Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-11-2024 16:05
Behavioral task
behavioral1
Sample
d6daa0ae8a42440d9ad2a1daff2f2f296aca817e0a6e11f341af7b5a0017595a.exe
Resource
win7-20240903-en
7 signatures
120 seconds
(Note: this task card describes the behavioral1 run on the Windows 7 image, but the Analysis header above names the win10v2004-20241007-en image and every IoC below is tagged behavioral2. The signature tables and process tree that follow therefore appear to come from the Windows 10 run, not from the task summarised here.)
General
-
Target
d6daa0ae8a42440d9ad2a1daff2f2f296aca817e0a6e11f341af7b5a0017595a.exe
-
Size
78KB
-
MD5
36fe4429aa9fe723066f85d27d8134f9
-
SHA1
118a2801451743b606ea3addc5a81a70bc34e7cc
-
SHA256
d6daa0ae8a42440d9ad2a1daff2f2f296aca817e0a6e11f341af7b5a0017595a
-
SHA512
dfb518201b9e7c2caa108ced5641eeb85d44ce0458e0b3596fc6b02f8104da88f5fafc8bfe0105547a323665e962621a5814932c2edd53426dff4e19d15eca1d
-
SSDEEP
1536:xvQBeOGtrYS3srx93UBWfwC6Ggnouy82F13w1rCJtzx8/p7kew:xhOmTsF93UYfwC6GIout03LzGFw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every match is on an in-memory dump of the image range 0x0000000000400000-0x0000000000427000 of the sample or one of its dropped copies, i.e. on the unpacked code; the on-disk files only match the generic `upx` rule below. The MD5/SHA1/SHA256 hashes above thus identify the packed outer layer and are unlikely to match a repacked build of the same payload — pivot on the in-memory rule or on behaviour rather than on file hashes.)
resource yara_rule behavioral2/memory/4444-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3976-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2796-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3920-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/844-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1804-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1868-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1804-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4124-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/772-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2364-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2916-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4104-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/512-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3080-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-481-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-513-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-544-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3136-611-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-624-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-646-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-656-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-678-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-709-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-785-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-858-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2016-889-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-1133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-1563-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each stage writes the next executable to the root of the system volume — see the `\??\c:\….exe` paths in the process tree — under a short name built from a small set of letters with an optional leading digit. The drop directory and naming pattern are useful hunting artifacts, though the exact names presumably vary between runs.)
pid Process 3976 xfrlflf.exe 2796 hhbbtb.exe 3920 pjjpp.exe 3500 xllfxrr.exe 4892 bttttt.exe 4932 vpdvd.exe 844 rflfxrl.exe 748 ntbnhh.exe 3488 nntttt.exe 4876 pjjdv.exe 1868 9ffxxxx.exe 1804 nhhnnn.exe 4668 1jpjv.exe 1912 xxffffl.exe 2192 thbthh.exe 4132 pdvvv.exe 4340 fxxfxff.exe 5068 nbbttt.exe 3276 3pppd.exe 4548 fxxrxxl.exe 2892 ntnnnn.exe 2368 dpppv.exe 3348 pdjdv.exe 2216 ffxllxx.exe 4624 tnbbtt.exe 2932 vjvdp.exe 1052 7pppd.exe 1728 xrrlxxr.exe 4124 bnhtnh.exe 4460 vvvpj.exe 4696 pjjdd.exe 2668 xrrrllf.exe 908 nhnnhh.exe 3036 tnhhtt.exe 372 lfxxlff.exe 1464 tnhbtb.exe 2024 bhhtnh.exe 5040 jvpvv.exe 5096 llxxrxx.exe 3088 lxfffll.exe 4248 nnhhhh.exe 2080 nnhhbb.exe 2012 frffxff.exe 4628 rxfffll.exe 4376 9tnnnn.exe 4468 vdpjp.exe 3576 1vpvd.exe 2816 bttnhh.exe 3456 tttbtt.exe 4044 djjjd.exe 4156 lrrrlll.exe 772 lxxllrr.exe 3448 bnnnnn.exe 2364 jdddv.exe 1576 jjppp.exe 748 3ffxffr.exe 3056 5hhhhh.exe 1680 vdddd.exe 4328 vdjdv.exe 2916 fflfxrl.exe 2384 tthbnt.exe 2124 httttt.exe 2252 dpvpp.exe 3252 ffrlrrr.exe -
