Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 00:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
771bbed5bc02a626fda50b0882a51ad808022524168fe48a8cd6223fb8c10ff6N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
771bbed5bc02a626fda50b0882a51ad808022524168fe48a8cd6223fb8c10ff6N.exe
-
Size
454KB
-
MD5
fff8174ac6791aff7f1d0060ab0e9b80
-
SHA1
7810919cd2910614e9e5192a9d0f75f9c9e9b8a1
-
SHA256
771bbed5bc02a626fda50b0882a51ad808022524168fe48a8cd6223fb8c10ff6
-
SHA512
69b7f0bf2ea99749a93bfcf44d15ce15ed118f34d920ff418c357ad69e6b09bbcc1b48455fb31f68557c3a78f3a9007a8812dcd3de69f1565686d224a85e6348
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/2828-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4640-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2664-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-1206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2828 ppdpv.exe 736 rlrlffx.exe 4152 bbhtbt.exe 220 hntnbb.exe 2168 vdjjd.exe 2788 vjjvp.exe 2988 5vpdp.exe 4256 bnnhhh.exe 3828 nnthhb.exe 1848 fxrlrrl.exe 1472 nbhbtt.exe 3568 bnbttt.exe 4988 1llxrrl.exe 3592 bbnbhb.exe 2320 5vjvd.exe 4248 nnhnnb.exe 1244 xlflxrf.exe 3348 7tthnh.exe 968 rfrfrlx.exe 532 ttthbn.exe 4184 ffxlxlf.exe 2072 1jdpd.exe 1800 xxxlfxr.exe 3596 bbbbtb.exe 2780 9lxxflf.exe 2076 htbnnb.exe 2256 thnhtt.exe 4640 1rxrxxr.exe 1620 hhhnbt.exe 4820 1vvvp.exe 4752 bbtnnh.exe 4156 9hbntn.exe 2980 9rfxlfx.exe 3660 bhnbth.exe 4896 9jjvj.exe 1084 vjdjp.exe 2572 jvvjv.exe 3528 vvjdj.exe 3264 xfxlrlx.exe 3268 nbbnnh.exe 2212 xlfrfxl.exe 3840 bthbth.exe 4340 jpjdv.exe 1072 9llxlxl.exe 1004 7rlrfxl.exe 5040 bnhtbt.exe 3672 pjjjp.exe 4892 hhhtbt.exe 1368 vjjvp.exe 2200 xxflrfl.exe 4596 thnhhh.exe 5036 htbnnh.exe 1528 jvjjp.exe 5108 lffxllr.exe 3392 tntnhb.exe 1728 9pdvj.exe 3120 5dpdp.exe 1848 fflxrlf.exe 4856 hntnnn.exe 672 pppdj.exe 1152 lflxfxl.exe 448 5tnhbb.exe 1252 1dpdj.exe 4624 rfrrxrf.exe -
resource yara_rule behavioral2/memory/2828-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2256-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-386-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1344-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-834-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrffx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrfffl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2848 wrote to memory of 2828 2848 771bbed5bc02a626fda50b0882a51ad808022524168fe48a8cd6223fb8c10ff6N.exe 82 PID 2848 wrote to memory of 2828 2848 771bbed5bc02a626fda50b0882a51ad808022524168fe48a8cd6223fb8c10ff6N.exe 82 PID 2848 wrote to memory of 2828 2848 