Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 14:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
203a73351e8256492dfb17a90e9ac5d7eb9003382daf89d8277382f387d0b2b7N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
203a73351e8256492dfb17a90e9ac5d7eb9003382daf89d8277382f387d0b2b7N.exe
-
Size
453KB
-
MD5
e63f4c3335ed2b30e85943c9d14e59a0
-
SHA1
7614c82578a00b8d2a719268f654cff6a9f2382a
-
SHA256
203a73351e8256492dfb17a90e9ac5d7eb9003382daf89d8277382f387d0b2b7
-
SHA512
031148bf410dc839871db171f261370f31ed087783ac78f9a45574cba1f5f4a82529f8d9663a3a6a4c048f19dfec0571d0b54cd60fc70a4ff091d1ef3a570f5f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3540-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/432-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3856-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-921-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-1006-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-1211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-1754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4240 lfllffx.exe 4716 1ddvv.exe 4420 fffxfxf.exe 3496 hbhbbb.exe 232 rrrrrxx.exe 3304 nbhnhb.exe 1244 xxfxrxr.exe 1140 9tnnnn.exe 224 hntnhh.exe 4756 hbbtnn.exe 3752 3llrlxr.exe 632 fxxrlfx.exe 4328 pvjjd.exe 3600 ddjjp.exe 3596 7htnnn.exe 448 ppvpj.exe 1480 fxxrllf.exe 2456 fxlfffx.exe 4512 3ddvj.exe 2988 nnthbb.exe 1096 pvdvp.exe 4704 7bbtnb.exe 4560 djvpp.exe 1764 jddpp.exe 2824 ffxrffr.exe 4944 pjpdv.exe 2484 fxflxrl.exe 432 1dvpj.exe 4220 jpjdv.exe 2200 fffrlxx.exe 2720 7xfrrrr.exe 2876 btbhhh.exe 1364 lfrlrfl.exe 2096 pjvpv.exe 2304 1fffxxx.exe 552 7ffxllf.exe 1660 nnnnhh.exe 1680 7vvpv.exe 3396 fxrlfxl.exe 2244 tbbttt.exe 1988 jjddv.exe 2204 rllxrrl.exe 3940 nntnhb.exe 2008 nnbttt.exe 3508 pjjjd.exe 676 xrrllff.exe 4684 xfrfxlx.exe 1344 ttttnn.exe 736 vjjjd.exe 5004 xfxlllr.exe 1064 bbttnb.exe 1612 vdddv.exe 2088 lxlfxrf.exe 1036 5lrxfxl.exe 2916 bhhbtt.exe 1456 5jjpd.exe 1092 llllfll.exe 1140 xrxrlfr.exe 3252 1jpdv.exe 4132 ppdvj.exe 1568 rlxrxxx.exe 1584 bbnbnh.exe 3324 vdjvp.exe 5064 9rrfxrl.exe -
resource yara_rule behavioral2/memory/3540-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/432-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2224-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-887-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
5llfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3540 wrote to memory of 4240 3540 203a73351e8256492dfb17a90e9ac5d7eb9003382daf89d8277382f387d0b2b7N.exe 83 PID 3540 wrote to memory of 4240 3540 203a73351e8256492dfb17a90e9ac5d7eb9003382daf89d8277382f387d0b2b7N.exe 83 PID 3540 wrote to memory of 4240 3540 203a73351e8256492dfb17a90e9ac5d7eb9003382daf89d8277382f387d0b2b7N.exe 83 PID 4240 wrote to memory of 4716 4240 lfllffx.exe 84 PID 4240 wrote to memory of 4716 4240 lfllffx.exe 84 PID 4240 wrote to memory of 4716 4240 lfllffx.exe 84 PID 4716 wrote to memory of 4420 4716 1ddvv.exe 85 PID 4716 wrote to memory of 4420 4716 1ddvv.exe 85 PID 4716 wrote to memory of 4420 4716 1ddvv.exe 85 PID 4420 wrote to memory of 3496 4420 fffxfxf.exe 86 PID 4420 wrote to memory of 3496 4420 fffxfxf.exe 86 PID 4420 wrote to memory of 3496 4420 fffxfxf.exe 86 PID 3496 wrote to memory of 232 3496 hbhbbb.exe 87 PID 3496 wrote to memory of 232 3496 hbhbbb.exe 87 PID 3496 wrote to memory of 232 3496 hbhbbb.exe 87 PID 232 wrote to memory of 3304 232 rrrrrxx.exe 88 PID 232 wrote to memory of 3304 232 rrrrrxx.exe 88 PID 232 wrote to memory of 3304 232 rrrrrxx.exe 88 PID 3304 wrote to memory of 1244 3304 nbhnhb.exe 89 PID 3304 wrote to memory of 1244 3304 nbhnhb.exe 89 PID 3304 wrote to memory of 1244 3304 nbhnhb.exe 89 PID 1244 wrote to memory of 1140 1244 xxfxrxr.exe 90 PID 1244 wrote to memory of 1140 1244 xxfxrxr.exe 90 PID 1244 wrote to memory of 1140 1244 xxfxrxr.exe 90 PID 1140 wrote to memory of 224 1140 9tnnnn.exe 91 PID 1140 wrote to memory of 224 1140 9tnnnn.exe 91 PID 1140 wrote to memory of 224 1140 9tnnnn.exe 91 PID 224 wrote to memory of 4756 224 hntnhh.exe 92 PID 224 wrote to memory of 4756 224 hntnhh.exe 92 PID 224 wrote to memory of 4756 224 hntnhh.exe 92 PID 4756 wrote to memory of 3752 4756 hbbtnn.exe 93 PID 4756 wrote to memory of 3752 4756 hbbtnn.exe 93 PID 4756 wrote to memory of 3752 4756 hbbtnn.exe 93 PID 3752 wrote to memory of 632 3752 3llrlxr.exe 94 PID 3752 wrote to memory 
of 632 3752 3llrlxr.exe 94 PID 3752 wrote to memory of 632 3752 3llrlxr.exe 94 PID 632 wrote to memory of 4328 632 fxxrlfx.exe 95 PID 632 wrote to memory of 4328 632 fxxrlfx.exe 95 PID 632 wrote to memory of 4328 632 fxxrlfx.exe 95 PID 4328 wrote to memory of 3600 4328 pvjjd.exe 96 PID 4328 wrote to memory of 3600 4328 pvjjd.exe 96 PID 4328 wrote to memory of 3600 4328 pvjjd.exe 96 PID 3600 wrote to memory of 3596 3600 ddjjp.exe 97 PID 3600 wrote to memory of 3596 3600 ddjjp.exe 97 PID 3600 wrote to memory of 3596 3600 ddjjp.exe 97 PID 3596 wrote to memory of 448 3596 7htnnn.exe 98 PID 3596 wrote to memory of 448 3596 7htnnn.exe 98 PID 3596 wrote to memory of 448 3596 7htnnn.exe 98 PID 448 wrote to memory of 1480 448 ppvpj.exe 99 PID 448 wrote to memory of 1480 448 ppvpj.exe 99 PID 448 wrote to memory of 1480 448 ppvpj.exe 99 PID 1480 wrote to memory of 2456 1480 fxxrllf.exe 100 PID 1480 wrote to memory of 