Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
28/12/2024, 20:30
Behavioral task
behavioral1
Sample
1b46ca2796918f9cc170c11a37edc6e1703031ea1fcc6f59c330173c5c17af2f.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
1b46ca2796918f9cc170c11a37edc6e1703031ea1fcc6f59c330173c5c17af2f.exe
-
Size
335KB
-
MD5
14b86b9fc5f491f969665534c2b67103
-
SHA1
7c6d184d1bba120766ba381109974bdd9d7b1303
-
SHA256
1b46ca2796918f9cc170c11a37edc6e1703031ea1fcc6f59c330173c5c17af2f
-
SHA512
350bab38b87e9e9d66723ba19cddbbe7eb97ac12832eecf9026c03044f165dfed164486690ef41580b0b0bf084f199e810fd6ee580fd40f4e200c17f4ebd90cb
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRr:R4wFHoSHYHUrAwfMp3CDRr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4820-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2268-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4212-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3836-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2872-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3732-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1076-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2604-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3020-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5088-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4392-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1792-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1376-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1712-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1684-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3440-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2828-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/544-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1548-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4568-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3308-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2792-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-474-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-519-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-530-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-555-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-643-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4392-862-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4840 lfllfff.exe 5016 5jdvv.exe 1728 xxxrllf.exe 3900 fxlfxrl.exe 3076 bhthbb.exe 3836 dvddv.exe 2268 xlllrrl.exe 532 hbhbhb.exe 5048 tbnbtt.exe 4212 jvpjj.exe 4884 5lrlflf.exe 4928 nbbbbt.exe 4916 tntnht.exe 2872 vddvp.exe 3732 pppjp.exe 396 rrllllf.exe 1776 jjdvj.exe 3032 3hbbtb.exe 1076 pdjjj.exe 2344 frllfxr.exe 1904 fffxxxx.exe 4448 bhhtbb.exe 4392 jjddv.exe 5088 fxlllrx.exe 3020 nbhhnh.exe 1220 pjjpj.exe 2604 pjdvv.exe 3692 xfrrrrr.exe 1792 pdpjj.exe 1104 ffllffx.exe 3484 nntnnn.exe 5052 ttbtbb.exe 4616 1pppj.exe 2408 vvddv.exe 1376 lffxrrr.exe 2748 rffxxxr.exe 2168 3bttnn.exe 1712 frxxrxr.exe 1924 lfllrrx.exe 2600 jjpjj.exe 1068 ddppv.exe 2336 ttnnnn.exe 1684 lxrlrrl.exe 1236 bnttnt.exe 3440 jdvdd.exe 5064 lfllfxr.exe 2828 xrfxrxr.exe 3048 jjddd.exe 3872 htbbhh.exe 4844 vpddd.exe 544 rxfxxxr.exe 1548 tnttnt.exe 1692 rxfrxlr.exe 2488 ntbtnn.exe 2532 ttbnht.exe 2996 pjpjd.exe 3324 dvppj.exe 2984 xrrlfrf.exe 4560 hntntn.exe 1688 jjjdv.exe 1700 fflrlll.exe 1728 rlrlfrr.exe 1720 thhbth.exe 388 jjjdj.exe -
resource yara_rule behavioral2/memory/4820-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c5f-3.dat upx behavioral2/memory/4820-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4840-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cc6-9.dat upx behavioral2/memory/1728-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-15.dat upx behavioral2/memory/5016-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-20.dat upx behavioral2/memory/3900-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-25.dat upx behavioral2/files/0x0007000000023cce-30.dat upx behavioral2/files/0x0007000000023ccf-34.dat upx behavioral2/memory/2268-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd0-40.dat upx behavioral2/files/0x0007000000023cd1-44.dat upx behavioral2/memory/5048-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd2-49.dat upx behavioral2/files/0x0007000000023cd5-64.dat upx behavioral2/memory/4916-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2872-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd6-70.dat upx behavioral2/memory/4928-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd4-60.dat upx behavioral2/memory/4884-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd3-55.dat upx