771bbed5bc02a626fda50b0882a51ad808022524168fe48a8cd6223fb8c10ff6N.exe 82 PID 2828 wrote to memory of 736 2828 ppdpv.exe 83 PID 2828 wrote to memory of 736 2828 ppdpv.exe 83 PID 2828 wrote to memory of 736 2828 ppdpv.exe 83 PID 736 wrote to memory of 4152 736 rlrlffx.exe 84 PID 736 wrote to memory of 4152 736 rlrlffx.exe 84 PID 736 wrote to memory of 4152 736 rlrlffx.exe 84 PID 4152 wrote to memory of 220 4152 bbhtbt.exe 85 PID 4152 wrote to memory of 220 4152 bbhtbt.exe 85 PID 4152 wrote to memory of 220 4152 bbhtbt.exe 85 PID 220 wrote to memory of 2168 220 hntnbb.exe 86 PID 220 wrote to memory of 2168 220 hntnbb.exe 86 PID 220 wrote to memory of 2168 220 hntnbb.exe 86 PID 2168 wrote to memory of 2788 2168 vdjjd.exe 87 PID 2168 wrote to memory of 2788 2168 vdjjd.exe 87 PID 2168 wrote to memory of 2788 2168 vdjjd.exe 87 PID 2788 wrote to memory of 2988 2788 vjjvp.exe 88 PID 2788 wrote to memory of 2988 2788 vjjvp.exe 88 PID 2788 wrote to memory of 2988 2788 vjjvp.exe 88 PID 2988 wrote to memory of 4256 2988 5vpdp.exe 89 PID 2988 wrote to memory of 4256 2988 5vpdp.exe 89 PID 2988 wrote to memory of 4256 2988 5vpdp.exe 89 PID 4256 wrote to memory of 3828 4256 bnnhhh.exe 90 PID 4256 wrote to memory of 3828 4256 bnnhhh.exe 90 PID 4256 wrote to memory of 3828 4256 bnnhhh.exe 90 PID 3828 wrote to memory of 1848 3828 nnthhb.exe 91 PID 3828 wrote to memory of 1848 3828 nnthhb.exe 91 PID 3828 wrote to memory of 1848 3828 nnthhb.exe 91 PID 1848 wrote to memory of 1472 1848 fxrlrrl.exe 92 PID 1848 wrote to memory of 1472 1848 fxrlrrl.exe 92 PID 1848 wrote to memory of 1472 1848 fxrlrrl.exe 92 PID 1472 wrote to memory of 3568 1472 nbhbtt.exe 93 PID 1472 wrote to memory of 3568 1472 
nbhbtt.exe 93 PID 1472 wrote to memory of 3568 1472 nbhbtt.exe 93 PID 3568 wrote to memory of 4988 3568 bnbttt.exe 94 PID 3568 wrote to memory of 4988 3568 bnbttt.exe 94 PID 3568 wrote to memory of 4988 3568 bnbttt.exe 94 PID 4988 wrote to memory of 3592 4988 1llxrrl.exe 95 PID 4988 wrote to memory of 3592 4988 1llxrrl.exe 95 PID 4988 wrote to memory of 3592 4988 1llxrrl.exe 95 PID 3592 wrote to memory of 2320 3592 bbnbhb.exe 96 PID 3592 wrote to memory of 2320 3592 bbnbhb.exe 96 PID 3592 wrote to memory of 2320 3592 bbnbhb.exe 96 PID 2320 wrote to memory of 4248 2320 5vjvd.exe 97 PID 2320 wrote to memory of 4248 2320 5vjvd.exe 97 PID 2320 wrote to memory of 4248 2320 5vjvd.exe 97 PID 4248 wrote to memory of 1244 4248 nnhnnb.exe 98 PID 4248 wrote to memory of 1244 4248 nnhnnb.exe 98 PID 4248 wrote to memory of 1244 4248 nnhnnb.exe 98 PID 1244 wrote to memory of 3348 1244 xlflxrf.exe 99 PID 1244 wrote to memory of 