Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
27/12/2024, 03:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe
-
Size
453KB
-
MD5
753e78eb26b54a8d471d347345294786
-
SHA1
020f2bb342784d9937dc914f976f96cc763c3117
-
SHA256
d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559
-
SHA512
ba519fa5e6c919f1672e8f6032fdb9376647bc21fef68abade486b7ea93acf47e0600d86a41c44c400286c78222d2cd42872630f65428957a83ad95f254c2ea9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4032-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3940-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2800-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-907-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-911-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1016-1104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4796 tnttnn.exe 5044 fflxlxr.exe 4676 60086.exe 2776 88420.exe 1356 604860.exe 2584 0080864.exe 3356 c466000.exe 4248 8064820.exe 1840 4440820.exe 4952 jvddp.exe 5080 9jvjv.exe 1396 2284808.exe 3696 680442.exe 4468 c080822.exe 1140 m2204.exe 2696 422660.exe 3272 644220.exe 4904 fffrfrl.exe 2432 4406622.exe 3208 04048.exe 4404 8888844.exe 2664 lllfrlf.exe 1584 u422084.exe 2468 7llxxrx.exe 1708 446420.exe 4492 rfxlxrr.exe 3988 9jjvj.exe 2480 204226.exe 2448 dvdpv.exe 3032 o880264.exe 4812 1fxrxrf.exe 2164 jvpdp.exe 4680 840460.exe 3940 dpjvd.exe 2440 nbnbbn.exe 748 262204.exe 1724 m4086.exe 1776 7tbnhh.exe 4716 1nhthb.exe 1716 7lrlffx.exe 2548 6604264.exe 2840 842084.exe 3268 bhbnht.exe 1400 42428.exe 5048 xrlxfrl.exe 4824 tbbtht.exe 316 64606.exe 3548 hnhbnh.exe 4524 nttnhb.exe 2260 bbhtnh.exe 4340 vdvjv.exe 3360 1hbnbn.exe 1016 htbntn.exe 1960 dpvjj.exe 552 bnnbnh.exe 2352 5lxlxlf.exe 3036 1lrfxrr.exe 396 28820.exe 2604 lfxlxlx.exe 1512 1xrxlfx.exe 2592 dvddv.exe 4248 rrffrrf.exe 4884 vdjdp.exe 3844 2042042.exe -
resource yara_rule behavioral2/memory/4032-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-178-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2480-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-427-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/856-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-843-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8444468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c660826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k82642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4032 wrote to memory of 4796 4032 d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe 85 PID 4032 wrote to memory of 4796 4032 d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe 85 PID 4032 wrote to memory of 4796 4032 d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe 85 PID 4796 wrote to memory of 5044 4796 tnttnn.exe 86 PID 4796 wrote to memory of 5044 4796 tnttnn.exe 86 PID 4796 wrote to memory of 5044 4796 tnttnn.exe 86 PID 5044 wrote to memory of 4676 5044 fflxlxr.exe 87 PID 5044 wrote to memory of 4676 5044 fflxlxr.exe 87 PID 5044 wrote to memory of 4676 5044 fflxlxr.exe 87 PID 4676 wrote to memory of 2776 4676 60086.exe 88 PID 4676 wrote to memory of 2776 4676 60086.exe 88 PID 4676 wrote to memory of 2776 4676 60086.exe 88 PID 2776 wrote to memory of 1356 2776 88420.exe 89 PID 2776 wrote to memory of 1356 2776 88420.exe 89 PID 2776 wrote to memory of 