Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
78eb4210ce27ca7e8ba760cbb540b29a89ed1edc1f09cada067124a9c7ef0c17N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
78eb4210ce27ca7e8ba760cbb540b29a89ed1edc1f09cada067124a9c7ef0c17N.exe
-
Size
453KB
-
MD5
05cc8c9b93771edbff5e58349ed98780
-
SHA1
930a593528ebce93b103df9377f6943d14a72a8b
-
SHA256
78eb4210ce27ca7e8ba760cbb540b29a89ed1edc1f09cada067124a9c7ef0c17
-
SHA512
2dacbd7dd930434c1da44d6595b5498388d678d236f3c7cf034eb62b984d821c92d85149db1cdc556cf6b0a9aa1b70424bff1e30af9a4882085bfabc27ab1372
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4240-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/488-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1732-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4312-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4504 llrrlfx.exe 2612 pjppp.exe 4976 lxlllll.exe 1452 1htnnb.exe 5040 fxxxflr.exe 1984 rlfffxl.exe 4788 7fffxff.exe 2188 3bbbhh.exe 852 ppppv.exe 3568 lfrrxxf.exe 3456 xffffll.exe 4108 nnhttb.exe 1420 jjjvv.exe 4864 htnttb.exe 4012 lxlxrrl.exe 1816 ppjjp.exe 208 5dddd.exe 1212 5ffxxrx.exe 232 fxxrrlf.exe 488 ppvdj.exe 3776 ttbtnh.exe 1732 nhtttt.exe 2784 frxrrxf.exe 2216 tnbbbb.exe 4104 5btnhb.exe 3708 jpjpp.exe 3864 fxlllrr.exe 4660 9dvpp.exe 4128 5ntnbh.exe 3476 jjjpj.exe 2896 ttnhtt.exe 2004 rflfxrl.exe 1748 5hbnbb.exe 3632 jdjpj.exe 1616 jjjjd.exe 3680 7fxrlfx.exe 2432 hbhhbb.exe 3120 dpjjd.exe 2696 xrfrfxx.exe 4260 fxlflfl.exe 2256 btbbtb.exe 2212 7vpdv.exe 1124 rllrlfx.exe 2492 tbnbtn.exe 4392 1vddd.exe 4572 fxfxrrl.exe 880 nthbbt.exe 716 dvvpd.exe 2612 rxlxrrl.exe 2288 nbtnhb.exe 4004 btbtnn.exe 1592 9vddp.exe 1452 pvjdp.exe 2484 3llfxxf.exe 4568 nhtbbh.exe 1604 vvdjd.exe 1524 dvjjp.exe 3096 xrxrfff.exe 3948 bnbhbt.exe 4860 jdjdd.exe 2476 jvvjj.exe 2736 rflfrrl.exe 3960 hbhbtt.exe 816 vvvdv.exe -
resource yara_rule behavioral2/memory/4240-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/488-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-135-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2216-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-336-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4212-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-797-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnhb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4240 wrote to memory of 4504 4240 78eb4210ce27ca7e8ba760cbb540b29a89ed1edc1f09cada067124a9c7ef0c17N.exe 82 PID 4240 wrote to memory of 4504 4240 78eb4210ce27ca7e8ba760cbb540b29a89ed1edc1f09cada067124a9c7ef0c17N.exe 82 PID 4240 wrote to memory of 4504 4240 