Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b00d05f5dd57b2b99670ef31b4f3854a891ce9e678bd7eb35d25dd4888a98766.exe
Resource
win7-20241010-en
7 signatures (note: the memory-dump and process IoCs listed under Signatures below carry the behavioral2 prefix, i.e. they come from the windows10-2004_x64 run described under Analysis, not from this Windows 7 task)
150 seconds
General
-
Target
b00d05f5dd57b2b99670ef31b4f3854a891ce9e678bd7eb35d25dd4888a98766.exe
-
Size
454KB
-
MD5
12051df08edd9f228d3a691cc512d3e8
-
SHA1
ac2da967dc845ef0138f42f63e80152782ff2f9b
-
SHA256
b00d05f5dd57b2b99670ef31b4f3854a891ce9e678bd7eb35d25dd4888a98766
-
SHA512
378dfe12a849616d4087ad6f07e572227e80c104b627a5b8a98bf403af18780f2497d91e8f1909fcd3b6eea084b0c64dcff4cdd1ebafb5623685d068908f68ae
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbePI:q7Tc2NYHUrAwfMp3CDw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4036-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2936-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/564-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2112-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-1093-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4064-1647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5072 5lrlrxf.exe 1876 3jpdd.exe 756 xxlflrx.exe 384 bbhbtt.exe 3032 9fffxff.exe 3144 frxrlff.exe 4812 bhbbtb.exe 640 vvjdp.exe 1404 7jddv.exe 1804 flrlfff.exe 4804 bbbtnh.exe 2712 dpvpj.exe 1076 rfffrrl.exe 2116 rflfxrl.exe 4780 jdjjd.exe 1072 lrrxxlr.exe 3640 lxxlffx.exe 2044 nhbbtt.exe 4736 xflxxxr.exe 1608 nbbbtt.exe 4456 7dpvv.exe 3148 xrfxrll.exe 1776 bnnhbb.exe 4836 tnnhbn.exe 1056 pdppj.exe 64 7rxrlfx.exe 1504 1ffxrrl.exe 564 thnhbh.exe 3104 pdvpp.exe 3720 3vdvj.exe 3180 7fxrfxx.exe 3632 hbbtnn.exe 452 nhbbnn.exe 1068 dvvpv.exe 4920 pdjvv.exe 4512 lrxrllf.exe 3980 hhtnbt.exe 2936 thnhbn.exe 368 vpvjd.exe 4680 1rxrxxf.exe 4508 xrlxlfx.exe 4908 hbhtnn.exe 488 tbthbt.exe 2984 pjvvp.exe 4188 fflffrr.exe 4040 lxlffrr.exe 1100 thnhbb.exe 4016 pvdjj.exe 4132 vppjd.exe 4972 xxfxrrl.exe 5044 bthbtt.exe 4284 hhbbtb.exe 636 rllffxx.exe 4772 ttthhb.exe 2968 pdjdp.exe 4892 lflrllx.exe 1672 bbbtnt.exe 4012 djdvj.exe 1084 3ffffff.exe 2092 pddjd.exe 4428 1lfxfxf.exe 1712 tbttnt.exe 4828 nhbttb.exe 3288 rrxrllr.exe -
resource yara_rule behavioral2/memory/4036-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-213-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2936-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/564-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-400-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3620-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-821-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-869-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4036 