Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 19:44
Behavioral task
behavioral1
Sample
a0e58c8d2d148f598a300889e549f1645f12864aa5e4775876bf109724386792N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
a0e58c8d2d148f598a300889e549f1645f12864aa5e4775876bf109724386792N.exe
-
Size
70KB
-
MD5
f680f03a3be21eb9f63ddc567dc0d5e0
-
SHA1
3d9eaade8b7dbe2d4aebd42c506783dc50787647
-
SHA256
a0e58c8d2d148f598a300889e549f1645f12864aa5e4775876bf109724386792
-
SHA512
bd948ec5223275d69ff101b8678426ab5a7128f4c924b96de4c1b7fe536b84a91af8fb3add611b0582b7c2ea460a1c2626ac04b93d0aa1420a9873d31278f08e
-
SSDEEP
1536:0vQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7qQhtr+mCaWVzi:0hOmTsF93UYfwC6GIoutX8hUDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1068-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3220-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/468-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2292-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2844-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1916-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4088-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2084-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1964-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2092-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2064-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/348-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3312-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3028-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3232-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1272-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1404-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3292-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/436-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-435-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3200-458-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-477-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-514-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-654-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/920-682-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-720-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-754-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4656-776-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/348-799-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-999-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/720-1006-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1068 frllfll.exe 4340 lxfffxr.exe 5108 jvvjd.exe 468 1ffxlfx.exe 3988 btbttn.exe 812 thtntt.exe 1120 ddddv.exe 4804 fxrlffl.exe 4992 7nbntn.exe 2884 vddjd.exe 4156 5vdvj.exe 2292 1xxxrll.exe 2844 bbhhnh.exe 4436 ddvvp.exe 2004 7lfxrlf.exe 1360 7llfrfx.exe 4204 nbhbbb.exe 4928 vpjjj.exe 1752 jddvp.exe 4088 xxfxllx.exe 3216 rxxxllf.exe 1916 tbtnhb.exe 1960 vjdvp.exe 2876 flllffx.exe 4936 7tttnt.exe 1384 dvpdv.exe 4480 jvddv.exe 2484 llxrrrl.exe 2084 htnhbt.exe 4484 pjdvp.exe 2520 jdjvd.exe 4108 fxlfllr.exe 4608 rlfxllf.exe 3528 3hnnhh.exe 1964 jddvp.exe 2512 9rxlfff.exe 244 3lxrffx.exe 2092 nntnhh.exe 1864 jddvp.exe 212 pvpdd.exe 2064 fxxlrlx.exe 348 hnnbtn.exe 5012 xxrrrrr.exe 2136 jpvvp.exe 3580 pvpvj.exe 3312 xxfrlxf.exe 5108 bntnbb.exe 2676 3hhbnh.exe 3676 xfrfxrf.exe 4284 nntnhb.exe 3028 5dvpj.exe 1768 lfxrrlr.exe 4548 thhbnh.exe 1196 vdjpv.exe 376 5xfxllx.exe 2924 htnhhb.exe 4332 btnhbt.exe 872 5vvdv.exe 4788 lfxrrrr.exe 4184 1rllfff.exe 3568 thnhbt.exe 4072 jvdvj.exe 3232 1xfxfxr.exe 2128 ffflffx.exe -
