Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 17:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
502c9ddf90c94ebf4f36659ddafaff6de3fb72cb819cfe512a70c1e87720f3cfN.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
502c9ddf90c94ebf4f36659ddafaff6de3fb72cb819cfe512a70c1e87720f3cfN.exe
-
Size
454KB
-
MD5
657a8a5f91bb9333103592907a117eb0
-
SHA1
bedd052792e3e516363e05922c9c0f3c4cc7818e
-
SHA256
502c9ddf90c94ebf4f36659ddafaff6de3fb72cb819cfe512a70c1e87720f3cf
-
SHA512
ad9ec23d0d6db306833a9672862f8f8d6587784941ef3d5a880f7607c506bb0ea01a8c8039361b1603fd20e51dd8880d8a7aeb8f2d52fd137d7307d754935350
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTj:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload — 64 IoCs (every hit is a YARA match on the same 0x400000–0x42A000 image region of a process memory dump, one per stage of the spawn chain)
resource yara_rule behavioral2/memory/1476-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1336-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/448-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-978-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-1018-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-1031-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4024-1613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs. Note that this listing is capped at 64 entries (it ends at pdjdp.exe, PID 376, the 65th process), while the process tree below continues to depth 122; absence from this list is not evidence that a later stage was not a dropped executable. Also note PID reuse within the run (PID 964 appears as both lfrlfll.exe and rrrlffl.exe), so pivot on image path and hash rather than PID.
pid Process 1268 flxlxlx.exe 1216 jdjdv.exe 3964 3ffrllf.exe 1048 ddjjd.exe 964 lfrlfll.exe 3676 dvvdd.exe 3708 hnhhbh.exe 3820 1ffxxxr.exe 3112 jvpdv.exe 1160 hhbttt.exe 3772 rrxfrfr.exe 1416 ppppp.exe 4276 flrrxfl.exe 2304 fxffxff.exe 1864 flfffff.exe 2232 tbhhhh.exe 3116 jjppv.exe 2200 frflffx.exe 1604 9fllfff.exe 1492 dpvvp.exe 4812 xlrlfff.exe 2564 xrxffll.exe 3548 nhntnh.exe 3764 5jjjd.exe 428 vjvvv.exe 1676 xxxxffl.exe 3164 bnttnn.exe 3100 vjppp.exe 1716 vjvpj.exe 1336 5lrrlxx.exe 4888 htbnhb.exe 4620 bhtnhh.exe 4800 7llrfrr.exe 3376 3hhbbb.exe 3200 nnnnnn.exe 3788 jvdpj.exe 4344 9xlfrff.exe 3540 nnttbb.exe 5048 hbnhnn.exe 3704 jjvvd.exe 1880 pjdvd.exe 1320 5rrlfff.exe 764 tthtth.exe 1300 nbbtnn.exe 1892 ppddd.exe 4468 xlrrlff.exe 3860 hnhbtt.exe 708 tnnhhn.exe 4588 1jdvv.exe 3156 rlrffff.exe 2892 ntbbhn.exe 2112 vvddd.exe 4408 bbtnbh.exe 2224 nnbhhn.exe 1976 vdvpp.exe 4324 hthhbt.exe 1968 vvpvp.exe 1340 fxrffll.exe 1332 btbtbt.exe 652 pvppj.exe 964 rrrlffl.exe 4708 btbnhh.exe 5084 dvppp.exe 376 pdjdp.exe -
resource yara_rule behavioral2/memory/1476-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/428-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-394-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2548-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-762-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Here each stage opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language; many rows show "Process not Found" in the process column, most likely because the short-lived stage had already exited before the sandbox resolved its image name, so the registry access should be attributed by timing/PID rather than by name alone.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs. Each parent writes into its freshly created child (three WriteProcessMemory events per spawn), consistent with the parent staging the next executable before it runs. This listing is also capped at 64 entries and stops at PID 4812 → 2564, even though the tree below shows the same parent→child pattern continuing to depth 122.
