Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 04:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f54f12a8bdbe8a71dd3d90f2197f708f734b822fe849d4ac823f31671318fdaf.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
f54f12a8bdbe8a71dd3d90f2197f708f734b822fe849d4ac823f31671318fdaf.exe
-
Size
454KB
-
MD5
461470b4af3eecdfe0353a10b7114339
-
SHA1
f28906cfbcc6482783b7f3920f033e8127e2893c
-
SHA256
f54f12a8bdbe8a71dd3d90f2197f708f734b822fe849d4ac823f31671318fdaf
-
SHA512
4cbd68100dd8cde189a3d54fc29eb5381a4df4bc99e7d02f6d00dd0cfbb5aebb7b7934e690f75302696e4493943769b2be418c90bedac2405d8c45e1b698c3e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbew:q7Tc2NYHUrAwfMp3CDw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4916-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/972-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2208-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-1276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/700-1442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 732 lfrllfx.exe 2324 tnhhbb.exe 3772 1vpdv.exe 2172 lfffxxr.exe 1800 5hnnhh.exe 2020 hnhbbb.exe 456 pdpvp.exe 1044 bhbbbh.exe 512 rlllfff.exe 184 vvvvp.exe 3480 1xrllll.exe 4340 bbnhhh.exe 2756 btnhbt.exe 764 httthh.exe 4436 7fffxxx.exe 2800 hbbtbt.exe 4784 ddjdj.exe 3796 pppjv.exe 4936 ffrllff.exe 1680 ddddj.exe 2152 xllrlxr.exe 4676 dvdvp.exe 1568 xxffxxr.exe 4020 ddddv.exe 972 hbbhbn.exe 3996 flxrllf.exe 1872 dpvvv.exe 1644 hhhhbb.exe 1128 xllllll.exe 3676 vdppv.exe 1976 5lfxrrl.exe 4268 dpvvp.exe 1492 9lxrlfx.exe 1464 ppvvp.exe 1112 nhnnhn.exe 3604 vdjpj.exe 1536 frrffxx.exe 4756 hbthhh.exe 1432 dvppj.exe 3128 xxrrffx.exe 3752 nhhbnh.exe 4416 dpvpd.exe 2324 3lfxlfx.exe 4332 xrxrllf.exe 2172 bbbtnn.exe 3292 vpvpj.exe 2020 xxxxfrr.exe 2180 nbhbtt.exe 1368 dvvpj.exe 456 lrxrfll.exe 4412 hhnbhb.exe 556 tntnhh.exe 4420 5vpjd.exe 4900 3xrrllf.exe 3060 nbhbhb.exe 3048 jpjdd.exe 5028 xfxrllf.exe 1884 bhtnbt.exe 3628 tbtttt.exe 2208 jpvvd.exe 960 rlxlxrl.exe 1140 hhtnhh.exe 3808 pvjdp.exe 432 xrxlfff.exe -
resource yara_rule behavioral2/memory/4916-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4020-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-344-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3996-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-572-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnnbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4916 wrote to memory of 732 4916 f54f12a8bdbe8a71dd3d90f2197f708f734b822fe849d4ac823f31671318fdaf.exe 83 PID 4916 wrote to memory of 732 4916 f54f12a8bdbe8a71dd3d90f2197f708f734b822fe849d4ac823f31671318fdaf.exe 