Analysis
-
max time kernel
120s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d09f37fb339dac734f1d7d52c5e47fb6a472070a6323c9373b12fffe71bc22d1N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d09f37fb339dac734f1d7d52c5e47fb6a472070a6323c9373b12fffe71bc22d1N.exe
-
Size
453KB
-
MD5
82c5a1984d8977c15aa3831d1182ca00
-
SHA1
c528d8c95361a21e56516d9b00ddbec595d7b1e5
-
SHA256
d09f37fb339dac734f1d7d52c5e47fb6a472070a6323c9373b12fffe71bc22d1
-
SHA512
497765cebbda74a128e7b4505469a614428682c48b7588819c2e459b0d55ccf4723ffdb6dce1ff5b958991afcd782f072c150c1f7abe35e7025e2110d868d958
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3788-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4424-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5108-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-1074-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-1114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-1427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-1653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-1894-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1908 flrlffx.exe 1272 nnbthh.exe 1572 jjpdv.exe 2496 vdppj.exe 1008 rxfxrxx.exe 2980 tnnntt.exe 4868 vjjjd.exe 1056 xrrrllf.exe 468 llxrfrf.exe 3592 jvpdd.exe 1068 bnbbtn.exe 2652 5ffxxxr.exe 4332 9rlrflf.exe 5008 hhhbtn.exe 2400 vdjdd.exe 2728 xlrfxfx.exe 3828 7hnhhh.exe 1720 3jddv.exe 4480 1jvpj.exe 4524 1rfrlfx.exe 1756 pvdjv.exe 3488 dpvpj.exe 2240 9xrlllf.exe 4772 xfrflll.exe 1612 llrrxrl.exe 4856 nhntbn.exe 2972 xllflfx.exe 4836 vdjjd.exe 3428 hhhntt.exe 1780 xllfxrr.exe 4904 btnhbh.exe 4424 djppv.exe 5012 nttnnt.exe 2128 pjpjj.exe 2804 rxllfxx.exe 232 tbtbhn.exe 3088 jpjvd.exe 3384 tnnhbb.exe 516 jvpjj.exe 4636 fflffff.exe 3048 nnttnn.exe 4492 jvddd.exe 4640 lflllff.exe 392 llxxxxl.exe 2896 hhnbbb.exe 4516 3djdv.exe 4312 1xfxrrl.exe 548 bhnnhn.exe 2812 ddvjp.exe 4152 llfffff.exe 3624 tnnhht.exe 2672 pjvdv.exe 5028 pppjp.exe 3760 frfrxxx.exe 4316 nbbbbn.exe 3304 dvjjj.exe 2392 rxxllff.exe 316 nhhbtt.exe 3200 dvvvd.exe 4780 rxfxrrl.exe 2432 ttbtbb.exe 840 jjddd.exe 4120 xrrrlll.exe 4388 tnttnn.exe -
resource yara_rule behavioral2/memory/3788-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4424-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4608-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-808-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbbn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3788 wrote to memory of 1908 3788 d09f37fb339dac734f1d7d52c5e47fb6a472070a6323c9373b12fffe71bc22d1N.exe 82 PID 3788 wrote to memory of 1908 3788 d09f37fb339dac734f1d7d52c5e47fb6a472070a6323c9373b12fffe71bc22d1N.exe 82 