Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe
-
Size
454KB
-
MD5
114e100b2c654b36c590d8ce7c024311
-
SHA1
ff2061252792bb59729fd0ac1b1c4fd63cf04842
-
SHA256
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46
-
SHA512
789affbea2bb088847b8a189fad3cf6f54bc46f704bdee9fd9671422f19142d7203c9ffb934fbbe891f1a049fadf02d78a3f0fe337fb7a77dfc077a98b84cc6e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1224-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2100-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1656-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-1115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-1137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-1412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2184 tthhbb.exe 3488 lrlfxff.exe 1356 vpvpj.exe 2316 tnbbhh.exe 1392 xxfffff.exe 2044 pppjd.exe 1508 rfrrrrr.exe 4048 dvdvv.exe 1644 pdjpp.exe 4340 hbhthh.exe 4776 rflllrr.exe 4944 bhbnnn.exe 1132 ddpjv.exe 5052 rllfxrl.exe 4520 5dddd.exe 1984 jpvjj.exe 3592 pjjdv.exe 2892 bhnnnt.exe 3908 dpvjj.exe 4092 ffrrflx.exe 312 vvjjj.exe 768 jjvvv.exe 1580 1bbthb.exe 1664 llxxxxx.exe 2020 3pdvp.exe 2100 rllffff.exe 4692 jdppd.exe 1928 pppvv.exe 4644 jvjjj.exe 1156 rrfrxxr.exe 2740 hthhnn.exe 3172 pvdvd.exe 3452 lxrrlrr.exe 4624 rxxrlff.exe 3624 nhnhhh.exe 4904 7vpdp.exe 2992 7rrfrrl.exe 4552 ntbthn.exe 4896 bbhhtb.exe 4576 vddvj.exe 4352 xlrxxfx.exe 4296 3ttnnh.exe 436 dpddv.exe 2192 fflfxxx.exe 3796 frffffx.exe 396 9ttnbb.exe 3924 vdvpp.exe 2420 ppjjp.exe 4924 xxlfxxl.exe 4988 1bbhhn.exe 1352 nbntnn.exe 3372 jpvjd.exe 4792 rrffrrl.exe 2784 tnhbnh.exe 1424 pjvjj.exe 4548 rxfxlrr.exe 2744 hhtbht.exe 4104 pjpjv.exe 3944 7jpjp.exe 4052 xfllxff.exe 448 1hnbnn.exe 1392 vjpdv.exe 536 fxxlxxl.exe 5060 nthhbh.exe -
resource yara_rule behavioral2/memory/1224-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1928-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-388-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2552-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-771-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-834-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1224 wrote to memory of 2184 1224 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 83 PID 1224 wrote to memory of 2184 1224 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 83 PID 1224 wrote to memory of 2184 1224 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 83 PID 2184 wrote to memory of 3488 2184 tthhbb.exe 84 PID 2184 wrote to memory of 3488 2184 tthhbb.exe 84 PID 2184 wrote to memory of 3488 2184 tthhbb.exe 84 PID 3488 wrote to memory of 1356 3488 lrlfxff.exe 85 PID 3488 wrote to memory of 1356 3488 lrlfxff.exe 85 PID 3488 wrote to memory of 1356 3488 lrlfxff.exe 85 PID 1356 wrote to memory of 2316 1356 vpvpj.exe 86 PID 1356 wrote to memory of 2316 1356 vpvpj.exe 86 PID 1356 wrote to memory of 2316 1356 vpvpj.exe 86 PID 2316 wrote to memory of 1392 2316 tnbbhh.exe 87 PID 2316 wrote to memory of 1392 2316 tnbbhh.exe 87 PID 2316 wrote to memory of 1392 2316 tnbbhh.exe 87 PID 1392 wrote to memory of 2044 1392 xxfffff.exe 88 PID 1392 wrote to memory of 2044 1392 xxfffff.exe 88 PID 