Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20/01/2025, 09:10
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
214dda02c358719bca968f965f15dc572619c3f140e581bac155eb09a9b946b1.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
214dda02c358719bca968f965f15dc572619c3f140e581bac155eb09a9b946b1.exe
-
Size
455KB
-
MD5
2aa10351042c1c275e202bcbfaa936ab
-
SHA1
6a37b3189a38345ebb88917f4ed8b6b93ae91846
-
SHA256
214dda02c358719bca968f965f15dc572619c3f140e581bac155eb09a9b946b1
-
SHA512
c6bb954350530837b3de73ef696a7dbd5c9ae2f798449a2a8990202727ab5af34b4d0e7d984bb457cc7f9bb7a419806648321db9fb5d2ad97213cb9b77ecc8fa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3324-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4708-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5076-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-1093-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-1238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-1260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3324 jjjdp.exe 4716 llflffx.exe 3956 nnttnt.exe 4904 vvdvj.exe 5000 tnnbbt.exe 4324 frxrlff.exe 4612 dvddd.exe 2264 jjvjv.exe 1392 jppdv.exe 2708 lrllxlf.exe 4976 vddvp.exe 3316 7fflffr.exe 1272 htnnhn.exe 232 pdjdd.exe 1960 xxxrrrr.exe 916 9rlfffx.exe 4688 nhhbhn.exe 4732 xrxxrxx.exe 5076 nntbhh.exe 4848 jpdvp.exe 2688 frrrrrr.exe 3748 hbhbbb.exe 3620 vvdvv.exe 1916 fffffll.exe 4260 htbttt.exe 4708 pjppv.exe 4092 fxxrffx.exe 4600 rflfxxf.exe 3988 1ttttt.exe 3276 lllffff.exe 3688 fxlllll.exe 4244 frxxrrr.exe 2988 pjpjd.exe 884 jjvvv.exe 4376 hbhbht.exe 432 vjjvj.exe 1472 pjdvd.exe 3776 1nhhht.exe 1980 jjppd.exe 4428 llrrffr.exe 2652 dpjdp.exe 2620 xlrlfrf.exe 4924 tbtnhn.exe 4908 jvjdd.exe 3364 rxlllxr.exe 2720 rlllllr.exe 4944 htthbt.exe 4608 jpvvv.exe 2908 5rxrrxr.exe 3976 3ntnhh.exe 2976 vdddv.exe 4528 llfllll.exe 2108 flffxxx.exe 1924 9tthtt.exe 2468 jjjjd.exe 4816 fxrlrxx.exe 2864 fllfxrl.exe 3956 nbhttb.exe 2336 dvdpd.exe 392 fxxlfxr.exe 4212 bnbtnn.exe 1692 nhnhhn.exe 4820 1jvpj.exe 2972 xfrrlfl.exe -
resource yara_rule behavioral2/memory/3324-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3988-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-394-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3832-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-1093-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrrlf.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4988 wrote to memory of 3324 4988 214dda02c358719bca968f965f15dc572619c3f140e581bac155eb09a9b946b1.exe 82 PID 4988 wrote to memory of 3324 4988 214dda02c358719bca968f965f15dc572619c3f140e581bac155eb09a9b946b1.exe 82 PID 4988 wrote to memory of 3324 4988 214dda02c358719bca968f965f15dc572619c3f140e581bac155eb09a9b946b1.exe 82 PID 3324 wrote to memory of 4716 3324 jjjdp.exe 83 PID 3324 wrote to memory of 4716 3324 jjjdp.exe 83 PID 3324 wrote to memory of 4716 3324 jjjdp.exe 83 PID 4716 wrote to memory of 3956 4716 llflffx.exe 84 PID 4716 wrote to memory of 3956 4716 llflffx.exe 84 PID 4716 wrote to memory of 3956 4716 llflffx.exe 84 PID 3956 wrote to memory of 4904 3956 nnttnt.exe 85 PID 3956 wrote to memory of 4904 3956 nnttnt.exe 85 PID 3956 wrote to memory of 4904 3956 nnttnt.exe 85 PID 4904 wrote to memory of 5000 4904 vvdvj.exe 86 PID 4904 wrote to memory of 5000 4904 vvdvj.exe 86 PID 4904 wrote to memory of 5000 4904 vvdvj.exe 86 PID 5000 wrote to memory of 4324 5000 tnnbbt.exe 87 PID 5000 wrote to memory of 4324 5000 tnnbbt.exe 87 PID 5000 wrote to memory of 4324 5000 tnnbbt.exe 87 PID 4324 wrote to memory of 4612 4324 frxrlff.exe 88 PID 4324 wrote to memory of 4612 4324 frxrlff.exe 88 PID 4324 wrote to memory of 4612 4324 frxrlff.exe 88 PID 4612 wrote to memory of 2264 4612 dvddd.exe 89 PID 4612 wrote to memory of 2264 4612 dvddd.exe 89 PID 4612 wrote to memory of 2264 4612 dvddd.exe 89 PID 2264 wrote to memory of 1392 2264 jjvjv.exe 90 PID 2264 wrote to memory of 1392 2264 jjvjv.exe 90 PID 2264 wrote to memory of 1392 2264 jjvjv.exe 90 PID 1392 wrote to memory of 2708 1392 jppdv.exe 91 PID 1392 wrote to memory of 2708 1392 jppdv.exe 91 PID 1392 wrote to memory of 2708 1392 jppdv.exe 91 PID 2708 wrote to memory of 4976 2708 lrllxlf.exe 92 PID 2708 wrote to memory of 4976 2708 lrllxlf.exe 92 PID 2708 wrote to memory of 4976 2708 lrllxlf.exe 92 PID 4976 wrote to memory of 3316 4976 vddvp.exe 93 PID 4976 wrote to memory 
of 3316 4976 vddvp.exe 93 PID 4976 wrote to memory of 3316 4976 vddvp.exe 93 PID 3316 wrote to memory of 1272 3316 7fflffr.exe 94 PID 3316 wrote to memory of 1272 3316 7fflffr.exe 94 PID 3316 wrote to memory of 1272 3316 7fflffr.exe 94 PID 1272 wrote to memory of 232 1272 htnnhn.exe 95 PID 1272 wrote to memory of 232 1272 htnnhn.exe 95 PID 1272 wrote to memory of 232 1272 htnnhn.exe 95 PID 232 wrote to memory of 1960 232 pdjdd.exe 96 PID 232 wrote to memory of 1960 232 pdjdd.exe 96 PID 232 wrote to memory of 1960 232 pdjdd.exe 96 PID 1960 wrote to memory of 916 1960 xxxrrrr.exe 97 PID 1960 wrote to memory of 916 1960 xxxrrrr.exe 97 PID 1960 wrote to memory of 916 1960 xxxrrrr.exe 97 PID 916 wrote to memory of 4688 916 9rlfffx.exe 98 PID 916 wrote to memory of 4688 916 9rlfffx.exe 98 PID 916 wrote to memory of 4688 916 9rlfffx.exe 98 PID 4688 wrote to memory of 4732 4688 nhhbhn.exe 99 PID 4688 wrote to memory of 4732 4688 nhhbhn.exe 99 PID 4688 wrote to memory of 4732 4688 nhhbhn.exe 99 PID 4732 wrote to memory of 5076 4732 xrxxrxx.exe 100 PID 4732 wrote to memory of 5076 4732 xrxxrxx.exe 100 PID 4732 wrote to memory of 5076 4732 xrxxrxx.exe 100 PID 5076 wrote to memory of 4848 5076 nntbhh.exe 101 PID 5076 wrote to memory of 4848 5076 nntbhh.exe 101 PID 5076 wrote to memory of 4848 5076 nntbhh.exe 101 PID 4848 wrote to memory of 2688 4848 jpdvp.exe 102 PID 4848 wrote to memory of 2688 4848 jpdvp.exe 102 PID 4848 wrote to memory of 2688 4848 jpdvp.exe 102 PID 2688 wrote to memory of 3748 2688 frrrrrr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\214dda02c358719bca968f965f15dc572619c3f140e581bac155eb09a9b946b1.exe"C:\Users\Admin\AppData\Local\Temp\214dda02c358719bca968f965f15dc572619c3f140e581bac155eb09a9b946b1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\jjjdp.exec:\jjjdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\llflffx.exec:\llflffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\nnttnt.exec:\nnttnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\vvdvj.exec:\vvdvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\tnnbbt.exec:\tnnbbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\frxrlff.exec:\frxrlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\dvddd.exec:\dvddd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\jjvjv.exec:\jjvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\jppdv.exec:\jppdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\lrllxlf.exec:\lrllxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\vddvp.exec:\vddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\7fflffr.exec:\7fflffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\htnnhn.exec:\htnnhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\pdjdd.exec:\pdjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\9rlfffx.exec:\9rlfffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\nhhbhn.exec:\nhhbhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\xrxxrxx.exec:\xrxxrxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\nntbhh.exec:\nntbhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\jpdvp.exec:\jpdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\frrrrrr.exec:\frrrrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\hbhbbb.exec:\hbhbbb.exe23⤵
- Executes dropped EXE
PID:3748 -
\??\c:\vvdvv.exec:\vvdvv.exe24⤵
- Executes dropped EXE
PID:3620 -
\??\c:\fffffll.exec:\fffffll.exe25⤵
- Executes dropped EXE
PID:1916 -
\??\c:\htbttt.exec:\htbttt.exe26⤵
- Executes dropped EXE
PID:4260 -
\??\c:\pjppv.exec:\pjppv.exe27⤵
