Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 04:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe
-
Size
453KB
-
MD5
0fe2187cb558d7370cf21c3d181fce54
-
SHA1
d0e83b3b3278cb34ca72d963c9e25274f89e3790
-
SHA256
facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb
-
SHA512
2f5fc673b3ef95ee5c3ccc6f0524eab6f34a456a3bfe2a100f84e6e74a4d7bd6ac96aa93d0b5043505428c9b42555847a3ceb3351ad4df54b14b4051c0d8b892
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4148-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/748-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/924-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1320 xxrfrlx.exe 400 btthtn.exe 3952 dppdp.exe 4932 vjjvj.exe 3396 3xxlxlf.exe 4248 pvdvv.exe 5004 lxlfrlr.exe 1636 vvdvv.exe 4588 nttnnn.exe 3540 ddpjv.exe 2336 lxlxfxf.exe 2096 ttthtn.exe 3652 bnttnn.exe 2004 jvvjv.exe 2728 hbnthn.exe 4740 dvdpj.exe 1424 1rlfrfr.exe 2356 hththt.exe 3788 jpjdp.exe 2372 vvvjv.exe 4408 frxfflf.exe 4688 thbnbn.exe 4100 vvddj.exe 1900 xrlrxlr.exe 4756 pvvjd.exe 748 lxxrfrl.exe 2052 vdpjd.exe 4392 lxrflfr.exe 2960 frlxrrf.exe 2416 hthtnh.exe 3412 lxfxxlr.exe 2136 xxxlxrl.exe 3300 3vpdp.exe 940 3hhtht.exe 1008 7jvjv.exe 3692 xxfrxrf.exe 1756 xffxllf.exe 1852 hbnbht.exe 4872 dpjvd.exe 3684 jjjvj.exe 1388 5fxlxlx.exe 1308 thbthb.exe 2812 5hthnh.exe 4508 jvpdj.exe 4360 rlrlxlx.exe 3888 fxlfxlx.exe 1632 bhhtht.exe 4448 thbnbt.exe 3536 vjjpp.exe 4116 xlfrlfl.exe 1180 nbthtn.exe 376 thhttn.exe 3172 jjjvd.exe 3356 rflxfrl.exe 3720 1bbnhb.exe 3280 bbbnhb.exe 4708 vjpdj.exe 2840 lrrxlxl.exe 4536 lllfrfr.exe 2060 hbbntt.exe 780 pddjv.exe 1044 fffxfrf.exe 1356 lrflxll.exe 5072 hhhtbn.exe -
resource yara_rule behavioral2/memory/4148-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2416-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-369-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3272-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-604-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4148 wrote to memory of 1320 4148 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 83 PID 4148 wrote to memory of 1320 4148 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 83 PID 4148 wrote to memory of 1320 4148 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 83 PID 1320 wrote to memory of 400 1320 xxrfrlx.exe 84 PID 1320 wrote to memory of 400 1320 xxrfrlx.exe 84 PID 1320 wrote to memory of 400 1320 xxrfrlx.exe 84 PID 400 wrote to memory of 3952 400 btthtn.exe 85 PID 400 wrote to memory of 3952 400 btthtn.exe 85 PID 400 wrote to memory of 3952 400 btthtn.exe 85 PID 3952 wrote to memory of 4932 3952 dppdp.exe 86 PID 3952 wrote to memory of 4932 3952 dppdp.exe 86 PID 3952 wrote to memory of 4932 3952 dppdp.exe 86 PID 4932 wrote to memory of 3396 4932 vjjvj.exe 87 PID 4932 wrote to memory of 3396 4932 vjjvj.exe 87 PID 4932 wrote to memory of 3396 4932 vjjvj.exe 87 PID 3396 wrote to memory of 4248 3396 3xxlxlf.exe 88 PID 3396 wrote to memory of 4248 3396 3xxlxlf.exe 88 PID 3396 wrote to memory of 4248 3396 3xxlxlf.exe 88 PID 4248 wrote to memory of 5004 4248 pvdvv.exe 89 PID 4248 wrote to memory of 5004 4248 pvdvv.exe 