Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe
-
Size
454KB
-
MD5
8e20e60a640e12c24ebbd12f1af7dcef
-
SHA1
bdfa5ba3f44d81bde4ca89d270e538cbf63f9485
-
SHA256
d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e
-
SHA512
97290083b3e40a43d3a15517d62349f3b704bbd64aa35e0c7d3c21597ff2cf02d0c38ce0b072f4e21f55814f07bf7a97772952df65743e9ab20c4daf268ef20a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/796-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3912-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1844-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-977-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-1225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4248-1623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2084 jjpjd.exe 864 nhbhhb.exe 2308 xflfxff.exe 4884 flfrllr.exe 1056 jdvvp.exe 180 rfllllr.exe 1504 xlrllff.exe 516 vppjj.exe 2316 3rxrxxf.exe 3172 3jppj.exe 408 7ffrlrl.exe 3236 htbtnh.exe 4048 xllfxxr.exe 3136 jpppj.exe 2836 llrlfll.exe 3184 jvjjp.exe 3616 fxfrlfx.exe 3300 lxlfxxr.exe 3244 lflfxxx.exe 3980 rflfxrl.exe 4200 flllffx.exe 2356 jdjdd.exe 1084 1rlfxrl.exe 1356 bttthn.exe 3912 9pjjj.exe 2372 1vdvd.exe 4820 ddjdj.exe 3232 nntttt.exe 1720 flxrrxr.exe 1008 hbnntt.exe 4900 xllllrx.exe 3524 btnhtt.exe 5052 xflfxrr.exe 3880 nbthbt.exe 2212 jjdvp.exe 2620 lxrllff.exe 4816 3ttnnn.exe 1792 jvvvp.exe 1204 rxflffx.exe 4068 hnthhb.exe 2828 nbbbbb.exe 4424 djjpp.exe 4444 frllfff.exe 2544 hhtnhh.exe 244 dvddj.exe 828 rlfxllf.exe 2392 bhhhbb.exe 1428 jpjpd.exe 1500 frrlxxl.exe 4708 7fxrffx.exe 4892 nbnntt.exe 2308 jddvj.exe 4884 3llfxxr.exe 32 thhhbb.exe 4528 9vdvv.exe 3872 7ppvv.exe 4832 xfrlrxf.exe 1480 tnbhbb.exe 4904 pvvpj.exe 3172 1xxxrxr.exe 2724 btttnn.exe 3368 hbhthb.exe 1688 3vvpp.exe 1844 1xrfrfx.exe -
resource yara_rule behavioral2/memory/796-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1356-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/436-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-977-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 796 wrote to memory of 2084 796 d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe 83 PID 796 wrote to memory of 2084 796 d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe 83 PID 796 wrote to memory of 2084 796 d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe 83 PID 2084 wrote to memory of 864 2084 jjpjd.exe 84 PID 2084 wrote to memory of 864 2084 jjpjd.exe 84 PID 2084 wrote to memory of 864 2084 jjpjd.exe 84 PID 864 wrote to memory of 2308 864 nhbhhb.exe 85 PID 864 wrote to memory of 2308 864 nhbhhb.exe 85 PID 864 wrote to memory of 2308 864 nhbhhb.exe 85 PID 2308 wrote to memory of 4884 2308 xflfxff.exe 86 PID 2308 wrote to memory of 4884 2308 xflfxff.exe 86 PID 2308 wrote to memory of 4884 2308 xflfxff.exe 86 PID 4884 wrote to memory of 1056 4884 flfrllr.exe 87 PID 4884 wrote to memory of 1056 4884 flfrllr.exe 87 PID 4884 wrote to memory of 1056 4884 flfrllr.exe 87 PID 1056 wrote to memory of 180 1056 jdvvp.exe 88 PID 1056 wrote to memory of 180 1056 jdvvp.exe 88 PID 1056 wrote to memory of 180 1056 jdvvp.exe 88 PID 180 wrote to memory of 1504 180 rfllllr.exe 