Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe
-
Size
452KB
-
MD5
149534acc986cf8699dc39f999e3ac70
-
SHA1
c36c46766b495cdf3cd5e01fb60d22d54dec6f44
-
SHA256
8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78c
-
SHA512
0939aa90b45ccc8312db9bf82b417231af912ccc05db6ce14d9080d1902c8f841af7bbcc34ace0553b7ec9497c1723c0a8cdd213c15f68e6b033940d51d3e89d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1660-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2440-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2780-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-1205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-1234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-1430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2268-1452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4892 lrfffff.exe 1296 dpvpp.exe 1492 dvjdv.exe 2640 lflllll.exe 3596 nhnhbb.exe 3368 jdpjd.exe 1972 jdvpp.exe 1984 1lrlfff.exe 1936 hhtnnn.exe 4396 9tbbtb.exe 4072 htnhhh.exe 4016 pjjdd.exe 1696 lffxlfx.exe 556 1tthbh.exe 4896 btbtht.exe 4740 ddvpj.exe 4732 3xlffff.exe 2052 9jpjd.exe 5064 lxlfxrl.exe 3580 xrrllll.exe 468 3thtbb.exe 2496 pjjjp.exe 1328 btbnhh.exe 5012 ttttnt.exe 4360 5flfrrr.exe 3176 3ttnhh.exe 4452 pvdvv.exe 2440 lflfxxr.exe 4836 jdjdd.exe 2152 7bhbtt.exe 1148 dpppp.exe 2280 1bbttb.exe 732 rffxxxr.exe 652 nhhnhb.exe 708 7ddvv.exe 3924 vjvpp.exe 2068 3xxrllf.exe 2416 5bbtnn.exe 1076 vpjdp.exe 2764 rfllxxr.exe 2500 nhhbtt.exe 4412 jpppp.exe 3812 3ppjd.exe 2332 llffxff.exe 2956 hntnnn.exe 1488 5bbthh.exe 4532 jdpjj.exe 1252 frxxfff.exe 2084 xrlxrxr.exe 4920 htbtnn.exe 2216 jdpjj.exe 2884 rrxxxxx.exe 1292 bnnbtn.exe 1152 dpvdv.exe 4772 1vdvp.exe 448 xrxfffl.exe 5092 bhhbbb.exe 1528 jvdvp.exe 316 1jpdv.exe 1972 rrrlllf.exe 216 htbbbb.exe 3820 hbnhbt.exe 2728 1ddvp.exe 1936 fxxfffx.exe -
resource yara_rule behavioral2/memory/1660-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2280-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4516-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-721-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbbbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1660 wrote to memory of 4892 1660 8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe 83 PID 1660 wrote to memory of 4892 1660 8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe 83 PID 1660 wrote to memory of 4892 1660 8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe 83 PID 4892 wrote to memory of 1296 4892 lrfffff.exe 84 PID 4892 wrote to memory of 1296 4892 lrfffff.exe 84 PID 4892 wrote to memory of 1296 4892 lrfffff.exe 84 PID 1296 wrote to memory of 1492 1296 dpvpp.exe 85 PID 1296 wrote to memory of 1492 1296 dpvpp.exe 85 PID 1296 wrote to memory of 1492 1296 dpvpp.exe 85 PID 1492 wrote to memory of 2640 1492 dvjdv.exe 86 PID 1492 wrote to memory of 2640 1492 dvjdv.exe 86 PID 1492 wrote to memory of 2640 1492 dvjdv.exe 86 PID 2640 wrote to memory of 3596 2640 lflllll.exe 87 PID 2640 wrote to memory of 3596 2640 lflllll.exe 87 PID 2640 wrote to memory of 3596 2640 lflllll.exe 87 PID 3596 wrote to memory of 3368 3596 nhnhbb.exe 88 PID 3596 wrote to memory of 3368 3596 nhnhbb.exe 88 PID 3596 wrote to memory