Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 20:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe
-
Size
458KB
-
MD5
8c3536d2885392ac1eb909d9cc40d073
-
SHA1
2209cc5e589f8f0687dd1618afee5569ce236184
-
SHA256
5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2
-
SHA512
142d95d144714db6556519dc63d98f4045e4fa019773b9fb06c71cafb3a55450b42145c477f912ebe9cb6127fa15cec5c2e0b060582da53066168d1814c2a63f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3320-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5768-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6140-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5924-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5696-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5736-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2376-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5892-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3064-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5476-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5772-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-1023-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5848-1372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3264 llxlfxr.exe 5768 tttnbb.exe 556 btthbb.exe 3260 ppvvd.exe 3364 nnbnhh.exe 1256 pvpjd.exe 6140 xrllffx.exe 3152 rlrlffx.exe 4632 xxxxxxx.exe 4708 hnbnbh.exe 4752 vpvdj.exe 4888 rxlflll.exe 5924 dpjjj.exe 1808 jdvvp.exe 5776 1rxrlrl.exe 5084 pjvvp.exe 4912 lrflffx.exe 5696 9nnhbb.exe 5012 1rrlfxr.exe 3620 xrxrllf.exe 776 rlllflf.exe 5736 lxrlfrl.exe 1612 nhnhhh.exe 1192 rrrrlll.exe 5848 vpdvp.exe 2376 lffxllf.exe 184 nbnhtt.exe 5892 1fflxxr.exe 2148 3vvpj.exe 4244 7hhbnn.exe 2316 jpdvp.exe 4204 rlxfffr.exe 1456 dvvvp.exe 1044 djpjd.exe 5032 frxxrxr.exe 2884 bttbbb.exe 2844 7pjpd.exe 5000 lffxrxr.exe 752 ntbtnn.exe 60 rllfxxx.exe 4444 vdddp.exe 1600 fxfrlxr.exe 2076 hbtntt.exe 736 dvjdd.exe 3272 lxlfxxr.exe 4332 9ttnhh.exe 244 thtnhb.exe 3744 vpvpp.exe 5388 fxxrlxx.exe 1924 7ttnhh.exe 4212 7hbnhb.exe 3664 vdjvp.exe 3888 llrlffx.exe 2952 hbhhbb.exe 2328 jvpjd.exe 5168 jddvp.exe 6136 lxxlffx.exe 2472 tntttb.exe 4544 hthbtt.exe 368 jvvvp.exe 700 3frxrxr.exe 2360 tnhbtt.exe 4800 vppjd.exe 5112 xlrlxxr.exe -
resource yara_rule behavioral2/memory/3320-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5768-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6140-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5924-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5696-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5736-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5892-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2148-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/412-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5476-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5772-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-946-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3320 wrote to memory of 3264 3320 5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe 86 PID 3320 wrote to memory of 3264 3320 5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe 86 PID 3320 wrote to memory of 3264 3320 5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe 86 PID 3264 wrote to memory of 5768 3264 llxlfxr.exe 87 PID 3264 wrote to memory of 5768 3264 llxlfxr.exe 87 PID 3264 wrote to memory of 5768 3264 llxlfxr.exe 87 PID 