Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe
-
Size
455KB
-
MD5
3bdbc74e2652b7b492e9ac08389c5c4b
-
SHA1
a3211ac53589ae7b8f59c37699bf4753fdc3cddb
-
SHA256
465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8
-
SHA512
c9f66e562017c008fc1e535179fdfee72fe3c57f2e291eab26564df34290c530875f464ef4d0c9092635532100037ccdf5a2cdd93c91d4e7b81cd391695a7883
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRU:q7Tc2NYHUrAwfMp3CDRU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2096-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1496-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/784-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/468-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-1011-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-1232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-1327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-1373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/748-1536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1724 ffflfxx.exe 2372 jvvjj.exe 3200 lfxrrll.exe 4860 nnhhbt.exe 4852 dpvpp.exe 2824 jdppv.exe 3640 fxxrflr.exe 2848 nhnnbh.exe 2136 dddvv.exe 764 rrrlflf.exe 1564 nhbbtn.exe 264 ddvpj.exe 2996 xrrlxrl.exe 3152 tnnhhh.exe 2376 1xffxfx.exe 4768 hnbbbn.exe 1584 ffllfff.exe 4632 btbbbb.exe 3336 vjjdv.exe 2404 bhbthb.exe 3292 pjjpj.exe 952 ntbhbb.exe 4264 rlxrxxf.exe 5068 ddjjd.exe 1496 pdjjd.exe 2276 hbbtnn.exe 3516 lrxrxxx.exe 3824 pddpv.exe 2748 xflxxlf.exe 3556 3ddvp.exe 4368 llrlxlx.exe 1672 jdpdp.exe 2772 xxfffff.exe 1916 nbtnhb.exe 4336 9jdvp.exe 2144 jddpd.exe 784 fffxrlx.exe 1052 3hbnhn.exe 812 jjjvd.exe 2572 ffffrrl.exe 3364 ttnhhb.exe 4752 btbnth.exe 2384 jvvvj.exe 2812 fxflfxr.exe 2260 hnhbhb.exe 3036 bntnnh.exe 4416 jjpjv.exe 3540 ffxffxx.exe 3412 tbbntn.exe 1724 5tthbt.exe 4988 jpjpd.exe 4964 xffrrlf.exe 4860 xfrfrfr.exe 2612 vpppj.exe 1428 dpdpj.exe 3640 lfrfrxr.exe 3496 5nbtbt.exe 3012 htnhnh.exe 1108 3pvpj.exe 2492 lfrfrlf.exe 2256 ttttnh.exe 2852 pjjjd.exe 3780 xrxrffr.exe 2040 nhbtbb.exe -
resource yara_rule behavioral2/memory/2096-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1496-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/784-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1904-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-872-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 1724 2096 465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe 84 PID 2096 wrote to memory of 1724 2096 465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe 84 PID 2096 wrote to memory of 1724 2096 465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe 84 PID 1724 wrote to memory of 2372 1724 ffflfxx.exe 85 PID 1724 wrote to memory of 2372 1724 ffflfxx.exe 85 PID 1724 wrote to memory of 2372 1724 ffflfxx.exe 85 PID 2372 wrote to memory of 3200 2372 jvvjj.exe 86 PID 2372 wrote to memory of 3200 2372 jvvjj.exe 86 PID 2372 wrote to memory of 3200 2372 jvvjj.exe 86 PID 3200 wrote to memory of 4860 3200 lfxrrll.exe 87 PID 3200 wrote to memory of 4860 3200 lfxrrll.exe 87 PID 3200 wrote to memory of 4860 3200 lfxrrll.exe 87 PID 4860 wrote to memory of 4852 4860 nnhhbt.exe 88 PID 4860 wrote to memory of 4852 4860 nnhhbt.exe 88 PID 4860 wrote to memory of 4852 4860 nnhhbt.exe 88 