Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 05:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d2d8c7fba2ca67084a16f518c81d66c6f34c036740c04ed9aed88b4d9281dfd8.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
d2d8c7fba2ca67084a16f518c81d66c6f34c036740c04ed9aed88b4d9281dfd8.exe
-
Size
454KB
-
MD5
6503689e6e1dc128232bc30cf5e336df
-
SHA1
7635c8a9834b22b8715ef027d5c03c62c6df44ab
-
SHA256
d2d8c7fba2ca67084a16f518c81d66c6f34c036740c04ed9aed88b4d9281dfd8
-
SHA512
bb069969882cb2304da507aba4429aae08c03824efab78e526eeb84437458b863ff414eae2f36bc3c769da3eb51a732edd2fcf486cce20c75d684e36d1288912
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeta:q7Tc2NYHUrAwfMp3CDta
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2820-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2652-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1056-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-1038-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-1340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4728 jjvjv.exe 1008 rxlxfxl.exe 4504 pddpj.exe 2892 ttthbn.exe 964 xrfxrrf.exe 1844 djjdp.exe 4400 xxrxrff.exe 3748 nhnbnh.exe 4780 xlxrrrl.exe 2948 frlxrlx.exe 984 5nnhbh.exe 1364 fffrfxl.exe 908 1vddp.exe 2920 ttnbth.exe 4052 pvvjp.exe 4424 dpvpp.exe 1136 lfrllfl.exe 4708 tnnbtn.exe 1344 pdjdd.exe 4816 rxxlxrf.exe 1196 xrlxfrr.exe 2648 7tthth.exe 1528 1jdpv.exe 1352 lffrlfx.exe 4204 xlxxlfr.exe 3000 hbbtth.exe 4756 jdvjp.exe 968 rrrlxll.exe 3496 xrrrrrx.exe 2600 nhhbnn.exe 4420 7jjdj.exe 4196 jjdpj.exe 2652 flxlfxr.exe 4084 httnhb.exe 4804 ppdvj.exe 3104 pjppp.exe 3980 rrxrllf.exe 4328 tntnhh.exe 208 tbhbtt.exe 1228 9ppjv.exe 4072 rlfrllf.exe 1556 nbhtth.exe 4628 jppdp.exe 4868 xflxllx.exe 312 xflxxrl.exe 2284 bnhbnh.exe 2140 9vpdp.exe 2096 3jjdp.exe 2508 rflfxxr.exe 2464 tthtnn.exe 3960 5nhbtt.exe 4888 vjjpd.exe 4840 btbnnb.exe 736 ddjvj.exe 3776 nbnbth.exe 2360 vpppd.exe 5064 rrrfrlx.exe 2672 lfxfrlf.exe 3648 tnhthb.exe 1052 vvvjd.exe 964 vddvv.exe 1844 pjpdp.exe 3028 thhtht.exe 2516 3pdpp.exe -
resource yara_rule behavioral2/memory/2820-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4196-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/848-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-723-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2820 wrote to memory of 4728 2820 d2d8c7fba2ca67084a16f518c81d66c6f34c036740c04ed9aed88b4d9281dfd8.exe 82 PID 2820 wrote to memory of 4728 2820 d2d8c7fba2ca67084a16f518c81d66c6f34c036740c04ed9aed88b4d9281dfd8.exe 82 PID 2820 wrote to memory of 4728 2820 d2d8c7fba2ca67084a16f518c81d66c6f34c036740c04ed9aed88b4d9281dfd8.exe 