Analysis
-
max time kernel
120s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
20/08/2024, 07:46
Behavioral task
behavioral1
Sample
c0801a8866247be62713d55695809680N.exe
Resource
win7-20240704-en (note: the signatures, YARA hits and process tree reproduced below are tagged behavioral2 and come from the windows10-2004_x64 / win10v2004-20240802-en run listed under Analysis, not from this Windows 7 task)
6 signatures
120 seconds
General
-
Target
c0801a8866247be62713d55695809680N.exe
-
Size
46KB
-
MD5
c0801a8866247be62713d55695809680
-
SHA1
b85459a154f0f4328e0b188daa9dfa59f88bee47
-
SHA256
a17812242cbb8be51961b3ba1fce4b388e7ff5e8a3a89014bbff134978086b64
-
SHA512
1bd096175deb9574ba11cf7971ce2e11cd23c596827d8efa829deb1a5ae4d2f70f6ba11cf0bf2ed43cb8f3d7ac74c338fe7b7eeb4977fc29234a6ce30263a9ae
-
SSDEEP
768:RvQB0ESOGg1UrYShBbgrrMo98l4yOoBDqANhhY/4El6BhGUVTnbcuyD7UNxV0:RvQBeOGtrYS3srx93UBWfwC6Ggnouy8O
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs — every listed dump covers the same image range 0x400000-0x427000 in a different process, consistent with each dropped EXE being a further copy of the same 46KB payload; several PIDs (e.g. 4884, 3856, 1216, 868) appear more than once because they are reused after the earlier process exits, so match dumps on the PID-offset pair, not on PID alone
resource yara_rule behavioral2/memory/4640-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3856-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1216-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1772-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2052-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/916-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1072-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/448-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1880-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4100-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1272-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1324-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/528-482-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-486-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/868-598-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-638-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-672-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-682-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4720-701-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-735-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-994-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2844-1215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-1460-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2060-1513-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — each dropped executable is written to the root of C:\ (e.g. \??\c:\fxllffx.exe in the process tree below) with a short random-letter name and spawns the next one, so "executable created and launched from C:\ root by a non-installer" is a usable detection point for this chain
