Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe
-
Size
456KB
-
MD5
46c337bdd40d51b105801753017cabed
-
SHA1
5d8bda2facb4d8c7e4ef37aa8598f9c1d0820186
-
SHA256
744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d
-
SHA512
546f8a904c8f2ecd3b520c5e6065937013452b716464698e78eb8f1a6e7f21ba271ccc0075e727d561ac90aba9c6be77643c587102b1e9fc6a128c4d956d9ba6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRs:q7Tc2NYHUrAwfMp3CDRs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/4688-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1912-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4980-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-878-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-1232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3076 9ffrxlf.exe 2052 dppvj.exe 4516 llffrxl.exe 4164 pjdpj.exe 3752 bbhttn.exe 2148 fffflfr.exe 4720 7ffrfrf.exe 1984 7ppdj.exe 4740 btbtht.exe 1636 pdvjv.exe 2808 xrxlfxx.exe 1748 nhhtnh.exe 532 pdvjv.exe 3360 ttnhbt.exe 912 9jdvj.exe 3356 vjdvd.exe 4436 5nnbbt.exe 3960 frrlfrl.exe 4200 tbbthn.exe 1544 pdjvp.exe 4472 rllflfl.exe 4184 frlfrll.exe 4652 3pdvj.exe 1912 jdvjd.exe 716 3bthbt.exe 4208 pdjpv.exe 2780 rxlrflr.exe 1160 7llfffr.exe 3944 hnnbhb.exe 852 djjvd.exe 1716 tnnbtn.exe 5040 dpjdv.exe 740 bnbthb.exe 1072 vpjdp.exe 4628 pvjvj.exe 2260 rffrfxr.exe 4044 rxfxllx.exe 4948 tbbtnh.exe 384 9dvpj.exe 4376 xxlfxrl.exe 2456 rfxrfxl.exe 4936 bhhtnh.exe 3452 jjpdv.exe 560 pvdvj.exe 1808 lxfxlrr.exe 2312 hbnhtn.exe 4668 7pjdv.exe 4140 lrrffxr.exe 2104 bhtnhh.exe 1864 djjdv.exe 1772 1ddpd.exe 2324 xrxlrlf.exe 4396 3hhhtt.exe 2400 5bbbbb.exe 3544 3frflfr.exe 3368 thbthb.exe 5060 3pjdv.exe 208 jdjvp.exe 4516 rfrrllf.exe 3736 5bhhbb.exe 3536 7pjdp.exe 3752 rrrlxfx.exe 2148 hhntnt.exe 1300 hbbbnn.exe -
resource yara_rule behavioral2/memory/4688-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1912-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4520-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-949-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-948-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4688 wrote to memory of 3076 4688 744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe 82 PID 4688 wrote to memory of 3076 4688 744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe 82 PID 4688 wrote to memory of 3076 4688 744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe 82 PID 3076 wrote to memory of 2052 3076 9ffrxlf.exe 83 PID 3076 wrote to memory of 2052 3076 9ffrxlf.exe 83 PID 3076 wrote to memory of 2052 3076 9ffrxlf.exe 83 PID 2052 wrote to memory of 4516 2052 dppvj.exe 84 PID 2052 wrote to memory of 4516 2052 dppvj.exe 84 PID 2052 wrote to memory of 4516 2052 dppvj.exe 84 PID 4516 wrote to memory of 4164 4516 llffrxl.exe 85 PID 4516 wrote to memory of 4164 4516 llffrxl.exe 85 PID 4516 wrote to memory of 4164 4516 llffrxl.exe 85 PID 4164 wrote to memory of 3752 4164 pjdpj.exe 86 PID 4164 wrote to memory of 3752 4164 pjdpj.exe 86 PID 4164 wrote to memory of 3752 4164 pjdpj.exe 86 PID 3752 wrote to memory of 2148 3752 bbhttn.exe 87 PID 3752 wrote to memory of 2148 3752 bbhttn.exe 87 PID 3752 wrote to memory of 2148 3752 bbhttn.exe 87 PID 2148 wrote to memory