Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 19:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe
-
Size
456KB
-
MD5
bea6539d0a0597d9ed4a36085739c712
-
SHA1
c96dff2b19a4b7dac61df753bb3b8ec51046b600
-
SHA256
fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de
-
SHA512
f33fbf85be614a0f04993d0c40ada3977e47d518e043918fe9278d5bb4ab955303b30cea934a8521f7426903c4c9a1014b041cf9b64a146bb8f5faf43031381b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2:q7Tc2NYHUrAwfMp3CDR2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3420-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3924-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4036-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-1175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-1233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3076 bnthhb.exe 752 vjdvv.exe 1004 frxrlfx.exe 4876 xlrlllf.exe 4864 nhhnhb.exe 1296 vppvj.exe 5100 vppjd.exe 644 7rlfxxr.exe 4028 tntnbt.exe 4648 tnttbt.exe 2192 lrlfxrf.exe 3240 tbhtnh.exe 2760 vpvdj.exe 3284 jdjdd.exe 1924 htnntb.exe 1332 vppjv.exe 3992 jpvjd.exe 4308 fxxxlfx.exe 3752 nbbtnb.exe 2320 hnttnn.exe 2524 dppjp.exe 5068 3rxlxlf.exe 4964 1rrlxrl.exe 212 thttnh.exe 388 pjvpj.exe 2100 7rflxlx.exe 1860 pdvpj.exe 4036 jvvpd.exe 4216 lrrrrlf.exe 4112 hnhtnn.exe 4120 djjjd.exe 2136 lxxrllf.exe 4720 hbhtnn.exe 1800 nbbnnh.exe 3012 jjjdp.exe 4056 rrfxrfx.exe 3648 thhbnt.exe 1224 pddvj.exe 3248 xrllfff.exe 3392 lrrlffx.exe 348 nbtttt.exe 2468 pjdvp.exe 4788 fxfxrxl.exe 4324 7fxrffx.exe 4104 tnttnn.exe 4356 vjdvj.exe 4856 pvdvp.exe 3420 lxxlxrl.exe 1180 7bbbtb.exe 1052 thnhbb.exe 32 jdvpp.exe 2128 vjvpp.exe 1908 rllxrrf.exe 4212 nttnbt.exe 3540 jjpvd.exe 1036 lxlxrlf.exe 412 lxxlxfr.exe 4032 7tnhtt.exe 3096 jjdpd.exe 2856 xrrfxxl.exe 3196 rfxlfrf.exe 3424 hbthtb.exe 812 nhnntn.exe 2192 vjpjd.exe -
resource yara_rule behavioral2/memory/3420-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-571-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4340-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-126-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2320-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-813-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-958-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-1175-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that this registry key is also read during ordinary locale/runtime initialization, so on its own this is a weak indicator; weigh it together with the Blackmoon and UPX memory matches reported above rather than treating it as independent evidence.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3420 wrote to memory of 3076 3420 fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe 82 PID 3420 wrote to memory of 3076 3420 fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe 82 PID 3420 wrote to memory of 3076 3420 fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe 82 PID 3076 wrote to memory of 752 3076 bnthhb.exe 83 PID 3076 wrote to memory of 752 3076 bnthhb.exe 83 PID 3076 wrote to memory of 752 3076 bnthhb.exe 83 PID 752 wrote to memory of 1004 752 vjdvv.exe 84 PID 752 wrote to memory of 1004 752 vjdvv.exe 84 PID 752 wrote to memory of 1004 752 vjdvv.exe 84 PID 1004 wrote to memory of 4876 1004 frxrlfx.exe 85 PID 1004 wrote