Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22-11-2024 18:16
Behavioral task
behavioral1
Sample
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe
Resource
win7-20241010-en (note: this behavioral1 entry names the Windows 7 resource, while the analysis header above names win10v2004-20241007-en and every YARA/memory IoC below is labelled behavioral2; the data shown on this page comes from the Windows 10 run, not from this Windows 7 task)
General
-
Target
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe
-
Size
61KB
-
MD5
a9b1f3ca5d3acddd7dde1424ac09bcfe
-
SHA1
8276bd88b686c54884ef5e9a5ae5dd132be0ef4b
-
SHA256
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38
-
SHA512
1f0c7e05152f929b79ae6475cba2b3de35df58d4d411ac84c27fc39ba5f442fd53326b207fb1d6174fbcbf7ec59547829d64c752b9de8b56f98717e103cec02a
-
SSDEEP
1536:kvQBeOGtrYS3srx93UBWfwC6Ggnouy8p5yAXNlIQldWAw:khOmTsF93UYfwC6GIoutpYcvldWAw
Malware Config (no extracted configuration — e.g. C2 addresses — is shown on this page)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs. The YARA rule family_blackmoon matched only memory dumps (the 0x0000000000400000–0x0000000000427000 image of the sample and of each dropped executable), never a file on disk; the upx rule in the next section matched both the dropped .dat files and the same memory regions. The family verdict therefore rests on the unpacked in-memory image, so file-based scanning of the 61KB dropped binaries would not be expected to reproduce it.
Processes:
resource yara_rule behavioral2/memory/4596-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4160-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3912-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1404-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2708-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3160-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1492-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2924-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1272-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4476-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2460-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1680-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3080-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2016-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2916-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/544-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2496-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2444-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3272-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2684-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2528-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-458-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-483-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-599-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-631-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-641-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-681-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-808-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/428-834-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4168-1147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-1257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2644-1607-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing stops at 64 entries although the process tree below continues well past that point). Each dropped executable is written to the root of C:\ under a short pseudo-random name built from the letters b/d/f/h/j/l/n/p/r/t/v/x, sometimes with a leading odd digit, and launches the next one, forming a chain 122 levels deep in the visible tree.
Processes:
ffxfxxf.exetnnttb.exevvdjv.exelfxfrxf.exe7bhhhn.exevvpjd.exelxrxrxx.exetbttbb.exedpjjd.exefrllfxx.exehntbhn.exe3ppdv.exepdpdp.exefrxrrrf.exetbbnnb.exejjjpd.exerlxxxrl.exenbbhtb.exejdpvj.exetntbnn.exevvpjd.exebnnnbn.exedpdvv.exeffllffl.exenhtbnh.exejvvpj.exedvdjd.exerfllxfr.exethhhhh.exe3lrrrrr.exedvddv.exeddjdp.exe5lxrxfx.exelffffff.exenthhbh.exepjvvp.exerffxrfx.exexrfxxxx.exeddpdv.exelxfxrrr.exebtbbtt.exevjdvp.exehtbtnn.exenbthbb.exedpjpp.exejpjvv.exeffllfff.exe7nnnnn.exe3vvvp.exeffffxll.exefrlrrfx.exerrxxrxr.exethhtnb.exedpppp.exevvpjp.exexrllrxr.exehhbhbb.exe9vddv.exedvddv.exe1lxxffr.exehttbtb.exehntbtt.exejppjj.exe1fllfff.exepid Process 2316 ffxfxxf.exe 3656 tnnttb.exe 1748 vvdjv.exe 4768 lfxfrxf.exe 3916 7bhhhn.exe 5032 vvpjd.exe 2720 lxrxrxx.exe 4160 tbttbb.exe 4444 dpjjd.exe 2008 frllfxx.exe 3912 hntbhn.exe 1404 3ppdv.exe 2440 pdpdp.exe 4496 frxrrrf.exe 2600 tbbnnb.exe 5024 jjjpd.exe 2708 rlxxxrl.exe 216 nbbhtb.exe 3160 jdpvj.exe 2824 tntbnn.exe 1900 vvpjd.exe 1492 bnnnbn.exe 2704 dpdvv.exe 3988 ffllffl.exe 2236 nhtbnh.exe 4260 jvvpj.exe 4396 dvdjd.exe 2068 rfllxfr.exe 2924 thhhhh.exe 1272 3lrrrrr.exe 1520 dvddv.exe 2020 ddjdp.exe 4052 5lxrxfx.exe 4088 lffffff.exe 4476 nthhbh.exe 2460 pjvvp.exe 3352 rffxrfx.exe 1680 xrfxxxx.exe 4188 ddpdv.exe 1820 lxfxrrr.exe 2732 btbbtt.exe 4540 vjdvp.exe 2664 htbtnn.exe 3572 nbthbb.exe 3080 dpjpp.exe 2016 jpjvv.exe 2868 ffllfff.exe 4516 7nnnnn.exe 4820 3vvvp.exe 4388 ffffxll.exe 2916 frlrrfx.exe 2672 rrxxrxr.exe 2316 thhtnb.exe 1908 dpppp.exe 4984 vvpjp.exe 544 xrllrxr.exe 4124 hhbhbb.exe 3664 9vddv.exe 2552 dvddv.exe 5032 1lxxffr.exe 2496 httbtb.exe 4224 hntbtt.exe 5028 jppjj.exe 4444 1fllfff.exe -
