Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
20-01-2025 09:03
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
63b180ed7b0a57637360921d07196c9aec1bd4f354334fb3644543ef1790dc57.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
63b180ed7b0a57637360921d07196c9aec1bd4f354334fb3644543ef1790dc57.exe
-
Size
455KB
-
MD5
772c232ea5224bedac0fca1e518d7b22
-
SHA1
a65c5994814a23b4e3e81e690106a6721b7a7a40
-
SHA256
63b180ed7b0a57637360921d07196c9aec1bd4f354334fb3644543ef1790dc57
-
SHA512
b603a7185083125cc149fd4935c2dca351309ffd92667a347bad6b3e816b92bfd4012aca19988e5a21a0464f4436ef59c069d2328d8ca02d48e21e8e7798366e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTI:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4844-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4168-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/564-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3312-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-860-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-1494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-1814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-1827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1128-1867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4844 xfrfxrl.exe 3040 tnnbtb.exe 3660 pddvj.exe 3084 fxrlfxr.exe 4516 ffrflrl.exe 4428 9fxxrrl.exe 3284 pdpjp.exe 3316 thhtbt.exe 1588 vdvpd.exe 2272 xrllflf.exe 4804 thbbhn.exe 1844 9flxxxx.exe 4968 xllxllx.exe 1920 7tntnh.exe 4864 frlxrlx.exe 4996 bbbnhb.exe 5084 7bhbnn.exe 4020 pjjvp.exe 4976 htnhtt.exe 1372 7jpjj.exe 4324 rxfrlfr.exe 5100 fxfrfxr.exe 4728 9flfllr.exe 556 xxrffll.exe 4168 bnbnnn.exe 5040 tbttht.exe 564 hbttnn.exe 3104 jjdvp.exe 3720 5llxllx.exe 3412 hhnhhh.exe 2312 ddpdv.exe 3204 tntnhh.exe 3732 9nnnnn.exe 1984 dppdv.exe 2936 9lrlfff.exe 2864 tttthh.exe 4680 pdvjd.exe 1156 lrfrlff.exe 208 9hntnn.exe 2064 hnbbtt.exe 1664 dvvdv.exe 2580 ffrfxxl.exe 744 nnbnnh.exe 3132 vjpjv.exe 5060 rxxrrfx.exe 1568 tnnhbt.exe 4060 1bbhtn.exe 2316 5rxrrxx.exe 5028 nbnhbt.exe 2980 dvpjj.exe 4400 fflfxxr.exe 2524 3xlffxl.exe 4892 nhhbtt.exe 816 pjpvp.exe 3596 llxrrrr.exe 944 tnbtnh.exe 4280 pddvj.exe 4812 5vjvv.exe 4112 ffxxrrl.exe 1512 nntnhh.exe 3912 hhnntb.exe 1292 jdpjd.exe 3312 ffxrlff.exe 1180 jvpdv.exe -
resource yara_rule behavioral2/memory/3040-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4168-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/564-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4324-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-690-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Entries below attributed to "Process not Found" are the same NLS\Language key opens, but the originating process had most likely already exited before the sandbox could resolve its name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrlll.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bththb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (note: PIDs are reused within this run — e.g. 4324 and 3660 each appear twice in the process tree — so correlate these entries by process name and parent, not by PID alone)
