Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5466800ebaa2eca1d67bb17c6dba2f17afef84ea64b81134a6450b6e2b4ad244.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5466800ebaa2eca1d67bb17c6dba2f17afef84ea64b81134a6450b6e2b4ad244.exe
-
Size
453KB
-
MD5
4fdd10b459c02e3e888e9a53edb64d72
-
SHA1
691f618d57a8f9e4b037d95b6e902ae19b1a46c1
-
SHA256
5466800ebaa2eca1d67bb17c6dba2f17afef84ea64b81134a6450b6e2b4ad244
-
SHA512
86f3d01e99750799753c8240fb9f635f70447d13609766eaedb192cc203dcd730517d7beef2b6d849d3d4e8e88a54e7e2a9b8bbceb86d67ac6dbfa9e79073825
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet1:q7Tc2NYHUrAwfMp3CDt1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/404-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3156-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/260-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3796-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-969-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-1190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4828-1761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3044 frrlfxr.exe 3972 btnhbb.exe 5116 xlxrrlf.exe 3632 xxfxffl.exe 3552 tnbtnn.exe 3584 nhhtnh.exe 4560 djpdv.exe 2960 frrrxxr.exe 2228 7xlllrr.exe 64 pppjj.exe 1800 tnhhhh.exe 3412 dpdvp.exe 1768 rlxlrxx.exe 2976 tthttt.exe 4960 tbbttt.exe 4456 tntnnn.exe 5068 dpdvj.exe 3604 nttnnt.exe 2108 fxrxflr.exe 3608 pvjjd.exe 4736 5ffrlrl.exe 4356 1hhbbb.exe 4844 vppjd.exe 2136 hbhbbt.exe 4724 dvvvv.exe 3156 5xxxxxx.exe 2724 3bbbtt.exe 2764 vvdvv.exe 1672 xlxrxfx.exe 3540 nnbttt.exe 8 vpvvp.exe 5028 1xllrxf.exe 2388 hhnhtt.exe 756 rlxxlrr.exe 1584 flrrlrr.exe 544 nnbbbb.exe 1888 ppddv.exe 3128 ttnhbh.exe 260 dddvp.exe 4944 rxrrlll.exe 3944 bttnbb.exe 4540 9jjjd.exe 5020 fxrlxxr.exe 4840 btttnh.exe 4156 jjvdj.exe 3464 vvddv.exe 60 3xlfxrl.exe 2984 tthbhh.exe 1392 jpdvj.exe 4396 dvjjj.exe 4392 xxffxff.exe 2716 5btthn.exe 1048 jvvjv.exe 3524 xllfxrl.exe 5080 fxfffff.exe 1132 nbbnhh.exe 2560 jddvp.exe 3704 rxlfxfl.exe 4640 fxrlxxx.exe 3620 nbnnhh.exe 2652 3vdvj.exe 2856 rlxxrxx.exe 3244 3xxxrxr.exe 3712 5hnhhh.exe -
resource yara_rule behavioral2/memory/404-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/8-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/260-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-436-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2284-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-722-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrlrr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrlf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 404 wrote to memory of 3044 404 5466800ebaa2eca1d67bb17c6dba2f17afef84ea64b81134a6450b6e2b4ad244.exe 