Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 02:03
Static task
static1
Behavioral task
behavioral1
Sample
969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe
Resource
win7-20241010-en
General
-
Target
969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe
-
Size
337KB
-
MD5
38e3f2dc1c787ea2f0dd506ced55f71f
-
SHA1
2ddaaba255f14d8f362a6e07c9d3f28dd1f22fc0
-
SHA256
969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25
-
SHA512
9543608ccf5f237837deca17107996ab243115b9cd01ff0878735cafb362e35f682876530e7613b9c5a6631d875dc15e60925bc07a973699ccefa87f723f9f6d
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhR:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1088-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1280-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4396-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3136 lffffff.exe 4060 lrfxrfx.exe 3708 tnhbnn.exe 3592 5hhbnt.exe 4852 jjddp.exe 2560 lxfxrrr.exe 1896 bnnnhh.exe 1116 7dvdv.exe 1600 ppvpj.exe 3916 3xxrllx.exe 4788 nhnhbb.exe 1472 btbthh.exe 2800 jddjv.exe 2944 7rfrfrl.exe 4124 hnttnn.exe 800 7ntnnn.exe 3500 jjjjj.exe 5052 jdjdd.exe 2516 fxxfrrr.exe 2480 nbbbtt.exe 3088 hhtttt.exe 1620 rxxrrrl.exe 4908 rffxrrl.exe 3648 7btnnt.exe 1340 jppjj.exe 3388 xrxrrrx.exe 4584 bbtbht.exe 4120 pjjdv.exe 4948 jdpjp.exe 4844 xrfxrll.exe 4556 rllllrl.exe 4780 3hnnhh.exe 876 1jpjv.exe 4396 7rrrflf.exe 1576 7frrllr.exe 4632 tnttnn.exe 1636 nthbth.exe 1932 pjdvp.exe 464 rlffxxx.exe 3764 hbnhhh.exe 1240 hntbhn.exe 2140 jvjvv.exe 4956 djpdp.exe 1068 3flfxxf.exe 548 ffrflxx.exe 452 ntnbtt.exe 2092 dvdvp.exe 4340 fflfxlf.exe 768 lfrrlfx.exe 2268 9bhbbb.exe 1724 hbbnhb.exe 2824 jpdvv.exe 4852 ddjjj.exe 4776 7rxrrrl.exe 1896 tbnnhh.exe 3436 thhbtt.exe 1136 vpjpv.exe 1660 jddvj.exe 3016 fffrrxx.exe 3812 nhnbtt.exe 4576 nthhtt.exe 3880 pppjd.exe 3060 dvvjv.exe 1012 xrfxxxx.exe -
resource yara_rule behavioral2/memory/1088-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-694-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3136-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-196-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4780-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-60-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1088 wrote to memory of 3136 1088 969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe 83 PID 1088 wrote to memory of 3136 1088 969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe 83 PID 1088 wrote to memory of 3136 1088 969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe 83 PID 3136 wrote to memory of 4060 3136 lffffff.exe 84 PID 3136 wrote to memory of 4060 3136 lffffff.exe 84 PID 3136 wrote to memory of 4060 3136 lffffff.exe 84 PID 4060 wrote to memory of 3708 4060 lrfxrfx.exe 85 PID 4060 wrote to memory of 3708 4060 lrfxrfx.exe 85 PID 4060 wrote to memory of 3708 4060 lrfxrfx.exe 85 PID 3708 wrote to memory of 3592 3708 tnhbnn.exe 86 PID 3708 wrote to memory of 3592 3708 tnhbnn.exe 86 PID 3708 wrote to memory of 3592 3708 tnhbnn.exe 86 PID 3592 wrote to memory of 4852 3592 5hhbnt.exe 135 PID 3592 wrote to memory of 4852 3592 5hhbnt.exe 135 PID 3592 wrote to memory of 4852 3592 5hhbnt.exe 135 PID 