Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/12/2024, 21:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
277610c6a551d1f14b9dd6d283d6fbd1f280139b2c1f808114da176a4c13b87b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
277610c6a551d1f14b9dd6d283d6fbd1f280139b2c1f808114da176a4c13b87b.exe
-
Size
456KB
-
MD5
308f9c62657646584911ab5cce117155
-
SHA1
b75919d9b063fe6118d1fc0c01ee8ca2fcedd70a
-
SHA256
277610c6a551d1f14b9dd6d283d6fbd1f280139b2c1f808114da176a4c13b87b
-
SHA512
e769d3c66e769d8a582c4301d852dca8c679850d463056eebd816162a20b17dec7e473786210563e143d07b9afa56dd8667e559d44b16106ba2478b084591331
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRz:q7Tc2NYHUrAwfMp3CDRz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3828-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2320-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3124-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-858-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-1496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1684 bnbnbh.exe 2796 pjdjp.exe 848 rxfrfrf.exe 3364 5ttnhb.exe 2132 bbhbtb.exe 3680 hbbnbt.exe 3936 pjpdv.exe 3124 frlfrfx.exe 2832 pjpdd.exe 4720 xlxrxxf.exe 644 frrlfxx.exe 4184 bttntn.exe 1076 pjjdp.exe 2384 5jvdd.exe 3944 frxrrll.exe 4640 nbhnht.exe 1500 nhnnnn.exe 1464 thhhhb.exe 4728 7rlfrrf.exe 896 bntnhh.exe 3612 hhtnbt.exe 4156 5pjvj.exe 3312 ttntth.exe 3984 ddpdp.exe 3608 frrlrlr.exe 3588 tnbthh.exe 2280 vvvpj.exe 4776 jvdpp.exe 5060 fxrrrrx.exe 400 pdjdp.exe 3652 vjpdv.exe 1152 3lxrrrl.exe 1596 tnnhtt.exe 4072 jvvpp.exe 1880 xlllfff.exe 4856 bnbtnn.exe 1144 vpvvv.exe 1504 fxrlfxr.exe 4772 7xxrlfx.exe 1920 tbnhbt.exe 1960 httbtt.exe 876 jdvpp.exe 4336 jdddd.exe 2388 rrxrlfr.exe 1088 1hhbnb.exe 4632 pjvpp.exe 4328 vpvjd.exe 376 1lrlllf.exe 3692 rfrlllr.exe 532 hbtnhh.exe 640 jpdvp.exe 4688 vdjdv.exe 1484 rlrflff.exe 2428 fxfxllf.exe 4076 nttntn.exe 1620 htnhtb.exe 3536 ddjvj.exe 556 rrfflfl.exe 4860 3lrlllr.exe 464 tnbhhb.exe 3472 nhnntn.exe 4448 dppjd.exe 1448 jvpvp.exe 2336 fxxrllf.exe -
resource yara_rule behavioral2/memory/3828-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-296-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2320-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3664-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-852-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3828 wrote to memory of 1684 3828 277610c6a551d1f14b9dd6d283d6fbd1f280139b2c1f808114da176a4c13b87b.exe 84 PID 3828 wrote to memory of 1684 3828 277610c6a551d1f14b9dd6d283d6fbd1f280139b2c1f808114da176a4c13b87b.exe 84 PID 3828 wrote to memory of 1684 3828 