1392 wrote to memory of 2044 1392 xxfffff.exe 88 PID 2044 wrote to memory of 1508 2044 pppjd.exe 89 PID 2044 wrote to memory of 1508 2044 pppjd.exe 89 PID 2044 wrote to memory of 1508 2044 pppjd.exe 89 PID 1508 wrote to memory of 4048 1508 rfrrrrr.exe 90 PID 1508 wrote to memory of 4048 1508 rfrrrrr.exe 90 PID 1508 wrote to memory of 4048 1508 rfrrrrr.exe 90 PID 4048 wrote to memory of 1644 4048 dvdvv.exe 91 PID 4048 wrote to memory of 1644 4048 dvdvv.exe 91 PID 4048 wrote to memory of 1644 4048 dvdvv.exe 91 PID 1644 wrote to memory of 4340 1644 pdjpp.exe 92 PID 1644 wrote to memory of 4340 1644 pdjpp.exe 92 PID 1644 wrote to memory of 4340 1644 pdjpp.exe 92 PID 4340 wrote to memory of 4776 4340 hbhthh.exe 93 PID 4340 wrote to memory of 4776 4340 hbhthh.exe 93 PID 4340 wrote to memory of 4776 4340 hbhthh.exe 93 PID 4776 wrote to memory of 4944 4776 rflllrr.exe 94 PID 4776 wrote to 
memory of 4944 4776 rflllrr.exe 94 PID 4776 wrote to memory of 4944 4776 rflllrr.exe 94 PID 4944 wrote to memory of 1132 4944 bhbnnn.exe 95 PID 4944 wrote to memory of 1132 4944 bhbnnn.exe 95 PID 4944 wrote to memory of 1132 4944 bhbnnn.exe 95 PID 1132 wrote to memory of 5052 1132 ddpjv.exe 96 PID 1132 wrote to memory of 5052 1132 ddpjv.exe 96 PID 1132 wrote to memory of 5052 1132 ddpjv.exe 96 PID 5052 wrote to memory of 4520 5052 rllfxrl.exe 97 PID 5052 wrote to memory of 4520 5052 rllfxrl.exe 97 PID 5052 wrote to memory of 4520 5052 rllfxrl.exe 97 PID 4520 wrote to memory of 1984 4520 5dddd.exe 98 PID 4520 wrote to memory of 1984 4520 5dddd.exe 98 PID 4520 wrote to memory of 1984 4520 5dddd.exe 98 PID 1984 wrote to memory of 3592 1984 jpvjj.exe 99 PID 1984 wrote to memory of 3592 1984 jpvjj.exe 99 PID 1984 wrote to memory of 3592 1984 jpvjj.exe 99 PID 3592 wrote to memory of 2892 3592 pjjdv.exe 100 PID 3592 wrote to memory of 2892 3592 pjjdv.exe 100 PID 3592 wrote to memory of 2892 3592 pjjdv.exe 100 PID 2892 wrote to memory of 3908 2892 bhnnnt.exe 101 PID 2892 wrote to memory of 3908 2892 bhnnnt.exe 101 PID 2892 wrote to memory of 3908 2892 bhnnnt.exe 101 PID 3908 wrote to memory of 4092 3908 dpvjj.exe 102 PID 3908 wrote to memory of 4092 3908 dpvjj.exe 102 PID 3908 wrote to memory of 4092 3908 dpvjj.exe 102 PID 4092 wrote to memory of 312 4092 ffrrflx.exe 103 PID 4092 wrote to memory of 312 4092 ffrrflx.exe 103 PID 4092 wrote to memory of 312 4092 ffrrflx.exe 103 PID 312 wrote to memory of 768 312 vvjjj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe"C:\Users\Admin\AppData\Local\Temp\77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\tthhbb.exec:\tthhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\lrlfxff.exec:\lrlfxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\vpvpj.exec:\vpvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\tnbbhh.exec:\tnbbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\xxfffff.exec:\xxfffff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\pppjd.exec:\pppjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\rfrrrrr.exec:\rfrrrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\dvdvv.exec:\dvdvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\pdjpp.exec:\pdjpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\hbhthh.exec:\hbhthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\rflllrr.exec:\rflllrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\bhbnnn.exec:\bhbnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\ddpjv.exec:\ddpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\rllfxrl.exec:\rllfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\5dddd.exec:\5dddd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\jpvjj.exec:\jpvjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\pjjdv.exec:\pjjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\bhnnnt.exec:\bhnnnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\dpvjj.exec:\dpvjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\ffrrflx.exec:\ffrrflx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\vvjjj.exec:\vvjjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\jjvvv.exec:\jjvvv.exe23⤵
- Executes dropped EXE
PID:768 -
\??\c:\1bbthb.exec:\1bbthb.exe24⤵
- Executes dropped EXE
PID:1580 -
\??\c:\llxxxxx.exec:\llxxxxx.exe25⤵
- Executes dropped EXE
PID:1664 -
\??\c:\3pdvp.exec:\3pdvp.exe26⤵
- Executes dropped EXE
PID:2020 -
\??\c:\rllffff.exec:\rllffff.exe27⤵
- Executes dropped EXE
PID:2100 -
\??\c:\jdppd.exec:\jdppd.exe28⤵
- Executes dropped EXE
PID:4692 -
\??\c:\pppvv.exec:\pppvv.exe29⤵
- Executes dropped EXE
PID:1928 -
\??\c:\jvjjj.exec:\jvjjj.exe30⤵
- Executes dropped EXE
PID:4644 -
\??\c:\rrfrxxr.exec:\rrfrxxr.exe31⤵
- Executes dropped EXE
PID:1156 -
\??\c:\hthhnn.exec:\hthhnn.exe32⤵
- Executes dropped EXE
PID:2740 -
\??\c:\pvdvd.exec:\pvdvd.exe33⤵
- Executes dropped EXE
PID:3172 -
\??\c:\lxrrlrr.exec:\lxrrlrr.exe34⤵
- Executes dropped EXE
PID:3452 -
\??\c:\rxxrlff.exec:\rxxrlff.exe35⤵
- Executes dropped EXE
PID:4624 -
\??\c:\nhnhhh.exec:\nhnhhh.exe36⤵
- Executes dropped EXE
PID:3624 -
\??\c:\7vpdp.exec:\7vpdp.exe37⤵
- Executes dropped EXE
PID:4904 -
\??\c:\7rrfrrl.exec:\7rrfrrl.exe38⤵
- Executes dropped EXE
PID:2992 -
\??\c:\ntbthn.exec:\ntbthn.exe39⤵
- Executes dropped EXE
PID:4552 -
\??\c:\bbhhtb.exec:\bbhhtb.exe40⤵
- Executes dropped EXE
PID:4896 -
\??\c:\vddvj.exec:\vddvj.exe41⤵
- Executes dropped EXE
PID:4576 -
\??\c:\xlrxxfx.exec:\xlrxxfx.exe42⤵
- Executes dropped EXE
PID:4352 -
\??\c:\3ttnnh.exec:\3ttnnh.exe43⤵
- Executes dropped EXE
PID:4296 -
\??\c:\dpddv.exec:\dpddv.exe44⤵
- Executes dropped EXE
PID:436 -
\??\c:\fflfxxx.exec:\fflfxxx.exe45⤵
- Executes dropped EXE
PID:2192 -
\??\c:\frffffx.exec:\frffffx.exe46⤵
- Executes dropped EXE
PID:3796 -
\??\c:\9ttnbb.exec:\9ttnbb.exe47⤵
- Executes dropped EXE
PID:396 -
\??\c:\vdvpp.exec:\vdvpp.exe48⤵
- Executes dropped EXE
PID:3924 -
\??\c:\ppjjp.exec:\ppjjp.exe49⤵
- Executes dropped EXE
PID:2420 -
\??\c:\xxlfxxl.exec:\xxlfxxl.exe50⤵
- Executes dropped EXE
PID:4924 -
\??\c:\1bbhhn.exec:\1bbhhn.exe51⤵
- Executes dropped EXE
PID:4988 -
\??\c:\nbntnn.exec:\nbntnn.exe52⤵
- Executes dropped EXE
PID:1352 -
\??\c:\jpvjd.exec:\jpvjd.exe53⤵
- Executes dropped EXE
PID:3372 -
\??\c:\rrffrrl.exec:\rrffrrl.exe54⤵
- Executes dropped EXE
PID:4792 -
\??\c:\tnhbnh.exec:\tnhbnh.exe55⤵
- Executes dropped EXE
PID:2784 -
\??\c:\pjvjj.exec:\pjvjj.exe56⤵