2456 1480 fxxrllf.exe 100 PID 1480 wrote to memory of 2456 1480 fxxrllf.exe 100 PID 2456 wrote to memory of 4512 2456 fxlfffx.exe 101 PID 2456 wrote to memory of 4512 2456 fxlfffx.exe 101 PID 2456 wrote to memory of 4512 2456 fxlfffx.exe 101 PID 4512 wrote to memory of 2988 4512 3ddvj.exe 102 PID 4512 wrote to memory of 2988 4512 3ddvj.exe 102 PID 4512 wrote to memory of 2988 4512 3ddvj.exe 102 PID 2988 wrote to memory of 1096 2988 nnthbb.exe 103 PID 2988 wrote to memory of 1096 2988 nnthbb.exe 103 PID 2988 wrote to memory of 1096 2988 nnthbb.exe 103 PID 1096 wrote to memory of 4704 1096 pvdvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\203a73351e8256492dfb17a90e9ac5d7eb9003382daf89d8277382f387d0b2b7N.exe"C:\Users\Admin\AppData\Local\Temp\203a73351e8256492dfb17a90e9ac5d7eb9003382daf89d8277382f387d0b2b7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\lfllffx.exec:\lfllffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\1ddvv.exec:\1ddvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\fffxfxf.exec:\fffxfxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\hbhbbb.exec:\hbhbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\rrrrrxx.exec:\rrrrrxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\nbhnhb.exec:\nbhnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\xxfxrxr.exec:\xxfxrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\9tnnnn.exec:\9tnnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\hntnhh.exec:\hntnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\hbbtnn.exec:\hbbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\3llrlxr.exec:\3llrlxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\pvjjd.exec:\pvjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\ddjjp.exec:\ddjjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\7htnnn.exec:\7htnnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\ppvpj.exec:\ppvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\fxxrllf.exec:\fxxrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\fxlfffx.exec:\fxlfffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\3ddvj.exec:\3ddvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\nnthbb.exec:\nnthbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\pvdvp.exec:\pvdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\7bbtnb.exec:\7bbtnb.exe23⤵
- Executes dropped EXE
PID:4704 -
\??\c:\djvpp.exec:\djvpp.exe24⤵
- Executes dropped EXE
PID:4560 -
\??\c:\jddpp.exec:\jddpp.exe25⤵
- Executes dropped EXE
PID:1764 -
\??\c:\ffxrffr.exec:\ffxrffr.exe26⤵
- Executes dropped EXE
PID:2824 -
\??\c:\pjpdv.exec:\pjpdv.exe27⤵
- Executes dropped EXE
PID:4944 -