wrote to memory of 5072 4036 b00d05f5dd57b2b99670ef31b4f3854a891ce9e678bd7eb35d25dd4888a98766.exe 82 PID 4036 wrote to memory of 5072 4036 b00d05f5dd57b2b99670ef31b4f3854a891ce9e678bd7eb35d25dd4888a98766.exe 82 PID 4036 wrote to memory of 5072 4036 b00d05f5dd57b2b99670ef31b4f3854a891ce9e678bd7eb35d25dd4888a98766.exe 82 PID 5072 wrote to memory of 1876 5072 5lrlrxf.exe 83 PID 5072 wrote to memory of 1876 5072 5lrlrxf.exe 83 PID 5072 wrote to memory of 1876 5072 5lrlrxf.exe 83 PID 1876 wrote to memory of 756 1876 3jpdd.exe 84 PID 1876 wrote to memory of 756 1876 3jpdd.exe 84 PID 1876 wrote to memory of 756 1876 3jpdd.exe 84 PID 756 wrote to memory of 384 756 xxlflrx.exe 85 PID 756 wrote to memory of 384 756 xxlflrx.exe 85 PID 756 wrote to memory of 384 756 xxlflrx.exe 85 PID 384 wrote to memory of 3032 384 bbhbtt.exe 86 PID 384 wrote to memory of 3032 384 bbhbtt.exe 86 PID 384 wrote to memory of 3032 384 bbhbtt.exe 86 PID 3032 wrote to memory of 3144 3032 9fffxff.exe 87 PID 3032 wrote to memory of 3144 3032 9fffxff.exe 87 PID 3032 wrote to memory of 3144 3032 9fffxff.exe 87 PID 3144 wrote to memory of 4812 3144 frxrlff.exe 88 PID 3144 wrote to memory of 4812 3144 frxrlff.exe 88 PID 3144 wrote to memory of 4812 3144 frxrlff.exe 88 PID 4812 wrote to memory of 640 4812 bhbbtb.exe 89 PID 4812 wrote to memory of 640 4812 bhbbtb.exe 89 PID 4812 wrote to memory of 640 4812 bhbbtb.exe 89 PID 640 wrote to memory of 1404 640 vvjdp.exe 90 PID 640 wrote to memory of 1404 640 vvjdp.exe 90 PID 640 wrote to memory of 1404 640 vvjdp.exe 90 PID 1404 wrote to memory of 1804 1404 7jddv.exe 91 PID 1404 wrote to memory of 1804 1404 7jddv.exe 91 PID 1404 wrote to memory of 1804 1404 7jddv.exe 91 PID 1804 wrote to memory of 4804 1804 flrlfff.exe 92 PID 1804 wrote to memory of 4804 1804 flrlfff.exe 92 PID 1804 wrote to memory of 4804 1804 flrlfff.exe 92 PID 4804 wrote to memory of 2712 4804 bbbtnh.exe 93 PID 4804 wrote to memory of 2712 4804 
bbbtnh.exe 93 PID 4804 wrote to memory of 2712 4804 bbbtnh.exe 93 PID 2712 wrote to memory of 1076 2712 dpvpj.exe 94 PID 2712 wrote to memory of 1076 2712 dpvpj.exe 94 PID 2712 wrote to memory of 1076 2712 dpvpj.exe 94 PID 1076 wrote to memory of 2116 1076 rfffrrl.exe 95 PID 1076 wrote to memory of 2116 1076 rfffrrl.exe 95 PID 1076 wrote to memory of 2116 1076 rfffrrl.exe 95 PID 2116 wrote to memory of 4780 2116 rflfxrl.exe 96 PID 2116 wrote to memory of 4780 2116 rflfxrl.exe 96 PID 2116 wrote to memory of 4780 2116 rflfxrl.exe 96 PID 4780 wrote to memory of 1072 4780 jdjjd.exe 97 PID 4780 wrote to memory of 1072 4780 jdjjd.exe 97 PID 4780 wrote to memory of 1072 4780 jdjjd.exe 97 PID 1072 wrote