Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 20:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
abf5d520564d1998b5f5f8070ef1e466edc8403fda93fb9e48766948ef8407f1N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
abf5d520564d1998b5f5f8070ef1e466edc8403fda93fb9e48766948ef8407f1N.exe
-
Size
453KB
-
MD5
b6f648b8637a1ed82ab482a4113b8850
-
SHA1
42a2c38d25444334d5f2cb78a4f764782f9da0e4
-
SHA256
abf5d520564d1998b5f5f8070ef1e466edc8403fda93fb9e48766948ef8407f1
-
SHA512
a66d9ea0a65b018c9f0d89fc21dc428a6901483e11584ec5f6c3efcc5d1d91466e6dd6ae979db44a325b39dadfb962c721e42c15d907b121b1df0f0b270acd60
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1888-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/420-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1476-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3056-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-858-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-1009-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2596 fffrfrl.exe 4804 vjdpd.exe 4064 djjdp.exe 1860 flfrlfr.exe 4488 frfrfxl.exe 420 vpjvp.exe 3676 3tthbb.exe 3088 hnhbnh.exe 3056 7jdpd.exe 2920 7tbnnh.exe 4948 xrlxrll.exe 1760 nbbbth.exe 1176 pjpjd.exe 384 9llllll.exe 2364 5rrxrrl.exe 4016 9xrrffx.exe 2264 pdddv.exe 3772 llxrlff.exe 5064 tnthbb.exe 4400 jpdvp.exe 1540 fflfxxr.exe 4384 bnhhbb.exe 5016 3vvpj.exe 4548 rllfrrl.exe 3044 ppvpv.exe 3952 bhnhbb.exe 2020 dddvp.exe 1476 ddjdj.exe 64 tthhhh.exe 2776 lxrrllf.exe 2824 3rxrrfx.exe 4900 pjdvd.exe 1680 jjvvd.exe 4256 lflfffx.exe 1740 nhhbtt.exe 1640 dvjvv.exe 4296 lrxxrrl.exe 3604 9llfxxr.exe 2904 tbnhnn.exe 4824 dppjd.exe 1448 vpppj.exe 836 9rrlffx.exe 3040 nnnhbb.exe 4912 dpvpj.exe 2144 rlxrxlf.exe 4636 fxfxffl.exe 3112 7nnhbb.exe 4520 vpdvj.exe 3016 frxrffx.exe 1888 xlrlfxx.exe 3164 5bnhbb.exe 4552 dpdvp.exe 1356 fxfxlll.exe 2236 9nnbtt.exe 436 dvdpd.exe 4544 pppjd.exe 1076 frrlxxx.exe 5020 1nhbtb.exe 4696 ddvvp.exe 1580 xxrxxrf.exe 3704 ttbtbb.exe 3056 jdjdv.exe 1120 xxxrlll.exe 1444 nhttnn.exe -
resource yara_rule behavioral2/memory/1888-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/420-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2776-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-314-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4444-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-700-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1888 wrote to memory of 2596 1888 abf5d520564d1998b5f5f8070ef1e466edc8403fda93fb9e48766948ef8407f1N.exe 83 PID 1888 wrote to memory of 2596 1888 abf5d520564d1998b5f5f8070ef1e466edc8403fda93fb9e48766948ef8407f1N.exe 83 PID 1888 wrote