description pid Process procid_target PID 4956 wrote to memory of 4844 4956 63b180ed7b0a57637360921d07196c9aec1bd4f354334fb3644543ef1790dc57.exe 82 PID 4956 wrote to memory of 4844 4956 63b180ed7b0a57637360921d07196c9aec1bd4f354334fb3644543ef1790dc57.exe 82 PID 4956 wrote to memory of 4844 4956 63b180ed7b0a57637360921d07196c9aec1bd4f354334fb3644543ef1790dc57.exe 82 PID 4844 wrote to memory of 3040 4844 xfrfxrl.exe 83 PID 4844 wrote to memory of 3040 4844 xfrfxrl.exe 83 PID 4844 wrote to memory of 3040 4844 xfrfxrl.exe 83 PID 3040 wrote to memory of 3660 3040 tnnbtb.exe 84 PID 3040 wrote to memory of 3660 3040 tnnbtb.exe 84 PID 3040 wrote to memory of 3660 3040 tnnbtb.exe 84 PID 3660 wrote to memory of 3084 3660 pddvj.exe 85 PID 3660 wrote to memory of 3084 3660 pddvj.exe 85 PID 3660 wrote to memory of 3084 3660 pddvj.exe 85 PID 3084 wrote to memory of 4516 3084 fxrlfxr.exe 86 PID 3084 wrote to memory of 4516 3084 fxrlfxr.exe 86 PID 3084 wrote to memory of 4516 3084 fxrlfxr.exe 86 PID 4516 wrote to memory of 4428 4516 ffrflrl.exe 87 PID 4516 wrote to memory of 4428 4516 ffrflrl.exe 87 PID 4516 wrote to memory of 4428 4516 ffrflrl.exe 87 PID 4428 wrote to memory of 3284 4428 9fxxrrl.exe 88 PID 4428 wrote to memory of 3284 4428 9fxxrrl.exe 88 PID 4428 wrote to memory of 3284 4428 9fxxrrl.exe 88 PID 3284 wrote to memory of 3316 3284 pdpjp.exe 89 PID 3284 wrote to memory of 3316 3284 pdpjp.exe 89 PID 3284 wrote to memory of 3316 3284 pdpjp.exe 89 PID 3316 wrote to memory of 1588 3316 thhtbt.exe 90 PID 3316 wrote to memory of 1588 3316 thhtbt.exe 90 PID 3316 wrote to memory of 1588 3316 thhtbt.exe 90 PID 1588 wrote to memory of 2272 1588 vdvpd.exe 91 PID 1588 wrote to memory of 2272 1588 vdvpd.exe 91 PID 1588 wrote to memory of 2272 1588 vdvpd.exe 91 PID 2272 wrote to memory of 4804 2272 xrllflf.exe 92 PID 2272 wrote to memory of 4804 2272 xrllflf.exe 92 PID 2272 wrote to memory of 4804 2272 xrllflf.exe 92 PID 4804 wrote to memory of 1844 4804 thbbhn.exe 93 PID 4804 
wrote to memory of 1844 4804 thbbhn.exe 93 PID 4804 wrote to memory of 1844 4804 thbbhn.exe 93 PID 1844 wrote to memory of 4968 1844 9flxxxx.exe 94 PID 1844 wrote to memory of 4968 1844 9flxxxx.exe 94 PID 1844 wrote to memory of 4968 1844 9flxxxx.exe 94 PID 4968 wrote to memory of 1920 4968 xllxllx.exe 95 PID 4968 wrote to memory of 1920 4968 xllxllx.exe 95 PID 4968 wrote to memory of 1920 4968 xllxllx.exe 95 PID 1920 wrote to memory of 