Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 14:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe
-
Size
453KB
-
MD5
1feb7adf0928fe9be0bdb6cfc3cd56f7
-
SHA1
4dcc4316405af06879fec8f6447773862ab0c276
-
SHA256
215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612
-
SHA512
ad18daa185f67116eac2b4a53754c9921151883de6aff8fc7a59bd3169d85df46b53f1cb830098d2db8dcc081aa67a8bcd32c095ea77b3f34be73d0d50c7521d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4788-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2352-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2996-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2680 djvpj.exe 2604 xffffrx.exe 2044 llflflf.exe 3724 hbbttn.exe 1916 htbttn.exe 1084 jpvvp.exe 2528 tbbnhb.exe 1164 xllxlfx.exe 2760 bnthhb.exe 4824 xxfxllf.exe 3892 httnbb.exe 1004 xrllffx.exe 1076 pjdvp.exe 1632 lflfxxx.exe 644 jdvjd.exe 4832 llrlfxr.exe 3648 jvvvp.exe 2032 pjdvp.exe 4700 xrlrfxl.exe 1492 tbbnbt.exe 5016 vjpjj.exe 2560 lxxrxxr.exe 3168 htnhbb.exe 2212 1dvdv.exe 5052 5xlflfx.exe 2352 3hbthb.exe 4936 pjvjj.exe 3420 xrrlxrf.exe 3464 nhnbtn.exe 3300 ddvpj.exe 4992 fllxlfr.exe 4688 hthbtn.exe 1480 xfxrfxr.exe 3160 thnhbb.exe 2780 jpvpv.exe 1256 xxfxlfx.exe 1228 lfxrfxl.exe 3260 nhhhtt.exe 1628 jvvjd.exe 1684 5flxfxl.exe 1184 1hhbhb.exe 1420 pdvpd.exe 4508 xxxlxrl.exe 3124 5thbth.exe 3932 flrlxxr.exe 3536 rlrlllf.exe 4100 nbnhbt.exe 1500 dpppd.exe 2880 frrrxxl.exe 3708 htnttt.exe 4668 jdpdp.exe 4412 lffrxlx.exe 3100 tbbntn.exe 3156 nbbnhb.exe 2364 vpvjv.exe 896 pdvjv.exe 972 3rxllll.exe 4764 nnbtnb.exe 4596 vjpjv.exe 4976 9ppvj.exe 1824 lflflff.exe 1792 rfxrfxl.exe 2412 nbbnnt.exe 3264 pdpjv.exe -
resource yara_rule behavioral2/memory/4788-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4936-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/32-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-632-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4788 wrote to memory of 2680 4788 215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe 82 PID 4788 wrote to memory of 2680 4788 215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe 82 PID 4788 wrote to memory of 2680 4788 215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe 82 PID 2680 wrote to memory of 2604 2680 djvpj.exe 83 PID 2680 wrote to memory of 2604 2680 djvpj.exe 83 PID 2680 wrote to memory of 2604 2680 djvpj.exe 83 PID 2604 wrote to memory of 2044 2604 xffffrx.exe 84 PID 2604 wrote to memory of 2044 2604 xffffrx.exe 84 PID 2604 wrote to memory of 2044 2604 xffffrx.exe 84 PID 2044 wrote to memory of 3724 2044 llflflf.exe 85 PID 2044 wrote to memory of 3724 2044 llflflf.exe 85 PID 2044 wrote to memory of 3724 2044 llflflf.exe 85 PID 3724 wrote to memory of 1916 3724 hbbttn.exe 86 PID 3724 wrote to memory of 1916 3724 hbbttn.exe 86 PID 3724 wrote to memory of 1916 3724 hbbttn.exe 86 PID 1916 wrote to memory of 1084 1916 htbttn.exe 87 PID 1916 wrote to memory of 1084 1916 htbttn.exe 87 PID 1916 wrote to memory of 1084 1916 htbttn.exe 87 PID 1084 wrote to memory of 2528 1084 jpvvp.exe 88 PID 1084 wrote to memory of 2528 1084 jpvvp.exe 88 PID 1084 wrote to memory of 