Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 20:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe
-
Size
454KB
-
MD5
873ed953b77349630cabbfc03dc01e30
-
SHA1
94771f7a2cd63462f1c1433ac99be6c86f381933
-
SHA256
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191
-
SHA512
b61816461d63ccfdb1c0ad64af29f7ce8dbc3f6f72e3c3b8433f1621fd9a176c9308d4a40657deb18e3d88aa1cb5e1c1c05511298513ca0d0558e590f8c41a03
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4068-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4424-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2204-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-1171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-1190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-1253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-1311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3016-1315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2100 xlffxfx.exe 3764 xrrrlff.exe 4500 lxllfxf.exe 3500 hthbtn.exe 4864 xxlfrrl.exe 2492 jdvjd.exe 3608 tbhbbb.exe 4392 xllflfl.exe 4812 nhhbbt.exe 1496 fffrllf.exe 1696 jjdjd.exe 1992 tnnhbt.exe 3028 jddpj.exe 1852 pdjjd.exe 2484 djjdp.exe 2036 fxlxrlf.exe 232 hbhbtt.exe 4448 rflfllf.exe 4136 bhnttb.exe 4936 3vvvp.exe 4852 pvvvv.exe 2616 xrfffll.exe 3632 pdddp.exe 2540 tnbhht.exe 1172 ttbbbb.exe 4424 dddvv.exe 4520 btbbtb.exe 4832 jjpvv.exe 1988 btbbhh.exe 3580 rrlfxxr.exe 4808 xlxxxxx.exe 2912 9ppjj.exe 676 rfrxxfl.exe 1532 bntttt.exe 1404 9vjjd.exe 1212 3fxrllf.exe 4720 hbbbtn.exe 3136 1pvpv.exe 4544 llrrrxx.exe 3888 rlrrlll.exe 4692 tntnnh.exe 4640 jjdpj.exe 4292 lfxrxxr.exe 4524 btnnhb.exe 4068 5vpvp.exe 2644 3xrfxrx.exe 1492 hbbnhh.exe 2504 1jppp.exe 2328 rxfxrlf.exe 2632 ttbbbh.exe 4404 djvvv.exe 1188 lrxrrff.exe 1640 bntnnn.exe 4132 ttbthn.exe 3944 ppvpj.exe 2072 ffllxff.exe 2892 lxlffff.exe 3616 1ntttb.exe 1384 pjpvv.exe 1496 dpdvv.exe 640 7ffxfff.exe 920 nhhbbb.exe 4192 dvvvv.exe 2096 rlxlrlx.exe -
resource yara_rule behavioral2/memory/4068-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4832-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3212-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-869-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-1171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-1190-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
djdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4068 wrote to memory of 2100 4068 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 82 PID 4068 wrote to memory of 2100 4068 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 82 PID 4068 wrote to memory of 2100 4068 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 82 PID 2100 wrote to memory of 3764 2100 xlffxfx.exe 83 PID 2100 wrote to memory of 3764 2100 xlffxfx.exe 83 PID 2100 wrote to memory of 3764 2100 xlffxfx.exe 83 PID 3764 wrote to memory of 4500 3764 xrrrlff.exe 84 PID 3764 wrote to memory of 4500 3764 xrrrlff.exe 84 PID 3764 wrote to memory of 4500 3764 xrrrlff.exe 84 PID 4500 wrote to memory of 3500 4500 lxllfxf.exe 85 PID 4500 wrote to memory of 3500 4500 lxllfxf.exe 85 PID 4500 wrote to memory of 3500 4500 lxllfxf.exe 85 PID 3500 wrote to memory of 4864 3500 hthbtn.exe 86 PID 3500 wrote to memory of 4864 3500 hthbtn.exe 