4852 wrote to memory of 2560 4852 jjddp.exe 262 PID 4852 wrote to memory of 2560 4852 jjddp.exe 262 PID 4852 wrote to memory of 2560 4852 jjddp.exe 262 PID 2560 wrote to memory of 1896 2560 lxfxrrr.exe 89 PID 2560 wrote to memory of 1896 2560 lxfxrrr.exe 89 PID 2560 wrote to memory of 1896 2560 lxfxrrr.exe 89 PID 1896 wrote to memory of 1116 1896 bnnnhh.exe 90 PID 1896 wrote to memory of 1116 1896 bnnnhh.exe 90 PID 1896 wrote to memory of 1116 1896 bnnnhh.exe 90 PID 1116 wrote to memory of 1600 1116 7dvdv.exe 268 PID 1116 wrote to memory of 1600 1116 7dvdv.exe 268 PID 1116 wrote to memory of 1600 1116 7dvdv.exe 268 PID 1600 wrote to memory of 3916 1600 ppvpj.exe 92 PID 1600 wrote to memory of 3916 1600 ppvpj.exe 92 PID 1600 wrote to memory of 3916 1600 ppvpj.exe 92 PID 3916 wrote to memory of 4788 3916 3xxrllx.exe 93 PID 3916 wrote to memory of 4788 3916 3xxrllx.exe 93 PID 3916 wrote to memory of 4788 3916 3xxrllx.exe 93 PID 4788 wrote to memory of 1472 4788 nhnhbb.exe 94 PID 
4788 wrote to memory of 1472 4788 nhnhbb.exe 94 PID 4788 wrote to memory of 1472 4788 nhnhbb.exe 94 PID 1472 wrote to memory of 2800 1472 btbthh.exe 95 PID 1472 wrote to memory of 2800 1472 btbthh.exe 95 PID 1472 wrote to memory of 2800 1472 btbthh.exe 95 PID 2800 wrote to memory of 2944 2800 jddjv.exe 96 PID 2800 wrote to memory of 2944 2800 jddjv.exe 96 PID 2800 wrote to memory of 2944 2800 jddjv.exe 96 PID 2944 wrote to memory of 4124 2944 7rfrfrl.exe 97 PID 2944 wrote to memory of 4124 2944 7rfrfrl.exe 97 PID 2944 wrote to memory of 4124 2944 7rfrfrl.exe 97 PID 4124 wrote to memory of 800 4124 hnttnn.exe 98 PID 4124 wrote to memory of 800 4124 hnttnn.exe 98 PID 4124 wrote to memory of 800 4124 hnttnn.exe 98 PID 800 wrote to memory of 3500 800 7ntnnn.exe 99 PID 800 wrote to memory of 3500 800 7ntnnn.exe 99 PID 800 wrote to memory of 3500 800 7ntnnn.exe 99 PID 3500 wrote to memory of 5052 3500 jjjjj.exe 100 PID 3500 wrote to memory of 5052 3500 jjjjj.exe 100 PID 3500 wrote to memory of 5052 3500 jjjjj.exe 100 PID 5052 wrote to memory of 2516 5052 jdjdd.exe 101 PID 5052 wrote to memory of 2516 5052 jdjdd.exe 101 PID 5052 wrote to memory of 2516 5052 jdjdd.exe 101 PID 2516 wrote to memory of 2480 2516 fxxfrrr.exe 102 PID 2516 wrote to memory of 2480 2516 fxxfrrr.exe 102 PID 2516 wrote to memory of 2480 2516 fxxfrrr.exe 102 PID 2480 wrote to memory of 3088 2480 nbbbtt.exe 103 PID 2480 wrote to memory of 3088 2480 nbbbtt.exe 103 PID 2480 wrote to memory of 3088 2480 nbbbtt.exe 103 PID 3088 wrote to memory of 1620 3088 hhtttt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe"C:\Users\Admin\AppData\Local\Temp\969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\lffffff.exec:\lffffff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\lrfxrfx.exec:\lrfxrfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\tnhbnn.exec:\tnhbnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\5hhbnt.exec:\5hhbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\jjddp.exec:\jjddp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\bnnnhh.exec:\bnnnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\7dvdv.exec:\7dvdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\ppvpj.exec:\ppvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\3xxrllx.exec:\3xxrllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\nhnhbb.exec:\nhnhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\btbthh.exec:\btbthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\jddjv.exec:\jddjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\7rfrfrl.exec:\7rfrfrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\hnttnn.exec:\hnttnn.