Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 05:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ddaefb0873b8cf91f507398d23a57f33a850e10a0ae5c47358325775e1d34990N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ddaefb0873b8cf91f507398d23a57f33a850e10a0ae5c47358325775e1d34990N.exe
-
Size
347KB
-
MD5
f8ebff840a24842dee80e1bf8053cb30
-
SHA1
ffcb7dc4fac230b4dc019b94f4278a5a025cd354
-
SHA256
ddaefb0873b8cf91f507398d23a57f33a850e10a0ae5c47358325775e1d34990
-
SHA512
df2abf6b126a7940cb72b4b51a6cba18d829a67c14a1ce0e212c558f07f10076ee1e8c661e8fa5cee1242652127b953d8422b87022fa5a70eeffd8ddd2333d49
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYA8:l7TcbWXZshJX2VGd8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2252-6-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1636-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4708-14-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3552-19-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5016-24-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4388-34-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3872-42-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1972-53-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4124-63-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4736-70-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3264-76-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3624-84-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3392-83-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1576-95-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/60-113-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4444-122-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3052-125-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2172-139-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1128-146-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4408-166-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1248-172-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3644-189-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1308-194-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4748-198-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2028-219-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4580-228-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3384-235-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4356-239-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2040-252-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1932-261-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4428-265-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4936-272-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4204-276-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4140-298-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5068-305-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2132-307-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4972-316-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/60-323-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2940-327-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2356-337-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2172-344-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4964-348-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/4468-355-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4852-368-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4612-405-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2964-409-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/216-425-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1720-460-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4508-464-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2020-477-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1880-496-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3616-503-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/720-528-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3388-532-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1312-545-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3404-597-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1936-613-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4344-647-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3008-654-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3640-761-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/984-801-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2040-865-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4628-1503-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3840-1543-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1636 