3348 1244 xlflxrf.exe 99 PID 1244 wrote to memory of 3348 1244 xlflxrf.exe 99 PID 3348 wrote to memory of 968 3348 7tthnh.exe 100 PID 3348 wrote to memory of 968 3348 7tthnh.exe 100 PID 3348 wrote to memory of 968 3348 7tthnh.exe 100 PID 968 wrote to memory of 532 968 rfrfrlx.exe 101 PID 968 wrote to memory of 532 968 rfrfrlx.exe 101 PID 968 wrote to memory of 532 968 rfrfrlx.exe 101 PID 532 wrote to memory of 4184 532 ttthbn.exe 102 PID 532 wrote to memory of 4184 532 ttthbn.exe 102 PID 532 wrote to memory of 4184 532 ttthbn.exe 102 PID 4184 wrote to memory of 2072 4184 ffxlxlf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\771bbed5bc02a626fda50b0882a51ad808022524168fe48a8cd6223fb8c10ff6N.exe"C:\Users\Admin\AppData\Local\Temp\771bbed5bc02a626fda50b0882a51ad808022524168fe48a8cd6223fb8c10ff6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\ppdpv.exec:\ppdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\rlrlffx.exec:\rlrlffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\bbhtbt.exec:\bbhtbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\hntnbb.exec:\hntnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\vdjjd.exec:\vdjjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\vjjvp.exec:\vjjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\5vpdp.exec:\5vpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\bnnhhh.exec:\bnnhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\nnthhb.exec:\nnthhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\fxrlrrl.exec:\fxrlrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\nbhbtt.exec:\nbhbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\bnbttt.exec:\bnbttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\1llxrrl.exec:\1llxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\bbnbhb.exec:\bbnbhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\5vjvd.exec:\5vjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\nnhnnb.exec:\nnhnnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\xlflxrf.exec:\xlflxrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\7tthnh.exec:\7tthnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\rfrfrlx.exec:\rfrfrlx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\ttthbn.exec:\ttthbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\ffxlxlf.exec:\ffxlxlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\1jdpd.exec:\1jdpd.exe23⤵
- Executes dropped EXE
PID:2072 -
\??\c:\xxxlfxr.exec:\xxxlfxr.exe24⤵
- Executes dropped EXE
PID:1800 -
\??\c:\bbbbtb.exec:\bbbbtb.exe25⤵
- Executes dropped EXE
PID:3596 -
\??\c:\9lxxflf.exec:\9lxxflf.exe26⤵
- Executes dropped EXE