82 PID 404 wrote to memory of 3044 404 5466800ebaa2eca1d67bb17c6dba2f17afef84ea64b81134a6450b6e2b4ad244.exe 82 PID 404 wrote to memory of 3044 404 5466800ebaa2eca1d67bb17c6dba2f17afef84ea64b81134a6450b6e2b4ad244.exe 82 PID 3044 wrote to memory of 3972 3044 frrlfxr.exe 83 PID 3044 wrote to memory of 3972 3044 frrlfxr.exe 83 PID 3044 wrote to memory of 3972 3044 frrlfxr.exe 83 PID 3972 wrote to memory of 5116 3972 btnhbb.exe 84 PID 3972 wrote to memory of 5116 3972 btnhbb.exe 84 PID 3972 wrote to memory of 5116 3972 btnhbb.exe 84 PID 5116 wrote to memory of 3632 5116 xlxrrlf.exe 85 PID 5116 wrote to memory of 3632 5116 xlxrrlf.exe 85 PID 5116 wrote to memory of 3632 5116 xlxrrlf.exe 85 PID 3632 wrote to memory of 3552 3632 xxfxffl.exe 86 PID 3632 wrote to memory of 3552 3632 xxfxffl.exe 86 PID 3632 wrote to memory of 3552 3632 xxfxffl.exe 86 PID 3552 wrote to memory of 3584 3552 tnbtnn.exe 87 PID 3552 wrote to memory of 3584 3552 tnbtnn.exe 87 PID 3552 wrote to memory of 3584 3552 tnbtnn.exe 87 PID 3584 wrote to memory of 4560 3584 nhhtnh.exe 88 PID 3584 wrote to memory of 4560 3584 nhhtnh.exe 88 PID 3584 wrote to memory of 4560 3584 nhhtnh.exe 88 PID 4560 wrote to memory of 2960 4560 djpdv.exe 89 PID 4560 wrote to memory of 2960 4560 djpdv.exe 89 PID 4560 wrote to memory of 2960 4560 djpdv.exe 89 PID 2960 wrote to memory of 2228 2960 frrrxxr.exe 90 PID 2960 wrote to memory of 2228 2960 frrrxxr.exe 90 PID 2960 wrote to memory of 2228 2960 frrrxxr.exe 90 PID 2228 wrote to memory of 64 2228 7xlllrr.exe 91 PID 2228 wrote to memory of 64 2228 7xlllrr.exe 91 PID 2228 wrote to memory of 64 2228 7xlllrr.exe 91 PID 64 wrote to memory of 1800 64 pppjj.exe 92 PID 64 wrote to memory of 1800 64 pppjj.exe 92 PID 64 wrote to memory of 1800 64 pppjj.exe 92 PID 1800 wrote to memory of 3412 1800 tnhhhh.exe 93 PID 1800 wrote to memory of 3412 
1800 tnhhhh.exe 93 PID 1800 wrote to memory of 3412 1800 tnhhhh.exe 93 PID 3412 wrote to memory of 1768 3412 dpdvp.exe 94 PID 3412 wrote to memory of 1768 3412 dpdvp.exe 94 PID 3412 wrote to memory of 1768 3412 dpdvp.exe 94 PID 1768 wrote to memory of 2976 1768 rlxlrxx.exe 95 PID 1768 wrote to memory of 2976 1768 rlxlrxx.exe 95 PID 1768 wrote to memory of 2976 1768 rlxlrxx.exe 95 PID 2976 wrote to memory of 4960 2976 tthttt.exe 96 PID 2976 wrote to memory of 4960 2976 tthttt.exe 96 PID 2976 wrote to memory of 4960 2976 tthttt.exe 96 PID 4960 wrote to memory of 4456 4960 tbbttt.exe 97 PID 4960 wrote to memory of 4456 4960 tbbttt.exe 97 PID 4960 wrote to memory of 4456 4960 tbbttt.exe 97 PID 4456 wrote to memory of 5068 4456 tntnnn.exe 98 PID 4456 wrote to memory of 5068 4456 tntnnn.exe 