rflfxxr.exe 4708 tttnhh.exe 3552 pjvvp.exe 5016 rrffxff.exe 4388 nhnnhh.exe 3872 ddjdv.exe 2092 lxfxffx.exe 1972 1nhbtn.exe 3184 1lxrrfx.exe 4124 tntnhb.exe 4736 vjjdv.exe 3264 ffxxxll.exe 3392 jpvvd.exe 3624 3lfxllf.exe 1576 xlxxrrl.exe 5032 tnntnt.exe 1452 djpjd.exe 1956 1lxfrxf.exe 60 bnhnth.exe 4444 bthnnb.exe 3052 vvvdd.exe 2812 vvpjd.exe 2172 bbhbnn.exe 1128 ppdjd.exe 3476 bttnbb.exe 1056 ppvdd.exe 3608 rrrrrll.exe 4408 nhnnnn.exe 1248 ttttnn.exe 3812 rlrrlff.exe 3320 bhnhhh.exe 3644 tthbbb.exe 1308 rlxrxrf.exe 4748 hbhbtt.exe 1936 bhnhbt.exe 2532 jdjdd.exe 3508 rlrlxxx.exe 3488 1bbtnt.exe 2044 bhbttn.exe 2988 ddpjd.exe 2028 lflfflf.exe 628 ffffrfx.exe 4580 thnhbb.exe 3952 3dppp.exe 3384 lxxrllr.exe 4356 bhttnn.exe 3188 pvpvd.exe 3008 rflfffx.exe 1948 hnnhtb.exe 2040 3vjvj.exe 2596 ffxfrlf.exe 5064 hhthtt.exe 1932 jvdpd.exe 4428 flrflfx.exe 3272 rfflfxl.exe 4936 jvvpd.exe 4204 djjdv.exe 4784 xrxrlrx.exe 4764 nbnbnh.exe 1880 pjvpj.exe 3056 lfxrrlf.exe 3372 nhtnhb.exe 3068 bbbntt.exe 4140 pvvdp.exe -
resource yara_rule behavioral2/memory/2252-6-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1636-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4708-14-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3552-19-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5016-24-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4388-30-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4388-34-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3872-42-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1972-53-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4124-63-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4736-70-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3264-76-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3624-84-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3392-83-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1576-95-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5032-96-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1956-106-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/60-113-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4444-122-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3052-125-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2172-139-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1128-146-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4408-166-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1248-172-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/3644-185-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3644-189-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1308-190-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1308-194-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4748-198-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2532-202-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2028-219-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4580-228-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3384-235-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4356-239-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2040-252-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1932-261-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4428-265-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4936-272-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4204-276-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4140-298-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5068-305-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2132-307-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