83 PID 4916 wrote to memory of 732 4916 f54f12a8bdbe8a71dd3d90f2197f708f734b822fe849d4ac823f31671318fdaf.exe 83 PID 732 wrote to memory of 2324 732 lfrllfx.exe 84 PID 732 wrote to memory of 2324 732 lfrllfx.exe 84 PID 732 wrote to memory of 2324 732 lfrllfx.exe 84 PID 2324 wrote to memory of 3772 2324 tnhhbb.exe 85 PID 2324 wrote to memory of 3772 2324 tnhhbb.exe 85 PID 2324 wrote to memory of 3772 2324 tnhhbb.exe 85 PID 3772 wrote to memory of 2172 3772 1vpdv.exe 86 PID 3772 wrote to memory of 2172 3772 1vpdv.exe 86 PID 3772 wrote to memory of 2172 3772 1vpdv.exe 86 PID 2172 wrote to memory of 1800 2172 lfffxxr.exe 87 PID 2172 wrote to memory of 1800 2172 lfffxxr.exe 87 PID 2172 wrote to memory of 1800 2172 lfffxxr.exe 87 PID 1800 wrote to memory of 2020 1800 5hnnhh.exe 88 PID 1800 wrote to memory of 2020 1800 5hnnhh.exe 88 PID 1800 wrote to memory of 2020 1800 5hnnhh.exe 88 PID 2020 wrote to memory of 456 2020 hnhbbb.exe 89 PID 2020 wrote to memory of 456 2020 hnhbbb.exe 89 PID 2020 wrote to memory of 456 2020 hnhbbb.exe 89 PID 456 wrote to memory of 1044 456 pdpvp.exe 90 PID 456 wrote to memory of 1044 456 pdpvp.exe 90 PID 456 wrote to memory of 1044 456 pdpvp.exe 90 PID 1044 wrote to memory of 512 1044 bhbbbh.exe 91 PID 1044 wrote to memory of 512 1044 bhbbbh.exe 91 PID 1044 wrote to memory of 512 1044 bhbbbh.exe 91 PID 512 wrote to memory of 184 512 rlllfff.exe 92 PID 512 wrote to memory of 184 512 rlllfff.exe 92 PID 512 wrote to memory of 184 512 rlllfff.exe 92 PID 184 wrote to memory of 3480 184 vvvvp.exe 93 PID 184 wrote to memory of 3480 184 vvvvp.exe 93 PID 184 wrote to memory of 3480 184 vvvvp.exe 93 PID 3480 wrote to memory of 4340 3480 1xrllll.exe 94 PID 3480 wrote to memory of 4340 3480 1xrllll.exe 94 
PID 3480 wrote to memory of 4340 3480 1xrllll.exe 94 PID 4340 wrote to memory of 2756 4340 bbnhhh.exe 95 PID 4340 wrote to memory of 2756 4340 bbnhhh.exe 95 PID 4340 wrote to memory of 2756 4340 bbnhhh.exe 95 PID 2756 wrote to memory of 764 2756 btnhbt.exe 96 PID 2756 wrote to memory of 764 2756 btnhbt.exe 96 PID 2756 wrote to memory of 764 2756 btnhbt.exe 96 PID 764 wrote to memory of 4436 764 httthh.exe 97 PID 764 wrote to memory of 4436 764 httthh.exe 97 PID 764 wrote to memory of 4436 764 httthh.exe 97 PID 4436 wrote to memory of 2800 4436 7fffxxx.exe 98 PID 4436 wrote to memory of 2800 4436 7fffxxx.exe 98 PID 4436 wrote to memory of 2800 4436 7fffxxx.exe 98 PID 2800 wrote to memory of 4784 2800 hbbtbt.exe 99 PID 2800 wrote to memory of 4784 2800 hbbtbt.exe 99 PID 2800 wrote to memory of 4784 2800 hbbtbt.exe 99 PID 4784 wrote to memory of 3796 4784 ddjdj.exe 100 