Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27/12/2024, 20:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe
Resource
win7-20240708-en
7 signatures
150 seconds
Note: the resource listed in this summary (win7-20240708-en) belongs to behavioral1, but every signature hit and the process tree below are labelled behavioral2 and were collected on the win10v2004-20241007-en image named in the Analysis header above. Do not attribute the memory-dump IoCs and PIDs below to the Windows 7 run.
General
-
Target
171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe
-
Size
453KB
-
MD5
51a96bedf6759a90bcc40ea80e72e9e4
-
SHA1
1366a83a0ba7213347a5925b45c4b307fe5aee70
-
SHA256
171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14
-
SHA512
e7d5867dd197433ce899f34dcbda6d62cc703d307a33ff6b1d1799479e89f82dcc0d9b38f490b76fbdfd34fc601eb331f37c9513baeae09cf773b19f0e12a2fe
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload (61 IoCs). Every hit is a YARA match (rule family_blackmoon) on a process memory dump covering the same range, 0x00400000-0x0042A000, in each process of the spawn chain. The upx rule below matches the identical range in the same PIDs, which is consistent with every chain member being the same UPX-packed Blackmoon binary re-launched under a new name rather than a distinct payload injected into a foreign process.
resource yara_rule behavioral2/memory/2348-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2668-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2896-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-966-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-1126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-1378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs). Each dropped binary is written directly to the root of C:\ under a short pseudo-random name (letters b/d/f/h/j/l/n/p/r/t/v/x, optionally prefixed by a digit) and is launched by the previous one, producing a linear spawn chain more than 120 processes deep (see Processes below); only the first 64 are listed here. The same filename recurs later in the chain under different PIDs (e.g. vpvpj.exe at PIDs 1196, 3964 and 4008; dddvp.exe at 3448 and 4300), so a filename alone is a weak indicator — detect on the "executable written to C:\ root by a non-installer, then immediately spawned by its dropper" pattern instead.
pid Process 2348 frxrrll.exe 3732 9nttnt.exe 1400 fxxrlll.exe 3224 pdpjd.exe 4904 7tbttt.exe 2460 pdvjd.exe 1784 bhnnnn.exe 2908 7rxlffr.exe 4876 xxlxrxl.exe 1388 7pjdp.exe 2324 3bbtnn.exe 1772 lfrxfxx.exe 4324 tbnhbb.exe 1464 dvjdj.exe 5016 1ttnnh.exe 3324 vpjvv.exe 5036 nhhnbt.exe 3708 bbhtth.exe 2784 lxfxlxl.exe 1904 pvvvj.exe 1916 rllfffx.exe 220 1pjvp.exe 444 1btnnn.exe 2292 5rlxrrf.exe 3356 dvppj.exe 1152 ffllllx.exe 2668 bnbhbh.exe 4060 ffrlrrl.exe 2332 7ntnhn.exe 4736 fxfxfxf.exe 1500 5tnnhn.exe 1432 nnbtnn.exe 4088 rllfxrl.exe 1636 thnnhb.exe 1236 jvdvj.exe 2764 rfflffx.exe 2948 1ntnnt.exe 2680 dvvpd.exe 536 vjpjv.exe 1652 lxlfrff.exe 1104 5hhhhn.exe 5080 jjvpv.exe 3448 dddvp.exe 4528 llrlffx.exe 5104 hhtnhb.exe 4760 dpvpj.exe 1844 1rfxlfx.exe 1608 thttnn.exe 1588 jvvjd.exe 1620 3rxrrrr.exe 1580 btbthb.exe 4552 nhnhtt.exe 1196 vpvpj.exe 4980 rfrllff.exe 3344 bnbbtb.exe 736 vjvpj.exe 2304 jdjdj.exe 1080 hbbbbh.exe 5112 jdjdv.exe 392 5fxrffx.exe 4244 jpdvv.exe 3204 vppjd.exe 2120 fxxxlrf.exe 1520 3nnhbt.exe -
resource yara_rule behavioral2/memory/3732-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1500-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2320-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-881-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-966-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-1126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-1161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-1343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-1378-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host — here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language — in order to infer its geographical location. Entries below attributed to "Process not Found" are registry opens whose originating process the sandbox could no longer resolve by name, most likely chain members that had already exited by the time the event was recorded; they should still be counted against the sample.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory (64 IoCs). Each parent in the chain writes to its direct child's memory (three writes per child) immediately after creating it, and the parent→child pairs match the Processes tree exactly. Only the first 22 pairs are shown (the list is truncated at 64 events); the child PIDs are the same ones carrying the family_blackmoon and upx memory-dump matches above.
