Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6574ceae9ab44b1a7e6068b2b5c73c8a322d3fd0dd23b016f3d20a8bf87b300.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
a6574ceae9ab44b1a7e6068b2b5c73c8a322d3fd0dd23b016f3d20a8bf87b300.exe
-
Size
453KB
-
MD5
aa50a9422ef3c3e770fc6df958f6d5f6
-
SHA1
5727000564274a33e402b2132deb06520c89ea8c
-
SHA256
a6574ceae9ab44b1a7e6068b2b5c73c8a322d3fd0dd23b016f3d20a8bf87b300
-
SHA512
b72a49e4e4d46fae0d981487ef985f924e7d07d79476fc0e4a74be34caf9756f52e935cd2f095e832fad9ea9fae3c5fd8a8643e8996f8c00ddd82b3106e563a4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetD:q7Tc2NYHUrAwfMp3CDtD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2712-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4500-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5032-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-1038-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-1186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-1440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3720-1906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3140 fxfxrrl.exe 4188 jjvvp.exe 4260 xxlrxfl.exe 3808 7nthnn.exe 1200 5vpjj.exe 4736 lllfxxr.exe 1168 hbbnhb.exe 1016 htbtnh.exe 4288 vvjvp.exe 2500 flffxxx.exe 1460 hbtnnh.exe 2896 bnbtnt.exe 2556 jjpvp.exe 4216 fxlflfr.exe 3064 9jjdp.exe 4140 jvdvp.exe 1664 rrlfrrr.exe 2224 bbhbbb.exe 2172 dvvpj.exe 1672 xxfrrlf.exe 3308 jpvvp.exe 3284 5vjvv.exe 4988 5rxxrxr.exe 1188 nthbtn.exe 3488 nhtttt.exe 4500 jjdvp.exe 628 3vjdp.exe 3604 7lfxrrl.exe 1364 btntnn.exe 3764 frxrlrl.exe 2628 nhhbbt.exe 372 tbhbbb.exe 2272 ddddj.exe 2108 7xxlfrl.exe 3880 hbbtnn.exe 2408 jdpvj.exe 3116 pjvjd.exe 3364 lxxfrrr.exe 2476 nthtnn.exe 1432 hntnnn.exe 1492 frxrfff.exe 4560 bhtnhh.exe 728 7htnbb.exe 3956 vjjpd.exe 4408 rfrrrrx.exe 3976 htbbtt.exe 4328 nhnnhh.exe 3044 jjdvp.exe 3004 pjpjj.exe 3396 llxrlff.exe 3820 nhhthh.exe 3904 jddvj.exe 4360 rfffffx.exe 4908 nthhbt.exe 3508 hntnhb.exe 1532 vdjdv.exe 2140 rllfrrl.exe 1732 5bnhbb.exe 3908 hhbtnn.exe 4996 vvpjp.exe 4288 lxrlffx.exe 3192 nntntt.exe 2500 1vdvp.exe 5016 vpvpd.exe -
resource yara_rule behavioral2/memory/2712-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3604-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3532-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6574ceae9ab44b1a7e6068b2b5c73c8a322d3fd0dd23b016f3d20a8bf87b300.