Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 07:06
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe
-
Size
454KB
-
MD5
2704c12738a490782606030e0da88d9c
-
SHA1
e3b8f4417a385cae75ffcff8f8abd3a4cf4e02bf
-
SHA256
afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef
-
SHA512
b96e4894df39b8ccc3ab116c2764bdbd510ebac38f21a5a13136ef9faa3370f146c538c6e180294fb1d827e8dc6552b8714b4bdfec87b47eba68bf9725231cfb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTx:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3312-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/744-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5052-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-1006-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-1058-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2668-1125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3920 flrlllf.exe 3292 9nnhbb.exe 4580 1jjdj.exe 3828 fxlflrx.exe 4980 rlxxfxf.exe 4540 9bbtnn.exe 1080 nhbtbb.exe 2784 vvdjp.exe 2544 xffxxrl.exe 3400 3tbtnb.exe 1620 ddpvj.exe 32 lrxffff.exe 4176 lrlfxxx.exe 2092 bhtbtt.exe 2540 dvppj.exe 2228 lfllfff.exe 1732 xflfxxr.exe 2488 hththt.exe 1100 pdjjp.exe 2956 pjjdp.exe 2632 5lxrllf.exe 1880 1tttnt.exe 752 bttnhb.exe 2616 vdpjv.exe 2732 rllfxxr.exe 3892 lxfxxxf.exe 8 7bbtnn.exe 4028 xflfxxr.exe 2876 5bnnhh.exe 3036 btnhnb.exe 3460 7vvpj.exe 4948 5xxffff.exe 744 bntnhb.exe 1084 5ddvj.exe 1652 dpvpj.exe 4620 lffxrrr.exe 4720 htbtnn.exe 4608 7bnnhn.exe 740 jvdvp.exe 4344 xlrlrlf.exe 1520 lllfxfx.exe 952 bnhbbb.exe 728 vdddd.exe 1044 vvjjd.exe 3716 rlxxxxf.exe 5028 bhhhnn.exe 4920 thnhbb.exe 3172 jpdvv.exe 1160 1rrllrl.exe 2528 lxfxrlf.exe 4396 bbnnbt.exe 3576 vppjj.exe 2864 vppjd.exe 4456 1xffllr.exe 4504 7hnnhn.exe 4580 nhnnhn.exe 1096 7jjdd.exe 1220 rxffxxr.exe 1332 bttnhb.exe 3932 thbnbt.exe 2204 vpvdv.exe 4736 xrrlllf.exe 4820 thtntt.exe 1928 tnnnnh.exe -
resource yara_rule behavioral2/memory/3312-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-187-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3036-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1788-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-900-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3312 wrote to memory of 3920 3312 afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe 82 PID 3312 wrote to memory of 3920 3312 afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe 82 PID 3312 wrote to memory of 3920 3312 afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe 82 PID 3920 wrote to memory of 3292 3920 flrlllf.exe 83 PID 3920 wrote to memory of 3292 3920 flrlllf.exe 83 PID 3920 wrote to memory of 3292 3920 flrlllf.exe 83 PID 3292 wrote to memory of 4580 3292 9nnhbb.exe 84 PID 3292 wrote to memory of 4580 3292 9nnhbb.exe 84 PID 3292 wrote to memory of 4580 3292 9nnhbb.exe 84 PID 4580 wrote to memory of 3828 4580 1jjdj.exe 85 PID 4580 wrote to memory of 3828 4580 1jjdj.exe 85 PID 4580 wrote to memory of 3828 4580 1jjdj.exe 85 PID 3828 wrote to memory of 4980 3828 fxlflrx.exe 86 PID 3828 wrote to memory of 4980 3828 fxlflrx.exe 86 PID 3828 wrote to memory of 4980 3828 fxlflrx.exe 86 PID 4980 wrote to memory of 4540 4980 rlxxfxf.exe 87 PID 