Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 06:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe
-
Size
455KB
-
MD5
78bfed5b815582c768bd18dce3241f67
-
SHA1
14898a99e3a33ad92668e36adbb569066b473909
-
SHA256
4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9
-
SHA512
98e1ae6dfefd0e9d7d5a8abfc7bffb256aeb6a9bf2e3b0b340ac908bf2433cdd4ad3085fe5d613b6738eac386d4f854bae7942e160406cd725b270abe29614d6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3868-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5048-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2128-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-1096-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-1147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-1674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4188-1690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2800 ffxrrrl.exe 3868 bbnntb.exe 3304 5bbttt.exe 3092 jjpvv.exe 2764 tnbnhn.exe 4124 jpppp.exe 3664 xlllxxr.exe 4880 5pjvv.exe 3652 rlfxxxr.exe 1508 xllfxlf.exe 1140 5hbbtt.exe 1904 frxfrfl.exe 3100 3rrlffx.exe 4596 jjjdv.exe 1276 rlllfff.exe 528 3ttthh.exe 3784 vjdvj.exe 3888 rfllfxf.exe 2276 5bnttt.exe 4728 xxlrrrr.exe 4276 lffxrrr.exe 2360 jvdvj.exe 1028 7flfrrl.exe 5048 dvvpd.exe 3368 pdjdd.exe 400 rflffll.exe 336 3pjdv.exe 2500 dppjd.exe 4436 dpvpj.exe 548 vdvpj.exe 4120 1htnht.exe 4420 ffllfxf.exe 2060 fflllll.exe 1468 thbtnh.exe 3600 3vjvp.exe 2896 thhbbt.exe 3208 9flrfll.exe 3388 lfxxxxr.exe 2132 hbnhnn.exe 4540 ppjvp.exe 1852 3fxrffx.exe 5100 lffxrrl.exe 2696 thnhhh.exe 1036 djpdv.exe 4352 fxrlfxx.exe 1900 fllxlfr.exe 3392 bbthbn.exe 1420 dvjvv.exe 1932 rffrlxx.exe 4884 xlfrfrl.exe 4452 ththhb.exe 2728 pjvvp.exe 2236 xxrlxxr.exe 3844 tbhhbb.exe 2800 7jjvj.exe 1112 7rlxllf.exe 4524 xlxrxrf.exe 2484 hnhthb.exe 456 3jpjd.exe 3092 xllxffr.exe 3692 rfxlxrl.exe 1432 httnbt.exe 2028 jjdjv.exe 112 lrxrxrl.exe -
resource yara_rule behavioral2/memory/2800-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3368-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1664-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-702-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rllrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2304 wrote to memory of 2800 2304 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 82 PID 2304 wrote to memory of 2800 2304 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 82 PID 2304 wrote to memory of 2800 2304 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 82 PID 2800 wrote to memory of 3868 2800 ffxrrrl.exe 83 PID 2800 wrote to memory of 3868 2800 ffxrrrl.exe 83 PID 2800 wrote to memory of 3868 2800 ffxrrrl.exe 83 PID 3868 wrote to memory of 3304 3868 bbnntb.exe 84 PID 3868 wrote to memory of 3304 3868 bbnntb.exe 84 PID 3868 wrote to memory of 3304 3868 bbnntb.exe 84 PID 3304 wrote to memory of 3092 3304 5bbttt.exe 85 PID 3304 wrote to memory of 3092 3304 5bbttt.exe 85 PID 3304 wrote to memory of 3092 3304 5bbttt.exe 85 PID 3092 wrote to memory of 2764 3092 jjpvv.exe 86 PID 3092 wrote to memory of 2764 3092 jjpvv.exe 86 PID 3092 wrote to memory of 2764 3092 jjpvv.exe 86 PID 2764 wrote to memory of 4124 2764 tnbnhn.exe 87 PID 2764 wrote