Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 00:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe
-
Size
454KB
-
MD5
ddbb08113a08f4e24b27d944c03a9245
-
SHA1
e7b0d4617d16e760c72661a6c6e4d77e58bb7fc2
-
SHA256
81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6
-
SHA512
a7e756d20231933cbf8131bc238299c95a7f108db41565c5632cf15abdc55cad10daed9e7d9d7bef52e41175c0b2e48bc1107eb0b7c77027a47f918bdab1c2a5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT2:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1520-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1648-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4648-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-1082-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-1358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-1604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4404 5bhbtt.exe 4204 3rrrlfx.exe 2104 hhnnhh.exe 1952 rrfrllr.exe 1580 dppjj.exe 4476 ntbbtt.exe 4716 5bhtnn.exe 740 xxlfllr.exe 2436 jdjdd.exe 3004 nthnbb.exe 4984 rlrlllf.exe 4076 9ttnhb.exe 3136 vpddv.exe 1124 7tnbhb.exe 1144 lxfrlll.exe 644 rffxrrl.exe 3892 ttttnb.exe 4796 xrrlxxx.exe 972 3bhbhh.exe 2356 7lfxlfx.exe 2940 3bbhbb.exe 1056 pppjd.exe 4884 5lrllrr.exe 316 vpvvp.exe 1648 1llllff.exe 2924 pjpjv.exe 3988 xllffff.exe 2428 3pppp.exe 2072 lfrlxxf.exe 696 1xllrrx.exe 4300 vvdvp.exe 2144 rffxxxr.exe 1604 tnbhth.exe 1028 dpvpp.exe 4592 nnbnth.exe 720 5dvjp.exe 5096 pjjdv.exe 956 rxlxllf.exe 1732 bhhtnn.exe 2200 vpvdj.exe 4236 xlrfrlf.exe 216 pdvpd.exe 4968 dvpdj.exe 4036 7lrlffr.exe 3920 hnnbtn.exe 4444 dddvd.exe 2032 ffxlxlf.exe 1008 xxlxlfr.exe 4524 tnhthh.exe 1996 5pdpd.exe 1468 lfxfrlx.exe 3256 hbhbth.exe 2948 ntnhbt.exe 3060 pdjdd.exe 4516 flxxfrf.exe 3724 xxfrfxl.exe 1120 btnhtn.exe 440 5pjjv.exe 4316 lrfrfxl.exe 2436 fllflfx.exe 3948 9tthnh.exe 3008 jjjvj.exe 4176 5pjvd.exe 2280 lflfrll.exe -
resource yara_rule behavioral2/memory/1520-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/696-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-404-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2200-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-910-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-1082-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 4404 1520 81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe 82 PID 1520 wrote to memory of 4404 1520 81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe 82 PID 1520 wrote to memory of 4404 1520 81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe 82 PID 4404 wrote to memory of 4204 4404 5bhbtt.exe 83 PID 4404 wrote to memory of 4204 4404 5bhbtt.exe 83 PID 4404 wrote to memory of 4204 4404 5bhbtt.exe 83 PID 4204 wrote to memory of 2104 4204 3rrrlfx.exe 84 PID 4204 wrote to memory of 2104 4204 3rrrlfx.exe 84 PID 4204 wrote to memory of 2104 4204 3rrrlfx.exe 84 PID 2104 wrote to memory of 1952 2104 hhnnhh.exe 85 PID 2104 wrote to memory of 1952 2104 hhnnhh.exe 85 PID 2104 wrote to memory of 1952 2104 hhnnhh.exe 85 PID 1952 wrote to memory of 1580 1952 rrfrllr.exe 86 PID 1952 wrote to memory of 1580 1952 rrfrllr.exe 86 PID 1952 wrote to memory of 1580 1952 rrfrllr.exe 86 PID 1580 wrote to memory of 4476 1580 