Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 23:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8df35ff77b0576f60cedd33f9fd8a99fc9a67b0833b370e7ce33a5153b0fac59.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8df35ff77b0576f60cedd33f9fd8a99fc9a67b0833b370e7ce33a5153b0fac59.exe
-
Size
453KB
-
MD5
659958e45c42e6d06f6dedee6a6b8699
-
SHA1
0dc1de2cfa35bab7a5819f56b5884d7384d349bc
-
SHA256
8df35ff77b0576f60cedd33f9fd8a99fc9a67b0833b370e7ce33a5153b0fac59
-
SHA512
1dea4011a70ca4721c0d4683ed10236befb3cf1dffbc898d742f1b5f98553c28e60e376675e742dc2d8d97e50ebcc7479e896bd9f81291468e2e8ced2f859ddc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1044-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3896-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2676-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-920-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-977-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1172-1595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4604 frlfxrl.exe 1688 jjvpj.exe 3104 thtbhh.exe 1744 1vvpd.exe 4896 bbhnbn.exe 3552 xfxrlfx.exe 4612 nnthnh.exe 3076 xxrfrlx.exe 2884 btnhbt.exe 1920 jvvjp.exe 2844 xxrlxrf.exe 4392 htthhb.exe 2596 pppdj.exe 116 xrrfxrf.exe 220 hnhbnb.exe 2024 bnthbh.exe 2368 flfxxrr.exe 2728 tnnhhh.exe 3000 ffrlrlf.exe 3932 lrxlfxr.exe 2664 9ntnhh.exe 4716 lxxfffl.exe 5036 hhbtbb.exe 648 jdvpj.exe 4244 lrfxfrx.exe 3896 btnhbb.exe 3504 dpvpp.exe 4376 1bhbhb.exe 3464 djppj.exe 60 9xrxrlx.exe 2184 dvjvd.exe 4304 1xxlfxr.exe 3196 1vdpd.exe 624 rflffxf.exe 2268 5bbbhb.exe 2248 9lrfrrx.exe 1712 bhbthb.exe 2856 vjvdd.exe 3944 xxrfxrf.exe 2804 lfrfxfr.exe 3344 nbtnhb.exe 4952 3lrlfxl.exe 344 tbttht.exe 1988 3pjvd.exe 3388 frrfrlx.exe 4924 thhttn.exe 4032 bnhtht.exe 5004 jjjdp.exe 5024 xxxrfxr.exe 3600 hbhntb.exe 912 pjvvd.exe 2260 jvvpj.exe 1624 9hhhhn.exe 900 3pjpd.exe 2788 pddpv.exe 2216 lrfrfrl.exe 2640 httbbt.exe 4492 djjjv.exe 3356 3rfrfxr.exe 4740 nhthtn.exe 3552 jjppv.exe 1080 7lrrrxf.exe 4936 hnnbnh.exe 4512 dpvjv.exe -
resource yara_rule behavioral2/memory/1044-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3464-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-347-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2172-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-769-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1044 wrote to memory of 4604 1044 8df35ff77b0576f60cedd33f9fd8a99fc9a67b0833b370e7ce33a5153b0fac59.exe 81 PID 1044 wrote to memory of 4604 1044 8df35ff77b0576f60cedd33f9fd8a99fc9a67b0833b370e7ce33a5153b0fac59.exe 81 PID 1044 wrote to