to memory of 3640 1072 lrrxxlr.exe 98 PID 1072 wrote to memory of 3640 1072 lrrxxlr.exe 98 PID 1072 wrote to memory of 3640 1072 lrrxxlr.exe 98 PID 3640 wrote to memory of 2044 3640 lxxlffx.exe 99 PID 3640 wrote to memory of 2044 3640 lxxlffx.exe 99 PID 3640 wrote to memory of 2044 3640 lxxlffx.exe 99 PID 2044 wrote to memory of 4736 2044 nhbbtt.exe 100 PID 2044 wrote to memory of 4736 2044 nhbbtt.exe 100 PID 2044 wrote to memory of 4736 2044 nhbbtt.exe 100 PID 4736 wrote to memory of 1608 4736 xflxxxr.exe 101 PID 4736 wrote to memory of 1608 4736 xflxxxr.exe 101 PID 4736 wrote to memory of 1608 4736 xflxxxr.exe 101 PID 1608 wrote to memory of 4456 1608 nbbbtt.exe 102 PID 1608 wrote to memory of 4456 1608 nbbbtt.exe 102 PID 1608 wrote to memory of 4456 1608 nbbbtt.exe 102 PID 4456 wrote to memory of 3148 4456 7dpvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b00d05f5dd57b2b99670ef31b4f3854a891ce9e678bd7eb35d25dd4888a98766.exe"C:\Users\Admin\AppData\Local\Temp\b00d05f5dd57b2b99670ef31b4f3854a891ce9e678bd7eb35d25dd4888a98766.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\5lrlrxf.exec:\5lrlrxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\3jpdd.exec:\3jpdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\xxlflrx.exec:\xxlflrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\bbhbtt.exec:\bbhbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\9fffxff.exec:\9fffxff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\frxrlff.exec:\frxrlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\bhbbtb.exec:\bhbbtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\vvjdp.exec:\vvjdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\7jddv.exec:\7jddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\flrlfff.exec:\flrlfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\bbbtnh.exec:\bbbtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\dpvpj.exec:\dpvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\rfffrrl.exec:\rfffrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\rflfxrl.exec:\rflfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\jdjjd.exec:\jdjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\lrrxxlr.exec:\lrrxxlr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\lxxlffx.exec:\lxxlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\nhbbtt.exec:\nhbbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\xflxxxr.exec:\xflxxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\nbbbtt.exec:\nbbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\7dpvv.exec:\7dpvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\xrfxrll.exec:\xrfxrll.exe23⤵
- Executes dropped EXE
PID:3148 -
\??\c:\bnnhbb.exec:\bnnhbb.exe24⤵
- Executes dropped EXE
