Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 02:24
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
6cd650fbce79f4bb30bea7757fa13f9cf889c23a8b6bb4e54d6e78ebadaf5fe7.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6cd650fbce79f4bb30bea7757fa13f9cf889c23a8b6bb4e54d6e78ebadaf5fe7.exe
-
Size
454KB
-
MD5
6eb9a4596d14f5bd8e3d6403b3ee2012
-
SHA1
996feb705a86e00b5f1e17ef0dd5b6a6e43239d9
-
SHA256
6cd650fbce79f4bb30bea7757fa13f9cf889c23a8b6bb4e54d6e78ebadaf5fe7
-
SHA512
673e07ca57e01e4880f1efa1e6fb996a12b22178948e1e68496741e56c1adedd15699a4361110e5580621730257ce51ed896d816b44eac0be24ebb21d3c0dd20
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4248-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3844-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1684-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-1584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 408 vjjdd.exe 3408 lflfflf.exe 2776 btbtnn.exe 3276 dpppp.exe 2688 nnnnhb.exe 456 dvdvv.exe 2540 jjjdd.exe 3464 bthbhh.exe 3328 rrxxxxx.exe 1756 lffxrlr.exe 1268 tbtnnh.exe 2936 1djjd.exe 2792 vpvjd.exe 3432 xrxxffl.exe 4788 btbtnn.exe 4796 9ntnhh.exe 3392 dvvpj.exe 2868 bbhbbn.exe 1032 hnnnht.exe 1624 xflfxxr.exe 1492 pvppp.exe 2972 xrxxffl.exe 812 llxxllx.exe 4272 tthbhh.exe 1672 dpvvp.exe 4960 hnnhhh.exe 1716 nnbtbt.exe 2096 vjpjj.exe 1400 1jvvp.exe 2212 xrrlllf.exe 4340 hhbtnn.exe 3820 pdddv.exe 520 jpvpj.exe 1764 xrxxrrx.exe 4868 flrlrxr.exe 2272 bhnhbb.exe 4000 pvpdv.exe 4520 pvjdp.exe 4560 rflffxx.exe 3052 hbbtnn.exe 4728 nbnhbh.exe 2256 7vdpp.exe 3592 xrxlffx.exe 3004 rxxrrlf.exe 2816 9hhbtn.exe 3844 tnnhbb.exe 448 dvdvj.exe 772 fflxfxr.exe 4388 xxxrrrl.exe 4912 ddjdv.exe 860 lrxrrrr.exe 3172 xrxxrrr.exe 4144 bbttnn.exe 3880 pvddv.exe 4768 llrffxr.exe 1684 pdjdj.exe 1864 lrxrllf.exe 1984 nhttbt.exe 1272 vppjd.exe 1296 xlllrrr.exe 2704 lfrlfff.exe 232 btbhbn.exe 2756 xxlllll.exe 2804 thnnhh.exe -
resource yara_rule behavioral2/memory/4248-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-245-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2256-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-321-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4788-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-1238-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1ppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4248 wrote to memory of 408 4248 6cd650fbce79f4bb30bea7757fa13f9cf889c23a8b6bb4e54d6e78ebadaf5fe7.exe 84 PID 4248 wrote to memory of 408 4248 6cd650fbce79f4bb30bea7757fa13f9cf889c23a8b6bb4e54d6e78ebadaf5fe7.exe 84 PID 4248 wrote to memory of 408 4248 