PID 4784 wrote to memory of 3796 4784 ddjdj.exe 100 PID 4784 wrote to memory of 3796 4784 ddjdj.exe 100 PID 3796 wrote to memory of 4936 3796 pppjv.exe 101 PID 3796 wrote to memory of 4936 3796 pppjv.exe 101 PID 3796 wrote to memory of 4936 3796 pppjv.exe 101 PID 4936 wrote to memory of 1680 4936 ffrllff.exe 102 PID 4936 wrote to memory of 1680 4936 ffrllff.exe 102 PID 4936 wrote to memory of 1680 4936 ffrllff.exe 102 PID 1680 wrote to memory of 2152 1680 ddddj.exe 103 PID 1680 wrote to memory of 2152 1680 ddddj.exe 103 PID 1680 wrote to memory of 2152 1680 ddddj.exe 103 PID 2152 wrote to memory of 4676 2152 xllrlxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f54f12a8bdbe8a71dd3d90f2197f708f734b822fe849d4ac823f31671318fdaf.exe"C:\Users\Admin\AppData\Local\Temp\f54f12a8bdbe8a71dd3d90f2197f708f734b822fe849d4ac823f31671318fdaf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\lfrllfx.exec:\lfrllfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\tnhhbb.exec:\tnhhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\1vpdv.exec:\1vpdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\lfffxxr.exec:\lfffxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\5hnnhh.exec:\5hnnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\hnhbbb.exec:\hnhbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\pdpvp.exec:\pdpvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\bhbbbh.exec:\bhbbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\rlllfff.exec:\rlllfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\vvvvp.exec:\vvvvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\1xrllll.exec:\1xrllll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\bbnhhh.exec:\bbnhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\btnhbt.exec:\btnhbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\httthh.exec:\httthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\7fffxxx.exec:\7fffxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\hbbtbt.exec:\hbbtbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\ddjdj.exec:\ddjdj.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\pppjv.exec:\pppjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\ffrllff.exec:\ffrllff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\ddddj.exec:\ddddj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\xllrlxr.exec:\xllrlxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\dvdvp.exec:\dvdvp.exe23⤵
- Executes dropped EXE
PID:4676 -
\??\c:\xxffxxr.exec:\xxffxxr.exe24⤵
- Executes dropped EXE
PID:1568 -
\??\c:\ddddv.exec:\ddddv.exe25⤵
- Executes dropped EXE
PID:4020 -
\??\c:\hbbhbn.exec:\hbbhbn.exe26⤵
