Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe
-
Size
454KB
-
MD5
cb44d12bed4d2308ac57804dad74c860
-
SHA1
344b3cbfaf0756fbe228181578da754296b27977
-
SHA256
5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90
-
SHA512
057b2acdf4aec8b2bb2788eae4c28427a72dc48b93a0bb6b6cdf010af02b674e4f2d08430bb6e4389eaf6cb7f58f2252dcfbd4d02bcbe5836889db11b2cd328b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 60 IoCs
resource yara_rule behavioral2/memory/4376-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4284-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4852-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-1129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4416 5hbtnn.exe 376 fllxfff.exe 1700 5llfxrf.exe 4560 lfxlffx.exe 3120 frxlfrl.exe 2024 9jjjd.exe 860 7btntt.exe 316 dvpjp.exe 4024 hnbbtt.exe 4112 nbbnhh.exe 2456 vpddd.exe 212 rrlfffx.exe 3340 pdddv.exe 2084 nhthhb.exe 3184 rlxrrrr.exe 4612 bttnnn.exe 3300 lrxrrlf.exe 1688 pjpjv.exe 2756 rlfrlfr.exe 2124 ttnhbb.exe 1632 1lfffff.exe 1860 tbhbhh.exe 2260 vjdjv.exe 4468 xlxxrrx.exe 1976 fffxxxx.exe 4004 nntnhn.exe 4284 hnbtbb.exe 3996 ntnbbt.exe 2428 fxffffx.exe 3108 dvjpv.exe 3464 thnhhh.exe 1432 jdppv.exe 1388 fxffxxx.exe 3320 vpvpj.exe 3284 jdjdd.exe 4736 bbnhhh.exe 1904 jdjdp.exe 4108 rlxrxfx.exe 2092 hbhhhb.exe 4104 3ttttt.exe 3600 rrfflrl.exe 5052 7ntnbt.exe 3236 vvdvv.exe 4944 lfrlfxr.exe 1852 lrlxlfr.exe 3564 hhhhbb.exe 1968 djjjj.exe 3160 ffxrffr.exe 4464 hnnhhh.exe 2332 ddppv.exe 3948 jjpjj.exe 1032 xxffxff.exe 384 bnbhtt.exe 4548 jdjdd.exe 1700 5jpjj.exe 3500 lfflflf.exe 4396 htnbtn.exe 672 vvvjp.exe 1620 lxlflll.exe 5012 bthbhb.exe 4336 1djdd.exe 736 5xlfffx.exe 1656 hhbbbn.exe 2248 bnttnh.exe -
resource yara_rule behavioral2/memory/4376-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3996-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5092-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-1129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-1472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-1892-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lflffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4376 wrote to memory of 4416 4376 5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe 82 PID 4376 wrote to memory of 4416 4376 5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe 82 PID 4376 wrote to memory of 4416 4376 5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe 82 PID 4416 wrote to memory of 376 4416 5hbtnn.exe 83 PID 4416 wrote to memory of 376 4416 5hbtnn.exe 83 PID 4416 wrote to memory of 376 4416 5hbtnn.exe 83 PID 376 wrote to memory of 1700 376 fllxfff.exe 84 PID 376 wrote to memory of 1700 376 fllxfff.exe 84 PID 376 wrote to memory of 1700 376 fllxfff.exe 84 PID 1700 wrote to memory of 4560 1700 5llfxrf.exe 85 PID 1700 wrote to memory of 4560 1700 5llfxrf.exe 85 PID 1700 wrote to memory of 4560 1700 5llfxrf.exe 85 PID 4560 wrote to memory of 3120 4560 lfxlffx.exe 86 PID 4560 wrote to memory of 3120 4560 lfxlffx.exe 86 PID 4560 wrote to memory of 3120 4560 lfxlffx.exe 86 PID 3120 wrote to memory of 2024 3120 frxlfrl.exe 87 PID 3120 wrote to memory of 2024 3120 frxlfrl.exe 87 PID 3120 wrote to memory