PID 4852 wrote to memory of 2824 4852 dpvpp.exe 89 PID 4852 wrote to memory of 2824 4852 dpvpp.exe 89 PID 4852 wrote to memory of 2824 4852 dpvpp.exe 89 PID 2824 wrote to memory of 3640 2824 jdppv.exe 90 PID 2824 wrote to memory of 3640 2824 jdppv.exe 90 PID 2824 wrote to memory of 3640 2824 jdppv.exe 90 PID 3640 wrote to memory of 2848 3640 fxxrflr.exe 91 PID 3640 wrote to memory of 2848 3640 fxxrflr.exe 91 PID 3640 wrote to memory of 2848 3640 fxxrflr.exe 91 PID 2848 wrote to memory of 2136 2848 nhnnbh.exe 92 PID 2848 wrote to memory of 2136 2848 nhnnbh.exe 92 PID 2848 wrote to memory of 2136 2848 nhnnbh.exe 92 PID 2136 wrote to memory of 764 2136 dddvv.exe 93 PID 2136 wrote to memory of 764 2136 dddvv.exe 93 PID 2136 wrote to memory of 764 2136 dddvv.exe 93 PID 764 wrote to memory of 1564 764 rrrlflf.exe 94 PID 764 wrote to memory of 1564 764 rrrlflf.exe 94 PID 764 wrote to memory of 1564 764 rrrlflf.exe 94 PID 1564 wrote to memory of 264 1564 nhbbtn.exe 95 PID 1564 wrote to memory of 
264 1564 nhbbtn.exe 95 PID 1564 wrote to memory of 264 1564 nhbbtn.exe 95 PID 264 wrote to memory of 2996 264 ddvpj.exe 96 PID 264 wrote to memory of 2996 264 ddvpj.exe 96 PID 264 wrote to memory of 2996 264 ddvpj.exe 96 PID 2996 wrote to memory of 3152 2996 xrrlxrl.exe 97 PID 2996 wrote to memory of 3152 2996 xrrlxrl.exe 97 PID 2996 wrote to memory of 3152 2996 xrrlxrl.exe 97 PID 3152 wrote to memory of 2376 3152 tnnhhh.exe 98 PID 3152 wrote to memory of 2376 3152 tnnhhh.exe 98 PID 3152 wrote to memory of 2376 3152 tnnhhh.exe 98 PID 2376 wrote to memory of 4768 2376 1xffxfx.exe 99 PID 2376 wrote to memory of 4768 2376 1xffxfx.exe 99 PID 2376 wrote to memory of 4768 2376 1xffxfx.exe 99 PID 4768 wrote to memory of 1584 4768 hnbbbn.exe 100 PID 4768 wrote to memory of 1584 4768 hnbbbn.exe 100 PID 4768 wrote to memory of 1584 4768 hnbbbn.exe 100 PID 1584 wrote to memory of 4632 1584 ffllfff.exe 101 PID 1584 wrote to memory of 4632 1584 ffllfff.exe 101 PID 1584 wrote to memory of 4632 1584 ffllfff.exe 101 PID 4632 wrote to memory of 3336 4632 btbbbb.exe 102 PID 4632 wrote to memory of 3336 4632 btbbbb.exe 102 PID 4632 wrote to memory of 3336 4632 btbbbb.exe 102 PID 3336 wrote to memory of 2404 3336 vjjdv.exe 103 PID 3336 wrote to memory of 2404 3336 vjjdv.exe 103 PID 3336 wrote to memory of 2404 3336 vjjdv.exe 103 PID 2404 wrote to memory of 3292 2404 bhbthb.exe 104 PID 2404 wrote to memory of 3292 2404 bhbthb.exe 104 PID 2404 wrote to memory of 3292 2404 bhbthb.exe 104 PID 3292 wrote to memory of 952 3292 pjjpj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe"C:\Users\Admin\AppData\Local\Temp\465090978fe86ba232e951e0c5716bca7b6a6b82950dcbf16cc6c7f62c7e25e8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\ffflfxx.exec:\ffflfxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\jvvjj.exec:\jvvjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\lfxrrll.exec:\lfxrrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\nnhhbt.exec:\nnhhbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\dpvpp.exec:\dpvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\jdppv.exec:\jdppv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\fxxrflr.exec:\fxxrflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\nhnnbh.exec:\nhnnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\dddvv.exec:\dddvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\rrrlflf.exec:\rrrlflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\nhbbtn.exec:\nhbbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\ddvpj.exec:\ddvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\tnnhhh.exec:\tnnhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\1xffxfx.exec:\1xffxfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\hnbbbn.exec:\hnbbbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\ffllfff.exec:\ffllfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\btbbbb.exec:\btbbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\vjjdv.exec:\vjjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\bhbthb.exec:\bhbthb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\pjjpj.exec:\pjjpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\ntbhbb.exec:\ntbhbb.exe23⤵
- Executes dropped EXE
PID:952 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe24⤵
- Executes dropped EXE
PID:4264 -
\??\c:\ddjjd.exec:\ddjjd.exe25⤵
- Executes dropped EXE
PID:5068 -
\??\c:\pdjjd.exec:\pdjjd.exe26⤵
- Executes dropped EXE
PID:1496 -
\??\c:\hbbtnn.exec:\hbbtnn.exe27⤵
- Executes dropped EXE
PID:2276 -
\??\c:\lrxrxxx.exec:\lrxrxxx.exe28⤵
- Executes dropped EXE
PID:3516 -
\??\c:\pddpv.exec:\pddpv.exe29⤵
- Executes dropped EXE
PID:3824 -
\??\c:\xflxxlf.exec:\xflxxlf.exe30⤵
- Executes dropped EXE
PID:2748 -
\??\c:\3ddvp.exec:\3ddvp.exe31⤵
- Executes dropped EXE
PID:3556 -
\??\c:\llrlxlx.exec:\llrlxlx.exe32⤵
- Executes dropped EXE
PID:4368 -
\??\c:\jdpdp.exec:\jdpdp.exe33⤵
- Executes dropped EXE
PID:1672 -
\??\c:\xxfffff.exec:\xxfffff.exe34⤵
- Executes dropped EXE
PID:2772 -
\??\c:\nbtnhb.exec:\nbtnhb.exe35⤵
- Executes dropped EXE
PID:1916 -
\??\c:\9jdvp.exec:\9jdvp.exe36⤵
- Executes dropped EXE
PID:4336 -
\??\c:\jddpd.exec:\jddpd.exe37⤵
- Executes dropped EXE
PID:2144 -
\??\c:\fffxrlx.exec:\fffxrlx.exe38⤵
- Executes dropped EXE
PID:784 -
\??\c:\3hbnhn.exec:\3hbnhn.exe39⤵
- Executes dropped EXE
PID:1052 -
\??\c:\jjjvd.exec:\jjjvd.exe40⤵
- Executes dropped EXE
PID:812 -
\??\c:\ffffrrl.exec:\ffffrrl.exe41⤵
- Executes dropped EXE
PID:2572 -
\??\c:\ttnhhb.exec:\ttnhhb.exe42⤵
- Executes dropped EXE
PID:3364 -
\??\c:\btbnth.exec:\btbnth.exe43⤵
- Executes dropped EXE
PID:4752 -
\??\c:\jvvvj.exec:\jvvvj.exe44⤵
- Executes dropped EXE
PID:2384 -
\??\c:\fxflfxr.exec:\fxflfxr.exe45⤵
- Executes dropped EXE
PID:2812 -
\??\c:\hnhbhb.exec:\hnhbhb.exe46⤵
- Executes dropped EXE
PID:2260 -
\??\c:\bntnnh.exec:\bntnnh.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036 -
\??\c:\jjpjv.exec:\jjpjv.exe48⤵
- Executes dropped EXE
PID:4416 -
\??\c:\ffxffxx.exec:\ffxffxx.exe49⤵
- Executes dropped EXE
PID:3540 -
\??\c:\tbbntn.exec:\tbbntn.exe50⤵
- Executes dropped EXE
PID:3412 -
\??\c:\5tthbt.exec:\5tthbt.exe51⤵
- Executes dropped EXE
PID:1724 -
\??\c:\jpjpd.exec:\jpjpd.exe52⤵
- Executes dropped EXE
PID:4988 -
\??\c:\xffrrlf.exec:\xffrrlf.exe53⤵
- Executes dropped EXE
PID:4964 -
\??\c:\xfrfrfr.exec:\xfrfrfr.exe54⤵
- Executes dropped EXE
PID:4860 -
\??\c:\vpppj.exec:\vpppj.exe55⤵
- Executes dropped EXE
PID:2612 -
\??\c:\dpdpj.exec:\dpdpj.exe56⤵
- Executes dropped EXE
PID:1428 -