memory of 4604 1044 8df35ff77b0576f60cedd33f9fd8a99fc9a67b0833b370e7ce33a5153b0fac59.exe 81 PID 4604 wrote to memory of 1688 4604 frlfxrl.exe 82 PID 4604 wrote to memory of 1688 4604 frlfxrl.exe 82 PID 4604 wrote to memory of 1688 4604 frlfxrl.exe 82 PID 1688 wrote to memory of 3104 1688 jjvpj.exe 83 PID 1688 wrote to memory of 3104 1688 jjvpj.exe 83 PID 1688 wrote to memory of 3104 1688 jjvpj.exe 83 PID 3104 wrote to memory of 1744 3104 thtbhh.exe 84 PID 3104 wrote to memory of 1744 3104 thtbhh.exe 84 PID 3104 wrote to memory of 1744 3104 thtbhh.exe 84 PID 1744 wrote to memory of 4896 1744 1vvpd.exe 85 PID 1744 wrote to memory of 4896 1744 1vvpd.exe 85 PID 1744 wrote to memory of 4896 1744 1vvpd.exe 85 PID 4896 wrote to memory of 3552 4896 bbhnbn.exe 86 PID 4896 wrote to memory of 3552 4896 bbhnbn.exe 86 PID 4896 wrote to memory of 3552 4896 bbhnbn.exe 86 PID 3552 wrote to memory of 4612 3552 xfxrlfx.exe 87 PID 3552 wrote to memory of 4612 3552 xfxrlfx.exe 87 PID 3552 wrote to memory of 4612 3552 xfxrlfx.exe 87 PID 4612 wrote to memory of 3076 4612 nnthnh.exe 88 PID 4612 wrote to memory of 3076 4612 nnthnh.exe 88 PID 4612 wrote to memory of 3076 4612 nnthnh.exe 88 PID 3076 wrote to memory of 2884 3076 xxrfrlx.exe 89 PID 3076 wrote to memory of 2884 3076 xxrfrlx.exe 89 PID 3076 wrote to memory of 2884 3076 xxrfrlx.exe 89 PID 2884 wrote to memory of 1920 2884 btnhbt.exe 90 PID 2884 wrote to memory of 1920 2884 btnhbt.exe 90 PID 2884 wrote to memory of 1920 2884 btnhbt.exe 90 PID 1920 wrote to memory of 2844 1920 jvvjp.exe 91 PID 1920 wrote to memory of 2844 1920 jvvjp.exe 91 PID 1920 wrote to memory of 2844 1920 jvvjp.exe 91 PID 2844 wrote to memory of 4392 2844 xxrlxrf.exe 92 PID 2844 wrote to 
memory of 4392 2844 xxrlxrf.exe 92 PID 2844 wrote to memory of 4392 2844 xxrlxrf.exe 92 PID 4392 wrote to memory of 2596 4392 htthhb.exe 93 PID 4392 wrote to memory of 2596 4392 htthhb.exe 93 PID 4392 wrote to memory of 2596 4392 htthhb.exe 93 PID 2596 wrote to memory of 116 2596 pppdj.exe 94 PID 2596 wrote to memory of 116 2596 pppdj.exe 94 PID 2596 wrote to memory of 116 2596 pppdj.exe 94 PID 116 wrote to memory of 220 116 xrrfxrf.exe 95 PID 116 wrote to memory of 220 116 xrrfxrf.exe 95 PID 116 wrote to memory of 220 116 xrrfxrf.exe 95 PID 220 wrote to memory of 2024 220 hnhbnb.exe 96 PID 220 wrote to memory of 2024 220 hnhbnb.exe 96 PID 220 wrote to memory of 2024 220 hnhbnb.exe 96 PID 2024 wrote to memory of 2368 2024 bnthbh.exe 97 PID 2024 wrote to memory of 2368 2024 bnthbh.exe 97 PID 2024 wrote to memory of 2368 2024 bnthbh.exe 97 PID 2368 wrote to memory of 