Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/12/2024, 21:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4b76c597a4bf6ec9e802f1654f3f6a2e75f1159c73e0370193ef02ea63725b45N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
4b76c597a4bf6ec9e802f1654f3f6a2e75f1159c73e0370193ef02ea63725b45N.exe
-
Size
453KB
-
MD5
7247a54e4b333bc6e6c3a0e04c2474a0
-
SHA1
f27081034eede9e67f4f7fd7e9707f04e8ffb581
-
SHA256
4b76c597a4bf6ec9e802f1654f3f6a2e75f1159c73e0370193ef02ea63725b45
-
SHA512
312198ef82d281066be2757ee2eef2d44cb104e643078dd58b67bedc8e925ec818516d2cff2e80bf2314d3e62469b24d2c06ebd9f83f66378b98d67cb5cf8a93
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1912-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2184-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5040-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-1225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3648-1573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1376 lfrllll.exe 1172 pjjdp.exe 3564 9jjdv.exe 4160 vvvpp.exe 3884 lxfllrr.exe 4716 nhttbt.exe 4708 7btnhh.exe 2860 3jpdd.exe 3336 dvvpp.exe 1044 rllfxrr.exe 3000 lfxrlfx.exe 4816 nhbbtb.exe 1876 vpddj.exe 1000 fflfrrf.exe 2004 bhhbtn.exe 2856 rlrlxxl.exe 4888 djjdv.exe 3196 1pddv.exe 1468 rxlfxrl.exe 1244 hhnhbt.exe 2948 httnhh.exe 1544 pddvp.exe 388 xrffrxr.exe 4164 ttnhbb.exe 4060 ntnhhb.exe 2168 dvvjd.exe 748 lxrrxxr.exe 3680 bnnnhn.exe 4584 pjvvv.exe 916 vjjjd.exe 3460 rlxrllf.exe 2848 rlrlrlr.exe 2348 nnhntn.exe 4156 7dpjv.exe 316 xlrrxll.exe 4216 tttnbb.exe 3984 jdpdp.exe 2480 pppjp.exe 4808 flxrffx.exe 2184 hbthth.exe 640 3hbhbh.exe 3004 jdpjj.exe 1016 rlrfxrf.exe 544 rlfrfrl.exe 1336 bnbntn.exe 4300 dvddp.exe 4312 pdjjd.exe 2420 3ffxrrf.exe 1632 thtntt.exe 3892 pjvpj.exe 4928 llrxxxr.exe 3900 hhbbnn.exe 4580 vjdjj.exe 1212 pvddv.exe 452 rxrrlfx.exe 3868 btntht.exe 3356 vvvjd.exe 4436 bnhbtn.exe 2916 pdjdv.exe 116 lffxllx.exe 1296 fxffrxl.exe 4536 ntbhbn.exe 4468 jpdvv.exe 2796 rlfrlfx.exe -
resource yara_rule behavioral2/memory/1912-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-230-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2184-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-389-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3692-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-711-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1912 wrote to memory of 1376 1912 4b76c597a4bf6ec9e802f1654f3f6a2e75f1159c73e0370193ef02ea63725b45N.exe 83 PID 1912 wrote to memory of 1376 1912 4b76c597a4bf6ec9e802f1654f3f6a2e75f1159c73e0370193ef02ea63725b45N.exe 83 PID 1912 wrote to memory of 1376 1912 