description pid Process procid_target PID 1476 wrote to memory of 1268 1476 502c9ddf90c94ebf4f36659ddafaff6de3fb72cb819cfe512a70c1e87720f3cfN.exe 83 PID 1476 wrote to memory of 1268 1476 502c9ddf90c94ebf4f36659ddafaff6de3fb72cb819cfe512a70c1e87720f3cfN.exe 83 PID 1476 wrote to memory of 1268 1476 502c9ddf90c94ebf4f36659ddafaff6de3fb72cb819cfe512a70c1e87720f3cfN.exe 83 PID 1268 wrote to memory of 1216 1268 flxlxlx.exe 84 PID 1268 wrote to memory of 1216 1268 flxlxlx.exe 84 PID 1268 wrote to memory of 1216 1268 flxlxlx.exe 84 PID 1216 wrote to memory of 3964 1216 jdjdv.exe 85 PID 1216 wrote to memory of 3964 1216 jdjdv.exe 85 PID 1216 wrote to memory of 3964 1216 jdjdv.exe 85 PID 3964 wrote to memory of 1048 3964 3ffrllf.exe 86 PID 3964 wrote to memory of 1048 3964 3ffrllf.exe 86 PID 3964 wrote to memory of 1048 3964 3ffrllf.exe 86 PID 1048 wrote to memory of 964 1048 ddjjd.exe 87 PID 1048 wrote to memory of 964 1048 ddjjd.exe 87 PID 1048 wrote to memory of 964 1048 ddjjd.exe 87 PID 964 wrote to memory of 3676 964 lfrlfll.exe 88 PID 964 wrote to memory of 3676 964 lfrlfll.exe 88 PID 964 wrote to memory of 3676 964 lfrlfll.exe 88 PID 3676 wrote to memory of 3708 3676 dvvdd.exe 89 PID 3676 wrote to memory of 3708 3676 dvvdd.exe 89 PID 3676 wrote to memory of 3708 3676 dvvdd.exe 89 PID 3708 wrote to memory of 3820 3708 hnhhbh.exe 90 PID 3708 wrote to memory of 3820 3708 hnhhbh.exe 90 PID 3708 wrote to memory of 3820 3708 hnhhbh.exe 90 PID 3820 wrote to memory of 3112 3820 1ffxxxr.exe 91 PID 3820 wrote to memory of 3112 3820 1ffxxxr.exe 91 PID 3820 wrote to memory of 3112 3820 1ffxxxr.exe 91 PID 3112 wrote to memory of 1160 3112 jvpdv.exe 92 PID 3112 wrote to memory of 1160 3112 jvpdv.exe 92 PID 3112 wrote to memory of 1160 3112 jvpdv.exe 92 PID 1160 wrote to memory of 3772 1160 hhbttt.exe 93 PID 1160 wrote to memory of 3772 1160 hhbttt.exe 93 PID 1160 wrote to memory of 3772 1160 hhbttt.exe 93 PID 3772 wrote to memory of 1416 3772 rrxfrfr.exe 94 PID 3772 wrote to memory 
of 1416 3772 rrxfrfr.exe 94 PID 3772 wrote to memory of 1416 3772 rrxfrfr.exe 94 PID 1416 wrote to memory of 4276 1416 ppppp.exe 95 PID 1416 wrote to memory of 4276 1416 ppppp.exe 95 PID 1416 wrote to memory of 4276 1416 ppppp.exe 95 PID 4276 wrote to memory of 2304 4276 flrrxfl.exe 96 PID 4276 wrote to memory of 2304 4276 flrrxfl.exe 96 PID 4276 wrote to memory of 2304 4276 flrrxfl.exe 96 PID 2304 wrote to memory of 1864 2304 fxffxff.exe 97 PID 2304 wrote to memory of 1864 2304 fxffxff.exe 97 PID 2304 wrote to memory of 1864 2304 fxffxff.exe 97 PID 1864 wrote to memory of 2232 1864 flfffff.exe 98 PID 1864 wrote to memory of 2232 1864 flfffff.exe 98 PID 1864 wrote to memory of 2232 