89 PID 4248 wrote to memory of 5004 4248 pvdvv.exe 89 PID 5004 wrote to memory of 1636 5004 lxlfrlr.exe 90 PID 5004 wrote to memory of 1636 5004 lxlfrlr.exe 90 PID 5004 wrote to memory of 1636 5004 lxlfrlr.exe 90 PID 1636 wrote to memory of 4588 1636 vvdvv.exe 91 PID 1636 wrote to memory of 4588 1636 vvdvv.exe 91 PID 1636 wrote to memory of 4588 1636 vvdvv.exe 91 PID 4588 wrote to memory of 3540 4588 nttnnn.exe 92 PID 4588 wrote to memory of 3540 4588 nttnnn.exe 92 PID 4588 wrote to memory of 3540 4588 nttnnn.exe 92 PID 3540 wrote to memory of 2336 3540 ddpjv.exe 93 PID 3540 wrote to memory of 2336 3540 ddpjv.exe 93 PID 3540 wrote to memory of 2336 3540 ddpjv.exe 93 PID 2336 wrote to memory of 2096 2336 lxlxfxf.exe 94 PID 2336 wrote to memory of 2096 
2336 lxlxfxf.exe 94 PID 2336 wrote to memory of 2096 2336 lxlxfxf.exe 94 PID 2096 wrote to memory of 3652 2096 ttthtn.exe 95 PID 2096 wrote to memory of 3652 2096 ttthtn.exe 95 PID 2096 wrote to memory of 3652 2096 ttthtn.exe 95 PID 3652 wrote to memory of 2004 3652 bnttnn.exe 96 PID 3652 wrote to memory of 2004 3652 bnttnn.exe 96 PID 3652 wrote to memory of 2004 3652 bnttnn.exe 96 PID 2004 wrote to memory of 2728 2004 jvvjv.exe 97 PID 2004 wrote to memory of 2728 2004 jvvjv.exe 97 PID 2004 wrote to memory of 2728 2004 jvvjv.exe 97 PID 2728 wrote to memory of 4740 2728 hbnthn.exe 98 PID 2728 wrote to memory of 4740 2728 hbnthn.exe 98 PID 2728 wrote to memory of 4740 2728 hbnthn.exe 98 PID 4740 wrote to memory of 1424 4740 dvdpj.exe 99 PID 4740 wrote to memory of 1424 4740 dvdpj.exe 99 PID 4740 wrote to memory of 1424 4740 dvdpj.exe 99 PID 1424 wrote to memory of 2356 1424 1rlfrfr.exe 100 PID 1424 wrote to memory of 2356 1424 1rlfrfr.exe 100 PID 1424 wrote to memory of 2356 1424 1rlfrfr.exe 100 PID 2356 wrote to memory of 3788 2356 hththt.exe 101 PID 2356 wrote to memory of 3788 2356 hththt.exe 101 PID 2356 wrote to memory of 3788 2356 hththt.exe 101 PID 3788 wrote to memory of 2372 3788 jpjdp.exe 102 PID 3788 wrote to memory of 2372 3788 jpjdp.exe 102 PID 3788 wrote to memory of 2372 3788 jpjdp.exe 102 PID 2372 wrote to memory of 4408 2372 vvvjv.exe 103 PID 2372 wrote to memory of 4408 2372 vvvjv.exe 103 PID 2372 wrote to memory of 4408 2372 vvvjv.exe 103 PID 4408 wrote to memory of 4688 4408 frxfflf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe"C:\Users\Admin\AppData\Local\Temp\facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\xxrfrlx.exec:\xxrfrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\btthtn.exec:\btthtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\dppdp.exec:\dppdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\vjjvj.exec:\vjjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\3xxlxlf.exec:\3xxlxlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\pvdvv.exec:\pvdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\lxlfrlr.exec:\lxlfrlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\vvdvv.exec:\vvdvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\nttnnn.exec:\nttnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\ddpjv.exec:\ddpjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