Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 05:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe
-
Size
454KB
-
MD5
274a1fcae472dba4b609fb93f6bff0f2
-
SHA1
e9d7de4676f38184195d19ae4d26c034b79c956d
-
SHA256
ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae
-
SHA512
f0ad51de354726370bf6e8696c38e9b9316d056af559809c2de2346c8a99d14f8ceee3fce2f15cfea48abf0b98cda99889037ac792d347fa55cafb26b0a6e2c2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4816-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3736-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3792-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-924-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-1044-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-1279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-1391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-1437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2528 rlrllfl.exe 5032 flffffx.exe 1712 vvdvv.exe 1188 vpvvp.exe 4908 fflfxxx.exe 1980 fflrllf.exe 4048 xfllxfr.exe 1932 jdpjj.exe 2316 xrfxffx.exe 1248 rrrfrlf.exe 3036 jdvjd.exe 4176 lxrlrlf.exe 3376 dvdvp.exe 1592 tbhthb.exe 716 dvvpj.exe 116 rllrlrl.exe 4764 bbhthb.exe 4856 nbthbt.exe 4628 dppvj.exe 4344 flrfxrf.exe 1236 hhtnhb.exe 3104 nhtnht.exe 1380 7bnbnn.exe 5016 thbthb.exe 832 djpjd.exe 4996 fllxrlx.exe 1196 ntbttt.exe 3736 jddpj.exe 1092 htthtn.exe 2380 djpdp.exe 1868 nbbbnb.exe 1740 pjjdv.exe 3048 pvjvj.exe 3964 pdjvp.exe 4736 rxlfrrl.exe 1752 nbtnbb.exe 1604 jjpdp.exe 4208 dppdv.exe 1544 rrlfrll.exe 5012 btnhtn.exe 400 jjpjj.exe 4740 fffflff.exe 4860 thbnbt.exe 1128 vpvjp.exe 3032 llfxxrl.exe 3788 xrlfxrx.exe 3252 bntbnn.exe 2644 ddvjv.exe 2012 lxfrlfx.exe 3864 thnbth.exe 4408 pjvdv.exe 4708 nbhbtt.exe 4204 nbbthh.exe 5028 rfxlfxl.exe 2740 lrfllff.exe 3452 btbbbb.exe 1712 vdddp.exe 2044 rlfxlxr.exe 2708 htbnbt.exe 4352 thnnhh.exe 4100 jdjpj.exe 3920 lffxxfx.exe 1164 nnthtn.exe 2592 hbhtnb.exe -
resource yara_rule behavioral2/memory/4816-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3736-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4652-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-1028-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-1044-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4816 wrote to memory of 2528 4816 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 82 PID 4816 wrote to memory of 2528 4816 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 82 PID 4816 wrote to memory of 2528 4816 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 82 PID 2528 wrote to memory of 5032 2528 rlrllfl.exe 83 PID 2528 wrote to memory of 5032 2528 rlrllfl.exe 83 PID 2528 wrote to memory of 5032 2528 rlrllfl.exe 83 PID 5032 wrote to memory of 1712 5032 flffffx.exe 84 PID 5032 wrote to memory of 1712 5032 flffffx.exe 84 PID 5032 wrote to memory of 1712 5032 flffffx.exe 84 PID 1712 wrote to memory of 1188 1712 vvdvv.exe 85 PID 1712 wrote to memory of 1188 1712 vvdvv.exe 85 PID 1712 wrote to memory of 1188 1712 vvdvv.exe 85 PID 1188 wrote to memory of 4908 1188 vpvvp.exe 86 PID 1188 wrote to memory of 4908 1188 vpvvp.exe 86 PID 1188 wrote to memory of 4908 1188 vpvvp.exe 86 PID 4908 wrote to memory of 1980 4908 fflfxxx.exe 87 PID 4908 wrote to