Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
57929f594d0f8f3ba4ae818e0d80c5f8b031178e6b85f5b82e723615e2d8459a.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
57929f594d0f8f3ba4ae818e0d80c5f8b031178e6b85f5b82e723615e2d8459a.exe
-
Size
453KB
-
MD5
8ed18ab56af2ed7a15f895f87fd9ba8f
-
SHA1
6d028d5984cc852029e3c0c2877ba7d50328b020
-
SHA256
57929f594d0f8f3ba4ae818e0d80c5f8b031178e6b85f5b82e723615e2d8459a
-
SHA512
f8b5b14f023948fd50a6c317a535bae1c0534f162a8ddb1479ea1bbdb8491121411c6a7575a397cd03f8a604dc501602bbf3e59281bd972bd77e83ad191b9c49
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3692-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4660-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3924-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-899-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-1115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 740 xrrlfxr.exe 3060 vpddd.exe 2368 lfffrrr.exe 1804 nhtttt.exe 4164 bhtnhh.exe 3080 vjddd.exe 1656 lfxxrff.exe 4812 btbbtb.exe 2304 nntnnt.exe 1284 lrfxrrl.exe 2320 5lffxxx.exe 4932 hbttbb.exe 2588 dddvp.exe 3392 llxxffr.exe 4432 hbtttt.exe 3604 hbhhbn.exe 3340 jvjvv.exe 4136 bttnbb.exe 2692 ddjdp.exe 3992 djdvd.exe 2192 hnttbb.exe 4736 xllfxxr.exe 4868 vpdvj.exe 4964 vvvjd.exe 2252 ntbnbt.exe 60 9ddvp.exe 4660 jvdvv.exe 888 lxllxxx.exe 2580 rllxxrl.exe 4652 5pvjd.exe 1696 1bbbtt.exe 2428 rlxxffx.exe 1332 nnbbtt.exe 1876 dpvpj.exe 1784 rxfxrlf.exe 4840 fxlflfr.exe 3428 7ntnhh.exe 5076 7pjdp.exe 3128 rllfrrl.exe 4084 rlrllfx.exe 4076 3tnnnn.exe 3800 vdpdj.exe 636 9nnbnn.exe 4536 7nnbnn.exe 208 lfrxrfx.exe 4636 httthh.exe 2368 7htnbb.exe 1936 jvdjv.exe 4564 rllxlfx.exe 3536 hnthbt.exe 4864 nhnhtn.exe 2020 pjdvj.exe 2836 xrlfrlf.exe 2652 tthbtn.exe 4860 dvddd.exe 4604 lflllfl.exe 2920 rxlxrlf.exe 3252 hhnhtt.exe 4844 5vvpd.exe 4196 rfrllll.exe 1104 xrlfrrx.exe 2684 nnttnh.exe 3460 ddjjv.exe 3924 9lxxxxx.exe -
resource yara_rule behavioral2/memory/3692-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4964-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-312-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1616-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-798-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3692 wrote to memory of 740 3692 57929f594d0f8f3ba4ae818e0d80c5f8b031178e6b85f5b82e723615e2d8459a.exe 82 PID 3692 wrote to memory of 740 3692 57929f594d0f8f3ba4ae818e0d80c5f8b031178e6b85f5b82e723615e2d8459a.exe 82 PID 3692 wrote to memory of 740 3692 57929f594d0f8f3ba4ae818e0d80c5f8b031178e6b85f5b82e723615e2d8459a.exe 82 PID 740 wrote to memory of 3060 740 xrrlfxr.exe 83 PID 740 