\??\c:\fxflxrl.exec:\fxflxrl.exe28⤵
- Executes dropped EXE
PID:2484 -
\??\c:\1dvpj.exec:\1dvpj.exe29⤵
- Executes dropped EXE
PID:432 -
\??\c:\jpjdv.exec:\jpjdv.exe30⤵
- Executes dropped EXE
PID:4220 -
\??\c:\fffrlxx.exec:\fffrlxx.exe31⤵
- Executes dropped EXE
PID:2200 -
\??\c:\7xfrrrr.exec:\7xfrrrr.exe32⤵
- Executes dropped EXE
PID:2720 -
\??\c:\btbhhh.exec:\btbhhh.exe33⤵
- Executes dropped EXE
PID:2876 -
\??\c:\lfrlrfl.exec:\lfrlrfl.exe34⤵
- Executes dropped EXE
PID:1364 -
\??\c:\pjvpv.exec:\pjvpv.exe35⤵
- Executes dropped EXE
PID:2096 -
\??\c:\1fffxxx.exec:\1fffxxx.exe36⤵
- Executes dropped EXE
PID:2304 -
\??\c:\7ffxllf.exec:\7ffxllf.exe37⤵
- Executes dropped EXE
PID:552 -
\??\c:\nnnnhh.exec:\nnnnhh.exe38⤵
- Executes dropped EXE
PID:1660 -
\??\c:\7vvpv.exec:\7vvpv.exe39⤵
- Executes dropped EXE
PID:1680 -
\??\c:\fxrlfxl.exec:\fxrlfxl.exe40⤵
- Executes dropped EXE
PID:3396 -
\??\c:\tbbttt.exec:\tbbttt.exe41⤵
- Executes dropped EXE
PID:2244 -
\??\c:\jjddv.exec:\jjddv.exe42⤵
- Executes dropped EXE
PID:1988 -
\??\c:\rllxrrl.exec:\rllxrrl.exe43⤵
- Executes dropped EXE
PID:2204 -
\??\c:\nntnhb.exec:\nntnhb.exe44⤵
- Executes dropped EXE
PID:3940 -
\??\c:\nnbttt.exec:\nnbttt.exe45⤵
- Executes dropped EXE
PID:2008 -
\??\c:\pjjjd.exec:\pjjjd.exe46⤵
- Executes dropped EXE
PID:3508 -
\??\c:\xrrllff.exec:\xrrllff.exe47⤵
- Executes dropped EXE
PID:676 -
\??\c:\xfrfxlx.exec:\xfrfxlx.exe48⤵
- Executes dropped EXE
PID:4684 -
\??\c:\ttttnn.exec:\ttttnn.exe49⤵
- Executes dropped EXE
PID:1344 -
\??\c:\vjjjd.exec:\vjjjd.exe50⤵
- Executes dropped EXE
PID:736 -
\??\c:\xfxlllr.exec:\xfxlllr.exe51⤵
- Executes dropped EXE
PID:5004 -
\??\c:\bbttnb.exec:\bbttnb.exe52⤵
- Executes dropped EXE
PID:1064 -
\??\c:\vdddv.exec:\vdddv.exe53⤵
- Executes dropped EXE
PID:1612 -
\??\c:\lxlfxrf.exec:\lxlfxrf.exe54⤵
- Executes dropped EXE
PID:2088 -
\??\c:\5lrxfxl.exec:\5lrxfxl.exe55⤵
- Executes dropped EXE
PID:1036 -
\??\c:\bhhbtt.exec:\bhhbtt.exe56⤵
- Executes dropped EXE
PID:2916 -
\??\c:\5jjpd.exec:\5jjpd.exe57⤵
- Executes dropped EXE
PID:1456 -
\??\c:\llllfll.exec:\llllfll.exe58⤵
- Executes dropped EXE
PID:1092 -
\??\c:\xrxrlfr.exec:\xrxrlfr.exe59⤵
- Executes dropped EXE
PID:1140 -
\??\c:\1jpdv.exec:\1jpdv.exe60⤵
- Executes dropped EXE
PID:3252 -
\??\c:\ppdvj.exec:\ppdvj.exe61⤵
- Executes dropped EXE
PID:4132 -
\??\c:\rlxrxxx.exec:\rlxrxxx.exe62⤵
- Executes dropped EXE
PID:1568 -
\??\c:\bbnbnh.exec:\bbnbnh.exe63⤵
- Executes dropped EXE
PID:1584 -
\??\c:\vdjvp.exec:\vdjvp.exe64⤵
- Executes dropped EXE
PID:3324 -
\??\c:\9rrfxrl.exec:\9rrfxrl.exe65⤵
- Executes dropped EXE
PID:5064 -
\??\c:\fxrffxx.exec:\fxrffxx.exe66⤵
- System Location Discovery: System Language Discovery