4b76c597a4bf6ec9e802f1654f3f6a2e75f1159c73e0370193ef02ea63725b45N.exe 83 PID 1376 wrote to memory of 1172 1376 lfrllll.exe 84 PID 1376 wrote to memory of 1172 1376 lfrllll.exe 84 PID 1376 wrote to memory of 1172 1376 lfrllll.exe 84 PID 1172 wrote to memory of 3564 1172 pjjdp.exe 85 PID 1172 wrote to memory of 3564 1172 pjjdp.exe 85 PID 1172 wrote to memory of 3564 1172 pjjdp.exe 85 PID 3564 wrote to memory of 4160 3564 9jjdv.exe 86 PID 3564 wrote to memory of 4160 3564 9jjdv.exe 86 PID 3564 wrote to memory of 4160 3564 9jjdv.exe 86 PID 4160 wrote to memory of 3884 4160 vvvpp.exe 87 PID 4160 wrote to memory of 3884 4160 vvvpp.exe 87 PID 4160 wrote to memory of 3884 4160 vvvpp.exe 87 PID 3884 wrote to memory of 4716 3884 lxfllrr.exe 88 PID 3884 wrote to memory of 4716 3884 lxfllrr.exe 88 PID 3884 wrote to memory of 4716 3884 lxfllrr.exe 88 PID 4716 wrote to memory of 4708 4716 nhttbt.exe 89 PID 4716 wrote to memory of 4708 4716 nhttbt.exe 89 PID 4716 wrote to memory of 4708 4716 nhttbt.exe 89 PID 4708 wrote to memory of 2860 4708 7btnhh.exe 90 PID 4708 wrote to memory of 2860 4708 7btnhh.exe 90 PID 4708 wrote to memory of 2860 4708 7btnhh.exe 90 PID 2860 wrote to memory of 3336 2860 3jpdd.exe 91 PID 2860 wrote to memory of 3336 2860 3jpdd.exe 91 PID 2860 wrote to memory of 3336 2860 3jpdd.exe 91 PID 3336 wrote to memory of 1044 3336 dvvpp.exe 92 PID 3336 wrote to memory of 1044 3336 dvvpp.exe 92 PID 3336 wrote to memory of 1044 3336 dvvpp.exe 92 PID 1044 wrote to memory of 3000 1044 rllfxrr.exe 93 PID 1044 wrote to memory of 3000 1044 rllfxrr.exe 93 PID 1044 wrote to memory of 3000 1044 rllfxrr.exe 93 PID 3000 wrote to memory of 4816 3000 lfxrlfx.exe 94 PID 3000 wrote to 
memory of 4816 3000 lfxrlfx.exe 94 PID 3000 wrote to memory of 4816 3000 lfxrlfx.exe 94 PID 4816 wrote to memory of 1876 4816 nhbbtb.exe 95 PID 4816 wrote to memory of 1876 4816 nhbbtb.exe 95 PID 4816 wrote to memory of 1876 4816 nhbbtb.exe 95 PID 1876 wrote to memory of 1000 1876 vpddj.exe 96 PID 1876 wrote to memory of 1000 1876 vpddj.exe 96 PID 1876 wrote to memory of 1000 1876 vpddj.exe 96 PID 1000 wrote to memory of 2004 1000 fflfrrf.exe 97 PID 1000 wrote to memory of 2004 1000 fflfrrf.exe 97 PID 1000 wrote to memory of 2004 1000 fflfrrf.exe 97 PID 2004 wrote to memory of 2856 2004 bhhbtn.exe 98 PID 2004 wrote to memory of 2856 2004 bhhbtn.exe 98 PID 2004 wrote to memory of 2856 2004 bhhbtn.exe 98 PID 2856 wrote to memory of 4888 2856 rlrlxxl.exe 99 PID 2856 wrote to memory of 4888 2856 rlrlxxl.exe 99 PID 2856 wrote to memory of 4888 2856 rlrlxxl.exe 99 PID 4888 wrote to memory of 3196 4888 djjdv.exe 100 PID 4888 wrote to memory of 3196 4888 djjdv.exe 100 PID 4888 