1864 flfffff.exe 98 PID 2232 wrote to memory of 3116 2232 tbhhhh.exe 99 PID 2232 wrote to memory of 3116 2232 tbhhhh.exe 99 PID 2232 wrote to memory of 3116 2232 tbhhhh.exe 99 PID 3116 wrote to memory of 2200 3116 jjppv.exe 100 PID 3116 wrote to memory of 2200 3116 jjppv.exe 100 PID 3116 wrote to memory of 2200 3116 jjppv.exe 100 PID 2200 wrote to memory of 1604 2200 frflffx.exe 101 PID 2200 wrote to memory of 1604 2200 frflffx.exe 101 PID 2200 wrote to memory of 1604 2200 frflffx.exe 101 PID 1604 wrote to memory of 1492 1604 9fllfff.exe 102 PID 1604 wrote to memory of 1492 1604 9fllfff.exe 102 PID 1604 wrote to memory of 1492 1604 9fllfff.exe 102 PID 1492 wrote to memory of 4812 1492 dpvvp.exe 103 PID 1492 wrote to memory of 4812 1492 dpvvp.exe 103 PID 1492 wrote to memory of 4812 1492 dpvvp.exe 103 PID 4812 wrote to memory of 2564 4812 xlrlfff.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\502c9ddf90c94ebf4f36659ddafaff6de3fb72cb819cfe512a70c1e87720f3cfN.exe"C:\Users\Admin\AppData\Local\Temp\502c9ddf90c94ebf4f36659ddafaff6de3fb72cb819cfe512a70c1e87720f3cfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\flxlxlx.exec:\flxlxlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\jdjdv.exec:\jdjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\3ffrllf.exec:\3ffrllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\ddjjd.exec:\ddjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\lfrlfll.exec:\lfrlfll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\dvvdd.exec:\dvvdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\hnhhbh.exec:\hnhhbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\1ffxxxr.exec:\1ffxxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\jvpdv.exec:\jvpdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\hhbttt.exec:\hhbttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\rrxfrfr.exec:\rrxfrfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\ppppp.exec:\ppppp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\flrrxfl.exec:\flrrxfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\fxffxff.exec:\fxffxff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\flfffff.exec:\flfffff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\tbhhhh.exec:\tbhhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\jjppv.exec:\jjppv.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\frflffx.exec:\frflffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\9fllfff.exec:\9fllfff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\dpvvp.exec:\dpvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\xlrlfff.exec:\xlrlfff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\xrxffll.exec:\xrxffll.exe23⤵
