Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 20:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2540835520d4d3024cbc3074a61ab8c91b5314b207771a5e75d3230c7cc72956.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
2540835520d4d3024cbc3074a61ab8c91b5314b207771a5e75d3230c7cc72956.exe
-
Size
454KB
-
MD5
ddc2edbcfadbf0fba0dfef67551b3dcf
-
SHA1
2f1f1c0037361eeeb20de50ec4fd809166a25e9d
-
SHA256
2540835520d4d3024cbc3074a61ab8c91b5314b207771a5e75d3230c7cc72956
-
SHA512
dd0d730ede188ae4222dc43bb03ccd9da40d91e98c143416d411b16b598b65913ad598ae2a415921306e1efec0b1967022546f1b2ce773d3872d9c7e1b0f77a1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/5072-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5116-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1464-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-1183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-1364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4436 pjpjp.exe 3092 fxlxffl.exe 1980 3xxxrll.exe 4576 nhnhbb.exe 1640 dpvpj.exe 1092 3thbnn.exe 2932 1pdvj.exe 3180 pddvj.exe 2196 nnnnhn.exe 2004 pjdvp.exe 2064 hbhtnb.exe 2316 ddpvv.exe 1756 fxllllf.exe 1852 nhnhhb.exe 4020 flrfrxf.exe 4296 hhtnhn.exe 3988 3vvpd.exe 1680 rlrlfff.exe 2236 7tnbht.exe 4648 xrrlffl.exe 1536 1xrlllf.exe 3996 jjjjv.exe 4824 frfxlxf.exe 4912 hnbnhb.exe 636 lrllfxr.exe 3212 bnnhhb.exe 4372 lfrlllr.exe 3664 llrlflf.exe 5116 ddjdd.exe 5008 ttnhbb.exe 5004 hbbbtn.exe 2208 xffxllx.exe 4752 hbnhhb.exe 2972 jddvp.exe 1976 fxxrlfx.exe 4464 tbbbth.exe 4604 ppdjj.exe 1232 frrfxrl.exe 3272 bhnhth.exe 3452 7tnnhh.exe 4792 vpddj.exe 2224 ddpdv.exe 1408 rfxlxlf.exe 1240 1nhtnt.exe 1824 7pvjv.exe 1760 flrlfxr.exe 2440 7lfrfrf.exe 3508 nnhbnb.exe 4068 jvvjd.exe 3112 rffxlxr.exe 4044 thnbnn.exe 3500 pppjd.exe 3064 xffxxrl.exe 940 btttnn.exe 1548 jvvpj.exe 4052 fxfxxrr.exe 1056 ntbthh.exe 2400 vpvpp.exe 1292 9ppjj.exe 4756 flrlxxr.exe 1060 nbnhhb.exe 3172 jjppv.exe 4804 rflffff.exe 1344 nttnbt.exe -
resource yara_rule behavioral2/memory/5072-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4752-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2344-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-906-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5httbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5072 wrote to memory of 4436 5072 2540835520d4d3024cbc3074a61ab8c91b5314b207771a5e75d3230c7cc72956.exe 82 PID 5072 wrote to memory of 4436 5072 2540835520d4d3024cbc3074a61ab8c91b5314b207771a5e75d3230c7cc72956.exe 82 PID 5072 wrote to memory of 4436 5072 2540835520d4d3024cbc3074a61ab8c91b5314b207771a5e75d3230c7cc72956.exe 