4864 1920 7tntnh.exe 96 PID 1920 wrote to memory of 4864 1920 7tntnh.exe 96 PID 1920 wrote to memory of 4864 1920 7tntnh.exe 96 PID 4864 wrote to memory of 4996 4864 frlxrlx.exe 97 PID 4864 wrote to memory of 4996 4864 frlxrlx.exe 97 PID 4864 wrote to memory of 4996 4864 frlxrlx.exe 97 PID 4996 wrote to memory of 5084 4996 bbbnhb.exe 98 PID 4996 wrote to memory of 5084 4996 bbbnhb.exe 98 PID 4996 wrote to memory of 5084 4996 bbbnhb.exe 98 PID 5084 wrote to memory of 4020 5084 7bhbnn.exe 99 PID 5084 wrote to memory of 4020 5084 7bhbnn.exe 99 PID 5084 wrote to memory of 4020 5084 7bhbnn.exe 99 PID 4020 wrote to memory of 4976 4020 pjjvp.exe 100 PID 4020 wrote to memory of 4976 4020 pjjvp.exe 100 PID 4020 wrote to memory of 4976 4020 pjjvp.exe 100 PID 4976 wrote to memory of 1372 4976 htnhtt.exe 101 PID 4976 wrote to memory of 1372 4976 htnhtt.exe 101 PID 4976 wrote to memory of 1372 4976 htnhtt.exe 101 PID 1372 wrote to memory of 4324 1372 7jpjj.exe 102 PID 1372 wrote to memory of 4324 1372 7jpjj.exe 102 PID 1372 wrote to memory of 4324 1372 7jpjj.exe 102 PID 4324 wrote to memory of 5100 4324 rxfrlfr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\63b180ed7b0a57637360921d07196c9aec1bd4f354334fb3644543ef1790dc57.exe"C:\Users\Admin\AppData\Local\Temp\63b180ed7b0a57637360921d07196c9aec1bd4f354334fb3644543ef1790dc57.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\xfrfxrl.exec:\xfrfxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\tnnbtb.exec:\tnnbtb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\pddvj.exec:\pddvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\ffrflrl.exec:\ffrflrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\9fxxrrl.exec:\9fxxrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\pdpjp.exec:\pdpjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\thhtbt.exec:\thhtbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\vdvpd.exec:\vdvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\xrllflf.exec:\xrllflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\thbbhn.exec:\thbbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\9flxxxx.exec:\9flxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\xllxllx.exec:\xllxllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\7tntnh.exec:\7tntnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\frlxrlx.exec:\frlxrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\bbbnhb.exec:\bbbnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\7bhbnn.exec:\7bhbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\pjjvp.exec:\pjjvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\htnhtt.exec:\htnhtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\7jpjj.exec:\7jpjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\rxfrlfr.exec:\rxfrlfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe23⤵