PID:1776 -
\??\c:\tnnhbn.exec:\tnnhbn.exe25⤵
- Executes dropped EXE
PID:4836 -
\??\c:\pdppj.exec:\pdppj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056 -
\??\c:\7rxrlfx.exec:\7rxrlfx.exe27⤵
- Executes dropped EXE
PID:64 -
\??\c:\1ffxrrl.exec:\1ffxrrl.exe28⤵
- Executes dropped EXE
PID:1504 -
\??\c:\thnhbh.exec:\thnhbh.exe29⤵
- Executes dropped EXE
PID:564 -
\??\c:\pdvpp.exec:\pdvpp.exe30⤵
- Executes dropped EXE
PID:3104 -
\??\c:\3vdvj.exec:\3vdvj.exe31⤵
- Executes dropped EXE
PID:3720 -
\??\c:\7fxrfxx.exec:\7fxrfxx.exe32⤵
- Executes dropped EXE
PID:3180 -
\??\c:\hbbtnn.exec:\hbbtnn.exe33⤵
- Executes dropped EXE
PID:3632 -
\??\c:\nhbbnn.exec:\nhbbnn.exe34⤵
- Executes dropped EXE
PID:452 -
\??\c:\dvvpv.exec:\dvvpv.exe35⤵
- Executes dropped EXE
PID:1068 -
\??\c:\pdjvv.exec:\pdjvv.exe36⤵
- Executes dropped EXE
PID:4920 -
\??\c:\lrxrllf.exec:\lrxrllf.exe37⤵
- Executes dropped EXE
PID:4512 -
\??\c:\hhtnbt.exec:\hhtnbt.exe38⤵
- Executes dropped EXE
PID:3980 -
\??\c:\thnhbn.exec:\thnhbn.exe39⤵
- Executes dropped EXE
PID:2936 -
\??\c:\vpvjd.exec:\vpvjd.exe40⤵
- Executes dropped EXE
PID:368 -
\??\c:\1rxrxxf.exec:\1rxrxxf.exe41⤵
- Executes dropped EXE
PID:4680 -
\??\c:\xrlxlfx.exec:\xrlxlfx.exe42⤵
- Executes dropped EXE
PID:4508 -
\??\c:\hbhtnn.exec:\hbhtnn.exe43⤵
- Executes dropped EXE
PID:4908 -
\??\c:\tbthbt.exec:\tbthbt.exe44⤵
- Executes dropped EXE
PID:488 -
\??\c:\pjvvp.exec:\pjvvp.exe45⤵
- Executes dropped EXE
PID:2984 -
\??\c:\fflffrr.exec:\fflffrr.exe46⤵
- Executes dropped EXE
PID:4188 -
\??\c:\lxlffrr.exec:\lxlffrr.exe47⤵
- Executes dropped EXE
PID:4040 -
\??\c:\thnhbb.exec:\thnhbb.exe48⤵
- Executes dropped EXE
PID:1100 -
\??\c:\pvdjj.exec:\pvdjj.exe49⤵
- Executes dropped EXE
PID:4016 -
\??\c:\vppjd.exec:\vppjd.exe50⤵
- Executes dropped EXE
PID:4132 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe51⤵
- Executes dropped EXE
PID:4972 -
\??\c:\bthbtt.exec:\bthbtt.exe52⤵
- Executes dropped EXE
PID:5044 -
\??\c:\hhbbtb.exec:\hhbbtb.exe53⤵
- Executes dropped EXE
PID:4284 -
\??\c:\rllffxx.exec:\rllffxx.exe54⤵
- Executes dropped EXE
PID:636 -
\??\c:\ttthhb.exec:\ttthhb.exe55⤵
- Executes dropped EXE
PID:4772 -
\??\c:\pdjdp.exec:\pdjdp.exe56⤵
- Executes dropped EXE
PID:2968 -
\??\c:\lflrllx.exec:\lflrllx.exe57⤵
- Executes dropped EXE
PID:4892 -
\??\c:\bbbtnt.exec:\bbbtnt.exe58⤵
- Executes dropped EXE
PID:1672 -
\??\c:\djdvj.exec:\djdvj.exe59⤵
- Executes dropped EXE
PID:4012 -
\??\c:\3ffffff.exec:\3ffffff.exe60⤵
- Executes dropped EXE
PID:1084 -
\??\c:\pddjd.exec:\pddjd.exe61⤵
- Executes dropped EXE
PID:2092 -
\??\c:\1lfxfxf.exec:\1lfxfxf.exe62⤵
- Executes dropped EXE
PID:4428 -
\??\c:\tbttnt.exec:\tbttnt.exe63⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nhbttb.exec:\nhbttb.exe64⤵
