Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 19:07
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
00a9234320895355e6180f9f32f823e55f20f1e7a82cdccb2e78bfcb4171984e.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
00a9234320895355e6180f9f32f823e55f20f1e7a82cdccb2e78bfcb4171984e.exe
-
Size
453KB
-
MD5
6201e64431d58cd17ab33cffb5a31803
-
SHA1
4a3f8c85ac5a6cea0216124da2e4845ea0a22c2b
-
SHA256
00a9234320895355e6180f9f32f823e55f20f1e7a82cdccb2e78bfcb4171984e
-
SHA512
9c05d507f2ef835c5c2c8c3fa6b25c53783ae8d84cde366bcac5d3a6b1d6a9d2330d072d4b221c62be9aa24ecd95f091998088eabb374fe755c7462461657661
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG4:q7Tc2NYHUrAwfMp3CDG4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2844-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3520-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3356-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-1252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-1337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-1411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-1463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-1558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4008 9dvjd.exe 524 rxfxlfx.exe 1912 bttttn.exe 3840 1jjdd.exe 1392 lrrfrlf.exe 3232 7ffrrlx.exe 3388 9tnhtt.exe 2820 djjvj.exe 3536 pjvjv.exe 1000 bnhbht.exe 2316 xrrlxxr.exe 2508 nbhhht.exe 4952 pvvjv.exe 3076 hbhbhh.exe 4848 vpdvp.exe 4100 xrffxrf.exe 384 ddjdp.exe 1016 xxrlxrr.exe 4816 bnbtnh.exe 3456 vjvpd.exe 3716 btthbt.exe 2176 rrffxll.exe 4892 5bhhtb.exe 3520 llrrxxf.exe 4396 hbnnnt.exe 3848 jjpdp.exe 1272 3xxllfr.exe 3720 thbhbb.exe 1608 djvjd.exe 1148 fflfrrl.exe 4424 bbntht.exe 3032 xxfxlff.exe 4596 1xlfxrl.exe 2180 thbthb.exe 1708 9rlfffx.exe 4536 3dvpj.exe 2708 tbbbnn.exe 3292 jdvdd.exe 508 frxrlfx.exe 4476 xlrllrr.exe 744 ntnnhh.exe 4368 rrxrrlr.exe 2360 nhhbtt.exe 4364 dvpjd.exe 4176 xrlxlrx.exe 2844 htbtnn.exe 4128 thhbtn.exe 1592 pjddv.exe 2388 9rrrlrl.exe 3840 tnttnn.exe 544 dvvpp.exe 2500 9vpjd.exe 4192 7xfrffx.exe 4460 djppj.exe 2820 llrrffx.exe 2696 lxfrlfx.exe 4148 nhhbtn.exe 1180 9jpjd.exe 464 flrlxxr.exe 2616 frrrlll.exe 2508 tbtnhh.exe 4432 vdddp.exe 2668 xlfxrll.exe 2860 nhhbtt.exe -
resource yara_rule behavioral2/memory/2844-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3520-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3056-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-917-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-1116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-1252-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflfrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2844 