description pid Process procid_target PID 4192 wrote to memory of 2348 4192 171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe 82 PID 4192 wrote to memory of 2348 4192 171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe 82 PID 4192 wrote to memory of 2348 4192 171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe 82 PID 2348 wrote to memory of 3732 2348 frxrrll.exe 83 PID 2348 wrote to memory of 3732 2348 frxrrll.exe 83 PID 2348 wrote to memory of 3732 2348 frxrrll.exe 83 PID 3732 wrote to memory of 1400 3732 9nttnt.exe 84 PID 3732 wrote to memory of 1400 3732 9nttnt.exe 84 PID 3732 wrote to memory of 1400 3732 9nttnt.exe 84 PID 1400 wrote to memory of 3224 1400 fxxrlll.exe 85 PID 1400 wrote to memory of 3224 1400 fxxrlll.exe 85 PID 1400 wrote to memory of 3224 1400 fxxrlll.exe 85 PID 3224 wrote to memory of 4904 3224 pdpjd.exe 86 PID 3224 wrote to memory of 4904 3224 pdpjd.exe 86 PID 3224 wrote to memory of 4904 3224 pdpjd.exe 86 PID 4904 wrote to memory of 2460 4904 7tbttt.exe 87 PID 4904 wrote to memory of 2460 4904 7tbttt.exe 87 PID 4904 wrote to memory of 2460 4904 7tbttt.exe 87 PID 2460 wrote to memory of 1784 2460 pdvjd.exe 88 PID 2460 wrote to memory of 1784 2460 pdvjd.exe 88 PID 2460 wrote to memory of 1784 2460 pdvjd.exe 88 PID 1784 wrote to memory of 2908 1784 bhnnnn.exe 89 PID 1784 wrote to memory of 2908 1784 bhnnnn.exe 89 PID 1784 wrote to memory of 2908 1784 bhnnnn.exe 89 PID 2908 wrote to memory of 4876 2908 7rxlffr.exe 90 PID 2908 wrote to memory of 4876 2908 7rxlffr.exe 90 PID 2908 wrote to memory of 4876 2908 7rxlffr.exe 90 PID 4876 wrote to memory of 1388 4876 xxlxrxl.exe 91 PID 4876 wrote to memory of 1388 4876 xxlxrxl.exe 91 PID 4876 wrote to memory of 1388 4876 xxlxrxl.exe 91 PID 1388 wrote to memory of 2324 1388 7pjdp.exe 92 PID 1388 wrote to memory of 2324 1388 7pjdp.exe 92 PID 1388 wrote to memory of 2324 1388 7pjdp.exe 92 PID 2324 wrote to memory of 1772 2324 3bbtnn.exe 93 PID 2324 wrote 
to memory of 1772 2324 3bbtnn.exe 93 PID 2324 wrote to memory of 1772 2324 3bbtnn.exe 93 PID 1772 wrote to memory of 4324 1772 lfrxfxx.exe 94 PID 1772 wrote to memory of 4324 1772 lfrxfxx.exe 94 PID 1772 wrote to memory of 4324 1772 lfrxfxx.exe 94 PID 4324 wrote to memory of 1464 4324 tbnhbb.exe 95 PID 4324 wrote to memory of 1464 4324 tbnhbb.exe 95 PID 4324 wrote to memory of 1464 4324 tbnhbb.exe 95 PID 1464 wrote to memory of 5016 1464 dvjdj.exe 96 PID 1464 wrote to memory of 5016 1464 dvjdj.exe 96 PID 1464 wrote to memory of 5016 1464 dvjdj.exe 96 PID 5016 wrote to memory of 3324 5016 1ttnnh.exe 97 PID 5016 wrote to memory of 3324 5016 1ttnnh.exe 97 PID 5016 wrote to memory of 3324 