5768 wrote to memory of 556 5768 tttnbb.exe 88 PID 5768 wrote to memory of 556 5768 tttnbb.exe 88 PID 5768 wrote to memory of 556 5768 tttnbb.exe 88 PID 556 wrote to memory of 3260 556 btthbb.exe 89 PID 556 wrote to memory of 3260 556 btthbb.exe 89 PID 556 wrote to memory of 3260 556 btthbb.exe 89 PID 3260 wrote to memory of 3364 3260 ppvvd.exe 90 PID 3260 wrote to memory of 3364 3260 ppvvd.exe 90 PID 3260 wrote to memory of 3364 3260 ppvvd.exe 90 PID 3364 wrote to memory of 1256 3364 nnbnhh.exe 91 PID 3364 wrote to memory of 1256 3364 nnbnhh.exe 91 PID 3364 wrote to memory of 1256 3364 nnbnhh.exe 91 PID 1256 wrote to memory of 6140 1256 pvpjd.exe 92 PID 1256 wrote to memory of 6140 1256 pvpjd.exe 92 PID 1256 wrote to memory of 6140 1256 pvpjd.exe 92 PID 6140 wrote to memory of 3152 6140 xrllffx.exe 94 PID 6140 wrote to memory of 3152 6140 xrllffx.exe 94 PID 6140 wrote to memory of 3152 6140 xrllffx.exe 94 PID 3152 wrote to memory of 4632 3152 rlrlffx.exe 95 PID 3152 wrote to memory of 4632 3152 rlrlffx.exe 95 PID 3152 wrote to memory of 4632 3152 rlrlffx.exe 95 PID 4632 wrote to memory of 4708 4632 xxxxxxx.exe 96 PID 4632 wrote to memory of 4708 4632 xxxxxxx.exe 96 PID 4632 wrote to memory of 4708 4632 xxxxxxx.exe 96 PID 4708 wrote to memory of 4752 4708 hnbnbh.exe 97 PID 4708 wrote to memory of 4752 4708 hnbnbh.exe 97 PID 4708 wrote to memory of 4752 4708 hnbnbh.exe 97 PID 4752 wrote to memory of 4888 4752 vpvdj.exe 98 PID 4752 wrote to 
memory of 4888 4752 vpvdj.exe 98 PID 4752 wrote to memory of 4888 4752 vpvdj.exe 98 PID 4888 wrote to memory of 5924 4888 rxlflll.exe 99 PID 4888 wrote to memory of 5924 4888 rxlflll.exe 99 PID 4888 wrote to memory of 5924 4888 rxlflll.exe 99 PID 5924 wrote to memory of 1808 5924 dpjjj.exe 101 PID 5924 wrote to memory of 1808 5924 dpjjj.exe 101 PID 5924 wrote to memory of 1808 5924 dpjjj.exe 101 PID 1808 wrote to memory of 5776 1808 jdvvp.exe 102 PID 1808 wrote to memory of 5776 1808 jdvvp.exe 102 PID 1808 wrote to memory of 5776 1808 jdvvp.exe 102 PID 5776 wrote to memory of 5084 5776 1rxrlrl.exe 103 PID 5776 wrote to memory of 5084 5776 1rxrlrl.exe 103 PID 5776 wrote to memory of 5084 5776 1rxrlrl.exe 103 PID 5084 wrote to memory of 4912 5084 pjvvp.exe 104 PID 5084 wrote to memory of 4912 5084 pjvvp.exe 104 PID 5084 wrote to memory of 4912 5084 pjvvp.exe 104 PID 4912 wrote to memory of 5696 4912 lrflffx.exe 105 PID 4912 wrote to memory of 5696 4912 lrflffx.exe 105 PID 4912 wrote to memory of 5696 4912 lrflffx.exe 105 PID 5696 wrote to memory of 5012 5696 9nnhbb.exe 106 PID 5696 wrote to memory of 5012 5696 9nnhbb.exe 106 PID 5696 wrote to memory of 5012 5696 9nnhbb.exe 106 PID 5012 wrote to memory of 3620 5012 1rrlfxr.exe 107 PID 5012 wrote to memory of 3620 5012 1rrlfxr.exe 107 PID 5012 wrote to memory of 3620 5012 1rrlfxr.exe 107 PID 3620 wrote to memory of 776 3620 xrxrllf.exe 109 PID 3620 wrote to memory of 776 3620 xrxrllf.exe 109 PID 3620 wrote to memory of 776 3620 xrxrllf.exe 109 PID 776 wrote to memory of 5736 776 rlllflf.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe"C:\Users\Admin\AppData\Local\Temp\5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\llxlfxr.exec:\llxlfxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\tttnbb.exec:\tttnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5768 -