- Executes dropped EXE
PID:1424 -
\??\c:\rxfxlrr.exec:\rxfxlrr.exe57⤵
- Executes dropped EXE
PID:4548 -
\??\c:\hhtbht.exec:\hhtbht.exe58⤵
- Executes dropped EXE
PID:2744 -
\??\c:\pjpjv.exec:\pjpjv.exe59⤵
- Executes dropped EXE
PID:4104 -
\??\c:\7jpjp.exec:\7jpjp.exe60⤵
- Executes dropped EXE
PID:3944 -
\??\c:\xfllxff.exec:\xfllxff.exe61⤵
- Executes dropped EXE
PID:4052 -
\??\c:\1hnbnn.exec:\1hnbnn.exe62⤵
- Executes dropped EXE
PID:448 -
\??\c:\vjpdv.exec:\vjpdv.exe63⤵
- Executes dropped EXE
PID:1392 -
\??\c:\fxxlxxl.exec:\fxxlxxl.exe64⤵
- Executes dropped EXE
PID:536 -
\??\c:\nthhbh.exec:\nthhbh.exe65⤵
- Executes dropped EXE
PID:5060 -
\??\c:\5jjdp.exec:\5jjdp.exe66⤵PID:4936
-
\??\c:\rrffflr.exec:\rrffflr.exe67⤵PID:2116
-
\??\c:\thhbtn.exec:\thhbtn.exe68⤵PID:1556
-
\??\c:\dvddv.exec:\dvddv.exe69⤵PID:212
-
\??\c:\7lrlxlf.exec:\7lrlxlf.exe70⤵PID:4340
-
\??\c:\ttbbth.exec:\ttbbth.exe71⤵PID:2068
-
\??\c:\1jjpp.exec:\1jjpp.exe72⤵PID:1656
-
\??\c:\rrxfxff.exec:\rrxfxff.exe73⤵PID:1132
-
\??\c:\tbnnhh.exec:\tbnnhh.exe74⤵PID:1516
-
\??\c:\vppjv.exec:\vppjv.exe75⤵PID:2920
-
\??\c:\jjvvv.exec:\jjvvv.exe76⤵PID:3240
-
\??\c:\ffxfxff.exec:\ffxfxff.exe77⤵PID:3528
-
\??\c:\bbnnhh.exec:\bbnnhh.exe78⤵PID:3592
-
\??\c:\vpppd.exec:\vpppd.exe79⤵PID:832
-
\??\c:\xrrrfrl.exec:\xrrrfrl.exe80⤵PID:2884
-
\??\c:\ntbbbb.exec:\ntbbbb.exe81⤵PID:4620
-
\??\c:\tnbbtt.exec:\tnbbtt.exe82⤵PID:2324
-
\??\c:\ppjdj.exec:\ppjdj.exe83⤵PID:324
-
\??\c:\1xxxxrr.exec:\1xxxxrr.exe84⤵PID:2916
-
\??\c:\tnttnn.exec:\tnttnn.exe85⤵PID:312
-
\??\c:\vjdvp.exec:\vjdvp.exe86⤵PID:4868
-
\??\c:\rllfxlf.exec:\rllfxlf.exe87⤵PID:1100
-
\??\c:\tnhbhh.exec:\tnhbhh.exe88⤵PID:3480
-
\??\c:\dpvjv.exec:\dpvjv.exe89⤵PID:1664
-
\??\c:\1djdj.exec:\1djdj.exe90⤵PID:3780
-
\??\c:\frfxxrl.exec:\frfxxrl.exe91⤵PID:3880
-
\??\c:\bhnhhh.exec:\bhnhhh.exe92⤵PID:5068
-
\??\c:\pjdvp.exec:\pjdvp.exe93⤵PID:3988
-
\??\c:\fxrlffx.exec:\fxrlffx.exe94⤵PID:2552
-
\??\c:\9nhhtt.exec:\9nhhtt.exe95⤵PID:3044
-
\??\c:\7thhbh.exec:\7thhbh.exe96⤵PID:2760
-
\??\c:\pddvp.exec:\pddvp.exe97⤵PID:1156
-
\??\c:\rrffrxl.exec:\rrffrxl.exe98⤵PID:2740
-
\??\c:\tnbbtb.exec:\tnbbtb.exe99⤵PID:4244
-
\??\c:\jvpdp.exec:\jvpdp.exe100⤵PID:2392
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe101⤵PID:3452
-
\??\c:\7bhbnh.exec:\7bhbnh.exe102⤵PID:3304
-
\??\c:\jvvpj.exec:\jvvpj.exe103⤵PID:3712
-
\??\c:\3djdv.exec:\3djdv.exe104⤵PID:4980
-
\??\c:\rrrlffr.exec:\rrrlffr.exe105⤵PID:4144
-
\??\c:\ntnhbb.exec:\ntnhbb.exe106⤵PID:600
-
\??\c:\hthhnn.exec:\hthhnn.exe107⤵PID:1740
-
\??\c:\3djpp.exec:\3djpp.exe108⤵PID:3896
-
\??\c:\lflxxrx.exec:\lflxxrx.exe109⤵PID:4268
-
\??\c:\bthnnn.exec:\bthnnn.exe110⤵PID:4708
-
\??\c:\dpvpp.exec:\dpvpp.exe111⤵PID:2064
-
\??\c:\ffxrlrr.exec:\ffxrlrr.exe112⤵PID:3404
-
\??\c:\1tbhbh.exec:\1tbhbh.exe113⤵PID:4188
-
\??\c:\nnbtnn.exec:\nnbtnn.exe114⤵PID:2008
-
\??\c:\jpvdp.exec:\jpvdp.exe115⤵PID:4240
-
\??\c:\rfrllrr.exec:\rfrllrr.exe116⤵PID:4824
-
\??\c:\tntnbb.exec:\tntnbb.exe117⤵PID:4880
-
\??\c:\bnbttt.exec:\bnbttt.exe118⤵PID:2124
-
\??\c:\pjjdv.exec:\pjjdv.exe119⤵PID:4872
-
\??\c:\xrlrlrl.exec:\xrlrlrl.exe120⤵PID:3036
-
\??\c:\hbbbbt.exec:\hbbbbt.exe121⤵PID:2496
-
\??\c:\5jjdv.exec:\5jjdv.exe122⤵PID:1724
-