6cd650fbce79f4bb30bea7757fa13f9cf889c23a8b6bb4e54d6e78ebadaf5fe7.exe 84 PID 408 wrote to memory of 3408 408 vjjdd.exe 85 PID 408 wrote to memory of 3408 408 vjjdd.exe 85 PID 408 wrote to memory of 3408 408 vjjdd.exe 85 PID 3408 wrote to memory of 2776 3408 lflfflf.exe 86 PID 3408 wrote to memory of 2776 3408 lflfflf.exe 86 PID 3408 wrote to memory of 2776 3408 lflfflf.exe 86 PID 2776 wrote to memory of 3276 2776 btbtnn.exe 87 PID 2776 wrote to memory of 3276 2776 btbtnn.exe 87 PID 2776 wrote to memory of 3276 2776 btbtnn.exe 87 PID 3276 wrote to memory of 2688 3276 dpppp.exe 88 PID 3276 wrote to memory of 2688 3276 dpppp.exe 88 PID 3276 wrote to memory of 2688 3276 dpppp.exe 88 PID 2688 wrote to memory of 456 2688 nnnnhb.exe 89 PID 2688 wrote to memory of 456 2688 nnnnhb.exe 89 PID 2688 wrote to memory of 456 2688 nnnnhb.exe 89 PID 456 wrote to memory of 2540 456 dvdvv.exe 90 PID 456 wrote to memory of 2540 456 dvdvv.exe 90 PID 456 wrote to memory of 2540 456 dvdvv.exe 90 PID 2540 wrote to memory of 3464 2540 jjjdd.exe 91 PID 2540 wrote to memory of 3464 2540 jjjdd.exe 91 PID 2540 wrote to memory of 3464 2540 jjjdd.exe 91 PID 3464 wrote to memory of 3328 3464 bthbhh.exe 92 PID 3464 wrote to memory of 3328 3464 bthbhh.exe 92 PID 3464 wrote to memory of 3328 3464 bthbhh.exe 92 PID 3328 wrote to memory of 1756 3328 rrxxxxx.exe 93 PID 3328 wrote to memory of 1756 3328 rrxxxxx.exe 93 PID 3328 wrote to memory of 1756 3328 rrxxxxx.exe 93 PID 1756 wrote to memory of 1268 1756 lffxrlr.exe 94 PID 1756 wrote to memory of 1268 1756 lffxrlr.exe 94 PID 1756 wrote to memory of 1268 1756 lffxrlr.exe 94 PID 1268 wrote to memory of 2936 1268 tbtnnh.exe 95 PID 1268 wrote to memory of 2936 1268 
tbtnnh.exe 95 PID 1268 wrote to memory of 2936 1268 tbtnnh.exe 95 PID 2936 wrote to memory of 2792 2936 1djjd.exe 96 PID 2936 wrote to memory of 2792 2936 1djjd.exe 96 PID 2936 wrote to memory of 2792 2936 1djjd.exe 96 PID 2792 wrote to memory of 3432 2792 vpvjd.exe 97 PID 2792 wrote to memory of 3432 2792 vpvjd.exe 97 PID 2792 wrote to memory of 3432 2792 vpvjd.exe 97 PID 3432 wrote to memory of 4788 3432 xrxxffl.exe 98 PID 3432 wrote to memory of 4788 3432 xrxxffl.exe 98 PID 3432 wrote to memory of 4788 3432 xrxxffl.exe 98 PID 4788 wrote to memory of 4796 4788 btbtnn.exe 99 PID 4788 wrote to memory of 4796 4788 btbtnn.exe 99 PID 4788 wrote to memory of 4796 4788 btbtnn.exe 99 PID 4796 wrote to memory of 3392 4796 9ntnhh.exe 100 PID 4796 wrote to memory of 3392 4796 9ntnhh.exe 100 PID 4796 wrote to memory of 3392 4796 9ntnhh.exe 100 PID 3392 wrote to memory of 2868 3392 dvvpj.exe 101 PID 3392 