Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 15:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7d4e5a991dc90508f420573b7b3bfebeee329bf2b26d91bd972acd3327940e41.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7d4e5a991dc90508f420573b7b3bfebeee329bf2b26d91bd972acd3327940e41.exe
-
Size
454KB
-
MD5
a665cc6203e7c92f90676d458e9dffb1
-
SHA1
9e10bb4afdf9c4e79485da562ec15223a65a4ef5
-
SHA256
7d4e5a991dc90508f420573b7b3bfebeee329bf2b26d91bd972acd3327940e41
-
SHA512
1301250d8939359f8af928ecda718341b0352bc6a4b211f48c5c758443f747b62edb8f88b4ff3f68be000be964fbf513912e31815228e26bf3defeb97da1eec7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4184-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4728-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3244-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-1351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3576-1517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3752 lllfxrr.exe 3452 3jdvv.exe 1216 xrrlxrl.exe 1952 nhhtnn.exe 3576 vdpjd.exe 4008 fxfxxrr.exe 1196 3lrlfff.exe 4520 ttbtnb.exe 5036 jdjdv.exe 1176 rlrlffx.exe 2844 ntbtnh.exe 1852 hbbbtn.exe 3808 vpvdp.exe 1640 llxfxfl.exe 2384 lfrlffr.exe 2020 1tbnbt.exe 5052 xffxlrf.exe 5048 dppdv.exe 1128 rxxrlfx.exe 1136 3tnhtn.exe 3348 ffrrlrx.exe 2368 httnhh.exe 4728 vjpjv.exe 624 9rlxlfx.exe 2672 hnthbt.exe 4532 pjjdp.exe 5080 xrxlrrl.exe 4872 hhbthb.exe 704 pdvpd.exe 2364 pjjdp.exe 2196 rfxxxxx.exe 4636 tnnhbt.exe 3240 jvvpj.exe 1932 xlrlffr.exe 4236 htthbt.exe 3496 vdpjd.exe 2852 5rxrllx.exe 4476 nhbthb.exe 1660 7pdvj.exe 3748 fllfrlf.exe 2884 bnnhtn.exe 4884 jvdpj.exe 1036 pdjdv.exe 3588 fxllxrl.exe 220 httnbb.exe 3252 bnbtnt.exe 4760 vjjvj.exe 4016 llfxrrl.exe 440 lfrrffx.exe 4004 btbtnh.exe 4392 pdpdd.exe 1048 lfrlffx.exe 776 hntnhb.exe 4756 pvjvd.exe 4436 vppjv.exe 3752 rllfllf.exe 1336 nhhhbt.exe 4852 3jdpd.exe 1484 fxlxllf.exe 1788 rfrlrll.exe 1196 ntbbnh.exe 3708 jvjvd.exe 2376 jdjdp.exe 3704 llfrflx.exe -
resource yara_rule behavioral2/memory/4184-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4532-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2628-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-736-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4184 wrote to memory of 3752 4184 7d4e5a991dc90508f420573b7b3bfebeee329bf2b26d91bd972acd3327940e41.exe 82 PID 4184 wrote to memory of 3752 4184 7d4e5a991dc90508f420573b7b3bfebeee329bf2b26d91bd972acd3327940e41.exe 82 PID 4184 wrote to memory of 3752 4184 7d4e5a991dc90508f420573b7b3bfebeee329bf2b26d91bd972acd3327940e41.exe 82 PID 3752 wrote