4972-316-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/60-323-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2940-327-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2356-337-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2172-344-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4964-348-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/4468-355-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4852-368-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4612-405-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2964-409-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/216-425-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1720-460-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4508-464-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2020-477-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1880-496-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3616-503-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/720-528-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3388-532-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1312-545-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3404-597-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1936-613-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4344-647-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtbn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxlfx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2252 wrote to memory of 1636 2252 ddaefb0873b8cf91f507398d23a57f33a850e10a0ae5c47358325775e1d34990N.exe 83 PID 2252 wrote to memory of 1636 2252 ddaefb0873b8cf91f507398d23a57f33a850e10a0ae5c47358325775e1d34990N.exe 83 PID 2252 wrote to memory of 1636 2252 ddaefb0873b8cf91f507398d23a57f33a850e10a0ae5c47358325775e1d34990N.exe 83 PID 1636 wrote to memory of 4708 1636 rflfxxr.exe 84 PID 1636 wrote to memory of 4708 1636 rflfxxr.exe 84 PID 1636 wrote to memory of 4708 1636 rflfxxr.exe 84 PID 4708 wrote to memory of 3552 4708 tttnhh.exe 85 PID 4708 wrote to memory of 3552 4708 tttnhh.exe 85 PID 4708 wrote to memory of 3552 4708 tttnhh.exe 85 PID 3552 wrote to memory of 5016 3552 pjvvp.exe 86 PID 3552 wrote to memory of 5016 3552 pjvvp.exe 86 PID 3552 wrote to memory of 5016 3552 pjvvp.exe 86 PID 5016 wrote to memory of 4388 5016 rrffxff.exe 87 PID 5016 wrote to memory of 4388 5016 rrffxff.exe 87 PID 5016 wrote to memory of 4388 5016 rrffxff.exe 87 PID 4388 wrote to memory of 3872 4388 nhnnhh.exe 88 PID 4388 wrote to memory of 3872 4388 nhnnhh.exe 88 PID 4388 wrote to memory of 3872 4388 nhnnhh.exe 88 PID 3872 wrote to memory of 2092 3872 ddjdv.exe 89 PID 3872 wrote to memory of 2092 3872 ddjdv.exe 89 PID 3872 wrote to memory of 2092 3872 ddjdv.exe 89 PID 2092 wrote to memory of 1972 2092 lxfxffx.exe 90 PID 2092 wrote to memory of 1972 2092 lxfxffx.exe 90 PID 2092 wrote to memory of 1972 2092 lxfxffx.exe 90 PID 1972 wrote to memory of 3184 1972 1nhbtn.exe 91 PID 1972 wrote to memory of 3184 1972 1nhbtn.exe 91 PID 1972 wrote to memory of 3184 1972 1nhbtn.exe 91 PID 3184 wrote to memory of 4124 3184 1lxrrfx.exe 92 PID 3184 wrote to memory of 4124 3184 1lxrrfx.exe 92 PID 3184 wrote to memory of 4124 3184 1lxrrfx.exe 92 PID 4124 wrote to memory of 4736 4124 tntnhb.exe 93 PID 4124 wrote to memory of 4736 4124 tntnhb.exe 93 PID 4124 wrote to memory of 4736 4124 tntnhb.exe 93 PID 4736 wrote to memory of 3264 4736 vjjdv.exe 94 PID 4736 
wrote to memory of 3264 4736 vjjdv.exe 94 PID 4736 wrote to memory of 3264 4736 vjjdv.exe 94 PID 3264 wrote to memory of 3392 3264 ffxxxll.exe 95 PID 3264 wrote to memory of 3392 3264 ffxxxll.exe 95 PID 3264 wrote to memory of 3392 3264 ffxxxll.exe 95 PID 3392 wrote to memory of 3624 3392 jpvvd.exe 96 PID 3392 wrote to memory of 3624 3392 jpvvd.exe 96 PID 3392 wrote to memory of 3624 3392 jpvvd.exe 96 PID 3624 wrote to memory of 1576 3624 3lfxllf.exe 97 PID 3624 wrote to memory of 1576 3624 3lfxllf.exe 97 PID 3624 wrote to memory of 1576 3624 3lfxllf.exe 97 PID 1576 wrote to memory of 5032 1576 xlxxrrl.exe 98 PID 1576 wrote to memory of 5032 1576 xlxxrrl.exe 98 PID 1576 wrote to memory of 5032 1576 xlxxrrl.exe 98 PID 5032 