to memory of 4124 2764 tnbnhn.exe 87 PID 2764 wrote to memory of 4124 2764 tnbnhn.exe 87 PID 4124 wrote to memory of 3664 4124 jpppp.exe 88 PID 4124 wrote to memory of 3664 4124 jpppp.exe 88 PID 4124 wrote to memory of 3664 4124 jpppp.exe 88 PID 3664 wrote to memory of 4880 3664 xlllxxr.exe 89 PID 3664 wrote to memory of 4880 3664 xlllxxr.exe 89 PID 3664 wrote to memory of 4880 3664 xlllxxr.exe 89 PID 4880 wrote to memory of 3652 4880 5pjvv.exe 90 PID 4880 wrote to memory of 3652 4880 5pjvv.exe 90 PID 4880 wrote to memory of 3652 4880 5pjvv.exe 90 PID 3652 wrote to memory of 1508 3652 rlfxxxr.exe 91 PID 3652 wrote to memory of 1508 3652 rlfxxxr.exe 91 PID 3652 wrote to memory of 1508 3652 rlfxxxr.exe 91 PID 1508 wrote to memory of 1140 1508 xllfxlf.exe 92 PID 1508 wrote to memory of 1140 1508 xllfxlf.exe 92 PID 1508 wrote to memory of 1140 1508 xllfxlf.exe 92 PID 1140 wrote to memory of 1904 1140 5hbbtt.exe 93 PID 1140 wrote 
to memory of 1904 1140 5hbbtt.exe 93 PID 1140 wrote to memory of 1904 1140 5hbbtt.exe 93 PID 1904 wrote to memory of 3100 1904 frxfrfl.exe 94 PID 1904 wrote to memory of 3100 1904 frxfrfl.exe 94 PID 1904 wrote to memory of 3100 1904 frxfrfl.exe 94 PID 3100 wrote to memory of 4596 3100 3rrlffx.exe 95 PID 3100 wrote to memory of 4596 3100 3rrlffx.exe 95 PID 3100 wrote to memory of 4596 3100 3rrlffx.exe 95 PID 4596 wrote to memory of 1276 4596 jjjdv.exe 96 PID 4596 wrote to memory of 1276 4596 jjjdv.exe 96 PID 4596 wrote to memory of 1276 4596 jjjdv.exe 96 PID 1276 wrote to memory of 528 1276 rlllfff.exe 97 PID 1276 wrote to memory of 528 1276 rlllfff.exe 97 PID 1276 wrote to memory of 528 1276 rlllfff.exe 97 PID 528 wrote to memory of 3784 528 3ttthh.exe 98 PID 528 wrote to memory of 3784 528 3ttthh.exe 98 PID 528 wrote to memory of 3784 528 3ttthh.exe 98 PID 3784 wrote to memory of 3888 3784 vjdvj.exe 99 PID 3784 wrote to memory of 3888 3784 vjdvj.exe 99 PID 3784 wrote to memory of 3888 3784 vjdvj.exe 99 PID 3888 wrote to memory of 2276 3888 rfllfxf.exe 100 PID 3888 wrote to memory of 2276 3888 rfllfxf.exe 100 PID 3888 wrote to memory of 2276 3888 rfllfxf.exe 100 PID 2276 wrote to memory of 4728 2276 5bnttt.exe 101 PID 2276 wrote to memory of 4728 2276 5bnttt.exe 101 PID 2276 wrote to memory of 4728 2276 5bnttt.exe 101 PID 4728 wrote to memory of 4276 4728 xxlrrrr.exe 102 PID 4728 wrote to memory of 4276 4728 xxlrrrr.exe 102 PID 4728 wrote to memory of 4276 4728 xxlrrrr.exe 102 PID 4276 wrote to memory of 2360 4276 lffxrrr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe"C:\Users\Admin\AppData\Local\Temp\4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\ffxrrrl.exec:\ffxrrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\bbnntb.exec:\bbnntb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\5bbttt.exec:\5bbttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\jjpvv.exec:\jjpvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\tnbnhn.exec:\tnbnhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\jpppp.exec:\jpppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\xlllxxr.exec:\xlllxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\5pjvv.exec:\5pjvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\xllfxlf.exec:\xllfxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\5hbbtt.exec:\5hbbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\frxfrfl.exec:\frxfrfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\3rrlffx.exec:\3rrlffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\jjjdv.exec:\jjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\rlllfff.exec:\rlllfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\3ttthh.exec:\3ttthh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\vjdvj.exec:\vjdvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\rfllfxf.exec:\rfllfxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\5bnttt.exec:\5bnttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\xxlrrrr.exec:\xxlrrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\lffxrrr.exec:\lffxrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\jvdvj.exec:\jvdvj.exe23⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7flfrrl.exec:\7flfrrl.exe24⤵
- Executes dropped EXE
PID:1028 -
\??\c:\dvvpd.exec:\dvvpd.exe25⤵
- Executes dropped EXE
PID:5048 -
\??\c:\pdjdd.exec:\pdjdd.exe26⤵
- Executes dropped EXE
PID:3368 -
\??\c:\rflffll.exec:\rflffll.exe27⤵
- Executes dropped EXE
PID:400 -
\??\c:\3pjdv.exec:\3pjdv.exe28⤵
- Executes dropped EXE
PID:336 -
\??\c:\dppjd.exec:\dppjd.exe29⤵
- Executes dropped EXE
PID:2500 -
\??\c:\dpvpj.exec:\dpvpj.exe30⤵
- Executes dropped EXE
PID:4436 -
\??\c:\vdvpj.exec:\vdvpj.exe31⤵
- Executes dropped EXE
PID:548 -
\??\c:\1htnht.exec:\1htnht.exe32⤵
- Executes dropped EXE
PID:4120 -
\??\c:\ffllfxf.exec:\ffllfxf.exe33⤵
- Executes dropped EXE
PID:4420 -
\??\c:\fflllll.exec:\fflllll.exe34⤵
- Executes dropped EXE
PID:2060 -
\??\c:\thbtnh.exec:\thbtnh.exe35⤵
- Executes dropped EXE
PID:1468 -
\??\c:\3vjvp.exec:\3vjvp.exe36⤵
- Executes dropped EXE
PID:3600 -
\??\c:\thhbbt.exec:\thhbbt.exe37⤵
- Executes dropped EXE
PID:2896 -
\??\c:\9flrfll.exec:\9flrfll.exe38⤵
- Executes dropped EXE
PID:3208 -
\??\c:\lfxxxxr.exec:\lfxxxxr.exe39⤵
- Executes dropped EXE
PID:3388 -
\??\c:\hbnhnn.exec:\hbnhnn.exe40⤵
- Executes dropped EXE
PID:2132 -
\??\c:\ppjvp.exec:\ppjvp.exe41⤵
- Executes dropped EXE
PID:4540 -
\??\c:\3fxrffx.exec:\3fxrffx.exe42⤵
- Executes dropped EXE
PID:1852 -
\??\c:\lffxrrl.exec:\lffxrrl.exe43⤵
- Executes dropped EXE
PID:5100 -
\??\c:\thnhhh.exec:\thnhhh.exe44⤵
- Executes dropped EXE
PID:2696 -
\??\c:\djpdv.exec:\djpdv.exe45⤵
- Executes dropped EXE
PID:1036 -
\??\c:\fxrlfxx.exec:\fxrlfxx.exe46⤵
- Executes dropped EXE
PID:4352 -
\??\c:\fllxlfr.exec:\fllxlfr.exe47⤵
- Executes dropped EXE
PID:1900 -
\??\c:\bbthbn.exec:\bbthbn.exe48⤵
- Executes dropped EXE
PID:3392 -
\??\c:\dvjvv.exec:\dvjvv.exe49⤵
- Executes dropped EXE
PID:1420 -
\??\c:\rffrlxx.exec:\rffrlxx.exe50⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xlfrfrl.exec:\xlfrfrl.exe51⤵
- Executes dropped EXE
PID:4884 -
\??\c:\ththhb.exec:\ththhb.exe52⤵
- Executes dropped EXE
PID:4452 -
\??\c:\pjvvp.exec:\pjvvp.exe53⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xxrlxxr.exec:\xxrlxxr.exe54⤵
- Executes dropped EXE
PID:2236 -
\??\c:\9llxlfr.exec:\9llxlfr.exe55⤵PID:624
-
\??\c:\tbhhbb.exec:\tbhhbb.exe56⤵
- Executes dropped EXE
PID:3844 -
\??\c:\7jjvj.exec:\7jjvj.exe57⤵