to memory of 3452 3752 lllfxrr.exe 83 PID 3752 wrote to memory of 3452 3752 lllfxrr.exe 83 PID 3752 wrote to memory of 3452 3752 lllfxrr.exe 83 PID 3452 wrote to memory of 1216 3452 3jdvv.exe 84 PID 3452 wrote to memory of 1216 3452 3jdvv.exe 84 PID 3452 wrote to memory of 1216 3452 3jdvv.exe 84 PID 1216 wrote to memory of 1952 1216 xrrlxrl.exe 85 PID 1216 wrote to memory of 1952 1216 xrrlxrl.exe 85 PID 1216 wrote to memory of 1952 1216 xrrlxrl.exe 85 PID 1952 wrote to memory of 3576 1952 nhhtnn.exe 86 PID 1952 wrote to memory of 3576 1952 nhhtnn.exe 86 PID 1952 wrote to memory of 3576 1952 nhhtnn.exe 86 PID 3576 wrote to memory of 4008 3576 vdpjd.exe 87 PID 3576 wrote to memory of 4008 3576 vdpjd.exe 87 PID 3576 wrote to memory of 4008 3576 vdpjd.exe 87 PID 4008 wrote to memory of 1196 4008 fxfxxrr.exe 88 PID 4008 wrote to memory of 1196 4008 fxfxxrr.exe 88 PID 4008 wrote to memory of 1196 4008 fxfxxrr.exe 88 PID 1196 wrote to memory of 4520 1196 3lrlfff.exe 89 PID 1196 wrote to memory of 4520 1196 3lrlfff.exe 89 PID 1196 wrote to memory of 4520 1196 3lrlfff.exe 89 PID 4520 wrote to memory of 5036 4520 ttbtnb.exe 90 PID 4520 wrote to memory of 5036 4520 ttbtnb.exe 90 PID 4520 wrote to memory of 5036 4520 ttbtnb.exe 90 PID 5036 wrote to memory of 1176 5036 jdjdv.exe 91 PID 5036 wrote to memory of 1176 5036 jdjdv.exe 91 PID 5036 wrote to memory of 1176 5036 jdjdv.exe 91 PID 1176 wrote to memory of 2844 1176 rlrlffx.exe 92 PID 1176 wrote to memory of 2844 1176 rlrlffx.exe 92 PID 1176 wrote to memory of 2844 1176 rlrlffx.exe 92 PID 2844 wrote to memory of 1852 2844 ntbtnh.exe 93 PID 2844 
wrote to memory of 1852 2844 ntbtnh.exe 93 PID 2844 wrote to memory of 1852 2844 ntbtnh.exe 93 PID 1852 wrote to memory of 3808 1852 hbbbtn.exe 94 PID 1852 wrote to memory of 3808 1852 hbbbtn.exe 94 PID 1852 wrote to memory of 3808 1852 hbbbtn.exe 94 PID 3808 wrote to memory of 1640 3808 vpvdp.exe 95 PID 3808 wrote to memory of 1640 3808 vpvdp.exe 95 PID 3808 wrote to memory of 1640 3808 vpvdp.exe 95 PID 1640 wrote to memory of 2384 1640 llxfxfl.exe 96 PID 1640 wrote to memory of 2384 1640 llxfxfl.exe 96 PID 1640 wrote to memory of 2384 1640 llxfxfl.exe 96 PID 2384 wrote to memory of 2020 2384 lfrlffr.exe 97 PID 2384 wrote to memory of 2020 2384 lfrlffr.exe 97 PID 2384 wrote to memory of 2020 2384 lfrlffr.exe 97 PID 2020 wrote to memory of 5052 2020 1tbnbt.exe 98 PID 2020 wrote to memory of 5052 2020 1tbnbt.exe 98 PID 2020 wrote to memory of 5052 2020 1tbnbt.exe 98 PID 5052 wrote to memory of 5048 5052 xffxlrf.exe 99 PID 5052 wrote to memory of 5048 5052 