pid Process 3856 fxllffx.exe 4556 nnntnn.exe 2692 nnttbb.exe 2440 ffrfxlr.exe 1436 ffrlxxf.exe 2840 tbtnhb.exe 3960 pdvpj.exe 228 rflxxfx.exe 3904 xxlfflf.exe 732 httnhh.exe 4884 pjdvp.exe 2808 3pvpd.exe 1832 ffrlxxr.exe 3864 ntttnt.exe 1216 1tnthh.exe 868 vppjv.exe 3088 fflfflr.exe 4000 fxfrxxl.exe 4800 hhtnnn.exe 1996 pjvvp.exe 4072 djppd.exe 1772 xrlrlrl.exe 3444 xrxrrrx.exe 2376 ttnnbn.exe 2052 pvvpj.exe 3412 3xllxfx.exe 1364 xxrlfff.exe 3616 7nnnhh.exe 1552 vjvvv.exe 4576 ppjjd.exe 2000 xrlfflf.exe 1720 thhbbb.exe 3560 bhhhtb.exe 1012 pdddd.exe 3104 ffllxfl.exe 1008 rflrrxx.exe 3572 tbbbth.exe 5108 vpvpj.exe 3108 7vpjd.exe 4816 lxxrlff.exe 432 xlfxrrr.exe 4244 nbbbtt.exe 3056 tnnnhb.exe 4948 vvvjd.exe 916 xlxlfff.exe 3856 flrllfx.exe 2792 bhbbtt.exe 4628 btnhhh.exe 2568 vdpjd.exe 4040 jdvpj.exe 1072 dpdjd.exe 1620 frfxxxf.exe 2772 lxffxxx.exe 2272 tnttnn.exe 1616 pddpp.exe 2168 1ddvp.exe 4884 rlllffx.exe 4364 lrxrrxx.exe 3496 nhbbbt.exe 3860 bntnhh.exe 2136 1hhbbb.exe 448 jjpjj.exe 1216 5xxrxrr.exe 868 frllxxr.exe -
resource yara_rule behavioral2/memory/4640-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00090000000234ab-3.dat upx behavioral2/memory/4640-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234b3-8.dat upx behavioral2/files/0x00070000000234b4-13.dat upx behavioral2/memory/2692-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4556-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3856-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234b5-20.dat upx behavioral2/memory/2692-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2440-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234b6-26.dat upx behavioral2/files/0x00070000000234b7-32.dat upx behavioral2/memory/1436-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2840-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234b8-36.dat upx behavioral2/files/0x00070000000234b9-41.dat upx behavioral2/files/0x00070000000234ba-46.dat upx behavioral2/memory/228-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234bb-52.dat upx behavioral2/memory/3904-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234bc-59.dat upx behavioral2/memory/732-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4884-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234bd-66.dat upx behavioral2/files/0x00070000000234be-72.dat upx behavioral2/files/0x00070000000234bf-75.dat upx behavioral2/memory/1832-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c0-81.dat upx behavioral2/memory/3864-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c1-86.dat upx 
behavioral2/memory/1216-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c2-92.dat upx behavioral2/files/0x00070000000234c3-97.dat upx behavioral2/files/0x00070000000234c4-102.dat upx behavioral2/memory/4000-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c5-109.dat upx behavioral2/memory/4800-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c6-114.dat upx behavioral2/files/0x00070000000234c7-120.dat upx behavioral2/memory/4072-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c8-124.dat upx behavioral2/memory/1772-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3444-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234c9-130.dat