PID 3788 wrote to memory of 1908 3788 d09f37fb339dac734f1d7d52c5e47fb6a472070a6323c9373b12fffe71bc22d1N.exe 82 PID 1908 wrote to memory of 1272 1908 flrlffx.exe 83 PID 1908 wrote to memory of 1272 1908 flrlffx.exe 83 PID 1908 wrote to memory of 1272 1908 flrlffx.exe 83 PID 1272 wrote to memory of 1572 1272 nnbthh.exe 84 PID 1272 wrote to memory of 1572 1272 nnbthh.exe 84 PID 1272 wrote to memory of 1572 1272 nnbthh.exe 84 PID 1572 wrote to memory of 2496 1572 jjpdv.exe 85 PID 1572 wrote to memory of 2496 1572 jjpdv.exe 85 PID 1572 wrote to memory of 2496 1572 jjpdv.exe 85 PID 2496 wrote to memory of 1008 2496 vdppj.exe 86 PID 2496 wrote to memory of 1008 2496 vdppj.exe 86 PID 2496 wrote to memory of 1008 2496 vdppj.exe 86 PID 1008 wrote to memory of 2980 1008 rxfxrxx.exe 87 PID 1008 wrote to memory of 2980 1008 rxfxrxx.exe 87 PID 1008 wrote to memory of 2980 1008 rxfxrxx.exe 87 PID 2980 wrote to memory of 4868 2980 tnnntt.exe 88 PID 2980 wrote to memory of 4868 2980 tnnntt.exe 88 PID 2980 wrote to memory of 4868 2980 tnnntt.exe 88 PID 4868 wrote to memory of 1056 4868 vjjjd.exe 89 PID 4868 wrote to memory of 1056 4868 vjjjd.exe 89 PID 4868 wrote to memory of 1056 4868 vjjjd.exe 89 PID 1056 wrote to memory of 468 1056 xrrrllf.exe 90 PID 1056 wrote to memory of 468 1056 xrrrllf.exe 90 PID 1056 wrote to memory of 468 1056 xrrrllf.exe 90 PID 468 wrote to memory of 3592 468 llxrfrf.exe 91 PID 468 wrote to memory of 3592 468 llxrfrf.exe 91 PID 468 wrote to memory of 3592 468 llxrfrf.exe 91 PID 3592 wrote to memory of 1068 3592 jvpdd.exe 92 PID 3592 wrote to memory of 1068 3592 jvpdd.exe 92 PID 3592 wrote to memory of 1068 3592 jvpdd.exe 92 PID 1068 wrote to memory of 2652 1068 bnbbtn.exe 93 PID 1068 wrote to memory 
of 2652 1068 bnbbtn.exe 93 PID 1068 wrote to memory of 2652 1068 bnbbtn.exe 93 PID 2652 wrote to memory of 4332 2652 5ffxxxr.exe 94 PID 2652 wrote to memory of 4332 2652 5ffxxxr.exe 94 PID 2652 wrote to memory of 4332 2652 5ffxxxr.exe 94 PID 4332 wrote to memory of 5008 4332 9rlrflf.exe 95 PID 4332 wrote to memory of 5008 4332 9rlrflf.exe 95 PID 4332 wrote to memory of 5008 4332 9rlrflf.exe 95 PID 5008 wrote to memory of 2400 5008 hhhbtn.exe 96 PID 5008 wrote to memory of 2400 5008 hhhbtn.exe 96 PID 5008 wrote to memory of 2400 5008 hhhbtn.exe 96 PID 2400 wrote to memory of 2728 2400 vdjdd.exe 97 PID 2400 wrote to memory of 2728 2400 vdjdd.exe 97 PID 2400 wrote to memory of 2728 2400 vdjdd.exe 97 PID 2728 wrote to memory of 3828 2728 xlrfxfx.exe 98 PID 2728 wrote to memory of 3828 2728 xlrfxfx.exe 98 PID 2728 wrote to memory of 3828 2728 xlrfxfx.exe 98 PID 3828 wrote to memory of 1720 3828 7hnhhh.exe 99 PID 3828 