86 PID 3500 wrote to memory of 4864 3500 hthbtn.exe 86 PID 4864 wrote to memory of 2492 4864 xxlfrrl.exe 87 PID 4864 wrote to memory of 2492 4864 xxlfrrl.exe 87 PID 4864 wrote to memory of 2492 4864 xxlfrrl.exe 87 PID 2492 wrote to memory of 3608 2492 jdvjd.exe 88 PID 2492 wrote to memory of 3608 2492 jdvjd.exe 88 PID 2492 wrote to memory of 3608 2492 jdvjd.exe 88 PID 3608 wrote to memory of 4392 3608 tbhbbb.exe 89 PID 3608 wrote to memory of 4392 3608 tbhbbb.exe 89 PID 3608 wrote to memory of 4392 3608 tbhbbb.exe 89 PID 4392 wrote to memory of 4812 4392 xllflfl.exe 90 PID 4392 wrote to memory of 4812 4392 xllflfl.exe 90 PID 4392 wrote to memory of 4812 4392 xllflfl.exe 90 PID 4812 wrote to memory of 1496 4812 nhhbbt.exe 91 PID 4812 wrote to memory of 1496 4812 nhhbbt.exe 91 PID 4812 wrote to memory of 1496 4812 nhhbbt.exe 91 PID 1496 wrote to memory of 1696 1496 fffrllf.exe 92 PID 1496 wrote to memory of 1696 1496 fffrllf.exe 92 PID 1496 wrote to memory of 1696 1496 fffrllf.exe 92 PID 1696 wrote to memory of 1992 1696 jjdjd.exe 93 PID 
1696 wrote to memory of 1992 1696 jjdjd.exe 93 PID 1696 wrote to memory of 1992 1696 jjdjd.exe 93 PID 1992 wrote to memory of 3028 1992 tnnhbt.exe 94 PID 1992 wrote to memory of 3028 1992 tnnhbt.exe 94 PID 1992 wrote to memory of 3028 1992 tnnhbt.exe 94 PID 3028 wrote to memory of 1852 3028 jddpj.exe 95 PID 3028 wrote to memory of 1852 3028 jddpj.exe 95 PID 3028 wrote to memory of 1852 3028 jddpj.exe 95 PID 1852 wrote to memory of 2484 1852 pdjjd.exe 96 PID 1852 wrote to memory of 2484 1852 pdjjd.exe 96 PID 1852 wrote to memory of 2484 1852 pdjjd.exe 96 PID 2484 wrote to memory of 2036 2484 djjdp.exe 97 PID 2484 wrote to memory of 2036 2484 djjdp.exe 97 PID 2484 wrote to memory of 2036 2484 djjdp.exe 97 PID 2036 wrote to memory of 232 2036 fxlxrlf.exe 98 PID 2036 wrote to memory of 232 2036 fxlxrlf.exe 98 PID 2036 wrote to memory of 232 2036 fxlxrlf.exe 98 PID 232 wrote to memory of 4448 232 hbhbtt.exe 99 PID 232 wrote to memory of 4448 232 hbhbtt.exe 99 PID 232 wrote to memory of 4448 232 hbhbtt.exe 99 PID 4448 wrote to memory of 4136 4448 rflfllf.exe 100 PID 4448 wrote to memory of 4136 4448 rflfllf.exe 100 PID 4448 wrote to memory of 4136 4448 rflfllf.exe 100 PID 4136 wrote to memory of 4936 4136 bhnttb.exe 101 PID 4136 wrote to memory of 4936 4136 bhnttb.exe 101 PID 4136 wrote to memory of 4936 4136 bhnttb.exe 101 PID 4936 wrote to memory of 4852 4936 3vvvp.exe 102 PID 4936 wrote to memory of 4852 4936 3vvvp.exe 102 PID 4936 wrote to memory of 4852 4936 3vvvp.exe 102 PID 4852 wrote to memory of 2616 4852 pvvvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe"C:\Users\Admin\AppData\Local\Temp\1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\xlffxfx.exec:\xlffxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\xrrrlff.exec:\xrrrlff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\lxllfxf.exec:\lxllfxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\hthbtn.exec:\hthbtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\xxlfrrl.exec:\xxlfrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\jdvjd.exec:\jdvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\tbhbbb.exec:\tbhbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\xllflfl.exec