dppjj.exe 87 PID 1580 wrote to memory of 4476 1580 dppjj.exe 87 PID 1580 wrote to memory of 4476 1580 dppjj.exe 87 PID 4476 wrote to memory of 4716 4476 ntbbtt.exe 88 PID 4476 wrote to memory of 4716 4476 ntbbtt.exe 88 PID 4476 wrote to memory of 4716 4476 ntbbtt.exe 88 PID 4716 wrote to memory of 740 4716 5bhtnn.exe 89 PID 4716 wrote to memory of 740 4716 5bhtnn.exe 89 PID 4716 wrote to memory of 740 4716 5bhtnn.exe 89 PID 740 wrote to memory of 2436 740 xxlfllr.exe 90 PID 740 wrote to memory of 2436 740 xxlfllr.exe 90 PID 740 wrote to memory of 2436 740 xxlfllr.exe 90 PID 2436 wrote to memory of 3004 2436 jdjdd.exe 91 PID 2436 wrote to memory of 3004 2436 jdjdd.exe 91 PID 2436 wrote to memory of 3004 2436 jdjdd.exe 91 PID 3004 wrote to memory of 4984 3004 nthnbb.exe 92 PID 3004 wrote to memory of 4984 3004 nthnbb.exe 92 PID 3004 wrote to memory of 4984 3004 nthnbb.exe 92 PID 4984 wrote to memory of 4076 4984 rlrlllf.exe 93 PID 4984 wrote to memory 
of 4076 4984 rlrlllf.exe 93 PID 4984 wrote to memory of 4076 4984 rlrlllf.exe 93 PID 4076 wrote to memory of 3136 4076 9ttnhb.exe 94 PID 4076 wrote to memory of 3136 4076 9ttnhb.exe 94 PID 4076 wrote to memory of 3136 4076 9ttnhb.exe 94 PID 3136 wrote to memory of 1124 3136 vpddv.exe 95 PID 3136 wrote to memory of 1124 3136 vpddv.exe 95 PID 3136 wrote to memory of 1124 3136 vpddv.exe 95 PID 1124 wrote to memory of 1144 1124 7tnbhb.exe 96 PID 1124 wrote to memory of 1144 1124 7tnbhb.exe 96 PID 1124 wrote to memory of 1144 1124 7tnbhb.exe 96 PID 1144 wrote to memory of 644 1144 lxfrlll.exe 97 PID 1144 wrote to memory of 644 1144 lxfrlll.exe 97 PID 1144 wrote to memory of 644 1144 lxfrlll.exe 97 PID 644 wrote to memory of 3892 644 rffxrrl.exe 98 PID 644 wrote to memory of 3892 644 rffxrrl.exe 98 PID 644 wrote to memory of 3892 644 rffxrrl.exe 98 PID 3892 wrote to memory of 4796 3892 ttttnb.exe 99 PID 3892 wrote to memory of 4796 3892 ttttnb.exe 99 PID 3892 wrote to memory of 4796 3892 ttttnb.exe 99 PID 4796 wrote to memory of 972 4796 xrrlxxx.exe 100 PID 4796 wrote to memory of 972 4796 xrrlxxx.exe 100 PID 4796 wrote to memory of 972 4796 xrrlxxx.exe 100 PID 972 wrote to memory of 2356 972 3bhbhh.exe 101 PID 972 wrote to memory of 2356 972 3bhbhh.exe 101 PID 972 wrote to memory of 2356 972 3bhbhh.exe 101 PID 2356 wrote to memory of 2940 2356 7lfxlfx.exe 102 PID 2356 wrote to memory of 2940 2356 7lfxlfx.exe 102 PID 2356 wrote to memory of 2940 2356 7lfxlfx.exe 102 PID 2940 wrote to memory of 1056 2940 3bbhbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe"C:\Users\Admin\AppData\Local\Temp\81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\5bhbtt.exec:\5bhbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\3rrrlfx.exec:\3rrrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\hhnnhh.exec:\hhnnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\rrfrllr.exec:\rrfrllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\dppjj.exec:\dppjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\ntbbtt.exec:\ntbbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\5bhtnn.exec:\5bhtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\xxlfllr.exec:\xxlfllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\jdjdd.exec:\jdjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\nthnbb.exec:\nthnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\rlrlllf.exec:\rlrlllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\9ttnhb.exec:\9ttnhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\vpddv.exec:\vpddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\7tnbhb.exec:\7tnbhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\lxfrlll.exec:\lxfrlll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\rffxrrl.exec:\rffxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\ttttnb.exec:\ttttnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\xrrlxxx.exec:\xrrlxxx.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\3bhbhh.exec:\3bhbhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\7lfxlfx.exec:\7lfxlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\3bbhbb.exec:\3bbhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\pppjd.exec:\pppjd.exe23⤵
- Executes dropped EXE
PID:1056 -
\??\c:\5lrllrr.exec:\5lrllrr.exe24⤵
- Executes dropped EXE
PID:4884 -
\??\c:\vpvvp.exec:\vpvvp.exe25⤵
- Executes dropped EXE
PID:316 -
\??\c:\1llllff.exec:\1llllff.exe26⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pjpjv.exec:\pjpjv.exe27⤵
- Executes dropped EXE
PID:2924 -
\??\c:\xllffff.exec:\xllffff.exe28⤵
- Executes dropped EXE
PID:3988 -
\??\c:\3pppp.exec:\3pppp.exe29⤵
- Executes dropped EXE
PID:2428 -
\??\c:\lfrlxxf.exec:\lfrlxxf.exe30⤵
- Executes dropped EXE
PID:2072 -
\??\c:\1xllrrx.exec:\1xllrrx.exe31⤵
- Executes dropped EXE
PID:696 -
\??\c:\vvdvp.exec:\vvdvp.exe32⤵
- Executes dropped EXE
PID:4300 -
\??\c:\rffxxxr.exec:\rffxxxr.exe33⤵
- Executes dropped EXE
PID:2144 -
\??\c:\tnbhth.exec:\tnbhth.exe34⤵
- Executes dropped EXE
PID:1604 -
\??\c:\dpvpp.exec:\dpvpp.exe35⤵
- Executes dropped EXE
PID:1028 -
\??\c:\nnbnth.exec:\nnbnth.exe36⤵
- Executes dropped EXE
PID:4592 -
\??\c:\5dvjp.exec:\5dvjp.exe37⤵
- Executes dropped EXE
PID:720 -
\??\c:\pjjdv.exec:\pjjdv.exe38⤵
- Executes dropped EXE
PID:5096 -
\??\c:\rxlxllf.exec:\rxlxllf.exe39⤵
- Executes dropped EXE
PID:956 -
\??\c:\bhhtnn.exec:\bhhtnn.exe40⤵
- Executes dropped EXE
PID:1732 -
\??\c:\vpvdj.exec:\vpvdj.exe41⤵
- Executes dropped EXE
PID:2200 -
\??\c:\xlrfrlf.exec:\xlrfrlf.exe42⤵
- Executes dropped EXE
PID:4236 -
\??\c:\pdvpd.exec:\pdvpd.exe43⤵
- Executes dropped EXE
PID:216 -
\??\c:\dvpdj.exec:\dvpdj.exe44⤵
- Executes dropped EXE
PID:4968 -
\??\c:\7lrlffr.exec:\7lrlffr.exe45⤵
- Executes dropped EXE
PID:4036 -
\??\c:\hnnbtn.exec:\hnnbtn.exe46⤵
- Executes dropped EXE
PID:3920 -
\??\c:\dddvd.exec:\dddvd.exe47⤵
- Executes dropped EXE
PID:4444 -
\??\c:\ffxlxlf.exec:\ffxlxlf.exe48⤵
- Executes dropped EXE
PID:2032 -
\??\c:\xxlxlfr.exec:\xxlxlfr.exe49⤵
- Executes dropped EXE
PID:1008 -
\??\c:\tnhthh.exec:\tnhthh.exe50⤵
- Executes dropped EXE
PID:4524 -
\??\c:\5pdpd.exec:\5pdpd.exe51⤵
- Executes dropped EXE
PID:1996 -
\??\c:\lfxfrlx.exec:\lfxfrlx.exe52⤵
- Executes dropped EXE
PID:1468 -
\??\c:\hbhbth.exec:\hbhbth.exe53⤵
- Executes dropped EXE
PID:3256 -
\??\c:\ntnhbt.exec:\ntnhbt.exe54⤵
- Executes dropped EXE
PID:2948 -
\??\c:\pdjdd.exec:\pdjdd.exe55⤵
- Executes dropped EXE
PID:3060 -
\??\c:\flxxfrf.exec:\flxxfrf.exe56⤵