upx behavioral2/files/0x00070000000234cb-136.dat upx behavioral2/memory/2376-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cc-144.dat upx behavioral2/memory/3412-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cd-150.dat upx behavioral2/memory/2052-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1364-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ce-154.dat upx behavioral2/files/0x00070000000234cf-160.dat upx behavioral2/files/0x00070000000234d0-167.dat upx behavioral2/memory/3616-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4576-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000234b0-173.dat upx behavioral2/files/0x00070000000234d1-178.dat upx behavioral2/memory/1720-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3560-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3104-194-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3108-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4244-217-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: reading \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language is also common in benign software, so this TTP is low-signal on its own and should be weighed together with the Blackmoon and dropped-EXE indicators above; entries attributed to "Process not Found" are IoCs whose originating process could not be resolved (presumably because it had already exited) and do not denote a separate process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
7jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each entry pairs a parent with the child it has just spawned (e.g. 4640 → 3856, matching the process tree below), so these writes accompany process creation along the drop chain and do not by themselves show injection into an unrelated process
description pid Process procid_target PID 4640 wrote to memory of 3856 4640 c0801a8866247be62713d55695809680N.exe 84 PID 4640 wrote to memory of 3856 4640 c0801a8866247be62713d55695809680N.exe 84 PID 4640 wrote to memory of 3856 4640 c0801a8866247be62713d55695809680N.exe 84 PID 3856 wrote to memory of 4556 3856 fxllffx.exe 85 PID 3856 wrote to memory of 4556 3856 fxllffx.exe 85 PID 3856 wrote to memory of 4556 3856 fxllffx.exe 85 PID 4556 wrote to memory of 2692 4556 nnntnn.exe 86 PID 4556 wrote to memory of 2692 4556 nnntnn.exe 86 PID 4556 wrote to memory of 2692 4556 nnntnn.exe 86 PID 2692 wrote to memory of 2440 2692 nnttbb.exe 87 PID 2692 wrote to memory of 2440 2692 nnttbb.exe 87 PID 2692 wrote to memory of 2440 2692 nnttbb.exe 87 PID 2440 wrote to memory of 1436 2440 ffrfxlr.exe 88 PID 2440 wrote to memory of 1436 2440 ffrfxlr.exe 88 PID 2440 wrote to memory of 1436 2440 ffrfxlr.exe 88 PID 1436 wrote to memory of 2840 1436 ffrlxxf.exe 89 PID 1436 wrote to memory of 2840 1436 ffrlxxf.exe 89 PID 1436 wrote to memory of 2840 1436 ffrlxxf.exe 89 PID 2840 wrote to memory of 3960 2840 tbtnhb.exe 90 PID 2840 wrote to memory of 3960 2840 tbtnhb.exe 90 PID 2840 wrote to memory of 3960 2840 tbtnhb.exe 90 PID 3960 wrote to memory of 228 3960 pdvpj.exe 91 PID 3960 wrote to memory of 228 3960 pdvpj.exe 91 PID 3960 wrote to memory