- Executes dropped EXE
PID:2564 -
\??\c:\nhntnh.exec:\nhntnh.exe24⤵
- Executes dropped EXE
PID:3548 -
\??\c:\5jjjd.exec:\5jjjd.exe25⤵
- Executes dropped EXE
PID:3764 -
\??\c:\vjvvv.exec:\vjvvv.exe26⤵
- Executes dropped EXE
PID:428 -
\??\c:\xxxxffl.exec:\xxxxffl.exe27⤵
- Executes dropped EXE
PID:1676 -
\??\c:\bnttnn.exec:\bnttnn.exe28⤵
- Executes dropped EXE
PID:3164 -
\??\c:\vjppp.exec:\vjppp.exe29⤵
- Executes dropped EXE
PID:3100 -
\??\c:\vjvpj.exec:\vjvpj.exe30⤵
- Executes dropped EXE
PID:1716 -
\??\c:\5lrrlxx.exec:\5lrrlxx.exe31⤵
- Executes dropped EXE
PID:1336 -
\??\c:\htbnhb.exec:\htbnhb.exe32⤵
- Executes dropped EXE
PID:4888 -
\??\c:\bhtnhh.exec:\bhtnhh.exe33⤵
- Executes dropped EXE
PID:4620 -
\??\c:\7llrfrr.exec:\7llrfrr.exe34⤵
- Executes dropped EXE
PID:4800 -
\??\c:\3hhbbb.exec:\3hhbbb.exe35⤵
- Executes dropped EXE
PID:3376 -
\??\c:\nnnnnn.exec:\nnnnnn.exe36⤵
- Executes dropped EXE
PID:3200 -
\??\c:\jvdpj.exec:\jvdpj.exe37⤵
- Executes dropped EXE
PID:3788 -
\??\c:\9xlfrff.exec:\9xlfrff.exe38⤵
- Executes dropped EXE
PID:4344 -
\??\c:\nnttbb.exec:\nnttbb.exe39⤵
- Executes dropped EXE
PID:3540 -
\??\c:\hbnhnn.exec:\hbnhnn.exe40⤵
- Executes dropped EXE
PID:5048 -
\??\c:\jjvvd.exec:\jjvvd.exe41⤵
- Executes dropped EXE
PID:3704 -
\??\c:\pjdvd.exec:\pjdvd.exe42⤵
- Executes dropped EXE
PID:1880 -
\??\c:\5rrlfff.exec:\5rrlfff.exe43⤵
- Executes dropped EXE
PID:1320 -
\??\c:\tthtth.exec:\tthtth.exe44⤵
- Executes dropped EXE
PID:764 -
\??\c:\nbbtnn.exec:\nbbtnn.exe45⤵
- Executes dropped EXE
PID:1300 -
\??\c:\ppddd.exec:\ppddd.exe46⤵
- Executes dropped EXE
PID:1892 -
\??\c:\xlrrlff.exec:\xlrrlff.exe47⤵
- Executes dropped EXE
PID:4468 -
\??\c:\hnhbtt.exec:\hnhbtt.exe48⤵
- Executes dropped EXE
PID:3860 -
\??\c:\tnnhhn.exec:\tnnhhn.exe49⤵
- Executes dropped EXE
PID:708 -
\??\c:\1jdvv.exec:\1jdvv.exe50⤵
- Executes dropped EXE
PID:4588 -
\??\c:\rlrffff.exec:\rlrffff.exe51⤵
- Executes dropped EXE
PID:3156 -
\??\c:\ntbbhn.exec:\ntbbhn.exe52⤵
- Executes dropped EXE
PID:2892 -
\??\c:\vvddd.exec:\vvddd.exe53⤵
- Executes dropped EXE
PID:2112 -
\??\c:\bbtnbh.exec:\bbtnbh.exe54⤵
- Executes dropped EXE
PID:4408 -
\??\c:\nnbhhn.exec:\nnbhhn.exe55⤵
- Executes dropped EXE
PID:2224 -
\??\c:\vdvpp.exec:\vdvpp.exe56⤵
- Executes dropped EXE
PID:1976 -
\??\c:\hthhbt.exec:\hthhbt.exe57⤵
- Executes dropped EXE
PID:4324 -
\??\c:\vvpvp.exec:\vvpvp.exe58⤵
- Executes dropped EXE
PID:1968 -
\??\c:\fxrffll.exec:\fxrffll.exe59⤵
- Executes dropped EXE
PID:1340 -
\??\c:\btbtbt.exec:\btbtbt.exe60⤵
- Executes dropped EXE
PID:1332 -
\??\c:\pvppj.exec:\pvppj.exe61⤵
- Executes dropped EXE
PID:652 -
\??\c:\rrrlffl.exec:\rrrlffl.exe62⤵
- Executes dropped EXE
PID:964 -
\??\c:\btbnhh.exec:\btbnhh.exe63⤵
