Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 21:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe130f207f478b30f7eeaf99a7a2d2668fbcdccfdf28a8a70d9c6b1f73cb82c2.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
fe130f207f478b30f7eeaf99a7a2d2668fbcdccfdf28a8a70d9c6b1f73cb82c2.exe
-
Size
454KB
-
MD5
8bc6bbb8b8e2f2375732fb110ca9f6ec
-
SHA1
1e4cd5513ce1fb6a3f1de378c75c26db3296a5db
-
SHA256
fe130f207f478b30f7eeaf99a7a2d2668fbcdccfdf28a8a70d9c6b1f73cb82c2
-
SHA512
9a39c12d6cede91b3e8c180ccf26f5f8472eecf02070587dd1f680332a7c522dfd6943ee3b32ad36e707eb9e996708879d3e8a7468b4c059441a23c57b887830
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1616-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3612-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/740-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-966-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-1117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1172 rlrlfff.exe 1292 ppvjp.exe 2552 xllfxxf.exe 3652 hhhbtt.exe 5088 flfxfxr.exe 3388 ppvjj.exe 1972 lxlffff.exe 4840 vjjdp.exe 2852 tnhhhn.exe 4220 3jjdj.exe 456 jjdvp.exe 3928 xrrxrlf.exe 1120 rlxrrrr.exe 3528 1hnhbh.exe 848 vjpjd.exe 3800 rlxxffx.exe 4048 nhhbtb.exe 1676 xxxrlrr.exe 3504 ppvvd.exe 4780 rrxrlfx.exe 264 ntbttt.exe 4572 bnnttn.exe 2540 dpddv.exe 1328 xrffllx.exe 752 fxlfxxx.exe 4360 bhtttt.exe 840 vpvvv.exe 4788 9pvpp.exe 3396 5lxxflr.exe 3084 bnbbtt.exe 4516 bntnnh.exe 4568 jjdvj.exe 996 lrfffff.exe 2156 frfxxxf.exe 2280 btnhht.exe 3296 jvjvj.exe 2832 7vjdv.exe 1864 3xrrffx.exe 3452 frrrllf.exe 2860 tnttnn.exe 1384 vpdvv.exe 1596 jpddp.exe 1080 fxxrrrl.exe 3268 nhbtnn.exe 3676 ppvpj.exe 2500 pjpjj.exe 3612 fxfrxrl.exe 4724 tnnbtn.exe 4760 9bbtnn.exe 2268 9vpdp.exe 4416 frxrfxl.exe 1660 ththhh.exe 1388 vpdvp.exe 4440 tttnhb.exe 2664 pppjp.exe 1124 xxrfrfr.exe 2448 nthbbt.exe 1668 1vdvd.exe 448 flxxrrr.exe 5092 hbtnnn.exe 1956 dpjjj.exe 3368 9ffxxxr.exe 4728 vpddj.exe 3872 dvddd.exe -
resource yara_rule behavioral2/memory/1616-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-246-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2500-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-415-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1704-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-966-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxllxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1616 wrote to memory of 1172 1616 fe130f207f478b30f7eeaf99a7a2d2668fbcdccfdf28a8a70d9c6b1f73cb82c2.exe 83 PID 1616 wrote to memory of 1172 1616 fe130f207f478b30f7eeaf99a7a2d2668fbcdccfdf28a8a70d9c6b1f73cb82c2.exe 83 