of 4720 2148 fffflfr.exe 88 PID 2148 wrote to memory of 4720 2148 fffflfr.exe 88 PID 2148 wrote to memory of 4720 2148 fffflfr.exe 88 PID 4720 wrote to memory of 1984 4720 7ffrfrf.exe 89 PID 4720 wrote to memory of 1984 4720 7ffrfrf.exe 89 PID 4720 wrote to memory of 1984 4720 7ffrfrf.exe 89 PID 1984 wrote to memory of 4740 1984 7ppdj.exe 90 PID 1984 wrote to memory of 4740 1984 7ppdj.exe 90 PID 1984 wrote to memory of 4740 1984 7ppdj.exe 90 PID 4740 wrote to memory of 1636 4740 btbtht.exe 91 PID 4740 wrote to memory of 1636 4740 btbtht.exe 91 PID 4740 wrote to memory of 1636 4740 btbtht.exe 91 PID 1636 wrote to memory of 2808 1636 pdvjv.exe 92 PID 1636 wrote to memory of 2808 1636 pdvjv.exe 92 PID 1636 wrote to memory of 2808 1636 pdvjv.exe 92 PID 2808 wrote to memory of 1748 2808 xrxlfxx.exe 93 PID 2808 wrote to 
memory of 1748 2808 xrxlfxx.exe 93 PID 2808 wrote to memory of 1748 2808 xrxlfxx.exe 93 PID 1748 wrote to memory of 532 1748 nhhtnh.exe 94 PID 1748 wrote to memory of 532 1748 nhhtnh.exe 94 PID 1748 wrote to memory of 532 1748 nhhtnh.exe 94 PID 532 wrote to memory of 3360 532 pdvjv.exe 95 PID 532 wrote to memory of 3360 532 pdvjv.exe 95 PID 532 wrote to memory of 3360 532 pdvjv.exe 95 PID 3360 wrote to memory of 912 3360 ttnhbt.exe 96 PID 3360 wrote to memory of 912 3360 ttnhbt.exe 96 PID 3360 wrote to memory of 912 3360 ttnhbt.exe 96 PID 912 wrote to memory of 3356 912 9jdvj.exe 97 PID 912 wrote to memory of 3356 912 9jdvj.exe 97 PID 912 wrote to memory of 3356 912 9jdvj.exe 97 PID 3356 wrote to memory of 4436 3356 vjdvd.exe 98 PID 3356 wrote to memory of 4436 3356 vjdvd.exe 98 PID 3356 wrote to memory of 4436 3356 vjdvd.exe 98 PID 4436 wrote to memory of 3960 4436 5nnbbt.exe 99 PID 4436 wrote to memory of 3960 4436 5nnbbt.exe 99 PID 4436 wrote to memory of 3960 4436 5nnbbt.exe 99 PID 3960 wrote to memory of 4200 3960 frrlfrl.exe 100 PID 3960 wrote to memory of 4200 3960 frrlfrl.exe 100 PID 3960 wrote to memory of 4200 3960 frrlfrl.exe 100 PID 4200 wrote to memory of 1544 4200 tbbthn.exe 101 PID 4200 wrote to memory of 1544 4200 tbbthn.exe 101 PID 4200 wrote to memory of 1544 4200 tbbthn.exe 101 PID 1544 wrote to memory of 4472 1544 pdjvp.exe 102 PID 1544 wrote to memory of 4472 1544 pdjvp.exe 102 PID 1544 wrote to memory of 4472 1544 pdjvp.exe 102 PID 4472 wrote to memory of 4184 4472 rllflfl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe"C:\Users\Admin\AppData\Local\Temp\744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\9ffrxlf.exec:\9ffrxlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\dppvj.exec:\dppvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\llffrxl.exec:\llffrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\pjdpj.exec:\pjdpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\bbhttn.exec:\bbhttn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\fffflfr.exec:\fffflfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\7ffrfrf.exec:\7ffrfrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\7ppdj.exec:\7ppdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\btbtht.exec:\btbtht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\pdvjv.exec:\pdvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\xrxlfxx.exec:\xrxlfxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\nhhtnh.exec:\nhhtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\pdvjv.exec:\pdvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\ttnhbt.exec:\ttnhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\9jdvj.exec:\9jdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\vjdvd.exec:\vjdvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\5nnbbt.exec:\5nnbbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\frrlfrl.exec:\frrlfrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\tbbthn.exec:\tbbthn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\pdjvp.exec:\pdjvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\rllflfl.exec:\rllflfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\frlfrll.exec:\frlfrll.exe23⤵
- Executes dropped EXE
PID:4184 -
\??\c:\3pdvj.exec:\3pdvj.exe24⤵
- Executes dropped EXE
PID:4652 -
\??\c:\jdvjd.exec:\jdvjd.exe25⤵
- Executes dropped EXE
PID:1912 -
\??\c:\3bthbt.exec:\3bthbt.exe26⤵
- Executes dropped EXE
PID:716 -
\??\c:\pdjpv.exec:\pdjpv.exe27⤵
- Executes dropped EXE
PID:4208 -
\??\c:\rxlrflr.exec:\rxlrflr.exe28⤵
- Executes dropped EXE
PID:2780 -
\??\c:\7llfffr.exec:\7llfffr.exe29⤵
- Executes dropped EXE
PID:1160 -
\??\c:\hnnbhb.exec:\hnnbhb.exe30⤵
- Executes dropped EXE
PID:3944 -
\??\c:\djjvd.exec:\djjvd.exe31⤵
- Executes dropped EXE
PID:852 -
\??\c:\tnnbtn.exec:\tnnbtn.exe32⤵
- Executes dropped EXE
PID:1716 -
\??\c:\dpjdv.exec:\dpjdv.exe33⤵
- Executes dropped EXE
PID:5040 -
\??\c:\bnbthb.exec:\bnbthb.exe34⤵
- Executes dropped EXE
PID:740 -
\??\c:\vpjdp.exec:\vpjdp.exe35⤵
- Executes dropped EXE
PID:1072 -
\??\c:\pvjvj.exec:\pvjvj.exe36⤵
- Executes dropped EXE
PID:4628 -
\??\c:\rffrfxr.exec:\rffrfxr.exe37⤵
- Executes dropped EXE
PID:2260 -
\??\c:\rxfxllx.exec:\rxfxllx.exe38⤵
- Executes dropped EXE
PID:4044 -
\??\c:\tbbtnh.exec:\tbbtnh.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4948 -
\??\c:\9dvpj.exec:\9dvpj.exe40⤵
- Executes dropped EXE
PID:384 -
\??\c:\xxlfxrl.exec:\xxlfxrl.exe41⤵
- Executes dropped EXE
PID:4376 -
\??\c:\rfxrfxl.exec:\rfxrfxl.exe42⤵
- Executes dropped EXE
PID:2456 -
\??\c:\bhhtnh.exec:\bhhtnh.exe43⤵
- Executes dropped EXE
PID:4936 -
\??\c:\jjpdv.exec:\jjpdv.exe44⤵
- Executes dropped EXE
PID:3452 -
\??\c:\pvdvj.exec:\pvdvj.exe45⤵
- Executes dropped EXE
PID:560 -
\??\c:\lxfxlrr.exec:\lxfxlrr.exe46⤵
- Executes dropped EXE
PID:1808 -
\??\c:\hbnhtn.exec:\hbnhtn.exe47⤵
- Executes dropped EXE
PID:2312 -
\??\c:\7pjdv.exec:\7pjdv.exe48⤵
- Executes dropped EXE
PID:4668 -
\??\c:\lrrffxr.exec:\lrrffxr.exe49⤵
- Executes dropped EXE
PID:4140 -
\??\c:\bhtnhh.exec:\bhtnhh.exe50⤵
- Executes dropped EXE
PID:2104 -
\??\c:\djjdv.exec:\djjdv.exe51⤵
- Executes dropped EXE
PID:1864 -
\??\c:\1ddpd.exec:\1ddpd.exe52⤵
- Executes dropped EXE
PID:1772 -
\??\c:\xrxlrlf.exec:\xrxlrlf.exe53⤵
- Executes dropped EXE
PID:2324 -
\??\c:\3hhhtt.exec:\3hhhtt.exe54⤵
- Executes dropped EXE
PID:4396 -
\??\c:\5bbbbb.exec:\5bbbbb.exe55⤵
- Executes dropped EXE
PID:2400 -
\??\c:\3frflfr.exec:\3frflfr.exe56⤵
- Executes dropped EXE
PID:3544 -
\??\c:\thbthb.exec:\thbthb.exe57⤵
- Executes dropped EXE
PID:3368 -
\??\c:\3pjdv.exec:\3pjdv.exe58⤵
- Executes dropped EXE