PID:4908 -
\??\c:\hnnnhh.exec:\hnnnhh.exe67⤵PID:2612
-
\??\c:\jvdvp.exec:\jvdvp.exe68⤵PID:4408
-
\??\c:\llffxrr.exec:\llffxrr.exe69⤵PID:1736
-
\??\c:\btttnn.exec:\btttnn.exe70⤵PID:3596
-
\??\c:\jvdvp.exec:\jvdvp.exe71⤵PID:3140
-
\??\c:\vppjd.exec:\vppjd.exe72⤵PID:1644
-
\??\c:\lfrlxrf.exec:\lfrlxrf.exe73⤵PID:3368
-
\??\c:\nhhtnn.exec:\nhhtnn.exe74⤵PID:4112
-
\??\c:\jvjvj.exec:\jvjvj.exe75⤵PID:3736
-
\??\c:\xrllllr.exec:\xrllllr.exe76⤵PID:4512
-
\??\c:\3nnnhh.exec:\3nnnhh.exe77⤵PID:3184
-
\??\c:\pjvvv.exec:\pjvvv.exe78⤵PID:3104
-
\??\c:\rlllxxr.exec:\rlllxxr.exe79⤵
- System Location Discovery: System Language Discovery
PID:1392 -
\??\c:\7nhthb.exec:\7nhthb.exe80⤵PID:2760
-
\??\c:\nbhtnh.exec:\nbhtnh.exe81⤵PID:1292
-
\??\c:\vjpjd.exec:\vjpjd.exe82⤵PID:2888
-
\??\c:\xxlfrrf.exec:\xxlfrrf.exe83⤵PID:4232
-
\??\c:\bbhbth.exec:\bbhbth.exe84⤵PID:1600
-
\??\c:\ttbnhh.exec:\ttbnhh.exe85⤵PID:3892
-
\??\c:\djpjv.exec:\djpjv.exe86⤵PID:3856
-
\??\c:\ffxrllf.exec:\ffxrllf.exe87⤵PID:620
-
\??\c:\bbttnn.exec:\bbttnn.exe88⤵PID:1716
-
\??\c:\dpvpj.exec:\dpvpj.exe89⤵PID:3952
-
\??\c:\9fffxxr.exec:\9fffxxr.exe90⤵PID:2708
-
\??\c:\nhnhhh.exec:\nhnhhh.exe91⤵PID:1124
-
\??\c:\nbnhnb.exec:\nbnhnb.exe92⤵PID:3948
-
\??\c:\vpdvp.exec:\vpdvp.exe93⤵PID:4220
-
\??\c:\rllxlfx.exec:\rllxlfx.exe94⤵PID:2200
-
\??\c:\nhnbtn.exec:\nhnbtn.exe95⤵PID:2224
-
\??\c:\dvvpp.exec:\dvvpp.exe96⤵PID:4592
-
\??\c:\fxrlrxf.exec:\fxrlrxf.exe97⤵PID:4896
-
\??\c:\tbhbhh.exec:\tbhbhh.exe98⤵PID:832
-
\??\c:\jvvjp.exec:\jvvjp.exe99⤵PID:2656
-
\??\c:\5jjdv.exec:\5jjdv.exe100⤵PID:1800
-
\??\c:\9rfrlrf.exec:\9rfrlrf.exe101⤵PID:516
-
\??\c:\tbbtnh.exec:\tbbtnh.exe102⤵PID:2144
-
\??\c:\9ppjv.exec:\9ppjv.exe103⤵PID:1572
-
\??\c:\ddpdp.exec:\ddpdp.exe104⤵PID:1596
-
\??\c:\xlrlxff.exec:\xlrlxff.exe105⤵PID:2244
-
\??\c:\1nnbnn.exec:\1nnbnn.exe106⤵PID:4464
-
\??\c:\5vpjv.exec:\5vpjv.exe107⤵PID:1428
-
\??\c:\7rrfxrf.exec:\7rrfxrf.exe108⤵PID:1732
-
\??\c:\ntbtnn.exec:\ntbtnn.exe109⤵PID:2008
-
\??\c:\pdvdp.exec:\pdvdp.exe110⤵PID:1932
-
\??\c:\5xfxlrr.exec:\5xfxlrr.exe111⤵PID:628
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe112⤵PID:452
-
\??\c:\7nhhtt.exec:\7nhhtt.exe113⤵PID:2208
-
\??\c:\vddpj.exec:\vddpj.exe114⤵PID:5008
-
\??\c:\fxxfrrr.exec:\fxxfrrr.exe115⤵PID:3572
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe116⤵PID:1804
-
\??\c:\thnhtb.exec:\thnhtb.exe117⤵PID:232
-
\??\c:\3jddv.exec:\3jddv.exe118⤵PID:3712
-
\??\c:\dvvjd.exec:\dvvjd.exe119⤵PID:3168
-
\??\c:\xxxfxfr.exec:\xxxfxfr.exe120⤵PID:1608
-
\??\c:\tnnhtb.exec:\tnnhtb.exe121⤵PID:4952
-
\??\c:\vpjjp.exec:\vpjjp.exe122⤵
- System Location Discovery: System Language Discovery
PID:1844