Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 23:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
552f93e7b4e2c1d37b2aa6d6ebcc991690f830949a7658eceb7e8a1e9084c121.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
552f93e7b4e2c1d37b2aa6d6ebcc991690f830949a7658eceb7e8a1e9084c121.exe
-
Size
453KB
-
MD5
32500d63eb95885c48b38d3534f413fd
-
SHA1
c63cf5a0003ded9dd5996aa594c15bfb8bff8fbd
-
SHA256
552f93e7b4e2c1d37b2aa6d6ebcc991690f830949a7658eceb7e8a1e9084c121
-
SHA512
c2b2e8f74c3f2198c44356eacc6fffd5ca0d337b8a645f1a134f47bfe698eb08f92adfc40b391d9d9668d076e9219d62f646066dbe6cc73ec90abc11d9adb034
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/964-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1292-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4396-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-1017-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-1227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-1276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/868-1406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2956 frfrfll.exe 3436 jvpdp.exe 4156 jpvpj.exe 3836 rffrlrl.exe 4608 tthbbh.exe 2140 pddvd.exe 1168 dppjd.exe 4784 lrrxfxx.exe 3648 thhtnb.exe 4716 pdvjp.exe 940 flffxrx.exe 440 dpjvp.exe 2624 9rxlxlx.exe 996 bnhtht.exe 1336 pdpdv.exe 672 tbtbhn.exe 3592 3xlflfl.exe 2400 1nthnn.exe 4536 jjvpj.exe 3364 xxxrlxl.exe 4352 jddpd.exe 2192 1lxrxrf.exe 2952 jppdp.exe 2768 pdpjv.exe 4560 rfxlrlf.exe 644 5tnhbt.exe 3500 vjvpj.exe 1612 3xlxrlx.exe 1292 hnhtnh.exe 1604 dvvjv.exe 2092 thhntt.exe 4296 nttthb.exe 624 7fxlxrf.exe 1456 htbthb.exe 2924 vpjdp.exe 3780 3xfrllr.exe 2128 bhbnbt.exe 3444 vpjpv.exe 2776 3jdjp.exe 1696 1llxlfr.exe 2564 1nnhbt.exe 5116 5vjvp.exe 2292 ddjvj.exe 1780 fxxfrlf.exe 3224 3ffrrlx.exe 3672 nbthth.exe 1536 jppvj.exe 3980 lrlxrll.exe 1680 nnthbt.exe 3436 9bbnhh.exe 2448 jvvjp.exe 4548 3xrlrrf.exe 4420 bnhtnh.exe 1432 llfrfxf.exe 756 7xlxxrx.exe 3704 hhnhht.exe 2108 jvdvj.exe 4784 djpdp.exe 3988 1ffllfl.exe 556 1nhtht.exe 1048 5jddv.exe 4264 lfrfrlx.exe 1376 btbtbn.exe 628 dvdpj.exe -
resource yara_rule behavioral2/memory/964-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1292-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2068-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-1017-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 964 wrote to memory of 2956 964 552f93e7b4e2c1d37b2aa6d6ebcc991690f830949a7658eceb7e8a1e9084c121.exe 82 PID 964 wrote to memory of 2956 964 552f93e7b4e2c1d37b2aa6d6ebcc991690f830949a7658eceb7e8a1e9084c121.exe 82 PID 964 wrote to memory of 2956 964 