82 PID 4436 wrote to memory of 3092 4436 pjpjp.exe 83 PID 4436 wrote to memory of 3092 4436 pjpjp.exe 83 PID 4436 wrote to memory of 3092 4436 pjpjp.exe 83 PID 3092 wrote to memory of 1980 3092 fxlxffl.exe 84 PID 3092 wrote to memory of 1980 3092 fxlxffl.exe 84 PID 3092 wrote to memory of 1980 3092 fxlxffl.exe 84 PID 1980 wrote to memory of 4576 1980 3xxxrll.exe 85 PID 1980 wrote to memory of 4576 1980 3xxxrll.exe 85 PID 1980 wrote to memory of 4576 1980 3xxxrll.exe 85 PID 4576 wrote to memory of 1640 4576 nhnhbb.exe 86 PID 4576 wrote to memory of 1640 4576 nhnhbb.exe 86 PID 4576 wrote to memory of 1640 4576 nhnhbb.exe 86 PID 1640 wrote to memory of 1092 1640 dpvpj.exe 87 PID 1640 wrote to memory of 1092 1640 dpvpj.exe 87 PID 1640 wrote to memory of 1092 1640 dpvpj.exe 87 PID 1092 wrote to memory of 2932 1092 3thbnn.exe 88 PID 1092 wrote to memory of 2932 1092 3thbnn.exe 88 PID 1092 wrote to memory of 2932 1092 3thbnn.exe 88 PID 2932 wrote to memory of 3180 2932 1pdvj.exe 89 PID 2932 wrote to memory of 3180 2932 1pdvj.exe 89 PID 2932 wrote to memory of 3180 2932 1pdvj.exe 89 PID 3180 wrote to memory of 2196 3180 pddvj.exe 90 PID 3180 wrote to memory of 2196 3180 pddvj.exe 90 PID 3180 wrote to memory of 2196 3180 pddvj.exe 90 PID 2196 wrote to memory of 2004 2196 nnnnhn.exe 91 PID 2196 wrote to memory of 2004 2196 nnnnhn.exe 91 PID 2196 wrote to memory of 2004 2196 nnnnhn.exe 91 PID 2004 wrote to memory of 2064 2004 pjdvp.exe 92 PID 2004 wrote to memory of 2064 2004 pjdvp.exe 92 PID 2004 wrote to memory of 2064 2004 pjdvp.exe 92 PID 2064 wrote to memory of 2316 2064 hbhtnb.exe 93 PID 2064 wrote to memory of 
2316 2064 hbhtnb.exe 93 PID 2064 wrote to memory of 2316 2064 hbhtnb.exe 93 PID 2316 wrote to memory of 1756 2316 ddpvv.exe 94 PID 2316 wrote to memory of 1756 2316 ddpvv.exe 94 PID 2316 wrote to memory of 1756 2316 ddpvv.exe 94 PID 1756 wrote to memory of 1852 1756 fxllllf.exe 95 PID 1756 wrote to memory of 1852 1756 fxllllf.exe 95 PID 1756 wrote to memory of 1852 1756 fxllllf.exe 95 PID 1852 wrote to memory of 4020 1852 nhnhhb.exe 96 PID 1852 wrote to memory of 4020 1852 nhnhhb.exe 96 PID 1852 wrote to memory of 4020 1852 nhnhhb.exe 96 PID 4020 wrote to memory of 4296 4020 flrfrxf.exe 97 PID 4020 wrote to memory of 4296 4020 flrfrxf.exe 97 PID 4020 wrote to memory of 4296 4020 flrfrxf.exe 97 PID 4296 wrote to memory of 3988 4296 hhtnhn.exe 98 PID 4296 wrote to memory of 3988 4296 hhtnhn.exe 98 PID 4296 wrote to memory of 3988 4296 hhtnhn.exe 98 PID 3988 wrote to memory of 1680 3988 3vvpd.exe 99 PID 3988 wrote to memory of 1680 3988 3vvpd.exe 99 