78eb4210ce27ca7e8ba760cbb540b29a89ed1edc1f09cada067124a9c7ef0c17N.exe 82 PID 4504 wrote to memory of 2612 4504 llrrlfx.exe 83 PID 4504 wrote to memory of 2612 4504 llrrlfx.exe 83 PID 4504 wrote to memory of 2612 4504 llrrlfx.exe 83 PID 2612 wrote to memory of 4976 2612 pjppp.exe 84 PID 2612 wrote to memory of 4976 2612 pjppp.exe 84 PID 2612 wrote to memory of 4976 2612 pjppp.exe 84 PID 4976 wrote to memory of 1452 4976 lxlllll.exe 85 PID 4976 wrote to memory of 1452 4976 lxlllll.exe 85 PID 4976 wrote to memory of 1452 4976 lxlllll.exe 85 PID 1452 wrote to memory of 5040 1452 1htnnb.exe 86 PID 1452 wrote to memory of 5040 1452 1htnnb.exe 86 PID 1452 wrote to memory of 5040 1452 1htnnb.exe 86 PID 5040 wrote to memory of 1984 5040 fxxxflr.exe 87 PID 5040 wrote to memory of 1984 5040 fxxxflr.exe 87 PID 5040 wrote to memory of 1984 5040 fxxxflr.exe 87 PID 1984 wrote to memory of 4788 1984 rlfffxl.exe 88 PID 1984 wrote to memory of 4788 1984 rlfffxl.exe 88 PID 1984 wrote to memory of 4788 1984 rlfffxl.exe 88 PID 4788 wrote to memory of 2188 4788 7fffxff.exe 89 PID 4788 wrote to memory of 2188 4788 7fffxff.exe 89 PID 4788 wrote to memory of 2188 4788 7fffxff.exe 89 PID 2188 wrote to memory of 852 2188 3bbbhh.exe 90 PID 2188 wrote to memory of 852 2188 3bbbhh.exe 90 PID 2188 wrote to memory of 852 2188 3bbbhh.exe 90 PID 852 wrote to memory of 3568 852 ppppv.exe 91 PID 852 wrote to memory of 3568 852 ppppv.exe 91 PID 852 wrote to memory of 3568 852 ppppv.exe 91 PID 3568 wrote to memory of 3456 3568 lfrrxxf.exe 92 PID 3568 wrote to memory of 3456 3568 lfrrxxf.exe 92 PID 3568 wrote to memory of 3456 3568 lfrrxxf.exe 92 PID 3456 wrote to memory of 4108 3456 xffffll.exe 93 PID 3456 
wrote to memory of 4108 3456 xffffll.exe 93 PID 3456 wrote to memory of 4108 3456 xffffll.exe 93 PID 4108 wrote to memory of 1420 4108 nnhttb.exe 94 PID 4108 wrote to memory of 1420 4108 nnhttb.exe 94 PID 4108 wrote to memory of 1420 4108 nnhttb.exe 94 PID 1420 wrote to memory of 4864 1420 jjjvv.exe 95 PID 1420 wrote to memory of 4864 1420 jjjvv.exe 95 PID 1420 wrote to memory of 4864 1420 jjjvv.exe 95 PID 4864 wrote to memory of 4012 4864 htnttb.exe 96 PID 4864 wrote to memory of 4012 4864 htnttb.exe 96 PID 4864 wrote to memory of 4012 4864 htnttb.exe 96 PID 4012 wrote to memory of 1816 4012 lxlxrrl.exe 97 PID 4012 wrote to memory of 1816 4012 lxlxrrl.exe 97 PID 4012 wrote to memory of 1816 4012 lxlxrrl.exe 97 PID 1816 wrote to memory of 208 1816 ppjjp.exe 98 PID 1816 wrote to memory of 208 1816 ppjjp.exe 98 PID 1816 wrote to memory of 208 1816 ppjjp.exe 98 PID 208 wrote to memory of 1212 208 5dddd.exe 99 PID 208 wrote