98 PID 4456 wrote to memory of 5068 4456 tntnnn.exe 98 PID 5068 wrote to memory of 3604 5068 dpdvj.exe 99 PID 5068 wrote to memory of 3604 5068 dpdvj.exe 99 PID 5068 wrote to memory of 3604 5068 dpdvj.exe 99 PID 3604 wrote to memory of 2108 3604 nttnnt.exe 100 PID 3604 wrote to memory of 2108 3604 nttnnt.exe 100 PID 3604 wrote to memory of 2108 3604 nttnnt.exe 100 PID 2108 wrote to memory of 3608 2108 fxrxflr.exe 101 PID 2108 wrote to memory of 3608 2108 fxrxflr.exe 101 PID 2108 wrote to memory of 3608 2108 fxrxflr.exe 101 PID 3608 wrote to memory of 4736 3608 pvjjd.exe 102 PID 3608 wrote to memory of 4736 3608 pvjjd.exe 102 PID 3608 wrote to memory of 4736 3608 pvjjd.exe 102 PID 4736 wrote to memory of 4356 4736 5ffrlrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5466800ebaa2eca1d67bb17c6dba2f17afef84ea64b81134a6450b6e2b4ad244.exe"C:\Users\Admin\AppData\Local\Temp\5466800ebaa2eca1d67bb17c6dba2f17afef84ea64b81134a6450b6e2b4ad244.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\frrlfxr.exec:\frrlfxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\btnhbb.exec:\btnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\xlxrrlf.exec:\xlxrrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\xxfxffl.exec:\xxfxffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\tnbtnn.exec:\tnbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\nhhtnh.exec:\nhhtnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\djpdv.exec:\djpdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\frrrxxr.exec:\frrrxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\7xlllrr.exec:\7xlllrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\pppjj.exec:\pppjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\tnhhhh.exec:\tnhhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\dpdvp.exec:\dpdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\rlxlrxx.exec:\rlxlrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\tthttt.exec:\tthttt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\tbbttt.exec:\tbbttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\tntnnn.exec:\tntnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\dpdvj.exec:\dpdvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\nttnnt.exec:\nttnnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\fxrxflr.exec:\fxrxflr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\pvjjd.exec:\pvjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\5ffrlrl.exec:\5ffrlrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\1hhbbb.exec:\1hhbbb.exe23⤵
- Executes dropped EXE
PID:4356 -
\??\c:\vppjd.exec:\vppjd.exe24⤵
- Executes dropped EXE
PID:4844 -