of 2024 3120 frxlfrl.exe 87 PID 2024 wrote to memory of 860 2024 9jjjd.exe 88 PID 2024 wrote to memory of 860 2024 9jjjd.exe 88 PID 2024 wrote to memory of 860 2024 9jjjd.exe 88 PID 860 wrote to memory of 316 860 7btntt.exe 89 PID 860 wrote to memory of 316 860 7btntt.exe 89 PID 860 wrote to memory of 316 860 7btntt.exe 89 PID 316 wrote to memory of 4024 316 dvpjp.exe 90 PID 316 wrote to memory of 4024 316 dvpjp.exe 90 PID 316 wrote to memory of 4024 316 dvpjp.exe 90 PID 4024 wrote to memory of 4112 4024 hnbbtt.exe 91 PID 4024 wrote to memory of 4112 4024 hnbbtt.exe 91 PID 4024 wrote to memory of 4112 4024 hnbbtt.exe 91 PID 4112 wrote to memory of 2456 4112 nbbnhh.exe 92 PID 4112 wrote to memory of 2456 4112 nbbnhh.exe 92 PID 4112 wrote to memory of 2456 4112 nbbnhh.exe 92 PID 2456 wrote to memory of 212 2456 vpddd.exe 93 PID 2456 wrote to memory of 212 2456 
vpddd.exe 93 PID 2456 wrote to memory of 212 2456 vpddd.exe 93 PID 212 wrote to memory of 3340 212 rrlfffx.exe 94 PID 212 wrote to memory of 3340 212 rrlfffx.exe 94 PID 212 wrote to memory of 3340 212 rrlfffx.exe 94 PID 3340 wrote to memory of 2084 3340 pdddv.exe 95 PID 3340 wrote to memory of 2084 3340 pdddv.exe 95 PID 3340 wrote to memory of 2084 3340 pdddv.exe 95 PID 2084 wrote to memory of 3184 2084 nhthhb.exe 96 PID 2084 wrote to memory of 3184 2084 nhthhb.exe 96 PID 2084 wrote to memory of 3184 2084 nhthhb.exe 96 PID 3184 wrote to memory of 4612 3184 rlxrrrr.exe 97 PID 3184 wrote to memory of 4612 3184 rlxrrrr.exe 97 PID 3184 wrote to memory of 4612 3184 rlxrrrr.exe 97 PID 4612 wrote to memory of 3300 4612 bttnnn.exe 98 PID 4612 wrote to memory of 3300 4612 bttnnn.exe 98 PID 4612 wrote to memory of 3300 4612 bttnnn.exe 98 PID 3300 wrote to memory of 1688 3300 lrxrrlf.exe 99 PID 3300 wrote to memory of 1688 3300 lrxrrlf.exe 99 PID 3300 wrote to memory of 1688 3300 lrxrrlf.exe 99 PID 1688 wrote to memory of 2756 1688 pjpjv.exe 100 PID 1688 wrote to memory of 2756 1688 pjpjv.exe 100 PID 1688 wrote to memory of 2756 1688 pjpjv.exe 100 PID 2756 wrote to memory of 2124 2756 rlfrlfr.exe 101 PID 2756 wrote to memory of 2124 2756 rlfrlfr.exe 101 PID 2756 wrote to memory of 2124 2756 rlfrlfr.exe 101 PID 2124 wrote to memory of 1632 2124 ttnhbb.exe 102 PID 2124 wrote to memory of 1632 2124 ttnhbb.exe 102 PID 2124 wrote to memory of 1632 2124 ttnhbb.exe 102 PID 1632 wrote to memory of 1860 1632 1lfffff.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe"C:\Users\Admin\AppData\Local\Temp\5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\5hbtnn.exec:\5hbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\fllxfff.exec:\fllxfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\5llfxrf.exec:\5llfxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\lfxlffx.exec:\lfxlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\frxlfrl.exec:\frxlfrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\9jjjd.exec:\9jjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\7btntt.exec:\7btntt.