to memory of 1212 208 5dddd.exe 99 PID 208 wrote to memory of 1212 208 5dddd.exe 99 PID 1212 wrote to memory of 232 1212 5ffxxrx.exe 100 PID 1212 wrote to memory of 232 1212 5ffxxrx.exe 100 PID 1212 wrote to memory of 232 1212 5ffxxrx.exe 100 PID 232 wrote to memory of 488 232 fxxrrlf.exe 101 PID 232 wrote to memory of 488 232 fxxrrlf.exe 101 PID 232 wrote to memory of 488 232 fxxrrlf.exe 101 PID 488 wrote to memory of 3776 488 ppvdj.exe 102 PID 488 wrote to memory of 3776 488 ppvdj.exe 102 PID 488 wrote to memory of 3776 488 ppvdj.exe 102 PID 3776 wrote to memory of 1732 3776 ttbtnh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\78eb4210ce27ca7e8ba760cbb540b29a89ed1edc1f09cada067124a9c7ef0c17N.exe"C:\Users\Admin\AppData\Local\Temp\78eb4210ce27ca7e8ba760cbb540b29a89ed1edc1f09cada067124a9c7ef0c17N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\llrrlfx.exec:\llrrlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\pjppp.exec:\pjppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\lxlllll.exec:\lxlllll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\1htnnb.exec:\1htnnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\fxxxflr.exec:\fxxxflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\rlfffxl.exec:\rlfffxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\7fffxff.exec:\7fffxff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\3bbbhh.exec:\3bbbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\ppppv.exec:\ppppv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\lfrrxxf.exec:\lfrrxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\xffffll.exec:\xffffll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\nnhttb.exec:\nnhttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\jjjvv.exec:\jjjvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\htnttb.exec:\htnttb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\lxlxrrl.exec:\lxlxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\ppjjp.exec:\ppjjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\5dddd.exec:\5dddd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\5ffxxrx.exec:\5ffxxrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\ppvdj.exec:\ppvdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:488 -
\??\c:\ttbtnh.exec:\ttbtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\nhtttt.exec:\nhtttt.exe23⤵
- Executes dropped EXE
PID:1732 -
\??\c:\frxrrxf.exec:\frxrrxf.exe24⤵
- Executes dropped EXE
PID:2784 -
\??\c:\tnbbbb.exec:\tnbbbb.exe25⤵
- Executes dropped EXE
PID:2216 -
\??\c:\5btnhb.exec:\5btnhb.exe26⤵
- Executes dropped EXE
PID:4104 -
\??\c:\jpjpp.exec:\jpjpp.exe27⤵
