.exec:\tnttnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\xxlffrx.exec:\xxlffrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\xxlxfrf.exec:\xxlxfrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\thbbhh.exec:\thbbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\llrlfxx.exec:\llrlfxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\5pvdp.exec:\5pvdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\bbnhbt.exec:\bbnhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\rffxrrr.exec:\rffxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\5vddv.exec:\5vddv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\xfxrlll.exec:\xfxrlll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe23⤵
- Executes dropped EXE
PID:3268 -
\??\c:\nntnbb.exec:\nntnbb.exe24⤵
- Executes dropped EXE
PID:1524 -
\??\c:\jvjjj.exec:\jvjjj.exe25⤵
- Executes dropped EXE
PID:4380 -
\??\c:\rflxllx.exec:\rflxllx.exe26⤵
- Executes dropped EXE
PID:2520 -
\??\c:\jjddv.exec:\jjddv.exe27⤵
- Executes dropped EXE
PID:1728 -
\??\c:\rlrffrl.exec:\rlrffrl.exe28⤵
- Executes dropped EXE
PID:4232 -
\??\c:\ppvpj.exec:\ppvpj.exe29⤵
- Executes dropped EXE
PID:1252 -
\??\c:\lflffff.exec:\lflffff.exe30⤵
- Executes dropped EXE
PID:4520 -
\??\c:\htnhbb.exec:\htnhbb.exe31⤵
- Executes dropped EXE
PID:4220 -
\??\c:\vvdvp.exec:\vvdvp.exe32⤵
- Executes dropped EXE
PID:2280 -
\??\c:\pddvp.exec:\pddvp.exe33⤵
- Executes dropped EXE
PID:3056 -
\??\c:\7pvpj.exec:\7pvpj.exe34⤵
- Executes dropped EXE
PID:3716 -
\??\c:\bbbthh.exec:\bbbthh.exe35⤵
- Executes dropped EXE
PID:3060 -
\??\c:\pjjdv.exec:\pjjdv.exe36⤵
- Executes dropped EXE
PID:1380 -
\??\c:\9vvpj.exec:\9vvpj.exe37⤵
- Executes dropped EXE
PID:3524 -
\??\c:\5ffrrrl.exec:\5ffrrrl.exe38⤵
- Executes dropped EXE
PID:1592 -
\??\c:\tnnnhh.exec:\tnnnhh.exe39⤵
- Executes dropped EXE
PID:4936 -
\??\c:\hthbbb.exec:\hthbbb.exe40⤵
- Executes dropped EXE
PID:4868 -
\??\c:\vjpjd.exec:\vjpjd.exe41⤵
- Executes dropped EXE
PID:540 -
\??\c:\rfrllff.exec:\rfrllff.exe42⤵
- Executes dropped EXE
PID:4884 -
\??\c:\xrxffxx.exec:\xrxffxx.exe43⤵
- Executes dropped EXE
PID:3760 -
\??\c:\nbhhbb.exec:\nbhhbb.exe44⤵
- Executes dropped EXE
PID:2964 -
\??\c:\3vvpp.exec:\3vvpp.exe45⤵
- Executes dropped EXE
PID:3956 -
\??\c:\jvdvp.exec:\jvdvp.exe46⤵
- Executes dropped EXE
PID:2848 -
\??\c:\xlxllll.exec:\xlxllll.exe47⤵
- Executes dropped EXE
PID:796 -
\??\c:\bhtnhh.exec:\bhtnhh.exe48⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vdjdv.exec:\vdjdv.exe49⤵
- Executes dropped EXE
PID:4816 -
\??\c:\rfrrffx.exec:\rfrrffx.exe50⤵
- Executes dropped EXE
PID:4548 -
\??\c:\frrlffx.exec:\frrlffx.exe51⤵
- Executes dropped EXE
PID:5020 -
\??\c:\nhnhnn.exec:\nhnhnn.exe52⤵
- Executes dropped EXE
PID:1116 -
\??\c:\pvpdp.exec:\pvpdp.exe53⤵
- Executes dropped EXE
PID:4080 -
\??\c:\5flfffr.exec:\5flfffr.exe54⤵
- Executes dropped EXE
PID:2404 -
\??\c:\rrxxllf.exec:\rrxxllf.exe55⤵
- Executes dropped EXE
PID:4328 -
\??\c:\ttbbnb.exec:\ttbbnb.exe56⤵
- Executes dropped EXE
PID:2804 -
\??\c:\dvvjv.exec:\dvvjv.exe57⤵
- Executes dropped EXE
PID:4800 -
\??\c:\djvvj.exec:\djvvj.exe58⤵