wrote to memory of 4008 2844 00a9234320895355e6180f9f32f823e55f20f1e7a82cdccb2e78bfcb4171984e.exe 82 PID 2844 wrote to memory of 4008 2844 00a9234320895355e6180f9f32f823e55f20f1e7a82cdccb2e78bfcb4171984e.exe 82 PID 2844 wrote to memory of 4008 2844 00a9234320895355e6180f9f32f823e55f20f1e7a82cdccb2e78bfcb4171984e.exe 82 PID 4008 wrote to memory of 524 4008 9dvjd.exe 83 PID 4008 wrote to memory of 524 4008 9dvjd.exe 83 PID 4008 wrote to memory of 524 4008 9dvjd.exe 83 PID 524 wrote to memory of 1912 524 rxfxlfx.exe 84 PID 524 wrote to memory of 1912 524 rxfxlfx.exe 84 PID 524 wrote to memory of 1912 524 rxfxlfx.exe 84 PID 1912 wrote to memory of 3840 1912 bttttn.exe 85 PID 1912 wrote to memory of 3840 1912 bttttn.exe 85 PID 1912 wrote to memory of 3840 1912 bttttn.exe 85 PID 3840 wrote to memory of 1392 3840 1jjdd.exe 86 PID 3840 wrote to memory of 1392 3840 1jjdd.exe 86 PID 3840 wrote to memory of 1392 3840 1jjdd.exe 86 PID 1392 wrote to memory of 3232 1392 lrrfrlf.exe 87 PID 1392 wrote to memory of 3232 1392 lrrfrlf.exe 87 PID 1392 wrote to memory of 3232 1392 lrrfrlf.exe 87 PID 3232 wrote to memory of 3388 3232 7ffrrlx.exe 88 PID 3232 wrote to memory of 3388 3232 7ffrrlx.exe 88 PID 3232 wrote to memory of 3388 3232 7ffrrlx.exe 88 PID 3388 wrote to memory of 2820 3388 9tnhtt.exe 89 PID 3388 wrote to memory of 2820 3388 9tnhtt.exe 89 PID 3388 wrote to memory of 2820 3388 9tnhtt.exe 89 PID 2820 wrote to memory of 3536 2820 djjvj.exe 90 PID 2820 wrote to memory of 3536 2820 djjvj.exe 90 PID 2820 wrote to memory of 3536 2820 djjvj.exe 90 PID 3536 wrote to memory of 1000 3536 pjvjv.exe 91 PID 3536 wrote to memory of 1000 3536 pjvjv.exe 91 PID 3536 wrote to memory of 1000 3536 pjvjv.exe 91 PID 1000 wrote to memory of 2316 1000 bnhbht.exe 92 PID 1000 wrote to memory of 2316 1000 bnhbht.exe 92 PID 1000 wrote to memory of 2316 1000 bnhbht.exe 92 PID 2316 wrote to memory of 2508 2316 xrrlxxr.exe 93 PID 2316 wrote to memory of 
2508 2316 xrrlxxr.exe 93 PID 2316 wrote to memory of 2508 2316 xrrlxxr.exe 93 PID 2508 wrote to memory of 4952 2508 nbhhht.exe 94 PID 2508 wrote to memory of 4952 2508 nbhhht.exe 94 PID 2508 wrote to memory of 4952 2508 nbhhht.exe 94 PID 4952 wrote to memory of 3076 4952 pvvjv.exe 95 PID 4952 wrote to memory of 3076 4952 pvvjv.exe 95 PID 4952 wrote to memory of 3076 4952 pvvjv.exe 95 PID 3076 wrote to memory of 4848 3076 hbhbhh.exe 96 PID 3076 wrote to memory of 4848 3076 hbhbhh.exe 96 PID 3076 wrote to memory of 4848 3076 hbhbhh.exe 96 PID 4848 wrote to memory of 4100 4848 vpdvp.exe 97 PID 4848 wrote to memory of 4100 4848 vpdvp.exe 97 PID 4848 wrote to memory of 4100 4848 