2728 2368 flfxxrr.exe 98 PID 2368 wrote to memory of 2728 2368 flfxxrr.exe 98 PID 2368 wrote to memory of 2728 2368 flfxxrr.exe 98 PID 2728 wrote to memory of 3000 2728 tnnhhh.exe 99 PID 2728 wrote to memory of 3000 2728 tnnhhh.exe 99 PID 2728 wrote to memory of 3000 2728 tnnhhh.exe 99 PID 3000 wrote to memory of 3932 3000 ffrlrlf.exe 100 PID 3000 wrote to memory of 3932 3000 ffrlrlf.exe 100 PID 3000 wrote to memory of 3932 3000 ffrlrlf.exe 100 PID 3932 wrote to memory of 2664 3932 lrxlfxr.exe 101 PID 3932 wrote to memory of 2664 3932 lrxlfxr.exe 101 PID 3932 wrote to memory of 2664 3932 lrxlfxr.exe 101 PID 2664 wrote to memory of 4716 2664 9ntnhh.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\8df35ff77b0576f60cedd33f9fd8a99fc9a67b0833b370e7ce33a5153b0fac59.exe"C:\Users\Admin\AppData\Local\Temp\8df35ff77b0576f60cedd33f9fd8a99fc9a67b0833b370e7ce33a5153b0fac59.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\frlfxrl.exec:\frlfxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\jjvpj.exec:\jjvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\thtbhh.exec:\thtbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\1vvpd.exec:\1vvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\bbhnbn.exec:\bbhnbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\nnthnh.exec:\nnthnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\xxrfrlx.exec:\xxrfrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\btnhbt.exec:\btnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\jvvjp.exec:\jvvjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\xxrlxrf.exec:\xxrlxrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\htthhb.exec:\htthhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\pppdj.exec:\pppdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\xrrfxrf.exec:\xrrfxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\hnhbnb.exec:\hnhbnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\bnthbh.exec:\bnthbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\flfxxrr.exec:\flfxxrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\tnnhhh.exec:\tnnhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\ffrlrlf.exec:\ffrlrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\9ntnhh.exec:\9ntnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\lxxfffl.exec:\lxxfffl.exe23⤵
- Executes dropped EXE
PID:4716 -
\??\c:\hhbtbb.exec:\hhbtbb.exe24⤵
- Executes dropped EXE
PID:5036 -
\??\c:\jdvpj.exec:\jdvpj.exe25⤵
- Executes dropped EXE
PID:648 -
\??\c:\lrfxfrx.exec:\lrfxfrx.exe26⤵
- Executes dropped EXE
PID:4244 -
\??\c:\btnhbb.exec:\btnhbb.exe27⤵