89 PID 180 wrote to memory of 1504 180 rfllllr.exe 89 PID 180 wrote to memory of 1504 180 rfllllr.exe 89 PID 1504 wrote to memory of 516 1504 xlrllff.exe 90 PID 1504 wrote to memory of 516 1504 xlrllff.exe 90 PID 1504 wrote to memory of 516 1504 xlrllff.exe 90 PID 516 wrote to memory of 2316 516 vppjj.exe 91 PID 516 wrote to memory of 2316 516 vppjj.exe 91 PID 516 wrote to memory of 2316 516 vppjj.exe 91 PID 2316 wrote to memory of 3172 2316 3rxrxxf.exe 92 PID 2316 wrote to memory of 3172 2316 3rxrxxf.exe 92 PID 2316 wrote to memory of 3172 2316 3rxrxxf.exe 92 PID 3172 wrote to memory of 408 3172 3jppj.exe 93 PID 3172 wrote to memory of 408 3172 3jppj.exe 93 PID 3172 wrote to memory of 408 3172 3jppj.exe 93 PID 408 wrote to memory of 3236 408 7ffrlrl.exe 94 PID 408 wrote to memory of 3236 408 7ffrlrl.exe 94 
PID 408 wrote to memory of 3236 408 7ffrlrl.exe 94 PID 3236 wrote to memory of 4048 3236 htbtnh.exe 95 PID 3236 wrote to memory of 4048 3236 htbtnh.exe 95 PID 3236 wrote to memory of 4048 3236 htbtnh.exe 95 PID 4048 wrote to memory of 3136 4048 xllfxxr.exe 96 PID 4048 wrote to memory of 3136 4048 xllfxxr.exe 96 PID 4048 wrote to memory of 3136 4048 xllfxxr.exe 96 PID 3136 wrote to memory of 2836 3136 jpppj.exe 97 PID 3136 wrote to memory of 2836 3136 jpppj.exe 97 PID 3136 wrote to memory of 2836 3136 jpppj.exe 97 PID 2836 wrote to memory of 3184 2836 llrlfll.exe 98 PID 2836 wrote to memory of 3184 2836 llrlfll.exe 98 PID 2836 wrote to memory of 3184 2836 llrlfll.exe 98 PID 3184 wrote to memory of 3616 3184 jvjjp.exe 99 PID 3184 wrote to memory of 3616 3184 jvjjp.exe 99 PID 3184 wrote to memory of 3616 3184 jvjjp.exe 99 PID 3616 wrote to memory of 3300 3616 fxfrlfx.exe 100 PID 3616 wrote to memory of 3300 3616 fxfrlfx.exe 100 PID 3616 wrote to memory of 3300 3616 fxfrlfx.exe 100 PID 3300 wrote to memory of 3244 3300 lxlfxxr.exe 101 PID 3300 wrote to memory of 3244 3300 lxlfxxr.exe 101 PID 3300 wrote to memory of 3244 3300 lxlfxxr.exe 101 PID 3244 wrote to memory of 3980 3244 lflfxxx.exe 102 PID 3244 wrote to memory of 3980 3244 lflfxxx.exe 102 PID 3244 wrote to memory of 3980 3244 lflfxxx.exe 102 PID 3980 wrote to memory of 4200 3980 rflfxrl.exe 103 PID 3980 wrote to memory of 4200 3980 rflfxrl.exe 103 PID 3980 wrote to memory of 4200 3980 rflfxrl.exe 103 PID 4200 wrote to memory of 2356 4200 flllffx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe"C:\Users\Admin\AppData\Local\Temp\d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\jjpjd.exec:\jjpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\nhbhhb.exec:\nhbhhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\xflfxff.exec:\xflfxff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\flfrllr.exec:\flfrllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\jdvvp.exec:\jdvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\rfllllr.exec:\rfllllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\xlrllff.exec:\xlrllff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\vppjj.exec:\vppjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\3rxrxxf.exec:\3rxrxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\3jppj.exec:\3jppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\7ffrlrl.exec:\7ffrlrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\htbtnh.exec:\htbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\xllfxxr.exec:\xllfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\jpppj.exec:\jpppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\llrlfll.exec:\llrlfll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\jvjjp.exec:\jvjjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\fxfrlfx.exec:\fxfrlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\lflfxxx.exec:\lflfxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\rflfxrl.exec:\rflfxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\flllffx.exec:\flllffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\jdjdd.exec:\jdjdd.exe23⤵
- Executes dropped EXE
PID:2356 -
\??\c:\1rlfxrl.exec:\1rlfxrl.exe24⤵
- Executes dropped EXE
PID:1084 -
\??\c:\bttthn.exec:\bttthn.exe25⤵
- Executes dropped EXE
PID:1356 -
\??\c:\9pjjj.exec:\9pjjj.exe26⤵
- Executes dropped EXE
PID:3912 -
\??\c:\1vdvd.exec:\1vdvd.exe27⤵
- Executes dropped EXE
PID:2372 -
\??\c:\ddjdj.exec:\ddjdj.exe28⤵
- Executes dropped EXE
PID:4820 -
\??\c:\nntttt.exec:\nntttt.exe29⤵
- Executes dropped EXE
PID:3232 -
\??\c:\flxrrxr.exec:\flxrrxr.exe30⤵
- Executes dropped EXE
PID:1720 -
\??\c:\hbnntt.exec:\hbnntt.exe31⤵
- Executes dropped EXE
PID:1008 -
\??\c:\xllllrx.exec:\xllllrx.exe32⤵
- Executes dropped EXE
PID:4900 -
\??\c:\btnhtt.exec:\btnhtt.exe33⤵
- Executes dropped EXE
PID:3524 -
\??\c:\xflfxrr.exec:\xflfxrr.exe34⤵
- Executes dropped EXE
PID:5052 -
\??\c:\nbthbt.exec:\nbthbt.exe35⤵
- Executes dropped EXE
PID:3880 -
\??\c:\jjdvp.exec:\jjdvp.exe36⤵
- Executes dropped EXE
PID:2212 -
\??\c:\lxrllff.exec:\lxrllff.exe37⤵
- Executes dropped EXE
PID:2620 -
\??\c:\3ttnnn.exec:\3ttnnn.exe38⤵
- Executes dropped EXE
PID:4816 -
\??\c:\jvvvp.exec:\jvvvp.exe39⤵
- Executes dropped EXE
PID:1792 -
\??\c:\rxflffx.exec:\rxflffx.exe40⤵
- Executes dropped EXE
PID:1204 -
\??\c:\hnthhb.exec:\hnthhb.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4068 -
\??\c:\nbbbbb.exec:\nbbbbb.exe42⤵
- Executes dropped EXE
PID:2828 -
\??\c:\djjpp.exec:\djjpp.exe43⤵
- Executes dropped EXE
PID:4424 -
\??\c:\frllfff.exec:\frllfff.exe44⤵
- Executes dropped EXE
PID:4444 -
\??\c:\hhtnhh.exec:\hhtnhh.exe45⤵
- Executes dropped EXE
PID:2544 -
\??\c:\dvddj.exec:\dvddj.exe46⤵
- Executes dropped EXE
PID:244 -
\??\c:\jjvpv.exec:\jjvpv.exe47⤵PID:2660
-
\??\c:\rlfxllf.exec:\rlfxllf.exe48⤵
- Executes dropped EXE
PID:828 -
\??\c:\bhhhbb.exec:\bhhhbb.exe49⤵
- Executes dropped EXE
PID:2392 -
\??\c:\jpjpd.exec:\jpjpd.exe50⤵
- Executes dropped EXE
PID:1428 -
\??\c:\frrlxxl.exec:\frrlxxl.exe51⤵
- Executes dropped EXE
PID:1500 -
\??\c:\7fxrffx.exec:\7fxrffx.exe52⤵
- Executes dropped EXE
PID:4708 -
\??\c:\nbnntt.exec:\nbnntt.exe53⤵
- Executes dropped EXE
PID:4892 -
\??\c:\jddvj.exec:\jddvj.exe54⤵
- Executes dropped EXE
PID:2308 -
\??\c:\3llfxxr.exec:\3llfxxr.exe55⤵
- Executes dropped EXE
PID:4884 -
\??\c:\thhhbb.exec:\thhhbb.exe56⤵
- Executes dropped EXE
PID:32 -
\??\c:\9vdvv.exec:\9vdvv.exe57⤵
- Executes dropped EXE
PID:4528 -