2528 1084 jpvvp.exe 88 PID 2528 wrote to memory of 1164 2528 tbbnhb.exe 89 PID 2528 wrote to memory of 1164 2528 tbbnhb.exe 89 PID 2528 wrote to memory of 1164 2528 tbbnhb.exe 89 PID 1164 wrote to memory of 2760 1164 xllxlfx.exe 90 PID 1164 wrote to memory of 2760 1164 xllxlfx.exe 90 PID 1164 wrote to memory of 2760 1164 xllxlfx.exe 90 PID 2760 wrote to memory of 4824 2760 bnthhb.exe 91 PID 2760 wrote to memory of 4824 2760 bnthhb.exe 91 PID 2760 wrote to memory of 4824 2760 bnthhb.exe 91 PID 4824 wrote to memory of 3892 4824 xxfxllf.exe 92 PID 4824 wrote to memory of 3892 4824 xxfxllf.exe 92 PID 4824 wrote to memory of 3892 4824 xxfxllf.exe 92 PID 3892 wrote to memory of 1004 3892 httnbb.exe 93 PID 3892 
wrote to memory of 1004 3892 httnbb.exe 93 PID 3892 wrote to memory of 1004 3892 httnbb.exe 93 PID 1004 wrote to memory of 1076 1004 xrllffx.exe 94 PID 1004 wrote to memory of 1076 1004 xrllffx.exe 94 PID 1004 wrote to memory of 1076 1004 xrllffx.exe 94 PID 1076 wrote to memory of 1632 1076 pjdvp.exe 95 PID 1076 wrote to memory of 1632 1076 pjdvp.exe 95 PID 1076 wrote to memory of 1632 1076 pjdvp.exe 95 PID 1632 wrote to memory of 644 1632 lflfxxx.exe 96 PID 1632 wrote to memory of 644 1632 lflfxxx.exe 96 PID 1632 wrote to memory of 644 1632 lflfxxx.exe 96 PID 644 wrote to memory of 4832 644 jdvjd.exe 97 PID 644 wrote to memory of 4832 644 jdvjd.exe 97 PID 644 wrote to memory of 4832 644 jdvjd.exe 97 PID 4832 wrote to memory of 3648 4832 llrlfxr.exe 98 PID 4832 wrote to memory of 3648 4832 llrlfxr.exe 98 PID 4832 wrote to memory of 3648 4832 llrlfxr.exe 98 PID 3648 wrote to memory of 2032 3648 jvvvp.exe 99 PID 3648 wrote to memory of 2032 3648 jvvvp.exe 99 PID 3648 wrote to memory of 2032 3648 jvvvp.exe 99 PID 2032 wrote to memory of 4700 2032 pjdvp.exe 100 PID 2032 wrote to memory of 4700 2032 pjdvp.exe 100 PID 2032 wrote to memory of 4700 2032 pjdvp.exe 100 PID 4700 wrote to memory of 1492 4700 xrlrfxl.exe 101 PID 4700 wrote to memory of 1492 4700 xrlrfxl.exe 101 PID 4700 wrote to memory of 1492 4700 xrlrfxl.exe 101 PID 1492 wrote to memory of 5016 1492 tbbnbt.exe 102 PID 1492 wrote to memory of 5016 1492 tbbnbt.exe 102 PID 1492 wrote to memory of 5016 1492 tbbnbt.exe 102 PID 5016 wrote to memory of 2560 5016 vjpjj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe"C:\Users\Admin\AppData\Local\Temp\215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\djvpj.exec:\djvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\xffffrx.exec:\xffffrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\llflflf.exec:\llflflf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\hbbttn.exec:\hbbttn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\htbttn.exec:\htbttn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\jpvvp.exec:\jpvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\tbbnhb.exec:\tbbnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\xllxlfx.exec:\xllxlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\bnthhb.exec:\bnthhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\xxfxllf.exec:\xxfxllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\httnbb.exec:\httnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\xrllffx.exec:\xrllffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\pjdvp.exec:\pjdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\lflfxxx.exec:\lflfxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\jdvjd.exec:\jdvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\llrlfxr.exec:\llrlfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\jvvvp.exec:\jvvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\pjdvp.exec:\pjdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\xrlrfxl.exec:\xrlrfxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\tbbnbt.exec:\tbbnbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\vjpjj.exec:\vjpjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\lxxrxxr.exec:\lxxrxxr.exe23⤵
- Executes dropped EXE
PID:2560 -
\??\c:\htnhbb.exec:\htnhbb.exe24⤵
- Executes dropped EXE
PID:3168 -
\??\c:\1dvdv.exec:\1dvdv.exe25⤵
- Executes dropped EXE
PID:2212 -
\??\c:\5xlflfx.exec:\5xlflfx.exe26⤵
- Executes dropped EXE
PID:5052 -
\??\c:\3hbthb.exec:\3hbthb.exe27⤵
- Executes dropped EXE
PID:2352 -
\??\c:\pjvjj.exec:\pjvjj.exe28⤵
- Executes dropped EXE
PID:4936 -
\??\c:\xrrlxrf.exec:\xrrlxrf.exe29⤵
- Executes dropped EXE
PID:3420 -
\??\c:\nhnbtn.exec:\nhnbtn.exe30⤵
- Executes dropped EXE
PID:3464 -
\??\c:\ddvpj.exec:\ddvpj.exe31⤵
- Executes dropped EXE
PID:3300 -
\??\c:\fllxlfr.exec:\fllxlfr.exe32⤵
- Executes dropped EXE
PID:4992 -
\??\c:\hthbtn.exec:\hthbtn.exe33⤵
- Executes dropped EXE
PID:4688 -
\??\c:\xfxrfxr.exec:\xfxrfxr.exe34⤵
- Executes dropped EXE
PID:1480 -
\??\c:\thnhbb.exec:\thnhbb.exe35⤵
- Executes dropped EXE
PID:3160 -
\??\c:\jpvpv.exec:\jpvpv.exe36⤵
- Executes dropped EXE
PID:2780 -
\??\c:\xxfxlfx.exec:\xxfxlfx.exe37⤵
- Executes dropped EXE
PID:1256 -
\??\c:\lfxrfxl.exec:\lfxrfxl.exe38⤵
- Executes dropped EXE
PID:1228 -
\??\c:\nhhhtt.exec:\nhhhtt.exe39⤵
- Executes dropped EXE
PID:3260 -
\??\c:\jvvjd.exec:\jvvjd.exe40⤵
- Executes dropped EXE
PID:1628 -
\??\c:\5flxfxl.exec:\5flxfxl.exe41⤵
- Executes dropped EXE
PID:1684 -
\??\c:\1hhbhb.exec:\1hhbhb.exe42⤵
- Executes dropped EXE
PID:1184 -
\??\c:\pdvpd.exec:\pdvpd.exe43⤵
- Executes dropped EXE
PID:1420 -
\??\c:\xxxlxrl.exec:\xxxlxrl.exe44⤵
- Executes dropped EXE
PID:4508 -
\??\c:\5thbth.exec:\5thbth.exe45⤵
- Executes dropped EXE
PID:3124 -
\??\c:\flrlxxr.exec:\flrlxxr.exe46⤵
- Executes dropped EXE
PID:3932 -
\??\c:\rlrlllf.exec:\rlrlllf.exe47⤵
- Executes dropped EXE
PID:3536 -
\??\c:\nbnhbt.exec:\nbnhbt.exe48⤵
- Executes dropped EXE
PID:4100 -
\??\c:\dpppd.exec:\dpppd.exe49⤵
- Executes dropped EXE
PID:1500 -
\??\c:\frrrxxl.exec:\frrrxxl.exe50⤵
- Executes dropped EXE
PID:2880 -
\??\c:\htnttt.exec:\htnttt.exe51⤵
- Executes dropped EXE
PID:3708 -
\??\c:\jdpdp.exec:\jdpdp.exe52⤵
- Executes dropped EXE
PID:4668 -
\??\c:\lffrxlx.exec:\lffrxlx.exe53⤵
- Executes dropped EXE
PID:4412 -
\??\c:\tbbntn.exec:\tbbntn.exe54⤵
- Executes dropped EXE
PID:3100 -
\??\c:\nbbnhb.exec:\nbbnhb.exe55⤵
- Executes dropped EXE
PID:3156 -
\??\c:\vpvjv.exec:\vpvjv.exe56⤵
- Executes dropped EXE
PID:2364 -
\??\c:\pdvjv.exec:\pdvjv.exe57⤵
- Executes dropped EXE
PID:896 -
\??\c:\3rxllll.exec:\3rxllll.exe58⤵
- Executes dropped EXE
PID:972 -
\??\c:\nnbtnb.exec:\nnbtnb.exe59⤵
- Executes dropped EXE
PID:4764 -
\??\c:\vjpjv.exec:\vjpjv.exe60⤵
- Executes dropped EXE
PID:4596 -
\??\c:\9ppvj.exec:\9ppvj.exe61⤵
- Executes dropped EXE
PID:4976 -
\??\c:\lflflff.exec:\lflflff.exe62⤵
- Executes dropped EXE
PID:1824 -
\??\c:\rfxrfxl.exec:\rfxrfxl.exe63⤵
- Executes dropped EXE
PID:1792 -
\??\c:\nbbnnt.exec:\nbbnnt.exe64⤵
- Executes dropped EXE
PID:2412 -
\??\c:\pdpjv.exec:\pdpjv.exe65⤵
- Executes dropped EXE
PID:3264 -
\??\c:\xlfllxl.exec:\xlfllxl.exe66⤵PID:3424
-
\??\c:\xllfrrl.exec:\xllfrrl.exe67⤵PID:3316
-
\??\c:\bnnhbt.exec:\bnnhbt.exe68⤵PID:680
-
\??\c:\ppdpd.exec:\ppdpd.exe69⤵PID:2996
-
\??\c:\lxlxlfx.exec:\lxlxlfx.exe70⤵PID:2640
-
\??\c:\hnnbnb.exec:\hnnbnb.exe71⤵PID:1148
-
\??\c:\hnthbt.exec:\hnthbt.exe72⤵PID:956
-
\??\c:\vpjdp.exec:\vpjdp.exe73⤵PID:2064
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe74⤵PID:1004
-
\??\c:\tthtnb.exec:\tthtnb.exe75⤵PID:4432
-
\??\c:\7vpjd.exec:\7vpjd.exe76⤵PID:3004
-
\??\c:\vvdjv.exec:\vvdjv.exe77⤵PID:4444
-
\??\c:\rlllxxl.exec:\rlllxxl.exe78⤵PID:32
-
\??\c:\nhbtnh.exec:\nhbtnh.exe79⤵PID:1428
-
\??\c:\ddjdp.exec:\ddjdp.exe80⤵PID:3540
-
\??\c:\pjjpd.exec:\pjjpd.exe81⤵PID:220
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe82⤵PID:228
-
\??\c:\tnnbtb.exec:\tnnbtb.exe83⤵PID:5056
-
\??\c:\jdppj.exec:\jdppj.exe84⤵PID:60
-
\??\c:\vvddj.exec:\vvddj.exe85⤵PID:3012
-
\??\c:\5ffxxxr.exec:\5ffxxxr.exe86⤵PID:4236
-
\??\c:\thhhbt.exec:\thhhbt.exe87⤵PID:4988
-
\??\c:\pppvj.exec:\pppvj.exe88⤵PID:1436
-
\??\c:\frxlxrl.exec:\frxlxrl.exe89⤵PID:3788
-
\??\c:\htbnbt.exec:\htbnbt.exe90⤵PID:1852
-
\??\c:\djdvj.exec:\djdvj.exe91⤵PID:2268
-
\??\c:\dppdp.exec:\dppdp.exe92⤵PID:1588
-
\??\c:\fflfrrl.exec:\fflfrrl.exe93⤵PID:2352
-
\??\c:\tnhtbt.exec:\tnhtbt.exe94⤵PID:3480
-
\??\c:\nbhtbb.exec:\nbhtbb.exe95⤵PID:5048
-
\??\c:\dpvvd.exec:\dpvvd.exe96⤵PID:5032
-
\??\c:\lffxfxf.exec:\lffxfxf.exe97⤵PID:4616
-
\??\c:\frxrfrl.exec:\frxrfrl.exe98⤵PID:5028
-
\??\c:\hbhtnt.exec:\hbhtnt.exe99⤵PID:3080
-
\??\c:\vjdpv.exec:\vjdpv.exe100⤵PID:4344
-
\??\c:\dvdjv.exec:\dvdjv.exe101⤵PID:5108
-
\??\c:\fxrfrfx.exec:\fxrfrfx.exe102⤵PID:3512
-
\??\c:\bhbthb.exec:\bhbthb.exe103⤵PID:3740
-
\??\c:\7nbtbb.exec:\7nbtbb.exe104⤵PID:2780
-
\??\c:\vjjdj.exec:\vjjdj.exe105⤵PID:1256
-
\??\c:\lxxlxlx.exec:\lxxlxlx.exe106⤵PID:4524
-
\??\c:\tbbtnh.exec:\tbbtnh.exe107⤵PID:4132
-
\??\c:\vpjpd.exec:\vpjpd.exe108⤵
- System Location Discovery: System Language Discovery
PID:1232 -
\??\c:\dvpvd.exec:\dvpvd.exe109⤵PID:1800
-
\??\c:\1rrflfr.exec:\1rrflfr.exe110⤵PID:2076
-
\??\c:\tnbnbt.exec:\tnbnbt.exe111⤵PID:5100
-
\??\c:\jpdvj.exec:\jpdvj.exe112⤵PID:4408
-
\??\c:\lffxllf.exec:\lffxllf.exe113⤵PID:952
-
\??\c:\hbbtnh.exec:\hbbtnh.exe114⤵PID:4588
-
\??\c:\vppvd.exec:\vppvd.exe115⤵PID:4812
-
\??\c:\xrlfxrr.exec:\xrlfxrr.exe116⤵PID:2748
-
\??\c:\rlffrrf.exec:\rlffrrf.exe117⤵PID:3868
-
\??\c:\9btnhb.exec:\9btnhb.exe118⤵PID:4900
-
\??\c:\vvdpd.exec:\vvdpd.exe119⤵PID:4884
-
\??\c:\xrlrfxx.exec:\xrlrfxx.exe120⤵PID:4076
-
\??\c:\lxxrllf.exec:\lxxrllf.exe121⤵PID:4400
-
\??\c:\ntthtn.exec:\ntthtn.exe122⤵PID:4552
-