Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 21:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe
-
Size
453KB
-
MD5
69d35afa0f8e66aef8d7de5d121e1f01
-
SHA1
95e2f0d62cf580a004e4458935e3469c434804ca
-
SHA256
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f
-
SHA512
bd7861a3164dd892c9fd23457e68ef7418582f6965587998e32019b3f315cc070b2a82def4d75fa2d69cdce119263089e368198de920f08e957d6d2894eeca2b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetn:q7Tc2NYHUrAwfMp3CDtn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2432-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/944-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/220-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3076-1369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4568 xffxlfx.exe 884 vvppv.exe 5004 5xxrfxl.exe 2424 xrxrfxf.exe 5100 btnbtt.exe 2064 lffrlff.exe 1624 9bhttt.exe 2900 3jdpd.exe 2208 ttbnbn.exe 1700 lrrlfxr.exe 2268 hhtntn.exe 3660 fxrlxrl.exe 2280 rfxrfxl.exe 4408 vdppd.exe 320 htbtnh.exe 3948 jdvjv.exe 2380 xrllfrl.exe 2384 bntttn.exe 1752 vvdjj.exe 4556 dddpd.exe 4420 lllxlfx.exe 448 vjjvp.exe 4912 5vvpd.exe 4772 flrfrlf.exe 3996 lfxrfxl.exe 404 tnttnt.exe 944 jdvpd.exe 4032 3tbthh.exe 4488 rxfxlfx.exe 4044 htnbtn.exe 4612 5vvvp.exe 3408 fffxrlf.exe 3584 bbnbnh.exe 4592 jpdvp.exe 460 lllllll.exe 452 jvjjj.exe 2892 lxxlfxr.exe 4776 htnhnh.exe 2368 9jpdj.exe 4492 7rlfrlf.exe 3232 btbtnh.exe 3344 bthtbh.exe 4412 jjdvd.exe 1968 xfxrlfx.exe 3372 xlxlflr.exe 4164 nnbnbn.exe 2216 vpjdp.exe 3992 lfxfxfx.exe 2764 tbbtnh.exe 2424 htbttt.exe 4836 pdpdj.exe 3896 rfffflx.exe 2512 3rfxlfx.exe 2792 nbthnh.exe 4276 vjvjd.exe 2264 jjdpp.exe 2208 fflfxrl.exe 3068 1nhbtb.exe 2268 dppdp.exe 3660 jjdpj.exe 1400 5xlflrl.exe 344 3hthbn.exe 4380 9ddpj.exe 2816 xlrrlrl.exe -
resource yara_rule behavioral2/memory/2432-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4032-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-319-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4616-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-679-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrll.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lllfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhbnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2432 wrote to memory of 4568 2432 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 82 PID 2432 wrote to memory of 4568 2432 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 82 PID 2432 wrote to memory of 4568 2432 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 82 PID 4568 wrote to memory of 884 4568 xffxlfx.exe 83 PID 4568 wrote to memory of 884 4568 xffxlfx.exe 83 PID 4568 wrote to memory of 884 4568 xffxlfx.exe 83 PID 884 wrote to memory of 5004 884 vvppv.exe 84 PID 884 wrote to memory of 5004 884 vvppv.exe 84 PID 884 wrote to memory of 5004 884 vvppv.exe 84 PID 5004 wrote to memory of 2424 5004 5xxrfxl.exe 85 PID 5004 wrote to memory of 2424 5004 5xxrfxl.exe 85 PID 5004 wrote to memory of 2424 5004 5xxrfxl.exe 85 PID 2424 wrote to memory of 5100 2424 xrxrfxf.exe 86 PID 2424 wrote to memory of 5100 2424 xrxrfxf.exe 86 PID 2424 wrote to memory of 5100 2424 xrxrfxf.exe 86 PID 5100 wrote to memory of 2064 5100 btnbtt.exe 87 PID 