PID 1616 wrote to memory of 1172 1616 fe130f207f478b30f7eeaf99a7a2d2668fbcdccfdf28a8a70d9c6b1f73cb82c2.exe 83 PID 1172 wrote to memory of 1292 1172 rlrlfff.exe 84 PID 1172 wrote to memory of 1292 1172 rlrlfff.exe 84 PID 1172 wrote to memory of 1292 1172 rlrlfff.exe 84 PID 1292 wrote to memory of 2552 1292 ppvjp.exe 85 PID 1292 wrote to memory of 2552 1292 ppvjp.exe 85 PID 1292 wrote to memory of 2552 1292 ppvjp.exe 85 PID 2552 wrote to memory of 3652 2552 xllfxxf.exe 86 PID 2552 wrote to memory of 3652 2552 xllfxxf.exe 86 PID 2552 wrote to memory of 3652 2552 xllfxxf.exe 86 PID 3652 wrote to memory of 5088 3652 hhhbtt.exe 87 PID 3652 wrote to memory of 5088 3652 hhhbtt.exe 87 PID 3652 wrote to memory of 5088 3652 hhhbtt.exe 87 PID 5088 wrote to memory of 3388 5088 flfxfxr.exe 88 PID 5088 wrote to memory of 3388 5088 flfxfxr.exe 88 PID 5088 wrote to memory of 3388 5088 flfxfxr.exe 88 PID 3388 wrote to memory of 1972 3388 ppvjj.exe 89 PID 3388 wrote to memory of 1972 3388 ppvjj.exe 89 PID 3388 wrote to memory of 1972 3388 ppvjj.exe 89 PID 1972 wrote to memory of 4840 1972 lxlffff.exe 90 PID 1972 wrote to memory of 4840 1972 lxlffff.exe 90 PID 1972 wrote to memory of 4840 1972 lxlffff.exe 90 PID 4840 wrote to memory of 2852 4840 vjjdp.exe 91 PID 4840 wrote to memory of 2852 4840 vjjdp.exe 91 PID 4840 wrote to memory of 2852 4840 vjjdp.exe 91 PID 2852 wrote to memory of 4220 2852 tnhhhn.exe 92 PID 2852 wrote to memory of 4220 2852 tnhhhn.exe 92 PID 2852 wrote to memory of 4220 2852 tnhhhn.exe 92 PID 4220 wrote to memory of 456 4220 3jjdj.exe 93 PID 4220 wrote to memory of 456 4220 3jjdj.exe 93 PID 4220 wrote to memory of 456 4220 3jjdj.exe 93 PID 456 wrote to memory of 3928 456 jjdvp.exe 94 PID 456 wrote to memory 
of 3928 456 jjdvp.exe 94 PID 456 wrote to memory of 3928 456 jjdvp.exe 94 PID 3928 wrote to memory of 1120 3928 xrrxrlf.exe 95 PID 3928 wrote to memory of 1120 3928 xrrxrlf.exe 95 PID 3928 wrote to memory of 1120 3928 xrrxrlf.exe 95 PID 1120 wrote to memory of 3528 1120 rlxrrrr.exe 96 PID 1120 wrote to memory of 3528 1120 rlxrrrr.exe 96 PID 1120 wrote to memory of 3528 1120 rlxrrrr.exe 96 PID 3528 wrote to memory of 848 3528 1hnhbh.exe 97 PID 3528 wrote to memory of 848 3528 1hnhbh.exe 97 PID 3528 wrote to memory of 848 3528 1hnhbh.exe 97 PID 848 wrote to memory of 3800 848 vjpjd.exe 98 PID 848 wrote to memory of 3800 848 vjpjd.exe 98 PID 848 wrote to memory of 3800 848 vjpjd.exe 98 PID 3800 wrote to memory of 4048 3800 rlxxffx.exe 99 PID 3800 wrote to memory of 4048 3800 rlxxffx.exe 99 PID 3800 wrote to memory of 4048 3800 rlxxffx.exe 99 PID 4048 wrote to memory of 1676 4048 