vpdvp.exe 97 PID 4100 wrote to memory of 384 4100 xrffxrf.exe 98 PID 4100 wrote to memory of 384 4100 xrffxrf.exe 98 PID 4100 wrote to memory of 384 4100 xrffxrf.exe 98 PID 384 wrote to memory of 1016 384 ddjdp.exe 99 PID 384 wrote to memory of 1016 384 ddjdp.exe 99 PID 384 wrote to memory of 1016 384 ddjdp.exe 99 PID 1016 wrote to memory of 4816 1016 xxrlxrr.exe 100 PID 1016 wrote to memory of 4816 1016 xxrlxrr.exe 100 PID 1016 wrote to memory of 4816 1016 xxrlxrr.exe 100 PID 4816 wrote to memory of 3456 4816 bnbtnh.exe 101 PID 4816 wrote to memory of 3456 4816 bnbtnh.exe 101 PID 4816 wrote to memory of 3456 4816 bnbtnh.exe 101 PID 3456 wrote to memory of 3716 3456 vjvpd.exe 102 PID 3456 wrote to memory of 3716 3456 vjvpd.exe 102 PID 3456 wrote to memory of 3716 3456 vjvpd.exe 102 PID 3716 wrote to memory of 2176 3716 btthbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\00a9234320895355e6180f9f32f823e55f20f1e7a82cdccb2e78bfcb4171984e.exe"C:\Users\Admin\AppData\Local\Temp\00a9234320895355e6180f9f32f823e55f20f1e7a82cdccb2e78bfcb4171984e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\9dvjd.exec:\9dvjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\bttttn.exec:\bttttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\1jjdd.exec:\1jjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\lrrfrlf.exec:\lrrfrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\7ffrrlx.exec:\7ffrrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\9tnhtt.exec:\9tnhtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\djjvj.exec:\djjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\pjvjv.exec:\pjvjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\bnhbht.exec:\bnhbht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\nbhhht.exec:\nbhhht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\pvvjv.exec:\pvvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\hbhbhh.exec:\hbhbhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\vpdvp.exec:\vpdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\xrffxrf.exec:\xrffxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\ddjdp.exec:\ddjdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\xxrlxrr.exec:\xxrlxrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\bnbtnh.exec:\bnbtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\vjvpd.exec:\vjvpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\btthbt.exec:\btthbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\rrffxll.exec:\rrffxll.exe23⤵
- Executes dropped EXE
PID:2176 -
\??\c:\5bhhtb.exec:\5bhhtb.exe24⤵
- Executes dropped EXE
PID:4892 -
\??\c:\llrrxxf.exec:\llrrxxf.exe25⤵
- Executes dropped EXE
