Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system
submitted
23-12-2024 04:53
Static task
static1
1 signatures
Behavioral task
behavioral1 — note: the platform/resource in the header (windows10-2004_x64, win10v2004-20241007-en) and every memory-dump entry below are labelled behavioral2, not the windows7-x64 behavioral1 task listed here; the results on this page come from the Windows 10 run.
Sample
fb6dd5a6e953e85501e4650956fc6b61bf0c0d95f4d5c3421a248d0631544c76.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fb6dd5a6e953e85501e4650956fc6b61bf0c0d95f4d5c3421a248d0631544c76.exe
-
Size
453KB
-
MD5
7cdad160b1451e26a37a9b4282022c4a
-
SHA1
0382b1fdf59df4875c22f19633db94b338848b9b
-
SHA256
fb6dd5a6e953e85501e4650956fc6b61bf0c0d95f4d5c3421a248d0631544c76
-
SHA512
d848807da1f8cb50125be62849a19409f4871d14237f2b8c60e22ace601b8d89e819524423ed306b18692dc762596d764197fa5bbec1a00b67e00f4f71eecf12
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs — each hit is the family_blackmoon YARA rule matching the 0x00400000–0x0042A000 image region of one of the dropped child processes; the identical mapped size in every entry, and the fact that the unlabelled `upx` YARA block further down matches the same regions, suggest the dropped files are copies of the same UPX-packed image (not verified here). PIDs are reused within the run (3512 is first the submitted sample and later 7llfxxr.exe; 2444, 4252, 1332, 5072 likewise), so the `pid-offset` keys below do not map one-to-one to distinct binaries.
resource yara_rule behavioral2/memory/3512-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/716-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4448-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-1047-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-1565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-1900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — the dropped files are written to the root of the system drive (`\??\c:\<name>.exe`) with short names drawn from a small character set (b, d, f, h, j, l, n, p, r, t, v, x, plus a leading digit), and each child launches exactly one further child, producing a linear chain more than 120 processes deep within the 150 s window (see the process tree). Executable creation in `C:\` by a user-temp process, and process-chain depth, are the most practical detection hooks this run exposes; the hash-bearing file list of the drops is not reproduced on this page.
pid Process 2444 fllfrxr.exe 4252 jjdpj.exe 4824 nhnhtt.exe 3884 htbhtn.exe 2136 rlxrrll.exe 1332 hbbthb.exe 60 rllfxlx.exe 4724 vjjdv.exe 4932 tthbtt.exe 720 lrrlfxr.exe 5072 9ntntt.exe 2652 jvvpj.exe 2524 5bnbnh.exe 552 9dvvp.exe 2248 fxxrlfx.exe 2856 btthbt.exe 3636 fxxrflx.exe 1836 1tbtnn.exe 1964 nbhhhb.exe 2028 ppdpd.exe 2500 9fxfxlf.exe 2240 nhbthb.exe 808 dvvjp.exe 716 9jjjv.exe 4856 hhbttn.exe 3928 jvjdj.exe 2872 lllfxrl.exe 3292 xrlrflf.exe 3508 pddvp.exe 4520 5tbttt.exe 4404 ppjdv.exe 3000 9bthbt.exe 3404 bhhbtn.exe 884 vjppv.exe 1120 jdpvd.exe 1036 lllrfxr.exe 3572 bbbbnt.exe 220 vjvpv.exe 3136 5btnhh.exe 4540 xfllfll.exe 676 hhhbtn.exe 4756 jvvpd.exe 2192 xxfxxrx.exe 1476 bnthbb.exe 4164 jdjpj.exe 4204 xlxrfxr.exe 2992 nbtnhh.exe 1088 7nbnbt.exe 1792 dvppd.exe 5060 ffxrllf.exe 4308 nhbthh.exe 2424 vjvvj.exe 3512 7llfxxr.exe 2444 htbtnh.exe 4252 ppjvj.exe 840 lffxlxr.exe 4988 bnnhth.exe 3408 bnbtbb.exe 2924 5pvvp.exe 1640 5xlfxrl.exe 3524 nhhbtt.exe 1332 bttttt.exe 2876 jddvv.exe 4828 5flfffl.exe -
resource yara_rule behavioral2/memory/3512-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3928-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3864-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-1047-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location. Caveat: the only evidence is an open of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`, a key that ordinary runtime/locale initialisation also reads, so on its own this is a low-fidelity indicator of deliberate geo-targeting; many entries below are attributed to "Process not Found", which appears to mean the sandbox could not map the event to a process it had recorded (the children are very short-lived).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — every parent logs exactly three writes into the child it has just created and nothing else, which is consistent with the writes CreateProcess performs during child setup rather than with injection into an unrelated process; read these entries as the process-creation chain (parent → child, in launch order) rather than as evidence of code injection unless a hit against a foreign process appears.