Processes (this section's signature heading is missing from the page; the rule that matched is `upx`, on both the dropped files and the mapped 0x0000000000400000–0x0000000000427000 images, i.e. the sample and its drops are UPX-packed):
resource yara_rule behavioral2/memory/4596-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c1e-3.dat upx behavioral2/memory/4596-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c98-9.dat upx behavioral2/memory/2316-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-13.dat upx behavioral2/memory/3656-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-23.dat upx behavioral2/memory/1748-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4768-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-29.dat upx behavioral2/files/0x0007000000023caf-33.dat upx behavioral2/memory/5032-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-39.dat upx behavioral2/memory/5032-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-44.dat upx behavioral2/memory/2720-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-50.dat upx behavioral2/memory/4160-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-56.dat upx behavioral2/memory/4444-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-62.dat upx behavioral2/memory/2008-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-68.dat upx behavioral2/memory/3912-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1404-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-74.dat upx behavioral2/files/0x0007000000023cb7-80.dat upx behavioral2/memory/2440-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-86.dat upx behavioral2/files/0x0007000000023cb9-91.dat upx 
behavioral2/memory/5024-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2600-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-98.dat upx behavioral2/memory/5024-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-104.dat upx behavioral2/memory/2708-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-110.dat upx behavioral2/memory/216-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-116.dat upx behavioral2/memory/3160-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-123.dat upx behavioral2/files/0x000a000000023c9f-127.dat upx behavioral2/memory/1492-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-134.dat upx behavioral2/files/0x0007000000023cbf-141.dat upx behavioral2/memory/2704-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-145.dat upx behavioral2/files/0x0007000000023cc2-150.dat upx behavioral2/files/0x0007000000023cc3-154.dat upx behavioral2/memory/4260-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-160.dat upx behavioral2/files/0x0007000000023cc5-167.dat upx behavioral2/memory/2924-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-172.dat upx behavioral2/memory/1272-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1520-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-178.dat upx behavioral2/files/0x0007000000023cc8-183.dat upx behavioral2/memory/4052-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4476-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2460-203-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1680-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4188-214-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The IoC here is opening the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; this key is also commonly read by benign software (locale lookups), so on its own it is a weak indicator and is mainly useful as corroboration for the dropped-EXE chain above.
Processes:
lrxxlrx.exebhthhn.exedpvjp.exelxflxxx.exejpjpv.exefrxflrr.exepdppj.exedpvdd.exejpdvd.exenbbtnn.exe3nhhnn.exexxxxxff.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxflxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory — 64 IoCs. Every entry is a parent writing to the child it has just spawned, exactly three times per parent/child pair, following the chain order of the process tree; this pattern is consistent with ordinary process creation of the dropped executables rather than injection into an unrelated process, and the signature alone should not be read as evidence of code injection.