82 PID 4728 wrote to memory of 1008 4728 jjvjv.exe 83 PID 4728 wrote to memory of 1008 4728 jjvjv.exe 83 PID 4728 wrote to memory of 1008 4728 jjvjv.exe 83 PID 1008 wrote to memory of 4504 1008 rxlxfxl.exe 84 PID 1008 wrote to memory of 4504 1008 rxlxfxl.exe 84 PID 1008 wrote to memory of 4504 1008 rxlxfxl.exe 84 PID 4504 wrote to memory of 2892 4504 pddpj.exe 85 PID 4504 wrote to memory of 2892 4504 pddpj.exe 85 PID 4504 wrote to memory of 2892 4504 pddpj.exe 85 PID 2892 wrote to memory of 964 2892 ttthbn.exe 86 PID 2892 wrote to memory of 964 2892 ttthbn.exe 86 PID 2892 wrote to memory of 964 2892 ttthbn.exe 86 PID 964 wrote to memory of 1844 964 xrfxrrf.exe 87 PID 964 wrote to memory of 1844 964 xrfxrrf.exe 87 PID 964 wrote to memory of 1844 964 xrfxrrf.exe 87 PID 1844 wrote to memory of 4400 1844 djjdp.exe 88 PID 1844 wrote to memory of 4400 1844 djjdp.exe 88 PID 1844 wrote to memory of 4400 1844 djjdp.exe 88 PID 4400 wrote to memory of 3748 4400 xxrxrff.exe 89 PID 4400 wrote to memory of 3748 4400 xxrxrff.exe 89 PID 4400 wrote to memory of 3748 4400 xxrxrff.exe 89 PID 3748 wrote to memory of 4780 3748 nhnbnh.exe 90 PID 3748 wrote to memory of 4780 3748 nhnbnh.exe 90 PID 3748 wrote to memory of 4780 3748 nhnbnh.exe 90 PID 4780 wrote to memory of 2948 4780 xlxrrrl.exe 91 PID 4780 wrote to memory of 2948 4780 xlxrrrl.exe 91 PID 4780 wrote to memory of 2948 4780 xlxrrrl.exe 91 PID 2948 wrote to memory of 984 2948 frlxrlx.exe 92 PID 2948 wrote to memory of 984 2948 frlxrlx.exe 92 PID 2948 wrote to memory of 984 2948 frlxrlx.exe 92 PID 984 wrote to memory of 1364 984 5nnhbh.exe 93 PID 984 wrote to memory of 
1364 984 5nnhbh.exe 93 PID 984 wrote to memory of 1364 984 5nnhbh.exe 93 PID 1364 wrote to memory of 908 1364 fffrfxl.exe 94 PID 1364 wrote to memory of 908 1364 fffrfxl.exe 94 PID 1364 wrote to memory of 908 1364 fffrfxl.exe 94 PID 908 wrote to memory of 2920 908 1vddp.exe 95 PID 908 wrote to memory of 2920 908 1vddp.exe 95 PID 908 wrote to memory of 2920 908 1vddp.exe 95 PID 2920 wrote to memory of 4052 2920 ttnbth.exe 96 PID 2920 wrote to memory of 4052 2920 ttnbth.exe 96 PID 2920 wrote to memory of 4052 2920 ttnbth.exe 96 PID 4052 wrote to memory of 4424 4052 pvvjp.exe 97 PID 4052 wrote to memory of 4424 4052 pvvjp.exe 97 PID 4052 wrote to memory of 4424 4052 pvvjp.exe 97 PID 4424 wrote to memory of 1136 4424 dpvpp.exe 98 PID 4424 wrote to memory of 1136 4424 dpvpp.exe 98 PID 4424 wrote to memory of 1136 4424 dpvpp.exe 98 PID 1136 wrote to memory of 4708 1136 lfrllfl.exe 99 PID 1136 wrote to memory of 4708 1136 lfrllfl.exe 99 PID 1136 