Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24/12/2024, 00:26
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe
-
Size
453KB
-
MD5
dda859c1e7986cab886e126bdff21813
-
SHA1
391e2761ea9d2ed0f5d83f2c986dfbb393661ab8
-
SHA256
acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582
-
SHA512
2577c49c10aa950b1d2b7c2b6003ee5b5b8ef11b8afdde8ad75a19d1fc5f1876c087db40d11720e2d8a0369c4c1be8e4167c826c94114450bd2a348b27a1706d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2936-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3572-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4476-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-1013-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-1098-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-1396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3488 7jjvp.exe 3992 9fxlflf.exe 1304 3tnhtt.exe 2388 jdjjj.exe 1036 frlfrlx.exe 4892 dpvpd.exe 4452 7flrrfx.exe 3900 htbtnh.exe 2344 btthtn.exe 2260 btbbnn.exe 2964 3jjvp.exe 820 tbnhbt.exe 4208 thhbtt.exe 2496 dvjvv.exe 4052 flffffx.exe 3044 1bhbtn.exe 3724 fxrlrrx.exe 2980 pvddv.exe 4044 bttnhb.exe 3244 pjvjp.exe 2860 rflrflf.exe 5040 jvdvp.exe 2624 lfrflxl.exe 3572 ddjpd.exe 4792 fxllxrl.exe 1240 nttntn.exe 3880 xfrfrrl.exe 4812 bttnhn.exe 2956 tbbthb.exe 4828 lffxrlf.exe 2108 rxfxlfr.exe 4764 jvdvv.exe 3368 thhtbb.exe 4280 7tnhtt.exe 4696 5jvdp.exe 4432 rffxrlf.exe 1908 xxllffl.exe 2232 tttnhb.exe 4136 djppv.exe 4392 rflxfxx.exe 1800 hbtntn.exe 3380 vppdj.exe 3248 ffxxffx.exe 2800 7fxrffr.exe 4740 9tttnn.exe 2572 pdddv.exe 3604 fflrxfr.exe 548 nttthb.exe 3528 1vvpj.exe 428 nnnbtn.exe 3616 5hhthh.exe 2952 7dvvj.exe 4104 fffrxlf.exe 2940 flxlffx.exe 460 hbthbb.exe 4448 jjpdp.exe 2864 frfrlfx.exe 2964 lffxrrl.exe 1100 tnttbb.exe 820 vvpjd.exe 1904 xxfxffl.exe 4668 tbbtnn.exe 1496 jjdvp.exe 3868 vjdvj.exe -
resource yara_rule behavioral2/memory/2936-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3572-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-303-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4476-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-670-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2936 wrote to memory of 3488 2936 acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe 82 PID 2936 wrote to memory of 3488 2936 acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe 82 PID 2936 wrote to memory of 3488 2936 acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe 82 PID 3488 wrote to memory of 3992 3488 7jjvp.exe 83 PID 3488 wrote to memory of 3992 3488 7jjvp.exe 83 PID 3488 wrote to memory of 3992 3488 7jjvp.exe 83 PID 3992 wrote to memory of 1304 3992 9fxlflf.exe 84 PID 3992 wrote to memory of 1304 3992 9fxlflf.exe 84 PID 3992 wrote to memory of 1304 3992 9fxlflf.exe 84 PID 1304 wrote to memory of 2388 1304 3tnhtt.exe 85 PID 1304 wrote to memory of 2388 1304 3tnhtt.exe 85 PID 1304 wrote to memory of 2388 1304 3tnhtt.exe 85 PID 2388 wrote to memory of 1036 2388 jdjjj.exe 86 PID 2388 wrote to memory of 1036 2388 jdjjj.exe 86 PID 2388 wrote to memory of 1036 2388 jdjjj.exe 86 PID 1036 wrote to memory of 4892 1036 frlfrlx.exe 87 PID 1036 wrote to memory of 4892 1036 frlfrlx.exe 87 PID 1036 