to memory of 2596 1888 abf5d520564d1998b5f5f8070ef1e466edc8403fda93fb9e48766948ef8407f1N.exe 83 PID 2596 wrote to memory of 4804 2596 fffrfrl.exe 84 PID 2596 wrote to memory of 4804 2596 fffrfrl.exe 84 PID 2596 wrote to memory of 4804 2596 fffrfrl.exe 84 PID 4804 wrote to memory of 4064 4804 vjdpd.exe 85 PID 4804 wrote to memory of 4064 4804 vjdpd.exe 85 PID 4804 wrote to memory of 4064 4804 vjdpd.exe 85 PID 4064 wrote to memory of 1860 4064 djjdp.exe 86 PID 4064 wrote to memory of 1860 4064 djjdp.exe 86 PID 4064 wrote to memory of 1860 4064 djjdp.exe 86 PID 1860 wrote to memory of 4488 1860 flfrlfr.exe 87 PID 1860 wrote to memory of 4488 1860 flfrlfr.exe 87 PID 1860 wrote to memory of 4488 1860 flfrlfr.exe 87 PID 4488 wrote to memory of 420 4488 frfrfxl.exe 88 PID 4488 wrote to memory of 420 4488 frfrfxl.exe 88 PID 4488 wrote to memory of 420 4488 frfrfxl.exe 88 PID 420 wrote to memory of 3676 420 vpjvp.exe 89 PID 420 wrote to memory of 3676 420 vpjvp.exe 89 PID 420 wrote to memory of 3676 420 vpjvp.exe 89 PID 3676 wrote to memory of 3088 3676 3tthbb.exe 90 PID 3676 wrote to memory of 3088 3676 3tthbb.exe 90 PID 3676 wrote to memory of 3088 3676 3tthbb.exe 90 PID 3088 wrote to memory of 3056 3088 hnhbnh.exe 91 PID 3088 wrote to memory of 3056 3088 hnhbnh.exe 91 PID 3088 wrote to memory of 3056 3088 hnhbnh.exe 91 PID 3056 wrote to memory of 2920 3056 7jdpd.exe 92 PID 3056 wrote to memory of 2920 3056 7jdpd.exe 92 PID 3056 wrote to memory of 2920 3056 7jdpd.exe 92 PID 2920 wrote to memory of 4948 2920 7tbnnh.exe 93 PID 2920 wrote to memory of 4948 2920 7tbnnh.exe 93 PID 2920 wrote to memory of 4948 2920 7tbnnh.exe 93 PID 4948 wrote to memory of 1760 4948 xrlxrll.exe 94 PID 4948 wrote to memory of 
1760 4948 xrlxrll.exe 94 PID 4948 wrote to memory of 1760 4948 xrlxrll.exe 94 PID 1760 wrote to memory of 1176 1760 nbbbth.exe 95 PID 1760 wrote to memory of 1176 1760 nbbbth.exe 95 PID 1760 wrote to memory of 1176 1760 nbbbth.exe 95 PID 1176 wrote to memory of 384 1176 pjpjd.exe 96 PID 1176 wrote to memory of 384 1176 pjpjd.exe 96 PID 1176 wrote to memory of 384 1176 pjpjd.exe 96 PID 384 wrote to memory of 2364 384 9llllll.exe 97 PID 384 wrote to memory of 2364 384 9llllll.exe 97 PID 384 wrote to memory of 2364 384 9llllll.exe 97 PID 2364 wrote to memory of 4016 2364 5rrxrrl.exe 98 PID 2364 wrote to memory of 4016 2364 5rrxrrl.exe 98 PID 2364 wrote to memory of 4016 2364 5rrxrrl.exe 98 PID 4016 wrote to memory of 2264 4016 9xrrffx.exe 99 PID 4016 wrote to memory of 2264 4016 9xrrffx.exe 99 PID 4016 wrote to memory of 2264 4016 9xrrffx.exe 99 PID 2264 wrote to memory of 3772 2264 pdddv.exe 100 PID 2264 wrote