memory of 1980 4908 fflfxxx.exe 87 PID 4908 wrote to memory of 1980 4908 fflfxxx.exe 87 PID 1980 wrote to memory of 4048 1980 fflrllf.exe 88 PID 1980 wrote to memory of 4048 1980 fflrllf.exe 88 PID 1980 wrote to memory of 4048 1980 fflrllf.exe 88 PID 4048 wrote to memory of 1932 4048 xfllxfr.exe 89 PID 4048 wrote to memory of 1932 4048 xfllxfr.exe 89 PID 4048 wrote to memory of 1932 4048 xfllxfr.exe 89 PID 1932 wrote to memory of 2316 1932 jdpjj.exe 90 PID 1932 wrote to memory of 2316 1932 jdpjj.exe 90 PID 1932 wrote to memory of 2316 1932 jdpjj.exe 90 PID 2316 wrote to memory of 1248 2316 xrfxffx.exe 91 PID 2316 wrote to memory of 1248 2316 xrfxffx.exe 91 PID 2316 wrote to memory of 1248 2316 xrfxffx.exe 91 PID 1248 wrote to memory of 3036 1248 rrrfrlf.exe 92 PID 1248 wrote to memory of 3036 1248 rrrfrlf.exe 92 PID 1248 wrote to memory of 3036 1248 rrrfrlf.exe 92 PID 3036 wrote to memory of 4176 3036 jdvjd.exe 93 PID 3036 
wrote to memory of 4176 3036 jdvjd.exe 93 PID 3036 wrote to memory of 4176 3036 jdvjd.exe 93 PID 4176 wrote to memory of 3376 4176 lxrlrlf.exe 94 PID 4176 wrote to memory of 3376 4176 lxrlrlf.exe 94 PID 4176 wrote to memory of 3376 4176 lxrlrlf.exe 94 PID 3376 wrote to memory of 1592 3376 dvdvp.exe 95 PID 3376 wrote to memory of 1592 3376 dvdvp.exe 95 PID 3376 wrote to memory of 1592 3376 dvdvp.exe 95 PID 1592 wrote to memory of 716 1592 tbhthb.exe 96 PID 1592 wrote to memory of 716 1592 tbhthb.exe 96 PID 1592 wrote to memory of 716 1592 tbhthb.exe 96 PID 716 wrote to memory of 116 716 dvvpj.exe 97 PID 716 wrote to memory of 116 716 dvvpj.exe 97 PID 716 wrote to memory of 116 716 dvvpj.exe 97 PID 116 wrote to memory of 4764 116 rllrlrl.exe 98 PID 116 wrote to memory of 4764 116 rllrlrl.exe 98 PID 116 wrote to memory of 4764 116 rllrlrl.exe 98 PID 4764 wrote to memory of 4856 4764 bbhthb.exe 99 PID 4764 wrote to memory of 4856 4764 bbhthb.exe 99 PID 4764 wrote to memory of 4856 4764 bbhthb.exe 99 PID 4856 wrote to memory of 4628 4856 nbthbt.exe 100 PID 4856 wrote to memory of 4628 4856 nbthbt.exe 100 PID 4856 wrote to memory of 4628 4856 nbthbt.exe 100 PID 4628 wrote to memory of 4344 4628 dppvj.exe 101 PID 4628 wrote to memory of 4344 4628 dppvj.exe 101 PID 4628 wrote to memory of 4344 4628 dppvj.exe 101 PID 4344 wrote to memory of 1236 4344 flrfxrf.exe 102 PID 4344 wrote to memory of 1236 4344 flrfxrf.exe 102 PID 4344 wrote to memory of 1236 4344 flrfxrf.exe 102 PID 1236 wrote to memory of 3104 1236 hhtnhb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe"C:\Users\Admin\AppData\Local\Temp\ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\rlrllfl.exec:\rlrllfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\flffffx.exec:\flffffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\vvdvv.exec:\vvdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\vpvvp.exec:\vpvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\fflfxxx.exec:\fflfxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\fflrllf.exec:\fflrllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\xfllxfr.exec:\xfllxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\jdpjj.exec:\jdpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\xrfxffx.exec:\xrfxffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\rrrfrlf.exec:\rrrfrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\jdvjd.exec:\jdvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\lxrlrlf.exec:\lxrlrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\dvdvp.exec:\dvdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\tbhthb.exec:\tbhthb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\dvvpj.exec:\dvvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\rllrlrl.exec:\rllrlrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\bbhthb.exec:\bbhthb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\nbthbt.exec:\nbthbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\dppvj.exec:\dppvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\flrfxrf.exec:\flrfxrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\hhtnhb.exec:\hhtnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\nhtnht.exec:\nhtnht.exe23⤵
- Executes dropped EXE
PID:3104 -
\??\c:\7bnbnn.exec:\7bnbnn.exe24⤵
- Executes dropped EXE
PID:1380 -
\??\c:\thbthb.exec:\thbthb.exe25⤵
- Executes dropped EXE
PID:5016 -
\??\c:\djpjd.exec:\djpjd.exe26⤵
- Executes dropped EXE
PID:832 -
\??\c:\fllxrlx.exec:\fllxrlx.exe27⤵
- Executes dropped EXE
PID:4996 -
\??\c:\ntbttt.exec:\ntbttt.exe28⤵
- Executes dropped EXE
PID:1196 -
\??\c:\jddpj.exec:\jddpj.exe29⤵
- Executes dropped EXE
PID:3736 -
\??\c:\htthtn.exec:\htthtn.exe30⤵
- Executes dropped EXE
PID:1092 -
\??\c:\djpdp.exec:\djpdp.exe31⤵
- Executes dropped EXE
PID:2380 -
\??\c:\nbbbnb.exec:\nbbbnb.exe32⤵
- Executes dropped EXE
PID:1868 -
\??\c:\pjjdv.exec:\pjjdv.exe33⤵
- Executes dropped EXE
PID:1740 -
\??\c:\pvjvj.exec:\pvjvj.exe34⤵
- Executes dropped EXE
PID:3048 -
\??\c:\pdjvp.exec:\pdjvp.exe35⤵
- Executes dropped EXE
PID:3964 -
\??\c:\rxlfrrl.exec:\rxlfrrl.exe36⤵
- Executes dropped EXE
PID:4736 -
\??\c:\nbtnbb.exec:\nbtnbb.exe37⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jjpdp.exec:\jjpdp.exe38⤵
- Executes dropped EXE
PID:1604 -
\??\c:\dppdv.exec:\dppdv.exe39⤵
- Executes dropped EXE
PID:4208 -
\??\c:\rrlfrll.exec:\rrlfrll.exe40⤵
- Executes dropped EXE
PID:1544 -
\??\c:\btnhtn.exec:\btnhtn.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5012 -
\??\c:\jjpjj.exec:\jjpjj.exe42⤵
- Executes dropped EXE
PID:400 -
\??\c:\fffflff.exec:\fffflff.exe43⤵
- Executes dropped EXE
PID:4740 -
\??\c:\thbnbt.exec:\thbnbt.exe44⤵
- Executes dropped EXE
PID:4860 -
\??\c:\vpvjp.exec:\vpvjp.exe45⤵
- Executes dropped EXE
PID:1128 -
\??\c:\llfxxrl.exec:\llfxxrl.exe46⤵
- Executes dropped EXE
PID:3032 -
\??\c:\xrlfxrx.exec:\xrlfxrx.exe47⤵
- Executes dropped EXE
PID:3788 -
\??\c:\bntbnn.exec:\bntbnn.exe48⤵
- Executes dropped EXE
PID:3252 -
\??\c:\ddvjv.exec:\ddvjv.exe49⤵
- Executes dropped EXE
PID:2644 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe50⤵
- Executes dropped EXE
PID:2012 -
\??\c:\thnbth.exec:\thnbth.exe51⤵
- Executes dropped EXE
PID:3864 -
\??\c:\pjvdv.exec:\pjvdv.exe52⤵
- Executes dropped EXE
PID:4408 -
\??\c:\nbhbtt.exec:\nbhbtt.exe53⤵
- Executes dropped EXE
PID:4708 -
\??\c:\nbbthh.exec:\nbbthh.exe54⤵
- Executes dropped EXE
PID:4204 -
\??\c:\rfxlfxl.exec:\rfxlfxl.exe55⤵
- Executes dropped EXE
PID:5028 -
\??\c:\lrfllff.exec:\lrfllff.exe56⤵
- Executes dropped EXE
PID:2740 -
\??\c:\btbbbb.exec:\btbbbb.exe57⤵
- Executes dropped EXE