- Executes dropped EXE
PID:3896 -
\??\c:\dpvpp.exec:\dpvpp.exe28⤵
- Executes dropped EXE
PID:3504 -
\??\c:\1bhbhb.exec:\1bhbhb.exe29⤵
- Executes dropped EXE
PID:4376 -
\??\c:\djppj.exec:\djppj.exe30⤵
- Executes dropped EXE
PID:3464 -
\??\c:\9xrxrlx.exec:\9xrxrlx.exe31⤵
- Executes dropped EXE
PID:60 -
\??\c:\dvjvd.exec:\dvjvd.exe32⤵
- Executes dropped EXE
PID:2184 -
\??\c:\1xxlfxr.exec:\1xxlfxr.exe33⤵
- Executes dropped EXE
PID:4304 -
\??\c:\1vdpd.exec:\1vdpd.exe34⤵
- Executes dropped EXE
PID:3196 -
\??\c:\rflffxf.exec:\rflffxf.exe35⤵
- Executes dropped EXE
PID:624 -
\??\c:\5bbbhb.exec:\5bbbhb.exe36⤵
- Executes dropped EXE
PID:2268 -
\??\c:\9lrfrrx.exec:\9lrfrrx.exe37⤵
- Executes dropped EXE
PID:2248 -
\??\c:\bhbthb.exec:\bhbthb.exe38⤵
- Executes dropped EXE
PID:1712 -
\??\c:\vjvdd.exec:\vjvdd.exe39⤵
- Executes dropped EXE
PID:2856 -
\??\c:\xxrfxrf.exec:\xxrfxrf.exe40⤵
- Executes dropped EXE
PID:3944 -
\??\c:\lfrfxfr.exec:\lfrfxfr.exe41⤵
- Executes dropped EXE
PID:2804 -
\??\c:\nbtnhb.exec:\nbtnhb.exe42⤵
- Executes dropped EXE
PID:3344 -
\??\c:\3lrlfxl.exec:\3lrlfxl.exe43⤵
- Executes dropped EXE
PID:4952 -
\??\c:\tbttht.exec:\tbttht.exe44⤵
- Executes dropped EXE
PID:344 -
\??\c:\3pjvd.exec:\3pjvd.exe45⤵
- Executes dropped EXE
PID:1988 -
\??\c:\frrfrlx.exec:\frrfrlx.exe46⤵
- Executes dropped EXE
PID:3388 -
\??\c:\thhttn.exec:\thhttn.exe47⤵
- Executes dropped EXE
PID:4924 -
\??\c:\bnhtht.exec:\bnhtht.exe48⤵
- Executes dropped EXE
PID:4032 -
\??\c:\jjjdp.exec:\jjjdp.exe49⤵
- Executes dropped EXE
PID:5004 -
\??\c:\xxxrfxr.exec:\xxxrfxr.exe50⤵
- Executes dropped EXE
PID:5024 -
\??\c:\hbhntb.exec:\hbhntb.exe51⤵
- Executes dropped EXE
PID:3600 -
\??\c:\pjvvd.exec:\pjvvd.exe52⤵
- Executes dropped EXE
PID:912 -
\??\c:\jvvpj.exec:\jvvpj.exe53⤵
- Executes dropped EXE
PID:2260 -
\??\c:\9hhhhn.exec:\9hhhhn.exe54⤵
- Executes dropped EXE
PID:1624 -
\??\c:\3pjpd.exec:\3pjpd.exe55⤵
- Executes dropped EXE
PID:900 -
\??\c:\pddpv.exec:\pddpv.exe56⤵
- Executes dropped EXE
PID:2788 -
\??\c:\lrfrfrl.exec:\lrfrfrl.exe57⤵
- Executes dropped EXE
PID:2216 -
\??\c:\httbbt.exec:\httbbt.exe58⤵
- Executes dropped EXE
PID:2640 -
\??\c:\djjjv.exec:\djjjv.exe59⤵
- Executes dropped EXE
PID:4492 -
\??\c:\3rfrfxr.exec:\3rfrfxr.exe60⤵
- Executes dropped EXE
PID:3356 -
\??\c:\nhthtn.exec:\nhthtn.exe61⤵
- Executes dropped EXE
PID:4740 -
\??\c:\jjppv.exec:\jjppv.exe62⤵
- Executes dropped EXE
PID:3552 -
\??\c:\7lrrrxf.exec:\7lrrrxf.exe63⤵
- Executes dropped EXE
PID:1080 -
\??\c:\hnnbnh.exec:\hnnbnh.exe64⤵
- Executes dropped EXE
PID:4936 -
\??\c:\dpvjv.exec:\dpvjv.exe65⤵
- Executes dropped EXE
PID:4512 -