resource yara_rule behavioral2/memory/4444-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b35-3.dat upx behavioral2/memory/4444-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8d-8.dat upx behavioral2/memory/3976-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-11.dat upx behavioral2/memory/2796-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3920-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-20.dat upx behavioral2/memory/3920-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3500-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-26.dat upx behavioral2/files/0x000a000000023b94-32.dat upx behavioral2/memory/4892-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-38.dat upx behavioral2/memory/4932-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-43.dat upx behavioral2/memory/844-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-49.dat upx behavioral2/memory/748-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-54.dat upx behavioral2/memory/4876-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3488-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-61.dat upx behavioral2/memory/4876-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-67.dat upx behavioral2/memory/1804-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1868-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1804-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-74.dat upx 
behavioral2/files/0x000a000000023b9c-80.dat upx behavioral2/files/0x000a000000023b9d-85.dat upx behavioral2/files/0x000b000000023b9f-91.dat upx behavioral2/files/0x000b000000023ba0-95.dat upx behavioral2/memory/4132-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba1-102.dat upx behavioral2/files/0x000a000000023ba9-106.dat upx behavioral2/memory/5068-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bb0-112.dat upx behavioral2/memory/3276-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb9-119.dat upx behavioral2/files/0x0009000000023bbe-124.dat upx behavioral2/files/0x0009000000023bbf-128.dat upx behavioral2/memory/2368-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3348-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8e-136.dat upx behavioral2/memory/2216-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bc0-140.dat upx behavioral2/memory/4624-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bc4-146.dat upx behavioral2/files/0x0008000000023bc6-151.dat upx behavioral2/files/0x0008000000023bc9-156.dat upx behavioral2/files/0x0008000000023bca-161.dat upx behavioral2/files/0x0008000000023bcb-166.dat upx behavioral2/memory/4124-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfb-173.dat upx behavioral2/files/0x0008000000023bfc-178.dat upx behavioral2/memory/3088-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2080-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2012-218-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4628-222-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4376-226-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4468-230-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3576-234-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The `Process not Found` entries below are key opens the sandbox could not attribute to a tracked process (most likely stages that had already exited). Reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by many benign programs, so this TTP is low-signal on its own and is mainly useful as corroboration of the other signatures.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each entry is a parent writing into the child it has just spawned — three writes per parent/child pair — and every target is one of the dropped executables listed above, so the writes form a single linear chain: sample → xfrlflf.exe → hhbbtb.exe → … rather than injection into an unrelated process. Writes into a freshly created child are also produced by ordinary process start-up, so this signature by itself does not establish code injection; the chain structure and the dropped-EXE evidence are the stronger indicators.)