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5htntt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 3140 2712 a6574ceae9ab44b1a7e6068b2b5c73c8a322d3fd0dd23b016f3d20a8bf87b300.exe 82 PID 2712 wrote to memory of 3140 2712 a6574ceae9ab44b1a7e6068b2b5c73c8a322d3fd0dd23b016f3d20a8bf87b300.exe 82 PID 2712 wrote to memory of 3140 2712 a6574ceae9ab44b1a7e6068b2b5c73c8a322d3fd0dd23b016f3d20a8bf87b300.exe 82 PID 3140 wrote to memory of 4188 3140 fxfxrrl.exe 83 PID 3140 wrote to memory of 4188 3140 fxfxrrl.exe 83 PID 3140 wrote to memory of 4188 3140 fxfxrrl.exe 83 PID 4188 wrote to memory of 4260 4188 jjvvp.exe 84 PID 4188 wrote to memory of 4260 4188 jjvvp.exe 84 PID 4188 wrote to memory of 4260 4188 jjvvp.exe 84 PID 4260 wrote to memory of 3808 4260 xxlrxfl.exe 85 PID 4260 wrote to memory of 3808 4260 xxlrxfl.exe 85 PID 4260 wrote to memory of 3808 4260 xxlrxfl.exe 85 PID 3808 wrote to memory of 1200 3808 7nthnn.exe 86 PID 3808 wrote to memory of 1200 3808 7nthnn.exe 86 PID 3808 wrote to memory of 1200 3808 7nthnn.exe 86 PID 1200 wrote to memory of 4736 1200 5vpjj.exe 87 PID 1200 wrote to memory of 4736 1200 5vpjj.exe 87 PID 1200 wrote to memory of 4736 1200 5vpjj.exe 87 PID 4736 wrote to memory of 1168 4736 lllfxxr.exe 88 PID 4736 wrote to memory of 1168 4736 lllfxxr.exe 88 PID 4736 wrote to memory of 1168 4736 lllfxxr.exe 88 PID 1168 wrote to memory of 1016 1168 hbbnhb.exe 89 PID 1168 wrote to memory of 1016 1168 hbbnhb.exe 89 PID 1168 wrote to memory of 1016 1168 hbbnhb.exe 89 PID 1016 wrote to memory of 4288 1016 htbtnh.exe 90 PID 1016 wrote to memory of 4288 1016 htbtnh.exe 90 PID 1016 wrote to memory of 4288 1016 htbtnh.exe 90 PID 4288 wrote to memory of 2500 4288 vvjvp.exe 91 PID 4288 wrote to memory of 2500 4288 vvjvp.exe 91 PID 4288 wrote to memory of 2500 4288 vvjvp.exe 91 PID 2500 wrote to memory of 1460 2500 flffxxx.exe 92 PID 2500 wrote to memory of 1460 2500 flffxxx.exe 92 PID 2500 wrote to memory of 1460 2500 flffxxx.exe 92 PID 1460 wrote to memory of 2896 1460 hbtnnh.exe 93 PID 1460 wrote 
to memory of 2896 1460 hbtnnh.exe 93 PID 1460 wrote to memory of 2896 1460 hbtnnh.exe 93 PID 2896 wrote to memory of 2556 2896 bnbtnt.exe 94 PID 2896 wrote to memory of 2556 2896 bnbtnt.exe 94 PID 2896 wrote to memory of 2556 2896 bnbtnt.exe 94 PID 2556 wrote to memory of 4216 2556 jjpvp.exe 95 PID 2556 wrote to memory of 4216 2556 jjpvp.exe 95 PID 2556 wrote to memory of 4216 2556 jjpvp.exe 95 PID 4216 wrote to memory of 3064 4216 fxlflfr.exe 96 PID 4216 wrote to memory of 3064 4216 fxlflfr.exe 96 PID 4216 wrote to memory of 3064 4216 fxlflfr.exe 96 PID 3064 wrote to memory of 4140 3064 9jjdp.exe 97 PID 3064 wrote to memory of 4140 3064 9jjdp.exe 97 PID 3064 wrote to memory of 4140 3064 9jjdp.exe 97 PID 4140 wrote to memory of 1664 4140 jvdvp.exe 98 PID 4140 wrote to memory of 1664 4140 jvdvp.exe 98 PID 4140 wrote to memory