:\xllflfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\nhhbbt.exec:\nhhbbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\fffrllf.exec:\fffrllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\jjdjd.exec:\jjdjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\tnnhbt.exec:\tnnhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\jddpj.exec:\jddpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\pdjjd.exec:\pdjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\djjdp.exec:\djjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\fxlxrlf.exec:\fxlxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\hbhbtt.exec:\hbhbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\rflfllf.exec:\rflfllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\bhnttb.exec:\bhnttb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\3vvvp.exec:\3vvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\pvvvv.exec:\pvvvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\xrfffll.exec:\xrfffll.exe23⤵
- Executes dropped EXE
PID:2616 -
\??\c:\pdddp.exec:\pdddp.exe24⤵
- Executes dropped EXE
PID:3632 -
\??\c:\tnbhht.exec:\tnbhht.exe25⤵
- Executes dropped EXE
PID:2540 -
\??\c:\ttbbbb.exec:\ttbbbb.exe26⤵
- Executes dropped EXE
PID:1172 -
\??\c:\dddvv.exec:\dddvv.exe27⤵
- Executes dropped EXE
PID:4424 -
\??\c:\btbbtb.exec:\btbbtb.exe28⤵
- Executes dropped EXE
PID:4520 -
\??\c:\jjpvv.exec:\jjpvv.exe29⤵
- Executes dropped EXE
PID:4832 -
\??\c:\btbbhh.exec:\btbbhh.exe30⤵
- Executes dropped EXE
PID:1988 -
\??\c:\rrlfxxr.exec:\rrlfxxr.exe31⤵
- Executes dropped EXE
PID:3580 -
\??\c:\xlxxxxx.exec:\xlxxxxx.exe32⤵
- Executes dropped EXE
PID:4808 -
\??\c:\9ppjj.exec:\9ppjj.exe33⤵
- Executes dropped EXE
PID:2912 -
\??\c:\rfrxxfl.exec:\rfrxxfl.exe34⤵
- Executes dropped EXE
PID:676 -
\??\c:\bntttt.exec:\bntttt.exe35⤵
- Executes dropped EXE
PID:1532 -
\??\c:\9vjjd.exec:\9vjjd.exe36⤵
- Executes dropped EXE
PID:1404 -
\??\c:\3fxrllf.exec:\3fxrllf.exe37⤵
- Executes dropped EXE
PID:1212 -
\??\c:\hbbbtn.exec:\hbbbtn.exe38⤵
- Executes dropped EXE
PID:4720 -
\??\c:\1pvpv.exec:\1pvpv.exe39⤵
- Executes dropped EXE
PID:3136 -
\??\c:\llrrrxx.exec:\llrrrxx.exe40⤵
- Executes dropped EXE
PID:4544 -
\??\c:\rlrrlll.exec:\rlrrlll.exe41⤵
- Executes dropped EXE
PID:3888 -
\??\c:\tntnnh.exec:\tntnnh.exe42⤵
- Executes dropped EXE
PID:4692 -
\??\c:\jjdpj.exec:\jjdpj.exe43⤵
- Executes dropped EXE
PID:4640 -
\??\c:\lfxrxxr.exec:\lfxrxxr.exe44⤵
- Executes dropped EXE
PID:4292 -
\??\c:\btnnhb.exec:\btnnhb.exe45⤵
- Executes dropped EXE
PID:4524 -
\??\c:\5vpvp.exec:\5vpvp.exe46⤵
- Executes dropped EXE
PID:4068 -
\??\c:\3xrfxrx.exec:\3xrfxrx.exe47⤵
- Executes dropped EXE
PID:2644 -
\??\c:\hbbnhh.exec:\hbbnhh.exe48⤵
- Executes dropped EXE
PID:1492 -
\??\c:\1jppp.exec:\1jppp.exe49⤵
- Executes dropped EXE
PID:2504 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe50⤵
- Executes dropped EXE
PID:2328 -
\??\c:\ttbbbh.exec:\ttbbbh.exe51⤵
- Executes dropped EXE
PID:2632 -
\??\c:\djvvv.exec:\djvvv.exe52⤵
- Executes dropped EXE
PID:4404 -
\??\c:\lrxrrff.exec:\lrxrrff.exe53⤵
- Executes dropped EXE
PID:1188 -
\??\c:\bntnnn.exec:\bntnnn.exe54⤵
- Executes dropped EXE
PID:1640 -
\??\c:\ttbthn.exec:\ttbthn.exe55⤵
- Executes dropped EXE
PID:4132 -