\??\c:\hbhbbt.exec:\hbhbbt.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136 -
\??\c:\dvvvv.exec:\dvvvv.exe26⤵
- Executes dropped EXE
PID:4724 -
\??\c:\5xxxxxx.exec:\5xxxxxx.exe27⤵
- Executes dropped EXE
PID:3156 -
\??\c:\3bbbtt.exec:\3bbbtt.exe28⤵
- Executes dropped EXE
PID:2724 -
\??\c:\vvdvv.exec:\vvdvv.exe29⤵
- Executes dropped EXE
PID:2764 -
\??\c:\xlxrxfx.exec:\xlxrxfx.exe30⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nnbttt.exec:\nnbttt.exe31⤵
- Executes dropped EXE
PID:3540 -
\??\c:\vpvvp.exec:\vpvvp.exe32⤵
- Executes dropped EXE
PID:8 -
\??\c:\1xllrxf.exec:\1xllrxf.exe33⤵
- Executes dropped EXE
PID:5028 -
\??\c:\hhnhtt.exec:\hhnhtt.exe34⤵
- Executes dropped EXE
PID:2388 -
\??\c:\rlxxlrr.exec:\rlxxlrr.exe35⤵
- Executes dropped EXE
PID:756 -
\??\c:\flrrlrr.exec:\flrrlrr.exe36⤵
- Executes dropped EXE
PID:1584 -
\??\c:\nnbbbb.exec:\nnbbbb.exe37⤵
- Executes dropped EXE
PID:544 -
\??\c:\ppddv.exec:\ppddv.exe38⤵
- Executes dropped EXE
PID:1888 -
\??\c:\ttnhbh.exec:\ttnhbh.exe39⤵
- Executes dropped EXE
PID:3128 -
\??\c:\dddvp.exec:\dddvp.exe40⤵
- Executes dropped EXE
PID:260 -
\??\c:\rxrrlll.exec:\rxrrlll.exe41⤵
- Executes dropped EXE
PID:4944 -
\??\c:\bttnbb.exec:\bttnbb.exe42⤵
- Executes dropped EXE
PID:3944 -
\??\c:\9jjjd.exec:\9jjjd.exe43⤵
- Executes dropped EXE
PID:4540 -
\??\c:\fxrlxxr.exec:\fxrlxxr.exe44⤵
- Executes dropped EXE
PID:5020 -
\??\c:\btttnh.exec:\btttnh.exe45⤵
- Executes dropped EXE
PID:4840 -
\??\c:\jjvdj.exec:\jjvdj.exe46⤵
- Executes dropped EXE
PID:4156 -
\??\c:\vvddv.exec:\vvddv.exe47⤵
- Executes dropped EXE
PID:3464 -
\??\c:\3xlfxrl.exec:\3xlfxrl.exe48⤵
- Executes dropped EXE
PID:60 -
\??\c:\tthbhh.exec:\tthbhh.exe49⤵
- Executes dropped EXE
PID:2984 -
\??\c:\jpdvj.exec:\jpdvj.exe50⤵
- Executes dropped EXE
PID:1392 -
\??\c:\dvjjj.exec:\dvjjj.exe51⤵
- Executes dropped EXE
PID:4396 -
\??\c:\xxffxff.exec:\xxffxff.exe52⤵
- Executes dropped EXE
PID:4392 -
\??\c:\5btthn.exec:\5btthn.exe53⤵
- Executes dropped EXE
PID:2716 -
\??\c:\jvvjv.exec:\jvvjv.exe54⤵
- Executes dropped EXE
PID:1048 -
\??\c:\xllfxrl.exec:\xllfxrl.exe55⤵
- Executes dropped EXE
PID:3524 -
\??\c:\fxfffff.exec:\fxfffff.exe56⤵
- Executes dropped EXE
PID:5080 -
\??\c:\nbbnhh.exec:\nbbnhh.exe57⤵
- Executes dropped EXE
PID:1132 -
\??\c:\jddvp.exec:\jddvp.exe58⤵
- Executes dropped EXE
PID:2560 -
\??\c:\rxlfxfl.exec:\rxlfxfl.exe59⤵
- Executes dropped EXE
PID:3704 -
\??\c:\fxrlxxx.exec:\fxrlxxx.exe60⤵
- Executes dropped EXE
PID:4640 -
\??\c:\nbnnhh.exec:\nbnnhh.exe61⤵
- Executes dropped EXE
PID:3620 -
\??\c:\3vdvj.exec:\3vdvj.exe62⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rlxxrxx.exec:\rlxxrxx.exe63⤵
- Executes dropped EXE
PID:2856 -
\??\c:\3xxxrxr.exec:\3xxxrxr.exe64⤵