- Executes dropped EXE
PID:4516 -
\??\c:\xxfrfxl.exec:\xxfrfxl.exe57⤵
- Executes dropped EXE
PID:3724 -
\??\c:\btnhtn.exec:\btnhtn.exe58⤵
- Executes dropped EXE
PID:1120 -
\??\c:\5pjjv.exec:\5pjjv.exe59⤵
- Executes dropped EXE
PID:440 -
\??\c:\lrfrfxl.exec:\lrfrfxl.exe60⤵
- Executes dropped EXE
PID:4316 -
\??\c:\fllflfx.exec:\fllflfx.exe61⤵
- Executes dropped EXE
PID:2436 -
\??\c:\9tthnh.exec:\9tthnh.exe62⤵
- Executes dropped EXE
PID:3948 -
\??\c:\jjjvj.exec:\jjjvj.exe63⤵
- Executes dropped EXE
PID:3008 -
\??\c:\5pjvd.exec:\5pjvd.exe64⤵
- Executes dropped EXE
PID:4176 -
\??\c:\lflfrll.exec:\lflfrll.exe65⤵
- Executes dropped EXE
PID:2280 -
\??\c:\htbnbt.exec:\htbnbt.exe66⤵PID:4076
-
\??\c:\vdvpd.exec:\vdvpd.exe67⤵PID:4824
-
\??\c:\7jdpd.exec:\7jdpd.exe68⤵PID:3864
-
\??\c:\xffxlfx.exec:\xffxlfx.exe69⤵PID:2552
-
\??\c:\tnhtnh.exec:\tnhtnh.exe70⤵PID:1776
-
\??\c:\htbtbn.exec:\htbtbn.exe71⤵PID:4460
-
\??\c:\vjpdp.exec:\vjpdp.exe72⤵PID:2532
-
\??\c:\frxlfxl.exec:\frxlfxl.exe73⤵PID:4424
-
\??\c:\9llxxrl.exec:\9llxxrl.exe74⤵PID:4796
-
\??\c:\7bhthb.exec:\7bhthb.exe75⤵PID:2972
-
\??\c:\3vvjp.exec:\3vvjp.exe76⤵PID:2556
-
\??\c:\rrrlrlx.exec:\rrrlrlx.exe77⤵PID:4624
-
\??\c:\5ttnbt.exec:\5ttnbt.exe78⤵PID:2940
-
\??\c:\5tnbnh.exec:\5tnbnh.exe79⤵PID:3628
-
\??\c:\pdpdp.exec:\pdpdp.exe80⤵PID:3736
-
\??\c:\rfrlffx.exec:\rfrlffx.exe81⤵PID:4980
-
\??\c:\tttbth.exec:\tttbth.exe82⤵PID:1764
-
\??\c:\7hhthb.exec:\7hhthb.exe83⤵
- System Location Discovery: System Language Discovery
PID:2000 -
\??\c:\pjjjv.exec:\pjjjv.exe84⤵PID:3288
-
\??\c:\fffrfrf.exec:\fffrfrf.exe85⤵PID:3836
-
\??\c:\bththb.exec:\bththb.exe86⤵PID:3988
-
\??\c:\9jjpd.exec:\9jjpd.exe87⤵PID:4564
-
\??\c:\5ppdp.exec:\5ppdp.exe88⤵PID:2072
-
\??\c:\7rrxrxr.exec:\7rrxrxr.exe89⤵PID:4648
-
\??\c:\bbnhtn.exec:\bbnhtn.exe90⤵PID:3980
-
\??\c:\hbthhb.exec:\hbthhb.exe91⤵PID:4560
-
\??\c:\5jvpd.exec:\5jvpd.exe92⤵PID:3560
-
\??\c:\xlrlfxx.exec:\xlrlfxx.exe93⤵PID:1436
-
\??\c:\hbthth.exec:\hbthth.exe94⤵PID:1068
-
\??\c:\bbbthh.exec:\bbbthh.exe95⤵PID:4592
-
\??\c:\5pjvj.exec:\5pjvj.exe96⤵PID:720
-
\??\c:\lffflfx.exec:\lffflfx.exe97⤵PID:1500
-
\??\c:\rflxrlf.exec:\rflxrlf.exe98⤵PID:464
-
\??\c:\hhtnhb.exec:\hhtnhb.exe99⤵PID:2312
-
\??\c:\vpjvp.exec:\vpjvp.exe100⤵PID:2200
-
\??\c:\vjjdp.exec:\vjjdp.exe101⤵PID:3524
-
\??\c:\frlfrlx.exec:\frlfrlx.exe102⤵PID:208
-
\??\c:\tnthht.exec:\tnthht.exe103⤵PID:2152
-
\??\c:\pjvjv.exec:\pjvjv.exe104⤵PID:3576
-
\??\c:\lllxlxr.exec:\lllxlxr.exe105⤵PID:2472
-
\??\c:\xflxxxl.exec:\xflxxxl.exe106⤵PID:4344
-
\??\c:\7tbnbt.exec:\7tbnbt.exe107⤵PID:2992
-
\??\c:\dvpjp.exec:\dvpjp.exe108⤵PID:220
-
\??\c:\7rrflfx.exec:\7rrflfx.exe109⤵PID:4524
-
\??\c:\lfxlfrf.exec:\lfxlfrf.exe110⤵PID:4840
-
\??\c:\thnbbt.exec:\thnbbt.exe111⤵PID:2676
-
\??\c:\5bhthh.exec:\5bhthh.exe112⤵PID:3256
-
\??\c:\pjjvd.exec:\pjjvd.exe113⤵PID:2948
-
\??\c:\xlrllfr.exec:\xlrllfr.exe114⤵PID:4760
-
\??\c:\7hbnhb.exec:\7hbnhb.exe115⤵PID:4516
-
\??\c:\tbbnbh.exec:\tbbnbh.exe116⤵PID:3724
-
\??\c:\dvdvp.exec:\dvdvp.exe117⤵PID:3440
-
\??\c:\xflfrfx.exec:\xflfrfx.exe118⤵PID:2508
-
\??\c:\7frxllx.exec:\7frxllx.exe119⤵PID:4316
-
\??\c:\jdvjv.exec:\jdvjv.exe120⤵PID:2436
-
\??\c:\5jdpd.exec:\5jdpd.exe121⤵PID:3948
-
\??\c:\xxxxrlr.exec:\xxxxrlr.exe122⤵PID:940