of 1664 4140 jvdvp.exe 98 PID 1664 wrote to memory of 2224 1664 rrlfrrr.exe 99 PID 1664 wrote to memory of 2224 1664 rrlfrrr.exe 99 PID 1664 wrote to memory of 2224 1664 rrlfrrr.exe 99 PID 2224 wrote to memory of 2172 2224 bbhbbb.exe 100 PID 2224 wrote to memory of 2172 2224 bbhbbb.exe 100 PID 2224 wrote to memory of 2172 2224 bbhbbb.exe 100 PID 2172 wrote to memory of 1672 2172 dvvpj.exe 101 PID 2172 wrote to memory of 1672 2172 dvvpj.exe 101 PID 2172 wrote to memory of 1672 2172 dvvpj.exe 101 PID 1672 wrote to memory of 3308 1672 xxfrrlf.exe 102 PID 1672 wrote to memory of 3308 1672 xxfrrlf.exe 102 PID 1672 wrote to memory of 3308 1672 xxfrrlf.exe 102 PID 3308 wrote to memory of 3284 3308 jpvvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6574ceae9ab44b1a7e6068b2b5c73c8a322d3fd0dd23b016f3d20a8bf87b300.exe"C:\Users\Admin\AppData\Local\Temp\a6574ceae9ab44b1a7e6068b2b5c73c8a322d3fd0dd23b016f3d20a8bf87b300.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\jjvvp.exec:\jjvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\xxlrxfl.exec:\xxlrxfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\7nthnn.exec:\7nthnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\5vpjj.exec:\5vpjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\lllfxxr.exec:\lllfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\hbbnhb.exec:\hbbnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\htbtnh.exec:\htbtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\vvjvp.exec:\vvjvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\flffxxx.exec:\flffxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\hbtnnh.exec:\hbtnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\bnbtnt.exec:\bnbtnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\jjpvp.exec:\jjpvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\fxlflfr.exec:\fxlflfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\9jjdp.exec:\9jjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\jvdvp.exec:\jvdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\rrlfrrr.exec:\rrlfrrr.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\bbhbbb.exec:\bbhbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\dvvpj.exec:\dvvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\xxfrrlf.exec:\xxfrrlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\jpvvp.exec:\jpvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\5vjvv.exec:\5vjvv.exe23⤵
- Executes dropped EXE
PID:3284 -
\??\c:\5rxxrxr.exec:\5rxxrxr.exe24⤵
- Executes dropped EXE
PID:4988 -
\??\c:\nthbtn.exec:\nthbtn.exe25⤵
- Executes dropped EXE
PID:1188 -
\??\c:\nhtttt.exec:\nhtttt.exe26⤵