description pid Process procid_target PID 4444 wrote to memory of 3976 4444 d6daa0ae8a42440d9ad2a1daff2f2f296aca817e0a6e11f341af7b5a0017595a.exe 84 PID 4444 wrote to memory of 3976 4444 d6daa0ae8a42440d9ad2a1daff2f2f296aca817e0a6e11f341af7b5a0017595a.exe 84 PID 4444 wrote to memory of 3976 4444 d6daa0ae8a42440d9ad2a1daff2f2f296aca817e0a6e11f341af7b5a0017595a.exe 84 PID 3976 wrote to memory of 2796 3976 xfrlflf.exe 85 PID 3976 wrote to memory of 2796 3976 xfrlflf.exe 85 PID 3976 wrote to memory of 2796 3976 xfrlflf.exe 85 PID 2796 wrote to memory of 3920 2796 hhbbtb.exe 86 PID 2796 wrote to memory of 3920 2796 hhbbtb.exe 86 PID 2796 wrote to memory of 3920 2796 hhbbtb.exe 86 PID 3920 wrote to memory of 3500 3920 pjjpp.exe 87 PID 3920 wrote to memory of 3500 3920 pjjpp.exe 87 PID 3920 wrote to memory of 3500 3920 pjjpp.exe 87 PID 3500 wrote to memory of 4892 3500 xllfxrr.exe 88 PID 3500 wrote to memory of 4892 3500 xllfxrr.exe 88 PID 3500 wrote to memory of 4892 3500 xllfxrr.exe 88 PID 4892 wrote to memory of 4932 4892 bttttt.exe 89 PID 4892 wrote to memory of 4932 4892 bttttt.exe 89 PID 4892 wrote to memory of 4932 4892 bttttt.exe 89 PID 4932 wrote to memory of 844 4932 vpdvd.exe 90 PID 4932 wrote to memory of 844 4932 vpdvd.exe 90 PID 4932 wrote to memory of 844 4932 vpdvd.exe 90 PID 844 wrote to memory of 748 844 rflfxrl.exe 91 PID 844 wrote to memory of 748 844 rflfxrl.exe 91 PID 844 wrote to memory of 748 844 rflfxrl.exe 91 PID 748 wrote to memory of 3488 748 ntbnhh.exe 92 PID 748 wrote to memory of 3488 748 ntbnhh.exe 92 PID 748 wrote to memory of 3488 748 ntbnhh.exe 92 PID 3488 wrote to memory of 4876 3488 nntttt.exe 93 PID 3488 wrote to memory of 4876 3488 nntttt.exe 93 PID 3488 wrote to memory of 4876 3488 nntttt.exe 93 PID 4876 wrote to memory of 1868 4876 pjjdv.exe 94 PID 4876 wrote to memory of 1868 4876 pjjdv.exe 94 PID 4876 wrote to memory of 1868 4876 pjjdv.exe 94 PID 1868 wrote to memory of 1804 1868 9ffxxxx.exe 95 PID 1868 wrote to memory of 1804 
1868 9ffxxxx.exe 95 PID 1868 wrote to memory of 1804 1868 9ffxxxx.exe 95 PID 1804 wrote to memory of 4668 1804 nhhnnn.exe 96 PID 1804 wrote to memory of 4668 1804 nhhnnn.exe 96 PID 1804 wrote to memory of 4668 1804 nhhnnn.exe 96 PID 4668 wrote to memory of 1912 4668 1jpjv.exe 97 PID 4668 wrote to memory of 1912 4668 1jpjv.exe 97 PID 4668 wrote to memory of 1912 4668 1jpjv.exe 97 PID 1912 wrote to memory of 2192 1912 xxffffl.exe 98 PID 1912 wrote to memory of 2192 1912 xxffffl.exe 98 PID 1912 wrote to memory of 2192 1912 xxffffl.exe 98 PID 2192 wrote to memory of 4132 2192 thbthh.exe 99 PID 2192 wrote to memory of 4132 2192 thbthh.exe 99 PID 2192 wrote to memory of 4132 2192 thbthh.exe 99 PID 4132 wrote to memory of 4340 4132 pdvvv.exe 100 PID 4132 wrote to memory