of 3368 3596 nhnhbb.exe 88 PID 3368 wrote to memory of 1972 3368 jdpjd.exe 89 PID 3368 wrote to memory of 1972 3368 jdpjd.exe 89 PID 3368 wrote to memory of 1972 3368 jdpjd.exe 89 PID 1972 wrote to memory of 1984 1972 jdvpp.exe 90 PID 1972 wrote to memory of 1984 1972 jdvpp.exe 90 PID 1972 wrote to memory of 1984 1972 jdvpp.exe 90 PID 1984 wrote to memory of 1936 1984 1lrlfff.exe 91 PID 1984 wrote to memory of 1936 1984 1lrlfff.exe 91 PID 1984 wrote to memory of 1936 1984 1lrlfff.exe 91 PID 1936 wrote to memory of 4396 1936 hhtnnn.exe 92 PID 1936 wrote to memory of 4396 1936 hhtnnn.exe 92 PID 1936 wrote to memory of 4396 1936 hhtnnn.exe 92 PID 4396 wrote to memory of 4072 4396 9tbbtb.exe 93 PID 4396 wrote to memory of 4072 4396 9tbbtb.exe 93 PID 4396 wrote to memory of 4072 4396 9tbbtb.exe 93 PID 4072 wrote to memory of 4016 4072 htnhhh.exe 94 PID 4072 wrote to 
memory of 4016 4072 htnhhh.exe 94 PID 4072 wrote to memory of 4016 4072 htnhhh.exe 94 PID 4016 wrote to memory of 1696 4016 pjjdd.exe 95 PID 4016 wrote to memory of 1696 4016 pjjdd.exe 95 PID 4016 wrote to memory of 1696 4016 pjjdd.exe 95 PID 1696 wrote to memory of 556 1696 lffxlfx.exe 96 PID 1696 wrote to memory of 556 1696 lffxlfx.exe 96 PID 1696 wrote to memory of 556 1696 lffxlfx.exe 96 PID 556 wrote to memory of 4896 556 1tthbh.exe 97 PID 556 wrote to memory of 4896 556 1tthbh.exe 97 PID 556 wrote to memory of 4896 556 1tthbh.exe 97 PID 4896 wrote to memory of 4740 4896 btbtht.exe 98 PID 4896 wrote to memory of 4740 4896 btbtht.exe 98 PID 4896 wrote to memory of 4740 4896 btbtht.exe 98 PID 4740 wrote to memory of 4732 4740 ddvpj.exe 99 PID 4740 wrote to memory of 4732 4740 ddvpj.exe 99 PID 4740 wrote to memory of 4732 4740 ddvpj.exe 99 PID 4732 wrote to memory of 2052 4732 3xlffff.exe 100 PID 4732 wrote to memory of 2052 4732 3xlffff.exe 100 PID 4732 wrote to memory of 2052 4732 3xlffff.exe 100 PID 2052 wrote to memory of 5064 2052 9jpjd.exe 101 PID 2052 wrote to memory of 5064 2052 9jpjd.exe 101 PID 2052 wrote to memory of 5064 2052 9jpjd.exe 101 PID 5064 wrote to memory of 3580 5064 lxlfxrl.exe 102 PID 5064 wrote to memory of 3580 5064 lxlfxrl.exe 102 PID 5064 wrote to memory of 3580 5064 lxlfxrl.exe 102 PID 3580 wrote to memory of 468 3580 xrrllll.exe 103 PID 3580 wrote to memory of 468 3580 xrrllll.exe 103 PID 3580 wrote to memory of 468 3580 xrrllll.exe 103 PID 468 wrote to memory of 2496 468 3thtbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe"C:\Users\Admin\AppData\Local\Temp\8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\lrfffff.exec:\lrfffff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\dpvpp.exec:\dpvpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\dvjdv.exec:\dvjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\lflllll.exec:\lflllll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\nhnhbb.exec:\nhnhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\jdpjd.exec:\jdpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\jdvpp.exec:\jdvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\1lrlfff.exec:\1lrlfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\hhtnnn.exec:\hhtnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\9tbbtb.exec:\9tbbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\htnhhh.exec:\htnhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\pjjdd.exec:\pjjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\lffxlfx.exec:\lffxlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\1tthbh.exec:\1tthbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\btbtht.exec:\btbtht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\ddvpj.exec:\ddvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\3xlffff.exec:\3xlffff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\9jpjd.exec:\9jpjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\xrrllll.exec:\xrrllll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\3thtbb.exec:\3thtbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\pjjjp.exec:\pjjjp.exe23⤵
- Executes dropped EXE
PID:2496 -
\??\c:\btbnhh.exec:\btbnhh.exe24⤵
- Executes dropped EXE
PID:1328 -
\??\c:\ttttnt.exec:\ttttnt.exe25⤵
- Executes dropped EXE
PID:5012 -
\??\c:\5flfrrr.exec:\5flfrrr.exe26⤵
- Executes dropped EXE
PID:4360 -
\??\c:\3ttnhh.exec:\3ttnhh.exe27⤵
- Executes dropped EXE
PID:3176 -
\??\c:\pvdvv.exec:\pvdvv.exe28⤵
- Executes dropped EXE
PID:4452 -
\??\c:\lflfxxr.exec:\lflfxxr.exe29⤵
- Executes dropped EXE
PID:2440 -
\??\c:\jdjdd.exec:\jdjdd.exe30⤵
- Executes dropped EXE
PID:4836 -
\??\c:\7bhbtt.exec:\7bhbtt.exe31⤵
- Executes dropped EXE
PID:2152 -
\??\c:\dpppp.exec:\dpppp.exe32⤵
- Executes dropped EXE
PID:1148 -
\??\c:\1bbttb.exec:\1bbttb.exe33⤵
- Executes dropped EXE
PID:2280 -
\??\c:\rffxxxr.exec:\rffxxxr.exe34⤵
- Executes dropped EXE
PID:732 -
\??\c:\nhhnhb.exec:\nhhnhb.exe35⤵
- Executes dropped EXE
PID:652 -
\??\c:\7ddvv.exec:\7ddvv.exe36⤵
- Executes dropped EXE
PID:708 -
\??\c:\vjvpp.exec:\vjvpp.exe37⤵
- Executes dropped EXE
PID:3924 -
\??\c:\3xxrllf.exec:\3xxrllf.exe38⤵
- Executes dropped EXE
PID:2068 -
\??\c:\5bbtnn.exec:\5bbtnn.exe39⤵
- Executes dropped EXE
PID:2416 -
\??\c:\vpjdp.exec:\vpjdp.exe40⤵
- Executes dropped EXE
PID:1076 -
\??\c:\rfllxxr.exec:\rfllxxr.exe41⤵
- Executes dropped EXE
PID:2764 -
\??\c:\nhhbtt.exec:\nhhbtt.exe42⤵
- Executes dropped EXE
PID:2500 -
\??\c:\jpppp.exec:\jpppp.exe43⤵
- Executes dropped EXE
PID:4412 -
\??\c:\3ppjd.exec:\3ppjd.exe44⤵
- Executes dropped EXE
PID:3812 -
\??\c:\llffxff.exec:\llffxff.exe45⤵
- Executes dropped EXE
PID:2332 -
\??\c:\hntnnn.exec:\hntnnn.exe46⤵
- Executes dropped EXE
PID:2956 -
\??\c:\5bbthh.exec:\5bbthh.exe47⤵
- Executes dropped EXE
PID:1488 -
\??\c:\jdpjj.exec:\jdpjj.exe48⤵
- Executes dropped EXE
PID:4532 -
\??\c:\frxxfff.exec:\frxxfff.exe49⤵
- Executes dropped EXE
PID:1252 -
\??\c:\xrlxrxr.exec:\xrlxrxr.exe50⤵
- Executes dropped EXE
PID:2084 -
\??\c:\htbtnn.exec:\htbtnn.exe51⤵
- Executes dropped EXE
PID:4920 -
\??\c:\jdpjj.exec:\jdpjj.exe52⤵
- Executes dropped EXE
PID:2216 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe53⤵
- Executes dropped EXE
PID:2884 -
\??\c:\bnnbtn.exec:\bnnbtn.exe54⤵
- Executes dropped EXE
PID:1292 -
\??\c:\dpvdv.exec:\dpvdv.exe55⤵
- Executes dropped EXE
PID:1152 -
\??\c:\1vdvp.exec:\1vdvp.exe56⤵
- Executes dropped EXE
PID:4772 -
\??\c:\xrxfffl.exec:\xrxfffl.exe57⤵
- Executes dropped EXE
PID:448 -
\??\c:\bhhbbb.exec:\bhhbbb.exe58⤵