nhhbtb.exe 100 PID 4048 wrote to memory of 1676 4048 nhhbtb.exe 100 PID 4048 wrote to memory of 1676 4048 nhhbtb.exe 100 PID 1676 wrote to memory of 3504 1676 xxxrlrr.exe 101 PID 1676 wrote to memory of 3504 1676 xxxrlrr.exe 101 PID 1676 wrote to memory of 3504 1676 xxxrlrr.exe 101 PID 3504 wrote to memory of 4780 3504 ppvvd.exe 102 PID 3504 wrote to memory of 4780 3504 ppvvd.exe 102 PID 3504 wrote to memory of 4780 3504 ppvvd.exe 102 PID 4780 wrote to memory of 264 4780 rrxrlfx.exe 103 PID 4780 wrote to memory of 264 4780 rrxrlfx.exe 103 PID 4780 wrote to memory of 264 4780 rrxrlfx.exe 103 PID 264 wrote to memory of 4572 264 ntbttt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe130f207f478b30f7eeaf99a7a2d2668fbcdccfdf28a8a70d9c6b1f73cb82c2.exe"C:\Users\Admin\AppData\Local\Temp\fe130f207f478b30f7eeaf99a7a2d2668fbcdccfdf28a8a70d9c6b1f73cb82c2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\rlrlfff.exec:\rlrlfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\ppvjp.exec:\ppvjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\xllfxxf.exec:\xllfxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\hhhbtt.exec:\hhhbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\flfxfxr.exec:\flfxfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\ppvjj.exec:\ppvjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\lxlffff.exec:\lxlffff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\vjjdp.exec:\vjjdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\tnhhhn.exec:\tnhhhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\3jjdj.exec:\3jjdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\jjdvp.exec:\jjdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\xrrxrlf.exec:\xrrxrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\rlxrrrr.exec:\rlxrrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\1hnhbh.exec:\1hnhbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\vjpjd.exec:\vjpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
\??\c:\rlxxffx.exec:\rlxxffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
\??\c:\nhhbtb.exec:\nhhbtb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\xxxrlrr.exec:\xxxrlrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\ppvvd.exec:\ppvvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\ntbttt.exec:\ntbttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\bnnttn.exec:\bnnttn.exe23⤵
- Executes dropped EXE
PID:4572 -
\??\c:\dpddv.exec:\dpddv.exe24⤵
- Executes dropped EXE
PID:2540 -
\??\c:\xrffllx.exec:\xrffllx.exe25⤵
- Executes dropped EXE
PID:1328 -
\??\c:\fxlfxxx.exec:\fxlfxxx.exe26⤵
- Executes dropped EXE
PID:752 -