\??\c:\btthbb.exec:\btthbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\ppvvd.exec:\ppvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\nnbnhh.exec:\nnbnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\pvpjd.exec:\pvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\xrllffx.exec:\xrllffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6140 -
\??\c:\rlrlffx.exec:\rlrlffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\xxxxxxx.exec:\xxxxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\hnbnbh.exec:\hnbnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\vpvdj.exec:\vpvdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\rxlflll.exec:\rxlflll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\dpjjj.exec:\dpjjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5924 -
\??\c:\jdvvp.exec:\jdvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\1rxrlrl.exec:\1rxrlrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5776 -
\??\c:\pjvvp.exec:\pjvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\lrflffx.exec:\lrflffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\9nnhbb.exec:\9nnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5696 -
\??\c:\1rrlfxr.exec:\1rrlfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\xrxrllf.exec:\xrxrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\rlllflf.exec:\rlllflf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\lxrlfrl.exec:\lxrlfrl.exe23⤵
- Executes dropped EXE
PID:5736 -
\??\c:\nhnhhh.exec:\nhnhhh.exe24⤵
- Executes dropped EXE
PID:1612 -
\??\c:\rrrrlll.exec:\rrrrlll.exe25⤵
- Executes dropped EXE
PID:1192 -
\??\c:\vpdvp.exec:\vpdvp.exe26⤵
- Executes dropped EXE
PID:5848 -
\??\c:\lffxllf.exec:\lffxllf.exe27⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nbnhtt.exec:\nbnhtt.exe28⤵
- Executes dropped EXE
PID:184 -
\??\c:\1fflxxr.exec:\1fflxxr.exe29⤵
- Executes dropped EXE
PID:5892 -
\??\c:\3vvpj.exec:\3vvpj.exe30⤵
- Executes dropped EXE
PID:2148 -
\??\c:\7hhbnn.exec:\7hhbnn.exe31⤵
- Executes dropped EXE
PID:4244 -
\??\c:\jpdvp.exec:\jpdvp.exe32⤵
- Executes dropped EXE
PID:2316 -
\??\c:\rlxfffr.exec:\rlxfffr.exe33⤵
- Executes dropped EXE
PID:4204 -
\??\c:\dvvvp.exec:\dvvvp.exe34⤵
- Executes dropped EXE
PID:1456 -
\??\c:\djpjd.exec:\djpjd.exe35⤵
- Executes dropped EXE
PID:1044 -
\??\c:\frxxrxr.exec:\frxxrxr.exe36⤵
- Executes dropped EXE
PID:5032 -
\??\c:\bttbbb.exec:\bttbbb.exe37⤵
- Executes dropped EXE
PID:2884 -
\??\c:\7pjpd.exec:\7pjpd.exe38⤵
- Executes dropped EXE
PID:2844 -
\??\c:\lffxrxr.exec:\lffxrxr.exe39⤵
- Executes dropped EXE
PID:5000 -
\??\c:\ntbtnn.exec:\ntbtnn.exe40⤵
- Executes dropped EXE
PID:752 -
\??\c:\rllfxxx.exec:\rllfxxx.exe41⤵
- Executes dropped EXE
PID:60 -
\??\c:\vdddp.exec:\vdddp.exe42⤵
- Executes dropped EXE
PID:4444 -
\??\c:\fxfrlxr.exec:\fxfrlxr.exe43⤵
- Executes dropped EXE
PID:1600 -
\??\c:\hbtntt.exec:\hbtntt.exe44⤵
- Executes dropped EXE
PID:2076 -
\??\c:\dvjdd.exec:\dvjdd.exe45⤵
- Executes dropped EXE
PID:736 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe46⤵
- Executes dropped EXE
PID:3272 -
\??\c:\9ttnhh.exec:\9ttnhh.exe47⤵
- Executes dropped EXE
PID:4332 -
\??\c:\thtnhb.exec:\thtnhb.exe48⤵
- Executes dropped EXE
PID:244 -
\??\c:\vpvpp.exec:\vpvpp.exe49⤵
- Executes dropped EXE
PID:3744 -
\??\c:\fxxrlxx.exec:\fxxrlxx.exe50⤵
- Executes dropped EXE
PID:5388 -
\??\c:\7ttnhh.exec:\7ttnhh.exe51⤵
- Executes dropped EXE
PID:1924 -
\??\c:\7hbnhb.exec:\7hbnhb.exe52⤵
- Executes dropped EXE
PID:4212 -
\??\c:\vdjvp.exec:\vdjvp.exe53⤵
- Executes dropped EXE
PID:3664 -