552f93e7b4e2c1d37b2aa6d6ebcc991690f830949a7658eceb7e8a1e9084c121.exe 82 PID 2956 wrote to memory of 3436 2956 frfrfll.exe 83 PID 2956 wrote to memory of 3436 2956 frfrfll.exe 83 PID 2956 wrote to memory of 3436 2956 frfrfll.exe 83 PID 3436 wrote to memory of 4156 3436 jvpdp.exe 84 PID 3436 wrote to memory of 4156 3436 jvpdp.exe 84 PID 3436 wrote to memory of 4156 3436 jvpdp.exe 84 PID 4156 wrote to memory of 3836 4156 jpvpj.exe 85 PID 4156 wrote to memory of 3836 4156 jpvpj.exe 85 PID 4156 wrote to memory of 3836 4156 jpvpj.exe 85 PID 3836 wrote to memory of 4608 3836 rffrlrl.exe 86 PID 3836 wrote to memory of 4608 3836 rffrlrl.exe 86 PID 3836 wrote to memory of 4608 3836 rffrlrl.exe 86 PID 4608 wrote to memory of 2140 4608 tthbbh.exe 87 PID 4608 wrote to memory of 2140 4608 tthbbh.exe 87 PID 4608 wrote to memory of 2140 4608 tthbbh.exe 87 PID 2140 wrote to memory of 1168 2140 pddvd.exe 88 PID 2140 wrote to memory of 1168 2140 pddvd.exe 88 PID 2140 wrote to memory of 1168 2140 pddvd.exe 88 PID 1168 wrote to memory of 4784 1168 dppjd.exe 89 PID 1168 wrote to memory of 4784 1168 dppjd.exe 89 PID 1168 wrote to memory of 4784 1168 dppjd.exe 89 PID 4784 wrote to memory of 3648 4784 lrrxfxx.exe 90 PID 4784 wrote to memory of 3648 4784 lrrxfxx.exe 90 PID 4784 wrote to memory of 3648 4784 lrrxfxx.exe 90 PID 3648 wrote to memory of 4716 3648 thhtnb.exe 91 PID 3648 wrote to memory of 4716 3648 thhtnb.exe 91 PID 3648 wrote to memory of 4716 3648 thhtnb.exe 91 PID 4716 wrote to memory of 940 4716 pdvjp.exe 92 PID 4716 wrote to memory of 940 4716 pdvjp.exe 92 PID 4716 wrote to memory of 940 4716 pdvjp.exe 92 PID 940 wrote to memory of 440 940 flffxrx.exe 93 PID 940 wrote to memory of 440 940 
flffxrx.exe 93 PID 940 wrote to memory of 440 940 flffxrx.exe 93 PID 440 wrote to memory of 2624 440 dpjvp.exe 94 PID 440 wrote to memory of 2624 440 dpjvp.exe 94 PID 440 wrote to memory of 2624 440 dpjvp.exe 94 PID 2624 wrote to memory of 996 2624 9rxlxlx.exe 95 PID 2624 wrote to memory of 996 2624 9rxlxlx.exe 95 PID 2624 wrote to memory of 996 2624 9rxlxlx.exe 95 PID 996 wrote to memory of 1336 996 bnhtht.exe 96 PID 996 wrote to memory of 1336 996 bnhtht.exe 96 PID 996 wrote to memory of 1336 996 bnhtht.exe 96 PID 1336 wrote to memory of 672 1336 pdpdv.exe 97 PID 1336 wrote to memory of 672 1336 pdpdv.exe 97 PID 1336 wrote to memory of 672 1336 pdpdv.exe 97 PID 672 wrote to memory of 3592 672 tbtbhn.exe 98 PID 672 wrote to memory of 3592 672 tbtbhn.exe 98 PID 672 wrote to memory of 3592 672 tbtbhn.exe 98 PID 3592 wrote to memory of 2400 3592 3xlflfl.exe 99 PID 3592 wrote to memory of 2400 3592 3xlflfl.exe 99 PID 3592 