to memory of 3772 2264 pdddv.exe 100 PID 2264 wrote to memory of 3772 2264 pdddv.exe 100 PID 3772 wrote to memory of 5064 3772 llxrlff.exe 101 PID 3772 wrote to memory of 5064 3772 llxrlff.exe 101 PID 3772 wrote to memory of 5064 3772 llxrlff.exe 101 PID 5064 wrote to memory of 4400 5064 tnthbb.exe 102 PID 5064 wrote to memory of 4400 5064 tnthbb.exe 102 PID 5064 wrote to memory of 4400 5064 tnthbb.exe 102 PID 4400 wrote to memory of 1540 4400 jpdvp.exe 103 PID 4400 wrote to memory of 1540 4400 jpdvp.exe 103 PID 4400 wrote to memory of 1540 4400 jpdvp.exe 103 PID 1540 wrote to memory of 4384 1540 fflfxxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\abf5d520564d1998b5f5f8070ef1e466edc8403fda93fb9e48766948ef8407f1N.exe"C:\Users\Admin\AppData\Local\Temp\abf5d520564d1998b5f5f8070ef1e466edc8403fda93fb9e48766948ef8407f1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\fffrfrl.exec:\fffrfrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\vjdpd.exec:\vjdpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\djjdp.exec:\djjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\flfrlfr.exec:\flfrlfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\frfrfxl.exec:\frfrfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\vpjvp.exec:\vpjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:420 -
\??\c:\3tthbb.exec:\3tthbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\hnhbnh.exec:\hnhbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\7jdpd.exec:\7jdpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\7tbnnh.exec:\7tbnnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\xrlxrll.exec:\xrlxrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\nbbbth.exec:\nbbbth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\pjpjd.exec:\pjpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\9llllll.exec:\9llllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\5rrxrrl.exec:\5rrxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\9xrrffx.exec:\9xrrffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\pdddv.exec:\pdddv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\llxrlff.exec:\llxrlff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\tnthbb.exec:\tnthbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\jpdvp.exec:\jpdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\fflfxxr.exec:\fflfxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\bnhhbb.exec:\bnhhbb.exe23⤵
- Executes dropped EXE
PID:4384 -
\??\c:\3vvpj.exec:\3vvpj.exe24⤵
- Executes dropped EXE
PID:5016 -
\??\c:\rllfrrl.exec:\rllfrrl.exe25⤵
- Executes dropped EXE
PID:4548 -
\??\c:\ppvpv.exec:\ppvpv.exe26⤵
- Executes dropped EXE