wrote to memory of 4892 1036 frlfrlx.exe 87 PID 4892 wrote to memory of 4452 4892 dpvpd.exe 88 PID 4892 wrote to memory of 4452 4892 dpvpd.exe 88 PID 4892 wrote to memory of 4452 4892 dpvpd.exe 88 PID 4452 wrote to memory of 3900 4452 7flrrfx.exe 89 PID 4452 wrote to memory of 3900 4452 7flrrfx.exe 89 PID 4452 wrote to memory of 3900 4452 7flrrfx.exe 89 PID 3900 wrote to memory of 2344 3900 htbtnh.exe 90 PID 3900 wrote to memory of 2344 3900 htbtnh.exe 90 PID 3900 wrote to memory of 2344 3900 htbtnh.exe 90 PID 2344 wrote to memory of 2260 2344 btthtn.exe 91 PID 2344 wrote to memory of 2260 2344 btthtn.exe 91 PID 2344 wrote to memory of 2260 2344 btthtn.exe 91 PID 2260 wrote to memory of 2964 2260 btbbnn.exe 92 PID 2260 wrote to memory of 2964 2260 btbbnn.exe 92 PID 2260 wrote to memory of 2964 2260 btbbnn.exe 92 PID 2964 wrote to memory of 820 2964 3jjvp.exe 93 PID 2964 wrote to 
memory of 820 2964 3jjvp.exe 93 PID 2964 wrote to memory of 820 2964 3jjvp.exe 93 PID 820 wrote to memory of 4208 820 tbnhbt.exe 94 PID 820 wrote to memory of 4208 820 tbnhbt.exe 94 PID 820 wrote to memory of 4208 820 tbnhbt.exe 94 PID 4208 wrote to memory of 2496 4208 thhbtt.exe 95 PID 4208 wrote to memory of 2496 4208 thhbtt.exe 95 PID 4208 wrote to memory of 2496 4208 thhbtt.exe 95 PID 2496 wrote to memory of 4052 2496 dvjvv.exe 96 PID 2496 wrote to memory of 4052 2496 dvjvv.exe 96 PID 2496 wrote to memory of 4052 2496 dvjvv.exe 96 PID 4052 wrote to memory of 3044 4052 flffffx.exe 97 PID 4052 wrote to memory of 3044 4052 flffffx.exe 97 PID 4052 wrote to memory of 3044 4052 flffffx.exe 97 PID 3044 wrote to memory of 3724 3044 1bhbtn.exe 98 PID 3044 wrote to memory of 3724 3044 1bhbtn.exe 98 PID 3044 wrote to memory of 3724 3044 1bhbtn.exe 98 PID 3724 wrote to memory of 2980 3724 fxrlrrx.exe 99 PID 3724 wrote to memory of 2980 3724 fxrlrrx.exe 99 PID 3724 wrote to memory of 2980 3724 fxrlrrx.exe 99 PID 2980 wrote to memory of 4044 2980 pvddv.exe 100 PID 2980 wrote to memory of 4044 2980 pvddv.exe 100 PID 2980 wrote to memory of 4044 2980 pvddv.exe 100 PID 4044 wrote to memory of 3244 4044 bttnhb.exe 101 PID 4044 wrote to memory of 3244 4044 bttnhb.exe 101 PID 4044 wrote to memory of 3244 4044 bttnhb.exe 101 PID 3244 wrote to memory of 2860 3244 pjvjp.exe 102 PID 3244 wrote to memory of 2860 3244 pjvjp.exe 102 PID 3244 wrote to memory of 2860 3244 pjvjp.exe 102 PID 2860 wrote to memory of 5040 2860 rflrflf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe"C:\Users\Admin\AppData\Local\Temp\acf4c30908e3dd4bfa3a7510fef2e33640569555e3b3f05503c3e2e0f2de3582.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\7jjvp.exec:\7jjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\9fxlflf.exec:\9fxlflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\3tnhtt.exec:\3tnhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\jdjjj.exec:\jdjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\frlfrlx.exec:\frlfrlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\dpvpd.exec:\dpvpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\7flrrfx.exec:\7flrrfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\htbtnh.exec:\htbtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\btthtn.exec:\btthtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\btbbnn.exec:\btbbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\3jjvp.exec:\3jjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\tbnhbt.exec:\tbnhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\thhbtt.exec:\thhbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\dvjvv.exec:\dvjvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\flffffx.exec:\flffffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\1bhbtn.exec:\1bhbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\fxrlrrx.exec:\fxrlrrx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\pvddv.exec:\pvddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\bttnhb.exec:\bttnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\pjvjp.exec:\pjvjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\rflrflf.exec:\rflrflf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\jvdvp.exec:\jvdvp.exe23⤵
- Executes dropped EXE
PID:5040 -
\??\c:\lfrflxl.exec:\lfrflxl.exe24⤵
- Executes dropped EXE
PID:2624 -
\??\c:\ddjpd.exec:\ddjpd.exe25⤵
- Executes dropped EXE
PID:3572 -
\??\c:\fxllxrl.exec:\fxllxrl.exe26⤵
- Executes dropped EXE
PID:4792 -
\??\c:\nttntn.exec:\nttntn.exe27⤵
- Executes dropped EXE
PID:1240 -
\??\c:\xfrfrrl.exec:\xfrfrrl.exe28⤵
- Executes dropped EXE
PID:3880 -
\??\c:\bttnhn.exec:\bttnhn.exe29⤵
- Executes dropped EXE
PID:4812 -
\??\c:\tbbthb.exec:\tbbthb.exe30⤵
- Executes dropped EXE
PID:2956 -
\??\c:\lffxrlf.exec:\lffxrlf.exe31⤵
- Executes dropped EXE
PID:4828 -
\??\c:\rxfxlfr.exec:\rxfxlfr.exe32⤵
- Executes dropped EXE
PID:2108 -
\??\c:\jvdvv.exec:\jvdvv.exe33⤵
- Executes dropped EXE
PID:4764 -
\??\c:\thhtbb.exec:\thhtbb.exe34⤵
- Executes dropped EXE
PID:3368 -
\??\c:\7tnhtt.exec:\7tnhtt.exe35⤵
- Executes dropped EXE
PID:4280 -
\??\c:\5jvdp.exec:\5jvdp.exe36⤵
- Executes dropped EXE
PID:4696 -
\??\c:\rffxrlf.exec:\rffxrlf.exe37⤵
- Executes dropped EXE
PID:4432 -
\??\c:\xxllffl.exec:\xxllffl.exe38⤵
- Executes dropped EXE
PID:1908 -
\??\c:\tttnhb.exec:\tttnhb.exe39⤵
- Executes dropped EXE
PID:2232 -
\??\c:\djppv.exec:\djppv.exe40⤵
- Executes dropped EXE
PID:4136 -
\??\c:\rflxfxx.exec:\rflxfxx.exe41⤵
- Executes dropped EXE
PID:4392 -
\??\c:\hbtntn.exec:\hbtntn.exe42⤵
- Executes dropped EXE
PID:1800 -
\??\c:\vppdj.exec:\vppdj.exe43⤵
- Executes dropped EXE
PID:3380 -
\??\c:\ffxxffx.exec:\ffxxffx.exe44⤵
- Executes dropped EXE
PID:3248 -
\??\c:\7fxrffr.exec:\7fxrffr.exe45⤵
- Executes dropped EXE
PID:2800 -
\??\c:\9tttnn.exec:\9tttnn.exe46⤵
- Executes dropped EXE
PID:4740 -
\??\c:\pdddv.exec:\pdddv.exe47⤵
- Executes dropped EXE
PID:2572 -
\??\c:\fflrxfr.exec:\fflrxfr.exe48⤵
- Executes dropped EXE
PID:3604 -
\??\c:\nttthb.exec:\nttthb.exe49⤵
- Executes dropped EXE
PID:548 -
\??\c:\1vvpj.exec:\1vvpj.exe50⤵
- Executes dropped EXE
PID:3528 -
\??\c:\nnnbtn.exec:\nnnbtn.exe51⤵
- Executes dropped EXE
PID:428 -
\??\c:\5hhthh.exec:\5hhthh.exe52⤵
- Executes dropped EXE
PID:3616 -
\??\c:\7dvvj.exec:\7dvvj.exe53⤵
- Executes dropped EXE
PID:2952 -
\??\c:\fffrxlf.exec:\fffrxlf.exe54⤵
- Executes dropped EXE
PID:4104 -
\??\c:\flxlffx.exec:\flxlffx.exe55⤵
- Executes dropped EXE
PID:2940 -
\??\c:\hbthbb.exec:\hbthbb.exe56⤵
- Executes dropped EXE