resource yara_rule behavioral2/memory/3220-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b27-3.dat upx behavioral2/memory/1068-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b7a-11.dat upx behavioral2/memory/3220-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-13.dat upx behavioral2/memory/4340-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5108-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-21.dat upx behavioral2/files/0x000a000000023b81-27.dat upx behavioral2/memory/468-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-32.dat upx behavioral2/memory/3988-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-37.dat upx behavioral2/memory/812-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-43.dat upx behavioral2/files/0x000a000000023b85-48.dat upx behavioral2/memory/4804-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-54.dat upx behavioral2/memory/4992-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-60.dat upx behavioral2/memory/4156-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-67.dat upx behavioral2/memory/2292-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-71.dat upx behavioral2/files/0x000a000000023b8a-77.dat upx behavioral2/memory/2844-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-82.dat upx behavioral2/memory/4436-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-88.dat upx behavioral2/memory/2004-90-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b8d-94.dat upx behavioral2/memory/1360-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-100.dat upx behavioral2/memory/4204-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4928-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-113.dat upx behavioral2/memory/1752-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4088-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-119.dat upx behavioral2/memory/3216-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-107.dat upx behavioral2/files/0x000a000000023b93-127.dat upx behavioral2/memory/1916-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-133.dat upx behavioral2/files/0x000a000000023b95-137.dat upx behavioral2/memory/1960-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4088-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-144.dat upx behavioral2/memory/2876-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-149.dat upx behavioral2/memory/4936-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b7b-155.dat upx behavioral2/files/0x000a000000023b98-161.dat upx behavioral2/files/0x000a000000023b99-165.dat upx behavioral2/memory/2484-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9a-171.dat upx behavioral2/memory/2084-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9b-178.dat upx behavioral2/files/0x000b000000023b9c-182.dat upx behavioral2/memory/4108-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4608-192-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1964-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2512-203-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flflxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fflllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3220 wrote to memory of 1068 3220 a0e58c8d2d148f598a300889e549f1645f12864aa5e4775876bf109724386792N.exe 82 PID 3220 wrote to memory of 1068 3220 a0e58c8d2d148f598a300889e549f1645f12864aa5e4775876bf109724386792N.exe 82 PID 3220 wrote to memory of 1068 3220 