Processes:
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exeffxfxxf.exetnnttb.exevvdjv.exelfxfrxf.exe7bhhhn.exevvpjd.exelxrxrxx.exetbttbb.exedpjjd.exefrllfxx.exehntbhn.exe3ppdv.exepdpdp.exefrxrrrf.exetbbnnb.exejjjpd.exerlxxxrl.exenbbhtb.exejdpvj.exetntbnn.exevvpjd.exedescription pid Process procid_target PID 4596 wrote to memory of 2316 4596 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 82 PID 4596 wrote to memory of 2316 4596 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 82 PID 4596 wrote to memory of 2316 4596 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 82 PID 2316 wrote to memory of 3656 2316 ffxfxxf.exe 83 PID 2316 wrote to memory of 3656 2316 ffxfxxf.exe 83 PID 2316 wrote to memory of 3656 2316 ffxfxxf.exe 83 PID 3656 wrote to memory of 1748 3656 tnnttb.exe 84 PID 3656 wrote to memory of 1748 3656 tnnttb.exe 84 PID 3656 wrote to memory of 1748 3656 tnnttb.exe 84 PID 1748 wrote to memory of 4768 1748 vvdjv.exe 85 PID 1748 wrote to memory of 4768 1748 vvdjv.exe 85 PID 1748 wrote to memory of 4768 1748 vvdjv.exe 85 PID 4768 wrote to memory of 3916 4768 lfxfrxf.exe 86 PID 4768 wrote to memory of 3916 4768 lfxfrxf.exe 86 PID 4768 wrote to memory of 3916 4768 lfxfrxf.exe 86 PID 3916 wrote to memory of 5032 3916 7bhhhn.exe 87 PID 3916 wrote to memory of 5032 3916 7bhhhn.exe 87 PID 3916 wrote to memory of 5032 3916 7bhhhn.exe 87 PID 5032 wrote to memory of 2720 5032 vvpjd.exe 88 PID 5032 wrote to memory of 2720 5032 vvpjd.exe 88 PID 5032 wrote to memory of 2720 5032 vvpjd.exe 88 PID 2720 wrote to memory of 4160 2720 lxrxrxx.exe 89 PID 2720 wrote to memory of 4160 2720 lxrxrxx.exe 89 PID 2720 wrote to memory of 4160 2720 lxrxrxx.exe 89 PID 4160 wrote to memory of 4444 4160 tbttbb.exe 90 PID 4160 wrote to memory of 4444 4160 tbttbb.exe 90 PID 4160 wrote to memory of 4444 4160 tbttbb.exe 90 PID 4444 wrote to memory of 2008 4444 dpjjd.exe 91 PID 4444 wrote to memory of 2008 4444 dpjjd.exe 91 
PID 4444 wrote to memory of 2008 4444 dpjjd.exe 91 PID 2008 wrote to memory of 3912 2008 frllfxx.exe 92 PID 2008 wrote to memory of 3912 2008 frllfxx.exe 92 PID 2008 wrote to memory of 3912 2008 frllfxx.exe 92 PID 3912 wrote to memory of 1404 3912 hntbhn.exe 93 PID 3912 wrote to memory of 1404 3912 hntbhn.exe 93 PID 3912 wrote to memory of 1404 3912 hntbhn.exe 93 PID 1404 wrote to memory of 2440 1404 3ppdv.exe 94 PID 1404 wrote to memory of 2440 1404 3ppdv.exe 94 PID 1404 wrote to memory of 2440 1404 3ppdv.exe 94 PID 2440 wrote to memory of 4496 2440 pdpdp.exe 95 PID 2440 wrote to memory of 4496 2440 pdpdp.exe 95 PID 2440 wrote to memory of 4496 2440 pdpdp.exe 95 PID 4496 wrote to memory of 2600 4496 frxrrrf.exe 96 PID 4496 wrote to memory of 2600 4496 frxrrrf.exe 96 PID 4496 wrote to memory of 2600 4496 frxrrrf.exe 96 PID 2600 wrote to memory of 5024 2600 