277610c6a551d1f14b9dd6d283d6fbd1f280139b2c1f808114da176a4c13b87b.exe 84 PID 1684 wrote to memory of 2796 1684 bnbnbh.exe 85 PID 1684 wrote to memory of 2796 1684 bnbnbh.exe 85 PID 1684 wrote to memory of 2796 1684 bnbnbh.exe 85 PID 2796 wrote to memory of 848 2796 pjdjp.exe 86 PID 2796 wrote to memory of 848 2796 pjdjp.exe 86 PID 2796 wrote to memory of 848 2796 pjdjp.exe 86 PID 848 wrote to memory of 3364 848 rxfrfrf.exe 87 PID 848 wrote to memory of 3364 848 rxfrfrf.exe 87 PID 848 wrote to memory of 3364 848 rxfrfrf.exe 87 PID 3364 wrote to memory of 2132 3364 5ttnhb.exe 88 PID 3364 wrote to memory of 2132 3364 5ttnhb.exe 88 PID 3364 wrote to memory of 2132 3364 5ttnhb.exe 88 PID 2132 wrote to memory of 3680 2132 bbhbtb.exe 89 PID 2132 wrote to memory of 3680 2132 bbhbtb.exe 89 PID 2132 wrote to memory of 3680 2132 bbhbtb.exe 89 PID 3680 wrote to memory of 3936 3680 hbbnbt.exe 90 PID 3680 wrote to memory of 3936 3680 hbbnbt.exe 90 PID 3680 wrote to memory of 3936 3680 hbbnbt.exe 90 PID 3936 wrote to memory of 3124 3936 pjpdv.exe 91 PID 3936 wrote to memory of 3124 3936 pjpdv.exe 91 PID 3936 wrote to memory of 3124 3936 pjpdv.exe 91 PID 3124 wrote to memory of 2832 3124 frlfrfx.exe 92 PID 3124 wrote to memory of 2832 3124 frlfrfx.exe 92 PID 3124 wrote to memory of 2832 3124 frlfrfx.exe 92 PID 2832 wrote to memory of 4720 2832 pjpdd.exe 93 PID 2832 wrote to memory of 4720 2832 pjpdd.exe 93 PID 2832 wrote to memory of 4720 2832 pjpdd.exe 93 PID 4720 wrote to memory of 644 4720 xlxrxxf.exe 94 PID 4720 wrote to memory of 644 4720 xlxrxxf.exe 94 PID 4720 wrote to memory of 644 4720 xlxrxxf.exe 94 PID 644 wrote to memory of 4184 644 frrlfxx.exe 95 PID 644 wrote to memory of 4184 
644 frrlfxx.exe 95 PID 644 wrote to memory of 4184 644 frrlfxx.exe 95 PID 4184 wrote to memory of 1076 4184 bttntn.exe 96 PID 4184 wrote to memory of 1076 4184 bttntn.exe 96 PID 4184 wrote to memory of 1076 4184 bttntn.exe 96 PID 1076 wrote to memory of 2384 1076 pjjdp.exe 97 PID 1076 wrote to memory of 2384 1076 pjjdp.exe 97 PID 1076 wrote to memory of 2384 1076 pjjdp.exe 97 PID 2384 wrote to memory of 3944 2384 5jvdd.exe 98 PID 2384 wrote to memory of 3944 2384 5jvdd.exe 98 PID 2384 wrote to memory of 3944 2384 5jvdd.exe 98 PID 3944 wrote to memory of 4640 3944 frxrrll.exe 99 PID 3944 wrote to memory of 4640 3944 frxrrll.exe 99 PID 3944 wrote to memory of 4640 3944 frxrrll.exe 99 PID 4640 wrote to memory of 1500 4640 nbhnht.exe 100 PID 4640 wrote to memory of 1500 4640 nbhnht.exe 100 PID 4640 wrote to memory of 1500 4640 nbhnht.exe 100 PID 1500 wrote to memory of 1464 1500 nhnnnn.exe 101 PID 1500 wrote to memory of 1464 1500 