PID 3988 wrote to memory of 1680 3988 3vvpd.exe 99 PID 1680 wrote to memory of 2236 1680 rlrlfff.exe 100 PID 1680 wrote to memory of 2236 1680 rlrlfff.exe 100 PID 1680 wrote to memory of 2236 1680 rlrlfff.exe 100 PID 2236 wrote to memory of 4648 2236 7tnbht.exe 101 PID 2236 wrote to memory of 4648 2236 7tnbht.exe 101 PID 2236 wrote to memory of 4648 2236 7tnbht.exe 101 PID 4648 wrote to memory of 1536 4648 xrrlffl.exe 102 PID 4648 wrote to memory of 1536 4648 xrrlffl.exe 102 PID 4648 wrote to memory of 1536 4648 xrrlffl.exe 102 PID 1536 wrote to memory of 3996 1536 1xrlllf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2540835520d4d3024cbc3074a61ab8c91b5314b207771a5e75d3230c7cc72956.exe"C:\Users\Admin\AppData\Local\Temp\2540835520d4d3024cbc3074a61ab8c91b5314b207771a5e75d3230c7cc72956.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\pjpjp.exec:\pjpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\fxlxffl.exec:\fxlxffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\3xxxrll.exec:\3xxxrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\nhnhbb.exec:\nhnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\dpvpj.exec:\dpvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\3thbnn.exec:\3thbnn.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\1pdvj.exec:\1pdvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\pddvj.exec:\pddvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\nnnnhn.exec:\nnnnhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\pjdvp.exec:\pjdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\hbhtnb.exec:\hbhtnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\ddpvv.exec:\ddpvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\fxllllf.exec:\fxllllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\nhnhhb.exec:\nhnhhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\flrfrxf.exec:\flrfrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\hhtnhn.exec:\hhtnhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\3vvpd.exec:\3vvpd.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\rlrlfff.exec:\rlrlfff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\7tnbht.exec:\7tnbht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\xrrlffl.exec:\xrrlffl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\1xrlllf.exec:\1xrlllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\jjjjv.exec:\jjjjv.exe23⤵
- Executes dropped EXE
PID:3996 -
\??\c:\frfxlxf.exec:\frfxlxf.exe24⤵
- Executes dropped EXE
PID:4824 -
\??\c:\hnbnhb.exec:\hnbnhb.exe25⤵
- Executes dropped EXE
PID:4912 -
\??\c:\lrllfxr.exec:\lrllfxr.exe26⤵
- Executes dropped EXE