- Executes dropped EXE
PID:4708 -
\??\c:\fxxrffx.exec:\fxxrffx.exe28⤵
- Executes dropped EXE
PID:4092 -
\??\c:\rflfxxf.exec:\rflfxxf.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4600 -
\??\c:\1ttttt.exec:\1ttttt.exe30⤵
- Executes dropped EXE
PID:3988 -
\??\c:\lllffff.exec:\lllffff.exe31⤵
- Executes dropped EXE
PID:3276 -
\??\c:\fxlllll.exec:\fxlllll.exe32⤵
- Executes dropped EXE
PID:3688 -
\??\c:\frxxrrr.exec:\frxxrrr.exe33⤵
- Executes dropped EXE
PID:4244 -
\??\c:\pjpjd.exec:\pjpjd.exe34⤵
- Executes dropped EXE
PID:2988 -
\??\c:\jjvvv.exec:\jjvvv.exe35⤵
- Executes dropped EXE
PID:884 -
\??\c:\hbhbht.exec:\hbhbht.exe36⤵
- Executes dropped EXE
PID:4376 -
\??\c:\vjjvj.exec:\vjjvj.exe37⤵
- Executes dropped EXE
PID:432 -
\??\c:\pjdvd.exec:\pjdvd.exe38⤵
- Executes dropped EXE
PID:1472 -
\??\c:\1nhhht.exec:\1nhhht.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3776 -
\??\c:\jjppd.exec:\jjppd.exe40⤵
- Executes dropped EXE
PID:1980 -
\??\c:\llrrffr.exec:\llrrffr.exe41⤵
- Executes dropped EXE
PID:4428 -
\??\c:\dpjdp.exec:\dpjdp.exe42⤵
- Executes dropped EXE
PID:2652 -
\??\c:\xlrlfrf.exec:\xlrlfrf.exe43⤵
- Executes dropped EXE
PID:2620 -
\??\c:\tbtnhn.exec:\tbtnhn.exe44⤵
- Executes dropped EXE
PID:4924 -
\??\c:\jvjdd.exec:\jvjdd.exe45⤵
- Executes dropped EXE
PID:4908 -
\??\c:\rxlllxr.exec:\rxlllxr.exe46⤵
- Executes dropped EXE
PID:3364 -
\??\c:\rlllllr.exec:\rlllllr.exe47⤵
- Executes dropped EXE
PID:2720 -
\??\c:\htthbt.exec:\htthbt.exe48⤵
- Executes dropped EXE
PID:4944 -
\??\c:\jpvvv.exec:\jpvvv.exe49⤵
- Executes dropped EXE
PID:4608 -
\??\c:\5rxrrxr.exec:\5rxrrxr.exe50⤵
- Executes dropped EXE
PID:2908 -
\??\c:\3ntnhh.exec:\3ntnhh.exe51⤵
- Executes dropped EXE
PID:3976 -
\??\c:\vdddv.exec:\vdddv.exe52⤵
- Executes dropped EXE
PID:2976 -
\??\c:\llfllll.exec:\llfllll.exe53⤵
- Executes dropped EXE
PID:4528 -
\??\c:\flffxxx.exec:\flffxxx.exe54⤵
- Executes dropped EXE
PID:2108 -
\??\c:\9tthtt.exec:\9tthtt.exe55⤵
- Executes dropped EXE
PID:1924 -
\??\c:\jjjjd.exec:\jjjjd.exe56⤵
- Executes dropped EXE
PID:2468 -
\??\c:\fxrlrxx.exec:\fxrlrxx.exe57⤵
- Executes dropped EXE
PID:4816 -
\??\c:\fllfxrl.exec:\fllfxrl.exe58⤵
- Executes dropped EXE
PID:2864 -
\??\c:\nbhttb.exec:\nbhttb.exe59⤵
- Executes dropped EXE
PID:3956 -
\??\c:\dvdpd.exec:\dvdpd.exe60⤵
- Executes dropped EXE
PID:2336 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe61⤵
- Executes dropped EXE
PID:392 -
\??\c:\bnbtnn.exec:\bnbtnn.exe62⤵
- Executes dropped EXE
PID:4212 -
\??\c:\nhnhhn.exec:\nhnhhn.exe63⤵
- Executes dropped EXE
PID:1692 -
\??\c:\1jvpj.exec:\1jvpj.exe64⤵
- Executes dropped EXE
PID:4820 -
\??\c:\xfrrlfl.exec:\xfrrlfl.exe65⤵