- Executes dropped EXE
PID:4272 -
\??\c:\rfxrflf.exec:\rfxrflf.exe59⤵
- Executes dropped EXE
PID:2880 -
\??\c:\3nnhth.exec:\3nnhth.exe60⤵
- Executes dropped EXE
PID:4840 -
\??\c:\vvjdj.exec:\vvjdj.exe61⤵
- Executes dropped EXE
PID:2456 -
\??\c:\7lfxrxr.exec:\7lfxrxr.exe62⤵
- Executes dropped EXE
PID:4732 -
\??\c:\tbnnbn.exec:\tbnnbn.exe63⤵
- Executes dropped EXE
PID:1020 -
\??\c:\djjvp.exec:\djjvp.exe64⤵
- Executes dropped EXE
PID:3596 -
\??\c:\xlxrrlr.exec:\xlxrrlr.exe65⤵
- Executes dropped EXE
PID:1940 -
\??\c:\fxfrllf.exec:\fxfrllf.exe66⤵PID:2552
-
\??\c:\ntbtnn.exec:\ntbtnn.exe67⤵PID:4196
-
\??\c:\djpvj.exec:\djpvj.exe68⤵PID:3640
-
\??\c:\rflfxrr.exec:\rflfxrr.exe69⤵PID:4540
-
\??\c:\ttbbht.exec:\ttbbht.exe70⤵PID:5072
-
\??\c:\vjpjv.exec:\vjpjv.exe71⤵PID:1448
-
\??\c:\xxlxrrl.exec:\xxlxrrl.exe72⤵PID:1204
-
\??\c:\tnnbtn.exec:\tnnbtn.exe73⤵PID:928
-
\??\c:\dvdvd.exec:\dvdvd.exe74⤵PID:2092
-
\??\c:\pjvpd.exec:\pjvpd.exe75⤵PID:2276
-
\??\c:\xrxrllf.exec:\xrxrllf.exe76⤵PID:464
-
\??\c:\bnnhhb.exec:\bnnhhb.exe77⤵PID:4388
-
\??\c:\pjvpp.exec:\pjvpp.exe78⤵PID:1612
-
\??\c:\ddjdv.exec:\ddjdv.exe79⤵PID:3016
-
\??\c:\rlxlfxl.exec:\rlxlfxl.exe80⤵PID:4212
-
\??\c:\nhttbt.exec:\nhttbt.exe81⤵PID:3788
-
\??\c:\vjjvv.exec:\vjjvv.exe82⤵PID:2016
-
\??\c:\3vvpv.exec:\3vvpv.exe83⤵PID:1312
-
\??\c:\lllfffx.exec:\lllfffx.exe84⤵PID:5076
-
\??\c:\bthhnn.exec:\bthhnn.exe85⤵PID:4064
-
\??\c:\9vdvp.exec:\9vdvp.exe86⤵PID:1444
-
\??\c:\dddvp.exec:\dddvp.exe87⤵PID:3920
-
\??\c:\fxlxrlf.exec:\fxlxrlf.exe88⤵PID:5060
-
\??\c:\thnhbb.exec:\thnhbb.exe89⤵PID:3756
-
\??\c:\5pjdp.exec:\5pjdp.exe90⤵PID:3668
-
\??\c:\lffxxrl.exec:\lffxxrl.exe91⤵PID:1776
-
\??\c:\ntbnhh.exec:\ntbnhh.exe92⤵PID:2780
-
\??\c:\1jpdj.exec:\1jpdj.exe93⤵PID:4364
-
\??\c:\3jdvp.exec:\3jdvp.exe94⤵PID:3328
-
\??\c:\rxxflrx.exec:\rxxflrx.exe95⤵PID:3932
-
\??\c:\btbbhh.exec:\btbbhh.exe96⤵PID:4220
-
\??\c:\bbnhhh.exec:\bbnhhh.exe97⤵PID:4972
-
\??\c:\dppjv.exec:\dppjv.exe98⤵PID:4940
-
\??\c:\3xxlffr.exec:\3xxlffr.exe99⤵PID:1696
-
\??\c:\nbbtnh.exec:\nbbtnh.exe100⤵PID:2304
-
\??\c:\jdvpj.exec:\jdvpj.exe101⤵PID:2168
-
\??\c:\1lfxllf.exec:\1lfxllf.exe102⤵PID:3192
-
\??\c:\tbhtnn.exec:\tbhtnn.exe103⤵PID:3924
-
\??\c:\ppvvj.exec:\ppvvj.exe104⤵PID:3584
-
\??\c:\lrfxrrl.exec:\lrfxrrl.exe105⤵PID:2640
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe106⤵PID:4628
-
\??\c:\btbbbn.exec:\btbbbn.exe107⤵PID:4436
-
\??\c:\jddjv.exec:\jddjv.exe108⤵PID:540
-
\??\c:\xlxrlrl.exec:\xlxrlrl.exe109⤵PID:1540
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe110⤵PID:3812
-
\??\c:\1tbtbb.exec:\1tbtbb.exe111⤵PID:4932
-
\??\c:\pddpd.exec:\pddpd.exe112⤵PID:3480
-
\??\c:\fxxrrll.exec:\fxxrrll.exe113⤵PID:2432
-
\??\c:\rrrxrrr.exec:\rrrxrrr.exe114⤵PID:3672
-
\??\c:\nhbbtn.exec:\nhbbtn.exe115⤵PID:3108
-
\??\c:\pvdvp.exec:\pvdvp.exe116⤵PID:2652
-
\??\c:\frrfllx.exec:\frrfllx.exe117⤵PID:2884
-
\??\c:\nhhbtb.exec:\nhhbtb.exe118⤵PID:2876
-
\??\c:\tntnnh.exec:\tntnnh.exe119⤵PID:3116
-
\??\c:\5ddjv.exec:\5ddjv.exe120⤵PID:1116
-
\??\c:\rflxxxx.exec:\rflxxxx.exe121⤵PID:4080
-
\??\c:\tbhhbt.exec:\tbhhbt.exe122⤵PID:2404