PID:3520 -
\??\c:\hbnnnt.exec:\hbnnnt.exe26⤵
- Executes dropped EXE
PID:4396 -
\??\c:\jjpdp.exec:\jjpdp.exe27⤵
- Executes dropped EXE
PID:3848 -
\??\c:\3xxllfr.exec:\3xxllfr.exe28⤵
- Executes dropped EXE
PID:1272 -
\??\c:\thbhbb.exec:\thbhbb.exe29⤵
- Executes dropped EXE
PID:3720 -
\??\c:\djvjd.exec:\djvjd.exe30⤵
- Executes dropped EXE
PID:1608 -
\??\c:\fflfrrl.exec:\fflfrrl.exe31⤵
- Executes dropped EXE
PID:1148 -
\??\c:\bbntht.exec:\bbntht.exe32⤵
- Executes dropped EXE
PID:4424 -
\??\c:\xxfxlff.exec:\xxfxlff.exe33⤵
- Executes dropped EXE
PID:3032 -
\??\c:\1xlfxrl.exec:\1xlfxrl.exe34⤵
- Executes dropped EXE
PID:4596 -
\??\c:\thbthb.exec:\thbthb.exe35⤵
- Executes dropped EXE
PID:2180 -
\??\c:\9rlfffx.exec:\9rlfffx.exe36⤵
- Executes dropped EXE
PID:1708 -
\??\c:\3dvpj.exec:\3dvpj.exe37⤵
- Executes dropped EXE
PID:4536 -
\??\c:\tbbbnn.exec:\tbbbnn.exe38⤵
- Executes dropped EXE
PID:2708 -
\??\c:\jdvdd.exec:\jdvdd.exe39⤵
- Executes dropped EXE
PID:3292 -
\??\c:\frxrlfx.exec:\frxrlfx.exe40⤵
- Executes dropped EXE
PID:508 -
\??\c:\xlrllrr.exec:\xlrllrr.exe41⤵
- Executes dropped EXE
PID:4476 -
\??\c:\ntnnhh.exec:\ntnnhh.exe42⤵
- Executes dropped EXE
PID:744 -
\??\c:\rrxrrlr.exec:\rrxrrlr.exe43⤵
- Executes dropped EXE
PID:4368 -
\??\c:\nhhbtt.exec:\nhhbtt.exe44⤵
- Executes dropped EXE
PID:2360 -
\??\c:\dvpjd.exec:\dvpjd.exe45⤵
- Executes dropped EXE
PID:4364 -
\??\c:\xrlxlrx.exec:\xrlxlrx.exe46⤵
- Executes dropped EXE
PID:4176 -
\??\c:\htbtnn.exec:\htbtnn.exe47⤵
- Executes dropped EXE
PID:2844 -
\??\c:\thhbtn.exec:\thhbtn.exe48⤵
- Executes dropped EXE
PID:4128 -
\??\c:\pjddv.exec:\pjddv.exe49⤵
- Executes dropped EXE
PID:1592 -
\??\c:\9rrrlrl.exec:\9rrrlrl.exe50⤵
- Executes dropped EXE
PID:2388 -
\??\c:\tnttnn.exec:\tnttnn.exe51⤵
- Executes dropped EXE
PID:3840 -
\??\c:\dvvpp.exec:\dvvpp.exe52⤵
- Executes dropped EXE
PID:544 -
\??\c:\9vpjd.exec:\9vpjd.exe53⤵
- Executes dropped EXE
PID:2500 -
\??\c:\7xfrffx.exec:\7xfrffx.exe54⤵
- Executes dropped EXE
PID:4192 -
\??\c:\djppj.exec:\djppj.exe55⤵
- Executes dropped EXE
PID:4460 -
\??\c:\llrrffx.exec:\llrrffx.exe56⤵
- Executes dropped EXE
PID:2820 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe57⤵
- Executes dropped EXE
PID:2696 -
\??\c:\nhhbtn.exec:\nhhbtn.exe58⤵
- Executes dropped EXE
PID:4148 -
\??\c:\9jpjd.exec:\9jpjd.exe59⤵
- Executes dropped EXE
PID:1180 -
\??\c:\flrlxxr.exec:\flrlxxr.exe60⤵
- Executes dropped EXE
PID:464 -
\??\c:\frrrlll.exec:\frrrlll.exe61⤵
- Executes dropped EXE
PID:2616 -
\??\c:\tbtnhh.exec:\tbtnhh.exe62⤵
- Executes dropped EXE
PID:2508 -
\??\c:\vdddp.exec:\vdddp.exe63⤵
- Executes dropped EXE
PID:4432 -
\??\c:\xlfxrll.exec:\xlfxrll.exe64⤵