a0e58c8d2d148f598a300889e549f1645f12864aa5e4775876bf109724386792N.exe 82 PID 1068 wrote to memory of 4340 1068 frllfll.exe 83 PID 1068 wrote to memory of 4340 1068 frllfll.exe 83 PID 1068 wrote to memory of 4340 1068 frllfll.exe 83 PID 4340 wrote to memory of 5108 4340 lxfffxr.exe 84 PID 4340 wrote to memory of 5108 4340 lxfffxr.exe 84 PID 4340 wrote to memory of 5108 4340 lxfffxr.exe 84 PID 5108 wrote to memory of 468 5108 jvvjd.exe 85 PID 5108 wrote to memory of 468 5108 jvvjd.exe 85 PID 5108 wrote to memory of 468 5108 jvvjd.exe 85 PID 468 wrote to memory of 3988 468 1ffxlfx.exe 86 PID 468 wrote to memory of 3988 468 1ffxlfx.exe 86 PID 468 wrote to memory of 3988 468 1ffxlfx.exe 86 PID 3988 wrote to memory of 812 3988 btbttn.exe 87 PID 3988 wrote to memory of 812 3988 btbttn.exe 87 PID 3988 wrote to memory of 812 3988 btbttn.exe 87 PID 812 wrote to memory of 1120 812 thtntt.exe 88 PID 812 wrote to memory of 1120 812 thtntt.exe 88 PID 812 wrote to memory of 1120 812 thtntt.exe 88 PID 1120 wrote to memory of 4804 1120 ddddv.exe 89 PID 1120 wrote to memory of 4804 1120 ddddv.exe 89 PID 1120 wrote to memory of 4804 1120 ddddv.exe 89 PID 4804 wrote to memory of 4992 4804 fxrlffl.exe 90 PID 4804 wrote to memory of 4992 4804 fxrlffl.exe 90 PID 4804 wrote to memory of 4992 4804 fxrlffl.exe 90 PID 4992 wrote to memory of 2884 4992 7nbntn.exe 91 PID 4992 wrote to memory of 2884 4992 7nbntn.exe 91 PID 4992 wrote to memory of 2884 4992 7nbntn.exe 91 PID 2884 wrote to memory of 4156 2884 vddjd.exe 92 PID 2884 wrote to memory of 4156 2884 vddjd.exe 92 PID 2884 wrote to memory of 4156 2884 vddjd.exe 92 PID 4156 wrote to memory of 2292 4156 5vdvj.exe 93 PID 4156 wrote to memory of 2292 
4156 5vdvj.exe 93 PID 4156 wrote to memory of 2292 4156 5vdvj.exe 93 PID 2292 wrote to memory of 2844 2292 1xxxrll.exe 94 PID 2292 wrote to memory of 2844 2292 1xxxrll.exe 94 PID 2292 wrote to memory of 2844 2292 1xxxrll.exe 94 PID 2844 wrote to memory of 4436 2844 bbhhnh.exe 95 PID 2844 wrote to memory of 4436 2844 bbhhnh.exe 95 PID 2844 wrote to memory of 4436 2844 bbhhnh.exe 95 PID 4436 wrote to memory of 2004 4436 ddvvp.exe 96 PID 4436 wrote to memory of 2004 4436 ddvvp.exe 96 PID 4436 wrote to memory of 2004 4436 ddvvp.exe 96 PID 2004 wrote to memory of 1360 2004 7lfxrlf.exe 97 PID 2004 wrote to memory of 1360 2004 7lfxrlf.exe 97 PID 2004 wrote to memory of 1360 2004 7lfxrlf.exe 97 PID 1360 wrote to memory of 4204 1360 7llfrfx.exe 98 PID 1360 wrote to memory of 4204 1360 7llfrfx.exe 98 PID 1360 wrote to memory of 4204 1360 7llfrfx.exe 98 PID 4204 wrote to memory of 4928 4204 nbhbbb.exe 99 PID 4204 wrote to memory of 4928 4204 nbhbbb.exe 99 PID 4204 wrote to memory of 4928 4204 nbhbbb.exe 99 PID 4928 wrote to memory of 1752 4928 vpjjj.exe 100 PID 4928 wrote to memory of 1752 4928 vpjjj.exe 100 PID 4928 wrote to memory of 1752 4928 vpjjj.exe 100 PID 1752 wrote to memory of 4088 1752 jddvp.exe 101 PID 1752 wrote to memory of 4088 1752 jddvp.exe 101 PID 1752 wrote to memory of 4088 1752 jddvp.exe 101 PID 4088 wrote to memory of 3216 4088 xxfxllx.exe 102 PID 4088 wrote to memory of 3216 4088 xxfxllx.exe 102 PID 4088 wrote to memory of 3216 4088 xxfxllx.exe 102 PID 3216 wrote to memory of 1916 3216 