wrote to memory of 1720 3828 7hnhhh.exe 99 PID 3828 wrote to memory of 1720 3828 7hnhhh.exe 99 PID 1720 wrote to memory of 4480 1720 3jddv.exe 100 PID 1720 wrote to memory of 4480 1720 3jddv.exe 100 PID 1720 wrote to memory of 4480 1720 3jddv.exe 100 PID 4480 wrote to memory of 4524 4480 1jvpj.exe 101 PID 4480 wrote to memory of 4524 4480 1jvpj.exe 101 PID 4480 wrote to memory of 4524 4480 1jvpj.exe 101 PID 4524 wrote to memory of 1756 4524 1rfrlfx.exe 102 PID 4524 wrote to memory of 1756 4524 1rfrlfx.exe 102 PID 4524 wrote to memory of 1756 4524 1rfrlfx.exe 102 PID 1756 wrote to memory of 3488 1756 pvdjv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d09f37fb339dac734f1d7d52c5e47fb6a472070a6323c9373b12fffe71bc22d1N.exe"C:\Users\Admin\AppData\Local\Temp\d09f37fb339dac734f1d7d52c5e47fb6a472070a6323c9373b12fffe71bc22d1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\flrlffx.exec:\flrlffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\nnbthh.exec:\nnbthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\jjpdv.exec:\jjpdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\vdppj.exec:\vdppj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\rxfxrxx.exec:\rxfxrxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\tnnntt.exec:\tnnntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\vjjjd.exec:\vjjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\xrrrllf.exec:\xrrrllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\llxrfrf.exec:\llxrfrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\jvpdd.exec:\jvpdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\bnbbtn.exec:\bnbbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\5ffxxxr.exec:\5ffxxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\9rlrflf.exec:\9rlrflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\hhhbtn.exec:\hhhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\vdjdd.exec:\vdjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\xlrfxfx.exec:\xlrfxfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\7hnhhh.exec:\7hnhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\3jddv.exec:\3jddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\1jvpj.exec:\1jvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\1rfrlfx.exec:\1rfrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\pvdjv.exec:\pvdjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\dpvpj.exec:\dpvpj.exe23⤵
- Executes dropped EXE
PID:3488 -
\??\c:\9xrlllf.exec:\9xrlllf.exe24⤵
- Executes dropped EXE
PID:2240 -
\??\c:\xfrflll.exec:\xfrflll.exe25⤵
- Executes dropped EXE
PID:4772 -
\??\c:\llrrxrl.exec:\llrrxrl.exe26⤵
- Executes dropped EXE
PID:1612 -