wrote to memory of 2400 3592 3xlflfl.exe 99 PID 2400 wrote to memory of 4536 2400 1nthnn.exe 100 PID 2400 wrote to memory of 4536 2400 1nthnn.exe 100 PID 2400 wrote to memory of 4536 2400 1nthnn.exe 100 PID 4536 wrote to memory of 3364 4536 jjvpj.exe 101 PID 4536 wrote to memory of 3364 4536 jjvpj.exe 101 PID 4536 wrote to memory of 3364 4536 jjvpj.exe 101 PID 3364 wrote to memory of 4352 3364 xxxrlxl.exe 102 PID 3364 wrote to memory of 4352 3364 xxxrlxl.exe 102 PID 3364 wrote to memory of 4352 3364 xxxrlxl.exe 102 PID 4352 wrote to memory of 2192 4352 jddpd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\552f93e7b4e2c1d37b2aa6d6ebcc991690f830949a7658eceb7e8a1e9084c121.exe"C:\Users\Admin\AppData\Local\Temp\552f93e7b4e2c1d37b2aa6d6ebcc991690f830949a7658eceb7e8a1e9084c121.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\frfrfll.exec:\frfrfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\jvpdp.exec:\jvpdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\jpvpj.exec:\jpvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\rffrlrl.exec:\rffrlrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\tthbbh.exec:\tthbbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\pddvd.exec:\pddvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\dppjd.exec:\dppjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\lrrxfxx.exec:\lrrxfxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\thhtnb.exec:\thhtnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\pdvjp.exec:\pdvjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\flffxrx.exec:\flffxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\dpjvp.exec:\dpjvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\9rxlxlx.exec:\9rxlxlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\bnhtht.exec:\bnhtht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\pdpdv.exec:\pdpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\tbtbhn.exec:\tbtbhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\3xlflfl.exec:\3xlflfl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\1nthnn.exec:\1nthnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\jjvpj.exec:\jjvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\xxxrlxl.exec:\xxxrlxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\jddpd.exec:\jddpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\1lxrxrf.exec:\1lxrxrf.exe23⤵
- Executes dropped EXE
PID:2192 -
\??\c:\jppdp.exec:\jppdp.exe24⤵
- Executes dropped EXE
PID:2952 -
\??\c:\pdpjv.exec:\pdpjv.exe25⤵
- Executes dropped EXE
PID:2768 -
\??\c:\rfxlrlf.exec:\rfxlrlf.exe26⤵
- Executes dropped EXE
PID:4560 -
\??\c:\5tnhbt.exec:\5tnhbt.exe27⤵