5100 wrote to memory of 2064 5100 btnbtt.exe 87 PID 5100 wrote to memory of 2064 5100 btnbtt.exe 87 PID 2064 wrote to memory of 1624 2064 lffrlff.exe 88 PID 2064 wrote to memory of 1624 2064 lffrlff.exe 88 PID 2064 wrote to memory of 1624 2064 lffrlff.exe 88 PID 1624 wrote to memory of 2900 1624 9bhttt.exe 89 PID 1624 wrote to memory of 2900 1624 9bhttt.exe 89 PID 1624 wrote to memory of 2900 1624 9bhttt.exe 89 PID 2900 wrote to memory of 2208 2900 3jdpd.exe 90 PID 2900 wrote to memory of 2208 2900 3jdpd.exe 90 PID 2900 wrote to memory of 2208 2900 3jdpd.exe 90 PID 2208 wrote to memory of 1700 2208 ttbnbn.exe 91 PID 2208 wrote to memory of 1700 2208 ttbnbn.exe 91 PID 2208 wrote to memory of 1700 2208 ttbnbn.exe 91 PID 1700 wrote to memory of 2268 1700 lrrlfxr.exe 92 PID 1700 wrote to memory of 2268 1700 lrrlfxr.exe 92 PID 1700 wrote to memory of 2268 1700 lrrlfxr.exe 92 PID 2268 wrote to memory of 3660 2268 hhtntn.exe 93 PID 2268 wrote to 
memory of 3660 2268 hhtntn.exe 93 PID 2268 wrote to memory of 3660 2268 hhtntn.exe 93 PID 3660 wrote to memory of 2280 3660 fxrlxrl.exe 94 PID 3660 wrote to memory of 2280 3660 fxrlxrl.exe 94 PID 3660 wrote to memory of 2280 3660 fxrlxrl.exe 94 PID 2280 wrote to memory of 4408 2280 rfxrfxl.exe 95 PID 2280 wrote to memory of 4408 2280 rfxrfxl.exe 95 PID 2280 wrote to memory of 4408 2280 rfxrfxl.exe 95 PID 4408 wrote to memory of 320 4408 vdppd.exe 96 PID 4408 wrote to memory of 320 4408 vdppd.exe 96 PID 4408 wrote to memory of 320 4408 vdppd.exe 96 PID 320 wrote to memory of 3948 320 htbtnh.exe 97 PID 320 wrote to memory of 3948 320 htbtnh.exe 97 PID 320 wrote to memory of 3948 320 htbtnh.exe 97 PID 3948 wrote to memory of 2380 3948 jdvjv.exe 98 PID 3948 wrote to memory of 2380 3948 jdvjv.exe 98 PID 3948 wrote to memory of 2380 3948 jdvjv.exe 98 PID 2380 wrote to memory of 2384 2380 xrllfrl.exe 99 PID 2380 wrote to memory of 2384 2380 xrllfrl.exe 99 PID 2380 wrote to memory of 2384 2380 xrllfrl.exe 99 PID 2384 wrote to memory of 1752 2384 bntttn.exe 100 PID 2384 wrote to memory of 1752 2384 bntttn.exe 100 PID 2384 wrote to memory of 1752 2384 bntttn.exe 100 PID 1752 wrote to memory of 4556 1752 vvdjj.exe 101 PID 1752 wrote to memory of 4556 1752 vvdjj.exe 101 PID 1752 wrote to memory of 4556 1752 vvdjj.exe 101 PID 4556 wrote to memory of 4420 4556 dddpd.exe 102 PID 4556 wrote to memory of 4420 4556 dddpd.exe 102 PID 4556 wrote to memory of 4420 4556 dddpd.exe 102 PID 4420 wrote to memory of 448 4420 lllxlfx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe"C:\Users\Admin\AppData\Local\Temp\40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\xffxlfx.exec:\xffxlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\vvppv.exec:\vvppv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\5xxrfxl.exec:\5xxrfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\xrxrfxf.exec:\xrxrfxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\btnbtt.exec:\btnbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\lffrlff.exec:\lffrlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\9bhttt.exec:\9bhttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\3jdpd.exec:\3jdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\ttbnbn.exec:\ttbnbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