\??\c:\lfrfrxr.exec:\lfrfrxr.exe57⤵
- Executes dropped EXE
PID:3640 -
\??\c:\5nbtbt.exec:\5nbtbt.exe58⤵
- Executes dropped EXE
PID:3496 -
\??\c:\htnhnh.exec:\htnhnh.exe59⤵
- Executes dropped EXE
PID:3012 -
\??\c:\3pvpj.exec:\3pvpj.exe60⤵
- Executes dropped EXE
PID:1108 -
\??\c:\lfrfrlf.exec:\lfrfrlf.exe61⤵
- Executes dropped EXE
PID:2492 -
\??\c:\ttttnh.exec:\ttttnh.exe62⤵
- Executes dropped EXE
PID:2256 -
\??\c:\pjjjd.exec:\pjjjd.exe63⤵
- Executes dropped EXE
PID:2852 -
\??\c:\xrxrffr.exec:\xrxrffr.exe64⤵
- Executes dropped EXE
PID:3780 -
\??\c:\nhbtbb.exec:\nhbtbb.exe65⤵
- Executes dropped EXE
PID:2040 -
\??\c:\5bnbnb.exec:\5bnbnb.exe66⤵PID:1920
-
\??\c:\pdddj.exec:\pdddj.exe67⤵PID:2204
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe68⤵PID:4172
-
\??\c:\hhnntn.exec:\hhnntn.exe69⤵PID:5008
-
\??\c:\vvvjp.exec:\vvvjp.exe70⤵PID:4104
-
\??\c:\1xrrffx.exec:\1xrrffx.exe71⤵PID:2380
-
\??\c:\xlrffrf.exec:\xlrffrf.exe72⤵PID:4020
-
\??\c:\1nbhnh.exec:\1nbhnh.exe73⤵PID:5036
-
\??\c:\dvvpp.exec:\dvvpp.exe74⤵
- System Location Discovery: System Language Discovery
PID:1584 -
\??\c:\fxrlxxl.exec:\fxrlxxl.exe75⤵PID:3348
-
\??\c:\lffxlxl.exec:\lffxlxl.exe76⤵PID:4024
-
\??\c:\nttnbt.exec:\nttnbt.exe77⤵PID:2752
-
\??\c:\jpjdj.exec:\jpjdj.exe78⤵PID:4500
-
\??\c:\xrllrlr.exec:\xrllrlr.exe79⤵PID:1156
-
\??\c:\xrlxlfr.exec:\xrlxlfr.exe80⤵PID:1700
-
\??\c:\thntnh.exec:\thntnh.exe81⤵PID:956
-
\??\c:\dddpd.exec:\dddpd.exe82⤵PID:1984
-
\??\c:\fflfrrl.exec:\fflfrrl.exe83⤵PID:1028
-
\??\c:\lrrrfrf.exec:\lrrrfrf.exe84⤵PID:468
-
\??\c:\hnhhbt.exec:\hnhhbt.exe85⤵PID:2832
-
\??\c:\3dvjp.exec:\3dvjp.exe86⤵PID:1496
-
\??\c:\lllxfrf.exec:\lllxfrf.exe87⤵PID:2276
-
\??\c:\httnbt.exec:\httnbt.exe88⤵PID:4092
-
\??\c:\hbbhtn.exec:\hbbhtn.exe89⤵PID:3592
-
\??\c:\dvvpd.exec:\dvvpd.exe90⤵PID:2976
-
\??\c:\lxxrlll.exec:\lxxrlll.exe91⤵PID:3968
-
\??\c:\htthbb.exec:\htthbb.exe92⤵PID:748
-
\??\c:\vvdjp.exec:\vvdjp.exe93⤵PID:1904
-
\??\c:\jpvjp.exec:\jpvjp.exe94⤵PID:5028
-
\??\c:\lfrlxfx.exec:\lfrlxfx.exe95⤵PID:1672
-
\??\c:\5tthtn.exec:\5tthtn.exe96⤵PID:2772
-
\??\c:\jppjv.exec:\jppjv.exe97⤵PID:5064
-
\??\c:\vvvdv.exec:\vvvdv.exe98⤵PID:2012
-
\??\c:\xxlfrlf.exec:\xxlfrlf.exe99⤵PID:2144
-
\??\c:\5nhtnh.exec:\5nhtnh.exe100⤵PID:784
-
\??\c:\ddjvj.exec:\ddjvj.exe101⤵PID:1588
-
\??\c:\flrfrrf.exec:\flrfrrf.exe102⤵PID:2556
-
\??\c:\xffxrfr.exec:\xffxrfr.exe103⤵PID:1928
-
\??\c:\tnnhbn.exec:\tnnhbn.exe104⤵PID:2504
-
\??\c:\jdjpp.exec:\jdjpp.exe105⤵PID:4824
-
\??\c:\pppdv.exec:\pppdv.exe106⤵
- System Location Discovery: System Language Discovery
PID:2392 -
\??\c:\7lfrxrl.exec:\7lfrxrl.exe107⤵PID:4880
-
\??\c:\tbbtbt.exec:\tbbtbt.exe108⤵PID:4980
-
\??\c:\jjjjp.exec:\jjjjp.exe109⤵PID:4396
-
\??\c:\lxfrlff.exec:\lxfrlff.exe110⤵PID:4608
-
\??\c:\5xxrxfr.exec:\5xxrxfr.exe111⤵PID:1692
-
\??\c:\bntttt.exec:\bntttt.exe112⤵PID:3508
-
\??\c:\vdjvj.exec:\vdjvj.exe113⤵PID:2876
-
\??\c:\1lfxllf.exec:\1lfxllf.exe114⤵PID:3332
-
\??\c:\bhnbth.exec:\bhnbth.exe115⤵PID:2860
-
\??\c:\1bthtn.exec:\1bthtn.exe116⤵PID:4964
-
\??\c:\dvdpj.exec:\dvdpj.exe117⤵PID:4860
-
\??\c:\rfxlxrx.exec:\rfxlxrx.exe118⤵PID:2496
-
\??\c:\llrfrlf.exec:\llrfrlf.exe119⤵PID:2824
-
\??\c:\hntnth.exec:\hntnth.exe120⤵PID:2688
-
\??\c:\jpvvp.exec:\jpvvp.exe121⤵PID:3496
-
\??\c:\rxfrffx.exec:\rxfrffx.exe122⤵PID:1364