\??\c:\bhtttt.exec:\bhtttt.exe27⤵
- Executes dropped EXE
PID:4360 -
\??\c:\vpvvv.exec:\vpvvv.exe28⤵
- Executes dropped EXE
PID:840 -
\??\c:\9pvpp.exec:\9pvpp.exe29⤵
- Executes dropped EXE
PID:4788 -
\??\c:\5lxxflr.exec:\5lxxflr.exe30⤵
- Executes dropped EXE
PID:3396 -
\??\c:\bnbbtt.exec:\bnbbtt.exe31⤵
- Executes dropped EXE
PID:3084 -
\??\c:\bntnnh.exec:\bntnnh.exe32⤵
- Executes dropped EXE
PID:4516 -
\??\c:\jjdvj.exec:\jjdvj.exe33⤵
- Executes dropped EXE
PID:4568 -
\??\c:\lrfffff.exec:\lrfffff.exe34⤵
- Executes dropped EXE
PID:996 -
\??\c:\frfxxxf.exec:\frfxxxf.exe35⤵
- Executes dropped EXE
PID:2156 -
\??\c:\btnhht.exec:\btnhht.exe36⤵
- Executes dropped EXE
PID:2280 -
\??\c:\jvjvj.exec:\jvjvj.exe37⤵
- Executes dropped EXE
PID:3296 -
\??\c:\7vjdv.exec:\7vjdv.exe38⤵
- Executes dropped EXE
PID:2832 -
\??\c:\3xrrffx.exec:\3xrrffx.exe39⤵
- Executes dropped EXE
PID:1864 -
\??\c:\frrrllf.exec:\frrrllf.exe40⤵
- Executes dropped EXE
PID:3452 -
\??\c:\tnttnn.exec:\tnttnn.exe41⤵
- Executes dropped EXE
PID:2860 -
\??\c:\vpdvv.exec:\vpdvv.exe42⤵
- Executes dropped EXE
PID:1384 -
\??\c:\jpddp.exec:\jpddp.exe43⤵
- Executes dropped EXE
PID:1596 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe44⤵
- Executes dropped EXE
PID:1080 -
\??\c:\nhbtnn.exec:\nhbtnn.exe45⤵
- Executes dropped EXE
PID:3268 -
\??\c:\ppvpj.exec:\ppvpj.exe46⤵
- Executes dropped EXE
PID:3676 -
\??\c:\pjpjj.exec:\pjpjj.exe47⤵
- Executes dropped EXE
PID:2500 -
\??\c:\fxfrxrl.exec:\fxfrxrl.exe48⤵
- Executes dropped EXE
PID:3612 -
\??\c:\tnnbtn.exec:\tnnbtn.exe49⤵
- Executes dropped EXE
PID:4724 -
\??\c:\9bbtnn.exec:\9bbtnn.exe50⤵
- Executes dropped EXE
PID:4760 -
\??\c:\9vpdp.exec:\9vpdp.exe51⤵
- Executes dropped EXE
PID:2268 -
\??\c:\frxrfxl.exec:\frxrfxl.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4416 -
\??\c:\ththhh.exec:\ththhh.exe53⤵
- Executes dropped EXE
PID:1660 -
\??\c:\vpdvp.exec:\vpdvp.exe54⤵
- Executes dropped EXE
PID:1388 -
\??\c:\tttnhb.exec:\tttnhb.exe55⤵
- Executes dropped EXE
PID:4440 -
\??\c:\pppjp.exec:\pppjp.exe56⤵
- Executes dropped EXE
PID:2664 -
\??\c:\xxrfrfr.exec:\xxrfrfr.exe57⤵
- Executes dropped EXE
PID:1124 -
\??\c:\nthbbt.exec:\nthbbt.exe58⤵
- Executes dropped EXE
PID:2448 -
\??\c:\1vdvd.exec:\1vdvd.exe59⤵
- Executes dropped EXE
PID:1668 -
\??\c:\flxxrrr.exec:\flxxrrr.exe60⤵
- Executes dropped EXE
PID:448 -
\??\c:\hbtnnn.exec:\hbtnnn.exe61⤵
- Executes dropped EXE
PID:5092 -
\??\c:\dpjjj.exec:\dpjjj.exe62⤵
- Executes dropped EXE
PID:1956 -
\??\c:\9ffxxxr.exec:\9ffxxxr.exe63⤵
- Executes dropped EXE
PID:3368 -
\??\c:\vpddj.exec:\vpddj.exe64⤵
- Executes dropped EXE
PID:4728 -
\??\c:\dvddd.exec:\dvddd.exe65⤵