description pid Process procid_target PID 3512 wrote to memory of 2444 3512 fb6dd5a6e953e85501e4650956fc6b61bf0c0d95f4d5c3421a248d0631544c76.exe 82 PID 3512 wrote to memory of 2444 3512 fb6dd5a6e953e85501e4650956fc6b61bf0c0d95f4d5c3421a248d0631544c76.exe 82 PID 3512 wrote to memory of 2444 3512 fb6dd5a6e953e85501e4650956fc6b61bf0c0d95f4d5c3421a248d0631544c76.exe 82 PID 2444 wrote to memory of 4252 2444 fllfrxr.exe 83 PID 2444 wrote to memory of 4252 2444 fllfrxr.exe 83 PID 2444 wrote to memory of 4252 2444 fllfrxr.exe 83 PID 4252 wrote to memory of 4824 4252 jjdpj.exe 84 PID 4252 wrote to memory of 4824 4252 jjdpj.exe 84 PID 4252 wrote to memory of 4824 4252 jjdpj.exe 84 PID 4824 wrote to memory of 3884 4824 nhnhtt.exe 85 PID 4824 wrote to memory of 3884 4824 nhnhtt.exe 85 PID 4824 wrote to memory of 3884 4824 nhnhtt.exe 85 PID 3884 wrote to memory of 2136 3884 htbhtn.exe 86 PID 3884 wrote to memory of 2136 3884 htbhtn.exe 86 PID 3884 wrote to memory of 2136 3884 htbhtn.exe 86 PID 2136 wrote to memory of 1332 2136 rlxrrll.exe 87 PID 2136 wrote to memory of 1332 2136 rlxrrll.exe 87 PID 2136 wrote to memory of 1332 2136 rlxrrll.exe 87 PID 1332 wrote to memory of 60 1332 hbbthb.exe 88 PID 1332 wrote to memory of 60 1332 hbbthb.exe 88 PID 1332 wrote to memory of 60 1332 hbbthb.exe 88 PID 60 wrote to memory of 4724 60 rllfxlx.exe 89 PID 60 wrote to memory of 4724 60 rllfxlx.exe 89 PID 60 wrote to memory of 4724 60 rllfxlx.exe 89 PID 4724 wrote to memory of 4932 4724 vjjdv.exe 90 PID 4724 wrote to memory of 4932 4724 vjjdv.exe 90 PID 4724 wrote to memory of 4932 4724 vjjdv.exe 90 PID 4932 wrote to memory of 720 4932 tthbtt.exe 91 PID 4932 wrote to memory of 720 4932 tthbtt.exe 91 PID 4932 wrote to memory of 720 4932 tthbtt.exe 91 PID 720 wrote to memory of 5072 720 lrrlfxr.exe 92 PID 720 wrote to memory of 5072 720 lrrlfxr.exe 92 PID 720 wrote to memory of 5072 720 lrrlfxr.exe 92 PID 5072 wrote to memory of 2652 5072 9ntntt.exe 93 PID 5072 wrote to memory of 2652 5072 
9ntntt.exe 93 PID 5072 wrote to memory of 2652 5072 9ntntt.exe 93 PID 2652 wrote to memory of 2524 2652 jvvpj.exe 94 PID 2652 wrote to memory of 2524 2652 jvvpj.exe 94 PID 2652 wrote to memory of 2524 2652 jvvpj.exe 94 PID 2524 wrote to memory of 552 2524 5bnbnh.exe 95 PID 2524 wrote to memory of 552 2524 5bnbnh.exe 95 PID 2524 wrote to memory of 552 2524 5bnbnh.exe 95 PID 552 wrote to memory of 2248 552 9dvvp.exe 96 PID 552 wrote to memory of 2248 552 9dvvp.exe 96 PID 552 wrote to memory of 2248 552 9dvvp.exe 96 PID 2248 wrote to memory of 2856 2248 fxxrlfx.exe 97 PID 2248 wrote to memory of 2856 2248 fxxrlfx.exe 97 PID 2248 wrote to memory of 2856 2248 