Analysis
-
max time kernel
120s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
26-08-2024 04:49
Behavioral task
behavioral1
Sample
77ac26e278ceb0b8adad7d14d9d0c590N.exe
Resource
win7-20240704-en
windows7-x64
6 signatures
120 seconds
General
-
Target
77ac26e278ceb0b8adad7d14d9d0c590N.exe
-
Size
371KB
-
MD5
77ac26e278ceb0b8adad7d14d9d0c590
-
SHA1
21bec9557e25c47db9c23490064859f3e3ddb02f
-
SHA256
e3ce0fba8b108b248009c675cf57c681866c6b95021070e97f5e24e207f580e5
-
SHA512
baa9d562c11863064ab4a8a4fe5ecea4362b188c839a4ebbf2fcf7097595b5cd28ebab9ff86c60b70f6faecb62ec33a57c3b1652830bac793c62fc95ad29f9dc
-
SSDEEP
6144:kcm4FmowdHoSphraHcpOaKHpSwp9OD0Ibss:y4wFHoS3eFaKHpNKbbss
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4768-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1096-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1564-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1888-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4836-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2028-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2108-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3992-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3156-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3572-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2664-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1564-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/516-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3636-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1680-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3476-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/772-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1420-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1380-481-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-506-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2256-516-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1916-544-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-597-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1704-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3776-650-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-708-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3684-754-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-1139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2988-1192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-1287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4768 1lxrrrl.exe 3560 htbhbt.exe 3988 dppjd.exe 4772 rffffll.exe 5016 bnbhbn.exe 1096 7tnnhb.exe 4664 dpjjv.exe 3952 flxxxrr.exe 3436 rllrlrf.exe 4556 djpjj.exe 1596 rxxrfxr.exe 5116 btbtbb.exe 4800 rlxrfrf.exe 1288 llrrrll.exe 3660 llfrllf.exe 2556 htnbbt.exe 3984 1pddv.exe 1488 jdvpj.exe 2656 jvvpd.exe 1564 lrxrlfx.exe 1888 htbtnt.exe 1044 lflfrrl.exe 4836 ttbbbb.exe 2452 nhnhtt.exe 1468 dpjpp.exe 3376 xxlfxff.exe 2028 fxlfxxr.exe 4472 3jjpj.exe 2376 dvdpv.exe 2108 rllxfrl.exe 2112 rlxxlrf.exe 3992 nhttnt.exe 4492 hbnhbt.exe 4768 djpjd.exe 3560 pjpjj.exe 3156 xlrlxxr.exe 2484 bhnhtt.exe 2184 9bbthh.exe 1268 pvdjd.exe 2828 llfxlrl.exe 1452 hnntnt.exe 4432 dpvvj.exe 4660 jppdp.exe 1092 frxrxxr.exe 3888 tbhbtt.exe 4460 vdjdp.exe 520 3djdj.exe 2104 3lrfxrl.exe 3884 xxrlffx.exe 1612 hntnbt.exe 3536 vjpdv.exe 1112 vppdv.exe 5100 frxlfxx.exe 3416 bbtnhh.exe 3572 bnnhtt.exe 3188 jdddv.exe 5024 9vvvp.exe 4732 frxxllf.exe 2664 hhnhnn.exe 2160 tnnhtt.exe 1564 9dpjd.exe 516 rlfxxxr.exe 2784 rflfxrl.exe 4888 htbtnn.exe -