5016 1ttnnh.exe 97 PID 3324 wrote to memory of 5036 3324 vpjvv.exe 98 PID 3324 wrote to memory of 5036 3324 vpjvv.exe 98 PID 3324 wrote to memory of 5036 3324 vpjvv.exe 98 PID 5036 wrote to memory of 3708 5036 nhhnbt.exe 99 PID 5036 wrote to memory of 3708 5036 nhhnbt.exe 99 PID 5036 wrote to memory of 3708 5036 nhhnbt.exe 99 PID 3708 wrote to memory of 2784 3708 bbhtth.exe 100 PID 3708 wrote to memory of 2784 3708 bbhtth.exe 100 PID 3708 wrote to memory of 2784 3708 bbhtth.exe 100 PID 2784 wrote to memory of 1904 2784 lxfxlxl.exe 101 PID 2784 wrote to memory of 1904 2784 lxfxlxl.exe 101 PID 2784 wrote to memory of 1904 2784 lxfxlxl.exe 101 PID 1904 wrote to memory of 1916 1904 pvvvj.exe 102 PID 1904 wrote to memory of 1916 1904 pvvvj.exe 102 PID 1904 wrote to memory of 1916 1904 pvvvj.exe 102 PID 1916 wrote to memory of 220 1916 rllfffx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe"C:\Users\Admin\AppData\Local\Temp\171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\frxrrll.exec:\frxrrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\9nttnt.exec:\9nttnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\fxxrlll.exec:\fxxrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\pdpjd.exec:\pdpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\7tbttt.exec:\7tbttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\pdvjd.exec:\pdvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\bhnnnn.exec:\bhnnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\7rxlffr.exec:\7rxlffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\xxlxrxl.exec:\xxlxrxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\7pjdp.exec:\7pjdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\3bbtnn.exec:\3bbtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\lfrxfxx.exec:\lfrxfxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\tbnhbb.exec:\tbnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\dvjdj.exec:\dvjdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\1ttnnh.exec:\1ttnnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\vpjvv.exec:\vpjvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\nhhnbt.exec:\nhhnbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\bbhtth.exec:\bbhtth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\lxfxlxl.exec:\lxfxlxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\pvvvj.exec:\pvvvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\rllfffx.exec:\rllfffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\1pjvp.exec:\1pjvp.exe23⤵
- Executes dropped EXE
PID:220 -
\??\c:\1btnnn.exec:\1btnnn.exe24⤵
- Executes dropped EXE
PID:444 -
\??\c:\5rlxrrf.exec:\5rlxrrf.exe25⤵