xffxlrf.exe 99 PID 5052 wrote to memory of 5048 5052 xffxlrf.exe 99 PID 5048 wrote to memory of 1128 5048 dppdv.exe 100 PID 5048 wrote to memory of 1128 5048 dppdv.exe 100 PID 5048 wrote to memory of 1128 5048 dppdv.exe 100 PID 1128 wrote to memory of 1136 1128 rxxrlfx.exe 101 PID 1128 wrote to memory of 1136 1128 rxxrlfx.exe 101 PID 1128 wrote to memory of 1136 1128 rxxrlfx.exe 101 PID 1136 wrote to memory of 3348 1136 3tnhtn.exe 102 PID 1136 wrote to memory of 3348 1136 3tnhtn.exe 102 PID 1136 wrote to memory of 3348 1136 3tnhtn.exe 102 PID 3348 wrote to memory of 2368 3348 ffrrlrx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d4e5a991dc90508f420573b7b3bfebeee329bf2b26d91bd972acd3327940e41.exe"C:\Users\Admin\AppData\Local\Temp\7d4e5a991dc90508f420573b7b3bfebeee329bf2b26d91bd972acd3327940e41.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\lllfxrr.exec:\lllfxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\3jdvv.exec:\3jdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\nhhtnn.exec:\nhhtnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\vdpjd.exec:\vdpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\fxfxxrr.exec:\fxfxxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\3lrlfff.exec:\3lrlfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\ttbtnb.exec:\ttbtnb.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\jdjdv.exec:\jdjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\rlrlffx.exec:\rlrlffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\ntbtnh.exec:\ntbtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\hbbbtn.exec:\hbbbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\vpvdp.exec:\vpvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\llxfxfl.exec:\llxfxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\lfrlffr.exec:\lfrlffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\1tbnbt.exec:\1tbnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\xffxlrf.exec:\xffxlrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\dppdv.exec:\dppdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\3tnhtn.exec:\3tnhtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\ffrrlrx.exec:\ffrrlrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\httnhh.exec:\httnhh.exe23⤵
- Executes dropped EXE
PID:2368 -
\??\c:\vjpjv.exec:\vjpjv.exe24⤵
- Executes dropped EXE
PID:4728 -
\??\c:\9rlxlfx.exec:\9rlxlfx.exe25⤵
- Executes dropped EXE
PID:624 -
\??\c:\hnthbt.exec:\hnthbt.exe26⤵
- Executes dropped EXE
PID:2672 -
\??\c:\pjjdp.exec:\pjjdp.exe27⤵
- Executes dropped EXE
PID:4532 -
\??\c:\xrxlrrl.exec:\xrxlrrl.exe28⤵