fxxrlfx.exe 97 PID 2856 wrote to memory of 3636 2856 btthbt.exe 98 PID 2856 wrote to memory of 3636 2856 btthbt.exe 98 PID 2856 wrote to memory of 3636 2856 btthbt.exe 98 PID 3636 wrote to memory of 1836 3636 fxxrflx.exe 99 PID 3636 wrote to memory of 1836 3636 fxxrflx.exe 99 PID 3636 wrote to memory of 1836 3636 fxxrflx.exe 99 PID 1836 wrote to memory of 1964 1836 1tbtnn.exe 100 PID 1836 wrote to memory of 1964 1836 1tbtnn.exe 100 PID 1836 wrote to memory of 1964 1836 1tbtnn.exe 100 PID 1964 wrote to memory of 2028 1964 nbhhhb.exe 101 PID 1964 wrote to memory of 2028 1964 nbhhhb.exe 101 PID 1964 wrote to memory of 2028 1964 nbhhhb.exe 101 PID 2028 wrote to memory of 2500 2028 ppdpd.exe 102 PID 2028 wrote to memory of 2500 2028 ppdpd.exe 102 PID 2028 wrote to memory of 2500 2028 ppdpd.exe 102 PID 2500 wrote to memory of 2240 2500 9fxfxlf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb6dd5a6e953e85501e4650956fc6b61bf0c0d95f4d5c3421a248d0631544c76.exe"C:\Users\Admin\AppData\Local\Temp\fb6dd5a6e953e85501e4650956fc6b61bf0c0d95f4d5c3421a248d0631544c76.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\fllfrxr.exec:\fllfrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\jjdpj.exec:\jjdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\nhnhtt.exec:\nhnhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\htbhtn.exec:\htbhtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\rlxrrll.exec:\rlxrrll.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\hbbthb.exec:\hbbthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\rllfxlx.exec:\rllfxlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\vjjdv.exec:\vjjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\tthbtt.exec:\tthbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\9ntntt.exec:\9ntntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\jvvpj.exec:\jvvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\5bnbnh.exec:\5bnbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\9dvvp.exec:\9dvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\btthbt.exec:\btthbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\fxxrflx.exec:\fxxrflx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\1tbtnn.exec:\1tbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\nbhhhb.exec:\nbhhhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\ppdpd.exec:\ppdpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\9fxfxlf.exec:\9fxfxlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\nhbthb.exec:\nhbthb.exe23⤵
- Executes dropped EXE
PID:2240 -
\??\c:\dvvjp.exec:\dvvjp.exe24⤵
- Executes dropped EXE
PID:808 -
\??\c:\9jjjv.exec:\9jjjv.exe25⤵
- Executes dropped EXE