- Executes dropped EXE
PID:2292 -
\??\c:\dvppj.exec:\dvppj.exe26⤵
- Executes dropped EXE
PID:3356 -
\??\c:\ffllllx.exec:\ffllllx.exe27⤵
- Executes dropped EXE
PID:1152 -
\??\c:\bnbhbh.exec:\bnbhbh.exe28⤵
- Executes dropped EXE
PID:2668 -
\??\c:\ffrlrrl.exec:\ffrlrrl.exe29⤵
- Executes dropped EXE
PID:4060 -
\??\c:\7ntnhn.exec:\7ntnhn.exe30⤵
- Executes dropped EXE
PID:2332 -
\??\c:\fxfxfxf.exec:\fxfxfxf.exe31⤵
- Executes dropped EXE
PID:4736 -
\??\c:\5tnnhn.exec:\5tnnhn.exe32⤵
- Executes dropped EXE
PID:1500 -
\??\c:\nnbtnn.exec:\nnbtnn.exe33⤵
- Executes dropped EXE
PID:1432 -
\??\c:\rllfxrl.exec:\rllfxrl.exe34⤵
- Executes dropped EXE
PID:4088 -
\??\c:\thnnhb.exec:\thnnhb.exe35⤵
- Executes dropped EXE
PID:1636 -
\??\c:\jvdvj.exec:\jvdvj.exe36⤵
- Executes dropped EXE
PID:1236 -
\??\c:\rfflffx.exec:\rfflffx.exe37⤵
- Executes dropped EXE
PID:2764 -
\??\c:\1ntnnt.exec:\1ntnnt.exe38⤵
- Executes dropped EXE
PID:2948 -
\??\c:\dvvpd.exec:\dvvpd.exe39⤵
- Executes dropped EXE
PID:2680 -
\??\c:\vjpjv.exec:\vjpjv.exe40⤵
- Executes dropped EXE
PID:536 -
\??\c:\lxlfrff.exec:\lxlfrff.exe41⤵
- Executes dropped EXE
PID:1652 -
\??\c:\5hhhhn.exec:\5hhhhn.exe42⤵
- Executes dropped EXE
PID:1104 -
\??\c:\jjvpv.exec:\jjvpv.exe43⤵
- Executes dropped EXE
PID:5080 -
\??\c:\dddvp.exec:\dddvp.exe44⤵
- Executes dropped EXE
PID:3448 -
\??\c:\llrlffx.exec:\llrlffx.exe45⤵
- Executes dropped EXE
PID:4528 -
\??\c:\hhtnhb.exec:\hhtnhb.exe46⤵
- Executes dropped EXE
PID:5104 -
\??\c:\dpvpj.exec:\dpvpj.exe47⤵
- Executes dropped EXE
PID:4760 -
\??\c:\1rfxlfx.exec:\1rfxlfx.exe48⤵
- Executes dropped EXE
PID:1844 -
\??\c:\thttnn.exec:\thttnn.exe49⤵
- Executes dropped EXE
PID:1608 -
\??\c:\jvvjd.exec:\jvvjd.exe50⤵
- Executes dropped EXE
PID:1588 -
\??\c:\3rxrrrr.exec:\3rxrrrr.exe51⤵
- Executes dropped EXE
PID:1620 -
\??\c:\btbthb.exec:\btbthb.exe52⤵
- Executes dropped EXE
PID:1580 -
\??\c:\nhnhtt.exec:\nhnhtt.exe53⤵
- Executes dropped EXE
PID:4552 -
\??\c:\vpvpj.exec:\vpvpj.exe54⤵
- Executes dropped EXE
PID:1196 -
\??\c:\rfrllff.exec:\rfrllff.exe55⤵
- Executes dropped EXE
PID:4980 -
\??\c:\bnbbtb.exec:\bnbbtb.exe56⤵
- Executes dropped EXE
PID:3344 -
\??\c:\vjvpj.exec:\vjvpj.exe57⤵
- Executes dropped EXE
PID:736 -
\??\c:\jdjdj.exec:\jdjdj.exe58⤵
- Executes dropped EXE
PID:2304 -
\??\c:\hbbbbh.exec:\hbbbbh.exe59⤵
- Executes dropped EXE
PID:1080 -
\??\c:\jdjdv.exec:\jdjdv.exe60⤵
- Executes dropped EXE
PID:5112 -
\??\c:\5fxrffx.exec:\5fxrffx.exe61⤵
- Executes dropped EXE
PID:392 -
\??\c:\jpdvv.exec:\jpdvv.exe62⤵
- Executes dropped EXE
PID:4244 -
\??\c:\vppjd.exec:\vppjd.exe63⤵
- Executes dropped EXE
PID:3204 -
\??\c:\fxxxlrf.exec:\fxxxlrf.exe64⤵