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\7ntnnn.exec:\7ntnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\jjjjj.exec:\jjjjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\jdjdd.exec:\jdjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\fxxfrrr.exec:\fxxfrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\nbbbtt.exec:\nbbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\hhtttt.exec:\hhtttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\rxxrrrl.exec:\rxxrrrl.exe23⤵
- Executes dropped EXE
PID:1620 -
\??\c:\rffxrrl.exec:\rffxrrl.exe24⤵
- Executes dropped EXE
PID:4908 -
\??\c:\7btnnt.exec:\7btnnt.exe25⤵
- Executes dropped EXE
PID:3648 -
\??\c:\jppjj.exec:\jppjj.exe26⤵
- Executes dropped EXE
PID:1340 -
\??\c:\xrxrrrx.exec:\xrxrrrx.exe27⤵
- Executes dropped EXE
PID:3388 -
\??\c:\bbtbht.exec:\bbtbht.exe28⤵
- Executes dropped EXE
PID:4584 -
\??\c:\pjjdv.exec:\pjjdv.exe29⤵
- Executes dropped EXE
PID:4120 -
\??\c:\jdpjp.exec:\jdpjp.exe30⤵
- Executes dropped EXE
PID:4948 -
\??\c:\xrfxrll.exec:\xrfxrll.exe31⤵
- Executes dropped EXE
PID:4844 -
\??\c:\rllllrl.exec:\rllllrl.exe32⤵
- Executes dropped EXE
PID:4556 -
\??\c:\3hnnhh.exec:\3hnnhh.exe33⤵
- Executes dropped EXE
PID:4780 -
\??\c:\1jpjv.exec:\1jpjv.exe34⤵
- Executes dropped EXE
PID:876 -
\??\c:\7rrrflf.exec:\7rrrflf.exe35⤵
- Executes dropped EXE
PID:4396 -
\??\c:\7frrllr.exec:\7frrllr.exe36⤵
- Executes dropped EXE
PID:1576 -
\??\c:\tnttnn.exec:\tnttnn.exe37⤵
- Executes dropped EXE
PID:4632 -
\??\c:\nthbth.exec:\nthbth.exe38⤵
- Executes dropped EXE
PID:1636 -
\??\c:\pjdvp.exec:\pjdvp.exe39⤵
- Executes dropped EXE
PID:1932 -
\??\c:\rlffxxx.exec:\rlffxxx.exe40⤵
- Executes dropped EXE
PID:464 -
\??\c:\hbnhhh.exec:\hbnhhh.exe41⤵
- Executes dropped EXE
PID:3764 -
\??\c:\hntbhn.exec:\hntbhn.exe42⤵
- Executes dropped EXE
PID:1240 -
\??\c:\jvjvv.exec:\jvjvv.exe43⤵
- Executes dropped EXE
PID:2140 -
\??\c:\djpdp.exec:\djpdp.exe44⤵
- Executes dropped EXE
PID:4956 -
\??\c:\3flfxxf.exec:\3flfxxf.exe45⤵
- Executes dropped EXE
PID:1068 -
\??\c:\ffrflxx.exec:\ffrflxx.exe46⤵
- Executes dropped EXE
PID:548 -
\??\c:\ntnbtt.exec:\ntnbtt.exe47⤵
- Executes dropped EXE
PID:452 -
\??\c:\dvdvp.exec:\dvdvp.exe48⤵
- Executes dropped EXE
PID:2092 -
\??\c:\fflfxlf.exec:\fflfxlf.exe49⤵
- Executes dropped EXE
PID:4340 -
\??\c:\lfrrlfx.exec:\lfrrlfx.exe50⤵
- Executes dropped EXE
PID:768 -
\??\c:\9bhbbb.exec:\9bhbbb.exe51⤵
- Executes dropped EXE
PID:2268 -
\??\c:\hbbnhb.exec:\hbbnhb.exe52⤵
- Executes dropped EXE
PID:1724 -
\??\c:\jpdvv.exec:\jpdvv.exe53⤵
- Executes dropped EXE
PID:2824 -
\??\c:\ddjjj.exec:\ddjjj.exe54⤵
- Executes dropped EXE
PID:4852 -
\??\c:\7rxrrrl.exec:\7rxrrrl.exe55⤵
- Executes dropped EXE
PID:4776 -
\??\c:\tbnnhh.exec:\tbnnhh.exe56⤵