1356 2776 88420.exe 89 PID 1356 wrote to memory of 2584 1356 604860.exe 90 PID 1356 wrote to memory of 2584 1356 604860.exe 90 PID 1356 wrote to memory of 2584 1356 604860.exe 90 PID 2584 wrote to memory of 3356 2584 0080864.exe 91 PID 2584 wrote to memory of 3356 2584 0080864.exe 91 PID 2584 wrote to memory of 3356 2584 0080864.exe 91 PID 3356 wrote to memory of 4248 3356 c466000.exe 92 PID 3356 wrote to memory of 4248 3356 c466000.exe 92 PID 3356 wrote to memory of 4248 3356 c466000.exe 92 PID 4248 wrote to memory of 1840 4248 8064820.exe 93 PID 4248 wrote to memory of 1840 4248 8064820.exe 93 PID 4248 wrote to memory of 1840 4248 8064820.exe 93 PID 1840 wrote to memory of 4952 1840 4440820.exe 94 PID 1840 wrote to memory of 4952 1840 4440820.exe 94 PID 1840 wrote to memory of 4952 1840 4440820.exe 94 PID 4952 wrote to memory of 5080 4952 jvddp.exe 95 PID 4952 wrote to memory of 5080 4952 jvddp.exe 95 PID 4952 wrote to memory of 5080 4952 jvddp.exe 95 PID 5080 wrote to memory of 1396 5080 9jvjv.exe 149 PID 5080 
wrote to memory of 1396 5080 9jvjv.exe 149 PID 5080 wrote to memory of 1396 5080 9jvjv.exe 149 PID 1396 wrote to memory of 3696 1396 2284808.exe 97 PID 1396 wrote to memory of 3696 1396 2284808.exe 97 PID 1396 wrote to memory of 3696 1396 2284808.exe 97 PID 3696 wrote to memory of 4468 3696 680442.exe 98 PID 3696 wrote to memory of 4468 3696 680442.exe 98 PID 3696 wrote to memory of 4468 3696 680442.exe 98 PID 4468 wrote to memory of 1140 4468 c080822.exe 99 PID 4468 wrote to memory of 1140 4468 c080822.exe 99 PID 4468 wrote to memory of 1140 4468 c080822.exe 99 PID 1140 wrote to memory of 2696 1140 m2204.exe 100 PID 1140 wrote to memory of 2696 1140 m2204.exe 100 PID 1140 wrote to memory of 2696 1140 m2204.exe 100 PID 2696 wrote to memory of 3272 2696 422660.exe 101 PID 2696 wrote to memory of 3272 2696 422660.exe 101 PID 2696 wrote to memory of 3272 2696 422660.exe 101 PID 3272 wrote to memory of 4904 3272 644220.exe 102 PID 3272 wrote to memory of 4904 3272 644220.exe 102 PID 3272 wrote to memory of 4904 3272 644220.exe 102 PID 4904 wrote to memory of 2432 4904 fffrfrl.exe 103 PID 4904 wrote to memory of 2432 4904 fffrfrl.exe 103 PID 4904 wrote to memory of 2432 4904 fffrfrl.exe 103 PID 2432 wrote to memory of 3208 2432 4406622.exe 104 PID 2432 wrote to memory of 3208 2432 4406622.exe 104 PID 2432 wrote to memory of 3208 2432 4406622.exe 104 PID 3208 wrote to memory of 4404 3208 04048.exe 105 PID 3208 wrote to memory of 4404 3208 04048.exe 105 PID 3208 wrote to memory of 4404 3208 04048.exe 105 PID 4404 wrote to memory of 2664 4404 8888844.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe"C:\Users\Admin\AppData\Local\Temp\d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\tnttnn.exec:\tnttnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\fflxlxr.exec:\fflxlxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\60086.exec:\60086.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\88420.exec:\88420.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\604860.exec:\604860.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\0080864.exec:\0080864.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\c466000.exec:\c466000.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\8064820.exec:\8064820.