\??\c:\nhntbn.exec:\nhntbn.exe27⤵
- Executes dropped EXE
PID:4856 -
\??\c:\xllflfx.exec:\xllflfx.exe28⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vdjjd.exec:\vdjjd.exe29⤵
- Executes dropped EXE
PID:4836 -
\??\c:\hhhntt.exec:\hhhntt.exe30⤵
- Executes dropped EXE
PID:3428 -
\??\c:\xllfxrr.exec:\xllfxrr.exe31⤵
- Executes dropped EXE
PID:1780 -
\??\c:\btnhbh.exec:\btnhbh.exe32⤵
- Executes dropped EXE
PID:4904 -
\??\c:\djppv.exec:\djppv.exe33⤵
- Executes dropped EXE
PID:4424 -
\??\c:\nttnnt.exec:\nttnnt.exe34⤵
- Executes dropped EXE
PID:5012 -
\??\c:\pjpjj.exec:\pjpjj.exe35⤵
- Executes dropped EXE
PID:2128 -
\??\c:\rxllfxx.exec:\rxllfxx.exe36⤵
- Executes dropped EXE
PID:2804 -
\??\c:\tbtbhn.exec:\tbtbhn.exe37⤵
- Executes dropped EXE
PID:232 -
\??\c:\jpjvd.exec:\jpjvd.exe38⤵
- Executes dropped EXE
PID:3088 -
\??\c:\tnnhbb.exec:\tnnhbb.exe39⤵
- Executes dropped EXE
PID:3384 -
\??\c:\jvpjj.exec:\jvpjj.exe40⤵
- Executes dropped EXE
PID:516 -
\??\c:\fflffff.exec:\fflffff.exe41⤵
- Executes dropped EXE
PID:4636 -
\??\c:\nnttnn.exec:\nnttnn.exe42⤵
- Executes dropped EXE
PID:3048 -
\??\c:\jvddd.exec:\jvddd.exe43⤵
- Executes dropped EXE
PID:4492 -
\??\c:\lflllff.exec:\lflllff.exe44⤵
- Executes dropped EXE
PID:4640 -
\??\c:\llxxxxl.exec:\llxxxxl.exe45⤵
- Executes dropped EXE
PID:392 -
\??\c:\hhnbbb.exec:\hhnbbb.exe46⤵
- Executes dropped EXE
PID:2896 -
\??\c:\3djdv.exec:\3djdv.exe47⤵
- Executes dropped EXE
PID:4516 -
\??\c:\1xfxrrl.exec:\1xfxrrl.exe48⤵
- Executes dropped EXE
PID:4312 -
\??\c:\bhnnhn.exec:\bhnnhn.exe49⤵
- Executes dropped EXE
PID:548 -
\??\c:\ddvjp.exec:\ddvjp.exe50⤵
- Executes dropped EXE
PID:2812 -
\??\c:\llfffff.exec:\llfffff.exe51⤵
- Executes dropped EXE
PID:4152 -
\??\c:\tnnhht.exec:\tnnhht.exe52⤵
- Executes dropped EXE
PID:3624 -
\??\c:\pjvdv.exec:\pjvdv.exe53⤵
- Executes dropped EXE
PID:2672 -
\??\c:\pppjp.exec:\pppjp.exe54⤵
- Executes dropped EXE
PID:5028 -
\??\c:\frfrxxx.exec:\frfrxxx.exe55⤵
- Executes dropped EXE
PID:3760 -
\??\c:\nbbbbn.exec:\nbbbbn.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4316 -
\??\c:\dvjjj.exec:\dvjjj.exe57⤵
- Executes dropped EXE
PID:3304 -
\??\c:\rxxllff.exec:\rxxllff.exe58⤵
- Executes dropped EXE
PID:2392 -
\??\c:\nhhbtt.exec:\nhhbtt.exe59⤵
- Executes dropped EXE
PID:316 -
\??\c:\dvvvd.exec:\dvvvd.exe60⤵
- Executes dropped EXE
PID:3200 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe61⤵
- Executes dropped EXE
PID:4780 -
\??\c:\ttbtbb.exec:\ttbtbb.exe62⤵
- Executes dropped EXE
PID:2432 -
\??\c:\jjddd.exec:\jjddd.exe63⤵
- Executes dropped EXE
PID:840 -
\??\c:\xrrrlll.exec:\xrrrlll.exe64⤵
- Executes dropped EXE
PID:4120 -
\??\c:\tnttnn.exec:\tnttnn.exe65⤵
- Executes dropped EXE