of 4340 4132 pdvvv.exe 100 PID 4132 wrote to memory of 4340 4132 pdvvv.exe 100 PID 4340 wrote to memory of 5068 4340 fxxfxff.exe 101 PID 4340 wrote to memory of 5068 4340 fxxfxff.exe 101 PID 4340 wrote to memory of 5068 4340 fxxfxff.exe 101 PID 5068 wrote to memory of 3276 5068 nbbttt.exe 102 PID 5068 wrote to memory of 3276 5068 nbbttt.exe 102 PID 5068 wrote to memory of 3276 5068 nbbttt.exe 102 PID 3276 wrote to memory of 4548 3276 3pppd.exe 103 PID 3276 wrote to memory of 4548 3276 3pppd.exe 103 PID 3276 wrote to memory of 4548 3276 3pppd.exe 103 PID 4548 wrote to memory of 2892 4548 fxxrxxl.exe 104 PID 4548 wrote to memory of 2892 4548 fxxrxxl.exe 104 PID 4548 wrote to memory of 2892 4548 fxxrxxl.exe 104 PID 2892 wrote to memory of 2368 2892 ntnnnn.exe 105
Processes (note: several PIDs appear twice in the tree below — e.g. 748, 2368, 3500, 4548 and 4892 — because earlier stages had exited and Windows reused the PID; do not treat a PID as a stable identifier when correlating the IoC tables above with the tree, use the executable name and depth instead)
-
C:\Users\Admin\AppData\Local\Temp\d6daa0ae8a42440d9ad2a1daff2f2f296aca817e0a6e11f341af7b5a0017595a.exe"C:\Users\Admin\AppData\Local\Temp\d6daa0ae8a42440d9ad2a1daff2f2f296aca817e0a6e11f341af7b5a0017595a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\xfrlflf.exec:\xfrlflf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\hhbbtb.exec:\hhbbtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\pjjpp.exec:\pjjpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\xllfxrr.exec:\xllfxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\bttttt.exec:\bttttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\vpdvd.exec:\vpdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\rflfxrl.exec:\rflfxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\ntbnhh.exec:\ntbnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\nntttt.exec:\nntttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\pjjdv.exec:\pjjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\9ffxxxx.exec:\9ffxxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\nhhnnn.exec:\nhhnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\1jpjv.exec:\1jpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\xxffffl.exec:\xxffffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\thbthh.exec:\thbthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\pdvvv.exec:\pdvvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\fxxfxff.exec:\fxxfxff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\nbbttt.exec:\nbbttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\3pppd.exec:\3pppd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\fxxrxxl.exec:\fxxrxxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\ntnnnn.exec:\ntnnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\dpppv.exec:\dpppv.exe23⤵