4980 wrote to memory of 4540 4980 rlxxfxf.exe 87 PID 4980 wrote to memory of 4540 4980 rlxxfxf.exe 87 PID 4540 wrote to memory of 1080 4540 9bbtnn.exe 88 PID 4540 wrote to memory of 1080 4540 9bbtnn.exe 88 PID 4540 wrote to memory of 1080 4540 9bbtnn.exe 88 PID 1080 wrote to memory of 2784 1080 nhbtbb.exe 89 PID 1080 wrote to memory of 2784 1080 nhbtbb.exe 89 PID 1080 wrote to memory of 2784 1080 nhbtbb.exe 89 PID 2784 wrote to memory of 2544 2784 vvdjp.exe 90 PID 2784 wrote to memory of 2544 2784 vvdjp.exe 90 PID 2784 wrote to memory of 2544 2784 vvdjp.exe 90 PID 2544 wrote to memory of 3400 2544 xffxxrl.exe 91 PID 2544 wrote to memory of 3400 2544 xffxxrl.exe 91 PID 2544 wrote to memory of 3400 2544 xffxxrl.exe 91 PID 3400 wrote to memory of 1620 3400 3tbtnb.exe 92 PID 3400 wrote to memory of 1620 3400 3tbtnb.exe 92 PID 3400 wrote to memory of 1620 3400 3tbtnb.exe 92 PID 1620 wrote to memory of 32 1620 ddpvj.exe 93 PID 1620 wrote 
to memory of 32 1620 ddpvj.exe 93 PID 1620 wrote to memory of 32 1620 ddpvj.exe 93 PID 32 wrote to memory of 4176 32 lrxffff.exe 94 PID 32 wrote to memory of 4176 32 lrxffff.exe 94 PID 32 wrote to memory of 4176 32 lrxffff.exe 94 PID 4176 wrote to memory of 2092 4176 lrlfxxx.exe 95 PID 4176 wrote to memory of 2092 4176 lrlfxxx.exe 95 PID 4176 wrote to memory of 2092 4176 lrlfxxx.exe 95 PID 2092 wrote to memory of 2540 2092 bhtbtt.exe 96 PID 2092 wrote to memory of 2540 2092 bhtbtt.exe 96 PID 2092 wrote to memory of 2540 2092 bhtbtt.exe 96 PID 2540 wrote to memory of 2228 2540 dvppj.exe 97 PID 2540 wrote to memory of 2228 2540 dvppj.exe 97 PID 2540 wrote to memory of 2228 2540 dvppj.exe 97 PID 2228 wrote to memory of 1732 2228 lfllfff.exe 98 PID 2228 wrote to memory of 1732 2228 lfllfff.exe 98 PID 2228 wrote to memory of 1732 2228 lfllfff.exe 98 PID 1732 wrote to memory of 2488 1732 xflfxxr.exe 99 PID 1732 wrote to memory of 2488 1732 xflfxxr.exe 99 PID 1732 wrote to memory of 2488 1732 xflfxxr.exe 99 PID 2488 wrote to memory of 1100 2488 hththt.exe 100 PID 2488 wrote to memory of 1100 2488 hththt.exe 100 PID 2488 wrote to memory of 1100 2488 hththt.exe 100 PID 1100 wrote to memory of 2956 1100 pdjjp.exe 101 PID 1100 wrote to memory of 2956 1100 pdjjp.exe 101 PID 1100 wrote to memory of 2956 1100 pdjjp.exe 101 PID 2956 wrote to memory of 2632 2956 pjjdp.exe 102 PID 2956 wrote to memory of 2632 2956 pjjdp.exe 102 PID 2956 wrote to memory of 2632 2956 pjjdp.exe 102 PID 2632 wrote to memory of 1880 2632 5lxrllf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe"C:\Users\Admin\AppData\Local\Temp\afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\flrlllf.exec:\flrlllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\9nnhbb.exec:\9nnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\1jjdj.exec:\1jjdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\fxlflrx.exec:\fxlflrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\rlxxfxf.exec:\rlxxfxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\9bbtnn.exec:\9bbtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\nhbtbb.exec:\nhbtbb.