- Executes dropped EXE
PID:3488 -
\??\c:\jjdvp.exec:\jjdvp.exe27⤵
- Executes dropped EXE
PID:4500 -
\??\c:\3vjdp.exec:\3vjdp.exe28⤵
- Executes dropped EXE
PID:628 -
\??\c:\7lfxrrl.exec:\7lfxrrl.exe29⤵
- Executes dropped EXE
PID:3604 -
\??\c:\btntnn.exec:\btntnn.exe30⤵
- Executes dropped EXE
PID:1364 -
\??\c:\frxrlrl.exec:\frxrlrl.exe31⤵
- Executes dropped EXE
PID:3764 -
\??\c:\nhhbbt.exec:\nhhbbt.exe32⤵
- Executes dropped EXE
PID:2628 -
\??\c:\tbhbbb.exec:\tbhbbb.exe33⤵
- Executes dropped EXE
PID:372 -
\??\c:\ddddj.exec:\ddddj.exe34⤵
- Executes dropped EXE
PID:2272 -
\??\c:\7xxlfrl.exec:\7xxlfrl.exe35⤵
- Executes dropped EXE
PID:2108 -
\??\c:\hbbtnn.exec:\hbbtnn.exe36⤵
- Executes dropped EXE
PID:3880 -
\??\c:\jdpvj.exec:\jdpvj.exe37⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pjvjd.exec:\pjvjd.exe38⤵
- Executes dropped EXE
PID:3116 -
\??\c:\lxxfrrr.exec:\lxxfrrr.exe39⤵
- Executes dropped EXE
PID:3364 -
\??\c:\nthtnn.exec:\nthtnn.exe40⤵
- Executes dropped EXE
PID:2476 -
\??\c:\hntnnn.exec:\hntnnn.exe41⤵
- Executes dropped EXE
PID:1432 -
\??\c:\frxrfff.exec:\frxrfff.exe42⤵
- Executes dropped EXE
PID:1492 -
\??\c:\bhtnhh.exec:\bhtnhh.exe43⤵
- Executes dropped EXE
PID:4560 -
\??\c:\7htnbb.exec:\7htnbb.exe44⤵
- Executes dropped EXE
PID:728 -
\??\c:\vjjpd.exec:\vjjpd.exe45⤵
- Executes dropped EXE
PID:3956 -
\??\c:\rfrrrrx.exec:\rfrrrrx.exe46⤵
- Executes dropped EXE
PID:4408 -
\??\c:\htbbtt.exec:\htbbtt.exe47⤵
- Executes dropped EXE
PID:3976 -
\??\c:\nhnnhh.exec:\nhnnhh.exe48⤵
- Executes dropped EXE
PID:4328 -
\??\c:\jjdvp.exec:\jjdvp.exe49⤵
- Executes dropped EXE
PID:3044 -
\??\c:\pjpjj.exec:\pjpjj.exe50⤵
- Executes dropped EXE
PID:3004 -
\??\c:\llxrlff.exec:\llxrlff.exe51⤵
- Executes dropped EXE
PID:3396 -
\??\c:\nhhthh.exec:\nhhthh.exe52⤵
- Executes dropped EXE
PID:3820 -
\??\c:\jddvj.exec:\jddvj.exe53⤵
- Executes dropped EXE
PID:3904 -
\??\c:\rfffffx.exec:\rfffffx.exe54⤵
- Executes dropped EXE
PID:4360 -
\??\c:\nthhbt.exec:\nthhbt.exe55⤵
- Executes dropped EXE
PID:4908 -
\??\c:\hntnhb.exec:\hntnhb.exe56⤵
- Executes dropped EXE
PID:3508 -
\??\c:\vdjdv.exec:\vdjdv.exe57⤵
- Executes dropped EXE
PID:1532 -
\??\c:\rllfrrl.exec:\rllfrrl.exe58⤵
- Executes dropped EXE
PID:2140 -
\??\c:\5bnhbb.exec:\5bnhbb.exe59⤵
- Executes dropped EXE
PID:1732 -
\??\c:\hhbtnn.exec:\hhbtnn.exe60⤵
- Executes dropped EXE
PID:3908 -
\??\c:\vvpjp.exec:\vvpjp.exe61⤵
- Executes dropped EXE
PID:4996 -
\??\c:\lxrlffx.exec:\lxrlffx.exe62⤵
- Executes dropped EXE
PID:4288 -
\??\c:\nntntt.exec:\nntntt.exe63⤵
- Executes dropped EXE
PID:3192 -
\??\c:\1vdvp.exec:\1vdvp.exe64⤵
- Executes dropped EXE
PID:2500 -
