Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe
-
Size
454KB
-
MD5
9b75724fbeca4f69021aa0b85dab37c0
-
SHA1
11d83416871bcbc8633c9459a878d7018fa7e543
-
SHA256
9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e
-
SHA512
dfd37a1ad16dac7a32311183238406d0a80ff0239cac7626640812f9ff8a784825e5c3f74fb3ff951b1cb8b7064b10537b1b14adefb6d844467aeaf084748228
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT8:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2204-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/936-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4348-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1968-1733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2184 1ffrlfx.exe 540 5nhthh.exe 4828 jpvdp.exe 436 flflflx.exe 4860 pvvjv.exe 1696 jdjvv.exe 2656 frlxfxl.exe 3260 5jjvj.exe 1240 5nntht.exe 2140 xlrfrfr.exe 1900 bnnhhb.exe 812 flrxlfr.exe 2600 rfxlxrf.exe 4088 tbnbtn.exe 1384 fllfxxr.exe 3496 5nhbhb.exe 5088 ppdvd.exe 4512 dddpd.exe 3432 5hnnbt.exe 3556 7nbnbt.exe 2208 vjdvp.exe 1324 ntbthb.exe 2108 vdvjv.exe 744 xrlfrff.exe 112 nbhtbt.exe 936 5pdpd.exe 4120 rxxrfxl.exe 4616 nnhbnh.exe 456 5hbthb.exe 2384 pvvjd.exe 2196 nbbbhb.exe 2304 lflxrxr.exe 3448 rlrffxr.exe 2792 pvdpd.exe 3240 lrfrfrf.exe 4940 tthnbt.exe 2900 5pvdd.exe 3660 flxlxrf.exe 1168 thhbnh.exe 2884 jjjdv.exe 228 lllxlrr.exe 3564 tbhttt.exe 4696 djpjd.exe 4720 jddpv.exe 3924 frxlxrl.exe 3472 bthbhn.exe 1336 vjdvj.exe 2448 5xfxrrl.exe 3620 ntnnbb.exe 4160 vjdvp.exe 540 1lxrfxr.exe 4832 lflflfl.exe 1272 hnnhbn.exe 1744 vpvjv.exe 4580 lxxrlfx.exe 4248 bttttb.exe 4740 jjpjd.exe 3236 pjvpp.exe 4836 lrlrrxf.exe 2888 9nbthh.exe 2180 5xxrxxl.exe 5096 tbbthb.exe 4912 thbthb.exe 3412 3vdvj.exe -
resource yara_rule behavioral2/memory/2204-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/936-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-399-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3512-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-721-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnnbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2184 2204 9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe 82 PID 2204 wrote to memory of 2184 2204 9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe 82 PID 2204 wrote to memory of 2184 2204 9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe 82 PID 2184 wrote to memory of 540 2184 1ffrlfx.exe 83 PID 2184 wrote to memory of 540 2184 1ffrlfx.exe 83 PID 2184 wrote to memory of 540 2184 1ffrlfx.exe 83 PID 540 wrote to memory of 4828 540 5nhthh.exe 84 PID 540 wrote to memory of 4828 540 5nhthh.exe 84 PID 540 wrote to memory of 4828 540 5nhthh.exe 84 PID 4828 wrote to memory of 436 4828 jpvdp.exe 85 PID 4828 wrote to memory of 436 4828 jpvdp.exe 85 PID 4828 wrote to memory of 436 4828 jpvdp.exe 85 PID 436 wrote to memory of 4860 436 flflflx.exe 86 PID 436 wrote to memory of 4860 436 flflflx.exe 86 PID 436 wrote to memory of 4860 436 flflflx.exe 86 PID 4860 wrote to memory of 1696 4860 pvvjv.exe 87 PID 4860 wrote to memory of 1696 4860 pvvjv.exe 87 PID 4860 wrote to memory of 1696 4860 pvvjv.exe 87 PID 1696 wrote to memory of 2656 