- Executes dropped EXE
PID:3708 -
\??\c:\fxlllrr.exec:\fxlllrr.exe28⤵
- Executes dropped EXE
PID:3864 -
\??\c:\9dvpp.exec:\9dvpp.exe29⤵
- Executes dropped EXE
PID:4660 -
\??\c:\5ntnbh.exec:\5ntnbh.exe30⤵
- Executes dropped EXE
PID:4128 -
\??\c:\jjjpj.exec:\jjjpj.exe31⤵
- Executes dropped EXE
PID:3476 -
\??\c:\ttnhtt.exec:\ttnhtt.exe32⤵
- Executes dropped EXE
PID:2896 -
\??\c:\rflfxrl.exec:\rflfxrl.exe33⤵
- Executes dropped EXE
PID:2004 -
\??\c:\5hbnbb.exec:\5hbnbb.exe34⤵
- Executes dropped EXE
PID:1748 -
\??\c:\jdjpj.exec:\jdjpj.exe35⤵
- Executes dropped EXE
PID:3632 -
\??\c:\jjjjd.exec:\jjjjd.exe36⤵
- Executes dropped EXE
PID:1616 -
\??\c:\7fxrlfx.exec:\7fxrlfx.exe37⤵
- Executes dropped EXE
PID:3680 -
\??\c:\hbhhbb.exec:\hbhhbb.exe38⤵
- Executes dropped EXE
PID:2432 -
\??\c:\dpjjd.exec:\dpjjd.exe39⤵
- Executes dropped EXE
PID:3120 -
\??\c:\xrfrfxx.exec:\xrfrfxx.exe40⤵
- Executes dropped EXE
PID:2696 -
\??\c:\fxlflfl.exec:\fxlflfl.exe41⤵
- Executes dropped EXE
PID:4260 -
\??\c:\btbbtb.exec:\btbbtb.exe42⤵
- Executes dropped EXE
PID:2256 -
\??\c:\7vpdv.exec:\7vpdv.exe43⤵
- Executes dropped EXE
PID:2212 -
\??\c:\rllrlfx.exec:\rllrlfx.exe44⤵
- Executes dropped EXE
PID:1124 -
\??\c:\tbnbtn.exec:\tbnbtn.exe45⤵
- Executes dropped EXE
PID:2492 -
\??\c:\1vddd.exec:\1vddd.exe46⤵
- Executes dropped EXE
PID:4392 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe47⤵
- Executes dropped EXE
PID:4572 -
\??\c:\nthbbt.exec:\nthbbt.exe48⤵
- Executes dropped EXE
PID:880 -
\??\c:\dvvpd.exec:\dvvpd.exe49⤵
- Executes dropped EXE
PID:716 -
\??\c:\rxlxrrl.exec:\rxlxrrl.exe50⤵
- Executes dropped EXE
PID:2612 -
\??\c:\nbtnhb.exec:\nbtnhb.exe51⤵
- Executes dropped EXE
PID:2288 -
\??\c:\btbtnn.exec:\btbtnn.exe52⤵
- Executes dropped EXE
PID:4004 -
\??\c:\9vddp.exec:\9vddp.exe53⤵
- Executes dropped EXE
PID:1592 -
\??\c:\pvjdp.exec:\pvjdp.exe54⤵
- Executes dropped EXE
PID:1452 -
\??\c:\3llfxxf.exec:\3llfxxf.exe55⤵
- Executes dropped EXE
PID:2484 -
\??\c:\nhtbbh.exec:\nhtbbh.exe56⤵
- Executes dropped EXE
PID:4568 -
\??\c:\vvdjd.exec:\vvdjd.exe57⤵
- Executes dropped EXE
PID:1604 -
\??\c:\dvjjp.exec:\dvjjp.exe58⤵
- Executes dropped EXE
PID:1524 -
\??\c:\xrxrfff.exec:\xrxrfff.exe59⤵
- Executes dropped EXE
PID:3096 -
\??\c:\bnbhbt.exec:\bnbhbt.exe60⤵
- Executes dropped EXE
PID:3948 -
\??\c:\jdjdd.exec:\jdjdd.exe61⤵
- Executes dropped EXE
PID:4860 -
\??\c:\jvvjj.exec:\jvvjj.exe62⤵
- Executes dropped EXE
PID:2476 -
\??\c:\rflfrrl.exec:\rflfrrl.exe63⤵
- Executes dropped EXE
PID:2736 -
\??\c:\hbhbtt.exec:\hbhbtt.exe64⤵
- Executes dropped EXE
PID:3960 -
\??\c:\vvvdv.exec:\vvvdv.exe65⤵
- Executes dropped EXE
PID:816 -