PID:2780 -
\??\c:\htbnnb.exec:\htbnnb.exe27⤵
- Executes dropped EXE
PID:2076 -
\??\c:\thnhtt.exec:\thnhtt.exe28⤵
- Executes dropped EXE
PID:2256 -
\??\c:\1rxrxxr.exec:\1rxrxxr.exe29⤵
- Executes dropped EXE
PID:4640 -
\??\c:\hhhnbt.exec:\hhhnbt.exe30⤵
- Executes dropped EXE
PID:1620 -
\??\c:\1vvvp.exec:\1vvvp.exe31⤵
- Executes dropped EXE
PID:4820 -
\??\c:\bbtnnh.exec:\bbtnnh.exe32⤵
- Executes dropped EXE
PID:4752 -
\??\c:\9hbntn.exec:\9hbntn.exe33⤵
- Executes dropped EXE
PID:4156 -
\??\c:\9rfxlfx.exec:\9rfxlfx.exe34⤵
- Executes dropped EXE
PID:2980 -
\??\c:\bhnbth.exec:\bhnbth.exe35⤵
- Executes dropped EXE
PID:3660 -
\??\c:\9jjvj.exec:\9jjvj.exe36⤵
- Executes dropped EXE
PID:4896 -
\??\c:\vjdjp.exec:\vjdjp.exe37⤵
- Executes dropped EXE
PID:1084 -
\??\c:\jvvjv.exec:\jvvjv.exe38⤵
- Executes dropped EXE
PID:2572 -
\??\c:\vvjdj.exec:\vvjdj.exe39⤵
- Executes dropped EXE
PID:3528 -
\??\c:\xfxlrlx.exec:\xfxlrlx.exe40⤵
- Executes dropped EXE
PID:3264 -
\??\c:\nbbnnh.exec:\nbbnnh.exe41⤵
- Executes dropped EXE
PID:3268 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe42⤵
- Executes dropped EXE
PID:2212 -
\??\c:\bthbth.exec:\bthbth.exe43⤵
- Executes dropped EXE
PID:3840 -
\??\c:\jpjdv.exec:\jpjdv.exe44⤵
- Executes dropped EXE
PID:4340 -
\??\c:\9llxlxl.exec:\9llxlxl.exe45⤵
- Executes dropped EXE
PID:1072 -
\??\c:\7rlrfxl.exec:\7rlrfxl.exe46⤵
- Executes dropped EXE
PID:1004 -
\??\c:\bnhtbt.exec:\bnhtbt.exe47⤵
- Executes dropped EXE
PID:5040 -
\??\c:\pjjjp.exec:\pjjjp.exe48⤵
- Executes dropped EXE
PID:3672 -
\??\c:\hhhtbt.exec:\hhhtbt.exe49⤵
- Executes dropped EXE
PID:4892 -
\??\c:\vjjvp.exec:\vjjvp.exe50⤵
- Executes dropped EXE
PID:1368 -
\??\c:\xxflrfl.exec:\xxflrfl.exe51⤵
- Executes dropped EXE
PID:2200 -
\??\c:\thnhhh.exec:\thnhhh.exe52⤵
- Executes dropped EXE
PID:4596 -
\??\c:\htbnnh.exec:\htbnnh.exe53⤵
- Executes dropped EXE
PID:5036 -
\??\c:\jvjjp.exec:\jvjjp.exe54⤵
- Executes dropped EXE
PID:1528 -
\??\c:\lffxllr.exec:\lffxllr.exe55⤵
- Executes dropped EXE
PID:5108 -
\??\c:\tntnhb.exec:\tntnhb.exe56⤵
- Executes dropped EXE
PID:3392 -
\??\c:\9pdvj.exec:\9pdvj.exe57⤵
- Executes dropped EXE
PID:1728 -
\??\c:\5dpdp.exec:\5dpdp.exe58⤵
- Executes dropped EXE
PID:3120 -
\??\c:\fflxrlf.exec:\fflxrlf.exe59⤵
- Executes dropped EXE
PID:1848 -
\??\c:\hntnnn.exec:\hntnnn.exe60⤵
- Executes dropped EXE
PID:4856 -
\??\c:\pppdj.exec:\pppdj.exe61⤵
- Executes dropped EXE
PID:672 -
\??\c:\lflxfxl.exec:\lflxfxl.exe62⤵
- Executes dropped EXE
PID:1152 -
\??\c:\5tnhbb.exec:\5tnhbb.exe63⤵
- Executes dropped EXE
PID:448 -
\??\c:\1dpdj.exec:\1dpdj.exe64⤵
- Executes dropped EXE
PID:1252 -
\??\c:\rfrrxrf.exec:\rfrrxrf.exe65⤵