PID:3044 -
\??\c:\bhnhbb.exec:\bhnhbb.exe27⤵
- Executes dropped EXE
PID:3952 -
\??\c:\dddvp.exec:\dddvp.exe28⤵
- Executes dropped EXE
PID:2020 -
\??\c:\ddjdj.exec:\ddjdj.exe29⤵
- Executes dropped EXE
PID:1476 -
\??\c:\tthhhh.exec:\tthhhh.exe30⤵
- Executes dropped EXE
PID:64 -
\??\c:\lxrrllf.exec:\lxrrllf.exe31⤵
- Executes dropped EXE
PID:2776 -
\??\c:\3rxrrfx.exec:\3rxrrfx.exe32⤵
- Executes dropped EXE
PID:2824 -
\??\c:\pjdvd.exec:\pjdvd.exe33⤵
- Executes dropped EXE
PID:4900 -
\??\c:\jjvvd.exec:\jjvvd.exe34⤵
- Executes dropped EXE
PID:1680 -
\??\c:\lflfffx.exec:\lflfffx.exe35⤵
- Executes dropped EXE
PID:4256 -
\??\c:\nhhbtt.exec:\nhhbtt.exe36⤵
- Executes dropped EXE
PID:1740 -
\??\c:\dvjvv.exec:\dvjvv.exe37⤵
- Executes dropped EXE
PID:1640 -
\??\c:\lrxxrrl.exec:\lrxxrrl.exe38⤵
- Executes dropped EXE
PID:4296 -
\??\c:\9llfxxr.exec:\9llfxxr.exe39⤵
- Executes dropped EXE
PID:3604 -
\??\c:\tbnhnn.exec:\tbnhnn.exe40⤵
- Executes dropped EXE
PID:2904 -
\??\c:\dppjd.exec:\dppjd.exe41⤵
- Executes dropped EXE
PID:4824 -
\??\c:\vpppj.exec:\vpppj.exe42⤵
- Executes dropped EXE
PID:1448 -
\??\c:\9rrlffx.exec:\9rrlffx.exe43⤵
- Executes dropped EXE
PID:836 -
\??\c:\nnnhbb.exec:\nnnhbb.exe44⤵
- Executes dropped EXE
PID:3040 -
\??\c:\dpvpj.exec:\dpvpj.exe45⤵
- Executes dropped EXE
PID:4912 -
\??\c:\rlxrxlf.exec:\rlxrxlf.exe46⤵
- Executes dropped EXE
PID:2144 -
\??\c:\fxfxffl.exec:\fxfxffl.exe47⤵
- Executes dropped EXE
PID:4636 -
\??\c:\7nnhbb.exec:\7nnhbb.exe48⤵
- Executes dropped EXE
PID:3112 -
\??\c:\vpdvj.exec:\vpdvj.exe49⤵
- Executes dropped EXE
PID:4520 -
\??\c:\frxrffx.exec:\frxrffx.exe50⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xlrlfxx.exec:\xlrlfxx.exe51⤵
- Executes dropped EXE
PID:1888 -
\??\c:\5bnhbb.exec:\5bnhbb.exe52⤵
- Executes dropped EXE
PID:3164 -
\??\c:\dpdvp.exec:\dpdvp.exe53⤵
- Executes dropped EXE
PID:4552 -
\??\c:\fxfxlll.exec:\fxfxlll.exe54⤵
- Executes dropped EXE
PID:1356 -
\??\c:\9nnbtt.exec:\9nnbtt.exe55⤵
- Executes dropped EXE
PID:2236 -
\??\c:\dvdpd.exec:\dvdpd.exe56⤵
- Executes dropped EXE
PID:436 -
\??\c:\pppjd.exec:\pppjd.exe57⤵
- Executes dropped EXE
PID:4544 -
\??\c:\frrlxxx.exec:\frrlxxx.exe58⤵
- Executes dropped EXE
PID:1076 -
\??\c:\1nhbtb.exec:\1nhbtb.exe59⤵
- Executes dropped EXE
PID:5020 -
\??\c:\ddvvp.exec:\ddvvp.exe60⤵
- Executes dropped EXE
PID:4696 -
\??\c:\xxrxxrf.exec:\xxrxxrf.exe61⤵
- Executes dropped EXE
PID:1580 -
\??\c:\ttbtbb.exec:\ttbtbb.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3704 -
\??\c:\jdjdv.exec:\jdjdv.exe63⤵
- Executes dropped EXE
PID:3056 -
\??\c:\xxxrlll.exec:\xxxrlll.exe64⤵
- Executes dropped EXE
PID:1120 -
\??\c:\nhttnn.exec:\nhttnn.exe65⤵