resource yara_rule behavioral2/memory/3332-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023429-3.dat upx behavioral2/memory/4768-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3332-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023434-11.dat upx behavioral2/files/0x0007000000023438-13.dat upx behavioral2/memory/3988-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023439-22.dat upx behavioral2/files/0x000700000002343a-28.dat upx behavioral2/memory/5016-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002343b-33.dat upx behavioral2/memory/1096-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3560-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002343c-39.dat upx behavioral2/memory/1096-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4664-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002343d-47.dat upx behavioral2/files/0x000700000002343e-51.dat upx behavioral2/memory/3952-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023440-57.dat upx behavioral2/memory/3436-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023441-63.dat upx behavioral2/memory/4556-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023442-69.dat upx behavioral2/files/0x0007000000023443-75.dat upx behavioral2/memory/5116-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4800-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023444-80.dat upx behavioral2/memory/4800-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023445-85.dat upx behavioral2/files/0x0007000000023446-90.dat upx 
behavioral2/memory/3660-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023447-96.dat upx behavioral2/memory/2556-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3984-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023435-102.dat upx behavioral2/files/0x0007000000023449-108.dat upx behavioral2/files/0x000700000002344a-114.dat upx behavioral2/memory/1564-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344b-120.dat upx behavioral2/memory/1888-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344c-126.dat upx behavioral2/files/0x000700000002344d-130.dat upx behavioral2/memory/4836-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1044-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344e-138.dat upx behavioral2/files/0x000700000002344f-142.dat upx behavioral2/memory/1468-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023450-149.dat upx behavioral2/memory/3376-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023451-155.dat upx behavioral2/memory/2028-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023452-161.dat upx behavioral2/files/0x0007000000023453-166.dat upx behavioral2/memory/2376-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023454-171.dat upx behavioral2/memory/2108-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023455-178.dat upx behavioral2/files/0x0007000000023456-184.dat upx behavioral2/memory/2112-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3992-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4768-196-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3156-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2484-207-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3332 wrote to memory of 4768 3332 77ac26e278ceb0b8adad7d14d9d0c590N.exe 84 PID 3332 wrote to memory of 4768 3332 77ac26e278ceb0b8adad7d14d9d0c590N.exe 84 PID 3332 wrote to memory of 4768 3332 77ac26e278ceb0b8adad7d14d9d0c590N.exe 84 PID 4768 wrote to memory of 