wrote to memory of 2868 3392 dvvpj.exe 101 PID 3392 wrote to memory of 2868 3392 dvvpj.exe 101 PID 2868 wrote to memory of 1032 2868 bbhbbn.exe 102 PID 2868 wrote to memory of 1032 2868 bbhbbn.exe 102 PID 2868 wrote to memory of 1032 2868 bbhbbn.exe 102 PID 1032 wrote to memory of 1624 1032 hnnnht.exe 103 PID 1032 wrote to memory of 1624 1032 hnnnht.exe 103 PID 1032 wrote to memory of 1624 1032 hnnnht.exe 103 PID 1624 wrote to memory of 1492 1624 xflfxxr.exe 104 PID 1624 wrote to memory of 1492 1624 xflfxxr.exe 104 PID 1624 wrote to memory of 1492 1624 xflfxxr.exe 104 PID 1492 wrote to memory of 2972 1492 pvppp.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\6cd650fbce79f4bb30bea7757fa13f9cf889c23a8b6bb4e54d6e78ebadaf5fe7.exe"C:\Users\Admin\AppData\Local\Temp\6cd650fbce79f4bb30bea7757fa13f9cf889c23a8b6bb4e54d6e78ebadaf5fe7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\vjjdd.exec:\vjjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\lflfflf.exec:\lflfflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\btbtnn.exec:\btbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\dpppp.exec:\dpppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\nnnnhb.exec:\nnnnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\dvdvv.exec:\dvdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\jjjdd.exec:\jjjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\bthbhh.exec:\bthbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\lffxrlr.exec:\lffxrlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\tbtnnh.exec:\tbtnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\1djjd.exec:\1djjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\vpvjd.exec:\vpvjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\xrxxffl.exec:\xrxxffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\btbtnn.exec:\btbtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\9ntnhh.exec:\9ntnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\dvvpj.exec:\dvvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\bbhbbn.exec:\bbhbbn.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\hnnnht.exec:\hnnnht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\xflfxxr.exec:\xflfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\pvppp.exec:\pvppp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\xrxxffl.exec:\xrxxffl.exe23⤵
- Executes dropped EXE
PID:2972 -
\??\c:\llxxllx.exec:\llxxllx.exe24⤵
- Executes dropped EXE
PID:812 -
\??\c:\tthbhh.exec:\tthbhh.exe25⤵
- Executes dropped EXE
PID:4272 -
\??\c:\dpvvp.exec:\dpvvp.exe26⤵
- Executes dropped EXE
PID:1672 -
\??\c:\hnnhhh.exec:\hnnhhh.exe27⤵