wrote to memory of 3196 4888 djjdv.exe 100 PID 3196 wrote to memory of 1468 3196 1pddv.exe 101 PID 3196 wrote to memory of 1468 3196 1pddv.exe 101 PID 3196 wrote to memory of 1468 3196 1pddv.exe 101 PID 1468 wrote to memory of 1244 1468 rxlfxrl.exe 102 PID 1468 wrote to memory of 1244 1468 rxlfxrl.exe 102 PID 1468 wrote to memory of 1244 1468 rxlfxrl.exe 102 PID 1244 wrote to memory of 2948 1244 hhnhbt.exe 103 PID 1244 wrote to memory of 2948 1244 hhnhbt.exe 103 PID 1244 wrote to memory of 2948 1244 hhnhbt.exe 103 PID 2948 wrote to memory of 1544 2948 httnhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b76c597a4bf6ec9e802f1654f3f6a2e75f1159c73e0370193ef02ea63725b45N.exe"C:\Users\Admin\AppData\Local\Temp\4b76c597a4bf6ec9e802f1654f3f6a2e75f1159c73e0370193ef02ea63725b45N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\lfrllll.exec:\lfrllll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\pjjdp.exec:\pjjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\9jjdv.exec:\9jjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\vvvpp.exec:\vvvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\lxfllrr.exec:\lxfllrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\nhttbt.exec:\nhttbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\7btnhh.exec:\7btnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\3jpdd.exec:\3jpdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\dvvpp.exec:\dvvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\rllfxrr.exec:\rllfxrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\nhbbtb.exec:\nhbbtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\vpddj.exec:\vpddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\fflfrrf.exec:\fflfrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\bhhbtn.exec:\bhhbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\rlrlxxl.exec:\rlrlxxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\djjdv.exec:\djjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\1pddv.exec:\1pddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\rxlfxrl.exec:\rxlfxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\hhnhbt.exec:\hhnhbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\httnhh.exec:\httnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\pddvp.exec:\pddvp.exe23⤵
- Executes dropped EXE
PID:1544 -
\??\c:\xrffrxr.exec:\xrffrxr.exe24⤵
- Executes dropped EXE
PID:388 -
\??\c:\ttnhbb.exec:\ttnhbb.exe25⤵
- Executes dropped EXE
PID:4164 -
\??\c:\ntnhhb.exec:\ntnhhb.exe26⤵
- Executes dropped EXE
PID:4060 -
\??\c:\dvvjd.exec:\dvvjd.exe27⤵
- Executes dropped EXE
PID:2168 -
\??\c:\lxrrxxr.exec:\lxrrxxr.exe28⤵
- Executes dropped EXE