PID:4388 -
\??\c:\jdjjj.exec:\jdjjj.exe66⤵PID:1520
-
\??\c:\lxxlffx.exec:\lxxlffx.exe67⤵PID:412
-
\??\c:\nbhbtn.exec:\nbhbtn.exe68⤵PID:3576
-
\??\c:\hthbbt.exec:\hthbbt.exe69⤵PID:628
-
\??\c:\jdjdv.exec:\jdjdv.exe70⤵PID:1116
-
\??\c:\rlffxxr.exec:\rlffxxr.exe71⤵PID:4364
-
\??\c:\tnbttn.exec:\tnbttn.exe72⤵PID:468
-
\??\c:\pvdvp.exec:\pvdvp.exe73⤵PID:4248
-
\??\c:\xfrrrrr.exec:\xfrrrrr.exe74⤵PID:3592
-
\??\c:\bthbtn.exec:\bthbtn.exe75⤵PID:1192
-
\??\c:\9pvpj.exec:\9pvpj.exe76⤵PID:3180
-
\??\c:\9xrllfx.exec:\9xrllfx.exe77⤵PID:2524
-
\??\c:\lrxlfff.exec:\lrxlfff.exe78⤵PID:1356
-
\??\c:\ppvjv.exec:\ppvjv.exe79⤵PID:3052
-
\??\c:\xrlrlfx.exec:\xrlrlfx.exe80⤵PID:4608
-
\??\c:\ffxffrl.exec:\ffxffrl.exe81⤵PID:2280
-
\??\c:\nttbhb.exec:\nttbhb.exe82⤵PID:1416
-
\??\c:\jpvvp.exec:\jpvvp.exe83⤵PID:3944
-
\??\c:\xlflrrx.exec:\xlflrrx.exe84⤵PID:5100
-
\??\c:\xxrlrrr.exec:\xxrlrrr.exe85⤵PID:1964
-
\??\c:\nbnhhn.exec:\nbnhhn.exe86⤵PID:5108
-
\??\c:\jpvpv.exec:\jpvpv.exe87⤵PID:4356
-
\??\c:\lffxrll.exec:\lffxrll.exe88⤵PID:3652
-
\??\c:\1bhbtt.exec:\1bhbtt.exe89⤵PID:1756
-
\??\c:\btbtbt.exec:\btbtbt.exe90⤵PID:4916
-
\??\c:\3jjjd.exec:\3jjjd.exe91⤵PID:4176
-
\??\c:\lrrlfff.exec:\lrrlfff.exe92⤵PID:3144
-
\??\c:\1tbbhn.exec:\1tbbhn.exe93⤵PID:716
-
\??\c:\btbbbb.exec:\btbbbb.exe94⤵PID:3172
-
\??\c:\jdvpv.exec:\jdvpv.exe95⤵PID:1536
-
\??\c:\fxrllrf.exec:\fxrllrf.exe96⤵PID:1784
-
\??\c:\lrxxxlf.exec:\lrxxxlf.exe97⤵PID:2172
-
\??\c:\bhhtbb.exec:\bhhtbb.exe98⤵PID:4836
-
\??\c:\dvddd.exec:\dvddd.exe99⤵PID:3428
-
\??\c:\lrrrrxr.exec:\lrrrrxr.exe100⤵PID:3508
-
\??\c:\ffrlrrx.exec:\ffrlrrx.exe101⤵PID:3736
-
\??\c:\bbhttb.exec:\bbhttb.exe102⤵PID:3680
-
\??\c:\vvddv.exec:\vvddv.exe103⤵PID:1592
-
\??\c:\xxffxll.exec:\xxffxll.exe104⤵PID:3000
-
\??\c:\xrxrllf.exec:\xrxrllf.exe105⤵PID:2128
-
\??\c:\bnbttt.exec:\bnbttt.exe106⤵PID:4884
-
\??\c:\pjvjd.exec:\pjvjd.exe107⤵PID:4496
-
\??\c:\rlxrrxx.exec:\rlxrrxx.exe108⤵PID:636
-
\??\c:\nnbnhh.exec:\nnbnhh.exe109⤵PID:1688
-
\??\c:\3jjvv.exec:\3jjvv.exe110⤵PID:2232
-
\??\c:\rrxffff.exec:\rrxffff.exe111⤵PID:3204
-
\??\c:\lxllflf.exec:\lxllflf.exe112⤵PID:812
-
\??\c:\bnbhbb.exec:\bnbhbb.exe113⤵PID:4540
-
\??\c:\dvddd.exec:\dvddd.exe114⤵
- System Location Discovery: System Language Discovery
PID:4004 -
\??\c:\pjjjd.exec:\pjjjd.exe115⤵PID:4756
-
\??\c:\lxlrrll.exec:\lxlrrll.exe116⤵PID:2896
-
\??\c:\bbhbbb.exec:\bbhbbb.exe117⤵PID:4516
-
\??\c:\1pvpp.exec:\1pvpp.exe118⤵PID:4312
-
\??\c:\lrxxxxx.exec:\lrxxxxx.exe119⤵
- System Location Discovery: System Language Discovery
PID:548 -
\??\c:\1xrxrrl.exec:\1xrxrrl.exe120⤵PID:520
-
\??\c:\bnbtnn.exec:\bnbtnn.exe121⤵PID:3632
-
\??\c:\5jdvp.exec:\5jdvp.exe122⤵PID:4612