- Executes dropped EXE
PID:4960 -
\??\c:\nnbtbt.exec:\nnbtbt.exe28⤵
- Executes dropped EXE
PID:1716 -
\??\c:\vjpjj.exec:\vjpjj.exe29⤵
- Executes dropped EXE
PID:2096 -
\??\c:\1jvvp.exec:\1jvvp.exe30⤵
- Executes dropped EXE
PID:1400 -
\??\c:\xrrlllf.exec:\xrrlllf.exe31⤵
- Executes dropped EXE
PID:2212 -
\??\c:\hhbtnn.exec:\hhbtnn.exe32⤵
- Executes dropped EXE
PID:4340 -
\??\c:\pdddv.exec:\pdddv.exe33⤵
- Executes dropped EXE
PID:3820 -
\??\c:\jpvpj.exec:\jpvpj.exe34⤵
- Executes dropped EXE
PID:520 -
\??\c:\xrxxrrx.exec:\xrxxrrx.exe35⤵
- Executes dropped EXE
PID:1764 -
\??\c:\flrlrxr.exec:\flrlrxr.exe36⤵
- Executes dropped EXE
PID:4868 -
\??\c:\bhnhbb.exec:\bhnhbb.exe37⤵
- Executes dropped EXE
PID:2272 -
\??\c:\pvpdv.exec:\pvpdv.exe38⤵
- Executes dropped EXE
PID:4000 -
\??\c:\pvjdp.exec:\pvjdp.exe39⤵
- Executes dropped EXE
PID:4520 -
\??\c:\rflffxx.exec:\rflffxx.exe40⤵
- Executes dropped EXE
PID:4560 -
\??\c:\hbbtnn.exec:\hbbtnn.exe41⤵
- Executes dropped EXE
PID:3052 -
\??\c:\nbnhbh.exec:\nbnhbh.exe42⤵
- Executes dropped EXE
PID:4728 -
\??\c:\7vdpp.exec:\7vdpp.exe43⤵
- Executes dropped EXE
PID:2256 -
\??\c:\xrxlffx.exec:\xrxlffx.exe44⤵
- Executes dropped EXE
PID:3592 -
\??\c:\rxxrrlf.exec:\rxxrrlf.exe45⤵
- Executes dropped EXE
PID:3004 -
\??\c:\9hhbtn.exec:\9hhbtn.exe46⤵
- Executes dropped EXE
PID:2816 -
\??\c:\tnnhbb.exec:\tnnhbb.exe47⤵
- Executes dropped EXE
PID:3844 -
\??\c:\dvdvj.exec:\dvdvj.exe48⤵
- Executes dropped EXE
PID:448 -
\??\c:\fflxfxr.exec:\fflxfxr.exe49⤵
- Executes dropped EXE
PID:772 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe50⤵
- Executes dropped EXE
PID:4388 -
\??\c:\ddjdv.exec:\ddjdv.exe51⤵
- Executes dropped EXE
PID:4912 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe52⤵
- Executes dropped EXE
PID:860 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe53⤵
- Executes dropped EXE
PID:3172 -
\??\c:\bbttnn.exec:\bbttnn.exe54⤵
- Executes dropped EXE
PID:4144 -
\??\c:\pvddv.exec:\pvddv.exe55⤵
- Executes dropped EXE
PID:3880 -
\??\c:\llrffxr.exec:\llrffxr.exe56⤵
- Executes dropped EXE
PID:4768 -
\??\c:\pdjdj.exec:\pdjdj.exe57⤵
- Executes dropped EXE
PID:1684 -
\??\c:\lrxrllf.exec:\lrxrllf.exe58⤵
- Executes dropped EXE
PID:1864 -
\??\c:\nhttbt.exec:\nhttbt.exe59⤵
- Executes dropped EXE
PID:1984 -
\??\c:\vppjd.exec:\vppjd.exe60⤵
- Executes dropped EXE
PID:1272 -
\??\c:\xlllrrr.exec:\xlllrrr.exe61⤵
- Executes dropped EXE
PID:1296 -
\??\c:\lfrlfff.exec:\lfrlfff.exe62⤵
- Executes dropped EXE
PID:2704 -
\??\c:\btbhbn.exec:\btbhbn.exe63⤵
- Executes dropped EXE
PID:232 -
\??\c:\xxlllll.exec:\xxlllll.exe64⤵
- Executes dropped EXE
PID:2756 -