PID:748 -
\??\c:\bnnnhn.exec:\bnnnhn.exe29⤵
- Executes dropped EXE
PID:3680 -
\??\c:\pjvvv.exec:\pjvvv.exe30⤵
- Executes dropped EXE
PID:4584 -
\??\c:\vjjjd.exec:\vjjjd.exe31⤵
- Executes dropped EXE
PID:916 -
\??\c:\rlxrllf.exec:\rlxrllf.exe32⤵
- Executes dropped EXE
PID:3460 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe33⤵
- Executes dropped EXE
PID:2848 -
\??\c:\nnhntn.exec:\nnhntn.exe34⤵
- Executes dropped EXE
PID:2348 -
\??\c:\7dpjv.exec:\7dpjv.exe35⤵
- Executes dropped EXE
PID:4156 -
\??\c:\xlrrxll.exec:\xlrrxll.exe36⤵
- Executes dropped EXE
PID:316 -
\??\c:\tttnbb.exec:\tttnbb.exe37⤵
- Executes dropped EXE
PID:4216 -
\??\c:\jdpdp.exec:\jdpdp.exe38⤵
- Executes dropped EXE
PID:3984 -
\??\c:\pppjp.exec:\pppjp.exe39⤵
- Executes dropped EXE
PID:2480 -
\??\c:\flxrffx.exec:\flxrffx.exe40⤵
- Executes dropped EXE
PID:4808 -
\??\c:\hbthth.exec:\hbthth.exe41⤵
- Executes dropped EXE
PID:2184 -
\??\c:\3hbhbh.exec:\3hbhbh.exe42⤵
- Executes dropped EXE
PID:640 -
\??\c:\jdpjj.exec:\jdpjj.exe43⤵
- Executes dropped EXE
PID:3004 -
\??\c:\rlrfxrf.exec:\rlrfxrf.exe44⤵
- Executes dropped EXE
PID:1016 -
\??\c:\rlfrfrl.exec:\rlfrfrl.exe45⤵
- Executes dropped EXE
PID:544 -
\??\c:\bnbntn.exec:\bnbntn.exe46⤵
- Executes dropped EXE
PID:1336 -
\??\c:\dvddp.exec:\dvddp.exe47⤵
- Executes dropped EXE
PID:4300 -
\??\c:\pdjjd.exec:\pdjjd.exe48⤵
- Executes dropped EXE
PID:4312 -
\??\c:\3ffxrrf.exec:\3ffxrrf.exe49⤵
- Executes dropped EXE
PID:2420 -
\??\c:\thtntt.exec:\thtntt.exe50⤵
- Executes dropped EXE
PID:1632 -
\??\c:\pjvpj.exec:\pjvpj.exe51⤵
- Executes dropped EXE
PID:3892 -
\??\c:\llrxxxr.exec:\llrxxxr.exe52⤵
- Executes dropped EXE
PID:4928 -
\??\c:\hhbbnn.exec:\hhbbnn.exe53⤵
- Executes dropped EXE
PID:3900 -
\??\c:\vjdjj.exec:\vjdjj.exe54⤵
- Executes dropped EXE
PID:4580 -
\??\c:\pvddv.exec:\pvddv.exe55⤵
- Executes dropped EXE
PID:1212 -
\??\c:\rxrrlfx.exec:\rxrrlfx.exe56⤵
- Executes dropped EXE
PID:452 -
\??\c:\btntht.exec:\btntht.exe57⤵
- Executes dropped EXE
PID:3868 -
\??\c:\vvvjd.exec:\vvvjd.exe58⤵
- Executes dropped EXE
PID:3356 -
\??\c:\bnhbtn.exec:\bnhbtn.exe59⤵
- Executes dropped EXE
PID:4436 -
\??\c:\pdjdv.exec:\pdjdv.exe60⤵
- Executes dropped EXE
PID:2916 -
\??\c:\lffxllx.exec:\lffxllx.exe61⤵
- Executes dropped EXE
PID:116 -
\??\c:\fxffrxl.exec:\fxffrxl.exe62⤵
- Executes dropped EXE
PID:1296 -
\??\c:\ntbhbn.exec:\ntbhbn.exe63⤵
- Executes dropped EXE
PID:4536 -
\??\c:\jpdvv.exec:\jpdvv.exe64⤵
- Executes dropped EXE
PID:4468 -
\??\c:\rlfrlfx.exec:\rlfrlfx.exe65⤵
- Executes dropped EXE
PID:2796 -
\??\c:\rxfxrrx.exec:\rxfxrrx.exe66⤵PID:2096
-
\??\c:\nnbnnh.exec:\nnbnnh.exe67⤵PID:744
-
\??\c:\lflrlfx.exec:\lflrlfx.exe68⤵