wrote to memory of 4708 1136 lfrllfl.exe 99 PID 4708 wrote to memory of 1344 4708 tnnbtn.exe 100 PID 4708 wrote to memory of 1344 4708 tnnbtn.exe 100 PID 4708 wrote to memory of 1344 4708 tnnbtn.exe 100 PID 1344 wrote to memory of 4816 1344 pdjdd.exe 101 PID 1344 wrote to memory of 4816 1344 pdjdd.exe 101 PID 1344 wrote to memory of 4816 1344 pdjdd.exe 101 PID 4816 wrote to memory of 1196 4816 rxxlxrf.exe 102 PID 4816 wrote to memory of 1196 4816 rxxlxrf.exe 102 PID 4816 wrote to memory of 1196 4816 rxxlxrf.exe 102 PID 1196 wrote to memory of 2648 1196 xrlxfrr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2d8c7fba2ca67084a16f518c81d66c6f34c036740c04ed9aed88b4d9281dfd8.exe"C:\Users\Admin\AppData\Local\Temp\d2d8c7fba2ca67084a16f518c81d66c6f34c036740c04ed9aed88b4d9281dfd8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\jjvjv.exec:\jjvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\rxlxfxl.exec:\rxlxfxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\pddpj.exec:\pddpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\ttthbn.exec:\ttthbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\xrfxrrf.exec:\xrfxrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\djjdp.exec:\djjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\xxrxrff.exec:\xxrxrff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\nhnbnh.exec:\nhnbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\xlxrrrl.exec:\xlxrrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\frlxrlx.exec:\frlxrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\5nnhbh.exec:\5nnhbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\fffrfxl.exec:\fffrfxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\1vddp.exec:\1vddp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
\??\c:\ttnbth.exec:\ttnbth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\pvvjp.exec:\pvvjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\dpvpp.exec:\dpvpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\lfrllfl.exec:\lfrllfl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\tnnbtn.exec:\tnnbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\pdjdd.exec:\pdjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\rxxlxrf.exec:\rxxlxrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\xrlxfrr.exec:\xrlxfrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\7tthth.exec:\7tthth.exe23⤵
- Executes dropped EXE
PID:2648 -
\??\c:\1jdpv.exec:\1jdpv.exe24⤵
- Executes dropped EXE
PID:1528 -
\??\c:\lffrlfx.exec:\lffrlfx.exe25⤵
- Executes dropped EXE
PID:1352 -
\??\c:\xlxxlfr.exec:\xlxxlfr.exe26⤵
- Executes dropped EXE