nhnnnn.exe 101 PID 1500 wrote to memory of 1464 1500 nhnnnn.exe 101 PID 1464 wrote to memory of 4728 1464 thhhhb.exe 102 PID 1464 wrote to memory of 4728 1464 thhhhb.exe 102 PID 1464 wrote to memory of 4728 1464 thhhhb.exe 102 PID 4728 wrote to memory of 896 4728 7rlfrrf.exe 157 PID 4728 wrote to memory of 896 4728 7rlfrrf.exe 157 PID 4728 wrote to memory of 896 4728 7rlfrrf.exe 157 PID 896 wrote to memory of 3612 896 bntnhh.exe 104 PID 896 wrote to memory of 3612 896 bntnhh.exe 104 PID 896 wrote to memory of 3612 896 bntnhh.exe 104 PID 3612 wrote to memory of 4156 3612 hhtnbt.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\277610c6a551d1f14b9dd6d283d6fbd1f280139b2c1f808114da176a4c13b87b.exe"C:\Users\Admin\AppData\Local\Temp\277610c6a551d1f14b9dd6d283d6fbd1f280139b2c1f808114da176a4c13b87b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\bnbnbh.exec:\bnbnbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\pjdjp.exec:\pjdjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\rxfrfrf.exec:\rxfrfrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
\??\c:\5ttnhb.exec:\5ttnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\bbhbtb.exec:\bbhbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\hbbnbt.exec:\hbbnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\pjpdv.exec:\pjpdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\frlfrfx.exec:\frlfrfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\pjpdd.exec:\pjpdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\xlxrxxf.exec:\xlxrxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\frrlfxx.exec:\frrlfxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\bttntn.exec:\bttntn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\pjjdp.exec:\pjjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\5jvdd.exec:\5jvdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\frxrrll.exec:\frxrrll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\nbhnht.exec:\nbhnht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\nhnnnn.exec:\nhnnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\thhhhb.exec:\thhhhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\7rlfrrf.exec:\7rlfrrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\bntnhh.exec:\bntnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\hhtnbt.exec:\hhtnbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\5pjvj.exec:\5pjvj.exe23⤵
- Executes dropped EXE
PID:4156 -
\??\c:\ttntth.exec:\ttntth.exe24⤵
- Executes dropped EXE
PID:3312 -
\??\c:\ddpdp.exec:\ddpdp.exe25⤵
- Executes dropped EXE
PID:3984 -
\??\c:\frrlrlr.exec:\frrlrlr.exe26⤵
- Executes dropped EXE
PID:3608 -