- Executes dropped EXE
PID:1896 -
\??\c:\thhbtt.exec:\thhbtt.exe57⤵
- Executes dropped EXE
PID:3436 -
\??\c:\vpjpv.exec:\vpjpv.exe58⤵
- Executes dropped EXE
PID:1136 -
\??\c:\jddvj.exec:\jddvj.exe59⤵
- Executes dropped EXE
PID:1660 -
\??\c:\fffrrxx.exec:\fffrrxx.exe60⤵
- Executes dropped EXE
PID:3016 -
\??\c:\nhnbtt.exec:\nhnbtt.exe61⤵
- Executes dropped EXE
PID:3812 -
\??\c:\nthhtt.exec:\nthhtt.exe62⤵
- Executes dropped EXE
PID:4576 -
\??\c:\pppjd.exec:\pppjd.exe63⤵
- Executes dropped EXE
PID:3880 -
\??\c:\dvvjv.exec:\dvvjv.exe64⤵
- Executes dropped EXE
PID:3060 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe65⤵
- Executes dropped EXE
PID:1012 -
\??\c:\rfxrrrx.exec:\rfxrrrx.exe66⤵PID:2652
-
\??\c:\htbtnn.exec:\htbtnn.exe67⤵PID:4124
-
\??\c:\7ddvv.exec:\7ddvv.exe68⤵PID:3872
-
\??\c:\3pjvd.exec:\3pjvd.exe69⤵PID:1040
-
\??\c:\xffxrrl.exec:\xffxrrl.exe70⤵PID:3376
-
\??\c:\llxlxlx.exec:\llxlxlx.exe71⤵PID:4404
-
\??\c:\nhhbtt.exec:\nhhbtt.exe72⤵PID:4196
-
\??\c:\9btthh.exec:\9btthh.exe73⤵PID:2292
-
\??\c:\jddvp.exec:\jddvp.exe74⤵PID:4748
-
\??\c:\jpjdd.exec:\jpjdd.exe75⤵PID:3612
-
\??\c:\rlrrrrx.exec:\rlrrrrx.exe76⤵PID:1336
-
\??\c:\lfxlllf.exec:\lfxlllf.exe77⤵PID:3944
-
\??\c:\tbhtnh.exec:\tbhtnh.exe78⤵PID:2608
-
\??\c:\5tnhbb.exec:\5tnhbb.exe79⤵PID:3940
-
\??\c:\jvddp.exec:\jvddp.exe80⤵PID:692
-
\??\c:\vvjpj.exec:\vvjpj.exe81⤵PID:1340
-
\??\c:\lfllrlr.exec:\lfllrlr.exe82⤵PID:4084
-
\??\c:\rlffxxr.exec:\rlffxxr.exe83⤵PID:640
-
\??\c:\7thbnt.exec:\7thbnt.exe84⤵PID:3564
-
\??\c:\nnnhbb.exec:\nnnhbb.exe85⤵PID:3984
-
\??\c:\1pvpd.exec:\1pvpd.exe86⤵PID:3292
-
\??\c:\vpvvj.exec:\vpvvj.exe87⤵PID:832
-
\??\c:\5rxrllf.exec:\5rxrllf.exe88⤵PID:3780
-
\??\c:\1frlfxr.exec:\1frlfxr.exe89⤵PID:4556
-
\??\c:\bnbtnh.exec:\bnbtnh.exe90⤵PID:2556
-
\??\c:\vjjdv.exec:\vjjdv.exe91⤵PID:2336
-
\??\c:\jppjj.exec:\jppjj.exe92⤵PID:3684
-
\??\c:\ppddv.exec:\ppddv.exe93⤵PID:5040
-
\??\c:\fxfrllf.exec:\fxfrllf.exe94⤵PID:1864
-
\??\c:\flfxffr.exec:\flfxffr.exe95⤵PID:4632
-
\??\c:\hhhhbb.exec:\hhhhbb.exe96⤵PID:432
-
\??\c:\nhhbhh.exec:\nhhbhh.exe97⤵PID:1528
-
\??\c:\dddvp.exec:\dddvp.exe98⤵PID:1932
-
\??\c:\5djdd.exec:\5djdd.exe99⤵PID:2404
-
\??\c:\xxlflfr.exec:\xxlflfr.exe100⤵PID:1376
-
\??\c:\fxxfxrf.exec:\fxxfxrf.exe101⤵PID:3676
-
\??\c:\tbthbn.exec:\tbthbn.exe102⤵PID:532
-
\??\c:\jdpjd.exec:\jdpjd.exe103⤵PID:2140
-
\??\c:\pjjjd.exec:\pjjjd.exe104⤵PID:4676
-
\??\c:\xxxrrxl.exec:\xxxrrxl.exe105⤵PID:4624
-
\??\c:\lfxrlff.exec:\lfxrlff.exe106⤵PID:1068
-
\??\c:\5tnnbh.exec:\5tnnbh.exe107⤵PID:4252
-
\??\c:\nnnhhn.exec:\nnnhhn.exe108⤵PID:2000
-
\??\c:\vpppj.exec:\vpppj.exe109⤵PID:4620
-
\??\c:\djvvp.exec:\djvvp.exe110⤵PID:4532
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe111⤵PID:2896
-
\??\c:\xllflxl.exec:\xllflxl.exe112⤵PID:3044
-
\??\c:\hhtnbb.exec:\hhtnbb.exe113⤵PID:4868
-
\??\c:\9jdvj.exec:\9jdvj.exe114⤵PID:2936
-
\??\c:\3pvpv.exec:\3pvpv.exe115⤵PID:724
-
\??\c:\fflfxxr.exec:\fflfxxr.exe116⤵PID:508
-
\??\c:\xrrrlll.exec:\xrrrlll.exe117⤵PID:3980
-
\??\c:\thnnnb.exec:\thnnnb.exe118⤵PID:1120
-
\??\c:\hbtntn.exec:\hbtntn.exe119⤵PID:1116
-
\??\c:\dpjjd.exec:\dpjjd.exe120⤵PID:388
-
\??\c:\1pvvv.exec:\1pvvv.exe121⤵PID:1280
-
\??\c:\xrffllx.exec:\xrffllx.exe122⤵PID:864