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\dvpjp.exec:\dvpjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\hnbbtt.exec:\hnbbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\nbbnhh.exec:\nbbnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\vpddd.exec:\vpddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\rrlfffx.exec:\rrlfffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\pdddv.exec:\pdddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\nhthhb.exec:\nhthhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\rlxrrrr.exec:\rlxrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\bttnnn.exec:\bttnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\lrxrrlf.exec:\lrxrrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\pjpjv.exec:\pjpjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\rlfrlfr.exec:\rlfrlfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\ttnhbb.exec:\ttnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\1lfffff.exec:\1lfffff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\tbhbhh.exec:\tbhbhh.exe23⤵
- Executes dropped EXE
PID:1860 -
\??\c:\vjdjv.exec:\vjdjv.exe24⤵
- Executes dropped EXE
PID:2260 -
\??\c:\xlxxrrx.exec:\xlxxrrx.exe25⤵
- Executes dropped EXE
PID:4468 -
\??\c:\fffxxxx.exec:\fffxxxx.exe26⤵
- Executes dropped EXE
PID:1976 -
\??\c:\nntnhn.exec:\nntnhn.exe27⤵
- Executes dropped EXE
PID:4004 -
\??\c:\hnbtbb.exec:\hnbtbb.exe28⤵
- Executes dropped EXE
PID:4284 -
\??\c:\ntnbbt.exec:\ntnbbt.exe29⤵
- Executes dropped EXE
PID:3996 -
\??\c:\fxffffx.exec:\fxffffx.exe30⤵
- Executes dropped EXE
PID:2428 -
\??\c:\dvjpv.exec:\dvjpv.exe31⤵
- Executes dropped EXE
PID:3108 -
\??\c:\thnhhh.exec:\thnhhh.exe32⤵
- Executes dropped EXE
PID:3464 -
\??\c:\jdppv.exec:\jdppv.exe33⤵
- Executes dropped EXE
PID:1432 -
\??\c:\fxffxxx.exec:\fxffxxx.exe34⤵
- Executes dropped EXE
PID:1388 -
\??\c:\vpvpj.exec:\vpvpj.exe35⤵
- Executes dropped EXE
PID:3320 -
\??\c:\jdjdd.exec:\jdjdd.exe36⤵
- Executes dropped EXE
PID:3284 -
\??\c:\bbnhhh.exec:\bbnhhh.exe37⤵
- Executes dropped EXE
PID:4736 -
\??\c:\jdjdp.exec:\jdjdp.exe38⤵
- Executes dropped EXE
PID:1904 -
\??\c:\rlxrxfx.exec:\rlxrxfx.exe39⤵
- Executes dropped EXE
PID:4108 -
\??\c:\hbhhhb.exec:\hbhhhb.exe40⤵
- Executes dropped EXE
PID:2092 -
\??\c:\3ttttt.exec:\3ttttt.exe41⤵
- Executes dropped EXE
PID:4104 -
\??\c:\rrfflrl.exec:\rrfflrl.exe42⤵
- Executes dropped EXE
PID:3600 -
\??\c:\7ntnbt.exec:\7ntnbt.exe43⤵
- Executes dropped EXE
PID:5052 -
\??\c:\vvdvv.exec:\vvdvv.exe44⤵
- Executes dropped EXE
PID:3236 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe45⤵
- Executes dropped EXE
PID:4944 -
\??\c:\lrlxlfr.exec:\lrlxlfr.exe46⤵
- Executes dropped EXE
PID:1852 -
\??\c:\hhhhbb.exec:\hhhhbb.exe47⤵
- Executes dropped EXE
PID:3564 -
\??\c:\djjjj.exec:\djjjj.exe48⤵
- Executes dropped EXE
PID:1968 -
\??\c:\ffxrffr.exec:\ffxrffr.exe49⤵
- Executes dropped EXE
PID:3160 -
\??\c:\hnnhhh.exec:\hnnhhh.exe50⤵
- Executes dropped EXE
PID:4464 -
\??\c:\ddppv.exec:\ddppv.exe51⤵
- Executes dropped EXE
PID:2332 -
\??\c:\jjpjj.exec:\jjpjj.exe52⤵
- Executes dropped EXE
PID:3948 -
\??\c:\xxffxff.exec:\xxffxff.exe53⤵
- Executes dropped EXE
PID:1032 -
\??\c:\bnbhtt.exec:\bnbhtt.exe54⤵
- Executes dropped EXE
PID:384 -
\??\c:\jdjdd.exec:\jdjdd.exe55⤵
- Executes dropped EXE
PID:4548 -
\??\c:\5jpjj.exec:\5jpjj.exe56⤵
- Executes dropped EXE
PID:1700 -
\??\c:\lfflflf.exec:\lfflflf.exe57⤵