- Executes dropped EXE
PID:2120 -
\??\c:\3nnhbt.exec:\3nnhbt.exe65⤵
- Executes dropped EXE
PID:1520 -
\??\c:\dvvpj.exec:\dvvpj.exe66⤵PID:3600
-
\??\c:\7lxrlff.exec:\7lxrlff.exe67⤵PID:3840
-
\??\c:\bnhtbh.exec:\bnhtbh.exe68⤵PID:952
-
\??\c:\ddppv.exec:\ddppv.exe69⤵PID:4640
-
\??\c:\dppdp.exec:\dppdp.exe70⤵PID:2140
-
\??\c:\9lrrrlr.exec:\9lrrrlr.exe71⤵PID:4068
-
\??\c:\5tnnhh.exec:\5tnnhh.exe72⤵PID:216
-
\??\c:\pddvj.exec:\pddvj.exe73⤵PID:1956
-
\??\c:\jjpjj.exec:\jjpjj.exe74⤵PID:3332
-
\??\c:\hhnhtt.exec:\hhnhtt.exe75⤵PID:3324
-
\??\c:\httbbb.exec:\httbbb.exe76⤵PID:64
-
\??\c:\vddvp.exec:\vddvp.exe77⤵PID:2260
-
\??\c:\9frllll.exec:\9frllll.exe78⤵PID:372
-
\??\c:\hnnhtt.exec:\hnnhtt.exe79⤵PID:112
-
\??\c:\vpvpj.exec:\vpvpj.exe80⤵PID:3964
-
\??\c:\xfllfff.exec:\xfllfff.exe81⤵PID:1048
-
\??\c:\ntbbtt.exec:\ntbbtt.exe82⤵PID:2896
-
\??\c:\jjdvp.exec:\jjdvp.exe83⤵PID:4716
-
\??\c:\3rlxrlf.exec:\3rlxrlf.exe84⤵PID:920
-
\??\c:\hhbtbb.exec:\hhbtbb.exe85⤵PID:4840
-
\??\c:\ddvpd.exec:\ddvpd.exe86⤵PID:1476
-
\??\c:\xrlxrfx.exec:\xrlxrfx.exe87⤵PID:1408
-
\??\c:\rrlfrlf.exec:\rrlfrlf.exe88⤵PID:2488
-
\??\c:\1jjpj.exec:\1jjpj.exe89⤵PID:4520
-
\??\c:\fxxrfxl.exec:\fxxrfxl.exe90⤵PID:888
-
\??\c:\bhbnhh.exec:\bhbnhh.exe91⤵PID:2380
-
\??\c:\bbbbhb.exec:\bbbbhb.exe92⤵PID:4372
-
\??\c:\dddvp.exec:\dddvp.exe93⤵PID:4300
-
\??\c:\xrxrrll.exec:\xrxrrll.exe94⤵PID:4736
-
\??\c:\bbhhhh.exec:\bbhhhh.exe95⤵PID:4492
-
\??\c:\tthhth.exec:\tthhth.exe96⤵PID:2320
-
\??\c:\5jpjd.exec:\5jpjd.exe97⤵PID:4332
-
\??\c:\xfrlfff.exec:\xfrlfff.exe98⤵PID:2820
-
\??\c:\thnbtn.exec:\thnbtn.exe99⤵PID:4544
-
\??\c:\pddvd.exec:\pddvd.exe100⤵PID:3596
-
\??\c:\fxfxxrl.exec:\fxfxxrl.exe101⤵PID:4128
-
\??\c:\hbbbbt.exec:\hbbbbt.exe102⤵PID:4884
-
\??\c:\5tbttn.exec:\5tbttn.exe103⤵
- System Location Discovery: System Language Discovery
PID:1748 -
\??\c:\vvdvd.exec:\vvdvd.exe104⤵PID:2360
-
\??\c:\frfxxxr.exec:\frfxxxr.exe105⤵PID:1496
-
\??\c:\ttbbnn.exec:\ttbbnn.exe106⤵PID:1880
-
\??\c:\vpvpj.exec:\vpvpj.exe107⤵PID:4008
-
\??\c:\vppjj.exec:\vppjj.exe108⤵PID:880
-
\??\c:\xlfxrxl.exec:\xlfxrxl.exe109⤵PID:4468
-
\??\c:\7hbbtt.exec:\7hbbtt.exe110⤵PID:4452
-
\??\c:\vjpdv.exec:\vjpdv.exe111⤵PID:2256
-
\??\c:\lxlfxrl.exec:\lxlfxrl.exe112⤵PID:5104
-
\??\c:\bntnhh.exec:\bntnhh.exe113⤵PID:3544
-
\??\c:\nhbthb.exec:\nhbthb.exe114⤵PID:3440
-
\??\c:\vjjjd.exec:\vjjjd.exe115⤵PID:3552
-
\??\c:\xflxrrl.exec:\xflxrrl.exe116⤵PID:4568
-
\??\c:\hhhhbn.exec:\hhhhbn.exe117⤵PID:1400
-
\??\c:\vjvpj.exec:\vjvpj.exe118⤵PID:3592
-
\??\c:\pdddp.exec:\pdddp.exe119⤵PID:1256
-
\??\c:\ffrrxxf.exec:\ffrrxxf.exe120⤵PID:1872
-
\??\c:\nhnnbb.exec:\nhnnbb.exe121⤵PID:4360
-
\??\c:\dppjv.exec:\dppjv.exe122⤵PID:3396