wrote to memory of 1452 5032 tnntnt.exe 99 PID 5032 wrote to memory of 1452 5032 tnntnt.exe 99 PID 5032 wrote to memory of 1452 5032 tnntnt.exe 99 PID 1452 wrote to memory of 1956 1452 djpjd.exe 100 PID 1452 wrote to memory of 1956 1452 djpjd.exe 100 PID 1452 wrote to memory of 1956 1452 djpjd.exe 100 PID 1956 wrote to memory of 60 1956 1lxfrxf.exe 101 PID 1956 wrote to memory of 60 1956 1lxfrxf.exe 101 PID 1956 wrote to memory of 60 1956 1lxfrxf.exe 101 PID 60 wrote to memory of 4444 60 bnhnth.exe 102 PID 60 wrote to memory of 4444 60 bnhnth.exe 102 PID 60 wrote to memory of 4444 60 bnhnth.exe 102 PID 4444 wrote to memory of 3052 4444 bthnnb.exe 103 PID 4444 wrote to memory of 3052 4444 bthnnb.exe 103 PID 4444 wrote to memory of 3052 4444 bthnnb.exe 103 PID 3052 wrote to memory of 2812 3052 vvvdd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddaefb0873b8cf91f507398d23a57f33a850e10a0ae5c47358325775e1d34990N.exe"C:\Users\Admin\AppData\Local\Temp\ddaefb0873b8cf91f507398d23a57f33a850e10a0ae5c47358325775e1d34990N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\rflfxxr.exec:\rflfxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\tttnhh.exec:\tttnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\pjvvp.exec:\pjvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\rrffxff.exec:\rrffxff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\nhnnhh.exec:\nhnnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\ddjdv.exec:\ddjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\lxfxffx.exec:\lxfxffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\1nhbtn.exec:\1nhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\1lxrrfx.exec:\1lxrrfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\tntnhb.exec:\tntnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\vjjdv.exec:\vjjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\ffxxxll.exec:\ffxxxll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\jpvvd.exec:\jpvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\3lfxllf.exec:\3lfxllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\xlxxrrl.exec:\xlxxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\tnntnt.exec:\tnntnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\djpjd.exec:\djpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\1lxfrxf.exec:\1lxfrxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\bnhnth.exec:\bnhnth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\bthnnb.exec:\bthnnb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\vvvdd.exec:\vvvdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\vvpjd.exec:\vvpjd.exe23⤵
- Executes dropped EXE
PID:2812 -
\??\c:\bbhbnn.exec:\bbhbnn.exe24⤵
- Executes dropped EXE
PID:2172 -
\??\c:\ppdjd.exec:\ppdjd.exe25⤵
- Executes dropped EXE
PID:1128 -
\??\c:\bttnbb.exec:\bttnbb.exe26⤵
- Executes dropped EXE
PID:3476 -
\??\c:\ppvdd.exec:\ppvdd.exe27⤵
- Executes dropped EXE
PID:1056 -
\??\c:\rrrrrll.exec:\rrrrrll.exe28⤵
- Executes dropped EXE
PID:3608 -
\??\c:\nhnnnn.exec:\nhnnnn.exe29⤵
- Executes dropped EXE
PID:4408 -
\??\c:\ttttnn.exec:\ttttnn.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1248 -
\??\c:\rlrrlff.exec:\rlrrlff.exe31⤵
- Executes dropped EXE
PID:3812 -
\??\c:\bhnhhh.exec:\bhnhhh.exe32⤵
- Executes dropped EXE
PID:3320 -
\??\c:\tthbbb.exec:\tthbbb.exe33⤵
- Executes dropped EXE
PID:3644 -
\??\c:\rlxrxrf.exec:\rlxrxrf.exe34⤵
- Executes dropped EXE
PID:1308 -
\??\c:\hbhbtt.exec:\hbhbtt.exe35⤵
- Executes dropped EXE
PID:4748 -
\??\c:\bhnhbt.exec:\bhnhbt.exe36⤵
- Executes dropped EXE
PID:1936 -
\??\c:\jdjdd.exec:\jdjdd.exe37⤵
- Executes dropped EXE
PID:2532 -
\??\c:\rlrlxxx.exec:\rlrlxxx.exe38⤵
- Executes dropped EXE
PID:3508 -
\??\c:\1bbtnt.exec:\1bbtnt.exe39⤵
- Executes dropped EXE
PID:3488 -
\??\c:\bhbttn.exec:\bhbttn.exe40⤵
- Executes dropped EXE
PID:2044 -
\??\c:\ddpjd.exec:\ddpjd.exe41⤵
- Executes dropped EXE
PID:2988 -
\??\c:\lflfflf.exec:\lflfflf.exe42⤵
- Executes dropped EXE
PID:2028 -
\??\c:\ffffrfx.exec:\ffffrfx.exe43⤵
- Executes dropped EXE
PID:628 -
\??\c:\thnhbb.exec:\thnhbb.exe44⤵
- Executes dropped EXE
PID:4580 -
\??\c:\3dppp.exec:\3dppp.exe45⤵
- Executes dropped EXE
PID:3952 -