to memory of 4876 1004 frxrlfx.exe 85 PID 1004 wrote to memory of 4876 1004 frxrlfx.exe 85 PID 4876 wrote to memory of 4864 4876 xlrlllf.exe 86 PID 4876 wrote to memory of 4864 4876 xlrlllf.exe 86 PID 4876 wrote to memory of 4864 4876 xlrlllf.exe 86 PID 4864 wrote to memory of 1296 4864 nhhnhb.exe 87 PID 4864 wrote to memory of 1296 4864 nhhnhb.exe 87 PID 4864 wrote to memory of 1296 4864 nhhnhb.exe 87 PID 1296 wrote to memory of 5100 1296 vppvj.exe 88 PID 1296 wrote to memory of 5100 1296 vppvj.exe 88 PID 1296 wrote to memory of 5100 1296 vppvj.exe 88 PID 5100 wrote to memory of 644 5100 vppjd.exe 89 PID 5100 wrote to memory of 644 5100 vppjd.exe 89 PID 5100 wrote to memory of 644 5100 vppjd.exe 89 PID 644 wrote to memory of 4028 644 7rlfxxr.exe 90 PID 644 wrote to memory of 4028 644 7rlfxxr.exe 90 PID 644 wrote to memory of 4028 644 7rlfxxr.exe 90 PID 4028 wrote to memory of 4648 4028 tntnbt.exe 91 PID 4028 wrote to memory of 4648 4028 tntnbt.exe 91 PID 4028 wrote to memory of 4648 4028 tntnbt.exe 91 PID 4648 wrote to memory of 2192 4648 tnttbt.exe 92 PID 4648 wrote to memory of 2192 4648 tnttbt.exe 92 PID 4648 wrote to memory of 2192 4648 tnttbt.exe 92 PID 2192 wrote to memory of 3240 2192 lrlfxrf.exe 93 PID 2192 wrote to memory of 3240 
2192 lrlfxrf.exe 93 PID 2192 wrote to memory of 3240 2192 lrlfxrf.exe 93 PID 3240 wrote to memory of 2760 3240 tbhtnh.exe 94 PID 3240 wrote to memory of 2760 3240 tbhtnh.exe 94 PID 3240 wrote to memory of 2760 3240 tbhtnh.exe 94 PID 2760 wrote to memory of 3284 2760 vpvdj.exe 95 PID 2760 wrote to memory of 3284 2760 vpvdj.exe 95 PID 2760 wrote to memory of 3284 2760 vpvdj.exe 95 PID 3284 wrote to memory of 1924 3284 jdjdd.exe 96 PID 3284 wrote to memory of 1924 3284 jdjdd.exe 96 PID 3284 wrote to memory of 1924 3284 jdjdd.exe 96 PID 1924 wrote to memory of 1332 1924 htnntb.exe 97 PID 1924 wrote to memory of 1332 1924 htnntb.exe 97 PID 1924 wrote to memory of 1332 1924 htnntb.exe 97 PID 1332 wrote to memory of 3992 1332 vppjv.exe 98 PID 1332 wrote to memory of 3992 1332 vppjv.exe 98 PID 1332 wrote to memory of 3992 1332 vppjv.exe 98 PID 3992 wrote to memory of 4308 3992 jpvjd.exe 99 PID 3992 wrote to memory of 4308 3992 jpvjd.exe 99 PID 3992 wrote to memory of 4308 3992 jpvjd.exe 99 PID 4308 wrote to memory of 3752 4308 fxxxlfx.exe 100 PID 4308 wrote to memory of 3752 4308 fxxxlfx.exe 100 PID 4308 wrote to memory of 3752 4308 fxxxlfx.exe 100 PID 3752 wrote to memory of 2320 3752 nbbtnb.exe 101 PID 3752 wrote to memory of 2320 3752 nbbtnb.exe 101 PID 3752 wrote to memory of 2320 3752 nbbtnb.exe 101 PID 2320 wrote to memory of 2524 2320 hnttnn.exe 102 PID 2320 wrote to memory of 2524 2320 hnttnn.exe 102 PID 2320 wrote to memory of 2524 2320 hnttnn.exe 102 PID 2524 wrote to memory of 5068 2524 dppjp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe"C:\Users\Admin\AppData\Local\Temp\fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\bnthhb.exec:\bnthhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\vjdvv.exec:\vjdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\frxrlfx.exec:\frxrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\xlrlllf.exec:\xlrlllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\nhhnhb.exec:\nhhnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\vppvj.exec:\vppvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\vppjd.exec:\vppjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\7rlfxxr.exec:\7rlfxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\tntnbt.exec:\tntnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\tnttbt.exec:\tnttbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\lrlfxrf.exec:\lrlfxrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\tbhtnh.exec:\tbhtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\vpvdj.exec:\vpvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\jdjdd.exec:\jdjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\htnntb.exec:\htnntb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\vppjv.exec:\vppjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\jpvjd.exec:\jpvjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\fxxxlfx.exec:\fxxxlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\nbbtnb.exec:\nbbtnb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\hnttnn.exec:\hnttnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\dppjp.exec:\dppjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\3rxlxlf.exec:\3rxlxlf.exe23⤵
- Executes dropped EXE
PID:5068 -
\??\c:\1rrlxrl.exec:\1rrlxrl.exe24⤵
- Executes dropped EXE
PID:4964 -
\??\c:\thttnh.exec:\thttnh.exe25⤵
- Executes dropped EXE
PID:212 -
\??\c:\pjvpj.exec:\pjvpj.exe26⤵
- Executes dropped EXE
PID:388 -
\??\c:\7rflxlx.exec:\7rflxlx.exe27⤵
- Executes dropped EXE
PID:2100 -
\??\c:\pdvpj.exec:\pdvpj.exe28⤵
- Executes dropped EXE
PID:1860 -
\??\c:\jvvpd.exec:\jvvpd.exe29⤵
- Executes dropped EXE
PID:4036 -
\??\c:\lrrrrlf.exec:\lrrrrlf.exe30⤵
- Executes dropped EXE
PID:4216 -
\??\c:\hnhtnn.exec:\hnhtnn.exe31⤵
- Executes dropped EXE
PID:4112 -
\??\c:\djjjd.exec:\djjjd.exe32⤵
- Executes dropped EXE
PID:4120 -
\??\c:\lxxrllf.exec:\lxxrllf.exe33⤵
- Executes dropped EXE
PID:2136 -
\??\c:\hbhtnn.exec:\hbhtnn.exe34⤵
- Executes dropped EXE
PID:4720 -
\??\c:\nbbnnh.exec:\nbbnnh.exe35⤵
- Executes dropped EXE
PID:1800 -
\??\c:\jjjdp.exec:\jjjdp.exe36⤵
- Executes dropped EXE
PID:3012 -
\??\c:\rrfxrfx.exec:\rrfxrfx.exe37⤵
- Executes dropped EXE
PID:4056 -
\??\c:\thhbnt.exec:\thhbnt.exe38⤵
- Executes dropped EXE
PID:3648 -
\??\c:\pddvj.exec:\pddvj.exe39⤵
- Executes dropped EXE
PID:1224 -
\??\c:\xrllfff.exec:\xrllfff.exe40⤵
- Executes dropped EXE
PID:3248 -
\??\c:\lrrlffx.exec:\lrrlffx.exe41⤵
- Executes dropped EXE
PID:3392 -
\??\c:\nbtttt.exec:\nbtttt.exe42⤵
- Executes dropped EXE
PID:348 -
\??\c:\pjdvp.exec:\pjdvp.exe43⤵
- Executes dropped EXE
PID:2468 -
\??\c:\fxfxrxl.exec:\fxfxrxl.exe44⤵
- Executes dropped EXE
PID:4788 -
\??\c:\7fxrffx.exec:\7fxrffx.exe45⤵
- Executes dropped EXE
PID:4324 -
\??\c:\tnttnn.exec:\tnttnn.exe46⤵
- Executes dropped EXE
PID:4104 -
\??\c:\vjdvj.exec:\vjdvj.exe47⤵
- Executes dropped EXE
PID:4356 -
\??\c:\pvdvp.exec:\pvdvp.exe48⤵
- Executes dropped EXE
PID:4856 -
\??\c:\lxxlxrl.exec:\lxxlxrl.exe49⤵
- Executes dropped EXE
PID:3420 -
\??\c:\7bbbtb.exec:\7bbbtb.exe50⤵
- Executes dropped EXE
PID:1180 -
\??\c:\thnhbb.exec:\thnhbb.exe51⤵
- Executes dropped EXE
PID:1052 -
\??\c:\jdvpp.exec:\jdvpp.exe52⤵
- Executes dropped EXE
PID:32 -
\??\c:\vjvpp.exec:\vjvpp.exe53⤵
- Executes dropped EXE
PID:2128 -
\??\c:\rllxrrf.exec:\rllxrrf.exe54⤵
- Executes dropped EXE
PID:1908 -
\??\c:\nttnbt.exec:\nttnbt.exe55⤵