wrote to memory of 3060 740 xrrlfxr.exe 83 PID 740 wrote to memory of 3060 740 xrrlfxr.exe 83 PID 3060 wrote to memory of 2368 3060 vpddd.exe 84 PID 3060 wrote to memory of 2368 3060 vpddd.exe 84 PID 3060 wrote to memory of 2368 3060 vpddd.exe 84 PID 2368 wrote to memory of 1804 2368 lfffrrr.exe 85 PID 2368 wrote to memory of 1804 2368 lfffrrr.exe 85 PID 2368 wrote to memory of 1804 2368 lfffrrr.exe 85 PID 1804 wrote to memory of 4164 1804 nhtttt.exe 86 PID 1804 wrote to memory of 4164 1804 nhtttt.exe 86 PID 1804 wrote to memory of 4164 1804 nhtttt.exe 86 PID 4164 wrote to memory of 3080 4164 bhtnhh.exe 87 PID 4164 wrote to memory of 3080 4164 bhtnhh.exe 87 PID 4164 wrote to memory of 3080 4164 bhtnhh.exe 87 PID 3080 wrote to memory of 1656 3080 vjddd.exe 88 PID 3080 wrote to memory of 1656 3080 vjddd.exe 88 PID 3080 wrote to memory of 1656 3080 vjddd.exe 88 PID 1656 wrote to memory of 4812 1656 lfxxrff.exe 89 PID 1656 wrote to memory of 4812 1656 lfxxrff.exe 89 PID 1656 wrote to memory of 4812 1656 lfxxrff.exe 89 PID 4812 wrote to memory of 2304 4812 btbbtb.exe 90 PID 4812 wrote to memory of 2304 4812 btbbtb.exe 90 PID 4812 wrote to memory of 2304 4812 btbbtb.exe 90 PID 2304 wrote to memory of 1284 2304 nntnnt.exe 91 PID 2304 wrote to memory of 1284 2304 nntnnt.exe 91 PID 2304 wrote to memory of 1284 2304 nntnnt.exe 91 PID 1284 wrote to memory of 2320 1284 lrfxrrl.exe 92 PID 1284 wrote to memory of 2320 1284 lrfxrrl.exe 92 PID 1284 wrote to memory of 2320 1284 lrfxrrl.exe 92 PID 2320 wrote to memory of 4932 2320 5lffxxx.exe 93 PID 2320 wrote to 
memory of 4932 2320 5lffxxx.exe 93 PID 2320 wrote to memory of 4932 2320 5lffxxx.exe 93 PID 4932 wrote to memory of 2588 4932 hbttbb.exe 94 PID 4932 wrote to memory of 2588 4932 hbttbb.exe 94 PID 4932 wrote to memory of 2588 4932 hbttbb.exe 94 PID 2588 wrote to memory of 3392 2588 dddvp.exe 95 PID 2588 wrote to memory of 3392 2588 dddvp.exe 95 PID 2588 wrote to memory of 3392 2588 dddvp.exe 95 PID 3392 wrote to memory of 4432 3392 llxxffr.exe 96 PID 3392 wrote to memory of 4432 3392 llxxffr.exe 96 PID 3392 wrote to memory of 4432 3392 llxxffr.exe 96 PID 4432 wrote to memory of 3604 4432 hbtttt.exe 97 PID 4432 wrote to memory of 3604 4432 hbtttt.exe 97 PID 4432 wrote to memory of 3604 4432 hbtttt.exe 97 PID 3604 wrote to memory of 3340 3604 hbhhbn.exe 98 PID 3604 wrote to memory of 3340 3604 hbhhbn.exe 98 PID 3604 wrote to memory of 3340 3604 hbhhbn.exe 98 PID 3340 wrote to memory of 4136 3340 jvjvv.exe 99 PID 3340 wrote to memory of 4136 3340 jvjvv.exe 99 PID 3340 wrote to memory of 4136 3340 jvjvv.exe 99 PID 4136 wrote to memory of 2692 4136 