- Executes dropped EXE
PID:972 -
\??\c:\flxrllf.exec:\flxrllf.exe27⤵
- Executes dropped EXE
PID:3996 -
\??\c:\dpvvv.exec:\dpvvv.exe28⤵
- Executes dropped EXE
PID:1872 -
\??\c:\hhhhbb.exec:\hhhhbb.exe29⤵
- Executes dropped EXE
PID:1644 -
\??\c:\xllllll.exec:\xllllll.exe30⤵
- Executes dropped EXE
PID:1128 -
\??\c:\vdppv.exec:\vdppv.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3676 -
\??\c:\5lfxrrl.exec:\5lfxrrl.exe32⤵
- Executes dropped EXE
PID:1976 -
\??\c:\dpvvp.exec:\dpvvp.exe33⤵
- Executes dropped EXE
PID:4268 -
\??\c:\9lxrlfx.exec:\9lxrlfx.exe34⤵
- Executes dropped EXE
PID:1492 -
\??\c:\ppvvp.exec:\ppvvp.exe35⤵
- Executes dropped EXE
PID:1464 -
\??\c:\nhnnhn.exec:\nhnnhn.exe36⤵
- Executes dropped EXE
PID:1112 -
\??\c:\vdjpj.exec:\vdjpj.exe37⤵
- Executes dropped EXE
PID:3604 -
\??\c:\frrffxx.exec:\frrffxx.exe38⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hbthhh.exec:\hbthhh.exe39⤵
- Executes dropped EXE
PID:4756 -
\??\c:\dvppj.exec:\dvppj.exe40⤵
- Executes dropped EXE
PID:1432 -
\??\c:\vjjvp.exec:\vjjvp.exe41⤵PID:3260
-
\??\c:\xxrrffx.exec:\xxrrffx.exe42⤵
- Executes dropped EXE
PID:3128 -
\??\c:\nhhbnh.exec:\nhhbnh.exe43⤵
- Executes dropped EXE
PID:3752 -
\??\c:\dpvpd.exec:\dpvpd.exe44⤵
- Executes dropped EXE
PID:4416 -
\??\c:\3lfxlfx.exec:\3lfxlfx.exe45⤵
- Executes dropped EXE
PID:2324 -
\??\c:\xrxrllf.exec:\xrxrllf.exe46⤵
- Executes dropped EXE
PID:4332 -
\??\c:\bbbtnn.exec:\bbbtnn.exe47⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vpvpj.exec:\vpvpj.exe48⤵
- Executes dropped EXE
PID:3292 -
\??\c:\xxxxfrr.exec:\xxxxfrr.exe49⤵
- Executes dropped EXE
PID:2020 -
\??\c:\nbhbtt.exec:\nbhbtt.exe50⤵
- Executes dropped EXE
PID:2180 -
\??\c:\dvvpj.exec:\dvvpj.exe51⤵
- Executes dropped EXE
PID:1368 -
\??\c:\lrxrfll.exec:\lrxrfll.exe52⤵
- Executes dropped EXE
PID:456 -
\??\c:\hhnbhb.exec:\hhnbhb.exe53⤵
- Executes dropped EXE
PID:4412 -
\??\c:\tntnhh.exec:\tntnhh.exe54⤵
- Executes dropped EXE
PID:556 -
\??\c:\5vpjd.exec:\5vpjd.exe55⤵
- Executes dropped EXE
PID:4420 -
\??\c:\3xrrllf.exec:\3xrrllf.exe56⤵
- Executes dropped EXE
PID:4900 -
\??\c:\nbhbhb.exec:\nbhbhb.exe57⤵
- Executes dropped EXE
PID:3060 -
\??\c:\jpjdd.exec:\jpjdd.exe58⤵
- Executes dropped EXE
PID:3048 -
\??\c:\xfxrllf.exec:\xfxrllf.exe59⤵
- Executes dropped EXE
PID:5028 -
\??\c:\bhtnbt.exec:\bhtnbt.exe60⤵
- Executes dropped EXE
PID:1884 -
\??\c:\tbtttt.exec:\tbtttt.exe61⤵
- Executes dropped EXE
PID:3628 -
\??\c:\jpvvd.exec:\jpvvd.exe62⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rlxlxrl.exec:\rlxlxrl.exe63⤵
- Executes dropped EXE
PID:960 -
\??\c:\hhtnhh.exec:\hhtnhh.exe64⤵
- Executes dropped EXE