tbbnnb.exe 97 PID 2600 wrote to memory of 5024 2600 tbbnnb.exe 97 PID 2600 wrote to memory of 5024 2600 tbbnnb.exe 97 PID 5024 wrote to memory of 2708 5024 jjjpd.exe 98 PID 5024 wrote to memory of 2708 5024 jjjpd.exe 98 PID 5024 wrote to memory of 2708 5024 jjjpd.exe 98 PID 2708 wrote to memory of 216 2708 rlxxxrl.exe 99 PID 2708 wrote to memory of 216 2708 rlxxxrl.exe 99 PID 2708 wrote to memory of 216 2708 rlxxxrl.exe 99 PID 216 wrote to memory of 3160 216 nbbhtb.exe 100 PID 216 wrote to memory of 3160 216 nbbhtb.exe 100 PID 216 wrote to memory of 3160 216 nbbhtb.exe 100 PID 3160 wrote to memory of 2824 3160 jdpvj.exe 101 PID 3160 wrote to memory of 2824 3160 jdpvj.exe 101 PID 3160 wrote to memory of 2824 3160 jdpvj.exe 101 PID 2824 wrote to memory of 1900 2824 tntbnn.exe 102 PID 2824 wrote to memory of 1900 2824 tntbnn.exe 102 PID 2824 wrote to memory of 1900 2824 tntbnn.exe 102 PID 1900 wrote to memory of 1492 1900 vvpjd.exe 103
Processes (process tree; PIDs are reused within it — e.g. 2316, 5032, 4444, 2008, 1748 and 4768 each appear twice at different depths — so earlier links in the chain had already exited before later ones started, and PID values must be combined with process start time when correlating them with the IoC lists above)
-
C:\Users\Admin\AppData\Local\Temp\375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe"C:\Users\Admin\AppData\Local\Temp\375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\ffxfxxf.exec:\ffxfxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\tnnttb.exec:\tnnttb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\vvdjv.exec:\vvdjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\lfxfrxf.exec:\lfxfrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\7bhhhn.exec:\7bhhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\vvpjd.exec:\vvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\lxrxrxx.exec:\lxrxrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\tbttbb.exec:\tbttbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\dpjjd.exec:\dpjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\frllfxx.exec:\frllfxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\hntbhn.exec:\hntbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\3ppdv.exec:\3ppdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\pdpdp.exec:\pdpdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\frxrrrf.exec:\frxrrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\tbbnnb.exec:\tbbnnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\jjjpd.exec:\jjjpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\rlxxxrl.exec:\rlxxxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\nbbhtb.exec:\nbbhtb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\jdpvj.exec:\jdpvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\tntbnn.exec:\tntbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\vvpjd.exec:\vvpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\bnnnbn.exec:\bnnnbn.exe23⤵