- Executes dropped EXE
PID:4708 -
\??\c:\dvppp.exec:\dvppp.exe64⤵
- Executes dropped EXE
PID:5084 -
\??\c:\pdjdp.exec:\pdjdp.exe65⤵
- Executes dropped EXE
PID:376 -
\??\c:\1rrrlrl.exec:\1rrrlrl.exe66⤵PID:1136
-
\??\c:\5fxrlrl.exec:\5fxrlrl.exe67⤵PID:3056
-
\??\c:\jddvp.exec:\jddvp.exe68⤵PID:1600
-
\??\c:\pjvjp.exec:\pjvjp.exe69⤵PID:3696
-
\??\c:\9xxxrrr.exec:\9xxxrrr.exe70⤵PID:5088
-
\??\c:\bbhhbt.exec:\bbhhbt.exe71⤵PID:452
-
\??\c:\llllrrr.exec:\llllrrr.exe72⤵PID:4748
-
\??\c:\hbhhbh.exec:\hbhhbh.exe73⤵PID:4964
-
\??\c:\9fxrrlf.exec:\9fxrrlf.exe74⤵PID:2708
-
\??\c:\bnhbbb.exec:\bnhbbb.exe75⤵PID:2304
-
\??\c:\pvvpd.exec:\pvvpd.exe76⤵PID:448
-
\??\c:\btbnht.exec:\btbnht.exe77⤵PID:3724
-
\??\c:\5hnhth.exec:\5hnhth.exe78⤵PID:2232
-
\??\c:\vppvp.exec:\vppvp.exe79⤵PID:2428
-
\??\c:\9hbtnn.exec:\9hbtnn.exe80⤵PID:1536
-
\??\c:\3pvvp.exec:\3pvvp.exe81⤵PID:2356
-
\??\c:\tnnhbt.exec:\tnnhbt.exe82⤵PID:696
-
\??\c:\1bhtnn.exec:\1bhtnn.exe83⤵PID:3912
-
\??\c:\rfrfxxr.exec:\rfrfxxr.exe84⤵PID:64
-
\??\c:\rffxrll.exec:\rffxrll.exe85⤵PID:4444
-
\??\c:\7bhnhn.exec:\7bhnhn.exe86⤵PID:1896
-
\??\c:\jjjdd.exec:\jjjdd.exe87⤵PID:1676
-
\??\c:\flxfxlx.exec:\flxfxlx.exe88⤵PID:976
-
\??\c:\rllxrlx.exec:\rllxrlx.exe89⤵PID:2152
-
\??\c:\bntnhh.exec:\bntnhh.exe90⤵PID:1336
-
\??\c:\ddjvd.exec:\ddjvd.exe91⤵PID:1328
-
\??\c:\7lrlllr.exec:\7lrlllr.exe92⤵PID:4620
-
\??\c:\bbhbbb.exec:\bbhbbb.exe93⤵PID:3376
-
\??\c:\jpvpd.exec:\jpvpd.exe94⤵PID:4656
-
\??\c:\pvdvp.exec:\pvdvp.exe95⤵PID:3260
-
\??\c:\rlrlfff.exec:\rlrlfff.exe96⤵PID:1680
-
\??\c:\hhnhbt.exec:\hhnhbt.exe97⤵PID:2548
-
\??\c:\tntbtb.exec:\tntbtb.exe98⤵PID:4816
-
\??\c:\1jpjd.exec:\1jpjd.exe99⤵PID:2792
-
\??\c:\7rfrffx.exec:\7rfrffx.exe100⤵PID:3288
-
\??\c:\btbnhh.exec:\btbnhh.exe101⤵PID:1880
-
\??\c:\3vdvv.exec:\3vdvv.exe102⤵PID:1320
-
\??\c:\fffxrrl.exec:\fffxrrl.exe103⤵PID:3660
-
\??\c:\bnbttn.exec:\bnbttn.exe104⤵PID:3248
-
\??\c:\vjjjv.exec:\vjjjv.exe105⤵PID:1892
-
\??\c:\rxfxlxl.exec:\rxfxlxl.exe106⤵PID:4164
-
\??\c:\3bhhbt.exec:\3bhhbt.exe107⤵PID:2648
-
\??\c:\1jvpv.exec:\1jvpv.exe108⤵PID:2148
-
\??\c:\5frrfxx.exec:\5frrfxx.exe109⤵PID:636
-
\??\c:\xxlxrxx.exec:\xxlxrxx.exe110⤵PID:4368
-
\??\c:\tbbhbt.exec:\tbbhbt.exe111⤵PID:3372
-
\??\c:\jjjjp.exec:\jjjjp.exe112⤵PID:2592
-
\??\c:\rlxlfxr.exec:\rlxlfxr.exe113⤵PID:2276
-
\??\c:\bhhbtt.exec:\bhhbtt.exe114⤵PID:3408
-
\??\c:\3hbtnn.exec:\3hbtnn.exe115⤵PID:4384
-
\??\c:\vvvjp.exec:\vvvjp.exe116⤵PID:4408
-
\??\c:\lfffrxr.exec:\lfffrxr.exe117⤵PID:4280
-
\??\c:\ttttnn.exec:\ttttnn.exe118⤵PID:4980
-
\??\c:\bbbtnh.exec:\bbbtnh.exe119⤵PID:1844
-
\??\c:\jvdvp.exec:\jvdvp.exe120⤵PID:1216
-
\??\c:\rfxrffx.exec:\rfxrffx.exe121⤵PID:4320
-
\??\c:\thttnn.exec:\thttnn.exe122⤵PID:3036