\??\c:\ppvpj.exec:\ppvpj.exe56⤵
- Executes dropped EXE
PID:3944 -
\??\c:\ffllxff.exec:\ffllxff.exe57⤵
- Executes dropped EXE
PID:2072 -
\??\c:\lxlffff.exec:\lxlffff.exe58⤵
- Executes dropped EXE
PID:2892 -
\??\c:\1ntttb.exec:\1ntttb.exe59⤵
- Executes dropped EXE
PID:3616 -
\??\c:\pjpvv.exec:\pjpvv.exe60⤵
- Executes dropped EXE
PID:1384 -
\??\c:\dpdvv.exec:\dpdvv.exe61⤵
- Executes dropped EXE
PID:1496 -
\??\c:\7ffxfff.exec:\7ffxfff.exe62⤵
- Executes dropped EXE
PID:640 -
\??\c:\nhhbbb.exec:\nhhbbb.exe63⤵
- Executes dropped EXE
PID:920 -
\??\c:\dvvvv.exec:\dvvvv.exe64⤵
- Executes dropped EXE
PID:4192 -
\??\c:\rlxlrlx.exec:\rlxlrlx.exe65⤵
- Executes dropped EXE
PID:2096 -
\??\c:\9nnhbt.exec:\9nnhbt.exe66⤵PID:364
-
\??\c:\ddjdv.exec:\ddjdv.exe67⤵PID:2452
-
\??\c:\1lxrfxl.exec:\1lxrfxl.exe68⤵PID:2204
-
\??\c:\nhnhhh.exec:\nhnhhh.exe69⤵PID:592
-
\??\c:\3bttbb.exec:\3bttbb.exe70⤵PID:4992
-
\??\c:\pdjjd.exec:\pdjjd.exe71⤵PID:232
-
\??\c:\fxlxllf.exec:\fxlxllf.exe72⤵PID:4448
-
\??\c:\tnbhht.exec:\tnbhht.exe73⤵PID:3164
-
\??\c:\hbnnnn.exec:\hbnnnn.exe74⤵PID:2392
-
\??\c:\vpjpv.exec:\vpjpv.exe75⤵PID:3460
-
\??\c:\5xxxlrr.exec:\5xxxlrr.exe76⤵PID:2640
-
\??\c:\httttn.exec:\httttn.exe77⤵PID:3620
-
\??\c:\jdjdv.exec:\jdjdv.exe78⤵PID:2332
-
\??\c:\9xfrfxr.exec:\9xfrfxr.exe79⤵PID:972
-
\??\c:\tbnbtn.exec:\tbnbtn.exe80⤵PID:3364
-
\??\c:\hhnhhh.exec:\hhnhhh.exe81⤵PID:1616
-
\??\c:\jdjdv.exec:\jdjdv.exe82⤵PID:4400
-
\??\c:\lfrlfll.exec:\lfrlfll.exe83⤵PID:4520
-
\??\c:\nbbthh.exec:\nbbthh.exe84⤵PID:516
-
\??\c:\3pvvd.exec:\3pvvd.exe85⤵PID:3636
-
\??\c:\fflffff.exec:\fflffff.exe86⤵
- System Location Discovery: System Language Discovery
PID:1908 -
\??\c:\flrllfx.exec:\flrllfx.exe87⤵PID:3212
-
\??\c:\nbhbtt.exec:\nbhbtt.exe88⤵PID:4716
-
\??\c:\ddjjj.exec:\ddjjj.exe89⤵PID:4588
-
\??\c:\lfxrllf.exec:\lfxrllf.exe90⤵PID:3872
-
\??\c:\9thhbh.exec:\9thhbh.exe91⤵PID:1776
-
\??\c:\hbhbbb.exec:\hbhbbb.exe92⤵PID:1504
-
\??\c:\vdjdv.exec:\vdjdv.exe93⤵PID:372
-
\??\c:\rffxrrl.exec:\rffxrrl.exe94⤵PID:2816
-
\??\c:\hbhnhn.exec:\hbhnhn.exe95⤵PID:4932
-
\??\c:\nhttbb.exec:\nhttbb.exe96⤵PID:4532
-
\??\c:\jpdvp.exec:\jpdvp.exe97⤵PID:1412
-
\??\c:\xlrfxxr.exec:\xlrfxxr.exe98⤵PID:4540
-
\??\c:\hhttbb.exec:\hhttbb.exe99⤵PID:3000
-
\??\c:\jjppp.exec:\jjppp.exe100⤵PID:4276
-
\??\c:\lrllfff.exec:\lrllfff.exe101⤵PID:1400
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe102⤵PID:3304
-
\??\c:\bnbttt.exec:\bnbttt.exe103⤵PID:3280
-
\??\c:\jjvvp.exec:\jjvvp.exe104⤵PID:2724
-
\??\c:\3xllrxx.exec:\3xllrxx.exe105⤵PID:4068
-
\??\c:\fxlllll.exec:\fxlllll.exe106⤵PID:2592
-
\??\c:\btnbbh.exec:\btnbbh.exe107⤵PID:4496
-
\??\c:\9vdjd.exec:\9vdjd.exe108⤵PID:5104
-
\??\c:\7vddv.exec:\7vddv.exe109⤵PID:3712
-
\??\c:\xlffxfl.exec:\xlffxfl.exe110⤵PID:2328
-
\??\c:\ttbbtb.exec:\ttbbtb.exe111⤵PID:4904
-
\??\c:\7pjvp.exec:\7pjvp.exe112⤵PID:1596
-
\??\c:\vvjjp.exec:\vvjjp.exe113⤵PID:2520
-
\??\c:\ffrxrxx.exec:\ffrxrxx.exe114⤵PID:1584
-
\??\c:\bbtttb.exec:\bbtttb.exe115⤵PID:3464
-
\??\c:\vvjjd.exec:\vvjjd.exe116⤵PID:888
-
\??\c:\dppjd.exec:\dppjd.exe117⤵PID:3468
-
\??\c:\xrlrlrr.exec:\xrlrlrr.exe118⤵PID:4888
-
\??\c:\bbnbtn.exec:\bbnbtn.exe119⤵PID:1008
-
\??\c:\hbhhbb.exec:\hbhhbb.exe120⤵PID:4272
-
\??\c:\vdjdv.exec:\vdjdv.exe121⤵PID:2648
-
\??\c:\lrfffff.exec:\lrfffff.exe122⤵PID:1920