- Executes dropped EXE
PID:5092 -
\??\c:\jvdvp.exec:\jvdvp.exe59⤵
- Executes dropped EXE
PID:1528 -
\??\c:\1jpdv.exec:\1jpdv.exe60⤵
- Executes dropped EXE
PID:316 -
\??\c:\rrrlllf.exec:\rrrlllf.exe61⤵
- Executes dropped EXE
PID:1972 -
\??\c:\htbbbb.exec:\htbbbb.exe62⤵
- Executes dropped EXE
PID:216 -
\??\c:\hbnhbt.exec:\hbnhbt.exe63⤵
- Executes dropped EXE
PID:3820 -
\??\c:\1ddvp.exec:\1ddvp.exe64⤵
- Executes dropped EXE
PID:2728 -
\??\c:\fxxfffx.exec:\fxxfffx.exe65⤵
- Executes dropped EXE
PID:1936 -
\??\c:\nhtttt.exec:\nhtttt.exe66⤵PID:3972
-
\??\c:\tnttbt.exec:\tnttbt.exe67⤵PID:2804
-
\??\c:\vjdvp.exec:\vjdvp.exe68⤵PID:2104
-
\??\c:\lrfxrll.exec:\lrfxrll.exe69⤵PID:4136
-
\??\c:\tnhhhh.exec:\tnhhhh.exe70⤵PID:2376
-
\??\c:\jdjdd.exec:\jdjdd.exe71⤵PID:4744
-
\??\c:\pdddv.exec:\pdddv.exe72⤵PID:4292
-
\??\c:\hbbbtt.exec:\hbbbtt.exe73⤵PID:848
-
\??\c:\hbnbtt.exec:\hbnbtt.exe74⤵PID:5016
-
\??\c:\jvvpj.exec:\jvvpj.exe75⤵PID:4012
-
\??\c:\rxffrrl.exec:\rxffrrl.exe76⤵PID:3504
-
\??\c:\tbhhbt.exec:\tbhhbt.exe77⤵PID:3588
-
\??\c:\nhhbtn.exec:\nhhbtn.exe78⤵PID:3052
-
\??\c:\pdddp.exec:\pdddp.exe79⤵PID:2780
-
\??\c:\5rfxxfl.exec:\5rfxxfl.exe80⤵PID:3220
-
\??\c:\7tnhtt.exec:\7tnhtt.exe81⤵
- System Location Discovery: System Language Discovery
PID:60 -
\??\c:\vdjdp.exec:\vdjdp.exe82⤵PID:1600
-
\??\c:\rfrlxxr.exec:\rfrlxxr.exe83⤵PID:1140
-
\??\c:\tbhbtn.exec:\tbhbtn.exe84⤵PID:1552
-
\??\c:\ntbthh.exec:\ntbthh.exe85⤵PID:2888
-
\??\c:\5djdp.exec:\5djdp.exe86⤵PID:840
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe87⤵PID:1732
-
\??\c:\nntnhh.exec:\nntnhh.exe88⤵
- System Location Discovery: System Language Discovery
PID:2724 -
\??\c:\ntbbtt.exec:\ntbbtt.exe89⤵PID:1356
-
\??\c:\vdvdv.exec:\vdvdv.exe90⤵PID:5080
-
\??\c:\xlfxrll.exec:\xlfxrll.exe91⤵PID:4516
-
\??\c:\3bbbnb.exec:\3bbbnb.exe92⤵PID:4472
-
\??\c:\ppvpd.exec:\ppvpd.exe93⤵PID:2152
-
\??\c:\rrxlxrx.exec:\rrxlxrx.exe94⤵PID:1148
-
\??\c:\9xxrlfr.exec:\9xxrlfr.exe95⤵PID:1876
-
\??\c:\bbnhhh.exec:\bbnhhh.exe96⤵PID:5044
-
\??\c:\dddpj.exec:\dddpj.exe97⤵PID:2160
-
\??\c:\vppjv.exec:\vppjv.exe98⤵PID:2860
-
\??\c:\3llffff.exec:\3llffff.exe99⤵PID:1316
-
\??\c:\9hbhhb.exec:\9hbhhb.exe100⤵PID:1596
-
\??\c:\tnnhbb.exec:\tnnhbb.exe101⤵PID:4672
-
\??\c:\pdjdv.exec:\pdjdv.exe102⤵PID:4388
-
\??\c:\xflfrfr.exec:\xflfrfr.exe103⤵PID:1076
-
\??\c:\httthh.exec:\httthh.exe104⤵PID:2128
-
\??\c:\jdppp.exec:\jdppp.exe105⤵PID:1288
-
\??\c:\fflfrrr.exec:\fflfrrr.exe106⤵PID:4412
-
\??\c:\xlfxxrl.exec:\xlfxxrl.exe107⤵PID:4172
-
\??\c:\hnbhbt.exec:\hnbhbt.exe108⤵PID:2332
-
\??\c:\jpvvj.exec:\jpvvj.exe109⤵
- System Location Discovery: System Language Discovery
PID:3684 -
\??\c:\xxxrxrx.exec:\xxxrxrx.exe110⤵PID:4592
-
\??\c:\9hnbtb.exec:\9hnbtb.exe111⤵PID:4312
-
\??\c:\vpvpd.exec:\vpvpd.exe112⤵PID:4296
-
\??\c:\dpvpd.exec:\dpvpd.exe113⤵PID:4300
-
\??\c:\rlfxllf.exec:\rlfxllf.exe114⤵PID:1660
-
\??\c:\tnhtnb.exec:\tnhtnb.exe115⤵PID:3200
-
\??\c:\vjdpj.exec:\vjdpj.exe116⤵PID:1020
-
\??\c:\dpppj.exec:\dpppj.exe117⤵PID:1556
-
\??\c:\xlxrfxx.exec:\xlxrfxx.exe118⤵PID:3652
-
\??\c:\btbnhb.exec:\btbnhb.exe119⤵PID:4784
-
\??\c:\pdjdv.exec:\pdjdv.exe120⤵PID:776
-
\??\c:\1jjdv.exec:\1jjdv.exe121⤵PID:2576
-
\??\c:\hbnhnh.exec:\hbnhnh.exe122⤵PID:4040