bttnbb.exe 100 PID 4136 wrote to memory of 2692 4136 bttnbb.exe 100 PID 4136 wrote to memory of 2692 4136 bttnbb.exe 100 PID 2692 wrote to memory of 3992 2692 ddjdp.exe 101 PID 2692 wrote to memory of 3992 2692 ddjdp.exe 101 PID 2692 wrote to memory of 3992 2692 ddjdp.exe 101 PID 3992 wrote to memory of 2192 3992 djdvd.exe 102 PID 3992 wrote to memory of 2192 3992 djdvd.exe 102 PID 3992 wrote to memory of 2192 3992 djdvd.exe 102 PID 2192 wrote to memory of 4736 2192 hnttbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\57929f594d0f8f3ba4ae818e0d80c5f8b031178e6b85f5b82e723615e2d8459a.exe"C:\Users\Admin\AppData\Local\Temp\57929f594d0f8f3ba4ae818e0d80c5f8b031178e6b85f5b82e723615e2d8459a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\vpddd.exec:\vpddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\lfffrrr.exec:\lfffrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\nhtttt.exec:\nhtttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\bhtnhh.exec:\bhtnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\vjddd.exec:\vjddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\lfxxrff.exec:\lfxxrff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\btbbtb.exec:\btbbtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\nntnnt.exec:\nntnnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\lrfxrrl.exec:\lrfxrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\5lffxxx.exec:\5lffxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\hbttbb.exec:\hbttbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\dddvp.exec:\dddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\llxxffr.exec:\llxxffr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\hbtttt.exec:\hbtttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\hbhhbn.exec:\hbhhbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\jvjvv.exec:\jvjvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\bttnbb.exec:\bttnbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\ddjdp.exec:\ddjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\djdvd.exec:\djdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\hnttbb.exec:\hnttbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\xllfxxr.exec:\xllfxxr.exe23⤵
- Executes dropped EXE
PID:4736 -
\??\c:\vpdvj.exec:\vpdvj.exe24⤵
- Executes dropped EXE
PID:4868 -
\??\c:\vvvjd.exec:\vvvjd.exe25⤵
- Executes dropped EXE
PID:4964 -
\??\c:\ntbnbt.exec:\ntbnbt.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
\??\c:\9ddvp.exec:\9ddvp.exe27⤵
- Executes dropped EXE
PID:60 -
\??\c:\jvdvv.exec:\jvdvv.exe28⤵
- Executes dropped EXE
PID:4660 -
\??\c:\lxllxxx.exec:\lxllxxx.exe29⤵