- System Location Discovery: System Language Discovery
PID:4916 -
\??\c:\7hbhbb.exec:\7hbhbb.exe69⤵PID:3956
-
\??\c:\pdpdd.exec:\pdpdd.exe70⤵PID:3020
-
\??\c:\fflflxx.exec:\fflflxx.exe71⤵PID:4868
-
\??\c:\ntnhnb.exec:\ntnhnb.exe72⤵PID:4972
-
\??\c:\hhbhnn.exec:\hhbhnn.exe73⤵PID:3176
-
\??\c:\dvvjv.exec:\dvvjv.exe74⤵PID:4888
-
\??\c:\xfffxxr.exec:\xfffxxr.exe75⤵PID:3196
-
\??\c:\nhhbbb.exec:\nhhbbb.exe76⤵PID:2896
-
\??\c:\fxlflfr.exec:\fxlflfr.exe77⤵PID:4336
-
\??\c:\bbhbtt.exec:\bbhbtt.exe78⤵PID:2792
-
\??\c:\vvjvd.exec:\vvjvd.exe79⤵PID:2372
-
\??\c:\jjddv.exec:\jjddv.exe80⤵PID:2296
-
\??\c:\ntbtnh.exec:\ntbtnh.exe81⤵PID:2760
-
\??\c:\xxlxrrl.exec:\xxlxrrl.exe82⤵PID:1896
-
\??\c:\hbhbtb.exec:\hbhbtb.exe83⤵PID:624
-
\??\c:\5jpjv.exec:\5jpjv.exe84⤵PID:5040
-
\??\c:\1xrlfxf.exec:\1xrlfxf.exe85⤵PID:2144
-
\??\c:\htnhbt.exec:\htnhbt.exe86⤵PID:1804
-
\??\c:\pvpdv.exec:\pvpdv.exe87⤵PID:2140
-
\??\c:\xfflxrl.exec:\xfflxrl.exe88⤵PID:2052
-
\??\c:\bbbhbt.exec:\bbbhbt.exe89⤵PID:2564
-
\??\c:\jdjdj.exec:\jdjdj.exe90⤵PID:1492
-
\??\c:\9llfxlf.exec:\9llfxlf.exe91⤵PID:3464
-
\??\c:\9ffxrlf.exec:\9ffxrlf.exe92⤵PID:1368
-
\??\c:\hhbtnn.exec:\hhbtnn.exe93⤵PID:2272
-
\??\c:\9vvpd.exec:\9vvpd.exe94⤵
- System Location Discovery: System Language Discovery
PID:3648 -
\??\c:\xxflxrf.exec:\xxflxrf.exe95⤵PID:412
-
\??\c:\5tthhb.exec:\5tthhb.exe96⤵PID:4784
-
\??\c:\hbtbnh.exec:\hbtbnh.exe97⤵PID:2592
-
\??\c:\1vpvp.exec:\1vpvp.exe98⤵PID:4156
-
\??\c:\fxrlflf.exec:\fxrlflf.exe99⤵PID:3692
-
\??\c:\hbbthb.exec:\hbbthb.exe100⤵PID:4280
-
\??\c:\pjdvp.exec:\pjdvp.exe101⤵PID:2156
-
\??\c:\vjvdp.exec:\vjvdp.exe102⤵PID:1652
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe103⤵PID:2132
-
\??\c:\5bbnbb.exec:\5bbnbb.exe104⤵PID:2376
-
\??\c:\dppdp.exec:\dppdp.exe105⤵PID:4872
-
\??\c:\lflffxf.exec:\lflffxf.exe106⤵PID:4132
-
\??\c:\9xllxfx.exec:\9xllxfx.exe107⤵PID:1780
-
\??\c:\nnnhtn.exec:\nnnhtn.exe108⤵PID:3992
-
\??\c:\pjvjj.exec:\pjvjj.exe109⤵PID:4508
-
\??\c:\lrrllll.exec:\lrrllll.exe110⤵
- System Location Discovery: System Language Discovery
PID:4320 -
\??\c:\rfxrrlr.exec:\rfxrrlr.exe111⤵PID:4316
-
\??\c:\htthtn.exec:\htthtn.exe112⤵PID:2340
-
\??\c:\pjdvd.exec:\pjdvd.exe113⤵PID:3668
-
\??\c:\frrrfrr.exec:\frrrfrr.exe114⤵PID:2420
-
\??\c:\nhbnbb.exec:\nhbnbb.exe115⤵PID:4576
-
\??\c:\ntbnbn.exec:\ntbnbn.exe116⤵
- System Location Discovery: System Language Discovery
PID:3236 -
\??\c:\dvpjd.exec:\dvpjd.exe117⤵PID:3172
-
\??\c:\rfxlxlf.exec:\rfxlxlf.exe118⤵PID:2092
-
\??\c:\bttnht.exec:\bttnht.exe119⤵PID:2016
-
\??\c:\vjvjv.exec:\vjvjv.exe120⤵PID:4248
-
\??\c:\frllxlf.exec:\frllxlf.exe121⤵PID:4944
-
\??\c:\bhthht.exec:\bhthht.exe122⤵PID:548