\??\c:\7ppvv.exec:\7ppvv.exe58⤵
- Executes dropped EXE
PID:3872 -
\??\c:\xfrlrxf.exec:\xfrlrxf.exe59⤵
- Executes dropped EXE
PID:4832 -
\??\c:\tnbhbb.exec:\tnbhbb.exe60⤵
- Executes dropped EXE
PID:1480 -
\??\c:\pvvpj.exec:\pvvpj.exe61⤵
- Executes dropped EXE
PID:4904 -
\??\c:\1xxxrxr.exec:\1xxxrxr.exe62⤵
- Executes dropped EXE
PID:3172 -
\??\c:\btttnn.exec:\btttnn.exe63⤵
- Executes dropped EXE
PID:2724 -
\??\c:\hbhthb.exec:\hbhthb.exe64⤵
- Executes dropped EXE
PID:3368 -
\??\c:\3vvpp.exec:\3vvpp.exe65⤵
- Executes dropped EXE
PID:1688 -
\??\c:\1xrfrfx.exec:\1xrfrfx.exe66⤵
- Executes dropped EXE
PID:1844 -
\??\c:\nhnhnn.exec:\nhnhnn.exe67⤵PID:3020
-
\??\c:\5pddv.exec:\5pddv.exe68⤵PID:4496
-
\??\c:\5dvjp.exec:\5dvjp.exe69⤵PID:2804
-
\??\c:\llrfrlf.exec:\llrfrlf.exe70⤵PID:4920
-
\??\c:\5bnbnn.exec:\5bnbnn.exe71⤵PID:3192
-
\??\c:\3dpdp.exec:\3dpdp.exe72⤵PID:4960
-
\??\c:\lrlflfx.exec:\lrlflfx.exe73⤵PID:372
-
\??\c:\nhbbtt.exec:\nhbbtt.exe74⤵PID:4504
-
\??\c:\nbhhhh.exec:\nbhhhh.exe75⤵PID:3684
-
\??\c:\9pdvj.exec:\9pdvj.exe76⤵PID:5088
-
\??\c:\xlxxrlx.exec:\xlxxrlx.exe77⤵PID:4500
-
\??\c:\bntnnh.exec:\bntnnh.exe78⤵PID:3120
-
\??\c:\3vvjv.exec:\3vvjv.exe79⤵PID:436
-
\??\c:\fffrfxr.exec:\fffrfxr.exe80⤵PID:2684
-
\??\c:\nttnhb.exec:\nttnhb.exe81⤵PID:1816
-
\??\c:\btbthh.exec:\btbthh.exe82⤵PID:4000
-
\??\c:\vdjdj.exec:\vdjdj.exe83⤵PID:216
-
\??\c:\xrfxffl.exec:\xrfxffl.exe84⤵PID:2152
-
\??\c:\nnbtnt.exec:\nnbtnt.exe85⤵PID:2372
-
\??\c:\pvddj.exec:\pvddj.exe86⤵PID:2652
-
\??\c:\1rxlfxf.exec:\1rxlfxf.exe87⤵PID:1832
-
\??\c:\7bnnhh.exec:\7bnnhh.exe88⤵PID:4428
-
\??\c:\bttthn.exec:\bttthn.exe89⤵PID:1316
-
\??\c:\jjpvp.exec:\jjpvp.exe90⤵PID:1008
-
\??\c:\flrfrrf.exec:\flrfrrf.exe91⤵PID:1628
-
\??\c:\hbbbtt.exec:\hbbbtt.exe92⤵PID:4576
-
\??\c:\bhnhbt.exec:\bhnhbt.exe93⤵PID:3524
-
\??\c:\jjddv.exec:\jjddv.exe94⤵PID:5052
-
\??\c:\xflffxx.exec:\xflffxx.exe95⤵PID:4780
-
\??\c:\3rrrllr.exec:\3rrrllr.exe96⤵PID:2860
-
\??\c:\thnhtt.exec:\thnhtt.exe97⤵PID:1076
-
\??\c:\pdjdv.exec:\pdjdv.exe98⤵PID:4084
-
\??\c:\djvjd.exec:\djvjd.exe99⤵PID:1792
-
\??\c:\5fxrllf.exec:\5fxrllf.exe100⤵PID:1204
-
\??\c:\thnbnh.exec:\thnbnh.exe101⤵PID:4068
-
\??\c:\pvvvj.exec:\pvvvj.exe102⤵PID:2408
-
\??\c:\vpvpp.exec:\vpvpp.exe103⤵PID:3012
-
\??\c:\flrrxxf.exec:\flrrxxf.exe104⤵PID:2556
-
\??\c:\ttttnn.exec:\ttttnn.exe105⤵PID:3292
-
\??\c:\btbtnh.exec:\btbtnh.exe106⤵PID:5008
-
\??\c:\pdjdd.exec:\pdjdd.exe107⤵PID:3312
-
\??\c:\ffrrlfr.exec:\ffrrlfr.exe108⤵PID:2868
-
\??\c:\hthbtt.exec:\hthbtt.exe109⤵PID:4732
-
\??\c:\hhtnhb.exec:\hhtnhb.exe110⤵PID:4608
-
\??\c:\ddpjj.exec:\ddpjj.exe111⤵PID:4776
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe112⤵
- System Location Discovery: System Language Discovery
PID:4712 -
\??\c:\bttnhb.exec:\bttnhb.exe113⤵PID:1068
-
\??\c:\bnttnb.exec:\bnttnb.exe114⤵PID:4524
-
\??\c:\vjjdp.exec:\vjjdp.exe115⤵PID:2308
-
\??\c:\fxfxrrx.exec:\fxfxrrx.exe116⤵PID:4124
-
\??\c:\rlfrffr.exec:\rlfrffr.exe117⤵PID:1072
-
\??\c:\5hbnbb.exec:\5hbnbb.exe118⤵PID:2892
-
\??\c:\pjddp.exec:\pjddp.exe119⤵PID:1504
-
\??\c:\3ffxllf.exec:\3ffxllf.exe120⤵PID:996
-
\??\c:\btnhtn.exec:\btnhtn.exe121⤵PID:404
-
\??\c:\ddvpj.exec:\ddvpj.exe122⤵PID:112