- Executes dropped EXE
PID:2800 -
\??\c:\7rlxllf.exec:\7rlxllf.exe58⤵
- Executes dropped EXE
PID:1112 -
\??\c:\xlxrxrf.exec:\xlxrxrf.exe59⤵
- Executes dropped EXE
PID:4524 -
\??\c:\hnhthb.exec:\hnhthb.exe60⤵
- Executes dropped EXE
PID:2484 -
\??\c:\3jpjd.exec:\3jpjd.exe61⤵
- Executes dropped EXE
PID:456 -
\??\c:\xllxffr.exec:\xllxffr.exe62⤵
- Executes dropped EXE
PID:3092 -
\??\c:\rfxlxrl.exec:\rfxlxrl.exe63⤵
- Executes dropped EXE
PID:3692 -
\??\c:\httnbt.exec:\httnbt.exe64⤵
- Executes dropped EXE
PID:1432 -
\??\c:\jjdjv.exec:\jjdjv.exe65⤵
- Executes dropped EXE
PID:2028 -
\??\c:\lrxrxrl.exec:\lrxrxrl.exe66⤵
- Executes dropped EXE
PID:112 -
\??\c:\rxxrxrf.exec:\rxxrxrf.exe67⤵PID:3764
-
\??\c:\ntbnbn.exec:\ntbnbn.exe68⤵PID:5000
-
\??\c:\nnnntn.exec:\nnnntn.exe69⤵PID:4716
-
\??\c:\pdjjv.exec:\pdjjv.exe70⤵PID:2192
-
\??\c:\rfxfxrr.exec:\rfxfxrr.exe71⤵PID:3860
-
\??\c:\7tttnn.exec:\7tttnn.exe72⤵PID:1464
-
\??\c:\vjpdp.exec:\vjpdp.exe73⤵PID:1880
-
\??\c:\9ffxlff.exec:\9ffxlff.exe74⤵PID:2128
-
\??\c:\frfrlfr.exec:\frfrlfr.exe75⤵PID:4232
-
\??\c:\nhtnhh.exec:\nhtnhh.exe76⤵PID:1600
-
\??\c:\dvvpd.exec:\dvvpd.exe77⤵PID:2344
-
\??\c:\1rrfrll.exec:\1rrfrll.exe78⤵PID:1444
-
\??\c:\btnhbt.exec:\btnhbt.exe79⤵PID:3508
-
\??\c:\vppdj.exec:\vppdj.exe80⤵PID:4244
-
\??\c:\1llflxl.exec:\1llflxl.exe81⤵PID:1956
-
\??\c:\rrxlxlx.exec:\rrxlxlx.exe82⤵PID:1736
-
\??\c:\htnhht.exec:\htnhht.exe83⤵PID:2004
-
\??\c:\nbnthn.exec:\nbnthn.exe84⤵PID:2336
-
\??\c:\vdjvp.exec:\vdjvp.exe85⤵PID:1460
-
\??\c:\lllxrlx.exec:\lllxrlx.exe86⤵PID:1664
-
\??\c:\ntthtn.exec:\ntthtn.exe87⤵PID:3864
-
\??\c:\3jjdd.exec:\3jjdd.exe88⤵PID:716
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe89⤵PID:4364
-
\??\c:\nntntt.exec:\nntntt.exe90⤵PID:5048
-
\??\c:\vjpdj.exec:\vjpdj.exe91⤵PID:1728
-
\??\c:\rllxlxl.exec:\rllxlxl.exe92⤵PID:1636
-
\??\c:\lrrfrfr.exec:\lrrfrfr.exe93⤵PID:3128
-
\??\c:\nhtnhb.exec:\nhtnhb.exe94⤵PID:336
-
\??\c:\ddvjp.exec:\ddvjp.exe95⤵PID:2000
-
\??\c:\vjdjv.exec:\vjdjv.exe96⤵
- System Location Discovery: System Language Discovery
PID:2020 -
\??\c:\frrfxxr.exec:\frrfxxr.exe97⤵PID:4668
-
\??\c:\7hbthb.exec:\7hbthb.exe98⤵PID:2300
-
\??\c:\vpjpd.exec:\vpjpd.exe99⤵PID:3540
-
\??\c:\9ppdj.exec:\9ppdj.exe100⤵PID:1868
-
\??\c:\rrxlrlr.exec:\rrxlrlr.exe101⤵PID:1492
-
\??\c:\thhthb.exec:\thhthb.exe102⤵PID:448
-
\??\c:\hhhnbt.exec:\hhhnbt.exe103⤵PID:1468
-
\??\c:\dddpd.exec:\dddpd.exe104⤵PID:1228
-
\??\c:\lxxrffx.exec:\lxxrffx.exe105⤵PID:232
-
\??\c:\ttnntt.exec:\ttnntt.exe106⤵PID:2684
-
\??\c:\nhthnh.exec:\nhthnh.exe107⤵PID:3208
-
\??\c:\dvpjd.exec:\dvpjd.exe108⤵PID:1772
-
\??\c:\ffxlxrl.exec:\ffxlxrl.exe109⤵PID:2532
-
\??\c:\thttht.exec:\thttht.exe110⤵PID:2240
-
\??\c:\3pjdp.exec:\3pjdp.exe111⤵PID:1524
-
\??\c:\xrxrffx.exec:\xrxrffx.exe112⤵PID:3788
-
\??\c:\hhbbtt.exec:\hhbbtt.exe113⤵PID:3952
-
\??\c:\tbhtth.exec:\tbhtth.exe114⤵PID:3280
-
\??\c:\jddvj.exec:\jddvj.exe115⤵PID:4352
-
\??\c:\5ffxllf.exec:\5ffxllf.exe116⤵PID:1504
-
\??\c:\hntnbb.exec:\hntnbb.exe117⤵PID:4192
-
\??\c:\pvvpv.exec:\pvvpv.exe118⤵PID:1092
-
\??\c:\rffxrll.exec:\rffxrll.exe119⤵PID:4604
-
\??\c:\nbhtnt.exec:\nbhtnt.exe120⤵PID:4860
-
\??\c:\9pvdp.exec:\9pvdp.exe121⤵PID:8
-
\??\c:\pvjvj.exec:\pvjvj.exe122⤵PID:2568