\??\c:\vpvpd.exec:\vpvpd.exe65⤵
- Executes dropped EXE
PID:5016 -
\??\c:\rllffxx.exec:\rllffxx.exe66⤵PID:1976
-
\??\c:\hbhbtn.exec:\hbhbtn.exe67⤵PID:4704
-
\??\c:\nhnhtt.exec:\nhnhtt.exe68⤵PID:2976
-
\??\c:\1ppjd.exec:\1ppjd.exe69⤵PID:4796
-
\??\c:\rlrrrrl.exec:\rlrrrrl.exe70⤵PID:3856
-
\??\c:\5tnhbt.exec:\5tnhbt.exe71⤵PID:2692
-
\??\c:\vddpj.exec:\vddpj.exe72⤵PID:4428
-
\??\c:\7djdd.exec:\7djdd.exe73⤵PID:2276
-
\??\c:\rflfxrl.exec:\rflfxrl.exe74⤵PID:5104
-
\??\c:\xxfxxxf.exec:\xxfxxxf.exe75⤵PID:1624
-
\??\c:\dvjpj.exec:\dvjpj.exe76⤵PID:2148
-
\??\c:\pddpj.exec:\pddpj.exe77⤵PID:4952
-
\??\c:\3fxrlff.exec:\3fxrlff.exe78⤵PID:440
-
\??\c:\lrflffx.exec:\lrflffx.exe79⤵PID:1064
-
\??\c:\ttbbbt.exec:\ttbbbt.exe80⤵PID:2172
-
\??\c:\7ddpj.exec:\7ddpj.exe81⤵PID:4856
-
\??\c:\lflfrfx.exec:\lflfrfx.exe82⤵PID:1596
-
\??\c:\fffxrlx.exec:\fffxrlx.exe83⤵PID:5032
-
\??\c:\nhhbtt.exec:\nhhbtt.exe84⤵PID:4684
-
\??\c:\djpvp.exec:\djpvp.exe85⤵PID:2296
-
\??\c:\rxrlxfl.exec:\rxrlxfl.exe86⤵PID:1308
-
\??\c:\tthhhb.exec:\tthhhb.exe87⤵PID:2056
-
\??\c:\pvjdv.exec:\pvjdv.exe88⤵PID:4708
-
\??\c:\9ffxlll.exec:\9ffxlll.exe89⤵PID:2152
-
\??\c:\9hbnhh.exec:\9hbnhh.exe90⤵PID:880
-
\??\c:\ttbtnn.exec:\ttbtnn.exe91⤵PID:1584
-
\??\c:\dddvp.exec:\dddvp.exe92⤵PID:4196
-
\??\c:\9ffxxfx.exec:\9ffxxfx.exe93⤵PID:1440
-
\??\c:\thhhtt.exec:\thhhtt.exe94⤵PID:3532
-
\??\c:\jppjd.exec:\jppjd.exe95⤵PID:5056
-
\??\c:\jvddj.exec:\jvddj.exe96⤵PID:3720
-
\??\c:\rlrlfff.exec:\rlrlfff.exe97⤵PID:2320
-
\??\c:\1hhbbb.exec:\1hhbbb.exe98⤵PID:3564
-
\??\c:\9vpjd.exec:\9vpjd.exe99⤵PID:4860
-
\??\c:\pjpjj.exec:\pjpjj.exe100⤵PID:2272
-
\??\c:\rflxllx.exec:\rflxllx.exe101⤵PID:4404
-
\??\c:\bhbbnn.exec:\bhbbnn.exe102⤵PID:3812
-
\??\c:\pjjdv.exec:\pjjdv.exe103⤵PID:2540
-
\??\c:\lffxrll.exec:\lffxrll.exe104⤵PID:3076
-
\??\c:\xllrllx.exec:\xllrllx.exe105⤵PID:1908
-
\??\c:\tbbnbt.exec:\tbbnbt.exe106⤵PID:2092
-
\??\c:\pjjdv.exec:\pjjdv.exe107⤵PID:5112
-
\??\c:\llrlrrr.exec:\llrlrrr.exe108⤵PID:4120
-
\??\c:\lfflxrf.exec:\lfflxrf.exe109⤵
- System Location Discovery: System Language Discovery
PID:3584 -
\??\c:\ttbnbt.exec:\ttbnbt.exe110⤵PID:3492
-
\??\c:\dppdv.exec:\dppdv.exe111⤵PID:3884
-
\??\c:\jddjd.exec:\jddjd.exe112⤵PID:5092
-
\??\c:\rfxlfxl.exec:\rfxlfxl.exe113⤵PID:3556
-
\??\c:\3hbtbh.exec:\3hbtbh.exe114⤵PID:3976
-
\??\c:\vvdpd.exec:\vvdpd.exe115⤵PID:3000
-
\??\c:\vpvpj.exec:\vpvpj.exe116⤵PID:3044
-
\??\c:\frlfrlf.exec:\frlfrlf.exe117⤵PID:2640
-
\??\c:\btbthb.exec:\btbthb.exe118⤵PID:1972
-
\??\c:\9nnbtn.exec:\9nnbtn.exe119⤵PID:376
-
\??\c:\dppjd.exec:\dppjd.exe120⤵PID:1000
-
\??\c:\rflxlfr.exec:\rflxlfr.exe121⤵PID:2908
-
\??\c:\thbtht.exec:\thbtht.exe122⤵PID:1812