- Executes dropped EXE
PID:5100 -
\??\c:\9flfllr.exec:\9flfllr.exe24⤵
- Executes dropped EXE
PID:4728 -
\??\c:\xxrffll.exec:\xxrffll.exe25⤵
- Executes dropped EXE
PID:556 -
\??\c:\bnbnnn.exec:\bnbnnn.exe26⤵
- Executes dropped EXE
PID:4168 -
\??\c:\tbttht.exec:\tbttht.exe27⤵
- Executes dropped EXE
PID:5040 -
\??\c:\hbttnn.exec:\hbttnn.exe28⤵
- Executes dropped EXE
PID:564 -
\??\c:\jjdvp.exec:\jjdvp.exe29⤵
- Executes dropped EXE
PID:3104 -
\??\c:\5llxllx.exec:\5llxllx.exe30⤵
- Executes dropped EXE
PID:3720 -
\??\c:\hhnhhh.exec:\hhnhhh.exe31⤵
- Executes dropped EXE
PID:3412 -
\??\c:\ddpdv.exec:\ddpdv.exe32⤵
- Executes dropped EXE
PID:2312 -
\??\c:\tntnhh.exec:\tntnhh.exe33⤵
- Executes dropped EXE
PID:3204 -
\??\c:\9nnnnn.exec:\9nnnnn.exe34⤵
- Executes dropped EXE
PID:3732 -
\??\c:\dppdv.exec:\dppdv.exe35⤵
- Executes dropped EXE
PID:1984 -
\??\c:\9lrlfff.exec:\9lrlfff.exe36⤵
- Executes dropped EXE
PID:2936 -
\??\c:\tttthh.exec:\tttthh.exe37⤵
- Executes dropped EXE
PID:2864 -
\??\c:\pdvjd.exec:\pdvjd.exe38⤵
- Executes dropped EXE
PID:4680 -
\??\c:\lrfrlff.exec:\lrfrlff.exe39⤵
- Executes dropped EXE
PID:1156 -
\??\c:\9hntnn.exec:\9hntnn.exe40⤵
- Executes dropped EXE
PID:208 -
\??\c:\hnbbtt.exec:\hnbbtt.exe41⤵
- Executes dropped EXE
PID:2064 -
\??\c:\dvvdv.exec:\dvvdv.exe42⤵
- Executes dropped EXE
PID:1664 -
\??\c:\ffrfxxl.exec:\ffrfxxl.exe43⤵
- Executes dropped EXE
PID:2580 -
\??\c:\nnbnnh.exec:\nnbnnh.exe44⤵
- Executes dropped EXE
PID:744 -
\??\c:\vjpjv.exec:\vjpjv.exe45⤵
- Executes dropped EXE
PID:3132 -
\??\c:\rxxrrfx.exec:\rxxrrfx.exe46⤵
- Executes dropped EXE
PID:5060 -
\??\c:\tnnhbt.exec:\tnnhbt.exe47⤵
- Executes dropped EXE
PID:1568 -
\??\c:\1bbhtn.exec:\1bbhtn.exe48⤵
- Executes dropped EXE
PID:4060 -
\??\c:\jddpj.exec:\jddpj.exe49⤵PID:2180
-
\??\c:\5rxrrxx.exec:\5rxrrxx.exe50⤵
- Executes dropped EXE
PID:2316 -
\??\c:\nbnhbt.exec:\nbnhbt.exe51⤵
- Executes dropped EXE
PID:5028 -
\??\c:\dvpjj.exec:\dvpjj.exe52⤵
- Executes dropped EXE
PID:2980 -
\??\c:\fflfxxr.exec:\fflfxxr.exe53⤵
- Executes dropped EXE
PID:4400 -
\??\c:\3xlffxl.exec:\3xlffxl.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524 -
\??\c:\nhhbtt.exec:\nhhbtt.exe55⤵
- Executes dropped EXE
PID:4892 -
\??\c:\pjpvp.exec:\pjpvp.exe56⤵
- Executes dropped EXE
PID:816 -
\??\c:\llxrrrr.exec:\llxrrrr.exe57⤵
- Executes dropped EXE
PID:3596 -
\??\c:\tnbtnh.exec:\tnbtnh.exe58⤵
- Executes dropped EXE
PID:944 -
\??\c:\pddvj.exec:\pddvj.exe59⤵
- Executes dropped EXE
PID:4280 -
\??\c:\5vjvv.exec:\5vjvv.exe60⤵
- Executes dropped EXE
PID:4812 -
\??\c:\ffxxrrl.exec:\ffxxrrl.exe61⤵
- Executes dropped EXE
PID:4112 -
\??\c:\nntnhh.exec:\nntnhh.exe62⤵
- Executes dropped EXE
PID:1512 -
\??\c:\hhnntb.exec:\hhnntb.exe63⤵
- Executes dropped EXE
PID:3912 -