1696 jdjvv.exe 88 PID 1696 wrote to memory of 2656 1696 jdjvv.exe 88 PID 1696 wrote to memory of 2656 1696 jdjvv.exe 88 PID 2656 wrote to memory of 3260 2656 frlxfxl.exe 89 PID 2656 wrote to memory of 3260 2656 frlxfxl.exe 89 PID 2656 wrote to memory of 3260 2656 frlxfxl.exe 89 PID 3260 wrote to memory of 1240 3260 5jjvj.exe 90 PID 3260 wrote to memory of 1240 3260 5jjvj.exe 90 PID 3260 wrote to memory of 1240 3260 5jjvj.exe 90 PID 1240 wrote to memory of 2140 1240 5nntht.exe 91 PID 1240 wrote to memory of 2140 1240 5nntht.exe 91 PID 1240 wrote to memory of 2140 1240 5nntht.exe 91 PID 2140 wrote to memory of 1900 2140 xlrfrfr.exe 92 PID 2140 wrote to memory of 1900 2140 xlrfrfr.exe 92 PID 2140 wrote to memory of 1900 2140 xlrfrfr.exe 92 PID 1900 wrote to memory of 812 1900 bnnhhb.exe 93 PID 1900 wrote to memory of 812 1900 
bnnhhb.exe 93 PID 1900 wrote to memory of 812 1900 bnnhhb.exe 93 PID 812 wrote to memory of 2600 812 flrxlfr.exe 94 PID 812 wrote to memory of 2600 812 flrxlfr.exe 94 PID 812 wrote to memory of 2600 812 flrxlfr.exe 94 PID 2600 wrote to memory of 4088 2600 rfxlxrf.exe 95 PID 2600 wrote to memory of 4088 2600 rfxlxrf.exe 95 PID 2600 wrote to memory of 4088 2600 rfxlxrf.exe 95 PID 4088 wrote to memory of 1384 4088 tbnbtn.exe 96 PID 4088 wrote to memory of 1384 4088 tbnbtn.exe 96 PID 4088 wrote to memory of 1384 4088 tbnbtn.exe 96 PID 1384 wrote to memory of 3496 1384 fllfxxr.exe 97 PID 1384 wrote to memory of 3496 1384 fllfxxr.exe 97 PID 1384 wrote to memory of 3496 1384 fllfxxr.exe 97 PID 3496 wrote to memory of 5088 3496 5nhbhb.exe 98 PID 3496 wrote to memory of 5088 3496 5nhbhb.exe 98 PID 3496 wrote to memory of 5088 3496 5nhbhb.exe 98 PID 5088 wrote to memory of 4512 5088 ppdvd.exe 99 PID 5088 wrote to memory of 4512 5088 ppdvd.exe 99 PID 5088 wrote to memory of 4512 5088 ppdvd.exe 99 PID 4512 wrote to memory of 3432 4512 dddpd.exe 100 PID 4512 wrote to memory of 3432 4512 dddpd.exe 100 PID 4512 wrote to memory of 3432 4512 dddpd.exe 100 PID 3432 wrote to memory of 3556 3432 5hnnbt.exe 101 PID 3432 wrote to memory of 3556 3432 5hnnbt.exe 101 PID 3432 wrote to memory of 3556 3432 5hnnbt.exe 101 PID 3556 wrote to memory of 2208 3556 7nbnbt.exe 102 PID 3556 wrote to memory of 2208 3556 7nbnbt.exe 102 PID 3556 wrote to memory of 2208 3556 7nbnbt.exe 102 PID 2208 wrote to memory of 1324 2208 vjdvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe"C:\Users\Admin\AppData\Local\Temp\9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\1ffrlfx.exec:\1ffrlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\5nhthh.exec:\5nhthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\jpvdp.exec:\jpvdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\flflflx.exec:\flflflx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\pvvjv.exec:\pvvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\jdjvv.exec:\jdjvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\frlxfxl.exec:\frlxfxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\5jjvj.exec:\5jjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\5nntht.exec:\5nntht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\xlrfrfr.exec:\xlrfrfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\bnnhhb.exec:\bnnhhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\flrxlfr.exec:\flrxlfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\rfxlxrf.exec:\rfxlxrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\tbnbtn.exec:\tbnbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\fllfxxr.exec:\fllfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\5nhbhb.exec:\5nhbhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\ppdvd.exec:\ppdvd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\dddpd.exec:\dddpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\5hnnbt.exec:\5hnnbt.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\7nbnbt.exec:\7nbnbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\vjdvp.exec:\vjdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\ntbthb.exec:\ntbthb.exe23⤵
- Executes dropped EXE
PID:1324 -
\??\c:\vdvjv.exec:\vdvjv.exe24⤵
- Executes dropped EXE
PID:2108 -
\??\c:\xrlfrff.exec:\xrlfrff.exe25⤵
- Executes dropped EXE
PID:744 -
\??\c:\nbhtbt.exec:\nbhtbt.exe26⤵
- Executes dropped EXE
PID:112 -
\??\c:\5pdpd.exec:\5pdpd.exe27⤵
- Executes dropped EXE
PID:936 -
\??\c:\rxxrfxl.exec:\rxxrfxl.exe28⤵
- Executes dropped EXE
PID:4120 -
\??\c:\nnhbnh.exec:\nnhbnh.exe29⤵
- Executes dropped EXE
PID:4616 -
\??\c:\5hbthb.exec:\5hbthb.exe30⤵
- Executes dropped EXE
PID:456 -
\??\c:\pvvjd.exec:\pvvjd.exe31⤵
- Executes dropped EXE
PID:2384 -
\??\c:\nbbbhb.exec:\nbbbhb.exe32⤵
- Executes dropped EXE
PID:2196 -
\??\c:\lflxrxr.exec:\lflxrxr.exe33⤵
- Executes dropped EXE
PID:2304 -
\??\c:\rlrffxr.exec:\rlrffxr.exe34⤵
- Executes dropped EXE
PID:3448 -
\??\c:\pvdpd.exec:\pvdpd.exe35⤵
- Executes dropped EXE
PID:2792 -
\??\c:\lrfrfrf.exec:\lrfrfrf.exe36⤵
- Executes dropped EXE
PID:3240 -
\??\c:\tthnbt.exec:\tthnbt.exe37⤵
- Executes dropped EXE
PID:4940 -
\??\c:\5pvdd.exec:\5pvdd.exe38⤵
- Executes dropped EXE
PID:2900 -
\??\c:\flxlxrf.exec:\flxlxrf.exe39⤵
- Executes dropped EXE
PID:3660 -
\??\c:\thhbnh.exec:\thhbnh.exe40⤵
- Executes dropped EXE
PID:1168 -
\??\c:\jjjdv.exec:\jjjdv.exe41⤵
- Executes dropped EXE
PID:2884 -
\??\c:\lllxlrr.exec:\lllxlrr.exe42⤵
- Executes dropped EXE
PID:228 -
\??\c:\tbhttt.exec:\tbhttt.exe43⤵
- Executes dropped EXE
PID:3564 -
\??\c:\djpjd.exec:\djpjd.exe44⤵
- Executes dropped EXE
PID:4696 -
\??\c:\jddpv.exec:\jddpv.exe45⤵
- Executes dropped EXE
PID:4720 -
\??\c:\frxlxrl.exec:\frxlxrl.exe46⤵
- Executes dropped EXE
PID:3924 -
\??\c:\bthbhn.exec:\bthbhn.exe47⤵
- Executes dropped EXE
PID:3472 -
\??\c:\vjdvj.exec:\vjdvj.exe48⤵
- Executes dropped EXE
PID:1336 -
\??\c:\5xfxrrl.exec:\5xfxrrl.exe49⤵
- Executes dropped EXE
PID:2448 -
\??\c:\ntnnbb.exec:\ntnnbb.exe50⤵
- Executes dropped EXE
PID:3620 -
\??\c:\vjdvp.exec:\vjdvp.exe51⤵
- Executes dropped EXE
PID:4160 -
\??\c:\1lxrfxr.exec:\1lxrfxr.exe52⤵
- Executes dropped EXE
PID:540 -
\??\c:\lflflfl.exec:\lflflfl.exe53⤵
- Executes dropped EXE
PID:4832 -
\??\c:\hnnhbn.exec:\hnnhbn.exe54⤵
- Executes dropped EXE
PID:1272 -
\??\c:\vpvjv.exec:\vpvjv.exe55⤵
- Executes dropped EXE
PID:1744 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe56⤵
- Executes dropped EXE