3560 4768 1lxrrrl.exe 85 PID 4768 wrote to memory of 3560 4768 1lxrrrl.exe 85 PID 4768 wrote to memory of 3560 4768 1lxrrrl.exe 85 PID 3560 wrote to memory of 3988 3560 htbhbt.exe 86 PID 3560 wrote to memory of 3988 3560 htbhbt.exe 86 PID 3560 wrote to memory of 3988 3560 htbhbt.exe 86 PID 3988 wrote to memory of 4772 3988 dppjd.exe 87 PID 3988 wrote to memory of 4772 3988 dppjd.exe 87 PID 3988 wrote to memory of 4772 3988 dppjd.exe 87 PID 4772 wrote to memory of 5016 4772 rffffll.exe 88 PID 4772 wrote to memory of 5016 4772 rffffll.exe 88 PID 4772 wrote to memory of 5016 4772 rffffll.exe 88 PID 5016 wrote to memory of 1096 5016 bnbhbn.exe 89 PID 5016 wrote to memory of 1096 5016 bnbhbn.exe 89 PID 5016 wrote to memory of 1096 5016 bnbhbn.exe 89 PID 1096 wrote to memory of 4664 1096 7tnnhb.exe 90 PID 1096 wrote to memory of 4664 1096 7tnnhb.exe 90 PID 1096 wrote to memory of 4664 1096 7tnnhb.exe 90 PID 4664 wrote to memory of 3952 4664 dpjjv.exe 91 PID 4664 wrote to memory of 3952 4664 dpjjv.exe 91 PID 4664 wrote to memory of 3952 4664 dpjjv.exe 91 PID 3952 wrote to memory of 3436 3952 flxxxrr.exe 93 PID 3952 wrote to memory of 3436 3952 flxxxrr.exe 93 PID 3952 wrote to memory of 3436 3952 flxxxrr.exe 93 PID 3436 wrote to memory of 4556 3436 rllrlrf.exe 94 PID 3436 wrote to memory of 4556 3436 rllrlrf.exe 94 PID 3436 wrote to memory of 4556 3436 rllrlrf.exe 94 PID 4556 wrote to memory of 1596 4556 djpjj.exe 95 PID 4556 wrote to memory of 1596 4556 djpjj.exe 95 PID 4556 wrote to memory of 1596 4556 djpjj.exe 95 PID 1596 wrote to memory of 5116 1596 rxxrfxr.exe 96 PID 1596 wrote to memory of 5116 1596 rxxrfxr.exe 96 PID 1596 wrote to memory of 5116 1596 rxxrfxr.exe 96 
PID 5116 wrote to memory of 4800 5116 btbtbb.exe 97 PID 5116 wrote to memory of 4800 5116 btbtbb.exe 97 PID 5116 wrote to memory of 4800 5116 btbtbb.exe 97 PID 4800 wrote to memory of 1288 4800 rlxrfrf.exe 99 PID 4800 wrote to memory of 1288 4800 rlxrfrf.exe 99 PID 4800 wrote to memory of 1288 4800 rlxrfrf.exe 99 PID 1288 wrote to memory of 3660 1288 llrrrll.exe 100 PID 1288 wrote to memory of 3660 1288 llrrrll.exe 100 PID 1288 wrote to memory of 3660 1288 llrrrll.exe 100 PID 3660 wrote to memory of 2556 3660 llfrllf.exe 101 PID 3660 wrote to memory of 2556 3660 llfrllf.exe 101 PID 3660 wrote to memory of 2556 3660 llfrllf.exe 101 PID 2556 wrote to memory of 3984 2556 htnbbt.exe 103 PID 2556 wrote to memory of 3984 2556 htnbbt.exe 103 PID 2556 wrote to memory of 3984 2556 htnbbt.exe 103 PID 3984 wrote to memory of 1488 3984 1pddv.exe 104 PID 3984 wrote to memory of 1488 3984 1pddv.exe 104 PID 3984 wrote to memory of 1488 3984 1pddv.exe 104 PID 1488 wrote to memory of 2656 1488 jdvpj.exe 105 PID 1488 wrote to memory of 2656 1488 jdvpj.exe 105 PID 1488 wrote to memory of 2656 1488 jdvpj.exe 105 PID 2656 wrote to memory of 1564 2656 jvvpd.exe 106 PID 2656 wrote to memory of 1564 2656 jvvpd.exe 106 PID 2656 wrote to memory of 1564 2656 jvvpd.exe 106 PID 1564 wrote to memory of 1888 1564 lrxrlfx.exe 107 PID 1564 wrote to memory of 1888 1564 lrxrlfx.exe 107 PID 1564 wrote to memory of 1888 1564 lrxrlfx.exe 107 PID 1888 wrote to memory of 1044 1888 htbtnt.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\77ac26e278ceb0b8adad7d14d9d0c590N.exe"C:\Users\Admin\AppData\Local\Temp\77ac26e278ceb0b8adad7d14d9d0c590N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\1lxrrrl.exec:\1lxrrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\htbhbt.exec:\htbhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\dppjd.exec:\dppjd.