- Executes dropped EXE
PID:2368 -
\??\c:\pdjdv.exec:\pdjdv.exe24⤵
- Executes dropped EXE
PID:3348 -
\??\c:\ffxllxx.exec:\ffxllxx.exe25⤵
- Executes dropped EXE
PID:2216 -
\??\c:\tnbbtt.exec:\tnbbtt.exe26⤵
- Executes dropped EXE
PID:4624 -
\??\c:\vjvdp.exec:\vjvdp.exe27⤵
- Executes dropped EXE
PID:2932 -
\??\c:\7pppd.exec:\7pppd.exe28⤵
- Executes dropped EXE
PID:1052 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe29⤵
- Executes dropped EXE
PID:1728 -
\??\c:\bnhtnh.exec:\bnhtnh.exe30⤵
- Executes dropped EXE
PID:4124 -
\??\c:\vvvpj.exec:\vvvpj.exe31⤵
- Executes dropped EXE
PID:4460 -
\??\c:\pjjdd.exec:\pjjdd.exe32⤵
- Executes dropped EXE
PID:4696 -
\??\c:\xrrrllf.exec:\xrrrllf.exe33⤵
- Executes dropped EXE
PID:2668 -
\??\c:\nhnnhh.exec:\nhnnhh.exe34⤵
- Executes dropped EXE
PID:908 -
\??\c:\tnhhtt.exec:\tnhhtt.exe35⤵
- Executes dropped EXE
PID:3036 -
\??\c:\lfxxlff.exec:\lfxxlff.exe36⤵
- Executes dropped EXE
PID:372 -
\??\c:\tnhbtb.exec:\tnhbtb.exe37⤵
- Executes dropped EXE
PID:1464 -
\??\c:\bhhtnh.exec:\bhhtnh.exe38⤵
- Executes dropped EXE
PID:2024 -
\??\c:\jvpvv.exec:\jvpvv.exe39⤵
- Executes dropped EXE
PID:5040 -
\??\c:\llxxrxx.exec:\llxxrxx.exe40⤵
- Executes dropped EXE
PID:5096 -
\??\c:\lxfffll.exec:\lxfffll.exe41⤵
- Executes dropped EXE
PID:3088 -
\??\c:\nnhhhh.exec:\nnhhhh.exe42⤵
- Executes dropped EXE
PID:4248 -
\??\c:\nnhhbb.exec:\nnhhbb.exe43⤵
- Executes dropped EXE
PID:2080 -
\??\c:\frffxff.exec:\frffxff.exe44⤵
- Executes dropped EXE
PID:2012 -
\??\c:\rxfffll.exec:\rxfffll.exe45⤵
- Executes dropped EXE
PID:4628 -
\??\c:\9tnnnn.exec:\9tnnnn.exe46⤵
- Executes dropped EXE
PID:4376 -
\??\c:\vdpjp.exec:\vdpjp.exe47⤵
- Executes dropped EXE
PID:4468 -
\??\c:\1vpvd.exec:\1vpvd.exe48⤵
- Executes dropped EXE
PID:3576 -
\??\c:\bttnhh.exec:\bttnhh.exe49⤵
- Executes dropped EXE
PID:2816 -
\??\c:\tttbtt.exec:\tttbtt.exe50⤵
- Executes dropped EXE
PID:3456 -
\??\c:\djjjd.exec:\djjjd.exe51⤵
- Executes dropped EXE
PID:4044 -
\??\c:\lrrrlll.exec:\lrrrlll.exe52⤵
- Executes dropped EXE
PID:4156 -
\??\c:\lxxllrr.exec:\lxxllrr.exe53⤵
- Executes dropped EXE
PID:772 -
\??\c:\bnnnnn.exec:\bnnnnn.exe54⤵
- Executes dropped EXE
PID:3448 -
\??\c:\jdddv.exec:\jdddv.exe55⤵
- Executes dropped EXE
PID:2364 -
\??\c:\jjppp.exec:\jjppp.exe56⤵
- Executes dropped EXE
PID:1576 -
\??\c:\3ffxffr.exec:\3ffxffr.exe57⤵
- Executes dropped EXE
PID:748 -
\??\c:\5hhhhh.exec:\5hhhhh.exe58⤵
- Executes dropped EXE
PID:3056 -
\??\c:\vdddd.exec:\vdddd.exe59⤵
- Executes dropped EXE
PID:1680 -
\??\c:\vdjdv.exec:\vdjdv.exe60⤵
- Executes dropped EXE
PID:4328 -
\??\c:\fflfxrl.exec:\fflfxrl.exe61⤵
- Executes dropped EXE
PID:2916 -
\??\c:\tthbnt.exec:\tthbnt.exe62⤵