\hhtntn.exec:\hhtntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\fxrlxrl.exec:\fxrlxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\rfxrfxl.exec:\rfxrfxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\vdppd.exec:\vdppd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\htbtnh.exec:\htbtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\jdvjv.exec:\jdvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\xrllfrl.exec:\xrllfrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\bntttn.exec:\bntttn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\vvdjj.exec:\vvdjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\dddpd.exec:\dddpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\lllxlfx.exec:\lllxlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\vjjvp.exec:\vjjvp.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\5vvpd.exec:\5vvpd.exe24⤵
- Executes dropped EXE
PID:4912 -
\??\c:\flrfrlf.exec:\flrfrlf.exe25⤵
- Executes dropped EXE
PID:4772 -
\??\c:\lfxrfxl.exec:\lfxrfxl.exe26⤵
- Executes dropped EXE
PID:3996 -
\??\c:\tnttnt.exec:\tnttnt.exe27⤵
- Executes dropped EXE
PID:404 -
\??\c:\jdvpd.exec:\jdvpd.exe28⤵
- Executes dropped EXE
PID:944 -
\??\c:\3tbthh.exec:\3tbthh.exe29⤵
- Executes dropped EXE
PID:4032 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe30⤵
- Executes dropped EXE
PID:4488 -
\??\c:\htnbtn.exec:\htnbtn.exe31⤵
- Executes dropped EXE
PID:4044 -
\??\c:\5vvvp.exec:\5vvvp.exe32⤵
- Executes dropped EXE
PID:4612 -
\??\c:\fffxrlf.exec:\fffxrlf.exe33⤵
- Executes dropped EXE
PID:3408 -
\??\c:\bbnbnh.exec:\bbnbnh.exe34⤵
- Executes dropped EXE
PID:3584 -
\??\c:\jpdvp.exec:\jpdvp.exe35⤵
- Executes dropped EXE
PID:4592 -
\??\c:\lllllll.exec:\lllllll.exe36⤵
- Executes dropped EXE
PID:460 -
\??\c:\jvjjj.exec:\jvjjj.exe37⤵
- Executes dropped EXE
PID:452 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe38⤵
- Executes dropped EXE
PID:2892 -
\??\c:\htnhnh.exec:\htnhnh.exe39⤵
- Executes dropped EXE
PID:4776 -
\??\c:\9jpdj.exec:\9jpdj.exe40⤵
- Executes dropped EXE
PID:2368 -
\??\c:\7rlfrlf.exec:\7rlfrlf.exe41⤵
- Executes dropped EXE
PID:4492 -
\??\c:\btbtnh.exec:\btbtnh.exe42⤵
- Executes dropped EXE
PID:3232 -
\??\c:\bthtbh.exec:\bthtbh.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3344 -
\??\c:\jjdvd.exec:\jjdvd.exe44⤵
- Executes dropped EXE
PID:4412 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe45⤵
- Executes dropped EXE
PID:1968 -
\??\c:\xlxlflr.exec:\xlxlflr.exe46⤵
- Executes dropped EXE
PID:3372 -
\??\c:\nnbnbn.exec:\nnbnbn.exe47⤵
- Executes dropped EXE
PID:4164 -
\??\c:\vpjdp.exec:\vpjdp.exe48⤵
- Executes dropped EXE
PID:2216 -
\??\c:\lfxfxfx.exec:\lfxfxfx.exe49⤵
- Executes dropped EXE
PID:3992 -
\??\c:\tbbtnh.exec:\tbbtnh.exe50⤵
- Executes dropped EXE
PID:2764 -
\??\c:\htbttt.exec:\htbttt.exe51⤵
- Executes dropped EXE
PID:2424 -
\??\c:\pdpdj.exec:\pdpdj.exe52⤵
- Executes dropped EXE
PID:4836 -
\??\c:\rfffflx.exec:\rfffflx.exe53⤵
- Executes dropped EXE
PID:3896 -
\??\c:\3rfxlfx.exec:\3rfxlfx.exe54⤵
- Executes dropped EXE
PID:2512 -
\??\c:\nbthnh.exec:\nbthnh.exe55⤵
- Executes dropped EXE
PID:2792 -
\??\c:\vjvjd.exec:\vjvjd.exe56⤵
- Executes dropped EXE
PID:4276 -
\??\c:\jjdpp.exec:\jjdpp.exe57⤵
- Executes dropped EXE