PID:4204 -
\??\c:\hbbtth.exec:\hbbtth.exe27⤵
- Executes dropped EXE
PID:3000 -
\??\c:\jdvjp.exec:\jdvjp.exe28⤵
- Executes dropped EXE
PID:4756 -
\??\c:\rrrlxll.exec:\rrrlxll.exe29⤵
- Executes dropped EXE
PID:968 -
\??\c:\xrrrrrx.exec:\xrrrrrx.exe30⤵
- Executes dropped EXE
PID:3496 -
\??\c:\nhhbnn.exec:\nhhbnn.exe31⤵
- Executes dropped EXE
PID:2600 -
\??\c:\7jjdj.exec:\7jjdj.exe32⤵
- Executes dropped EXE
PID:4420 -
\??\c:\jjdpj.exec:\jjdpj.exe33⤵
- Executes dropped EXE
PID:4196 -
\??\c:\flxlfxr.exec:\flxlfxr.exe34⤵
- Executes dropped EXE
PID:2652 -
\??\c:\httnhb.exec:\httnhb.exe35⤵
- Executes dropped EXE
PID:4084 -
\??\c:\ppdvj.exec:\ppdvj.exe36⤵
- Executes dropped EXE
PID:4804 -
\??\c:\pjppp.exec:\pjppp.exe37⤵
- Executes dropped EXE
PID:3104 -
\??\c:\rrxrllf.exec:\rrxrllf.exe38⤵
- Executes dropped EXE
PID:3980 -
\??\c:\tntnhh.exec:\tntnhh.exe39⤵
- Executes dropped EXE
PID:4328 -
\??\c:\tbhbtt.exec:\tbhbtt.exe40⤵
- Executes dropped EXE
PID:208 -
\??\c:\9ppjv.exec:\9ppjv.exe41⤵
- Executes dropped EXE
PID:1228 -
\??\c:\rlfrllf.exec:\rlfrllf.exe42⤵
- Executes dropped EXE
PID:4072 -
\??\c:\nbhtth.exec:\nbhtth.exe43⤵
- Executes dropped EXE
PID:1556 -
\??\c:\jppdp.exec:\jppdp.exe44⤵
- Executes dropped EXE
PID:4628 -
\??\c:\xflxllx.exec:\xflxllx.exe45⤵
- Executes dropped EXE
PID:4868 -
\??\c:\xflxxrl.exec:\xflxxrl.exe46⤵
- Executes dropped EXE
PID:312 -
\??\c:\bnhbnh.exec:\bnhbnh.exe47⤵
- Executes dropped EXE
PID:2284 -
\??\c:\9vpdp.exec:\9vpdp.exe48⤵
- Executes dropped EXE
PID:2140 -
\??\c:\3jjdp.exec:\3jjdp.exe49⤵
- Executes dropped EXE
PID:2096 -
\??\c:\rflfxxr.exec:\rflfxxr.exe50⤵
- Executes dropped EXE
PID:2508 -
\??\c:\tthtnn.exec:\tthtnn.exe51⤵
- Executes dropped EXE
PID:2464 -
\??\c:\5nhbtt.exec:\5nhbtt.exe52⤵
- Executes dropped EXE
PID:3960 -
\??\c:\vjjpd.exec:\vjjpd.exe53⤵
- Executes dropped EXE
PID:4888 -
\??\c:\fxfxffr.exec:\fxfxffr.exe54⤵PID:1760
-
\??\c:\btbnnb.exec:\btbnnb.exe55⤵
- Executes dropped EXE
PID:4840 -
\??\c:\ddjvj.exec:\ddjvj.exe56⤵
- Executes dropped EXE
PID:736 -
\??\c:\nbnbth.exec:\nbnbth.exe57⤵
- Executes dropped EXE
PID:3776 -
\??\c:\vpppd.exec:\vpppd.exe58⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe59⤵
- Executes dropped EXE
PID:5064 -
\??\c:\lfxfrlf.exec:\lfxfrlf.exe60⤵
- Executes dropped EXE
PID:2672 -
\??\c:\tnhthb.exec:\tnhthb.exe61⤵
- Executes dropped EXE
PID:3648 -
\??\c:\vvvjd.exec:\vvvjd.exe62⤵
- Executes dropped EXE
PID:1052 -
\??\c:\vddvv.exec:\vddvv.exe63⤵
- Executes dropped EXE
PID:964 -
\??\c:\pjpdp.exec:\pjpdp.exe64⤵
- Executes dropped EXE
PID:1844 -
\??\c:\thhtht.exec:\thhtht.exe65⤵
- Executes dropped EXE
PID:3028 -