\??\c:\lfxrffr.exec:\lfxrffr.exe66⤵PID:3260
-
\??\c:\nnbbbb.exec:\nnbbbb.exe67⤵PID:4452
-
\??\c:\7pdvd.exec:\7pdvd.exe68⤵PID:2136
-
\??\c:\pjvpp.exec:\pjvpp.exe69⤵PID:3080
-
\??\c:\xrlffxr.exec:\xrlffxr.exe70⤵PID:2040
-
\??\c:\bbntbb.exec:\bbntbb.exe71⤵PID:5060
-
\??\c:\dvddv.exec:\dvddv.exe72⤵PID:3128
-
\??\c:\jdpdd.exec:\jdpdd.exe73⤵PID:4312
-
\??\c:\9fxrffl.exec:\9fxrffl.exe74⤵PID:208
-
\??\c:\9nnhbn.exec:\9nnhbn.exe75⤵PID:1956
-
\??\c:\thnhbb.exec:\thnhbb.exe76⤵PID:4656
-
\??\c:\jddjv.exec:\jddjv.exe77⤵PID:2344
-
\??\c:\lrxxlxr.exec:\lrxxlxr.exe78⤵PID:3100
-
\??\c:\bbbtnh.exec:\bbbtnh.exe79⤵PID:3776
-
\??\c:\tbthnh.exec:\tbthnh.exe80⤵PID:1732
-
\??\c:\jdpjd.exec:\jdpjd.exe81⤵PID:4672
-
\??\c:\rfrrrxr.exec:\rfrrrxr.exe82⤵PID:4212
-
\??\c:\ttnnnb.exec:\ttnnnb.exe83⤵PID:988
-
\??\c:\htbtnt.exec:\htbtnt.exe84⤵PID:1848
-
\??\c:\jvjdv.exec:\jvjdv.exe85⤵PID:1824
-
\??\c:\lxlfllx.exec:\lxlfllx.exe86⤵PID:3536
-
\??\c:\9bnbhh.exec:\9bnbhh.exe87⤵PID:4880
-
\??\c:\bbnnbn.exec:\bbnnbn.exe88⤵PID:740
-
\??\c:\jdpdd.exec:\jdpdd.exe89⤵PID:1556
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe90⤵PID:4356
-
\??\c:\ttbtnh.exec:\ttbtnh.exe91⤵PID:2592
-
\??\c:\5vvpp.exec:\5vvpp.exe92⤵PID:2868
-
\??\c:\rxrlffx.exec:\rxrlffx.exe93⤵
- System Location Discovery: System Language Discovery
PID:4756 -
\??\c:\xfxffxr.exec:\xfxffxr.exe94⤵PID:4884
-
\??\c:\7hnbbh.exec:\7hnbbh.exe95⤵PID:3464
-
\??\c:\pdjjj.exec:\pdjjj.exe96⤵PID:3088
-
\??\c:\7lrrlll.exec:\7lrrlll.exe97⤵PID:3416
-
\??\c:\thnhbb.exec:\thnhbb.exe98⤵PID:2716
-
\??\c:\1tnnhn.exec:\1tnnhn.exe99⤵PID:3108
-
\??\c:\fxffxxx.exec:\fxffxxx.exe100⤵PID:3636
-
\??\c:\lrlfxxx.exec:\lrlfxxx.exe101⤵PID:928
-
\??\c:\hbhbtt.exec:\hbhbtt.exe102⤵PID:1208
-
\??\c:\7djdv.exec:\7djdv.exe103⤵PID:2688
-
\??\c:\flxxlll.exec:\flxxlll.exe104⤵PID:2720
-
\??\c:\btbttn.exec:\btbttn.exe105⤵PID:4512
-
\??\c:\7bnhbt.exec:\7bnhbt.exe106⤵PID:4600
-
\??\c:\pvjdd.exec:\pvjdd.exe107⤵PID:4316
-
\??\c:\lxlrflf.exec:\lxlrflf.exe108⤵PID:4436
-
\??\c:\lffxlll.exec:\lffxlll.exe109⤵PID:2408
-
\??\c:\9httnb.exec:\9httnb.exe110⤵PID:1724
-
\??\c:\ppvpd.exec:\ppvpd.exe111⤵PID:5096
-
\??\c:\9pvpj.exec:\9pvpj.exe112⤵PID:2012
-
\??\c:\9ffxrlf.exec:\9ffxrlf.exe113⤵PID:332
-
\??\c:\tnbbbb.exec:\tnbbbb.exe114⤵PID:2980
-
\??\c:\5hnttn.exec:\5hnttn.exe115⤵PID:4856
-
\??\c:\3jdvv.exec:\3jdvv.exe116⤵PID:4184
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe117⤵PID:4624
-
\??\c:\hhhhbb.exec:\hhhhbb.exe118⤵PID:2520
-
\??\c:\thnttn.exec:\thnttn.exe119⤵PID:116
-
\??\c:\9jvpj.exec:\9jvpj.exe120⤵PID:3520
-
\??\c:\vpdvd.exec:\vpdvd.exe121⤵PID:3568
-
\??\c:\lrfxrlf.exec:\lrfxrlf.exe122⤵PID:4280