of 228 3960 pdvpj.exe 91 PID 228 wrote to memory of 3904 228 rflxxfx.exe 92 PID 228 wrote to memory of 3904 228 rflxxfx.exe 92 PID 228 wrote to memory of 3904 228 rflxxfx.exe 92 PID 3904 wrote to memory of 732 3904 xxlfflf.exe 93 PID 3904 wrote to memory of 732 3904 xxlfflf.exe 93 PID 3904 wrote to memory of 732 3904 xxlfflf.exe 93 PID 732 wrote to memory of 4884 732 httnhh.exe 94 PID 732 wrote to memory of 4884 732 httnhh.exe 94 PID 732 wrote to memory of 4884 732 httnhh.exe 94 PID 4884 wrote to memory of 2808 4884 pjdvp.exe 95 PID 4884 wrote to memory of 2808 4884 pjdvp.exe 95 PID 4884 wrote to memory of 2808 4884 pjdvp.exe 95 PID 2808 wrote to 
memory of 1832 2808 3pvpd.exe 96 PID 2808 wrote to memory of 1832 2808 3pvpd.exe 96 PID 2808 wrote to memory of 1832 2808 3pvpd.exe 96 PID 1832 wrote to memory of 3864 1832 ffrlxxr.exe 97 PID 1832 wrote to memory of 3864 1832 ffrlxxr.exe 97 PID 1832 wrote to memory of 3864 1832 ffrlxxr.exe 97 PID 3864 wrote to memory of 1216 3864 ntttnt.exe 98 PID 3864 wrote to memory of 1216 3864 ntttnt.exe 98 PID 3864 wrote to memory of 1216 3864 ntttnt.exe 98 PID 1216 wrote to memory of 868 1216 1tnthh.exe 99 PID 1216 wrote to memory of 868 1216 1tnthh.exe 99 PID 1216 wrote to memory of 868 1216 1tnthh.exe 99 PID 868 wrote to memory of 3088 868 vppjv.exe 100 PID 868 wrote to memory of 3088 868 vppjv.exe 100 PID 868 wrote to memory of 3088 868 vppjv.exe 100 PID 3088 wrote to memory of 4000 3088 fflfflr.exe 101 PID 3088 wrote to memory of 4000 3088 fflfflr.exe 101 PID 3088 wrote to memory of 4000 3088 fflfflr.exe 101 PID 4000 wrote to memory of 4800 4000 fxfrxxl.exe 103 PID 4000 wrote to memory of 4800 4000 fxfrxxl.exe 103 PID 4000 wrote to memory of 4800 4000 fxfrxxl.exe 103 PID 4800 wrote to memory of 1996 4800 hhtnnn.exe 104 PID 4800 wrote to memory of 1996 4800 hhtnnn.exe 104 PID 4800 wrote to memory of 1996 4800 hhtnnn.exe 104 PID 1996 wrote to memory of 4072 1996 pjvvp.exe 105 PID 1996 wrote to memory of 4072 1996 pjvvp.exe 105 PID 1996 wrote to memory of 4072 1996 pjvvp.exe 105 PID 4072 wrote to memory of 1772 4072 djppd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0801a8866247be62713d55695809680N.exe"C:\Users\Admin\AppData\Local\Temp\c0801a8866247be62713d55695809680N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\fxllffx.exec:\fxllffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\nnntnn.exec:\nnntnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\nnttbb.exec:\nnttbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\ffrfxlr.exec:\ffrfxlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\ffrlxxf.exec:\ffrlxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\tbtnhb.exec:\tbtnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\pdvpj.exec:\pdvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\rflxxfx.exec:\rflxxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\xxlfflf.exec:\xxlfflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\httnhh.exec:\httnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\pjdvp.exec:\pjdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\3pvpd.exec:\3pvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\ffrlxxr.exec:\ffrlxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\ntttnt.exec:\ntttnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\1tnthh.exec:\1tnthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\vppjv.exec:\vppjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\fflfflr.exec:\fflfflr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\fxfrxxl.exec:\fxfrxxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\hhtnnn.exec:\hhtnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\pjvvp.exec:\pjvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\djppd.exec:\djppd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\xrlrlrl.exec:\xrlrlrl.exe23⤵
- Executes dropped EXE
PID:1772 -
\??\c:\xrxrrrx.exec:\xrxrrrx.exe24⤵
- Executes dropped EXE
PID:3444 -
\??\c:\ttnnbn.exec:\ttnnbn.exe25⤵
- Executes dropped EXE
PID:2376 -
\??\c:\pvvpj.exec:\pvvpj.exe26⤵
- Executes dropped EXE
PID:2052 -
\??\c:\3xllxfx.exec:\3xllxfx.exe27⤵
- Executes dropped EXE
PID:3412 -
\??\c:\xxrlfff.exec:\xxrlfff.exe28⤵
- Executes dropped EXE
PID:1364 -
\??\c:\7nnnhh.exec:\7nnnhh.exe29⤵
- Executes dropped EXE
PID:3616 -
\??\c:\vjvvv.exec:\vjvvv.exe30⤵
- Executes dropped EXE
PID:1552 -
\??\c:\ppjjd.exec:\ppjjd.exe31⤵
- Executes dropped EXE
PID:4576 -
\??\c:\xrlfflf.exec:\xrlfflf.exe32⤵
- Executes dropped EXE
PID:2000 -
\??\c:\thhbbb.exec:\thhbbb.exe33⤵
- Executes dropped EXE
PID:1720 -
\??\c:\bhhhtb.exec:\bhhhtb.exe34⤵
- Executes dropped EXE
PID:3560 -
\??\c:\pdddd.exec:\pdddd.exe35⤵
- Executes dropped EXE
PID:1012 -
\??\c:\ffllxfl.exec:\ffllxfl.exe36⤵
- Executes dropped EXE
PID:3104 -
\??\c:\rflrrxx.exec:\rflrrxx.exe37⤵
- Executes dropped EXE
PID:1008 -
\??\c:\tbbbth.exec:\tbbbth.exe38⤵
- Executes dropped EXE
PID:3572 -
\??\c:\vpvpj.exec:\vpvpj.exe39⤵
- Executes dropped EXE
PID:5108 -
\??\c:\7vpjd.exec:\7vpjd.exe40⤵
- Executes dropped EXE
PID:3108 -
\??\c:\lxxrlff.exec:\lxxrlff.exe41⤵
- Executes dropped EXE
PID:4816 -
\??\c:\xlfxrrr.exec:\xlfxrrr.exe42⤵
- Executes dropped EXE
PID:432 -
\??\c:\nbbbtt.exec:\nbbbtt.exe43⤵
- Executes dropped EXE
PID:4244 -
\??\c:\tnnnhb.exec:\tnnnhb.exe44⤵
- Executes dropped EXE
PID:3056 -
\??\c:\vvvjd.exec:\vvvjd.exe45⤵
- Executes dropped EXE
PID:4948 -
\??\c:\xlxlfff.exec:\xlxlfff.exe46⤵
- Executes dropped EXE
PID:916 -
\??\c:\flrllfx.exec:\flrllfx.exe47⤵
- Executes dropped EXE
PID:3856 -
\??\c:\bhbbtt.exec:\bhbbtt.exe48⤵
- Executes dropped EXE
PID:2792 -
\??\c:\btnhhh.exec:\btnhhh.exe49⤵
- Executes dropped EXE
PID:4628 -
\??\c:\vdpjd.exec:\vdpjd.exe50⤵
- Executes dropped EXE
PID:2568 -
\??\c:\jdvpj.exec:\jdvpj.exe51⤵
- Executes dropped EXE
PID:4040 -
\??\c:\dpdjd.exec:\dpdjd.exe52⤵
- Executes dropped EXE
PID:1072 -
\??\c:\frfxxxf.exec:\frfxxxf.exe53⤵
- Executes dropped EXE
PID:1620 -
\??\c:\lxffxxx.exec:\lxffxxx.exe54⤵
- Executes dropped EXE
PID:2772 -
\??\c:\tnttnn.exec:\tnttnn.exe55⤵
- Executes dropped EXE
PID:2272 -
\??\c:\pddpp.exec:\pddpp.exe56⤵
- Executes dropped EXE
PID:1616 -
\??\c:\1ddvp.exec:\1ddvp.exe57⤵
- Executes dropped EXE
PID:2168 -
\??\c:\rlllffx.exec:\rlllffx.exe58⤵
- Executes dropped EXE
PID:4884 -