\??\c:\llrlffx.exec:\llrlffx.exe54⤵
- Executes dropped EXE
PID:3888 -
\??\c:\hbhhbb.exec:\hbhhbb.exe55⤵
- Executes dropped EXE
PID:2952 -
\??\c:\jvpjd.exec:\jvpjd.exe56⤵
- Executes dropped EXE
PID:2328 -
\??\c:\jddvp.exec:\jddvp.exe57⤵
- Executes dropped EXE
PID:5168 -
\??\c:\lxxlffx.exec:\lxxlffx.exe58⤵
- Executes dropped EXE
PID:6136 -
\??\c:\tntttb.exec:\tntttb.exe59⤵
- Executes dropped EXE
PID:2472 -
\??\c:\hthbtt.exec:\hthbtt.exe60⤵
- Executes dropped EXE
PID:4544 -
\??\c:\jvvvp.exec:\jvvvp.exe61⤵
- Executes dropped EXE
PID:368 -
\??\c:\3frxrxr.exec:\3frxrxr.exe62⤵
- Executes dropped EXE
PID:700 -
\??\c:\tnhbtt.exec:\tnhbtt.exe63⤵
- Executes dropped EXE
PID:2360 -
\??\c:\vppjd.exec:\vppjd.exe64⤵
- Executes dropped EXE
PID:4800 -
\??\c:\xlrlxxr.exec:\xlrlxxr.exe65⤵
- Executes dropped EXE
PID:5112 -
\??\c:\3llrlll.exec:\3llrlll.exe66⤵PID:1492
-
\??\c:\7tbbtb.exec:\7tbbtb.exe67⤵PID:844
-
\??\c:\dvjdd.exec:\dvjdd.exe68⤵PID:408
-
\??\c:\lrxrffr.exec:\lrxrffr.exe69⤵PID:232
-
\??\c:\nhhbbb.exec:\nhhbbb.exe70⤵PID:1172
-
\??\c:\hnbthh.exec:\hnbthh.exe71⤵PID:3064
-
\??\c:\pvvpj.exec:\pvvpj.exe72⤵PID:6064
-
\??\c:\rlffxxr.exec:\rlffxxr.exe73⤵PID:216
-
\??\c:\tthhnt.exec:\tthhnt.exe74⤵PID:5452
-
\??\c:\vvpjv.exec:\vvpjv.exe75⤵PID:5180
-
\??\c:\5pjdp.exec:\5pjdp.exe76⤵PID:1200
-
\??\c:\xxrlllf.exec:\xxrlllf.exe77⤵PID:5184
-
\??\c:\nnnnhh.exec:\nnnnhh.exe78⤵PID:3140
-
\??\c:\vvjjp.exec:\vvjjp.exe79⤵PID:4668
-
\??\c:\7jddv.exec:\7jddv.exe80⤵PID:4648
-
\??\c:\flrlffx.exec:\flrlffx.exe81⤵PID:4892
-
\??\c:\tntnnh.exec:\tntnnh.exe82⤵PID:2136
-
\??\c:\jvvpp.exec:\jvvpp.exe83⤵PID:2420
-
\??\c:\xrffffl.exec:\xrffffl.exe84⤵PID:2248
-
\??\c:\llrllff.exec:\llrllff.exe85⤵PID:4628
-
\??\c:\nntnhb.exec:\nntnhb.exe86⤵PID:5776
-
\??\c:\vvjvp.exec:\vvjvp.exe87⤵PID:3500
-
\??\c:\9flfxlx.exec:\9flfxlx.exe88⤵PID:5056
-
\??\c:\nhtntt.exec:\nhtntt.exe89⤵PID:4852
-
\??\c:\hbnhnn.exec:\hbnhnn.exe90⤵PID:5488
-
\??\c:\vpdjd.exec:\vpdjd.exe91⤵PID:5384
-
\??\c:\lxlfffl.exec:\lxlfffl.exe92⤵PID:4948
-
\??\c:\btbtnn.exec:\btbtnn.exe93⤵PID:5764
-
\??\c:\5bbtnn.exec:\5bbtnn.exe94⤵PID:2184
-
\??\c:\jpvpj.exec:\jpvpj.exe95⤵PID:468
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe96⤵PID:3516
-
\??\c:\xrxrrll.exec:\xrxrrll.exe97⤵PID:1136
-
\??\c:\bbhhbb.exec:\bbhhbb.exe98⤵PID:4328
-
\??\c:\vjjdv.exec:\vjjdv.exe99⤵PID:412
-
\??\c:\xrrrrrl.exec:\xrrrrrl.exe100⤵PID:684
-
\??\c:\lrxlllf.exec:\lrxlllf.exe101⤵PID:6120
-
\??\c:\bttnht.exec:\bttnht.exe102⤵PID:6020
-
\??\c:\5vdvj.exec:\5vdvj.exe103⤵PID:5476
-
\??\c:\lxfxrrx.exec:\lxfxrrx.exe104⤵PID:5216
-
\??\c:\nbntnh.exec:\nbntnh.exe105⤵PID:5640
-
\??\c:\tnbtbt.exec:\tnbtbt.exe106⤵PID:3712
-
\??\c:\jvpjd.exec:\jvpjd.exe107⤵PID:3168
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe108⤵PID:5672
-
\??\c:\rxfxrll.exec:\rxfxrll.exe109⤵
- System Location Discovery: System Language Discovery
PID:4364 -
\??\c:\hhhnhh.exec:\hhhnhh.exe110⤵PID:2548
-
\??\c:\jpvpj.exec:\jpvpj.exe111⤵PID:1456
-
\??\c:\xffxrlx.exec:\xffxrlx.exe112⤵PID:1440
-
\??\c:\fflffxl.exec:\fflffxl.exe113⤵PID:1732
-
\??\c:\tntnnn.exec:\tntnnn.exe114⤵PID:4476
-
\??\c:\3vvpj.exec:\3vvpj.exe115⤵PID:4436
-
\??\c:\vpjdp.exec:\vpjdp.exe116⤵PID:5416
-
\??\c:\frrlllr.exec:\frrlllr.exe117⤵PID:4532
-
\??\c:\hnbtnh.exec:\hnbtnh.exe118⤵PID:1728
-
\??\c:\tntnhb.exec:\tntnhb.exe119⤵PID:2912
-
\??\c:\pdjdv.exec:\pdjdv.exe120⤵PID:5772
-
\??\c:\rlxrfxx.exec:\rlxrfxx.exe121⤵PID:3984
-
\??\c:\bbbtbt.exec:\bbbtbt.exe122⤵PID:536