- Executes dropped EXE
PID:1492 -
\??\c:\dpdvv.exec:\dpdvv.exe24⤵
- Executes dropped EXE
PID:2704 -
\??\c:\ffllffl.exec:\ffllffl.exe25⤵
- Executes dropped EXE
PID:3988 -
\??\c:\nhtbnh.exec:\nhtbnh.exe26⤵
- Executes dropped EXE
PID:2236 -
\??\c:\jvvpj.exec:\jvvpj.exe27⤵
- Executes dropped EXE
PID:4260 -
\??\c:\dvdjd.exec:\dvdjd.exe28⤵
- Executes dropped EXE
PID:4396 -
\??\c:\rfllxfr.exec:\rfllxfr.exe29⤵
- Executes dropped EXE
PID:2068 -
\??\c:\thhhhh.exec:\thhhhh.exe30⤵
- Executes dropped EXE
PID:2924 -
\??\c:\3lrrrrr.exec:\3lrrrrr.exe31⤵
- Executes dropped EXE
PID:1272 -
\??\c:\dvddv.exec:\dvddv.exe32⤵
- Executes dropped EXE
PID:1520 -
\??\c:\ddjdp.exec:\ddjdp.exe33⤵
- Executes dropped EXE
PID:2020 -
\??\c:\5lxrxfx.exec:\5lxrxfx.exe34⤵
- Executes dropped EXE
PID:4052 -
\??\c:\lffffff.exec:\lffffff.exe35⤵
- Executes dropped EXE
PID:4088 -
\??\c:\nthhbh.exec:\nthhbh.exe36⤵
- Executes dropped EXE
PID:4476 -
\??\c:\pjvvp.exec:\pjvvp.exe37⤵
- Executes dropped EXE
PID:2460 -
\??\c:\rffxrfx.exec:\rffxrfx.exe38⤵
- Executes dropped EXE
PID:3352 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe39⤵
- Executes dropped EXE
PID:1680 -
\??\c:\ddpdv.exec:\ddpdv.exe40⤵
- Executes dropped EXE
PID:4188 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe41⤵
- Executes dropped EXE
PID:1820 -
\??\c:\btbbtt.exec:\btbbtt.exe42⤵
- Executes dropped EXE
PID:2732 -
\??\c:\vjdvp.exec:\vjdvp.exe43⤵
- Executes dropped EXE
PID:4540 -
\??\c:\htbtnn.exec:\htbtnn.exe44⤵
- Executes dropped EXE
PID:2664 -
\??\c:\nbthbb.exec:\nbthbb.exe45⤵
- Executes dropped EXE
PID:3572 -
\??\c:\dpjpp.exec:\dpjpp.exe46⤵
- Executes dropped EXE
PID:3080 -
\??\c:\jpjvv.exec:\jpjvv.exe47⤵
- Executes dropped EXE
PID:2016 -
\??\c:\ffllfff.exec:\ffllfff.exe48⤵
- Executes dropped EXE
PID:2868 -
\??\c:\7nnnnn.exec:\7nnnnn.exe49⤵
- Executes dropped EXE
PID:4516 -
\??\c:\3vvvp.exec:\3vvvp.exe50⤵
- Executes dropped EXE
PID:4820 -
\??\c:\ffffxll.exec:\ffffxll.exe51⤵
- Executes dropped EXE
PID:4388 -
\??\c:\frlrrfx.exec:\frlrrfx.exe52⤵
- Executes dropped EXE
PID:2916 -
\??\c:\rrxxrxr.exec:\rrxxrxr.exe53⤵
- Executes dropped EXE
PID:2672 -
\??\c:\thhtnb.exec:\thhtnb.exe54⤵
- Executes dropped EXE
PID:2316 -
\??\c:\dpppp.exec:\dpppp.exe55⤵
- Executes dropped EXE
PID:1908 -
\??\c:\vvpjp.exec:\vvpjp.exe56⤵
- Executes dropped EXE
PID:4984 -
\??\c:\xrllrxr.exec:\xrllrxr.exe57⤵
- Executes dropped EXE
PID:544 -
\??\c:\hhbhbb.exec:\hhbhbb.exe58⤵
- Executes dropped EXE
PID:4124 -
\??\c:\9vddv.exec:\9vddv.exe59⤵
- Executes dropped EXE
PID:3664 -
\??\c:\dvddv.exec:\dvddv.exe60⤵
- Executes dropped EXE
PID:2552 -
\??\c:\1lxxffr.exec:\1lxxffr.exe61⤵
- Executes dropped EXE
PID:5032 -
\??\c:\httbtb.exec:\httbtb.exe62⤵