\??\c:\vpjdp.exec:\vpjdp.exe66⤵PID:4500
-
\??\c:\lxlfrxr.exec:\lxlfrxr.exe67⤵PID:1920
-
\??\c:\bhbthb.exec:\bhbthb.exe68⤵PID:1604
-
\??\c:\nntthh.exec:\nntthh.exe69⤵PID:2544
-
\??\c:\7jvjv.exec:\7jvjv.exe70⤵PID:2676
-
\??\c:\5xfrfxr.exec:\5xfrfxr.exe71⤵PID:4004
-
\??\c:\tbbhtn.exec:\tbbhtn.exe72⤵
- System Location Discovery: System Language Discovery
PID:936 -
\??\c:\pdvvp.exec:\pdvvp.exe73⤵PID:512
-
\??\c:\xrrrllf.exec:\xrrrllf.exe74⤵PID:2416
-
\??\c:\nhnhhb.exec:\nhnhhb.exe75⤵PID:216
-
\??\c:\7ppdv.exec:\7ppdv.exe76⤵PID:4788
-
\??\c:\fxfrffl.exec:\fxfrffl.exe77⤵PID:904
-
\??\c:\bbhhhb.exec:\bbhhhb.exe78⤵PID:4968
-
\??\c:\vjjdp.exec:\vjjdp.exe79⤵PID:4300
-
\??\c:\vvvjv.exec:\vvvjv.exe80⤵PID:2728
-
\??\c:\9xrfrll.exec:\9xrfrll.exe81⤵PID:4000
-
\??\c:\rflxxrf.exec:\rflxxrf.exe82⤵PID:2172
-
\??\c:\btnnbt.exec:\btnnbt.exe83⤵PID:2304
-
\??\c:\jjjvj.exec:\jjjvj.exe84⤵PID:2664
-
\??\c:\vddvp.exec:\vddvp.exe85⤵PID:1172
-
\??\c:\lxfxrlx.exec:\lxfxrlx.exe86⤵PID:1360
-
\??\c:\bntnnh.exec:\bntnnh.exe87⤵PID:4060
-
\??\c:\5hbtbt.exec:\5hbtbt.exe88⤵PID:4076
-
\??\c:\5vjvd.exec:\5vjvd.exe89⤵PID:3652
-
\??\c:\9xxlxlx.exec:\9xxlxlx.exe90⤵PID:1284
-
\??\c:\lxrfrfr.exec:\lxrfrfr.exe91⤵PID:4156
-
\??\c:\3ththb.exec:\3ththb.exe92⤵PID:3504
-
\??\c:\vjvvj.exec:\vjvvj.exe93⤵PID:1516
-
\??\c:\rffxxxx.exec:\rffxxxx.exe94⤵PID:4544
-
\??\c:\xlrxlrf.exec:\xlrxlrf.exe95⤵PID:4600
-
\??\c:\bhnbnn.exec:\bhnbnn.exe96⤵PID:4708
-
\??\c:\vdvjv.exec:\vdvjv.exe97⤵PID:3360
-
\??\c:\rffxlxr.exec:\rffxlxr.exe98⤵PID:4304
-
\??\c:\3hhbnn.exec:\3hhbnn.exe99⤵PID:3196
-
\??\c:\3tnbtn.exec:\3tnbtn.exe100⤵PID:4192
-
\??\c:\1jpjd.exec:\1jpjd.exe101⤵PID:4104
-
\??\c:\xlrflxr.exec:\xlrflxr.exe102⤵PID:4700
-
\??\c:\9rrlxxr.exec:\9rrlxxr.exe103⤵PID:1880
-
\??\c:\nhtnhh.exec:\nhtnhh.exe104⤵PID:3716
-
\??\c:\vpjdp.exec:\vpjdp.exe105⤵PID:2856
-
\??\c:\lrfrllx.exec:\lrfrllx.exe106⤵PID:3944
-
\??\c:\ththhb.exec:\ththhb.exe107⤵PID:2804
-
\??\c:\ppppv.exec:\ppppv.exe108⤵PID:3560
-
\??\c:\pdvjp.exec:\pdvjp.exe109⤵PID:8
-
\??\c:\lxffffx.exec:\lxffffx.exe110⤵PID:3028
-
\??\c:\9thtnh.exec:\9thtnh.exe111⤵PID:2376
-
\??\c:\vpdvj.exec:\vpdvj.exe112⤵PID:4348
-
\??\c:\9xrrffx.exec:\9xrrffx.exe113⤵PID:3860
-
\??\c:\ttthtn.exec:\ttthtn.exe114⤵PID:740
-
\??\c:\vjjvj.exec:\vjjvj.exe115⤵PID:2940
-
\??\c:\djjdd.exec:\djjdd.exe116⤵PID:4276
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe117⤵PID:1844
-
\??\c:\5nnbnt.exec:\5nnbnt.exe118⤵PID:4488
-
\??\c:\dpdvd.exec:\dpdvd.exe119⤵PID:4592
-
\??\c:\lflfxxr.exec:\lflfxxr.exe120⤵PID:1600
-
\??\c:\7nnhbb.exec:\7nnhbb.exe121⤵PID:4280
-
\??\c:\pppjj.exec:\pppjj.exe122⤵PID:3500