- Executes dropped EXE
PID:2668 -
\??\c:\nhhbtt.exec:\nhhbtt.exe65⤵
- Executes dropped EXE
PID:2860 -
\??\c:\hbtnnn.exec:\hbtnnn.exe66⤵PID:4044
-
\??\c:\vjvvp.exec:\vjvvp.exe67⤵PID:2412
-
\??\c:\rxrlfxx.exec:\rxrlfxx.exe68⤵PID:2976
-
\??\c:\rlrrllf.exec:\rlrrllf.exe69⤵PID:4404
-
\??\c:\hhbbtn.exec:\hhbbtn.exe70⤵PID:228
-
\??\c:\pjjjv.exec:\pjjjv.exe71⤵PID:3984
-
\??\c:\9rxlfff.exec:\9rxlfff.exe72⤵PID:3888
-
\??\c:\lfrrxrx.exec:\lfrrxrx.exe73⤵PID:4816
-
\??\c:\ttnnnh.exec:\ttnnnh.exe74⤵PID:2856
-
\??\c:\vvpjv.exec:\vvpjv.exe75⤵PID:3532
-
\??\c:\7fxrffx.exec:\7fxrffx.exe76⤵PID:3044
-
\??\c:\rrrlffx.exec:\rrrlffx.exe77⤵PID:1428
-
\??\c:\bntnnn.exec:\bntnnn.exe78⤵PID:5068
-
\??\c:\pvjdj.exec:\pvjdj.exe79⤵PID:1816
-
\??\c:\lrfxxxx.exec:\lrfxxxx.exe80⤵PID:3520
-
\??\c:\thbhbb.exec:\thbhbb.exe81⤵PID:3356
-
\??\c:\3nbnht.exec:\3nbnht.exe82⤵PID:636
-
\??\c:\fxlfxxf.exec:\fxlfxxf.exe83⤵PID:4504
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe84⤵PID:2428
-
\??\c:\bbhhnn.exec:\bbhhnn.exe85⤵PID:2216
-
\??\c:\bbnhbb.exec:\bbnhbb.exe86⤵PID:1608
-
\??\c:\9jdvj.exec:\9jdvj.exe87⤵PID:3028
-
\??\c:\xlffrrl.exec:\xlffrrl.exe88⤵PID:3704
-
\??\c:\btttnn.exec:\btttnn.exe89⤵PID:4424
-
\??\c:\jdpjd.exec:\jdpjd.exe90⤵PID:3056
-
\??\c:\5djdp.exec:\5djdp.exe91⤵PID:3304
-
\??\c:\lrxlxxr.exec:\lrxlxxr.exe92⤵PID:1464
-
\??\c:\btnhbt.exec:\btnhbt.exe93⤵PID:1956
-
\??\c:\vppjj.exec:\vppjj.exe94⤵PID:4676
-
\??\c:\5djjd.exec:\5djjd.exe95⤵PID:4556
-
\??\c:\rffxlll.exec:\rffxlll.exe96⤵PID:2764
-
\??\c:\9ttbbb.exec:\9ttbbb.exe97⤵PID:4248
-
\??\c:\5jdvp.exec:\5jdvp.exe98⤵PID:1564
-
\??\c:\lfrlllr.exec:\lfrlllr.exe99⤵PID:3376
-
\??\c:\nttnhh.exec:\nttnhh.exe100⤵PID:4896
-
\??\c:\7pvpd.exec:\7pvpd.exe101⤵PID:828
-
\??\c:\ffffxlf.exec:\ffffxlf.exe102⤵PID:3596
-
\??\c:\9rxrxxf.exec:\9rxrxxf.exe103⤵PID:4380
-
\??\c:\nthbtb.exec:\nthbtb.exe104⤵PID:4364
-
\??\c:\pddvj.exec:\pddvj.exe105⤵PID:720
-
\??\c:\xrfxlfl.exec:\xrfxlfl.exe106⤵PID:2844
-
\??\c:\lxxxllf.exec:\lxxxllf.exe107⤵PID:4188
-
\??\c:\nnnhhb.exec:\nnnhhb.exe108⤵PID:1912
-
\??\c:\ppdpp.exec:\ppdpp.exe109⤵PID:2364
-
\??\c:\lrllrrx.exec:\lrllrrx.exe110⤵PID:3920
-
\??\c:\xflfxxx.exec:\xflfxxx.exe111⤵PID:2112
-
\??\c:\hnttnn.exec:\hnttnn.exe112⤵PID:4876
-
\??\c:\nnbnth.exec:\nnbnth.exe113⤵PID:1584
-
\??\c:\7pvvp.exec:\7pvvp.exe114⤵PID:4192
-
\??\c:\lrfxxrf.exec:\lrfxxrf.exe115⤵PID:5060
-
\??\c:\7hbttt.exec:\7hbttt.exe116⤵PID:4576
-
\??\c:\jvvdp.exec:\jvvdp.exe117⤵PID:3980
-
\??\c:\lfxrllf.exec:\lfxrllf.exe118⤵PID:4148
-
\??\c:\ttnhhh.exec:\ttnhhh.exe119⤵PID:1180
-
\??\c:\dddvp.exec:\dddvp.exe120⤵PID:4592
-
\??\c:\fxffffl.exec:\fxffffl.exe121⤵PID:4828
-
\??\c:\tnttnn.exec:\tnttnn.exe122⤵PID:3640