- Executes dropped EXE
PID:5080 -
\??\c:\hhbthb.exec:\hhbthb.exe29⤵
- Executes dropped EXE
PID:4872 -
\??\c:\pdvpd.exec:\pdvpd.exe30⤵
- Executes dropped EXE
PID:704 -
\??\c:\pjjdp.exec:\pjjdp.exe31⤵
- Executes dropped EXE
PID:2364 -
\??\c:\rfxxxxx.exec:\rfxxxxx.exe32⤵
- Executes dropped EXE
PID:2196 -
\??\c:\tnnhbt.exec:\tnnhbt.exe33⤵
- Executes dropped EXE
PID:4636 -
\??\c:\jvvpj.exec:\jvvpj.exe34⤵
- Executes dropped EXE
PID:3240 -
\??\c:\xlrlffr.exec:\xlrlffr.exe35⤵
- Executes dropped EXE
PID:1932 -
\??\c:\htthbt.exec:\htthbt.exe36⤵
- Executes dropped EXE
PID:4236 -
\??\c:\vdpjd.exec:\vdpjd.exe37⤵
- Executes dropped EXE
PID:3496 -
\??\c:\5rxrllx.exec:\5rxrllx.exe38⤵
- Executes dropped EXE
PID:2852 -
\??\c:\nhbthb.exec:\nhbthb.exe39⤵
- Executes dropped EXE
PID:4476 -
\??\c:\7pdvj.exec:\7pdvj.exe40⤵
- Executes dropped EXE
PID:1660 -
\??\c:\fllfrlf.exec:\fllfrlf.exe41⤵
- Executes dropped EXE
PID:3748 -
\??\c:\bnnhtn.exec:\bnnhtn.exe42⤵
- Executes dropped EXE
PID:2884 -
\??\c:\jvdpj.exec:\jvdpj.exe43⤵
- Executes dropped EXE
PID:4884 -
\??\c:\pdjdv.exec:\pdjdv.exe44⤵
- Executes dropped EXE
PID:1036 -
\??\c:\fxllxrl.exec:\fxllxrl.exe45⤵
- Executes dropped EXE
PID:3588 -
\??\c:\httnbb.exec:\httnbb.exe46⤵
- Executes dropped EXE
PID:220 -
\??\c:\bnbtnt.exec:\bnbtnt.exe47⤵
- Executes dropped EXE
PID:3252 -
\??\c:\vjjvj.exec:\vjjvj.exe48⤵
- Executes dropped EXE
PID:4760 -
\??\c:\llfxrrl.exec:\llfxrrl.exe49⤵
- Executes dropped EXE
PID:4016 -
\??\c:\lfrrffx.exec:\lfrrffx.exe50⤵
- Executes dropped EXE
PID:440 -
\??\c:\btbtnh.exec:\btbtnh.exe51⤵
- Executes dropped EXE
PID:4004 -
\??\c:\pdpdd.exec:\pdpdd.exe52⤵
- Executes dropped EXE
PID:4392 -
\??\c:\lfrlffx.exec:\lfrlffx.exe53⤵
- Executes dropped EXE
PID:1048 -
\??\c:\hntnhb.exec:\hntnhb.exe54⤵
- Executes dropped EXE
PID:776 -
\??\c:\pvjvd.exec:\pvjvd.exe55⤵
- Executes dropped EXE
PID:4756 -
\??\c:\vppjv.exec:\vppjv.exe56⤵
- Executes dropped EXE
PID:4436 -
\??\c:\rllfllf.exec:\rllfllf.exe57⤵
- Executes dropped EXE
PID:3752 -
\??\c:\nhhhbt.exec:\nhhhbt.exe58⤵
- Executes dropped EXE
PID:1336 -
\??\c:\3jdpd.exec:\3jdpd.exe59⤵
- Executes dropped EXE
PID:4852 -
\??\c:\fxlxllf.exec:\fxlxllf.exe60⤵
- Executes dropped EXE
PID:1484 -
\??\c:\rfrlrll.exec:\rfrlrll.exe61⤵
- Executes dropped EXE
PID:1788 -
\??\c:\ntbbnh.exec:\ntbbnh.exe62⤵
- Executes dropped EXE
PID:1196 -
\??\c:\jvjvd.exec:\jvjvd.exe63⤵
- Executes dropped EXE
PID:3708 -
\??\c:\jdjdp.exec:\jdjdp.exe64⤵
- Executes dropped EXE
PID:2376 -
\??\c:\llfrflx.exec:\llfrflx.exe65⤵
- Executes dropped EXE
PID:3704 -
\??\c:\hnthtb.exec:\hnthtb.exe66⤵PID:5036
-
\??\c:\jjpjd.exec:\jjpjd.exe67⤵PID:856
-
\??\c:\pddvj.exec:\pddvj.exe68⤵PID:2704
-
\??\c:\rflffrr.exec:\rflffrr.exe69⤵PID:2696
-
\??\c:\tbbtnh.exec:\tbbtnh.exe70⤵PID:3276
-
\??\c:\hnhtnn.exec:\hnhtnn.exe71⤵PID:2228
-
\??\c:\jvvdp.exec:\jvvdp.exe72⤵PID:3732
-
\??\c:\xlllxfx.exec:\xlllxfx.exe73⤵PID:1928
-
\??\c:\hbtnhh.exec:\hbtnhh.exe74⤵PID:324
-
\??\c:\ppdvd.exec:\ppdvd.exe75⤵PID:1640
-
\??\c:\rrxlxrf.exec:\rrxlxrf.exe76⤵PID:3392
-
\??\c:\frrfrlf.exec:\frrfrlf.exe77⤵PID:3212
-
\??\c:\ntbtnh.exec:\ntbtnh.exe78⤵PID:5044
-
\??\c:\dvpjv.exec:\dvpjv.exe79⤵PID:3440
-
\??\c:\rxfrflf.exec:\rxfrflf.exe80⤵PID:228
-
\??\c:\rllxrlf.exec:\rllxrlf.exe81⤵PID:1924
-
\??\c:\bbhhhh.exec:\bbhhhh.exe82⤵PID:1608
-
\??\c:\vjvjd.exec:\vjvjd.exe83⤵PID:880
-
\??\c:\frlxlfx.exec:\frlxlfx.exe84⤵
- System Location Discovery: System Language Discovery
PID:3244 -
\??\c:\7llxrlf.exec:\7llxrlf.exe85⤵PID:464
-
\??\c:\nttnhb.exec:\nttnhb.exe86⤵PID:1580
-
\??\c:\jvvpj.exec:\jvvpj.exe87⤵PID:1524
-
\??\c:\jjjdv.exec:\jjjdv.exe88⤵PID:1708
-
\??\c:\frrfrrf.exec:\frrfrrf.exe89⤵PID:2628
-
\??\c:\3tnhtt.exec:\3tnhtt.exe90⤵PID:2652
-
\??\c:\pvvvv.exec:\pvvvv.exe91⤵PID:1448
-
\??\c:\9fxlfxl.exec:\9fxlfxl.exe92⤵PID:1212
-
\??\c:\xlrlxrf.exec:\xlrlxrf.exe93⤵PID:1228
-
\??\c:\nbtnbt.exec:\nbtnbt.exe94⤵PID:2608
-
\??\c:\vppdp.exec:\vppdp.exe95⤵PID:1900
-
\??\c:\rrrfrrl.exec:\rrrfrrl.exe96⤵PID:2436
-
\??\c:\rxrfxxr.exec:\rxrfxxr.exe97⤵PID:2468
-
\??\c:\nhbtnh.exec:\nhbtnh.exe98⤵PID:1700
-
\??\c:\jpvjd.exec:\jpvjd.exe99⤵PID:2428
-
\??\c:\pddpj.exec:\pddpj.exe100⤵PID:4440
-
\??\c:\rffrlll.exec:\rffrlll.exe101⤵PID:1604
-
\??\c:\3nnbtn.exec:\3nnbtn.exe102⤵PID:4164
-
\??\c:\thhbnn.exec:\thhbnn.exe103⤵PID:3680
-
\??\c:\vdvpj.exec:\vdvpj.exe104⤵PID:3744
-
\??\c:\xlrfrlf.exec:\xlrfrlf.exe105⤵PID:896
-
\??\c:\nhnbnh.exec:\nhnbnh.exe106⤵PID:808
-
\??\c:\bbhthb.exec:\bbhthb.exe107⤵PID:4172
-
\??\c:\djvvj.exec:\djvvj.exe108⤵PID:3200
-
\??\c:\rrrlxxr.exec:\rrrlxxr.exe109⤵PID:2344
-
\??\c:\tbnbnb.exec:\tbnbnb.exe110⤵PID:1636
-
\??\c:\pvvjd.exec:\pvvjd.exe111⤵PID:2724
-
\??\c:\xffxlfx.exec:\xffxlfx.exe112⤵PID:852
-
\??\c:\nhhbtn.exec:\nhhbtn.exe113⤵PID:1388
-
\??\c:\jvjdj.exec:\jvjdj.exe114⤵PID:2760
-
\??\c:\dddvp.exec:\dddvp.exe115⤵PID:384
-
\??\c:\xrrfrlf.exec:\xrrfrlf.exe116⤵PID:3948
-
\??\c:\htthbt.exec:\htthbt.exe117⤵
- System Location Discovery: System Language Discovery
PID:4144 -
\??\c:\3dddp.exec:\3dddp.exe118⤵PID:1440
-
\??\c:\vpvpd.exec:\vpvpd.exe119⤵PID:4004
-
\??\c:\lfxlrrr.exec:\lfxlrrr.exe120⤵PID:4392
-
\??\c:\hbhbht.exec:\hbhbht.exe121⤵PID:4460
-
\??\c:\9bbtnn.exec:\9bbtnn.exe122⤵PID:392