\??\c:\tnbthh.exec:\tnbthh.exe27⤵
- Executes dropped EXE
PID:3588 -
\??\c:\vvvpj.exec:\vvvpj.exe28⤵
- Executes dropped EXE
PID:2280 -
\??\c:\jvdpp.exec:\jvdpp.exe29⤵
- Executes dropped EXE
PID:4776 -
\??\c:\fxrrrrx.exec:\fxrrrrx.exe30⤵
- Executes dropped EXE
PID:5060 -
\??\c:\pdjdp.exec:\pdjdp.exe31⤵
- Executes dropped EXE
PID:400 -
\??\c:\vjpdv.exec:\vjpdv.exe32⤵
- Executes dropped EXE
PID:3652 -
\??\c:\3lxrrrl.exec:\3lxrrrl.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152 -
\??\c:\tnnhtt.exec:\tnnhtt.exe34⤵
- Executes dropped EXE
PID:1596 -
\??\c:\jvvpp.exec:\jvvpp.exe35⤵
- Executes dropped EXE
PID:4072 -
\??\c:\xlllfff.exec:\xlllfff.exe36⤵
- Executes dropped EXE
PID:1880 -
\??\c:\bnbtnn.exec:\bnbtnn.exe37⤵
- Executes dropped EXE
PID:4856 -
\??\c:\vpvvv.exec:\vpvvv.exe38⤵
- Executes dropped EXE
PID:1144 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe39⤵
- Executes dropped EXE
PID:1504 -
\??\c:\7xxrlfx.exec:\7xxrlfx.exe40⤵
- Executes dropped EXE
PID:4772 -
\??\c:\tbnhbt.exec:\tbnhbt.exe41⤵
- Executes dropped EXE
PID:1920 -
\??\c:\httbtt.exec:\httbtt.exe42⤵
- Executes dropped EXE
PID:1960 -
\??\c:\jdvpp.exec:\jdvpp.exe43⤵
- Executes dropped EXE
PID:876 -
\??\c:\jdddd.exec:\jdddd.exe44⤵
- Executes dropped EXE
PID:4336 -
\??\c:\rrxrlfr.exec:\rrxrlfr.exe45⤵
- Executes dropped EXE
PID:2388 -
\??\c:\1hhbnb.exec:\1hhbnb.exe46⤵
- Executes dropped EXE
PID:1088 -
\??\c:\pjvpp.exec:\pjvpp.exe47⤵
- Executes dropped EXE
PID:4632 -
\??\c:\vpvjd.exec:\vpvjd.exe48⤵
- Executes dropped EXE
PID:4328 -
\??\c:\1lrlllf.exec:\1lrlllf.exe49⤵
- Executes dropped EXE
PID:376 -
\??\c:\rfrlllr.exec:\rfrlllr.exe50⤵
- Executes dropped EXE
PID:3692 -
\??\c:\hbtnhh.exec:\hbtnhh.exe51⤵
- Executes dropped EXE
PID:532 -
\??\c:\jpdvp.exec:\jpdvp.exe52⤵
- Executes dropped EXE
PID:640 -
\??\c:\vdjdv.exec:\vdjdv.exe53⤵
- Executes dropped EXE
PID:4688 -
\??\c:\rlrflff.exec:\rlrflff.exe54⤵
- Executes dropped EXE
PID:1484 -
\??\c:\fxfxllf.exec:\fxfxllf.exe55⤵
- Executes dropped EXE
PID:2428 -
\??\c:\nttntn.exec:\nttntn.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4076 -
\??\c:\htnhtb.exec:\htnhtb.exe57⤵
- Executes dropped EXE
PID:1620 -
\??\c:\ddjvj.exec:\ddjvj.exe58⤵
- Executes dropped EXE
PID:3536 -
\??\c:\rrfflfl.exec:\rrfflfl.exe59⤵
- Executes dropped EXE
PID:556 -
\??\c:\3lrlllr.exec:\3lrlllr.exe60⤵
- Executes dropped EXE
PID:4860 -
\??\c:\tnbhhb.exec:\tnbhhb.exe61⤵
- Executes dropped EXE
PID:464 -
\??\c:\nhnntn.exec:\nhnntn.exe62⤵
- Executes dropped EXE
PID:3472 -
\??\c:\dppjd.exec:\dppjd.exe63⤵
- Executes dropped EXE
PID:4448 -
\??\c:\jvpvp.exec:\jvpvp.exe64⤵
- Executes dropped EXE
PID:1448 -
\??\c:\fxxrllf.exec:\fxxrllf.exe65⤵