- Executes dropped EXE
PID:644 -
\??\c:\vjvpj.exec:\vjvpj.exe28⤵
- Executes dropped EXE
PID:3500 -
\??\c:\3xlxrlx.exec:\3xlxrlx.exe29⤵
- Executes dropped EXE
PID:1612 -
\??\c:\hnhtnh.exec:\hnhtnh.exe30⤵
- Executes dropped EXE
PID:1292 -
\??\c:\dvvjv.exec:\dvvjv.exe31⤵
- Executes dropped EXE
PID:1604 -
\??\c:\thhntt.exec:\thhntt.exe32⤵
- Executes dropped EXE
PID:2092 -
\??\c:\nttthb.exec:\nttthb.exe33⤵
- Executes dropped EXE
PID:4296 -
\??\c:\7fxlxrf.exec:\7fxlxrf.exe34⤵
- Executes dropped EXE
PID:624 -
\??\c:\htbthb.exec:\htbthb.exe35⤵
- Executes dropped EXE
PID:1456 -
\??\c:\vpjdp.exec:\vpjdp.exe36⤵
- Executes dropped EXE
PID:2924 -
\??\c:\3xfrllr.exec:\3xfrllr.exe37⤵
- Executes dropped EXE
PID:3780 -
\??\c:\bhbnbt.exec:\bhbnbt.exe38⤵
- Executes dropped EXE
PID:2128 -
\??\c:\vpjpv.exec:\vpjpv.exe39⤵
- Executes dropped EXE
PID:3444 -
\??\c:\3jdjp.exec:\3jdjp.exe40⤵
- Executes dropped EXE
PID:2776 -
\??\c:\1llxlfr.exec:\1llxlfr.exe41⤵
- Executes dropped EXE
PID:1696 -
\??\c:\1nnhbt.exec:\1nnhbt.exe42⤵
- Executes dropped EXE
PID:2564 -
\??\c:\5vjvp.exec:\5vjvp.exe43⤵
- Executes dropped EXE
PID:5116 -
\??\c:\ddjvj.exec:\ddjvj.exe44⤵
- Executes dropped EXE
PID:2292 -
\??\c:\fxxfrlf.exec:\fxxfrlf.exe45⤵
- Executes dropped EXE
PID:1780 -
\??\c:\3ffrrlx.exec:\3ffrrlx.exe46⤵
- Executes dropped EXE
PID:3224 -
\??\c:\nbthth.exec:\nbthth.exe47⤵
- Executes dropped EXE
PID:3672 -
\??\c:\jppvj.exec:\jppvj.exe48⤵
- Executes dropped EXE
PID:1536 -
\??\c:\lrlxrll.exec:\lrlxrll.exe49⤵
- Executes dropped EXE
PID:3980 -
\??\c:\nnthbt.exec:\nnthbt.exe50⤵
- Executes dropped EXE
PID:1680 -
\??\c:\9bbnhh.exec:\9bbnhh.exe51⤵
- Executes dropped EXE
PID:3436 -
\??\c:\jvvjp.exec:\jvvjp.exe52⤵
- Executes dropped EXE
PID:2448 -
\??\c:\3xrlrrf.exec:\3xrlrrf.exe53⤵
- Executes dropped EXE
PID:4548 -
\??\c:\bnhtnh.exec:\bnhtnh.exe54⤵
- Executes dropped EXE
PID:4420 -
\??\c:\llfrfxf.exec:\llfrfxf.exe55⤵
- Executes dropped EXE
PID:1432 -
\??\c:\7xlxxrx.exec:\7xlxxrx.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:756 -
\??\c:\hhnhht.exec:\hhnhht.exe57⤵
- Executes dropped EXE
PID:3704 -
\??\c:\jvdvj.exec:\jvdvj.exe58⤵
- Executes dropped EXE
PID:2108 -
\??\c:\djpdp.exec:\djpdp.exe59⤵
- Executes dropped EXE
PID:4784 -
\??\c:\1ffllfl.exec:\1ffllfl.exe60⤵
- Executes dropped EXE
PID:3988 -
\??\c:\1nhtht.exec:\1nhtht.exe61⤵
- Executes dropped EXE
PID:556 -
\??\c:\5jddv.exec:\5jddv.exe62⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lfrfrlx.exec:\lfrfrlx.exe63⤵
- Executes dropped EXE
PID:4264 -
\??\c:\btbtbn.exec:\btbtbn.exe64⤵
- Executes dropped EXE
PID:1376 -
\??\c:\dvdpj.exec:\dvdpj.exe65⤵