- Executes dropped EXE
PID:3244 -
\??\c:\5hnhhh.exec:\5hnhhh.exe65⤵
- Executes dropped EXE
PID:3712 -
\??\c:\1dvpp.exec:\1dvpp.exe66⤵PID:3132
-
\??\c:\9vddd.exec:\9vddd.exe67⤵PID:2912
-
\??\c:\lrxlffx.exec:\lrxlffx.exe68⤵PID:4808
-
\??\c:\nhtntt.exec:\nhtntt.exe69⤵PID:116
-
\??\c:\3tnntb.exec:\3tnntb.exe70⤵PID:4420
-
\??\c:\vdjvj.exec:\vdjvj.exe71⤵PID:1316
-
\??\c:\hhntbh.exec:\hhntbh.exe72⤵PID:2020
-
\??\c:\hnnnnn.exec:\hnnnnn.exe73⤵PID:2616
-
\??\c:\vvpjv.exec:\vvpjv.exe74⤵PID:1752
-
\??\c:\xrxllfl.exec:\xrxllfl.exe75⤵PID:4968
-
\??\c:\1hnhhh.exec:\1hnhhh.exe76⤵PID:4756
-
\??\c:\vddvp.exec:\vddvp.exe77⤵PID:2172
-
\??\c:\7lxrlfx.exec:\7lxrlfx.exe78⤵PID:5068
-
\??\c:\bthbhb.exec:\bthbhb.exe79⤵PID:892
-
\??\c:\hbnnnn.exec:\hbnnnn.exe80⤵PID:4860
-
\??\c:\jvvpd.exec:\jvvpd.exe81⤵PID:4300
-
\??\c:\frxrllf.exec:\frxrllf.exe82⤵PID:3204
-
\??\c:\ntbbbb.exec:\ntbbbb.exe83⤵PID:4660
-
\??\c:\vjddd.exec:\vjddd.exe84⤵PID:2732
-
\??\c:\rlrllfr.exec:\rlrllfr.exe85⤵PID:2772
-
\??\c:\llffllx.exec:\llffllx.exe86⤵PID:844
-
\??\c:\hbnhtn.exec:\hbnhtn.exe87⤵PID:1332
-
\??\c:\jvjjj.exec:\jvjjj.exe88⤵PID:4836
-
\??\c:\xxrrlrr.exec:\xxrrlrr.exe89⤵
- System Location Discovery: System Language Discovery
PID:2972 -
\??\c:\nbnnnn.exec:\nbnnnn.exe90⤵PID:3136
-
\??\c:\bthhhn.exec:\bthhhn.exe91⤵PID:1608
-
\??\c:\pjvpv.exec:\pjvpv.exe92⤵PID:2724
-
\??\c:\7flxfrr.exec:\7flxfrr.exe93⤵PID:2480
-
\??\c:\fffffff.exec:\fffffff.exe94⤵PID:2728
-
\??\c:\jdpjj.exec:\jdpjj.exe95⤵PID:3336
-
\??\c:\ddjdd.exec:\ddjdd.exe96⤵PID:100
-
\??\c:\frflxrf.exec:\frflxrf.exe97⤵PID:3544
-
\??\c:\hhnbtn.exec:\hhnbtn.exe98⤵PID:3796
-
\??\c:\dddpd.exec:\dddpd.exe99⤵PID:4940
-
\??\c:\llfxxrx.exec:\llfxxrx.exe100⤵PID:4684
-
\??\c:\hhbbhh.exec:\hhbbhh.exe101⤵PID:1620
-
\??\c:\vjvpd.exec:\vjvpd.exe102⤵PID:3184
-
\??\c:\fxlffxf.exec:\fxlffxf.exe103⤵PID:2372
-
\??\c:\tnbbbb.exec:\tnbbbb.exe104⤵PID:3456
-
\??\c:\1ppvp.exec:\1ppvp.exe105⤵PID:260
-
\??\c:\9frlxxr.exec:\9frlxxr.exe106⤵PID:784
-
\??\c:\nbbthb.exec:\nbbthb.exe107⤵PID:3944
-
\??\c:\ttbbhn.exec:\ttbbhn.exe108⤵PID:4540
-
\??\c:\vddvp.exec:\vddvp.exe109⤵PID:5020
-
\??\c:\xllllrx.exec:\xllllrx.exe110⤵PID:2284
-
\??\c:\3bbbbh.exec:\3bbbbh.exe111⤵PID:4156
-
\??\c:\jjpjv.exec:\jjpjv.exe112⤵PID:1576
-
\??\c:\9rxxrxr.exec:\9rxxrxr.exe113⤵PID:2068
-
\??\c:\hbnttt.exec:\hbnttt.exe114⤵PID:4368
-
\??\c:\bnbtnt.exec:\bnbtnt.exe115⤵PID:1392
-
\??\c:\7vvpd.exec:\7vvpd.exe116⤵PID:3292
-
\??\c:\3lrrlll.exec:\3lrrlll.exe117⤵PID:4392
-
\??\c:\5ttnnh.exec:\5ttnnh.exe118⤵PID:3496
-
\??\c:\pppdp.exec:\pppdp.exe119⤵PID:1548
-
\??\c:\dpvpp.exec:\dpvpp.exe120⤵PID:5084
-
\??\c:\rlffxll.exec:\rlffxll.exe121⤵PID:5104
-
\??\c:\rfrxxff.exec:\rfrxxff.exe122⤵PID:2996