PID:460 -
\??\c:\jjpdp.exec:\jjpdp.exe57⤵
- Executes dropped EXE
PID:4448 -
\??\c:\frfrlfx.exec:\frfrlfx.exe58⤵
- Executes dropped EXE
PID:2864 -
\??\c:\lffxrrl.exec:\lffxrrl.exe59⤵
- Executes dropped EXE
PID:2964 -
\??\c:\tnttbb.exec:\tnttbb.exe60⤵
- Executes dropped EXE
PID:1100 -
\??\c:\vvpjd.exec:\vvpjd.exe61⤵
- Executes dropped EXE
PID:820 -
\??\c:\xxfxffl.exec:\xxfxffl.exe62⤵
- Executes dropped EXE
PID:1904 -
\??\c:\tbbtnn.exec:\tbbtnn.exe63⤵
- Executes dropped EXE
PID:4668 -
\??\c:\jjdvp.exec:\jjdvp.exe64⤵
- Executes dropped EXE
PID:1496 -
\??\c:\vjdvj.exec:\vjdvj.exe65⤵
- Executes dropped EXE
PID:3868 -
\??\c:\lflfffx.exec:\lflfffx.exe66⤵PID:3292
-
\??\c:\bnthbb.exec:\bnthbb.exe67⤵PID:3068
-
\??\c:\djppj.exec:\djppj.exe68⤵PID:3688
-
\??\c:\rxfrfxr.exec:\rxfrfxr.exe69⤵PID:3440
-
\??\c:\bnnnhn.exec:\bnnnhn.exe70⤵PID:3268
-
\??\c:\nnttnh.exec:\nnttnh.exe71⤵PID:2628
-
\??\c:\5djvp.exec:\5djvp.exe72⤵PID:4476
-
\??\c:\rrlfrlf.exec:\rrlfrlf.exe73⤵PID:4748
-
\??\c:\3hhbth.exec:\3hhbth.exe74⤵PID:1760
-
\??\c:\jvdvp.exec:\jvdvp.exe75⤵PID:2900
-
\??\c:\xrfllfx.exec:\xrfllfx.exe76⤵PID:380
-
\??\c:\1fxrlfr.exec:\1fxrlfr.exe77⤵PID:3740
-
\??\c:\thnnnn.exec:\thnnnn.exe78⤵PID:4512
-
\??\c:\jjvjv.exec:\jjvjv.exe79⤵PID:4444
-
\??\c:\rxxxrrl.exec:\rxxxrrl.exe80⤵PID:1112
-
\??\c:\rfrlxxx.exec:\rfrlxxx.exe81⤵PID:2744
-
\??\c:\httnnh.exec:\httnnh.exe82⤵PID:732
-
\??\c:\5vvjv.exec:\5vvjv.exe83⤵PID:212
-
\??\c:\9xfrrfx.exec:\9xfrrfx.exe84⤵PID:632
-
\??\c:\hnbnbh.exec:\hnbnbh.exe85⤵PID:2044
-
\??\c:\hbtnhh.exec:\hbtnhh.exe86⤵PID:4960
-
\??\c:\jvvjv.exec:\jvvjv.exe87⤵PID:2340
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe88⤵PID:3448
-
\??\c:\fllfxxr.exec:\fllfxxr.exe89⤵PID:4540
-
\??\c:\hnttnn.exec:\hnttnn.exe90⤵PID:3364
-
\??\c:\1pdjv.exec:\1pdjv.exe91⤵PID:4964
-
\??\c:\rllffff.exec:\rllffff.exe92⤵PID:792
-
\??\c:\3fflflf.exec:\3fflflf.exe93⤵PID:432
-
\??\c:\hhhhbb.exec:\hhhhbb.exe94⤵PID:4572
-
\??\c:\dvvjv.exec:\dvvjv.exe95⤵PID:464
-
\??\c:\vjpjv.exec:\vjpjv.exe96⤵PID:3368
-
\??\c:\xrxlrrf.exec:\xrxlrrf.exe97⤵PID:4172
-
\??\c:\5bhhbt.exec:\5bhhbt.exe98⤵PID:3536
-
\??\c:\5ppvd.exec:\5ppvd.exe99⤵PID:3820
-
\??\c:\pvjdv.exec:\pvjdv.exe100⤵PID:3940
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe101⤵PID:3884
-
\??\c:\9nnhbb.exec:\9nnhbb.exe102⤵PID:2172
-
\??\c:\vvvpj.exec:\vvvpj.exe103⤵PID:4284
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe104⤵PID:2936
-
\??\c:\tthbhh.exec:\tthbhh.exe105⤵PID:3488
-
\??\c:\hbbnnn.exec:\hbbnnn.exe106⤵PID:4680
-
\??\c:\7pppd.exec:\7pppd.exe107⤵PID:4876
-
\??\c:\rrrllff.exec:\rrrllff.exe108⤵PID:3992
-
\??\c:\lxrrlxr.exec:\lxrrlxr.exe109⤵PID:4936
-
\??\c:\bnbbnn.exec:\bnbbnn.exe110⤵PID:1256
-
\??\c:\7ddvp.exec:\7ddvp.exe111⤵PID:1092
-
\??\c:\xrllffx.exec:\xrllffx.exe112⤵PID:4816
-
\??\c:\tntnnn.exec:\tntnnn.exe113⤵PID:316
-
\??\c:\5nhhbn.exec:\5nhhbn.exe114⤵PID:344
-
\??\c:\vdjdv.exec:\vdjdv.exe115⤵PID:3608
-
\??\c:\lllfxrl.exec:\lllfxrl.exe116⤵PID:1360
-
\??\c:\5bthbb.exec:\5bthbb.exe117⤵PID:3828
-
\??\c:\dpvpd.exec:\dpvpd.exe118⤵PID:3420
-
\??\c:\xlfrxrf.exec:\xlfrxrf.exe119⤵PID:888
-
\??\c:\bbhbbb.exec:\bbhbbb.exe120⤵PID:2684
-
\??\c:\nhthnt.exec:\nhthnt.exe121⤵PID:1976
-
\??\c:\jjpjj.exec:\jjpjj.exe122⤵PID:4336