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\4440820.exec:\4440820.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\jvddp.exec:\jvddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\9jvjv.exec:\9jvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\2284808.exec:\2284808.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\680442.exec:\680442.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\c080822.exec:\c080822.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\m2204.exec:\m2204.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\422660.exec:\422660.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\644220.exec:\644220.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\fffrfrl.exec:\fffrfrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\4406622.exec:\4406622.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\04048.exec:\04048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\8888844.exec:\8888844.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\lllfrlf.exec:\lllfrlf.exe23⤵
- Executes dropped EXE
PID:2664 -
\??\c:\u422084.exec:\u422084.exe24⤵
- Executes dropped EXE
PID:1584 -
\??\c:\7llxxrx.exec:\7llxxrx.exe25⤵
- Executes dropped EXE
PID:2468 -
\??\c:\446420.exec:\446420.exe26⤵
- Executes dropped EXE
PID:1708 -
\??\c:\rfxlxrr.exec:\rfxlxrr.exe27⤵
- Executes dropped EXE
PID:4492 -
\??\c:\9jjvj.exec:\9jjvj.exe28⤵
- Executes dropped EXE
PID:3988 -
\??\c:\204226.exec:\204226.exe29⤵
- Executes dropped EXE
PID:2480 -
\??\c:\dvdpv.exec:\dvdpv.exe30⤵
- Executes dropped EXE
PID:2448 -
\??\c:\o880264.exec:\o880264.exe31⤵
- Executes dropped EXE
PID:3032 -
\??\c:\1fxrxrf.exec:\1fxrxrf.exe32⤵
- Executes dropped EXE
PID:4812 -
\??\c:\jvpdp.exec:\jvpdp.exe33⤵
- Executes dropped EXE
PID:2164 -
\??\c:\840460.exec:\840460.exe34⤵
- Executes dropped EXE
PID:4680 -
\??\c:\dpjvd.exec:\dpjvd.exe35⤵
- Executes dropped EXE
PID:3940 -
\??\c:\nbnbbn.exec:\nbnbbn.exe36⤵
- Executes dropped EXE
PID:2440 -
\??\c:\262204.exec:\262204.exe37⤵
- Executes dropped EXE
PID:748 -
\??\c:\m4086.exec:\m4086.exe38⤵
- Executes dropped EXE
PID:1724 -
\??\c:\7tbnhh.exec:\7tbnhh.exe39⤵
- Executes dropped EXE
PID:1776 -
\??\c:\1nhthb.exec:\1nhthb.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4716 -
\??\c:\7lrlffx.exec:\7lrlffx.exe41⤵
- Executes dropped EXE
PID:1716 -
\??\c:\6604264.exec:\6604264.exe42⤵
- Executes dropped EXE
PID:2548 -
\??\c:\842084.exec:\842084.exe43⤵
- Executes dropped EXE
PID:2840 -
\??\c:\bhbnht.exec:\bhbnht.exe44⤵
- Executes dropped EXE
PID:3268 -
\??\c:\42428.exec:\42428.exe45⤵
- Executes dropped EXE
PID:1400 -
\??\c:\xrlxfrl.exec:\xrlxfrl.exe46⤵
- Executes dropped EXE
PID:5048 -
\??\c:\tbbtht.exec:\tbbtht.exe47⤵
- Executes dropped EXE
PID:4824 -
\??\c:\64606.exec:\64606.exe48⤵
- Executes dropped EXE
PID:316 -
\??\c:\hnhbnh.exec:\hnhbnh.exe49⤵
- Executes dropped EXE
PID:3548 -
\??\c:\nttnhb.exec:\nttnhb.exe50⤵
- Executes dropped EXE
PID:4524 -
\??\c:\bbhtnh.exec:\bbhtnh.exe51⤵
- Executes dropped EXE
PID:2260 -
\??\c:\vdvjv.exec:\vdvjv.exe52⤵
- Executes dropped EXE
PID:4340 -
\??\c:\1hbnbn.exec:\1hbnbn.exe53⤵
- Executes dropped EXE
PID:3360 -
\??\c:\htbntn.exec:\htbntn.exe54⤵
- Executes dropped EXE
PID:1016 -
\??\c:\dpvjj.exec:\dpvjj.exe55⤵
- Executes dropped EXE
PID:1960 -
\??\c:\bnnbnh.exec:\bnnbnh.exe56⤵
- Executes dropped EXE
PID:552 -
\??\c:\5lxlxlf.exec:\5lxlxlf.exe57⤵
- Executes dropped EXE
PID:2352 -
\??\c:\1lrfxrr.exec:\1lrfxrr.exe58⤵
- Executes dropped EXE
PID:3036 -
\??\c:\28820.exec:\28820.exe59⤵
- Executes dropped EXE
PID:396 -
\??\c:\lfxlxlx.exec:\lfxlxlx.exe60⤵
- Executes dropped EXE
PID:2604 -
\??\c:\1xrxlfx.exec:\1xrxlfx.exe61⤵
- Executes dropped EXE
PID:1512 -
\??\c:\dvddv.exec:\dvddv.exe62⤵
- Executes dropped EXE
PID:2592 -
\??\c:\rrffrrf.exec:\rrffrrf.exe63⤵
- Executes dropped EXE
PID:4248 -
\??\c:\vdjdp.exec:\vdjdp.exe64⤵
- Executes dropped EXE
PID:4884 -
\??\c:\2042042.exec:\2042042.exe65⤵
- Executes dropped EXE
PID:3844 -
\??\c:\64808.exec:\64808.exe66⤵PID:1396
-
\??\c:\3fxlxrf.exec:\3fxlxrf.exe67⤵PID:664
-
\??\c:\6404242.exec:\6404242.exe68⤵PID:4860
-
\??\c:\848608.exec:\848608.exe69⤵PID:5064
-
\??\c:\00686.exec:\00686.exe70⤵
- System Location Discovery: System Language Discovery
PID:2452 -
\??\c:\xffxrlf.exec:\xffxrlf.exe71⤵PID:1632
-
\??\c:\e48426.exec:\e48426.exe72⤵PID:5088
-
\??\c:\9ffrrll.exec:\9ffrrll.exe73⤵PID:2392
-
\??\c:\i282042.exec:\i282042.exe74⤵PID:4720
-
\??\c:\nhhbnn.exec:\nhhbnn.exe75⤵PID:3260
-
\??\c:\48608.exec:\48608.exe76⤵PID:2540
-
\??\c:\c808642.exec:\c808642.exe77⤵PID:224
-
\??\c:\rflrxrf.exec:\rflrxrf.exe78⤵PID:1936
-
\??\c:\w00860.exec:\w00860.exe79⤵PID:1708
-
\??\c:\42262.exec:\42262.exe80⤵PID:1128
-
\??\c:\402026.exec:\402026.exe81⤵PID:3988
-
\??\c:\ppjjv.exec:\ppjjv.exe82⤵PID:1312
-
\??\c:\ntnhhh.exec:\ntnhhh.exe83⤵PID:432
-
\??\c:\frxlrrf.exec:\frxlrrf.exe84⤵PID:4924
-
\??\c:\6608608.exec:\6608608.exe85⤵PID:800
-
\??\c:\xllxrll.exec:\xllxrll.exe86⤵PID:4504
-
\??\c:\3hhthb.exec:\3hhthb.exe87⤵PID:3940
-
\??\c:\2882048.exec:\2882048.exe88⤵PID:2440
-
\??\c:\2688880.exec:\2688880.exe89⤵PID:4672
-
\??\c:\u026482.exec:\u026482.exe90⤵PID:2576
-
\??\c:\3vdvj.exec:\3vdvj.exe91⤵PID:4484
-
\??\c:\6824642.exec:\6824642.exe92⤵PID:4364
-
\??\c:\nbthth.exec:\nbthth.exe93⤵PID:2132
-
\??\c:\tbnnbn.exec:\tbnnbn.exe94⤵PID:2800
-
\??\c:\8444468.exec:\8444468.exe95⤵
- System Location Discovery: System Language Discovery
PID:4684 -
\??\c:\48820.exec:\48820.exe96⤵PID:2052
-
\??\c:\nbbtnh.exec:\nbbtnh.exe97⤵PID:5048
-
\??\c:\4886060.exec:\4886060.exe98⤵PID:316
-
\??\c:\ddpjv.exec:\ddpjv.exe99⤵
- System Location Discovery: System Language Discovery
PID:2328 -
\??\c:\8040606.exec:\8040606.exe100⤵PID:4136
-
\??\c:\rlxrfxr.exec:\rlxrfxr.exe101⤵PID:3708
-
\??\c:\4208822.exec:\4208822.exe102⤵PID:3024
-
\??\c:\e44860.exec:\e44860.exe103⤵PID:3360
-
\??\c:\40824.exec:\40824.exe104⤵PID:1700
-
\??\c:\lllxrlf.exec:\lllxrlf.exe105⤵PID:552
-
\??\c:\84828.exec:\84828.exe106⤵PID:1932
-
\??\c:\088648.exec:\088648.exe107⤵PID:1644
-
\??\c:\i260484.exec:\i260484.exe108⤵PID:5092
-
\??\c:\q00204.exec:\q00204.exe109⤵PID:396
-
\??\c:\rrfxrlx.exec:\rrfxrlx.exe110⤵PID:3784
-
\??\c:\bttnhn.exec:\bttnhn.exe111⤵PID:2188
-
\??\c:\c286420.exec:\c286420.exe112⤵PID:1096
-
\??\c:\ntbhbb.exec:\ntbhbb.exe113⤵PID:2680
-
\??\c:\nhbhnt.exec:\nhbhnt.exe114⤵PID:1948
-
\??\c:\7bhtbt.exec:\7bhtbt.exe115⤵PID:3696
-
\??\c:\44882.exec:\44882.exe116⤵PID:1596
-
\??\c:\4664860.exec:\4664860.exe117⤵PID:664
-
\??\c:\7rffrlf.exec:\7rffrlf.exe118⤵PID:4788
-
\??\c:\jvpjd.exec:\jvpjd.exe119⤵PID:3900
-
\??\c:\ddddv.exec:\ddddv.exe120⤵PID:856
-
\??\c:\5llfrxl.exec:\5llfrxl.exe121⤵PID:1988
-
\??\c:\8204886.exec:\8204886.exe122⤵PID:4156