\??\c:\lxxrllr.exec:\lxxrllr.exe46⤵
- Executes dropped EXE
PID:3384 -
\??\c:\bhttnn.exec:\bhttnn.exe47⤵
- Executes dropped EXE
PID:4356 -
\??\c:\pvpvd.exec:\pvpvd.exe48⤵
- Executes dropped EXE
PID:3188 -
\??\c:\rflfffx.exec:\rflfffx.exe49⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hnnhtb.exec:\hnnhtb.exe50⤵
- Executes dropped EXE
PID:1948 -
\??\c:\3vjvj.exec:\3vjvj.exe51⤵
- Executes dropped EXE
PID:2040 -
\??\c:\ffxfrlf.exec:\ffxfrlf.exe52⤵
- Executes dropped EXE
PID:2596 -
\??\c:\hhthtt.exec:\hhthtt.exe53⤵
- Executes dropped EXE
PID:5064 -
\??\c:\jvdpd.exec:\jvdpd.exe54⤵
- Executes dropped EXE
PID:1932 -
\??\c:\flrflfx.exec:\flrflfx.exe55⤵
- Executes dropped EXE
PID:4428 -
\??\c:\rfflfxl.exec:\rfflfxl.exe56⤵
- Executes dropped EXE
PID:3272 -
\??\c:\jvvpd.exec:\jvvpd.exe57⤵
- Executes dropped EXE
PID:4936 -
\??\c:\djjdv.exec:\djjdv.exe58⤵
- Executes dropped EXE
PID:4204 -
\??\c:\xrxrlrx.exec:\xrxrlrx.exe59⤵
- Executes dropped EXE
PID:4784 -
\??\c:\nbnbnh.exec:\nbnbnh.exe60⤵
- Executes dropped EXE
PID:4764 -
\??\c:\pjvpj.exec:\pjvpj.exe61⤵
- Executes dropped EXE
PID:1880 -
\??\c:\lfxrrlf.exec:\lfxrrlf.exe62⤵
- Executes dropped EXE
PID:3056 -
\??\c:\nhtnhb.exec:\nhtnhb.exe63⤵
- Executes dropped EXE
PID:3372 -
\??\c:\bbbntt.exec:\bbbntt.exe64⤵
- Executes dropped EXE
PID:3068 -
\??\c:\pvvdp.exec:\pvvdp.exe65⤵
- Executes dropped EXE
PID:4140 -
\??\c:\3rfxrlf.exec:\3rfxrlf.exe66⤵PID:3576
-
\??\c:\bntnbb.exec:\bntnbb.exe67⤵PID:5068
-
\??\c:\hnhthn.exec:\hnhthn.exe68⤵PID:2132
-
\??\c:\7vddd.exec:\7vddd.exe69⤵PID:2592
-
\??\c:\jvdpd.exec:\jvdpd.exe70⤵
- System Location Discovery: System Language Discovery
PID:4972 -
\??\c:\xrrrlfx.exec:\xrrrlfx.exe71⤵PID:4476
-
\??\c:\btthhb.exec:\btthhb.exe72⤵PID:60
-
\??\c:\vppdv.exec:\vppdv.exe73⤵PID:2940
-
\??\c:\rlfrxlr.exec:\rlfrxlr.exe74⤵PID:1260
-
\??\c:\hbnhtt.exec:\hbnhtt.exe75⤵PID:3052
-
\??\c:\9jjvp.exec:\9jjvp.exe76⤵PID:2356
-
\??\c:\pddpd.exec:\pddpd.exe77⤵PID:3260
-
\??\c:\xlfxrlx.exec:\xlfxrlx.exe78⤵PID:2172
-
\??\c:\hnttnn.exec:\hnttnn.exe79⤵PID:4964
-
\??\c:\jvdpd.exec:\jvdpd.exe80⤵PID:3640
-
\??\c:\5xlrflf.exec:\5xlrflf.exe81⤵PID:4468
-
\??\c:\rfrlxxl.exec:\rfrlxxl.exe82⤵PID:2108
-
\??\c:\dppdv.exec:\dppdv.exe83⤵PID:5100
-
\??\c:\jddvd.exec:\jddvd.exe84⤵PID:4720
-
\??\c:\llxxxxx.exec:\llxxxxx.exe85⤵PID:4852
-
\??\c:\hbbthb.exec:\hbbthb.exe86⤵PID:2816
-
\??\c:\htnbnb.exec:\htnbnb.exe87⤵
- System Location Discovery: System Language Discovery
PID:4572 -
\??\c:\pjdvd.exec:\pjdvd.exe88⤵PID:4460
-
\??\c:\ddpjv.exec:\ddpjv.exe89⤵PID:2312
-
\??\c:\llxfllx.exec:\llxfllx.exe90⤵PID:924
-
\??\c:\3bbnbn.exec:\3bbnbn.exe91⤵PID:116
-
\??\c:\vdjpj.exec:\vdjpj.exe92⤵PID:820
-
\??\c:\1llxlfx.exec:\1llxlfx.exe93⤵PID:3236
-
\??\c:\lxxlflx.exec:\lxxlflx.exe94⤵PID:2196
-
\??\c:\htthth.exec:\htthth.exe95⤵PID:740
-
\??\c:\pvvjv.exec:\pvvjv.exe96⤵PID:4648
-
\??\c:\lxlxxxx.exec:\lxlxxxx.exe97⤵PID:4612
-
\??\c:\1xfxrlf.exec:\1xfxrlf.exe98⤵PID:2964
-
\??\c:\hhhhbn.exec:\hhhhbn.exe99⤵PID:4424
-
\??\c:\pvdvj.exec:\pvdvj.exe100⤵PID:3688
-
\??\c:\fllxlfx.exec:\fllxlfx.exe101⤵
- System Location Discovery: System Language Discovery
PID:4792 -
\??\c:\5lfxlfr.exec:\5lfxlfr.exe102⤵PID:4832
-
\??\c:\htbthb.exec:\htbthb.exe103⤵PID:216
-
\??\c:\pjjvd.exec:\pjjvd.exe104⤵PID:4584
-
\??\c:\7jvvj.exec:\7jvvj.exe105⤵PID:548
-
\??\c:\5llxrrx.exec:\5llxrrx.exe106⤵PID:1908
-
\??\c:\fxfrllr.exec:\fxfrllr.exe107⤵PID:2712
-
\??\c:\nnhbnb.exec:\nnhbnb.exe108⤵PID:3384
-
\??\c:\dddvd.exec:\dddvd.exe109⤵PID:4456
-
\??\c:\xllxllf.exec:\xllxllf.exe110⤵
- System Location Discovery: System Language Discovery
PID:2252 -
\??\c:\5rrlxfx.exec:\5rrlxfx.exe111⤵PID:1636
-
\??\c:\tbbtnn.exec:\tbbtnn.exe112⤵PID:4708
-
\??\c:\jvvjd.exec:\jvvjd.exe113⤵PID:3048
-
\??\c:\vvvjp.exec:\vvvjp.exe114⤵PID:4396
-
\??\c:\lfxlfxx.exec:\lfxlfxx.exe115⤵PID:1720
-
\??\c:\ntthhb.exec:\ntthhb.exe116⤵PID:4508
-
\??\c:\dpppd.exec:\dpppd.exe117⤵
- System Location Discovery: System Language Discovery
PID:1480 -
\??\c:\9ddpv.exec:\9ddpv.exe118⤵PID:2944
-
\??\c:\xxfrlfr.exec:\xxfrlfr.exe119⤵PID:396
-
\??\c:\bbthnh.exec:\bbthnh.exe120⤵PID:2020
-
\??\c:\hbtnbt.exec:\hbtnbt.exe121⤵PID:3172
-
\??\c:\ddjjj.exec:\ddjjj.exe122⤵PID:2288