PID:636 -
\??\c:\bnnhhb.exec:\bnnhhb.exe27⤵
- Executes dropped EXE
PID:3212 -
\??\c:\lfrlllr.exec:\lfrlllr.exe28⤵
- Executes dropped EXE
PID:4372 -
\??\c:\llrlflf.exec:\llrlflf.exe29⤵
- Executes dropped EXE
PID:3664 -
\??\c:\ddjdd.exec:\ddjdd.exe30⤵
- Executes dropped EXE
PID:5116 -
\??\c:\ttnhbb.exec:\ttnhbb.exe31⤵
- Executes dropped EXE
PID:5008 -
\??\c:\hbbbtn.exec:\hbbbtn.exe32⤵
- Executes dropped EXE
PID:5004 -
\??\c:\xffxllx.exec:\xffxllx.exe33⤵
- Executes dropped EXE
PID:2208 -
\??\c:\hbnhhb.exec:\hbnhhb.exe34⤵
- Executes dropped EXE
PID:4752 -
\??\c:\jddvp.exec:\jddvp.exe35⤵
- Executes dropped EXE
PID:2972 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe36⤵
- Executes dropped EXE
PID:1976 -
\??\c:\tbbbth.exec:\tbbbth.exe37⤵
- Executes dropped EXE
PID:4464 -
\??\c:\ppdjj.exec:\ppdjj.exe38⤵
- Executes dropped EXE
PID:4604 -
\??\c:\frrfxrl.exec:\frrfxrl.exe39⤵
- Executes dropped EXE
PID:1232 -
\??\c:\bhnhth.exec:\bhnhth.exe40⤵
- Executes dropped EXE
PID:3272 -
\??\c:\7tnnhh.exec:\7tnnhh.exe41⤵
- Executes dropped EXE
PID:3452 -
\??\c:\vpddj.exec:\vpddj.exe42⤵
- Executes dropped EXE
PID:4792 -
\??\c:\ddpdv.exec:\ddpdv.exe43⤵
- Executes dropped EXE
PID:2224 -
\??\c:\rfxlxlf.exec:\rfxlxlf.exe44⤵
- Executes dropped EXE
PID:1408 -
\??\c:\1nhtnt.exec:\1nhtnt.exe45⤵
- Executes dropped EXE
PID:1240 -
\??\c:\7pvjv.exec:\7pvjv.exe46⤵
- Executes dropped EXE
PID:1824 -
\??\c:\flrlfxr.exec:\flrlfxr.exe47⤵
- Executes dropped EXE
PID:1760 -
\??\c:\7lfrfrf.exec:\7lfrfrf.exe48⤵
- Executes dropped EXE
PID:2440 -
\??\c:\nnhbnb.exec:\nnhbnb.exe49⤵
- Executes dropped EXE
PID:3508 -
\??\c:\jvvjd.exec:\jvvjd.exe50⤵
- Executes dropped EXE
PID:4068 -
\??\c:\rffxlxr.exec:\rffxlxr.exe51⤵
- Executes dropped EXE
PID:3112 -
\??\c:\thnbnn.exec:\thnbnn.exe52⤵
- Executes dropped EXE
PID:4044 -
\??\c:\pppjd.exec:\pppjd.exe53⤵
- Executes dropped EXE
PID:3500 -
\??\c:\xffxxrl.exec:\xffxxrl.exe54⤵
- Executes dropped EXE
PID:3064 -
\??\c:\btttnn.exec:\btttnn.exe55⤵
- Executes dropped EXE
PID:940 -
\??\c:\jvvpj.exec:\jvvpj.exe56⤵
- Executes dropped EXE
PID:1548 -
\??\c:\fxfxxrr.exec:\fxfxxrr.exe57⤵
- Executes dropped EXE
PID:4052 -
\??\c:\ntbthh.exec:\ntbthh.exe58⤵
- Executes dropped EXE
PID:1056 -
\??\c:\vpvpp.exec:\vpvpp.exe59⤵
- Executes dropped EXE
PID:2400 -
\??\c:\9ppjj.exec:\9ppjj.exe60⤵
- Executes dropped EXE
PID:1292 -
\??\c:\flrlxxr.exec:\flrlxxr.exe61⤵
- Executes dropped EXE
PID:4756 -
\??\c:\nbnhhb.exec:\nbnhhb.exe62⤵
- Executes dropped EXE
PID:1060 -
\??\c:\jjppv.exec:\jjppv.exe63⤵
- Executes dropped EXE
PID:3172 -
\??\c:\rflffff.exec:\rflffff.exe64⤵
- Executes dropped EXE