PID:3452 -
\??\c:\vdddp.exec:\vdddp.exe58⤵
- Executes dropped EXE
PID:1712 -
\??\c:\rlfxlxr.exec:\rlfxlxr.exe59⤵
- Executes dropped EXE
PID:2044 -
\??\c:\htbnbt.exec:\htbnbt.exe60⤵
- Executes dropped EXE
PID:2708 -
\??\c:\thnnhh.exec:\thnnhh.exe61⤵
- Executes dropped EXE
PID:4352 -
\??\c:\jdjpj.exec:\jdjpj.exe62⤵
- Executes dropped EXE
PID:4100 -
\??\c:\lffxxfx.exec:\lffxxfx.exe63⤵
- Executes dropped EXE
PID:3920 -
\??\c:\nnthtn.exec:\nnthtn.exe64⤵
- Executes dropped EXE
PID:1164 -
\??\c:\hbhtnb.exec:\hbhtnb.exe65⤵
- Executes dropped EXE
PID:2592 -
\??\c:\ddjvj.exec:\ddjvj.exe66⤵PID:2872
-
\??\c:\rlrffxx.exec:\rlrffxx.exe67⤵PID:2696
-
\??\c:\rfxflfl.exec:\rfxflfl.exe68⤵PID:2036
-
\??\c:\tbhbtn.exec:\tbhbtn.exe69⤵PID:1460
-
\??\c:\jdddp.exec:\jdddp.exe70⤵PID:2868
-
\??\c:\djpjd.exec:\djpjd.exe71⤵PID:3036
-
\??\c:\rrrlxrf.exec:\rrrlxrf.exe72⤵PID:4176
-
\??\c:\9hhbtt.exec:\9hhbtt.exe73⤵PID:3792
-
\??\c:\vjvpv.exec:\vjvpv.exe74⤵PID:4796
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe75⤵PID:620
-
\??\c:\btbtnh.exec:\btbtnh.exe76⤵PID:32
-
\??\c:\tnthtb.exec:\tnthtb.exe77⤵PID:4236
-
\??\c:\pjpjd.exec:\pjpjd.exe78⤵PID:1184
-
\??\c:\fxxxffx.exec:\fxxxffx.exe79⤵PID:4652
-
\??\c:\bnnbtn.exec:\bnnbtn.exe80⤵PID:1588
-
\??\c:\pjjdv.exec:\pjjdv.exe81⤵PID:4344
-
\??\c:\lfrlfff.exec:\lfrlfff.exe82⤵PID:1016
-
\??\c:\xrffxxl.exec:\xrffxxl.exe83⤵PID:5104
-
\??\c:\thnnhh.exec:\thnnhh.exe84⤵PID:3476
-
\??\c:\ddjvp.exec:\ddjvp.exe85⤵PID:1824
-
\??\c:\ffxrffx.exec:\ffxrffx.exe86⤵PID:1380
-
\??\c:\ntttnn.exec:\ntttnn.exe87⤵
- System Location Discovery: System Language Discovery
PID:1616 -
\??\c:\pjjdv.exec:\pjjdv.exe88⤵PID:2940
-
\??\c:\fflfxrl.exec:\fflfxrl.exe89⤵PID:832
-
\??\c:\rrfxllx.exec:\rrfxllx.exe90⤵PID:1156
-
\??\c:\hbhtth.exec:\hbhtth.exe91⤵PID:4036
-
\??\c:\vdpjv.exec:\vdpjv.exe92⤵PID:2080
-
\??\c:\7lrlxfx.exec:\7lrlxfx.exe93⤵PID:3608
-
\??\c:\bttnnh.exec:\bttnnh.exe94⤵PID:1092
-
\??\c:\ntnbnh.exec:\ntnbnh.exe95⤵PID:4804
-
\??\c:\jddjv.exec:\jddjv.exe96⤵PID:4852
-
\??\c:\frxlxrr.exec:\frxlxrr.exe97⤵PID:1868
-
\??\c:\nbhtnh.exec:\nbhtnh.exe98⤵PID:3868
-
\??\c:\djpjd.exec:\djpjd.exe99⤵PID:388
-
\??\c:\pvdvd.exec:\pvdvd.exe100⤵PID:708
-
\??\c:\rllfrfr.exec:\rllfrfr.exe101⤵PID:3156
-
\??\c:\httbtb.exec:\httbtb.exe102⤵PID:3180
-
\??\c:\vdjdp.exec:\vdjdp.exe103⤵PID:3632
-
\??\c:\rfxrrlx.exec:\rfxrrlx.exe104⤵PID:3000
-
\??\c:\tnnnhn.exec:\tnnnhn.exe105⤵PID:3504
-
\??\c:\9dddd.exec:\9dddd.exe106⤵PID:3384
-
\??\c:\lfxlrxl.exec:\lfxlrxl.exe107⤵PID:5012
-
\??\c:\tntnhh.exec:\tntnhh.exe108⤵PID:400
-
\??\c:\thnbbt.exec:\thnbbt.exe109⤵PID:1920
-
\??\c:\vddvv.exec:\vddvv.exe110⤵PID:4868
-
\??\c:\xrlrfxr.exec:\xrlrfxr.exe111⤵PID:1128
-
\??\c:\htbthh.exec:\htbthh.exe112⤵PID:3032
-
\??\c:\pdjdv.exec:\pdjdv.exe113⤵
- System Location Discovery: System Language Discovery
PID:2156 -
\??\c:\rfffxxx.exec:\rfffxxx.exe114⤵PID:2356
-
\??\c:\btthbt.exec:\btthbt.exe115⤵
- System Location Discovery: System Language Discovery
PID:3664 -
\??\c:\hnnhbh.exec:\hnnhbh.exe116⤵PID:3448
-
\??\c:\pppjj.exec:\pppjj.exe117⤵PID:4292
-
\??\c:\lllrrxx.exec:\lllrrxx.exe118⤵PID:360
-
\??\c:\nbbnhb.exec:\nbbnhb.exe119⤵PID:4816
-
\??\c:\hthbbt.exec:\hthbbt.exe120⤵PID:4180
-
\??\c:\vpdvv.exec:\vpdvv.exe121⤵PID:3464
-
\??\c:\5llfxrr.exec:\5llfxrr.exe122⤵PID:5032