\??\c:\3pdpp.exec:\3pdpp.exe66⤵
- Executes dropped EXE
PID:2516 -
\??\c:\rffrrff.exec:\rffrrff.exe67⤵PID:2608
-
\??\c:\vddpj.exec:\vddpj.exe68⤵PID:3748
-
\??\c:\dppdj.exec:\dppdj.exe69⤵PID:1056
-
\??\c:\rxxfrlx.exec:\rxxfrlx.exe70⤵PID:2932
-
\??\c:\thnhtn.exec:\thnhtn.exe71⤵PID:2948
-
\??\c:\vjjpd.exec:\vjjpd.exe72⤵PID:3500
-
\??\c:\jdjpd.exec:\jdjpd.exe73⤵PID:4404
-
\??\c:\xffrxxx.exec:\xffrxxx.exe74⤵PID:4860
-
\??\c:\1hbnhb.exec:\1hbnhb.exe75⤵PID:2176
-
\??\c:\vjpdv.exec:\vjpdv.exe76⤵PID:3040
-
\??\c:\ddjvj.exec:\ddjvj.exe77⤵PID:4760
-
\??\c:\7lrfrrf.exec:\7lrfrrf.exe78⤵PID:2024
-
\??\c:\hthbbn.exec:\hthbbn.exe79⤵PID:5032
-
\??\c:\jjpdv.exec:\jjpdv.exe80⤵PID:4424
-
\??\c:\dpvdd.exec:\dpvdd.exe81⤵PID:2472
-
\??\c:\rxrfxxr.exec:\rxrfxxr.exe82⤵PID:2772
-
\??\c:\1nhhnh.exec:\1nhhnh.exe83⤵PID:2888
-
\??\c:\ddvvj.exec:\ddvvj.exe84⤵PID:512
-
\??\c:\dvdpd.exec:\dvdpd.exe85⤵PID:624
-
\??\c:\lrrfrlx.exec:\lrrfrlx.exe86⤵PID:1528
-
\??\c:\bnnthb.exec:\bnnthb.exe87⤵PID:2548
-
\??\c:\tnthtn.exec:\tnthtn.exe88⤵PID:848
-
\??\c:\dpvpd.exec:\dpvpd.exe89⤵PID:1416
-
\??\c:\xflxlfr.exec:\xflxlfr.exe90⤵PID:2288
-
\??\c:\htbbbh.exec:\htbbbh.exe91⤵PID:3888
-
\??\c:\tntnnn.exec:\tntnnn.exe92⤵PID:3848
-
\??\c:\jpjvj.exec:\jpjvj.exe93⤵
- System Location Discovery: System Language Discovery
PID:2748 -
\??\c:\frxrlfx.exec:\frxrlfx.exe94⤵PID:4988
-
\??\c:\nbbnhb.exec:\nbbnhb.exe95⤵PID:3612
-
\??\c:\hbttnh.exec:\hbttnh.exe96⤵PID:1988
-
\??\c:\vddvj.exec:\vddvj.exe97⤵PID:4048
-
\??\c:\fxffxfx.exec:\fxffxfx.exe98⤵PID:3792
-
\??\c:\hhhbtn.exec:\hhhbtn.exe99⤵PID:1812
-
\??\c:\dppdj.exec:\dppdj.exe100⤵PID:1912
-
\??\c:\dppvv.exec:\dppvv.exe101⤵PID:1952
-
\??\c:\xllfrrf.exec:\xllfrrf.exe102⤵PID:4360
-
\??\c:\nntttt.exec:\nntttt.exe103⤵PID:956
-
\??\c:\dpvjj.exec:\dpvjj.exe104⤵PID:4920
-
\??\c:\xlrffxf.exec:\xlrffxf.exe105⤵PID:2188
-
\??\c:\thtnbb.exec:\thtnbb.exe106⤵PID:1672
-
\??\c:\pjjvp.exec:\pjjvp.exe107⤵PID:2444
-
\??\c:\1xrrffr.exec:\1xrrffr.exe108⤵PID:3528
-
\??\c:\frxxrrr.exec:\frxxrrr.exe109⤵PID:3640
-
\??\c:\bthbhh.exec:\bthbhh.exe110⤵PID:400
-
\??\c:\jddpd.exec:\jddpd.exe111⤵PID:4640
-
\??\c:\frlxlxr.exec:\frlxlxr.exe112⤵PID:2272
-
\??\c:\9lfxrlf.exec:\9lfxrlf.exe113⤵PID:2116
-
\??\c:\nhbntn.exec:\nhbntn.exe114⤵PID:3884
-
\??\c:\jpjpd.exec:\jpjpd.exe115⤵PID:2616
-
\??\c:\frlfrrl.exec:\frlfrrl.exe116⤵PID:5104
-
\??\c:\btnbnh.exec:\btnbnh.exe117⤵PID:2980
-
\??\c:\bntnnh.exec:\bntnnh.exe118⤵PID:3276
-
\??\c:\pjjdv.exec:\pjjdv.exe119⤵PID:3568
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe120⤵PID:4516
-
\??\c:\bnbthb.exec:\bnbthb.exe121⤵PID:1808
-
\??\c:\btbtnn.exec:\btbtnn.exe122⤵PID:1144