\??\c:\thnnhh.exec:\thnnhh.exe65⤵
- Executes dropped EXE
PID:2804 -
\??\c:\nhtnth.exec:\nhtnth.exe66⤵PID:2188
-
\??\c:\djjjd.exec:\djjjd.exe67⤵PID:1300
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe68⤵PID:1268
-
\??\c:\bthhhh.exec:\bthhhh.exe69⤵PID:344
-
\??\c:\vvjjv.exec:\vvjjv.exe70⤵PID:3012
-
\??\c:\frfxxxx.exec:\frfxxxx.exe71⤵PID:4132
-
\??\c:\dpdvp.exec:\dpdvp.exe72⤵PID:4788
-
\??\c:\9rrlfff.exec:\9rrlfff.exe73⤵PID:4056
-
\??\c:\bhtnhh.exec:\bhtnhh.exe74⤵PID:4756
-
\??\c:\jvvpp.exec:\jvvpp.exe75⤵PID:4112
-
\??\c:\llxrxxr.exec:\llxrxxr.exe76⤵PID:3692
-
\??\c:\nbnnhh.exec:\nbnnhh.exe77⤵PID:4864
-
\??\c:\nttttt.exec:\nttttt.exe78⤵PID:212
-
\??\c:\djddv.exec:\djddv.exe79⤵PID:836
-
\??\c:\frxrxxr.exec:\frxrxxr.exe80⤵PID:3616
-
\??\c:\3hhbtt.exec:\3hhbtt.exe81⤵PID:4488
-
\??\c:\jvvjd.exec:\jvvjd.exe82⤵PID:2976
-
\??\c:\pjdpj.exec:\pjdpj.exe83⤵PID:1408
-
\??\c:\5rlfxxr.exec:\5rlfxxr.exe84⤵PID:3504
-
\??\c:\bnnhtb.exec:\bnnhtb.exe85⤵PID:4780
-
\??\c:\vjvpp.exec:\vjvpp.exe86⤵PID:1124
-
\??\c:\xfrlfxx.exec:\xfrlfxx.exe87⤵PID:2380
-
\??\c:\xffxrlf.exec:\xffxrlf.exe88⤵PID:3280
-
\??\c:\nhbtnh.exec:\nhbtnh.exe89⤵PID:1192
-
\??\c:\dvvdv.exec:\dvvdv.exe90⤵PID:3352
-
\??\c:\flxxxxx.exec:\flxxxxx.exe91⤵PID:1044
-
\??\c:\bttntt.exec:\bttntt.exe92⤵PID:1808
-
\??\c:\nhtthn.exec:\nhtthn.exe93⤵PID:4080
-
\??\c:\pjdvv.exec:\pjdvv.exe94⤵PID:2392
-
\??\c:\xxfxfxf.exec:\xxfxfxf.exe95⤵PID:1784
-
\??\c:\1fffrrl.exec:\1fffrrl.exe96⤵PID:2044
-
\??\c:\thnbbb.exec:\thnbbb.exe97⤵PID:4560
-
\??\c:\dvppp.exec:\dvppp.exe98⤵PID:1368
-
\??\c:\rlrlffx.exec:\rlrlffx.exe99⤵PID:4060
-
\??\c:\bnbthb.exec:\bnbthb.exe100⤵PID:1116
-
\??\c:\vjjdp.exec:\vjjdp.exe101⤵PID:5100
-
\??\c:\llxflxf.exec:\llxflxf.exe102⤵PID:5104
-
\??\c:\bnnhhn.exec:\bnnhhn.exe103⤵PID:5020
-
\??\c:\ppppv.exec:\ppppv.exe104⤵PID:792
-
\??\c:\djvjv.exec:\djvjv.exe105⤵PID:2924
-
\??\c:\3rlxllx.exec:\3rlxllx.exe106⤵PID:2460
-
\??\c:\9nthtn.exec:\9nthtn.exe107⤵PID:4720
-
\??\c:\jddvp.exec:\jddvp.exe108⤵PID:3920
-
\??\c:\rlfrllf.exec:\rlfrllf.exe109⤵PID:632
-
\??\c:\hntnnn.exec:\hntnnn.exe110⤵PID:4360
-
\??\c:\bnbthh.exec:\bnbthh.exe111⤵PID:4388
-
\??\c:\vjpdp.exec:\vjpdp.exe112⤵PID:2852
-
\??\c:\fxlfllr.exec:\fxlfllr.exe113⤵PID:2248
-
\??\c:\lfllrrx.exec:\lfllrrx.exe114⤵PID:1276
-
\??\c:\bhtnhh.exec:\bhtnhh.exe115⤵PID:3408
-
\??\c:\vvvvp.exec:\vvvvp.exe116⤵PID:2184
-
\??\c:\lrflrxr.exec:\lrflrxr.exe117⤵PID:2324
-
\??\c:\nnnnnn.exec:\nnnnnn.exe118⤵PID:1684
-
\??\c:\pdvpv.exec:\pdvpv.exe119⤵PID:600
-
\??\c:\9jjdv.exec:\9jjdv.exe120⤵PID:1324
-
\??\c:\rxxlxxl.exec:\rxxlxxl.exe121⤵PID:3688
-
\??\c:\ttbtbt.exec:\ttbtbt.exe122⤵PID:2540