PID:716 -
\??\c:\hhbttn.exec:\hhbttn.exe26⤵
- Executes dropped EXE
PID:4856 -
\??\c:\jvjdj.exec:\jvjdj.exe27⤵
- Executes dropped EXE
PID:3928 -
\??\c:\lllfxrl.exec:\lllfxrl.exe28⤵
- Executes dropped EXE
PID:2872 -
\??\c:\xrlrflf.exec:\xrlrflf.exe29⤵
- Executes dropped EXE
PID:3292 -
\??\c:\pddvp.exec:\pddvp.exe30⤵
- Executes dropped EXE
PID:3508 -
\??\c:\5tbttt.exec:\5tbttt.exe31⤵
- Executes dropped EXE
PID:4520 -
\??\c:\ppjdv.exec:\ppjdv.exe32⤵
- Executes dropped EXE
PID:4404 -
\??\c:\9bthbt.exec:\9bthbt.exe33⤵
- Executes dropped EXE
PID:3000 -
\??\c:\bhhbtn.exec:\bhhbtn.exe34⤵
- Executes dropped EXE
PID:3404 -
\??\c:\vjppv.exec:\vjppv.exe35⤵
- Executes dropped EXE
PID:884 -
\??\c:\jdpvd.exec:\jdpvd.exe36⤵
- Executes dropped EXE
PID:1120 -
\??\c:\lllrfxr.exec:\lllrfxr.exe37⤵
- Executes dropped EXE
PID:1036 -
\??\c:\bbbbnt.exec:\bbbbnt.exe38⤵
- Executes dropped EXE
PID:3572 -
\??\c:\vjvpv.exec:\vjvpv.exe39⤵
- Executes dropped EXE
PID:220 -
\??\c:\5btnhh.exec:\5btnhh.exe40⤵
- Executes dropped EXE
PID:3136 -
\??\c:\xfllfll.exec:\xfllfll.exe41⤵
- Executes dropped EXE
PID:4540 -
\??\c:\hhhbtn.exec:\hhhbtn.exe42⤵
- Executes dropped EXE
PID:676 -
\??\c:\jvvpd.exec:\jvvpd.exe43⤵
- Executes dropped EXE
PID:4756 -
\??\c:\xxfxxrx.exec:\xxfxxrx.exe44⤵
- Executes dropped EXE
PID:2192 -
\??\c:\bnthbb.exec:\bnthbb.exe45⤵
- Executes dropped EXE
PID:1476 -
\??\c:\jdjpj.exec:\jdjpj.exe46⤵
- Executes dropped EXE
PID:4164 -
\??\c:\xlxrfxr.exec:\xlxrfxr.exe47⤵
- Executes dropped EXE
PID:4204 -
\??\c:\nbtnhh.exec:\nbtnhh.exe48⤵
- Executes dropped EXE
PID:2992 -
\??\c:\7nbnbt.exec:\7nbnbt.exe49⤵
- Executes dropped EXE
PID:1088 -
\??\c:\dvppd.exec:\dvppd.exe50⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ffxrllf.exec:\ffxrllf.exe51⤵
- Executes dropped EXE
PID:5060 -
\??\c:\nhbthh.exec:\nhbthh.exe52⤵
- Executes dropped EXE
PID:4308 -
\??\c:\vjvvj.exec:\vjvvj.exe53⤵
- Executes dropped EXE
PID:2424 -
\??\c:\7llfxxr.exec:\7llfxxr.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3512 -
\??\c:\htbtnh.exec:\htbtnh.exe55⤵
- Executes dropped EXE
PID:2444 -
\??\c:\ppjvj.exec:\ppjvj.exe56⤵
- Executes dropped EXE
PID:4252 -
\??\c:\lffxlxr.exec:\lffxlxr.exe57⤵
- Executes dropped EXE
PID:840 -
\??\c:\bnnhth.exec:\bnnhth.exe58⤵
- Executes dropped EXE
PID:4988 -
\??\c:\bnbtbb.exec:\bnbtbb.exe59⤵
- Executes dropped EXE
PID:3408 -
\??\c:\5pvvp.exec:\5pvvp.exe60⤵
- Executes dropped EXE
PID:2924 -
\??\c:\5xlfxrl.exec:\5xlfxrl.exe61⤵
- Executes dropped EXE
PID:1640 -
\??\c:\nhhbtt.exec:\nhhbtt.exe62⤵
- Executes dropped EXE
PID:3524 -
\??\c:\bttttt.exec:\bttttt.exe63⤵
- Executes dropped EXE
PID:1332 -
\??\c:\jddvv.exec:\jddvv.exe64⤵
- Executes dropped EXE