rxxxllf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0e58c8d2d148f598a300889e549f1645f12864aa5e4775876bf109724386792N.exe"C:\Users\Admin\AppData\Local\Temp\a0e58c8d2d148f598a300889e549f1645f12864aa5e4775876bf109724386792N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\frllfll.exec:\frllfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\lxfffxr.exec:\lxfffxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\jvvjd.exec:\jvvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\1ffxlfx.exec:\1ffxlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\btbttn.exec:\btbttn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\thtntt.exec:\thtntt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\ddddv.exec:\ddddv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\fxrlffl.exec:\fxrlffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\7nbntn.exec:\7nbntn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\vddjd.exec:\vddjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\5vdvj.exec:\5vdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\1xxxrll.exec:\1xxxrll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\bbhhnh.exec:\bbhhnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\ddvvp.exec:\ddvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\7lfxrlf.exec:\7lfxrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\7llfrfx.exec:\7llfrfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\nbhbbb.exec:\nbhbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\vpjjj.exec:\vpjjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\jddvp.exec:\jddvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\xxfxllx.exec:\xxfxllx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\rxxxllf.exec:\rxxxllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\tbtnhb.exec:\tbtnhb.exe23⤵
- Executes dropped EXE
PID:1916 -
\??\c:\vjdvp.exec:\vjdvp.exe24⤵
- Executes dropped EXE
PID:1960 -
\??\c:\flllffx.exec:\flllffx.exe25⤵
- Executes dropped EXE
PID:2876 -
\??\c:\7tttnt.exec:\7tttnt.exe26⤵
- Executes dropped EXE
PID:4936 -
\??\c:\dvpdv.exec:\dvpdv.exe27⤵
- Executes dropped EXE
PID:1384 -
\??\c:\jvddv.exec:\jvddv.exe28⤵
- Executes dropped EXE
PID:4480 -
\??\c:\llxrrrl.exec:\llxrrrl.exe29⤵
- Executes dropped EXE
PID:2484 -
\??\c:\htnhbt.exec:\htnhbt.exe30⤵
- Executes dropped EXE
PID:2084 -
\??\c:\pjdvp.exec:\pjdvp.exe31⤵
- Executes dropped EXE
PID:4484 -
\??\c:\jdjvd.exec:\jdjvd.exe32⤵
- Executes dropped EXE
PID:2520 -
\??\c:\fxlfllr.exec:\fxlfllr.exe33⤵
- Executes dropped EXE
PID:4108 -
\??\c:\rlfxllf.exec:\rlfxllf.exe34⤵
- Executes dropped EXE
PID:4608 -
\??\c:\3hnnhh.exec:\3hnnhh.exe35⤵
- Executes dropped EXE
PID:3528 -
\??\c:\jddvp.exec:\jddvp.exe36⤵
- Executes dropped EXE
PID:1964 -
\??\c:\9rxlfff.exec:\9rxlfff.exe37⤵
- Executes dropped EXE
PID:2512 -
\??\c:\3lxrffx.exec:\3lxrffx.exe38⤵
- Executes dropped EXE
PID:244 -
\??\c:\nntnhh.exec:\nntnhh.exe39⤵
- Executes dropped EXE
PID:2092 -
\??\c:\jddvp.exec:\jddvp.exe40⤵
- Executes dropped EXE
PID:1864 -
\??\c:\pvpdd.exec:\pvpdd.exe41⤵
- Executes dropped EXE
PID:212 -
\??\c:\fxxlrlx.exec:\fxxlrlx.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064 -
\??\c:\hnnbtn.exec:\hnnbtn.exe43⤵
- Executes dropped EXE
PID:348 -
\??\c:\vvvvd.exec:\vvvvd.exe44⤵PID:4528
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe45⤵
- Executes dropped EXE
PID:5012 -
\??\c:\jpvvp.exec:\jpvvp.exe46⤵
- Executes dropped EXE
PID:2136 -
\??\c:\pvpvj.exec:\pvpvj.exe47⤵
- Executes dropped EXE
PID:3580 -
\??\c:\xxfrlxf.exec:\xxfrlxf.exe48⤵
- Executes dropped EXE
PID:3312 -
\??\c:\bntnbb.exec:\bntnbb.exe49⤵
- Executes dropped EXE
PID:5108 -
\??\c:\3hhbnh.exec:\3hhbnh.exe50⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xfrfxrf.exec:\xfrfxrf.exe51⤵
- Executes dropped EXE
PID:3676 -
\??\c:\nntnhb.exec:\nntnhb.exe52⤵