- Executes dropped EXE
PID:4828 -
\??\c:\rrxrllr.exec:\rrxrllr.exe65⤵
- Executes dropped EXE
PID:3288 -
\??\c:\5hnhbb.exec:\5hnhbb.exe66⤵PID:1588
-
\??\c:\jvjpj.exec:\jvjpj.exe67⤵PID:3312
-
\??\c:\xxxlflf.exec:\xxxlflf.exe68⤵PID:1524
-
\??\c:\vpvpd.exec:\vpvpd.exe69⤵PID:1544
-
\??\c:\pjpvv.exec:\pjpvv.exe70⤵PID:948
-
\??\c:\djddv.exec:\djddv.exe71⤵PID:3508
-
\??\c:\xxrllff.exec:\xxrllff.exe72⤵PID:3492
-
\??\c:\htnntt.exec:\htnntt.exe73⤵
- System Location Discovery: System Language Discovery
PID:5052 -
\??\c:\nbbbth.exec:\nbbbth.exe74⤵PID:3628
-
\??\c:\7dvvv.exec:\7dvvv.exe75⤵PID:2904
-
\??\c:\rflfxxr.exec:\rflfxxr.exe76⤵PID:2068
-
\??\c:\tttnbb.exec:\tttnbb.exe77⤵PID:4524
-
\??\c:\dpvpj.exec:\dpvpj.exe78⤵PID:4748
-
\??\c:\vjppj.exec:\vjppj.exe79⤵PID:1992
-
\??\c:\flxlfxx.exec:\flxlfxx.exe80⤵PID:3908
-
\??\c:\5tbbbb.exec:\5tbbbb.exe81⤵PID:4232
-
\??\c:\7jpdp.exec:\7jpdp.exe82⤵PID:3752
-
\??\c:\fffxrlf.exec:\fffxrlf.exe83⤵PID:1372
-
\??\c:\btbtnn.exec:\btbtnn.exe84⤵PID:3392
-
\??\c:\1vvdv.exec:\1vvdv.exe85⤵PID:556
-
\??\c:\frxrlll.exec:\frxrlll.exe86⤵PID:4448
-
\??\c:\lrfxrxr.exec:\lrfxrxr.exe87⤵PID:2112
-
\??\c:\hhtnht.exec:\hhtnht.exe88⤵PID:4912
-
\??\c:\jpvpj.exec:\jpvpj.exe89⤵PID:3036
-
\??\c:\vpdvp.exec:\vpdvp.exe90⤵PID:2648
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe91⤵PID:3652
-
\??\c:\bnhbbb.exec:\bnhbbb.exe92⤵PID:4300
-
\??\c:\tbhbnh.exec:\tbhbnh.exe93⤵PID:1620
-
\??\c:\vdjjd.exec:\vdjjd.exe94⤵PID:2312
-
\??\c:\xllfrrl.exec:\xllfrrl.exe95⤵PID:2492
-
\??\c:\bbbttt.exec:\bbbttt.exe96⤵PID:2628
-
\??\c:\vppjd.exec:\vppjd.exe97⤵PID:1748
-
\??\c:\pjjdv.exec:\pjjdv.exe98⤵PID:1008
-
\??\c:\djvpj.exec:\djvpj.exe99⤵PID:4504
-
\??\c:\rrrlxxr.exec:\rrrlxxr.exe100⤵PID:4128
-
\??\c:\hnbttn.exec:\hnbttn.exe101⤵PID:3620
-
\??\c:\tnnbtt.exec:\tnnbtt.exe102⤵PID:3524
-
\??\c:\dppjd.exec:\dppjd.exe103⤵PID:4420
-
\??\c:\frfxrll.exec:\frfxrll.exe104⤵PID:1668
-
\??\c:\tnhbnn.exec:\tnhbnn.exe105⤵PID:3400
-
\??\c:\9pppp.exec:\9pppp.exe106⤵PID:788
-
\??\c:\xrrxrxr.exec:\xrrxrxr.exe107⤵PID:3408
-
\??\c:\llxxffl.exec:\llxxffl.exe108⤵PID:4360
-
\??\c:\ntbbtt.exec:\ntbbtt.exe109⤵PID:3716
-
\??\c:\9ddpj.exec:\9ddpj.exe110⤵PID:1100
-
\??\c:\jjvpp.exec:\jjvpp.exe111⤵PID:2564
-
\??\c:\5lfxllf.exec:\5lfxllf.exe112⤵PID:2096
-
\??\c:\hbbnhb.exec:\hbbnhb.exe113⤵PID:4224
-
\??\c:\nnbtbb.exec:\nnbtbb.exe114⤵PID:3276
-
\??\c:\vpdvp.exec:\vpdvp.exe115⤵PID:2748
-
\??\c:\fxrllxr.exec:\fxrllxr.exe116⤵PID:4468
-
\??\c:\lxrlffx.exec:\lxrlffx.exe117⤵PID:2796
-
\??\c:\hbhhbt.exec:\hbhhbt.exe118⤵PID:4844
-
\??\c:\djpdv.exec:\djpdv.exe119⤵PID:1832
-
\??\c:\lffrfxl.exec:\lffrfxl.exe120⤵PID:1980
-
\??\c:\lffxrlf.exec:\lffxrlf.exe121⤵PID:4400
-
\??\c:\nnbtnn.exec:\nnbtnn.exe122⤵PID:756