\??\c:\lrxrrxx.exec:\lrxrrxx.exe59⤵
- Executes dropped EXE
PID:4364 -
\??\c:\nhbbbt.exec:\nhbbbt.exe60⤵
- Executes dropped EXE
PID:3496 -
\??\c:\bntnhh.exec:\bntnhh.exe61⤵
- Executes dropped EXE
PID:3860 -
\??\c:\1hhbbb.exec:\1hhbbb.exe62⤵
- Executes dropped EXE
PID:2136 -
\??\c:\jjpjj.exec:\jjpjj.exe63⤵
- Executes dropped EXE
PID:448 -
\??\c:\5xxrxrr.exec:\5xxrxrr.exe64⤵
- Executes dropped EXE
PID:1216 -
\??\c:\frllxxr.exec:\frllxxr.exe65⤵
- Executes dropped EXE
PID:868 -
\??\c:\7nttbb.exec:\7nttbb.exe66⤵PID:4180
-
\??\c:\nhbthh.exec:\nhbthh.exe67⤵PID:1668
-
\??\c:\vpjdv.exec:\vpjdv.exe68⤵PID:2548
-
\??\c:\jjpjv.exec:\jjpjv.exe69⤵PID:4728
-
\??\c:\xlrlflf.exec:\xlrlflf.exe70⤵PID:2560
-
\??\c:\1rfxxxx.exec:\1rfxxxx.exe71⤵PID:3712
-
\??\c:\thbtnn.exec:\thbtnn.exe72⤵PID:1772
-
\??\c:\tthhtt.exec:\tthhtt.exe73⤵PID:2308
-
\??\c:\ddjvv.exec:\ddjvv.exe74⤵PID:3028
-
\??\c:\pvjdv.exec:\pvjdv.exe75⤵PID:2360
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe76⤵PID:1496
-
\??\c:\frffxxx.exec:\frffxxx.exe77⤵PID:3412
-
\??\c:\hbbbbb.exec:\hbbbbb.exe78⤵PID:1364
-
\??\c:\3bbthh.exec:\3bbthh.exe79⤵PID:1972
-
\??\c:\nhnhhh.exec:\nhnhhh.exe80⤵PID:1604
-
\??\c:\vpjdv.exec:\vpjdv.exe81⤵PID:2404
-
\??\c:\jdddj.exec:\jdddj.exe82⤵PID:4400
-
\??\c:\flrlxxl.exec:\flrlxxl.exe83⤵PID:4256
-
\??\c:\fxxxrrl.exec:\fxxxrrl.exe84⤵PID:1924
-
\??\c:\nntttt.exec:\nntttt.exe85⤵PID:4764
-
\??\c:\bbhnbh.exec:\bbhnbh.exe86⤵PID:1880
-
\??\c:\jjdvp.exec:\jjdvp.exe87⤵PID:3692
-
\??\c:\jpdvj.exec:\jpdvj.exe88⤵PID:4548
-
\??\c:\lxxrlff.exec:\lxxrlff.exe89⤵PID:2112
-
\??\c:\rrrrrxr.exec:\rrrrrxr.exe90⤵PID:3144
-
\??\c:\nhttbn.exec:\nhttbn.exe91⤵PID:2236
-
\??\c:\lxlfffx.exec:\lxlfffx.exe92⤵PID:3952
-
\??\c:\xxfxxrr.exec:\xxfxxrr.exe93⤵PID:4100
-
\??\c:\nnbbtn.exec:\nnbbtn.exe94⤵PID:1272
-
\??\c:\ttbtnn.exec:\ttbtnn.exe95⤵PID:1324
-
\??\c:\pvdjv.exec:\pvdjv.exe96⤵PID:460
-
\??\c:\9lxrrrr.exec:\9lxrrrr.exe97⤵PID:2268
-
\??\c:\7fxxxxr.exec:\7fxxxxr.exe98⤵PID:1588
-
\??\c:\nhthbb.exec:\nhthbb.exe99⤵
- System Location Discovery: System Language Discovery
PID:916 -
\??\c:\jppjv.exec:\jppjv.exe100⤵PID:2832
-
\??\c:\djjdp.exec:\djjdp.exe101⤵PID:1556
-
\??\c:\xflflfx.exec:\xflflfx.exe102⤵PID:116
-
\??\c:\nhhhbn.exec:\nhhhbn.exe103⤵PID:4040
-
\??\c:\bbnnhh.exec:\bbnnhh.exe104⤵PID:1072
-
\??\c:\jjdpj.exec:\jjdpj.exe105⤵PID:2216
-
\??\c:\pvvpj.exec:\pvvpj.exe106⤵PID:4644
-
\??\c:\flrllff.exec:\flrllff.exe107⤵PID:732
-
\??\c:\frfxfff.exec:\frfxfff.exe108⤵PID:1624
-
\??\c:\bbbbtn.exec:\bbbbtn.exe109⤵PID:4824
-
\??\c:\7hnhbb.exec:\7hnhbb.exe110⤵PID:3740
-
\??\c:\ppjjv.exec:\ppjjv.exe111⤵PID:2332
-
\??\c:\9pjjv.exec:\9pjjv.exe112⤵PID:3864
-
\??\c:\frlfrrx.exec:\frlfrrx.exe113⤵PID:1408
-
\??\c:\9lrlffx.exec:\9lrlffx.exe114⤵PID:2948
-
\??\c:\nthhnn.exec:\nthhnn.exe115⤵
- System Location Discovery: System Language Discovery
PID:744 -
\??\c:\tbtnhh.exec:\tbtnhh.exe116⤵PID:3892
-
\??\c:\vvdvj.exec:\vvdvj.exe117⤵PID:4652
-
\??\c:\ddvpp.exec:\ddvpp.exe118⤵PID:4480
-
\??\c:\lrrlxxf.exec:\lrrlxxf.exe119⤵PID:4604
-
\??\c:\3bnhtt.exec:\3bnhtt.exe120⤵PID:1996
-
\??\c:\ntbbhh.exec:\ntbbhh.exe121⤵PID:1768
-
\??\c:\dvdvp.exec:\dvdvp.exe122⤵PID:4016