- Executes dropped EXE
PID:2384 -
\??\c:\httttt.exec:\httttt.exe63⤵
- Executes dropped EXE
PID:2124 -
\??\c:\dpvpp.exec:\dpvpp.exe64⤵
- Executes dropped EXE
PID:2252 -
\??\c:\ffrlrrr.exec:\ffrlrrr.exe65⤵
- Executes dropped EXE
PID:3252 -
\??\c:\lflrrxf.exec:\lflrrxf.exe66⤵PID:532
-
\??\c:\htbhhn.exec:\htbhhn.exe67⤵PID:3132
-
\??\c:\fxfllrr.exec:\fxfllrr.exe68⤵PID:4880
-
\??\c:\1fllrrr.exec:\1fllrrr.exe69⤵PID:4488
-
\??\c:\nnbnth.exec:\nnbnth.exe70⤵PID:868
-
\??\c:\pjjjd.exec:\pjjjd.exe71⤵PID:4788
-
\??\c:\lrrlxxl.exec:\lrrlxxl.exe72⤵PID:1600
-
\??\c:\rrxxxlf.exec:\rrxxxlf.exe73⤵PID:4548
-
\??\c:\nhnnnb.exec:\nhnnnb.exe74⤵PID:3636
-
\??\c:\htnhbh.exec:\htnhbh.exe75⤵PID:2768
-
\??\c:\vjpdd.exec:\vjpdd.exe76⤵PID:2368
-
\??\c:\fffffll.exec:\fffffll.exe77⤵PID:4104
-
\??\c:\thhbhh.exec:\thhbhh.exe78⤵PID:2360
-
\??\c:\bnhhbt.exec:\bnhhbt.exe79⤵PID:3388
-
\??\c:\3dvvp.exec:\3dvvp.exe80⤵PID:512
-
\??\c:\rlrrfll.exec:\rlrrfll.exe81⤵PID:1496
-
\??\c:\9ntbbh.exec:\9ntbbh.exe82⤵PID:4792
-
\??\c:\tnhbbh.exec:\tnhbbh.exe83⤵PID:3236
-
\??\c:\pdjdd.exec:\pdjdd.exe84⤵PID:4900
-
\??\c:\rrxxrrr.exec:\rrxxrrr.exe85⤵PID:3080
-
\??\c:\3xxxxxx.exec:\3xxxxxx.exe86⤵PID:452
-
\??\c:\bntntn.exec:\bntntn.exe87⤵PID:4728
-
\??\c:\jdvdv.exec:\jdvdv.exe88⤵PID:2440
-
\??\c:\fxxxrxx.exec:\fxxxrxx.exe89⤵PID:3396
-
\??\c:\xxlrlrl.exec:\xxlrlrl.exe90⤵PID:4656
-
\??\c:\thnntb.exec:\thnntb.exe91⤵PID:1776
-
\??\c:\5thbbb.exec:\5thbbb.exe92⤵PID:4060
-
\??\c:\dvddj.exec:\dvddj.exe93⤵PID:4252
-
\??\c:\dddvv.exec:\dddvv.exe94⤵PID:1876
-
\??\c:\9rlxrfx.exec:\9rlxrfx.exe95⤵PID:3216
-
\??\c:\rrxxrrx.exec:\rrxxrrx.exe96⤵PID:4644
-
\??\c:\vvjvp.exec:\vvjvp.exe97⤵PID:1200
-
\??\c:\llrlflr.exec:\llrlflr.exe98⤵PID:3104
-
\??\c:\rrllfll.exec:\rrllfll.exe99⤵PID:4616
-
\??\c:\bnttbt.exec:\bnttbt.exe100⤵PID:4628
-
\??\c:\7thbnn.exec:\7thbnn.exe101⤵PID:4376
-
\??\c:\pdppj.exec:\pdppj.exe102⤵PID:2580
-
\??\c:\frxffll.exec:\frxffll.exe103⤵PID:3872
-
\??\c:\xlrffll.exec:\xlrffll.exe104⤵PID:2848
-
\??\c:\1ttnnn.exec:\1ttnnn.exe105⤵PID:2136
-
\??\c:\pjvvd.exec:\pjvvd.exe106⤵PID:3500
-
\??\c:\jddvv.exec:\jddvv.exe107⤵PID:4072
-
\??\c:\9lllfrr.exec:\9lllfrr.exe108⤵PID:4892
-
\??\c:\frrflll.exec:\frrflll.exe109⤵PID:772
-
\??\c:\tbbbbh.exec:\tbbbbh.exe110⤵PID:844
-
\??\c:\bbhnnt.exec:\bbhnnt.exe111⤵PID:1668
-
\??\c:\djppd.exec:\djppd.exe112⤵PID:1824
-
\??\c:\5xxrffr.exec:\5xxrffr.exe113⤵PID:2700
-
\??\c:\bnhntt.exec:\bnhntt.exe114⤵PID:1168
-
\??\c:\7ppdv.exec:\7ppdv.exe115⤵PID:2776
-
\??\c:\xffxrrr.exec:\xffxrrr.exe116⤵PID:1512
-
\??\c:\5xfllll.exec:\5xfllll.exe117⤵PID:2916
-
\??\c:\hhnhnn.exec:\hhnhnn.exe118⤵PID:1804
-
\??\c:\hhhhbh.exec:\hhhhbh.exe119⤵PID:1768
-
\??\c:\pvdjd.exec:\pvdjd.exe120⤵PID:2812
-
\??\c:\1jjdv.exec:\1jjdv.exe121⤵PID:4672
-
\??\c:\lllfxxr.exec:\lllfxxr.exe122⤵PID:5036