PID:2264 -
\??\c:\fflfxrl.exec:\fflfxrl.exe58⤵
- Executes dropped EXE
PID:2208 -
\??\c:\1nhbtb.exec:\1nhbtb.exe59⤵
- Executes dropped EXE
PID:3068 -
\??\c:\dppdp.exec:\dppdp.exe60⤵
- Executes dropped EXE
PID:2268 -
\??\c:\jjdpj.exec:\jjdpj.exe61⤵
- Executes dropped EXE
PID:3660 -
\??\c:\5xlflrl.exec:\5xlflrl.exe62⤵
- Executes dropped EXE
PID:1400 -
\??\c:\3hthbn.exec:\3hthbn.exe63⤵
- Executes dropped EXE
PID:344 -
\??\c:\9ddpj.exec:\9ddpj.exe64⤵
- Executes dropped EXE
PID:4380 -
\??\c:\xlrrlrl.exec:\xlrrlrl.exe65⤵
- Executes dropped EXE
PID:2816 -
\??\c:\9flfllx.exec:\9flfllx.exe66⤵PID:1488
-
\??\c:\hbbbtt.exec:\hbbbtt.exe67⤵PID:4680
-
\??\c:\jddvp.exec:\jddvp.exe68⤵PID:220
-
\??\c:\rllllll.exec:\rllllll.exe69⤵
- System Location Discovery: System Language Discovery
PID:2380 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe70⤵PID:4456
-
\??\c:\thbnhb.exec:\thbnhb.exe71⤵PID:2848
-
\??\c:\7jpdp.exec:\7jpdp.exe72⤵PID:3968
-
\??\c:\jppjv.exec:\jppjv.exe73⤵PID:3080
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe74⤵PID:4420
-
\??\c:\5bnhbt.exec:\5bnhbt.exe75⤵PID:4616
-
\??\c:\thtnbb.exec:\thtnbb.exe76⤵PID:1332
-
\??\c:\dppjd.exec:\dppjd.exe77⤵PID:4912
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe78⤵PID:4772
-
\??\c:\lfxrffx.exec:\lfxrffx.exe79⤵PID:3996
-
\??\c:\tnhbtt.exec:\tnhbtt.exe80⤵PID:3188
-
\??\c:\dvpvd.exec:\dvpvd.exe81⤵PID:1040
-
\??\c:\vddpj.exec:\vddpj.exe82⤵PID:4300
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe83⤵PID:2948
-
\??\c:\bnhbtt.exec:\bnhbtt.exe84⤵PID:4760
-
\??\c:\jdjvv.exec:\jdjvv.exe85⤵PID:2980
-
\??\c:\5ppjd.exec:\5ppjd.exe86⤵PID:2556
-
\??\c:\fffxlrf.exec:\fffxlrf.exe87⤵PID:1132
-
\??\c:\bbbbnn.exec:\bbbbnn.exe88⤵PID:3180
-
\??\c:\1jdvj.exec:\1jdvj.exe89⤵PID:4984
-
\??\c:\xflfxrl.exec:\xflfxrl.exe90⤵PID:3584
-
\??\c:\lxrfxrf.exec:\lxrfxrf.exe91⤵PID:1252
-
\??\c:\bhtnhb.exec:\bhtnhb.exe92⤵PID:4796
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe93⤵PID:3980
-
\??\c:\lxxrxxr.exec:\lxxrxxr.exe94⤵PID:2500
-
\??\c:\hbnthb.exec:\hbnthb.exe95⤵PID:1104
-
\??\c:\vvdvd.exec:\vvdvd.exe96⤵PID:3864
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe97⤵PID:808
-
\??\c:\9rlxrlf.exec:\9rlxrlf.exe98⤵PID:1880
-
\??\c:\nhnttt.exec:\nhnttt.exe99⤵PID:4656
-
\??\c:\pjvdd.exec:\pjvdd.exe100⤵PID:1664
-
\??\c:\rlflrfl.exec:\rlflrfl.exe101⤵PID:4412
-
\??\c:\rrxlxxl.exec:\rrxlxxl.exe102⤵PID:2432
-
\??\c:\hbtnbt.exec:\hbtnbt.exe103⤵PID:424
-
\??\c:\jjjvp.exec:\jjjvp.exe104⤵PID:4964
-
\??\c:\7vdpv.exec:\7vdpv.exe105⤵PID:980
-
\??\c:\bnhbnh.exec:\bnhbnh.exe106⤵PID:3852
-
\??\c:\vppjd.exec:\vppjd.exe107⤵PID:2864
-
\??\c:\lrlxfrx.exec:\lrlxfrx.exe108⤵PID:2316
-
\??\c:\nhhtht.exec:\nhhtht.exe109⤵PID:2180
-
\??\c:\dvjpv.exec:\dvjpv.exe110⤵PID:1624
-
\??\c:\lrrflfx.exec:\lrrflfx.exe111⤵PID:3224
-
\??\c:\lfxlfxr.exec:\lfxlfxr.exe112⤵PID:1908
-
\??\c:\bbhbnh.exec:\bbhbnh.exe113⤵PID:4816
-
\??\c:\3jjvj.exec:\3jjvj.exe114⤵PID:844
-
\??\c:\rrlfrrl.exec:\rrlfrrl.exe115⤵PID:3148
-
\??\c:\fllfrrl.exec:\fllfrrl.exe116⤵PID:1740
-
\??\c:\bnbthn.exec:\bnbthn.exe117⤵PID:3316
-
\??\c:\ddvpj.exec:\ddvpj.exe118⤵PID:3604
-
\??\c:\jdvjv.exec:\jdvjv.exe119⤵PID:4268
-
\??\c:\7xxrffr.exec:\7xxrffr.exe120⤵PID:4808
-
\??\c:\bhnnhb.exec:\bhnnhb.exe121⤵PID:4136
-
\??\c:\jjjjp.exec:\jjjjp.exe122⤵PID:3492