- Executes dropped EXE
PID:888 -
\??\c:\rllxxrl.exec:\rllxxrl.exe30⤵
- Executes dropped EXE
PID:2580 -
\??\c:\5pvjd.exec:\5pvjd.exe31⤵
- Executes dropped EXE
PID:4652 -
\??\c:\1bbbtt.exec:\1bbbtt.exe32⤵
- Executes dropped EXE
PID:1696 -
\??\c:\rlxxffx.exec:\rlxxffx.exe33⤵
- Executes dropped EXE
PID:2428 -
\??\c:\nnbbtt.exec:\nnbbtt.exe34⤵
- Executes dropped EXE
PID:1332 -
\??\c:\dpvpj.exec:\dpvpj.exe35⤵
- Executes dropped EXE
PID:1876 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe36⤵
- Executes dropped EXE
PID:1784 -
\??\c:\fxlflfr.exec:\fxlflfr.exe37⤵
- Executes dropped EXE
PID:4840 -
\??\c:\7ntnhh.exec:\7ntnhh.exe38⤵
- Executes dropped EXE
PID:3428 -
\??\c:\7pjdp.exec:\7pjdp.exe39⤵
- Executes dropped EXE
PID:5076 -
\??\c:\rllfrrl.exec:\rllfrrl.exe40⤵
- Executes dropped EXE
PID:3128 -
\??\c:\rlrllfx.exec:\rlrllfx.exe41⤵
- Executes dropped EXE
PID:4084 -
\??\c:\3tnnnn.exec:\3tnnnn.exe42⤵
- Executes dropped EXE
PID:4076 -
\??\c:\vdpdj.exec:\vdpdj.exe43⤵
- Executes dropped EXE
PID:3800 -
\??\c:\9nnbnn.exec:\9nnbnn.exe44⤵
- Executes dropped EXE
PID:636 -
\??\c:\7nnbnn.exec:\7nnbnn.exe45⤵
- Executes dropped EXE
PID:4536 -
\??\c:\jdjdp.exec:\jdjdp.exe46⤵PID:3932
-
\??\c:\lfrxrfx.exec:\lfrxrfx.exe47⤵
- Executes dropped EXE
PID:208 -
\??\c:\httthh.exec:\httthh.exe48⤵
- Executes dropped EXE
PID:4636 -
\??\c:\7htnbb.exec:\7htnbb.exe49⤵
- Executes dropped EXE
PID:2368 -
\??\c:\jvdjv.exec:\jvdjv.exe50⤵
- Executes dropped EXE
PID:1936 -
\??\c:\rllxlfx.exec:\rllxlfx.exe51⤵
- Executes dropped EXE
PID:4564 -
\??\c:\hnthbt.exec:\hnthbt.exe52⤵
- Executes dropped EXE
PID:3536 -
\??\c:\nhnhtn.exec:\nhnhtn.exe53⤵
- Executes dropped EXE
PID:4864 -
\??\c:\pjdvj.exec:\pjdvj.exe54⤵
- Executes dropped EXE
PID:2020 -
\??\c:\xrlfrlf.exec:\xrlfrlf.exe55⤵
- Executes dropped EXE
PID:2836 -
\??\c:\tthbtn.exec:\tthbtn.exe56⤵
- Executes dropped EXE
PID:2652 -
\??\c:\dvddd.exec:\dvddd.exe57⤵
- Executes dropped EXE
PID:4860 -
\??\c:\lflllfl.exec:\lflllfl.exe58⤵
- Executes dropped EXE
PID:4604 -
\??\c:\rxlxrlf.exec:\rxlxrlf.exe59⤵
- Executes dropped EXE
PID:2920 -
\??\c:\hhnhtt.exec:\hhnhtt.exe60⤵
- Executes dropped EXE
PID:3252 -
\??\c:\5vvpd.exec:\5vvpd.exe61⤵
- Executes dropped EXE
PID:4844 -
\??\c:\rfrllll.exec:\rfrllll.exe62⤵
- Executes dropped EXE
PID:4196 -
\??\c:\xrlfrrx.exec:\xrlfrrx.exe63⤵
- Executes dropped EXE
PID:1104 -
\??\c:\nnttnh.exec:\nnttnh.exe64⤵
- Executes dropped EXE
PID:2684 -
\??\c:\ddjjv.exec:\ddjjv.exe65⤵
- Executes dropped EXE
PID:3460 -
\??\c:\9lxxxxx.exec:\9lxxxxx.exe66⤵
- Executes dropped EXE
PID:3924 -
\??\c:\lxfffll.exec:\lxfffll.exe67⤵PID:988
-
\??\c:\hhnnhh.exec:\hhnnhh.exe68⤵PID:1940