PID:5060 -
\??\c:\jdjvp.exec:\jdjvp.exe59⤵
- Executes dropped EXE
PID:208 -
\??\c:\rfrrllf.exec:\rfrrllf.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4516 -
\??\c:\5bhhbb.exec:\5bhhbb.exe61⤵
- Executes dropped EXE
PID:3736 -
\??\c:\7pjdp.exec:\7pjdp.exe62⤵
- Executes dropped EXE
PID:3536 -
\??\c:\rrrlxfx.exec:\rrrlxfx.exe63⤵
- Executes dropped EXE
PID:3752 -
\??\c:\hhntnt.exec:\hhntnt.exe64⤵
- Executes dropped EXE
PID:2148 -
\??\c:\hbbbnn.exec:\hbbbnn.exe65⤵
- Executes dropped EXE
PID:1300 -
\??\c:\djpjv.exec:\djpjv.exe66⤵PID:4720
-
\??\c:\xrfrrrr.exec:\xrfrrrr.exe67⤵
- System Location Discovery: System Language Discovery
PID:856 -
\??\c:\1ttnhh.exec:\1ttnhh.exe68⤵PID:3308
-
\??\c:\1bhbnn.exec:\1bhbnn.exe69⤵PID:4448
-
\??\c:\jddpv.exec:\jddpv.exe70⤵PID:1936
-
\??\c:\7lfrlrl.exec:\7lfrlrl.exe71⤵PID:1896
-
\??\c:\lflffxx.exec:\lflffxx.exe72⤵PID:3732
-
\??\c:\nnnhbb.exec:\nnnhbb.exe73⤵PID:3744
-
\??\c:\dvvvv.exec:\dvvvv.exe74⤵
- System Location Discovery: System Language Discovery
PID:4852 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe75⤵PID:3200
-
\??\c:\thbtnh.exec:\thbtnh.exe76⤵PID:2916
-
\??\c:\nbtnnh.exec:\nbtnnh.exe77⤵PID:832
-
\??\c:\dvvpd.exec:\dvvpd.exe78⤵
- System Location Discovery: System Language Discovery
PID:4980 -
\??\c:\9frfxrx.exec:\9frfxrx.exe79⤵PID:1484
-
\??\c:\hhbbhb.exec:\hhbbhb.exe80⤵PID:3356
-
\??\c:\jddvd.exec:\jddvd.exe81⤵PID:1152
-
\??\c:\djjjv.exec:\djjjv.exe82⤵PID:1500
-
\??\c:\3ffxllf.exec:\3ffxllf.exe83⤵PID:2468
-
\??\c:\9lrlfff.exec:\9lrlfff.exe84⤵PID:876
-
\??\c:\nnnnhh.exec:\nnnnhh.exe85⤵PID:652
-
\??\c:\9pjpp.exec:\9pjpp.exe86⤵PID:4472
-
\??\c:\5rrlfxr.exec:\5rrlfxr.exe87⤵PID:4320
-
\??\c:\ffrxrlf.exec:\ffrxrlf.exe88⤵PID:2028
-
\??\c:\tbttnh.exec:\tbttnh.exe89⤵PID:4652
-
\??\c:\pjdvj.exec:\pjdvj.exe90⤵PID:4520
-
\??\c:\1xfrrlr.exec:\1xfrrlr.exe91⤵PID:4808
-
\??\c:\hnhbtb.exec:\hnhbtb.exe92⤵PID:716
-
\??\c:\nnntnt.exec:\nnntnt.exe93⤵PID:4460
-
\??\c:\9vpjd.exec:\9vpjd.exe94⤵PID:3928
-
\??\c:\frrlxrl.exec:\frrlxrl.exe95⤵PID:2224
-
\??\c:\ffrlxxr.exec:\ffrlxxr.exe96⤵PID:1160
-
\??\c:\bthbhb.exec:\bthbhb.exe97⤵PID:1584
-
\??\c:\ppvpj.exec:\ppvpj.exe98⤵PID:4636
-
\??\c:\5lrfxrl.exec:\5lrfxrl.exe99⤵PID:3320
-
\??\c:\9fxrlfx.exec:\9fxrlfx.exe100⤵PID:4420
-
\??\c:\thnhbb.exec:\thnhbb.exe101⤵PID:4984
-
\??\c:\pjjdp.exec:\pjjdp.exe102⤵PID:924
-
\??\c:\xxfxlff.exec:\xxfxlff.exe103⤵PID:1012
-
\??\c:\rlxlrxl.exec:\rlxlrxl.exe104⤵PID:2844
-
\??\c:\nhbbtn.exec:\nhbbtn.exe105⤵PID:1624
-
\??\c:\nbhtnh.exec:\nbhtnh.exe106⤵PID:5036
-
\??\c:\3jjdv.exec:\3jjdv.exe107⤵PID:3668
-
\??\c:\xffxxxr.exec:\xffxxxr.exe108⤵PID:4304
-
\??\c:\hbtnhb.exec:\hbtnhb.exe109⤵PID:4632
-
\??\c:\hbbtnn.exec:\hbbtnn.exe110⤵PID:4376
-
\??\c:\1vdvp.exec:\1vdvp.exe111⤵PID:5092
-
\??\c:\3xrlffx.exec:\3xrlffx.exe112⤵PID:1908
-
\??\c:\lffxffx.exec:\lffxffx.exe113⤵PID:3656
-
\??\c:\thhhbt.exec:\thhhbt.exe114⤵PID:2532
-
\??\c:\jdjjd.exec:\jdjjd.exe115⤵PID:4944
-
\??\c:\3vdpd.exec:\3vdpd.exe116⤵PID:4016
-
\??\c:\flllfrl.exec:\flllfrl.exe117⤵PID:4668
-
\??\c:\thnhhh.exec:\thnhhh.exe118⤵PID:5056
-
\??\c:\tbhtnn.exec:\tbhtnn.exe119⤵PID:2104
-
\??\c:\jdjdv.exec:\jdjdv.exe120⤵PID:3492
-
\??\c:\xlxrllf.exec:\xlxrllf.exe121⤵PID:732
-
\??\c:\xrxrxfx.exec:\xrxrxfx.exe122⤵PID:4392