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\vvdjp.exec:\vvdjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\xffxxrl.exec:\xffxxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\3tbtnb.exec:\3tbtnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\ddpvj.exec:\ddpvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\lrxffff.exec:\lrxffff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\lrlfxxx.exec:\lrlfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\bhtbtt.exec:\bhtbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\dvppj.exec:\dvppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\lfllfff.exec:\lfllfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\xflfxxr.exec:\xflfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\hththt.exec:\hththt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\pdjjp.exec:\pdjjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\pjjdp.exec:\pjjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\5lxrllf.exec:\5lxrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\1tttnt.exec:\1tttnt.exe23⤵
- Executes dropped EXE
PID:1880 -
\??\c:\bttnhb.exec:\bttnhb.exe24⤵
- Executes dropped EXE
PID:752 -
\??\c:\vdpjv.exec:\vdpjv.exe25⤵
- Executes dropped EXE
PID:2616 -
\??\c:\rllfxxr.exec:\rllfxxr.exe26⤵
- Executes dropped EXE
PID:2732 -
\??\c:\lxfxxxf.exec:\lxfxxxf.exe27⤵
- Executes dropped EXE
PID:3892 -
\??\c:\7bbtnn.exec:\7bbtnn.exe28⤵
- Executes dropped EXE
PID:8 -
\??\c:\xflfxxr.exec:\xflfxxr.exe29⤵
- Executes dropped EXE
PID:4028 -
\??\c:\5bnnhh.exec:\5bnnhh.exe30⤵
- Executes dropped EXE
PID:2876 -
\??\c:\btnhnb.exec:\btnhnb.exe31⤵
- Executes dropped EXE
PID:3036 -
\??\c:\7vvpj.exec:\7vvpj.exe32⤵
- Executes dropped EXE
PID:3460 -
\??\c:\5xxffff.exec:\5xxffff.exe33⤵
- Executes dropped EXE
PID:4948 -
\??\c:\bntnhb.exec:\bntnhb.exe34⤵
- Executes dropped EXE
PID:744 -
\??\c:\5ddvj.exec:\5ddvj.exe35⤵
- Executes dropped EXE
PID:1084 -
\??\c:\dpvpj.exec:\dpvpj.exe36⤵
- Executes dropped EXE
PID:1652 -
\??\c:\lffxrrr.exec:\lffxrrr.exe37⤵
- Executes dropped EXE
PID:4620 -
\??\c:\htbtnn.exec:\htbtnn.exe38⤵
- Executes dropped EXE
PID:4720 -
\??\c:\7bnnhn.exec:\7bnnhn.exe39⤵
- Executes dropped EXE
PID:4608 -
\??\c:\jvdvp.exec:\jvdvp.exe40⤵
- Executes dropped EXE
PID:740 -
\??\c:\xlrlrlf.exec:\xlrlrlf.exe41⤵
- Executes dropped EXE
PID:4344 -
\??\c:\lllfxfx.exec:\lllfxfx.exe42⤵
- Executes dropped EXE
PID:1520 -
\??\c:\bnhbbb.exec:\bnhbbb.exe43⤵
- Executes dropped EXE
PID:952 -
\??\c:\vdddd.exec:\vdddd.exe44⤵
- Executes dropped EXE
PID:728 -
\??\c:\vvjjd.exec:\vvjjd.exe45⤵
- Executes dropped EXE
PID:1044 -
\??\c:\rlxxxxf.exec:\rlxxxxf.exe46⤵
- Executes dropped EXE
PID:3716 -
\??\c:\bhhhnn.exec:\bhhhnn.exe47⤵
- Executes dropped EXE
PID:5028 -
\??\c:\thnhbb.exec:\thnhbb.exe48⤵
- Executes dropped EXE
PID:4920 -
\??\c:\jpdvv.exec:\jpdvv.exe49⤵
- Executes dropped EXE
PID:3172 -
\??\c:\1rrllrl.exec:\1rrllrl.exe50⤵
- Executes dropped EXE
PID:1160 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe51⤵
- Executes dropped EXE
PID:2528 -
\??\c:\bbnnbt.exec:\bbnnbt.exe52⤵
- Executes dropped EXE
PID:4396 -
\??\c:\vppjj.exec:\vppjj.exe53⤵
- Executes dropped EXE
PID:3576 -
\??\c:\vppjd.exec:\vppjd.exe54⤵
- Executes dropped EXE
PID:2864 -
\??\c:\1xffllr.exec:\1xffllr.exe55⤵
- Executes dropped EXE
PID:4456 -
\??\c:\7hnnhn.exec:\7hnnhn.exe56⤵