- Executes dropped EXE
PID:1444 -
\??\c:\1vvvp.exec:\1vvvp.exe66⤵PID:1000
-
\??\c:\5fxrrrl.exec:\5fxrrrl.exe67⤵PID:4680
-
\??\c:\1hnbtt.exec:\1hnbtt.exe68⤵PID:4968
-
\??\c:\5djvp.exec:\5djvp.exe69⤵PID:3884
-
\??\c:\lffxllf.exec:\lffxllf.exe70⤵PID:4372
-
\??\c:\frxrllf.exec:\frxrllf.exe71⤵PID:2364
-
\??\c:\tntnbt.exec:\tntnbt.exe72⤵PID:4888
-
\??\c:\jpjdv.exec:\jpjdv.exe73⤵PID:4444
-
\??\c:\rffxffx.exec:\rffxffx.exe74⤵PID:804
-
\??\c:\9rrlxxr.exec:\9rrlxxr.exe75⤵PID:2264
-
\??\c:\hhnhbb.exec:\hhnhbb.exe76⤵PID:2196
-
\??\c:\7ddpd.exec:\7ddpd.exe77⤵PID:3192
-
\??\c:\5llfxxx.exec:\5llfxxx.exe78⤵PID:1540
-
\??\c:\1rrrxfl.exec:\1rrrxfl.exe79⤵PID:3532
-
\??\c:\nhbtnn.exec:\nhbtnn.exe80⤵PID:3176
-
\??\c:\7vvpj.exec:\7vvpj.exe81⤵PID:1156
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe82⤵PID:4404
-
\??\c:\bnbtnn.exec:\bnbtnn.exe83⤵PID:1128
-
\??\c:\9jdvj.exec:\9jdvj.exe84⤵PID:3972
-
\??\c:\rlrlxfx.exec:\rlrlxfx.exe85⤵PID:3988
-
\??\c:\9xxrllf.exec:\9xxrllf.exe86⤵PID:3904
-
\??\c:\bthhtt.exec:\bthhtt.exe87⤵PID:3136
-
\??\c:\pvjdv.exec:\pvjdv.exe88⤵PID:1404
-
\??\c:\fxrlffx.exec:\fxrlffx.exe89⤵PID:1476
-
\??\c:\ffrlxxl.exec:\ffrlxxl.exe90⤵PID:4740
-
\??\c:\hnhbbt.exec:\hnhbbt.exe91⤵PID:4876
-
\??\c:\dvpjp.exec:\dvpjp.exe92⤵PID:4736
-
\??\c:\jvdvp.exec:\jvdvp.exe93⤵PID:1772
-
\??\c:\lxfrrfx.exec:\lxfrrfx.exe94⤵PID:4828
-
\??\c:\bbtnhh.exec:\bbtnhh.exe95⤵PID:4852
-
\??\c:\vvvjd.exec:\vvvjd.exe96⤵PID:3700
-
\??\c:\vjvpd.exec:\vjvpd.exe97⤵PID:4256
-
\??\c:\fflxlfx.exec:\fflxlfx.exe98⤵PID:2740
-
\??\c:\nbtnbb.exec:\nbtnbb.exe99⤵PID:4964
-
\??\c:\vpvjp.exec:\vpvjp.exe100⤵PID:1412
-
\??\c:\lxfxllf.exec:\lxfxllf.exe101⤵PID:532
-
\??\c:\rllfrrl.exec:\rllfrrl.exe102⤵PID:2904
-
\??\c:\hhbthb.exec:\hhbthb.exe103⤵PID:3064
-
\??\c:\jpddd.exec:\jpddd.exe104⤵
- System Location Discovery: System Language Discovery
PID:4312 -
\??\c:\vdddj.exec:\vdddj.exe105⤵PID:2104
-
\??\c:\5flfrll.exec:\5flfrll.exe106⤵PID:4036
-
\??\c:\nhnhhh.exec:\nhnhhh.exe107⤵PID:4912
-
\??\c:\vvpvv.exec:\vvpvv.exe108⤵PID:3748
-
\??\c:\llrlxrf.exec:\llrlxrf.exe109⤵PID:2384
-
\??\c:\lrxlfxl.exec:\lrxlfxl.exe110⤵PID:4500
-
\??\c:\bnthbb.exec:\bnthbb.exe111⤵PID:4176
-
\??\c:\jvdpd.exec:\jvdpd.exe112⤵PID:2360
-
\??\c:\1llxllf.exec:\1llxllf.exe113⤵PID:4136
-
\??\c:\3nnbnh.exec:\3nnbnh.exe114⤵PID:3540
-
\??\c:\ppvpj.exec:\ppvpj.exe115⤵PID:728
-
\??\c:\1rlxrxr.exec:\1rlxrxr.exe116⤵PID:2328
-
\??\c:\hhtntt.exec:\hhtntt.exe117⤵PID:520
-
\??\c:\hnnbtn.exec:\hnnbtn.exe118⤵PID:1268
-
\??\c:\vdjjd.exec:\vdjjd.exe119⤵PID:3184
-
\??\c:\xlfffxf.exec:\xlfffxf.exe120⤵PID:3672
-
\??\c:\3ttnhb.exec:\3ttnhb.exe121⤵PID:1076
-
\??\c:\dvdjd.exec:\dvdjd.exe122⤵PID:4476