PID:4804 -
\??\c:\nttnbt.exec:\nttnbt.exe65⤵
- Executes dropped EXE
PID:1344 -
\??\c:\hhnhtb.exec:\hhnhtb.exe66⤵PID:628
-
\??\c:\3vjdp.exec:\3vjdp.exe67⤵PID:3124
-
\??\c:\5fxxrlx.exec:\5fxxrlx.exe68⤵PID:1104
-
\??\c:\nhhbtn.exec:\nhhbtn.exe69⤵PID:2372
-
\??\c:\vpdvp.exec:\vpdvp.exe70⤵PID:2056
-
\??\c:\xffrlfl.exec:\xffrlfl.exe71⤵PID:2832
-
\??\c:\bbbtnh.exec:\bbbtnh.exe72⤵PID:812
-
\??\c:\9bbtbt.exec:\9bbtbt.exe73⤵PID:3400
-
\??\c:\1jvjd.exec:\1jvjd.exe74⤵PID:3472
-
\??\c:\rxlfxrl.exec:\rxlfxrl.exe75⤵PID:3208
-
\??\c:\rlllfxr.exec:\rlllfxr.exe76⤵PID:4828
-
\??\c:\tbbnhb.exec:\tbbnhb.exe77⤵PID:1296
-
\??\c:\1ppjd.exec:\1ppjd.exe78⤵PID:3832
-
\??\c:\5jjjd.exec:\5jjjd.exe79⤵PID:4016
-
\??\c:\llrlflf.exec:\llrlflf.exe80⤵PID:4388
-
\??\c:\htbbnb.exec:\htbbnb.exe81⤵PID:736
-
\??\c:\jddjj.exec:\jddjj.exe82⤵PID:1464
-
\??\c:\9vvjp.exec:\9vvjp.exe83⤵PID:4088
-
\??\c:\3lrrlxr.exec:\3lrrlxr.exe84⤵PID:2072
-
\??\c:\tnthbb.exec:\tnthbb.exe85⤵PID:3396
-
\??\c:\bnhtbb.exec:\bnhtbb.exe86⤵PID:4912
-
\??\c:\jjvdp.exec:\jjvdp.exe87⤵PID:2120
-
\??\c:\xrrlffx.exec:\xrrlffx.exe88⤵PID:3100
-
\??\c:\ntnnnn.exec:\ntnnnn.exe89⤵PID:2344
-
\??\c:\dvjpp.exec:\dvjpp.exe90⤵PID:3468
-
\??\c:\fffxrlf.exec:\fffxrlf.exe91⤵PID:2176
-
\??\c:\3xffflr.exec:\3xffflr.exe92⤵PID:2824
-
\??\c:\nhhnnn.exec:\nhhnnn.exe93⤵PID:1200
-
\??\c:\1vdpj.exec:\1vdpj.exe94⤵PID:5008
-
\??\c:\xfxrlrl.exec:\xfxrlrl.exe95⤵PID:1000
-
\??\c:\7nhhhh.exec:\7nhhhh.exe96⤵PID:4652
-
\??\c:\3pvpj.exec:\3pvpj.exe97⤵PID:2916
-
\??\c:\dvjdj.exec:\dvjdj.exe98⤵PID:2100
-
\??\c:\xlllflf.exec:\xlllflf.exe99⤵PID:1768
-
\??\c:\1btnnn.exec:\1btnnn.exe100⤵PID:3128
-
\??\c:\hnhbtn.exec:\hnhbtn.exe101⤵PID:1124
-
\??\c:\7ddvp.exec:\7ddvp.exe102⤵PID:4000
-
\??\c:\fflflrx.exec:\fflflrx.exe103⤵PID:4604
-
\??\c:\tnnbtn.exec:\tnnbtn.exe104⤵PID:2896
-
\??\c:\9jjdj.exec:\9jjdj.exe105⤵PID:3272
-
\??\c:\rfxxlrf.exec:\rfxxlrf.exe106⤵PID:3392
-
\??\c:\btnhhb.exec:\btnhhb.exe107⤵PID:3184
-
\??\c:\tbbtnn.exec:\tbbtnn.exe108⤵PID:3812
-
\??\c:\pdjdp.exec:\pdjdp.exe109⤵PID:1576
-
\??\c:\rlffxxl.exec:\rlffxxl.exe110⤵PID:1160
-
\??\c:\tnnhhh.exec:\tnnhhh.exe111⤵PID:3976
-
\??\c:\dvdvv.exec:\dvdvv.exe112⤵PID:5072
-
\??\c:\dvvpj.exec:\dvvpj.exe113⤵PID:1760
-
\??\c:\rfxrrll.exec:\rfxrrll.exe114⤵PID:2440
-
\??\c:\pdpjd.exec:\pdpjd.exe115⤵PID:4136
-
\??\c:\dvvpj.exec:\dvvpj.exe116⤵PID:1372
-
\??\c:\fxlxrfx.exec:\fxlxrfx.exe117⤵PID:2776
-
\??\c:\5tthbh.exec:\5tthbh.exe118⤵PID:5036
-
\??\c:\vvpjd.exec:\vvpjd.exe119⤵PID:4132
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe120⤵PID:432
-
\??\c:\httnhh.exec:\httnhh.exe121⤵PID:2928
-
\??\c:\7btnbb.exec:\7btnbb.exe122⤵PID:4780