- Executes dropped EXE
PID:4504 -
\??\c:\nhnnhn.exec:\nhnnhn.exe57⤵
- Executes dropped EXE
PID:4580 -
\??\c:\7jjdd.exec:\7jjdd.exe58⤵
- Executes dropped EXE
PID:1096 -
\??\c:\rxffxxr.exec:\rxffxxr.exe59⤵
- Executes dropped EXE
PID:1220 -
\??\c:\bttnhb.exec:\bttnhb.exe60⤵
- Executes dropped EXE
PID:1332 -
\??\c:\thbnbt.exec:\thbnbt.exe61⤵
- Executes dropped EXE
PID:3932 -
\??\c:\vpvdv.exec:\vpvdv.exe62⤵
- Executes dropped EXE
PID:2204 -
\??\c:\xrrlllf.exec:\xrrlllf.exe63⤵
- Executes dropped EXE
PID:4736 -
\??\c:\thtntt.exec:\thtntt.exe64⤵
- Executes dropped EXE
PID:4820 -
\??\c:\tnnnnh.exec:\tnnnnh.exe65⤵
- Executes dropped EXE
PID:1928 -
\??\c:\vvvvp.exec:\vvvvp.exe66⤵PID:3228
-
\??\c:\7fflfff.exec:\7fflfff.exe67⤵PID:1400
-
\??\c:\hbhbbb.exec:\hbhbbb.exe68⤵PID:3900
-
\??\c:\pjddv.exec:\pjddv.exe69⤵PID:2480
-
\??\c:\lfrlffx.exec:\lfrlffx.exe70⤵PID:5052
-
\??\c:\tnnntn.exec:\tnnntn.exe71⤵PID:3948
-
\??\c:\vvvpp.exec:\vvvpp.exe72⤵PID:5104
-
\??\c:\rflfffx.exec:\rflfffx.exe73⤵PID:3876
-
\??\c:\ttbhhn.exec:\ttbhhn.exe74⤵PID:1812
-
\??\c:\vdvpj.exec:\vdvpj.exe75⤵PID:1528
-
\??\c:\xllffxx.exec:\xllffxx.exe76⤵PID:4004
-
\??\c:\nbbtnt.exec:\nbbtnt.exe77⤵PID:1128
-
\??\c:\jdppp.exec:\jdppp.exe78⤵PID:1664
-
\??\c:\bbtbnb.exec:\bbtbnb.exe79⤵PID:4012
-
\??\c:\bhnhhh.exec:\bhnhhh.exe80⤵PID:3892
-
\??\c:\5btbht.exec:\5btbht.exe81⤵PID:8
-
\??\c:\3dpjv.exec:\3dpjv.exe82⤵PID:1952
-
\??\c:\1rrlxxr.exec:\1rrlxxr.exe83⤵PID:4668
-
\??\c:\pppjd.exec:\pppjd.exe84⤵PID:4868
-
\??\c:\lfffxfx.exec:\lfffxfx.exe85⤵PID:1776
-
\??\c:\7hbnbb.exec:\7hbnbb.exe86⤵PID:3668
-
\??\c:\dvvvp.exec:\dvvvp.exe87⤵PID:1056
-
\??\c:\xxrlxrl.exec:\xxrlxrl.exe88⤵PID:1768
-
\??\c:\nhbbtt.exec:\nhbbtt.exe89⤵PID:4620
-
\??\c:\lxfrxrl.exec:\lxfrxrl.exe90⤵PID:1788
-
\??\c:\hhbhth.exec:\hhbhth.exe91⤵PID:2868
-
\??\c:\xfrlxxr.exec:\xfrlxxr.exe92⤵PID:676
-
\??\c:\hhhbtb.exec:\hhhbtb.exe93⤵PID:1308
-
\??\c:\nttnbh.exec:\nttnbh.exe94⤵PID:3004
-
\??\c:\nbhtnh.exec:\nbhtnh.exe95⤵PID:1004
-
\??\c:\pjppv.exec:\pjppv.exe96⤵PID:2292
-
\??\c:\9ppjp.exec:\9ppjp.exe97⤵PID:1688
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe98⤵PID:3184
-
\??\c:\jjjvp.exec:\jjjvp.exe99⤵PID:4132
-
\??\c:\7xxrlrl.exec:\7xxrlrl.exe100⤵PID:712
-
\??\c:\dddvp.exec:\dddvp.exe101⤵PID:2768
-
\??\c:\dddpj.exec:\dddpj.exe102⤵PID:2852
-
\??\c:\ffffxlx.exec:\ffffxlx.exe103⤵PID:3596
-
\??\c:\7bbtnh.exec:\7bbtnh.exe104⤵PID:4648
-
\??\c:\tnbtnh.exec:\tnbtnh.exe105⤵PID:4364
-
\??\c:\dvvjd.exec:\dvvjd.exe106⤵PID:4376
-
\??\c:\lfllxfl.exec:\lfllxfl.exe107⤵PID:4232
-
\??\c:\bthbbt.exec:\bthbbt.exe108⤵PID:628
-
\??\c:\bbhbhh.exec:\bbhbhh.exe109⤵PID:4996
-
\??\c:\jddpj.exec:\jddpj.exe110⤵PID:4388
-
\??\c:\flrfxrx.exec:\flrfxrx.exe111⤵PID:4536
-
\??\c:\bttnnh.exec:\bttnnh.exe112⤵PID:468
-
\??\c:\djjdp.exec:\djjdp.exe113⤵PID:920
-
\??\c:\1xlfxxl.exec:\1xlfxxl.exe114⤵PID:5000
-
\??\c:\xxxxllx.exec:\xxxxllx.exe115⤵PID:3612
-
\??\c:\thhbtb.exec:\thhbtb.exe116⤵PID:3860
-
\??\c:\bhnbnh.exec:\bhnbnh.exe117⤵PID:1332
-
\??\c:\7vjdp.exec:\7vjdp.exe118⤵PID:3932
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe119⤵PID:4652
-
\??\c:\tntnnh.exec:\tntnnh.exe120⤵PID:2804
-
\??\c:\bhbtbt.exec:\bhbtbt.exe121⤵PID:2996
-
\??\c:\jvpjd.exec:\jvpjd.exe122⤵PID:4736