- Executes dropped EXE
PID:2336 -
\??\c:\tbnbtn.exec:\tbnbtn.exe66⤵PID:4572
-
\??\c:\htbtnb.exec:\htbtnb.exe67⤵
- System Location Discovery: System Language Discovery
PID:3888 -
\??\c:\jdjdj.exec:\jdjdj.exe68⤵PID:1092
-
\??\c:\pjpjd.exec:\pjpjd.exe69⤵PID:3224
-
\??\c:\rxxxrxx.exec:\rxxxrxx.exe70⤵PID:2320
-
\??\c:\hbhbhh.exec:\hbhbhh.exe71⤵PID:4152
-
\??\c:\ntbthh.exec:\ntbthh.exe72⤵PID:5048
-
\??\c:\pppdd.exec:\pppdd.exe73⤵PID:2312
-
\??\c:\lfxrffx.exec:\lfxrffx.exe74⤵PID:4728
-
\??\c:\lllfrrf.exec:\lllfrrf.exe75⤵PID:896
-
\??\c:\tnnhbb.exec:\tnnhbb.exe76⤵PID:3612
-
\??\c:\thhbbb.exec:\thhbbb.exe77⤵PID:4508
-
\??\c:\dvddd.exec:\dvddd.exe78⤵PID:1768
-
\??\c:\dvjvp.exec:\dvjvp.exe79⤵PID:1624
-
\??\c:\1lfxlrf.exec:\1lfxlrf.exe80⤵PID:1668
-
\??\c:\xxxrllf.exec:\xxxrllf.exe81⤵PID:908
-
\??\c:\3hbbtb.exec:\3hbbtb.exe82⤵PID:3608
-
\??\c:\vjvpj.exec:\vjvpj.exe83⤵PID:2068
-
\??\c:\7llfffl.exec:\7llfffl.exe84⤵PID:2444
-
\??\c:\5bhtbt.exec:\5bhtbt.exe85⤵PID:1864
-
\??\c:\jvdpv.exec:\jvdpv.exe86⤵PID:2492
-
\??\c:\5llfxxr.exec:\5llfxxr.exe87⤵PID:3664
-
\??\c:\bhnhhb.exec:\bhnhhb.exe88⤵PID:2984
-
\??\c:\nhnhnh.exec:\nhnhnh.exe89⤵PID:1216
-
\??\c:\fxxrllf.exec:\fxxrllf.exe90⤵PID:404
-
\??\c:\llllffr.exec:\llllffr.exe91⤵PID:4300
-
\??\c:\3pppj.exec:\3pppj.exe92⤵PID:2820
-
\??\c:\jdjvp.exec:\jdjvp.exe93⤵PID:4204
-
\??\c:\xxrrxxl.exec:\xxrrxxl.exe94⤵PID:4460
-
\??\c:\tnnhbb.exec:\tnnhbb.exe95⤵PID:1880
-
\??\c:\thtttn.exec:\thtttn.exe96⤵PID:4796
-
\??\c:\tnnhhh.exec:\tnnhhh.exe97⤵PID:4332
-
\??\c:\jdddv.exec:\jdddv.exe98⤵PID:3532
-
\??\c:\rxxrrrx.exec:\rxxrrrx.exe99⤵PID:2208
-
\??\c:\9nttnn.exec:\9nttnn.exe100⤵PID:4772
-
\??\c:\ddvpp.exec:\ddvpp.exe101⤵PID:3928
-
\??\c:\pddvp.exec:\pddvp.exe102⤵PID:4028
-
\??\c:\fllfxrl.exec:\fllfxrl.exe103⤵PID:2744
-
\??\c:\hbnhhb.exec:\hbnhhb.exe104⤵PID:2596
-
\??\c:\pjjdp.exec:\pjjdp.exe105⤵PID:1176
-
\??\c:\3jdpp.exec:\3jdpp.exe106⤵PID:1544
-
\??\c:\xfffxrr.exec:\xfffxrr.exe107⤵PID:2828
-
\??\c:\hnhhbb.exec:\hnhhbb.exe108⤵PID:4084
-
\??\c:\dvpjv.exec:\dvpjv.exe109⤵PID:3032
-
\??\c:\5ppjv.exec:\5ppjv.exe110⤵PID:2800
-
\??\c:\lrxflrf.exec:\lrxflrf.exe111⤵PID:792
-
\??\c:\bnbbtn.exec:\bnbbtn.exe112⤵PID:532
-
\??\c:\7btnhn.exec:\7btnhn.exe113⤵PID:3680
-
\??\c:\5vvdp.exec:\5vvdp.exe114⤵PID:852
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe115⤵PID:2464
-
\??\c:\nthbnh.exec:\nthbnh.exe116⤵PID:1644
-
\??\c:\hbttbt.exec:\hbttbt.exe117⤵PID:2196
-
\??\c:\djjdd.exec:\djjdd.exe118⤵PID:4248
-
\??\c:\lfllffx.exec:\lfllffx.exe119⤵PID:1844
-
\??\c:\tnhhbb.exec:\tnhhbb.exe120⤵PID:2972
-
\??\c:\1bhhbh.exec:\1bhhbh.exe121⤵PID:4748
-
\??\c:\pvvpd.exec:\pvvpd.exe122⤵PID:1824