PID:4580 -
\??\c:\bttttb.exec:\bttttb.exe57⤵
- Executes dropped EXE
PID:4248 -
\??\c:\jjpjd.exec:\jjpjd.exe58⤵
- Executes dropped EXE
PID:4740 -
\??\c:\pjvpp.exec:\pjvpp.exe59⤵
- Executes dropped EXE
PID:3236 -
\??\c:\lrlrrxf.exec:\lrlrrxf.exe60⤵
- Executes dropped EXE
PID:4836 -
\??\c:\9nbthh.exec:\9nbthh.exe61⤵
- Executes dropped EXE
PID:2888 -
\??\c:\5xxrxxl.exec:\5xxrxxl.exe62⤵
- Executes dropped EXE
PID:2180 -
\??\c:\tbbthb.exec:\tbbthb.exe63⤵
- Executes dropped EXE
PID:5096 -
\??\c:\thbthb.exec:\thbthb.exe64⤵
- Executes dropped EXE
PID:4912 -
\??\c:\3vdvj.exec:\3vdvj.exe65⤵
- Executes dropped EXE
PID:3412 -
\??\c:\5rxlrxr.exec:\5rxlrxr.exe66⤵PID:4776
-
\??\c:\lrrfxlf.exec:\lrrfxlf.exe67⤵PID:4208
-
\??\c:\htnhth.exec:\htnhth.exe68⤵PID:3420
-
\??\c:\7vvpd.exec:\7vvpd.exe69⤵PID:1740
-
\??\c:\xrlfxrf.exec:\xrlfxrf.exe70⤵PID:5052
-
\??\c:\7fxlxxl.exec:\7fxlxxl.exe71⤵PID:400
-
\??\c:\1nbnbt.exec:\1nbnbt.exe72⤵PID:2528
-
\??\c:\1vpdp.exec:\1vpdp.exe73⤵PID:2468
-
\??\c:\pddpd.exec:\pddpd.exe74⤵PID:3484
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe75⤵PID:2128
-
\??\c:\3nbthb.exec:\3nbthb.exe76⤵PID:1432
-
\??\c:\5bhbnn.exec:\5bhbnn.exe77⤵PID:1812
-
\??\c:\3vpdj.exec:\3vpdj.exe78⤵PID:4240
-
\??\c:\xllxlfx.exec:\xllxlfx.exe79⤵PID:852
-
\??\c:\9lllxrr.exec:\9lllxrr.exe80⤵PID:2276
-
\??\c:\tnnhnh.exec:\tnnhnh.exe81⤵PID:920
-
\??\c:\jpvjv.exec:\jpvjv.exe82⤵PID:2620
-
\??\c:\1rrffxx.exec:\1rrffxx.exe83⤵PID:1920
-
\??\c:\tbhbnh.exec:\tbhbnh.exe84⤵PID:744
-
\??\c:\djpjd.exec:\djpjd.exe85⤵PID:3264
-
\??\c:\5xrrffx.exec:\5xrrffx.exe86⤵PID:1356
-
\??\c:\3rfxlxr.exec:\3rfxlxr.exe87⤵PID:4120
-
\??\c:\thbthb.exec:\thbthb.exe88⤵PID:4348
-
\??\c:\jvvjv.exec:\jvvjv.exe89⤵PID:2368
-
\??\c:\fxlffxr.exec:\fxlffxr.exe90⤵PID:4992
-
\??\c:\nttnbb.exec:\nttnbb.exe91⤵PID:456
-
\??\c:\bbhbnt.exec:\bbhbnt.exe92⤵PID:4228
-
\??\c:\1pjvj.exec:\1pjvj.exe93⤵PID:4060
-
\??\c:\frrflfx.exec:\frrflfx.exe94⤵PID:5040
-
\??\c:\bhhbnh.exec:\bhhbnh.exe95⤵PID:2408
-
\??\c:\hhhthb.exec:\hhhthb.exe96⤵PID:4928
-
\??\c:\9xxxlll.exec:\9xxxlll.exe97⤵PID:3308
-
\??\c:\xfrffff.exec:\xfrffff.exe98⤵PID:3512
-
\??\c:\nhhthn.exec:\nhhthn.exe99⤵PID:2844
-
\??\c:\ppvpp.exec:\ppvpp.exe100⤵PID:4268
-
\??\c:\xllxllx.exec:\xllxllx.exe101⤵PID:4244
-
\??\c:\nntnhh.exec:\nntnhh.exe102⤵PID:3504
-
\??\c:\hnnnhb.exec:\hnnnhb.exe103⤵PID:2920
-
\??\c:\jvdpd.exec:\jvdpd.exe104⤵PID:2916
-
\??\c:\9xxlrrf.exec:\9xxlrrf.exe105⤵PID:4956
-
\??\c:\hnhtnh.exec:\hnhtnh.exe106⤵PID:4216
-
\??\c:\vjpdd.exec:\vjpdd.exe107⤵PID:3788
-
\??\c:\djpjj.exec:\djpjj.exe108⤵PID:788
-
\??\c:\fxlfxrl.exec:\fxlfxrl.exe109⤵PID:3924
-
\??\c:\hbbnbb.exec:\hbbnbb.exe110⤵PID:3472
-
\??\c:\dvvjv.exec:\dvvjv.exe111⤵PID:4824
-
\??\c:\pvjvj.exec:\pvjvj.exe112⤵PID:2448
-
\??\c:\9xrfrfx.exec:\9xrfrfx.exe113⤵PID:1548
-
\??\c:\nbbthb.exec:\nbbthb.exe114⤵PID:4160
-
\??\c:\dpvdd.exec:\dpvdd.exe115⤵PID:1160
-
\??\c:\9rrfrxl.exec:\9rrfrxl.exe116⤵PID:4832
-
\??\c:\nttnbt.exec:\nttnbt.exe117⤵PID:1272
-
\??\c:\pdjdd.exec:\pdjdd.exe118⤵PID:3036
-
\??\c:\pdjvj.exec:\pdjvj.exe119⤵PID:4580
-
\??\c:\frlxfxl.exec:\frlxfxl.exe120⤵PID:4864
-
\??\c:\bnthtn.exec:\bnthtn.exe121⤵PID:4740
-
\??\c:\jvvdj.exec:\jvvdj.exe122⤵PID:3676