PID:2876 -
\??\c:\5flfffl.exec:\5flfffl.exe65⤵
- Executes dropped EXE
PID:4828 -
\??\c:\dvvjd.exec:\dvvjd.exe66⤵PID:4724
-
\??\c:\5rxrrlr.exec:\5rxrrlr.exe67⤵PID:4448
-
\??\c:\bntnnh.exec:\bntnnh.exe68⤵PID:2932
-
\??\c:\jppjv.exec:\jppjv.exe69⤵PID:2372
-
\??\c:\lfrlfff.exec:\lfrlfff.exe70⤵PID:3056
-
\??\c:\htbthh.exec:\htbthh.exe71⤵PID:5072
-
\??\c:\pvjvj.exec:\pvjvj.exe72⤵PID:3180
-
\??\c:\lllfxfx.exec:\lllfxfx.exe73⤵PID:5008
-
\??\c:\nhnntt.exec:\nhnntt.exe74⤵PID:1356
-
\??\c:\bttttt.exec:\bttttt.exe75⤵PID:4632
-
\??\c:\ddpjj.exec:\ddpjj.exe76⤵PID:2632
-
\??\c:\llrrllf.exec:\llrrllf.exe77⤵PID:1720
-
\??\c:\nhnhbn.exec:\nhnhbn.exe78⤵PID:3636
-
\??\c:\dvpdv.exec:\dvpdv.exe79⤵PID:3644
-
\??\c:\lrxrfff.exec:\lrxrfff.exe80⤵PID:1836
-
\??\c:\ntnhtt.exec:\ntnhtt.exe81⤵PID:3952
-
\??\c:\pjvdv.exec:\pjvdv.exe82⤵PID:4804
-
\??\c:\vpjvp.exec:\vpjvp.exe83⤵PID:4524
-
\??\c:\5rllxrf.exec:\5rllxrf.exe84⤵PID:3476
-
\??\c:\ffxrfxr.exec:\ffxrfxr.exe85⤵PID:3960
-
\??\c:\3tbntt.exec:\3tbntt.exe86⤵PID:3312
-
\??\c:\pjpdp.exec:\pjpdp.exe87⤵PID:4176
-
\??\c:\xrxrrff.exec:\xrxrrff.exe88⤵PID:2440
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe89⤵PID:3876
-
\??\c:\hbbbbb.exec:\hbbbbb.exe90⤵PID:2972
-
\??\c:\dvvpj.exec:\dvvpj.exe91⤵PID:4736
-
\??\c:\rllflll.exec:\rllflll.exe92⤵PID:3864
-
\??\c:\fflfxlf.exec:\fflfxlf.exe93⤵PID:4320
-
\??\c:\9tbtnb.exec:\9tbtnb.exe94⤵PID:4376
-
\??\c:\pdjdp.exec:\pdjdp.exe95⤵PID:740
-
\??\c:\xrffffr.exec:\xrffffr.exe96⤵PID:4556
-
\??\c:\7fxrrrl.exec:\7fxrrrl.exe97⤵PID:1028
-
\??\c:\hbbttt.exec:\hbbttt.exe98⤵PID:2104
-
\??\c:\jpvvp.exec:\jpvvp.exe99⤵PID:4404
-
\??\c:\dvdvd.exec:\dvdvd.exe100⤵PID:2212
-
\??\c:\fxlfrrl.exec:\fxlfrrl.exe101⤵PID:2060
-
\??\c:\htbtnn.exec:\htbtnn.exe102⤵PID:1372
-
\??\c:\3bhhbh.exec:\3bhhbh.exe103⤵PID:3620
-
\??\c:\pjvpj.exec:\pjvpj.exe104⤵PID:4636
-
\??\c:\lfrlllr.exec:\lfrlllr.exe105⤵PID:3048
-
\??\c:\3nbbtt.exec:\3nbbtt.exe106⤵PID:3572
-
\??\c:\vjpvp.exec:\vjpvp.exe107⤵PID:220
-
\??\c:\rrxrflf.exec:\rrxrflf.exe108⤵PID:4940
-
\??\c:\rflfflf.exec:\rflfflf.exe109⤵PID:4004
-
\??\c:\hnttnn.exec:\hnttnn.exe110⤵PID:940
-
\??\c:\pvvpp.exec:\pvvpp.exe111⤵PID:1920
-
\??\c:\5xfxxxx.exec:\5xfxxxx.exe112⤵PID:3456
-
\??\c:\7xxrfff.exec:\7xxrfff.exe113⤵PID:1228
-
\??\c:\thhtnt.exec:\thhtnt.exe114⤵PID:4384
-
\??\c:\djppj.exec:\djppj.exe115⤵PID:3812
-
\??\c:\lfllrlr.exec:\lfllrlr.exe116⤵PID:3824
-
\??\c:\rxxxrrr.exec:\rxxxrrr.exe117⤵PID:1072
-
\??\c:\hnbttn.exec:\hnbttn.exe118⤵PID:3840
-
\??\c:\pvdvp.exec:\pvdvp.exe119⤵PID:1908
-
\??\c:\5rxrlll.exec:\5rxrlll.exe120⤵PID:1952
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe121⤵PID:4852
-
\??\c:\bnnhhb.exec:\bnnhhb.exe122⤵PID:596