\lxlxfxf.exec:\lxlxfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\ttthtn.exec:\ttthtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\bnttnn.exec:\bnttnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\jvvjv.exec:\jvvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\hbnthn.exec:\hbnthn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\dvdpj.exec:\dvdpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\1rlfrfr.exec:\1rlfrfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\hththt.exec:\hththt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\jpjdp.exec:\jpjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\vvvjv.exec:\vvvjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\frxfflf.exec:\frxfflf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\thbnbn.exec:\thbnbn.exe23⤵
- Executes dropped EXE
PID:4688 -
\??\c:\vvddj.exec:\vvddj.exe24⤵
- Executes dropped EXE
PID:4100 -
\??\c:\xrlrxlr.exec:\xrlrxlr.exe25⤵
- Executes dropped EXE
PID:1900 -
\??\c:\pvvjd.exec:\pvvjd.exe26⤵
- Executes dropped EXE
PID:4756 -
\??\c:\lxxrfrl.exec:\lxxrfrl.exe27⤵
- Executes dropped EXE
PID:748 -
\??\c:\vdpjd.exec:\vdpjd.exe28⤵
- Executes dropped EXE
PID:2052 -
\??\c:\lxrflfr.exec:\lxrflfr.exe29⤵
- Executes dropped EXE
PID:4392 -
\??\c:\frlxrrf.exec:\frlxrrf.exe30⤵
- Executes dropped EXE
PID:2960 -
\??\c:\hthtnh.exec:\hthtnh.exe31⤵
- Executes dropped EXE
PID:2416 -
\??\c:\lxfxxlr.exec:\lxfxxlr.exe32⤵
- Executes dropped EXE
PID:3412 -
\??\c:\xxxlxrl.exec:\xxxlxrl.exe33⤵
- Executes dropped EXE
PID:2136 -
\??\c:\3vpdp.exec:\3vpdp.exe34⤵
- Executes dropped EXE
PID:3300 -
\??\c:\3hhtht.exec:\3hhtht.exe35⤵
- Executes dropped EXE
PID:940 -
\??\c:\7jvjv.exec:\7jvjv.exe36⤵
- Executes dropped EXE
PID:1008 -
\??\c:\xxfrxrf.exec:\xxfrxrf.exe37⤵
- Executes dropped EXE
PID:3692 -
\??\c:\xffxllf.exec:\xffxllf.exe38⤵
- Executes dropped EXE
PID:1756 -
\??\c:\hbnbht.exec:\hbnbht.exe39⤵
- Executes dropped EXE
PID:1852 -
\??\c:\dpjvd.exec:\dpjvd.exe40⤵
- Executes dropped EXE
PID:4872 -
\??\c:\jjjvj.exec:\jjjvj.exe41⤵
- Executes dropped EXE
PID:3684 -
\??\c:\5fxlxlx.exec:\5fxlxlx.exe42⤵
- Executes dropped EXE
PID:1388 -
\??\c:\thbthb.exec:\thbthb.exe43⤵
- Executes dropped EXE
PID:1308 -
\??\c:\5hthnh.exec:\5hthnh.exe44⤵
- Executes dropped EXE
PID:2812 -
\??\c:\jvpdj.exec:\jvpdj.exe45⤵
- Executes dropped EXE
PID:4508 -
\??\c:\rlrlxlx.exec:\rlrlxlx.exe46⤵
- Executes dropped EXE
PID:4360 -
\??\c:\fxlfxlx.exec:\fxlfxlx.exe47⤵
- Executes dropped EXE
PID:3888 -
\??\c:\bhhtht.exec:\bhhtht.exe48⤵
- Executes dropped EXE
PID:1632 -
\??\c:\thbnbt.exec:\thbnbt.exe49⤵
- Executes dropped EXE
PID:4448 -
\??\c:\vjjpp.exec:\vjjpp.exe50⤵
- Executes dropped EXE
PID:3536 -
\??\c:\xlfrlfl.exec:\xlfrlfl.exe51⤵
- Executes dropped EXE
PID:4116 -
\??\c:\nbthtn.exec:\nbthtn.exe52⤵
- Executes dropped EXE
PID:1180 -
\??\c:\thhttn.exec:\thhttn.exe53⤵
- Executes dropped EXE
PID:376 -
\??\c:\jjjvd.exec:\jjjvd.exe54⤵
- Executes dropped EXE
PID:3172 -
\??\c:\rflxfrl.exec:\rflxfrl.exe55⤵
- Executes dropped EXE
PID:3356 -
\??\c:\1bbnhb.exec:\1bbnhb.exe56⤵
- Executes dropped EXE
PID:3720 -
\??\c:\bbbnhb.exec:\bbbnhb.exe57⤵