\??\c:\jdpjd.exec:\jdpjd.exe64⤵
- Executes dropped EXE
PID:1292 -
\??\c:\ffxrlff.exec:\ffxrlff.exe65⤵
- Executes dropped EXE
PID:3312 -
\??\c:\jvpdv.exec:\jvpdv.exe66⤵
- Executes dropped EXE
PID:1180 -
\??\c:\dvvpd.exec:\dvvpd.exe67⤵PID:3780
-
\??\c:\lffxrrl.exec:\lffxrrl.exe68⤵PID:1708
-
\??\c:\ttbthh.exec:\ttbthh.exe69⤵PID:784
-
\??\c:\5pjjv.exec:\5pjjv.exe70⤵PID:1616
-
\??\c:\lxfrffx.exec:\lxfrffx.exe71⤵PID:3492
-
\??\c:\bthbtn.exec:\bthbtn.exe72⤵PID:440
-
\??\c:\jpvvj.exec:\jpvvj.exe73⤵PID:212
-
\??\c:\dvjdj.exec:\dvjdj.exe74⤵PID:2068
-
\??\c:\lxrllrr.exec:\lxrllrr.exe75⤵PID:2896
-
\??\c:\htnhbt.exec:\htnhbt.exe76⤵PID:3648
-
\??\c:\pjjdp.exec:\pjjdp.exe77⤵PID:4748
-
\??\c:\jdjvp.exec:\jdjvp.exe78⤵PID:3464
-
\??\c:\lrlfrrl.exec:\lrlfrrl.exe79⤵PID:3520
-
\??\c:\9tnhbb.exec:\9tnhbb.exe80⤵PID:460
-
\??\c:\dppjj.exec:\dppjj.exe81⤵PID:5036
-
\??\c:\pdddd.exec:\pdddd.exe82⤵PID:4324
-
\??\c:\5flfxfx.exec:\5flfxfx.exe83⤵PID:4796
-
\??\c:\5nhbbb.exec:\5nhbbb.exe84⤵PID:4836
-
\??\c:\pjvdd.exec:\pjvdd.exe85⤵PID:4728
-
\??\c:\rllffff.exec:\rllffff.exe86⤵PID:984
-
\??\c:\xlrlfff.exec:\xlrlfff.exe87⤵PID:1436
-
\??\c:\hnbhhh.exec:\hnbhhh.exe88⤵PID:1976
-
\??\c:\vjjdv.exec:\vjjdv.exe89⤵
- System Location Discovery: System Language Discovery
PID:4992 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe90⤵PID:3456
-
\??\c:\nbbttt.exec:\nbbttt.exe91⤵PID:4744
-
\??\c:\dvpjd.exec:\dvpjd.exe92⤵PID:4024
-
\??\c:\vjjdp.exec:\vjjdp.exe93⤵PID:2336
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe94⤵PID:3720
-
\??\c:\hhhhbn.exec:\hhhhbn.exe95⤵PID:320
-
\??\c:\pddvj.exec:\pddvj.exe96⤵PID:1008
-
\??\c:\xrxxflr.exec:\xrxxflr.exe97⤵PID:2584
-
\??\c:\rrxfxxr.exec:\rrxfxxr.exe98⤵PID:1572
-
\??\c:\nbnhhh.exec:\nbnhhh.exe99⤵PID:3732
-
\??\c:\jppdv.exec:\jppdv.exe100⤵PID:1984
-
\??\c:\jjddp.exec:\jjddp.exe101⤵PID:2024
-
\??\c:\xflfxrx.exec:\xflfxrx.exe102⤵PID:2764
-
\??\c:\bbhbhb.exec:\bbhbhb.exe103⤵PID:1668
-
\??\c:\ddvvj.exec:\ddvvj.exe104⤵PID:4984
-
\??\c:\ddjdv.exec:\ddjdv.exe105⤵PID:2984
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe106⤵PID:3184
-
\??\c:\lxlflll.exec:\lxlflll.exe107⤵PID:3408
-
\??\c:\hbhbbt.exec:\hbhbbt.exe108⤵PID:3872
-
\??\c:\pdjdv.exec:\pdjdv.exe109⤵PID:4444
-
\??\c:\5rxlxxr.exec:\5rxlxxr.exe110⤵PID:4396
-
\??\c:\xrlrlrl.exec:\xrlrlrl.exe111⤵PID:980
-
\??\c:\nhhbtn.exec:\nhhbtn.exe112⤵PID:3512
-
\??\c:\3nthbb.exec:\3nthbb.exe113⤵PID:5032
-
\??\c:\5dddv.exec:\5dddv.exe114⤵PID:5072
-
\??\c:\rrfxxrr.exec:\rrfxxrr.exe115⤵PID:4772
-
\??\c:\bnnbhb.exec:\bnnbhb.exe116⤵PID:1672
-
\??\c:\hnhbbt.exec:\hnhbbt.exe117⤵PID:4776
-
\??\c:\jddvp.exec:\jddvp.exe118⤵PID:3480
-
\??\c:\lxfrffx.exec:\lxfrffx.exe119⤵PID:3660
-
\??\c:\5lrlxfx.exec:\5lrlxfx.exe120⤵PID:1840
-
\??\c:\nhtnnn.exec:\nhtnnn.exe121⤵PID:384
-
\??\c:\jpvpd.exec:\jpvpd.exe122⤵PID:1084