- Executes dropped EXE
PID:4624 -
\??\c:\xxxlxrr.exec:\xxxlxrr.exe66⤵PID:3280
-
\??\c:\thbntn.exec:\thbntn.exe67⤵PID:1484
-
\??\c:\dpjvj.exec:\dpjvj.exe68⤵PID:2096
-
\??\c:\vppjd.exec:\vppjd.exe69⤵PID:2000
-
\??\c:\3rlxfxl.exec:\3rlxfxl.exe70⤵PID:3748
-
\??\c:\hhnnhh.exec:\hhnnhh.exe71⤵PID:4028
-
\??\c:\vdvdj.exec:\vdvdj.exe72⤵PID:1244
-
\??\c:\pddpv.exec:\pddpv.exe73⤵PID:4832
-
\??\c:\rxxrffx.exec:\rxxrffx.exe74⤵
- System Location Discovery: System Language Discovery
PID:3348 -
\??\c:\bhbnbh.exec:\bhbnbh.exe75⤵PID:2216
-
\??\c:\jjjdj.exec:\jjjdj.exe76⤵PID:2144
-
\??\c:\ddddj.exec:\ddddj.exe77⤵PID:4352
-
\??\c:\xflflfx.exec:\xflflfx.exe78⤵PID:4556
-
\??\c:\hthtnb.exec:\hthtnb.exe79⤵PID:4184
-
\??\c:\1vpdj.exec:\1vpdj.exe80⤵PID:2072
-
\??\c:\dppdp.exec:\dppdp.exe81⤵PID:1688
-
\??\c:\xlrxlrf.exec:\xlrxlrf.exe82⤵PID:4080
-
\??\c:\hntnhn.exec:\hntnhn.exe83⤵PID:3016
-
\??\c:\3jvpd.exec:\3jvpd.exe84⤵PID:2536
-
\??\c:\1dpvj.exec:\1dpvj.exe85⤵PID:4904
-
\??\c:\7fxflfr.exec:\7fxflfr.exe86⤵PID:1920
-
\??\c:\hnttht.exec:\hnttht.exe87⤵PID:4508
-
\??\c:\jpvpd.exec:\jpvpd.exe88⤵PID:2256
-
\??\c:\3pdpv.exec:\3pdpv.exe89⤵PID:972
-
\??\c:\frlxfxl.exec:\frlxfxl.exe90⤵PID:2700
-
\??\c:\9nnhbb.exec:\9nnhbb.exe91⤵PID:3172
-
\??\c:\jvvpj.exec:\jvvpj.exe92⤵PID:2664
-
\??\c:\xrlrfxf.exec:\xrlrfxf.exe93⤵PID:1344
-
\??\c:\1xxlxrf.exec:\1xxlxrf.exe94⤵PID:4540
-
\??\c:\thbttn.exec:\thbttn.exe95⤵PID:4156
-
\??\c:\jvjvd.exec:\jvjvd.exe96⤵PID:4972
-
\??\c:\lfxlrlx.exec:\lfxlrlx.exe97⤵PID:924
-
\??\c:\flrlfxx.exec:\flrlfxx.exe98⤵PID:5060
-
\??\c:\bnntnh.exec:\bnntnh.exe99⤵PID:2372
-
\??\c:\pppdv.exec:\pppdv.exe100⤵PID:2420
-
\??\c:\pjpdd.exec:\pjpdd.exe101⤵PID:1940
-
\??\c:\rxxfrfr.exec:\rxxfrfr.exe102⤵PID:4064
-
\??\c:\hbhbtt.exec:\hbhbtt.exe103⤵PID:4780
-
\??\c:\9ddpv.exec:\9ddpv.exe104⤵PID:5032
-
\??\c:\7pjpd.exec:\7pjpd.exe105⤵PID:5004
-
\??\c:\rllfxrr.exec:\rllfxrr.exe106⤵PID:3316
-
\??\c:\3tthbt.exec:\3tthbt.exe107⤵PID:768
-
\??\c:\ttthhb.exec:\ttthhb.exe108⤵PID:2424
-
\??\c:\dpjvv.exec:\dpjvv.exe109⤵PID:3588
-
\??\c:\rrlffff.exec:\rrlffff.exe110⤵PID:2960
-
\??\c:\hbnbnb.exec:\hbnbnb.exe111⤵PID:2964
-
\??\c:\nbhnbb.exec:\nbhnbb.exe112⤵PID:228
-
\??\c:\vpjvp.exec:\vpjvp.exe113⤵PID:2920
-
\??\c:\lrrflfr.exec:\lrrflfr.exe114⤵PID:4512
-
\??\c:\ntbthh.exec:\ntbthh.exe115⤵PID:2360
-
\??\c:\nntbht.exec:\nntbht.exe116⤵PID:2444
-
\??\c:\rrxrrll.exec:\rrxrrll.exe117⤵PID:4192
-
\??\c:\rllxrlx.exec:\rllxrlx.exe118⤵PID:1492
-
\??\c:\7bbtht.exec:\7bbtht.exe119⤵PID:732
-
\??\c:\pjvjd.exec:\pjvjd.exe120⤵PID:2888
-
\??\c:\lfxlxrl.exec:\lfxlxrl.exe121⤵PID:2988
-
\??\c:\5tthth.exec:\5tthth.exe122⤵PID:4656