- Executes dropped EXE
PID:4284 -
\??\c:\5dvpj.exec:\5dvpj.exe53⤵
- Executes dropped EXE
PID:3028 -
\??\c:\lfxrrlr.exec:\lfxrrlr.exe54⤵
- Executes dropped EXE
PID:1768 -
\??\c:\thhbnh.exec:\thhbnh.exe55⤵
- Executes dropped EXE
PID:4548 -
\??\c:\vdjpv.exec:\vdjpv.exe56⤵
- Executes dropped EXE
PID:1196 -
\??\c:\5xfxllx.exec:\5xfxllx.exe57⤵
- Executes dropped EXE
PID:376 -
\??\c:\htnhhb.exec:\htnhhb.exe58⤵
- Executes dropped EXE
PID:2924 -
\??\c:\btnhbt.exec:\btnhbt.exe59⤵
- Executes dropped EXE
PID:4332 -
\??\c:\5vvdv.exec:\5vvdv.exe60⤵
- Executes dropped EXE
PID:872 -
\??\c:\lfxrrrr.exec:\lfxrrrr.exe61⤵
- Executes dropped EXE
PID:4788 -
\??\c:\1rllfff.exec:\1rllfff.exe62⤵
- Executes dropped EXE
PID:4184 -
\??\c:\thnhbt.exec:\thnhbt.exe63⤵
- Executes dropped EXE
PID:3568 -
\??\c:\jvdvj.exec:\jvdvj.exe64⤵
- Executes dropped EXE
PID:4072 -
\??\c:\1xfxfxr.exec:\1xfxfxr.exe65⤵
- Executes dropped EXE
PID:3232 -
\??\c:\ffflffx.exec:\ffflffx.exe66⤵
- Executes dropped EXE
PID:2128 -
\??\c:\3httnn.exec:\3httnn.exe67⤵PID:4188
-
\??\c:\jdpdd.exec:\jdpdd.exe68⤵PID:3268
-
\??\c:\lxlxrxr.exec:\lxlxrxr.exe69⤵PID:1968
-
\??\c:\1fffrrl.exec:\1fffrrl.exe70⤵PID:4792
-
\??\c:\nttbtt.exec:\nttbtt.exe71⤵PID:4852
-
\??\c:\3dddp.exec:\3dddp.exe72⤵PID:3252
-
\??\c:\pdjdp.exec:\pdjdp.exe73⤵PID:2932
-
\??\c:\frlfxrl.exec:\frlfxrl.exe74⤵PID:3728
-
\??\c:\nhnhbt.exec:\nhnhbt.exe75⤵PID:2864
-
\??\c:\bttnhb.exec:\bttnhb.exe76⤵PID:1272
-
\??\c:\3dvpj.exec:\3dvpj.exe77⤵
- System Location Discovery: System Language Discovery
PID:3996 -
\??\c:\jdpjj.exec:\jdpjj.exe78⤵PID:1588
-
\??\c:\xlllxrl.exec:\xlllxrl.exe79⤵PID:4444
-
\??\c:\1nbttn.exec:\1nbttn.exe80⤵PID:4900
-
\??\c:\pjdvv.exec:\pjdvv.exe81⤵PID:1976
-
\??\c:\dpjvp.exec:\dpjvp.exe82⤵PID:1688
-
\??\c:\xlxrllf.exec:\xlxrllf.exe83⤵PID:1404
-
\??\c:\5lrlfrf.exec:\5lrlfrf.exe84⤵PID:2484
-
\??\c:\thnhbb.exec:\thnhbb.exe85⤵PID:3612
-
\??\c:\vjppj.exec:\vjppj.exe86⤵PID:2984
-
\??\c:\lfxrxrr.exec:\lfxrxrr.exe87⤵PID:4496
-
\??\c:\1rrlffx.exec:\1rrlffx.exe88⤵PID:1152
-
\??\c:\9ntttb.exec:\9ntttb.exe89⤵PID:4108
-
\??\c:\hhhhhh.exec:\hhhhhh.exe90⤵PID:4796
-
\??\c:\vvdvj.exec:\vvdvj.exe91⤵PID:2544
-
\??\c:\rfrrffx.exec:\rfrrffx.exe92⤵PID:3712
-
\??\c:\lfllflf.exec:\lfllflf.exe93⤵PID:4196
-
\??\c:\hbnntt.exec:\hbnntt.exe94⤵PID:1576
-
\??\c:\dvvvp.exec:\dvvvp.exe95⤵PID:3292
-
\??\c:\xxxrffx.exec:\xxxrffx.exe96⤵PID:4052
-
\??\c:\ntttnn.exec:\ntttnn.exe97⤵PID:436
-
\??\c:\vpjpp.exec:\vpjpp.exe98⤵PID:2392
-
\??\c:\jdjdv.exec:\jdjdv.exe99⤵PID:4400
-
\??\c:\rflxrxl.exec:\rflxrxl.exe100⤵PID:4432
-
\??\c:\htntnn.exec:\htntnn.exe101⤵PID:5024
-
\??\c:\dppjv.exec:\dppjv.exe102⤵PID:4344
-
\??\c:\7djdj.exec:\7djdj.exe103⤵PID:1276
-
\??\c:\xllxxxx.exec:\xllxxxx.exe104⤵PID:5056
-
\??\c:\hbbbtt.exec:\hbbbtt.exe105⤵PID:4580
-
\??\c:\5ththn.exec:\5ththn.exe106⤵PID:3564
-
\??\c:\djppj.exec:\djppj.exe107⤵PID:4920
-
\??\c:\pjvjd.exec:\pjvjd.exe108⤵PID:3676
-
\??\c:\1fxlfll.exec:\1fxlfll.exe109⤵PID:3948
-
\??\c:\xxrfxxx.exec:\xxrfxxx.exe110⤵PID:3028
-
\??\c:\ntnbbh.exec:\ntnbbh.exe111⤵PID:1860
-
\??\c:\dvdvv.exec:\dvdvv.exe112⤵PID:1972
-
\??\c:\xlxlxxr.exec:\xlxlxxr.exe113⤵PID:4992
-
\??\c:\bbnhnh.exec:\bbnhnh.exe114⤵PID:3440
-
\??\c:\1bttbb.exec:\1bttbb.exe115⤵PID:1928
-
\??\c:\dvpjd.exec:\dvpjd.exe116⤵PID:3200
-
\??\c:\1xfxxrf.exec:\1xfxxrf.exe117⤵PID:4868
-
\??\c:\xlxrlfr.exec:\xlxrlfr.exe118⤵PID:1132
-
\??\c:\tnnhhb.exec:\tnnhhb.exe119⤵PID:4820
-
\??\c:\bhnbnn.exec:\bhnbnn.exe120⤵PID:2232
-
\??\c:\pjjdp.exec:\pjjdp.exe121⤵PID:4080
-
\??\c:\pdvvj.exec:\pdvvj.exe122⤵PID:4420