- Executes dropped EXE
PID:3280 -
\??\c:\vjpdj.exec:\vjpdj.exe58⤵
- Executes dropped EXE
PID:4708 -
\??\c:\lrrxlxl.exec:\lrrxlxl.exe59⤵
- Executes dropped EXE
PID:2840 -
\??\c:\lllfrfr.exec:\lllfrfr.exe60⤵
- Executes dropped EXE
PID:4536 -
\??\c:\hbbntt.exec:\hbbntt.exe61⤵
- Executes dropped EXE
PID:2060 -
\??\c:\pddjv.exec:\pddjv.exe62⤵
- Executes dropped EXE
PID:780 -
\??\c:\fffxfrf.exec:\fffxfrf.exe63⤵
- Executes dropped EXE
PID:1044 -
\??\c:\lrflxll.exec:\lrflxll.exe64⤵
- Executes dropped EXE
PID:1356 -
\??\c:\hhhtbn.exec:\hhhtbn.exe65⤵
- Executes dropped EXE
PID:5072 -
\??\c:\pjvjj.exec:\pjvjj.exe66⤵PID:4768
-
\??\c:\vjvjd.exec:\vjvjd.exe67⤵PID:3528
-
\??\c:\xffrxrf.exec:\xffrxrf.exe68⤵PID:2252
-
\??\c:\hbthbt.exec:\hbthbt.exe69⤵PID:2604
-
\??\c:\1vppj.exec:\1vppj.exe70⤵PID:228
-
\??\c:\lxxllff.exec:\lxxllff.exe71⤵PID:720
-
\??\c:\nnnhht.exec:\nnnhht.exe72⤵PID:2192
-
\??\c:\vjdpv.exec:\vjdpv.exe73⤵PID:3064
-
\??\c:\flrllfr.exec:\flrllfr.exe74⤵PID:1468
-
\??\c:\bhbtht.exec:\bhbtht.exe75⤵PID:3624
-
\??\c:\vvvjp.exec:\vvvjp.exe76⤵PID:4108
-
\??\c:\ppjvj.exec:\ppjvj.exe77⤵PID:2108
-
\??\c:\frlxfxl.exec:\frlxfxl.exe78⤵PID:924
-
\??\c:\7nhtnb.exec:\7nhtnb.exe79⤵PID:4908
-
\??\c:\thbntn.exec:\thbntn.exe80⤵PID:4880
-
\??\c:\jddpd.exec:\jddpd.exe81⤵
- System Location Discovery: System Language Discovery
PID:2716 -
\??\c:\xfflrlx.exec:\xfflrlx.exe82⤵PID:1624
-
\??\c:\nnthth.exec:\nnthth.exe83⤵PID:4340
-
\??\c:\hnnbnb.exec:\hnnbnb.exe84⤵PID:2760
-
\??\c:\vpvdd.exec:\vpvdd.exe85⤵PID:4060
-
\??\c:\dpjpd.exec:\dpjpd.exe86⤵PID:2168
-
\??\c:\flrxxll.exec:\flrxxll.exe87⤵PID:3272
-
\??\c:\hnnbth.exec:\hnnbth.exe88⤵PID:3796
-
\??\c:\5pdpv.exec:\5pdpv.exe89⤵PID:2400
-
\??\c:\vddpj.exec:\vddpj.exe90⤵PID:3848
-
\??\c:\xlllrfr.exec:\xlllrfr.exe91⤵PID:3184
-
\??\c:\tbbhth.exec:\tbbhth.exe92⤵PID:916
-
\??\c:\dppdp.exec:\dppdp.exe93⤵PID:4484
-
\??\c:\vvvpd.exec:\vvvpd.exe94⤵PID:5020
-
\??\c:\xffffxl.exec:\xffffxl.exe95⤵PID:4356
-
\??\c:\bbnthb.exec:\bbnthb.exe96⤵PID:4440
-
\??\c:\pvvjp.exec:\pvvjp.exe97⤵PID:316
-
\??\c:\1xlxrlx.exec:\1xlxrlx.exe98⤵PID:976
-
\??\c:\3ttbnb.exec:\3ttbnb.exe99⤵PID:1488
-
\??\c:\vvdjv.exec:\vvdjv.exe100⤵PID:2332
-
\??\c:\7vjjp.exec:\7vjjp.exe101⤵PID:2480
-
\??\c:\5llxlrf.exec:\5llxlrf.exe102⤵PID:1892
-
\??\c:\hhbthb.exec:\hhbthb.exe103⤵PID:1584
-
\??\c:\5pjvj.exec:\5pjvj.exe104⤵PID:1312
-
\??\c:\3pdjp.exec:\3pdjp.exe105⤵PID:3152
-
\??\c:\5frfxrl.exec:\5frfxrl.exe106⤵PID:3992
-
\??\c:\nhnbnh.exec:\nhnbnh.exe107⤵PID:1336
-
\??\c:\9jpdp.exec:\9jpdp.exe108⤵PID:4912
-
\??\c:\lllxlxr.exec:\lllxlxr.exe109⤵PID:4800
-
\??\c:\lffrfxl.exec:\lffrfxl.exe110⤵PID:4396
-
\??\c:\nbbhhh.exec:\nbbhhh.exe111⤵PID:2128
-
\??\c:\1jvpd.exec:\1jvpd.exe112⤵PID:4148
-
\??\c:\ffxfxlx.exec:\ffxfxlx.exe113⤵PID:3564
-
\??\c:\lrxlfxl.exec:\lrxlfxl.exe114⤵PID:2660
-
\??\c:\bbhbtn.exec:\bbhbtn.exe115⤵PID:4116
-
\??\c:\pjvvp.exec:\pjvvp.exe116⤵PID:1180
-
\??\c:\lrrffxl.exec:\lrrffxl.exe117⤵PID:376
-
\??\c:\nhhtth.exec:\nhhtth.exe118⤵PID:2916
-
\??\c:\btbnbt.exec:\btbnbt.exe119⤵PID:3376
-
\??\c:\1jjvj.exec:\1jjvj.exe120⤵PID:4500
-
\??\c:\lllxlfr.exec:\lllxlfr.exe121⤵PID:2308
-
\??\c:\3bbtht.exec:\3bbtht.exe122⤵PID:4248