- Executes dropped EXE
PID:4212 -
\??\c:\jjpvd.exec:\jjpvd.exe56⤵
- Executes dropped EXE
PID:3540 -
\??\c:\lxlxrlf.exec:\lxlxrlf.exe57⤵
- Executes dropped EXE
PID:1036 -
\??\c:\lxxlxfr.exec:\lxxlxfr.exe58⤵
- Executes dropped EXE
PID:412 -
\??\c:\7tnhtt.exec:\7tnhtt.exe59⤵
- Executes dropped EXE
PID:4032 -
\??\c:\jjdpd.exec:\jjdpd.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3096 -
\??\c:\xrrfxxl.exec:\xrrfxxl.exe61⤵
- Executes dropped EXE
PID:2856 -
\??\c:\rfxlfrf.exec:\rfxlfrf.exe62⤵
- Executes dropped EXE
PID:3196 -
\??\c:\hbthtb.exec:\hbthtb.exe63⤵
- Executes dropped EXE
PID:3424 -
\??\c:\nhnntn.exec:\nhnntn.exe64⤵
- Executes dropped EXE
PID:812 -
\??\c:\vjpjd.exec:\vjpjd.exe65⤵
- Executes dropped EXE
PID:2192 -
\??\c:\fxxlxxf.exec:\fxxlxxf.exe66⤵PID:4072
-
\??\c:\9lllfff.exec:\9lllfff.exe67⤵PID:2188
-
\??\c:\5vpjv.exec:\5vpjv.exe68⤵PID:244
-
\??\c:\vdjpj.exec:\vdjpj.exe69⤵PID:2456
-
\??\c:\rffxxff.exec:\rffxxff.exe70⤵PID:4880
-
\??\c:\bbhbhh.exec:\bbhbhh.exe71⤵PID:316
-
\??\c:\7nnhbt.exec:\7nnhbt.exe72⤵PID:1244
-
\??\c:\9vddd.exec:\9vddd.exe73⤵PID:3060
-
\??\c:\xxxrlxr.exec:\xxxrlxr.exe74⤵PID:2380
-
\??\c:\rfxlfll.exec:\rfxlfll.exe75⤵PID:1964
-
\??\c:\nnthbt.exec:\nnthbt.exe76⤵PID:4492
-
\??\c:\jjjdd.exec:\jjjdd.exe77⤵PID:1712
-
\??\c:\jdjjd.exec:\jdjjd.exe78⤵PID:3588
-
\??\c:\fxxrxrx.exec:\fxxrxrx.exe79⤵PID:3500
-
\??\c:\hbhnnn.exec:\hbhnnn.exe80⤵PID:4740
-
\??\c:\hhttht.exec:\hhttht.exe81⤵PID:2344
-
\??\c:\7jjjd.exec:\7jjjd.exe82⤵PID:3896
-
\??\c:\vvjdv.exec:\vvjdv.exe83⤵PID:4652
-
\??\c:\rrxrllf.exec:\rrxrllf.exe84⤵PID:4756
-
\??\c:\hhtbbh.exec:\hhtbbh.exe85⤵PID:932
-
\??\c:\hbtnhb.exec:\hbtnhb.exe86⤵PID:1660
-
\??\c:\ddvpp.exec:\ddvpp.exe87⤵PID:4252
-
\??\c:\dpvjd.exec:\dpvjd.exe88⤵PID:4216
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe89⤵PID:3244
-
\??\c:\bnbtnn.exec:\bnbtnn.exe90⤵PID:3148
-
\??\c:\tnnbtt.exec:\tnnbtt.exe91⤵PID:3888
-
\??\c:\dvvvj.exec:\dvvvj.exe92⤵PID:2808
-
\??\c:\dvvvj.exec:\dvvvj.exe93⤵PID:4720
-
\??\c:\fffxrrl.exec:\fffxrrl.exe94⤵PID:3064
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe95⤵PID:5044
-
\??\c:\nbnnth.exec:\nbnnth.exe96⤵PID:3288
-
\??\c:\jjpdd.exec:\jjpdd.exe97⤵PID:3444
-
\??\c:\5vvpd.exec:\5vvpd.exe98⤵PID:2704
-
\??\c:\7fxrlfx.exec:\7fxrlfx.exe99⤵PID:2092
-
\??\c:\3rrlffx.exec:\3rrlffx.exe100⤵PID:2016
-
\??\c:\tbbtnn.exec:\tbbtnn.exe101⤵PID:2736
-
\??\c:\dvvjp.exec:\dvvjp.exe102⤵PID:3392
-
\??\c:\9pvjj.exec:\9pvjj.exe103⤵PID:348
-
\??\c:\xxlxrlf.exec:\xxlxrlf.exe104⤵PID:3924
-
\??\c:\3xxrllx.exec:\3xxrllx.exe105⤵PID:764
-
\??\c:\tnhtnh.exec:\tnhtnh.exe106⤵PID:3508
-
\??\c:\djpjd.exec:\djpjd.exe107⤵PID:940
-
\??\c:\jddvj.exec:\jddvj.exe108⤵PID:3480
-
\??\c:\rllrlfx.exec:\rllrlfx.exe109⤵PID:1556
-
\??\c:\xflxrfx.exec:\xflxrfx.exe110⤵PID:1676
-
\??\c:\btbtnn.exec:\btbtnn.exe111⤵PID:3996
-
\??\c:\dppjd.exec:\dppjd.exe112⤵PID:4416
-
\??\c:\flrlxxr.exec:\flrlxxr.exe113⤵PID:3948
-
\??\c:\rfffxxx.exec:\rfffxxx.exe114⤵PID:2868
-
\??\c:\tnnhhb.exec:\tnnhhb.exe115⤵PID:2324
-
\??\c:\jppjv.exec:\jppjv.exe116⤵PID:1004
-
\??\c:\dvvdd.exec:\dvvdd.exe117⤵PID:4780
-
\??\c:\fxlxxrx.exec:\fxlxxrx.exe118⤵PID:392
-
\??\c:\pddvp.exec:\pddvp.exe119⤵PID:1708
-
\??\c:\vjpdj.exec:\vjpdj.exe120⤵PID:1468
-
\??\c:\rflfrrl.exec:\rflfrrl.exe121⤵PID:4132
-
\??\c:\tbnbnn.exec:\tbnbnn.exe122⤵PID:4084