- Executes dropped EXE
PID:628 -
\??\c:\djjvp.exec:\djjvp.exe66⤵PID:1672
-
\??\c:\rxfrxxr.exec:\rxfrxxr.exe67⤵PID:2624
-
\??\c:\nnnhtn.exec:\nnnhtn.exe68⤵PID:2688
-
\??\c:\btnbnb.exec:\btnbnb.exe69⤵PID:4812
-
\??\c:\dppvv.exec:\dppvv.exe70⤵PID:3256
-
\??\c:\rrxlxlx.exec:\rrxlxlx.exe71⤵PID:1852
-
\??\c:\7bnhhb.exec:\7bnhhb.exe72⤵PID:1748
-
\??\c:\5hhtnh.exec:\5hhtnh.exe73⤵PID:3176
-
\??\c:\vjdvd.exec:\vjdvd.exe74⤵PID:400
-
\??\c:\flrxrlx.exec:\flrxrlx.exe75⤵PID:812
-
\??\c:\thbthb.exec:\thbthb.exe76⤵PID:4536
-
\??\c:\1bbhtn.exec:\1bbhtn.exe77⤵PID:3608
-
\??\c:\pjpdj.exec:\pjpdj.exe78⤵PID:2368
-
\??\c:\xlrxlfr.exec:\xlrxlfr.exe79⤵PID:1296
-
\??\c:\btthth.exec:\btthth.exe80⤵PID:5104
-
\??\c:\3hthtn.exec:\3hthtn.exe81⤵PID:1444
-
\??\c:\7dvpv.exec:\7dvpv.exe82⤵PID:4336
-
\??\c:\vddvv.exec:\vddvv.exe83⤵PID:640
-
\??\c:\llrfrlf.exec:\llrfrlf.exe84⤵PID:4440
-
\??\c:\nbthtn.exec:\nbthtn.exe85⤵PID:2208
-
\??\c:\pjjvj.exec:\pjjvj.exe86⤵PID:3500
-
\??\c:\llfrfxr.exec:\llfrfxr.exe87⤵PID:3392
-
\??\c:\rxxlxlx.exec:\rxxlxlx.exe88⤵
- System Location Discovery: System Language Discovery
PID:1452 -
\??\c:\nnnbtn.exec:\nnnbtn.exe89⤵PID:4396
-
\??\c:\5ddpv.exec:\5ddpv.exe90⤵PID:1604
-
\??\c:\lllxlfx.exec:\lllxlfx.exe91⤵PID:3680
-
\??\c:\xrlrlfx.exec:\xrlrlfx.exe92⤵PID:4492
-
\??\c:\pjjdp.exec:\pjjdp.exe93⤵PID:3644
-
\??\c:\jppdp.exec:\jppdp.exe94⤵PID:3740
-
\??\c:\xlfrffx.exec:\xlfrffx.exe95⤵PID:2100
-
\??\c:\nbtnbt.exec:\nbtnbt.exe96⤵PID:2120
-
\??\c:\dpdpd.exec:\dpdpd.exe97⤵PID:3820
-
\??\c:\jppjp.exec:\jppjp.exe98⤵PID:2128
-
\??\c:\rffrfrl.exec:\rffrfrl.exe99⤵PID:2068
-
\??\c:\bnnbnh.exec:\bnnbnh.exe100⤵PID:2200
-
\??\c:\vppjj.exec:\vppjj.exe101⤵PID:1696
-
\??\c:\lfxlxrf.exec:\lfxlxrf.exe102⤵PID:4988
-
\??\c:\btthbn.exec:\btthbn.exe103⤵PID:1520
-
\??\c:\3ntntt.exec:\3ntntt.exe104⤵PID:2292
-
\??\c:\ddjvp.exec:\ddjvp.exe105⤵PID:2036
-
\??\c:\lflfxxx.exec:\lflfxxx.exe106⤵PID:4744
-
\??\c:\nnthnn.exec:\nnthnn.exe107⤵PID:1228
-
\??\c:\bhbttt.exec:\bhbttt.exe108⤵PID:3156
-
\??\c:\1jjpj.exec:\1jjpj.exe109⤵PID:224
-
\??\c:\xxxlrrl.exec:\xxxlrrl.exe110⤵PID:3464
-
\??\c:\hntnhb.exec:\hntnhb.exe111⤵PID:3436
-
\??\c:\9btnht.exec:\9btnht.exe112⤵PID:5088
-
\??\c:\dvvjd.exec:\dvvjd.exe113⤵PID:4832
-
\??\c:\frxlxxl.exec:\frxlxxl.exe114⤵PID:2140
-
\??\c:\nbtnhh.exec:\nbtnhh.exe115⤵PID:3372
-
\??\c:\9jpjd.exec:\9jpjd.exe116⤵PID:2488
-
\??\c:\1jjvv.exec:\1jjvv.exe117⤵PID:2644
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe118⤵PID:5092
-
\??\c:\9tthbb.exec:\9tthbb.exe119⤵PID:3648
-
\??\c:\jdjjd.exec:\jdjjd.exe120⤵PID:1960
-
\??\c:\jddvp.exec:\jddvp.exe121⤵PID:1340
-
\??\c:\flfrffl.exec:\flfrffl.exe122⤵PID:972