PID:1140 -
\??\c:\pvjdp.exec:\pvjdp.exe65⤵
- Executes dropped EXE
PID:3808 -
\??\c:\xrxlfff.exec:\xrxlfff.exe66⤵
- Executes dropped EXE
PID:432 -
\??\c:\3hnhtn.exec:\3hnhtn.exe67⤵PID:1764
-
\??\c:\thnhbt.exec:\thnhbt.exe68⤵PID:1636
-
\??\c:\jdjjd.exec:\jdjjd.exe69⤵PID:2448
-
\??\c:\xlxxlll.exec:\xlxxlll.exe70⤵PID:2304
-
\??\c:\tbbhht.exec:\tbbhht.exe71⤵PID:1948
-
\??\c:\7vpjp.exec:\7vpjp.exe72⤵PID:3052
-
\??\c:\pjpvp.exec:\pjpvp.exe73⤵PID:4312
-
\??\c:\5lllffx.exec:\5lllffx.exe74⤵PID:2752
-
\??\c:\tbtntt.exec:\tbtntt.exe75⤵PID:4384
-
\??\c:\7pjdp.exec:\7pjdp.exe76⤵PID:1684
-
\??\c:\vdddp.exec:\vdddp.exe77⤵PID:972
-
\??\c:\5flxffl.exec:\5flxffl.exe78⤵PID:3040
-
\??\c:\hhbnhb.exec:\hhbnhb.exe79⤵PID:3996
-
\??\c:\tbbtnn.exec:\tbbtnn.exe80⤵PID:5064
-
\??\c:\jjddj.exec:\jjddj.exe81⤵PID:2844
-
\??\c:\9lflfll.exec:\9lflfll.exe82⤵PID:4904
-
\??\c:\tnnhhb.exec:\tnnhhb.exe83⤵PID:744
-
\??\c:\dvvpp.exec:\dvvpp.exe84⤵PID:4156
-
\??\c:\vdpjd.exec:\vdpjd.exe85⤵PID:4844
-
\??\c:\rllllfx.exec:\rllllfx.exe86⤵PID:1760
-
\??\c:\3tnnhh.exec:\3tnnhh.exe87⤵PID:3228
-
\??\c:\5vddd.exec:\5vddd.exe88⤵PID:4816
-
\??\c:\vdddv.exec:\vdddv.exe89⤵PID:3180
-
\??\c:\xrxrllf.exec:\xrxrllf.exe90⤵PID:1724
-
\??\c:\nnnnnt.exec:\nnnnnt.exe91⤵PID:2092
-
\??\c:\pjjvj.exec:\pjjvj.exe92⤵PID:3512
-
\??\c:\fxxxllf.exec:\fxxxllf.exe93⤵PID:3640
-
\??\c:\rxfxxll.exec:\rxfxxll.exe94⤵PID:1980
-
\??\c:\bbbttn.exec:\bbbttn.exe95⤵PID:3116
-
\??\c:\dpjdp.exec:\dpjdp.exe96⤵PID:1036
-
\??\c:\xrfxrrf.exec:\xrfxrrf.exe97⤵PID:2288
-
\??\c:\hbhttn.exec:\hbhttn.exe98⤵PID:3388
-
\??\c:\nnhthb.exec:\nnhthb.exe99⤵PID:4424
-
\??\c:\ddvpj.exec:\ddvpj.exe100⤵PID:3984
-
\??\c:\lfxlfxr.exec:\lfxlfxr.exe101⤵PID:3692
-
\??\c:\9ttbnt.exec:\9ttbnt.exe102⤵PID:1996
-
\??\c:\jjjjd.exec:\jjjjd.exe103⤵PID:3772
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe104⤵PID:3316
-
\??\c:\llrrxfl.exec:\llrrxfl.exe105⤵PID:4748
-
\??\c:\5ththb.exec:\5ththb.exe106⤵PID:2560
-
\??\c:\ppjjd.exec:\ppjjd.exe107⤵PID:440
-
\??\c:\rffrfxl.exec:\rffrfxl.exe108⤵PID:4804
-
\??\c:\rrrrlrx.exec:\rrrrlrx.exe109⤵PID:208
-
\??\c:\hhhbtt.exec:\hhhbtt.exe110⤵PID:464
-
\??\c:\vppjd.exec:\vppjd.exe111⤵PID:1040
-
\??\c:\pjjjv.exec:\pjjjv.exe112⤵PID:852
-
\??\c:\xxxxllf.exec:\xxxxllf.exe113⤵PID:2000
-
\??\c:\tbtthh.exec:\tbtthh.exe114⤵PID:1768
-
\??\c:\3djdd.exec:\3djdd.exe115⤵PID:2408
-
\??\c:\jjjdv.exec:\jjjdv.exe116⤵PID:3016
-
\??\c:\rxrrlff.exec:\rxrrlff.exe117⤵PID:964
-
\??\c:\1bthtn.exec:\1bthtn.exe118⤵PID:848
-
\??\c:\dppjv.exec:\dppjv.exe119⤵PID:2804
-
\??\c:\dvjvp.exec:\dvjvp.exe120⤵PID:2320
-
\??\c:\llrfxlf.exec:\llrfxlf.exe121⤵PID:5012
-
\??\c:\hbhbtt.exec:\hbhbtt.exe122⤵PID:764