-
\??\c:\vdddv.exec:\vdddv.exe69⤵PID:4176
-
\??\c:\ffrrfxr.exec:\ffrrfxr.exe70⤵PID:1484
-
\??\c:\hbhbhh.exec:\hbhbhh.exe71⤵PID:5100
-
\??\c:\tnnnhb.exec:\tnnnhb.exe72⤵PID:1616
-
\??\c:\1pvvj.exec:\1pvvj.exe73⤵PID:1776
-
\??\c:\9rxrxxx.exec:\9rxrxxx.exe74⤵PID:3432
-
\??\c:\bttnnn.exec:\bttnnn.exe75⤵PID:2164
-
\??\c:\3pvpv.exec:\3pvpv.exe76⤵PID:4896
-
\??\c:\xfrlxfx.exec:\xfrlxfx.exe77⤵PID:3792
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe78⤵PID:3156
-
\??\c:\hbhhhh.exec:\hbhhhh.exe79⤵PID:2104
-
\??\c:\1dpjj.exec:\1dpjj.exe80⤵PID:704
-
\??\c:\rffxllf.exec:\rffxllf.exe81⤵PID:4364
-
\??\c:\3ttttb.exec:\3ttttb.exe82⤵PID:2704
-
\??\c:\pjjdv.exec:\pjjdv.exe83⤵PID:1364
-
\??\c:\ffrlrrr.exec:\ffrlrrr.exe84⤵PID:60
-
\??\c:\lxxxrll.exec:\lxxxrll.exe85⤵PID:4660
-
\??\c:\tntnhh.exec:\tntnhh.exe86⤵PID:4972
-
\??\c:\jjjjd.exec:\jjjjd.exe87⤵PID:5060
-
\??\c:\xrxflxr.exec:\xrxflxr.exe88⤵PID:1872
-
\??\c:\hbhhbt.exec:\hbhhbt.exe89⤵PID:760
-
\??\c:\vpvpd.exec:\vpvpd.exe90⤵PID:3196
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe91⤵
- System Location Discovery: System Language Discovery
PID:3380 -
\??\c:\btbhht.exec:\btbhht.exe92⤵PID:2224
-
\??\c:\nhtntt.exec:\nhtntt.exe93⤵PID:1964
-
\??\c:\pvpdp.exec:\pvpdp.exe94⤵PID:2680
-
\??\c:\1flrrxr.exec:\1flrrxr.exe95⤵
- System Location Discovery: System Language Discovery
PID:1784 -
\??\c:\hhnbtn.exec:\hhnbtn.exe96⤵PID:1780
-
\??\c:\ppvjv.exec:\ppvjv.exe97⤵PID:2860
-
\??\c:\rrxxrxx.exec:\rrxxrxx.exe98⤵PID:4640
-
\??\c:\hhtttt.exec:\hhtttt.exe99⤵PID:2564
-
\??\c:\thnbtn.exec:\thnbtn.exe100⤵PID:2332
-
\??\c:\lfxrxxl.exec:\lfxrxxl.exe101⤵PID:3916
-
\??\c:\rllxrrx.exec:\rllxrrx.exe102⤵PID:2348
-
\??\c:\nbnhhh.exec:\nbnhhh.exe103⤵PID:4284
-
\??\c:\vjjpd.exec:\vjjpd.exe104⤵PID:3692
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe105⤵PID:3932
-
\??\c:\ntbtbb.exec:\ntbtbb.exe106⤵PID:208
-
\??\c:\pdpjp.exec:\pdpjp.exe107⤵PID:4656
-
\??\c:\dvjdd.exec:\dvjdd.exe108⤵
- System Location Discovery: System Language Discovery
PID:1476 -
\??\c:\ffffxfx.exec:\ffffxfx.exe109⤵PID:756
-
\??\c:\tbtttb.exec:\tbtttb.exe110⤵PID:2872
-
\??\c:\jjjdv.exec:\jjjdv.exe111⤵PID:4832
-
\??\c:\rxlfrrr.exec:\rxlfrrr.exe112⤵PID:4800
-
\??\c:\frxrlll.exec:\frxrlll.exe113⤵PID:3560
-
\??\c:\bnttnh.exec:\bnttnh.exe114⤵PID:2944
-
\??\c:\vvddd.exec:\vvddd.exe115⤵PID:5040
-
\??\c:\lfxfxfx.exec:\lfxfxfx.exe116⤵PID:3876
-
\??\c:\fxlfffl.exec:\fxlfffl.exe117⤵PID:396
-
\??\c:\hhbtnh.exec:\hhbtnh.exe118⤵PID:1500
-
\??\c:\pjvvp.exec:\pjvvp.exe119⤵PID:3576
-
\??\c:\1djdv.exec:\1djdv.exe120⤵PID:3372
-
\??\c:\thbbnh.exec:\thbbnh.exe121⤵PID:2932
-
\??\c:\bbnhbt.exec:\bbnhbt.exe122⤵PID:2296