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\rffffll.exec:\rffffll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\bnbhbn.exec:\bnbhbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\7tnnhb.exec:\7tnnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\dpjjv.exec:\dpjjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\flxxxrr.exec:\flxxxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\rllrlrf.exec:\rllrlrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\djpjj.exec:\djpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\rxxrfxr.exec:\rxxrfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\btbtbb.exec:\btbtbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\rlxrfrf.exec:\rlxrfrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\llrrrll.exec:\llrrrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\llfrllf.exec:\llfrllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\htnbbt.exec:\htnbbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\1pddv.exec:\1pddv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\jdvpj.exec:\jdvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\jvvpd.exec:\jvvpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\lrxrlfx.exec:\lrxrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\htbtnt.exec:\htbtnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\lflfrrl.exec:\lflfrrl.exe23⤵
- Executes dropped EXE
PID:1044 -
\??\c:\ttbbbb.exec:\ttbbbb.exe24⤵
- Executes dropped EXE
PID:4836 -
\??\c:\nhnhtt.exec:\nhnhtt.exe25⤵
- Executes dropped EXE
PID:2452 -
\??\c:\dpjpp.exec:\dpjpp.exe26⤵
- Executes dropped EXE
PID:1468 -
\??\c:\xxlfxff.exec:\xxlfxff.exe27⤵
- Executes dropped EXE
PID:3376 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe28⤵
- Executes dropped EXE
PID:2028 -
\??\c:\3jjpj.exec:\3jjpj.exe29⤵
- Executes dropped EXE
PID:4472 -
\??\c:\dvdpv.exec:\dvdpv.exe30⤵
- Executes dropped EXE
PID:2376 -
\??\c:\rllxfrl.exec:\rllxfrl.exe31⤵
- Executes dropped EXE
PID:2108 -
\??\c:\rlxxlrf.exec:\rlxxlrf.exe32⤵
- Executes dropped EXE
PID:2112 -
\??\c:\nhttnt.exec:\nhttnt.exe33⤵
- Executes dropped EXE
PID:3992 -
\??\c:\hbnhbt.exec:\hbnhbt.exe34⤵
- Executes dropped EXE
PID:4492 -
\??\c:\djpjd.exec:\djpjd.exe35⤵
- Executes dropped EXE
PID:4768 -
\??\c:\pjpjj.exec:\pjpjj.exe36⤵
- Executes dropped EXE
PID:3560 -
\??\c:\xlrlxxr.exec:\xlrlxxr.exe37⤵
- Executes dropped EXE
PID:3156 -
\??\c:\bhnhtt.exec:\bhnhtt.exe38⤵
- Executes dropped EXE
PID:2484 -
\??\c:\9bbthh.exec:\9bbthh.exe39⤵
- Executes dropped EXE
PID:2184 -
\??\c:\pvdjd.exec:\pvdjd.exe40⤵
- Executes dropped EXE
PID:1268 -
\??\c:\llfxlrl.exec:\llfxlrl.exe41⤵
- Executes dropped EXE
PID:2828 -
\??\c:\hnntnt.exec:\hnntnt.exe42⤵
- Executes dropped EXE
PID:1452 -
\??\c:\dpvvj.exec:\dpvvj.exe43⤵
- Executes dropped EXE
PID:4432 -
\??\c:\jppdp.exec:\jppdp.exe44⤵
- Executes dropped EXE
PID:4660 -
\??\c:\frxrxxr.exec:\frxrxxr.exe45⤵
- Executes dropped EXE
PID:1092 -
\??\c:\tbhbtt.exec:\tbhbtt.exe46⤵
- Executes dropped EXE
PID:3888 -
\??\c:\vdjdp.exec:\vdjdp.exe47⤵
- Executes dropped EXE
PID:4460 -
\??\c:\3djdj.exec:\3djdj.exe48⤵
- Executes dropped EXE
PID:520 -
\??\c:\3lrfxrl.exec:\3lrfxrl.exe49⤵
- Executes dropped EXE
PID:2104 -
\??\c:\xxrlffx.exec:\xxrlffx.exe50⤵
- Executes dropped EXE
PID:3884 -
\??\c:\hntnbt.exec:\hntnbt.exe51⤵
- Executes dropped EXE
PID:1612 -
\??\c:\vjpdv.exec:\vjpdv.exe52⤵
- Executes dropped EXE
PID:3536 -
\??\c:\vppdv.exec:\vppdv.exe53⤵
- Executes dropped EXE