- Executes dropped EXE
PID:2496 -
\??\c:\hntbtt.exec:\hntbtt.exe63⤵
- Executes dropped EXE
PID:4224 -
\??\c:\jppjj.exec:\jppjj.exe64⤵
- Executes dropped EXE
PID:5028 -
\??\c:\1fllfff.exec:\1fllfff.exe65⤵
- Executes dropped EXE
PID:4444 -
\??\c:\vvdvv.exec:\vvdvv.exe66⤵PID:2516
-
\??\c:\jdjjj.exec:\jdjjj.exe67⤵PID:2008
-
\??\c:\dvvvp.exec:\dvvvp.exe68⤵PID:2444
-
\??\c:\llllfff.exec:\llllfff.exe69⤵PID:3708
-
\??\c:\7nbbbh.exec:\7nbbbh.exe70⤵PID:3272
-
\??\c:\jdvvd.exec:\jdvvd.exe71⤵PID:5004
-
\??\c:\7pvjj.exec:\7pvjj.exe72⤵PID:2684
-
\??\c:\pjvpp.exec:\pjvpp.exe73⤵PID:1468
-
\??\c:\fllfxxl.exec:\fllfxxl.exe74⤵PID:4952
-
\??\c:\1hhbbb.exec:\1hhbbb.exe75⤵PID:4812
-
\??\c:\jjdvd.exec:\jjdvd.exe76⤵PID:2528
-
\??\c:\ddjjd.exec:\ddjjd.exe77⤵PID:2584
-
\??\c:\1fxrxfx.exec:\1fxrxfx.exe78⤵PID:1260
-
\??\c:\5tttnh.exec:\5tttnh.exe79⤵PID:5092
-
\??\c:\nbhbtt.exec:\nbhbtt.exe80⤵PID:2180
-
\??\c:\vjjpj.exec:\vjjpj.exe81⤵PID:3412
-
\??\c:\rllffll.exec:\rllffll.exe82⤵PID:636
-
\??\c:\xlrxxxr.exec:\xlrxxxr.exe83⤵PID:368
-
\??\c:\hbhbbb.exec:\hbhbbb.exe84⤵PID:1328
-
\??\c:\7bnbhh.exec:\7bnbhh.exe85⤵PID:2704
-
\??\c:\jvddd.exec:\jvddd.exe86⤵PID:3872
-
\??\c:\3xllllf.exec:\3xllllf.exe87⤵PID:384
-
\??\c:\hbtntb.exec:\hbtntb.exe88⤵PID:1040
-
\??\c:\jdvpp.exec:\jdvpp.exe89⤵PID:2000
-
\??\c:\dvppj.exec:\dvppj.exe90⤵PID:4900
-
\??\c:\xxfxrrf.exec:\xxfxrrf.exe91⤵PID:4536
-
\??\c:\nbbhbh.exec:\nbbhbh.exe92⤵PID:2488
-
\??\c:\ttttbb.exec:\ttttbb.exe93⤵PID:4120
-
\??\c:\jjvvv.exec:\jjvvv.exe94⤵PID:1752
-
\??\c:\frxflrr.exec:\frxflrr.exe95⤵
- System Location Discovery: System Language Discovery
PID:1520 -
\??\c:\rlxfrff.exec:\rlxfrff.exe96⤵PID:208
-
\??\c:\nnnnht.exec:\nnnnht.exe97⤵PID:804
-
\??\c:\pjpjj.exec:\pjpjj.exe98⤵PID:4896
-
\??\c:\3vvpj.exec:\3vvpj.exe99⤵PID:5060
-
\??\c:\5lxlfff.exec:\5lxlfff.exe100⤵PID:4440
-
\??\c:\xrrxxxx.exec:\xrrxxxx.exe101⤵PID:2952
-
\??\c:\tnnntt.exec:\tnnntt.exe102⤵PID:2676
-
\??\c:\vppjj.exec:\vppjj.exe103⤵PID:1632
-
\??\c:\vdjjv.exec:\vdjjv.exe104⤵PID:3600
-
\??\c:\3rxxrxr.exec:\3rxxrxr.exe105⤵PID:3324
-
\??\c:\btbhtb.exec:\btbhtb.exe106⤵PID:3752
-
\??\c:\hhtnhh.exec:\hhtnhh.exe107⤵PID:4320
-
\??\c:\dddvp.exec:\dddvp.exe108⤵PID:1792
-
\??\c:\3fxxrff.exec:\3fxxrff.exe109⤵PID:2876
-
\??\c:\rfrxrxx.exec:\rfrxrxx.exe110⤵PID:2940
-
\??\c:\thhhhb.exec:\thhhhb.exe111⤵PID:1476
-
\??\c:\jjddd.exec:\jjddd.exe112⤵PID:1364
-
\??\c:\3vddv.exec:\3vddv.exe113⤵PID:4516
-
\??\c:\xffffrl.exec:\xffffrl.exe114⤵PID:320
-
\??\c:\bnnbnt.exec:\bnnbnt.exe115⤵PID:3096
-
\??\c:\5bbtnb.exec:\5bbtnb.exe116⤵PID:3952
-
\??\c:\pjpjd.exec:\pjpjd.exe117⤵PID:2672
-
\??\c:\lxfllrr.exec:\lxfllrr.exe118⤵PID:3148
-
\??\c:\flffrrl.exec:\flffrrl.exe119⤵PID:3516
-
\??\c:\rrrrlrr.exec:\rrrrlrr.exe120⤵PID:1748
-
\??\c:\hnbbhn.exec:\hnbbhn.exe121⤵PID:4768
-
\??\c:\bbbthh.exec:\bbbthh.exe122⤵PID:3512