- Executes dropped EXE
PID:3500 -
\??\c:\htnbtn.exec:\htnbtn.exe58⤵
- Executes dropped EXE
PID:4396 -
\??\c:\vvvjp.exec:\vvvjp.exe59⤵
- Executes dropped EXE
PID:672 -
\??\c:\lxlflll.exec:\lxlflll.exe60⤵
- Executes dropped EXE
PID:1620 -
\??\c:\bthbhb.exec:\bthbhb.exe61⤵
- Executes dropped EXE
PID:5012 -
\??\c:\1djdd.exec:\1djdd.exe62⤵
- Executes dropped EXE
PID:4336 -
\??\c:\5xlfffx.exec:\5xlfffx.exe63⤵
- Executes dropped EXE
PID:736 -
\??\c:\hhbbbn.exec:\hhbbbn.exe64⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bnttnh.exec:\bnttnh.exe65⤵
- Executes dropped EXE
PID:2248 -
\??\c:\jjvpp.exec:\jjvpp.exe66⤵PID:4524
-
\??\c:\rlfrxxf.exec:\rlfrxxf.exe67⤵PID:3308
-
\??\c:\lflrllr.exec:\lflrllr.exe68⤵PID:2168
-
\??\c:\hbnhbb.exec:\hbnhbb.exe69⤵PID:760
-
\??\c:\ddppv.exec:\ddppv.exe70⤵PID:4404
-
\??\c:\xxflflf.exec:\xxflflf.exe71⤵PID:1728
-
\??\c:\rrxrllf.exec:\rrxrllf.exe72⤵PID:4852
-
\??\c:\bbhhnn.exec:\bbhhnn.exe73⤵PID:2764
-
\??\c:\vjppj.exec:\vjppj.exe74⤵PID:3184
-
\??\c:\lxrlffx.exec:\lxrlffx.exe75⤵PID:3212
-
\??\c:\bhhhhh.exec:\bhhhhh.exe76⤵PID:4860
-
\??\c:\hbbtnh.exec:\hbbtnh.exe77⤵PID:1756
-
\??\c:\ddpvp.exec:\ddpvp.exe78⤵PID:2044
-
\??\c:\rlxfxrr.exec:\rlxfxrr.exe79⤵PID:5076
-
\??\c:\9lxrrrr.exec:\9lxrrrr.exe80⤵PID:5036
-
\??\c:\nhbtnn.exec:\nhbtnn.exe81⤵PID:5092
-
\??\c:\vjvjj.exec:\vjvjj.exe82⤵PID:1452
-
\??\c:\lfrfxlf.exec:\lfrfxlf.exe83⤵PID:3164
-
\??\c:\xrfxxxf.exec:\xrfxxxf.exe84⤵PID:2944
-
\??\c:\nnhhhh.exec:\nnhhhh.exe85⤵PID:3248
-
\??\c:\vvvpp.exec:\vvvpp.exe86⤵PID:4940
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe87⤵PID:3596
-
\??\c:\frlfffx.exec:\frlfffx.exe88⤵PID:2320
-
\??\c:\nhnnnn.exec:\nhnnnn.exe89⤵PID:3556
-
\??\c:\jdpdd.exec:\jdpdd.exe90⤵PID:4004
-
\??\c:\7lllflf.exec:\7lllflf.exe91⤵PID:3456
-
\??\c:\bnbttt.exec:\bnbttt.exe92⤵PID:3760
-
\??\c:\ppppj.exec:\ppppj.exe93⤵PID:3996
-
\??\c:\vpdvp.exec:\vpdvp.exe94⤵PID:3540
-
\??\c:\flxrfff.exec:\flxrfff.exe95⤵PID:3816
-
\??\c:\btthhh.exec:\btthhh.exe96⤵PID:2176
-
\??\c:\jjvvd.exec:\jjvvd.exe97⤵PID:1160
-
\??\c:\lxfllxr.exec:\lxfllxr.exe98⤵PID:1432
-
\??\c:\lfrllff.exec:\lfrllff.exe99⤵PID:1388
-
\??\c:\bttntt.exec:\bttntt.exe100⤵PID:3412
-
\??\c:\jpjjv.exec:\jpjjv.exe101⤵PID:1524
-
\??\c:\flrfllx.exec:\flrfllx.exe102⤵PID:1844
-
\??\c:\hbhhhh.exec:\hbhhhh.exe103⤵PID:2520
-
\??\c:\vpvvp.exec:\vpvvp.exe104⤵PID:5104
-
\??\c:\xfrrrxl.exec:\xfrrrxl.exe105⤵PID:2940
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe106⤵PID:3940
-
\??\c:\bbnbtt.exec:\bbnbtt.exe107⤵PID:5028
-
\??\c:\vjvpp.exec:\vjvpp.exe108⤵PID:4820
-
\??\c:\djjdv.exec:\djjdv.exe109⤵PID:1148
-
\??\c:\rllrxll.exec:\rllrxll.exe110⤵PID:4944
-
\??\c:\hhttnt.exec:\hhttnt.exe111⤵PID:1664
-
\??\c:\7hhbbb.exec:\7hhbbb.exe112⤵PID:1952
-
\??\c:\5vpjd.exec:\5vpjd.exe113⤵PID:900
-
\??\c:\lrrrllx.exec:\lrrrllx.exe114⤵PID:4448
-
\??\c:\bhhhnn.exec:\bhhhnn.exe115⤵PID:5088
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe116⤵PID:4512
-
\??\c:\lfrrllr.exec:\lfrrllr.exe117⤵PID:3252
-
\??\c:\bhhbtt.exec:\bhhbtt.exe118⤵PID:1164
-
\??\c:\vvdvv.exec:\vvdvv.exe119⤵PID:1288
-
\??\c:\pvppv.exec:\pvppv.exe120⤵PID:4544
-
\??\c:\rfrffff.exec:\rfrffff.exe121⤵PID:2736
-
\??\c:\1ntnbt.exec:\1ntnbt.exe122⤵PID:3040