- Executes dropped EXE
PID:3872 -
\??\c:\bnnbbt.exec:\bnnbbt.exe66⤵PID:2256
-
\??\c:\dpjvp.exec:\dpjvp.exe67⤵PID:2196
-
\??\c:\xxxlfxl.exec:\xxxlfxl.exe68⤵PID:1184
-
\??\c:\bhntnt.exec:\bhntnt.exe69⤵PID:1728
-
\??\c:\pppdd.exec:\pppdd.exe70⤵PID:4148
-
\??\c:\7nhbtn.exec:\7nhbtn.exe71⤵PID:1688
-
\??\c:\ntbtnn.exec:\ntbtnn.exe72⤵PID:4072
-
\??\c:\5vjdp.exec:\5vjdp.exe73⤵PID:456
-
\??\c:\xxfflrx.exec:\xxfflrx.exe74⤵PID:4980
-
\??\c:\3tbtnn.exec:\3tbtnn.exe75⤵PID:4052
-
\??\c:\5frlllf.exec:\5frlllf.exe76⤵PID:3528
-
\??\c:\xrxrrxr.exec:\xrxrrxr.exe77⤵PID:1580
-
\??\c:\nttnhb.exec:\nttnhb.exe78⤵
- System Location Discovery: System Language Discovery
PID:4012 -
\??\c:\xrrfxxr.exec:\xrrfxxr.exe79⤵PID:2116
-
\??\c:\tbhhhb.exec:\tbhhhb.exe80⤵PID:740
-
\??\c:\tbnhbh.exec:\tbnhbh.exe81⤵PID:1676
-
\??\c:\fflfxxx.exec:\fflfxxx.exe82⤵PID:3884
-
\??\c:\bbhbbb.exec:\bbhbbb.exe83⤵PID:1824
-
\??\c:\dvjjd.exec:\dvjjd.exe84⤵PID:3448
-
\??\c:\rrxxxxf.exec:\rrxxxxf.exe85⤵PID:4612
-
\??\c:\llrrrrr.exec:\llrrrrr.exe86⤵PID:5056
-
\??\c:\bbbbbb.exec:\bbbbbb.exe87⤵PID:4308
-
\??\c:\jdjvv.exec:\jdjvv.exe88⤵PID:752
-
\??\c:\1jpjj.exec:\1jpjj.exe89⤵PID:1756
-
\??\c:\bbnnht.exec:\bbnnht.exe90⤵PID:832
-
\??\c:\nntbtn.exec:\nntbtn.exe91⤵PID:4452
-
\??\c:\3djdv.exec:\3djdv.exe92⤵PID:4492
-
\??\c:\xrffrxr.exec:\xrffrxr.exe93⤵PID:4516
-
\??\c:\btnhtt.exec:\btnhtt.exe94⤵PID:2680
-
\??\c:\tnhbnn.exec:\tnhbnn.exe95⤵PID:996
-
\??\c:\3ppjp.exec:\3ppjp.exe96⤵PID:4952
-
\??\c:\fxlllll.exec:\fxlllll.exe97⤵PID:3936
-
\??\c:\bthbbb.exec:\bthbbb.exe98⤵PID:2832
-
\??\c:\jjjdv.exec:\jjjdv.exe99⤵PID:2424
-
\??\c:\vppjj.exec:\vppjj.exe100⤵PID:2124
-
\??\c:\rfxrlxr.exec:\rfxrlxr.exe101⤵PID:3924
-
\??\c:\1bhnnn.exec:\1bhnnn.exe102⤵PID:2364
-
\??\c:\hthhbh.exec:\hthhbh.exe103⤵PID:2020
-
\??\c:\jpdpp.exec:\jpdpp.exe104⤵PID:3888
-
\??\c:\rrrlfff.exec:\rrrlfff.exe105⤵PID:4004
-
\??\c:\thnnnn.exec:\thnnnn.exe106⤵PID:1704
-
\??\c:\7ppjd.exec:\7ppjd.exe107⤵PID:4084
-
\??\c:\lrxrllf.exec:\lrxrllf.exe108⤵PID:1644
-
\??\c:\lllrrxr.exec:\lllrrxr.exe109⤵PID:2504
-
\??\c:\bbbthh.exec:\bbbthh.exe110⤵PID:4724
-
\??\c:\jjpjj.exec:\jjpjj.exe111⤵PID:4484
-
\??\c:\1llfxxx.exec:\1llfxxx.exe112⤵PID:3500
-
\??\c:\bbnnhh.exec:\bbnnhh.exe113⤵PID:3604
-
\??\c:\vjvjd.exec:\vjvjd.exe114⤵PID:2004
-
\??\c:\1lfxlll.exec:\1lfxlll.exe115⤵PID:2260
-
\??\c:\nbbbtb.exec:\nbbbtb.exe116⤵PID:4296
-
\??\c:\nnbbnn.exec:\nnbbnn.exe117⤵PID:916
-
\??\c:\pjpjj.exec:\pjpjj.exe118⤵PID:1152
-
\??\c:\frxrfxx.exec:\frxrfxx.exe119⤵PID:1172
-
\??\c:\tbhhbb.exec:\tbhhbb.exe120⤵PID:4160
-
\??\c:\hthbhb.exec:\hthbhb.exe121⤵PID:4676
-
\??\c:\1jpdp.exec:\1jpdp.exe122⤵PID:3440