PID:1112 -
\??\c:\frxlfxx.exec:\frxlfxx.exe54⤵
- Executes dropped EXE
PID:5100 -
\??\c:\bbtnhh.exec:\bbtnhh.exe55⤵
- Executes dropped EXE
PID:3416 -
\??\c:\bnnhtt.exec:\bnnhtt.exe56⤵
- Executes dropped EXE
PID:3572 -
\??\c:\jdddv.exec:\jdddv.exe57⤵
- Executes dropped EXE
PID:3188 -
\??\c:\9vvvp.exec:\9vvvp.exe58⤵
- Executes dropped EXE
PID:5024 -
\??\c:\frxxllf.exec:\frxxllf.exe59⤵
- Executes dropped EXE
PID:4732 -
\??\c:\hhnhnn.exec:\hhnhnn.exe60⤵
- Executes dropped EXE
PID:2664 -
\??\c:\tnnhtt.exec:\tnnhtt.exe61⤵
- Executes dropped EXE
PID:2160 -
\??\c:\9dpjd.exec:\9dpjd.exe62⤵
- Executes dropped EXE
PID:1564 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe63⤵
- Executes dropped EXE
PID:516 -
\??\c:\rflfxrl.exec:\rflfxrl.exe64⤵
- Executes dropped EXE
PID:2784 -
\??\c:\htbtnn.exec:\htbtnn.exe65⤵
- Executes dropped EXE
PID:4888 -
\??\c:\djpjp.exec:\djpjp.exe66⤵PID:3744
-
\??\c:\vjvpj.exec:\vjvpj.exe67⤵PID:4072
-
\??\c:\llrlrlf.exec:\llrlrlf.exe68⤵PID:5104
-
\??\c:\pdjdv.exec:\pdjdv.exe69⤵PID:5044
-
\??\c:\7lffxfl.exec:\7lffxfl.exe70⤵PID:2156
-
\??\c:\xlxrlll.exec:\xlxrlll.exe71⤵PID:3636
-
\??\c:\7thbbb.exec:\7thbbb.exe72⤵PID:5112
-
\??\c:\vjppd.exec:\vjppd.exe73⤵PID:1856
-
\??\c:\fffxrrl.exec:\fffxrrl.exe74⤵PID:1152
-
\??\c:\tbbbbt.exec:\tbbbbt.exe75⤵PID:2108
-
\??\c:\pdvpd.exec:\pdvpd.exe76⤵PID:3332
-
\??\c:\3pvpj.exec:\3pvpj.exe77⤵PID:3468
-
\??\c:\xrrrffx.exec:\xrrrffx.exe78⤵PID:1380
-
\??\c:\frxxrxr.exec:\frxxrxr.exe79⤵PID:2332
-
\??\c:\nhbthb.exec:\nhbthb.exe80⤵PID:5012
-
\??\c:\9dvvp.exec:\9dvvp.exe81⤵PID:536
-
\??\c:\jpvpv.exec:\jpvpv.exe82⤵PID:624
-
\??\c:\xrrlllf.exec:\xrrlllf.exe83⤵PID:2484
-
\??\c:\tbhbhh.exec:\tbhbhh.exe84⤵PID:4516
-
\??\c:\3nhbnn.exec:\3nhbnn.exe85⤵PID:1680
-
\??\c:\ddpjd.exec:\ddpjd.exe86⤵PID:1096
-
\??\c:\fxxrffx.exec:\fxxrffx.exe87⤵PID:2628
-
\??\c:\9rfxxxf.exec:\9rfxxxf.exe88⤵PID:2200
-
\??\c:\bnbbhb.exec:\bnbbhb.exe89⤵PID:2256
-
\??\c:\nhnhbt.exec:\nhnhbt.exe90⤵PID:2840
-
\??\c:\pdjdp.exec:\pdjdp.exe91⤵PID:1092
-
\??\c:\flrlxrr.exec:\flrlxrr.exe92⤵PID:4556
-
\??\c:\3lrlfll.exec:\3lrlfll.exe93⤵PID:3476
-
\??\c:\bthtnt.exec:\bthtnt.exe94⤵PID:220
-
\??\c:\jddjp.exec:\jddjp.exe95⤵PID:3380
-
\??\c:\xllfrrl.exec:\xllfrrl.exe96⤵PID:3224
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe97⤵PID:1740
-
\??\c:\ththth.exec:\ththth.exe98⤵PID:860
-
\??\c:\9djvj.exec:\9djvj.exe99⤵
- System Location Discovery: System Language Discovery
PID:1612 -
\??\c:\fxfxxxf.exec:\fxfxxxf.exe100⤵PID:3536
-
\??\c:\frrrlrl.exec:\frrrlrl.exe101⤵PID:772
-
\??\c:\btbtnn.exec:\btbtnn.exe102⤵PID:5100
-
\??\c:\hntnhh.exec:\hntnhh.exe103⤵PID:3608
-
\??\c:\jdjdd.exec:\jdjdd.exe104⤵PID:5080
-
\??\c:\lrxxllf.exec:\lrxxllf.exe105⤵
- System Location Discovery: System Language Discovery
PID:1516 -
\??\c:\flxrlll.exec:\flxrlll.exe106⤵PID:4524
-
\??\c:\hbtntn.exec:\hbtntn.exe107⤵PID:5024
-
\??\c:\djdvj.exec:\djdvj.exe108⤵PID:648
-
\??\c:\vjjjd.exec:\vjjjd.exe109⤵PID:3824
-
\??\c:\xrxflxx.exec:\xrxflxx.exe110⤵PID:4904
-
\??\c:\9fxrlfx.exec:\9fxrlfx.exe111⤵PID:1676
-
\??\c:\nbbtnh.exec:\nbbtnh.exe112⤵PID:1420
-
\??\c:\jvpjj.exec:\jvpjj.exe113⤵PID:2036
-
\??\c:\dpvpd.exec:\dpvpd.exe114⤵PID:1468
-
\??\c:\1fxfffx.exec:\1fxfffx.exe115⤵PID:1496
-
\??\c:\ttbtnt.exec:\ttbtnt.exe116⤵PID:932
-
\??\c:\tnnnbt.exec:\tnnnbt.exe117⤵PID:4548
-
\??\c:\1pvpp.exec:\1pvpp.exe118⤵PID:4820
-
\??\c:\jvpdp.exec:\jvpdp.exe119⤵PID:1152
-
\??\c:\fxxrffx.exec:\fxxrffx.exe120⤵PID:2108
-
\??\c:\bnthnh.exec:\bnthnh.exe121⤵PID:3532
-
\??\c:\vvvpp.exec:\vvvpp.exe122⤵PID:1380
-