- Executes dropped EXE
PID:2972 -
\??\c:\nntnnh.exec:\nntnnh.exe66⤵PID:4972
-
\??\c:\vdjdd.exec:\vdjdd.exe67⤵PID:2220
-
\??\c:\lfxxxxx.exec:\lfxxxxx.exe68⤵PID:2140
-
\??\c:\nhtbbt.exec:\nhtbbt.exe69⤵PID:1476
-
\??\c:\vjjvv.exec:\vjjvv.exe70⤵PID:4512
-
\??\c:\7llffxr.exec:\7llffxr.exe71⤵PID:2200
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe72⤵PID:2344
-
\??\c:\hhhbtt.exec:\hhhbtt.exe73⤵PID:2408
-
\??\c:\pdjdj.exec:\pdjdj.exe74⤵PID:3592
-
\??\c:\llfxrrl.exec:\llfxrrl.exe75⤵PID:3560
-
\??\c:\httbbn.exec:\httbbn.exe76⤵PID:1960
-
\??\c:\hnnhtn.exec:\hnnhtn.exe77⤵PID:4124
-
\??\c:\jddvj.exec:\jddvj.exe78⤵PID:1484
-
\??\c:\fxrrxfr.exec:\fxrrxfr.exe79⤵PID:4412
-
\??\c:\bhbbnh.exec:\bhbbnh.exe80⤵PID:1436
-
\??\c:\pppdv.exec:\pppdv.exe81⤵PID:2224
-
\??\c:\7xrfrlf.exec:\7xrfrlf.exe82⤵PID:5076
-
\??\c:\xrxffxx.exec:\xrxffxx.exe83⤵PID:3052
-
\??\c:\hhbnhn.exec:\hhbnhn.exe84⤵PID:3240
-
\??\c:\ddvvp.exec:\ddvvp.exe85⤵PID:4572
-
\??\c:\lxffrlx.exec:\lxffrlx.exe86⤵PID:3528
-
\??\c:\tnhbnh.exec:\tnhbnh.exe87⤵PID:2820
-
\??\c:\7jvvd.exec:\7jvvd.exe88⤵PID:2824
-
\??\c:\rrrlxrf.exec:\rrrlxrf.exe89⤵PID:3220
-
\??\c:\htnnnn.exec:\htnnnn.exe90⤵PID:4364
-
\??\c:\5jvdp.exec:\5jvdp.exe91⤵PID:1564
-
\??\c:\flrfrfx.exec:\flrfrfx.exe92⤵PID:1688
-
\??\c:\hnnbnb.exec:\hnnbnb.exe93⤵PID:1468
-
\??\c:\1dvdv.exec:\1dvdv.exe94⤵PID:4440
-
\??\c:\pjvjd.exec:\pjvjd.exe95⤵PID:3344
-
\??\c:\xlfrfrl.exec:\xlfrfrl.exe96⤵PID:3276
-
\??\c:\bntnnh.exec:\bntnnh.exe97⤵PID:3692
-
\??\c:\9jjvj.exec:\9jjvj.exe98⤵PID:744
-
\??\c:\1pjvd.exec:\1pjvd.exe99⤵PID:3616
-
\??\c:\llxllfl.exec:\llxllfl.exe100⤵PID:1128
-
\??\c:\bhnhbt.exec:\bhnhbt.exe101⤵
- System Location Discovery: System Language Discovery
PID:3832 -
\??\c:\pvvpj.exec:\pvvpj.exe102⤵PID:3380
-
\??\c:\vpdvv.exec:\vpdvv.exe103⤵PID:432
-
\??\c:\rrxrxrl.exec:\rrxrxrl.exe104⤵PID:4568
-
\??\c:\jdvpd.exec:\jdvpd.exe105⤵PID:1448
-
\??\c:\vdpjd.exec:\vdpjd.exe106⤵PID:1616
-
\??\c:\lfrlxfr.exec:\lfrlxfr.exe107⤵PID:2356
-
\??\c:\thbtnh.exec:\thbtnh.exe108⤵PID:1124
-
\??\c:\pvjjd.exec:\pvjjd.exe109⤵PID:3080
-
\??\c:\rxxrffr.exec:\rxxrffr.exe110⤵PID:2748
-
\??\c:\lffxfxf.exec:\lffxfxf.exe111⤵PID:3320
-
\??\c:\thbhbn.exec:\thbhbn.exe112⤵PID:4340
-
\??\c:\vvdpp.exec:\vvdpp.exe113⤵PID:4808
-
\??\c:\5lrfrlf.exec:\5lrfrlf.exe114⤵PID:3952
-
\??\c:\nhtnbt.exec:\nhtnbt.exe115⤵PID:868
-
\??\c:\pdpdp.exec:\pdpdp.exe116⤵PID:4768
-
\??\c:\djpjv.exec:\djpjv.exe117⤵PID:3116
-
\??\c:\llxxrlx.exec:\llxxrlx.exe118⤵PID:1828
-
\??\c:\tbnbbt.exec:\tbnbbt.exe119⤵PID:2976
-
\??\c:\jddpd.exec:\jddpd.exe120⤵PID:3100
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe121⤵PID:3332
-
\??\c:\nbhbbb.exec:\nbhbbb.exe122⤵PID:1924