behavioral2/memory/4212-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/532-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3836-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3076-26-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cd7-74.dat upx behavioral2/memory/2872-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3732-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd8-81.dat upx behavioral2/files/0x0007000000023cd9-86.dat upx behavioral2/memory/396-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cc7-89.dat upx behavioral2/files/0x0007000000023cda-94.dat upx behavioral2/memory/1076-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdd-102.dat upx behavioral2/memory/2344-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cde-108.dat upx behavioral2/files/0x0007000000023cdc-99.dat upx behavioral2/files/0x0007000000023ce0-118.dat upx behavioral2/files/0x0007000000023ce1-122.dat upx behavioral2/files/0x0007000000023ce2-128.dat upx behavioral2/files/0x0007000000023ce3-132.dat upx behavioral2/memory/2604-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3020-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5088-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4448-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdf-112.dat upx behavioral2/memory/4392-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce4-136.dat upx behavioral2/files/0x0007000000023ce5-140.dat upx behavioral2/memory/3692-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce6-145.dat upx behavioral2/memory/1792-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce7-150.dat upx behavioral2/files/0x0007000000023ce8-154.dat upx behavioral2/memory/2408-163-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4616-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4616-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5052-157-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddd.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4820 wrote to memory of 4840 4820 1b46ca2796918f9cc170c11a37edc6e1703031ea1fcc6f59c330173c5c17af2f.exe 83 PID 4820 wrote to memory of 4840 4820 1b46ca2796918f9cc170c11a37edc6e1703031ea1fcc6f59c330173c5c17af2f.exe 83 PID 4820 wrote to memory of 4840 4820 1b46ca2796918f9cc170c11a37edc6e1703031ea1fcc6f59c330173c5c17af2f.exe 83 PID 4840 wrote to memory of 5016 4840 lfllfff.exe 84 PID 4840 wrote to memory of 5016 4840 lfllfff.exe 84 PID 4840 wrote to memory of 5016 4840 lfllfff.exe 84 PID 5016 wrote to memory of 1728 5016 5jdvv.exe 85 PID 5016 wrote to memory of 1728 5016 5jdvv.exe 85 PID 5016 wrote to memory of 1728 5016 5jdvv.exe 85 PID 1728 wrote to memory of 3900 1728 xxxrllf.exe 86 PID 1728 wrote to memory of 3900 1728 xxxrllf.exe 86 PID 1728 wrote to memory of 3900 1728 xxxrllf.exe 86 PID 3900 wrote to memory of 3076 3900 fxlfxrl.exe 87 PID 3900 wrote to memory of 3076 3900 fxlfxrl.exe 87 PID 3900 wrote to memory of 3076 3900 fxlfxrl.exe 87 PID 3076 wrote to memory of 3836 3076 bhthbb.exe 88 PID 3076 wrote to memory of 3836 3076 bhthbb.exe 88 PID 3076 wrote to memory of 3836 3076 bhthbb.exe 88 PID 3836 wrote to memory of 2268 3836 dvddv.exe 89 PID 3836 wrote to memory of 2268 3836 dvddv.exe 89 PID 3836 wrote to memory of 2268 3836 dvddv.exe 89 PID 2268 wrote to memory of 532 2268 xlllrrl.exe 90 PID 2268 wrote to memory of 532 2268 xlllrrl.exe 90 PID 2268 wrote to memory of 532 2268 xlllrrl.exe 90 PID 532 wrote to memory of 5048 532 hbhbhb.exe 91 PID 532 wrote to memory of 5048 532 hbhbhb.exe 91 PID 532 wrote to memory of 5048 532 hbhbhb.exe 91 PID 5048 wrote to memory of 4212 5048 tbnbtt.exe 92 PID 5048 wrote to memory of 4212 5048 tbnbtt.exe 92 PID 5048 wrote to memory of 4212 5048 tbnbtt.exe 92 PID 4212 wrote to memory of 4884 4212 jvpjj.exe 93 PID 4212 wrote to memory of 4884 4212 jvpjj.exe 93 PID 4212 wrote to memory of 4884 4212 jvpjj.exe 93 PID 4884 wrote to memory of 4928 4884 5lrlflf.exe 94 PID 4884 wrote to memory 
of 4928 4884 5lrlflf.exe 94 PID 4884 wrote to memory of 4928 4884 5lrlflf.exe 94 PID 4928 wrote to memory of 4916 4928 nbbbbt.exe 95 PID 4928 wrote to memory of 4916 4928 nbbbbt.exe 95 PID 4928 wrote to memory of 4916 4928 nbbbbt.exe 95 PID 4916 wrote to memory of 2872 4916 tntnht.exe 96 PID 4916 wrote to memory of 2872 4916 tntnht.exe 96 PID 4916 wrote to memory of 2872 4916 tntnht.exe 96 PID 2872 wrote to memory of 3732 2872 vddvp.exe 97 PID 2872 wrote to memory of 3732 2872 vddvp.exe 97 PID 2872 wrote to memory of 3732 2872 vddvp.exe 97 PID 3732 wrote to memory of 396 3732 pppjp.exe 98 PID 3732 wrote to memory of 396 3732 pppjp.exe 98 PID 3732 wrote to memory of 396 3732 pppjp.exe 98 PID 396 wrote to memory of 1776 396 rrllllf.exe 99 PID 396 wrote to memory of 1776 396 rrllllf.exe 99 PID 396 wrote to memory of 1776 396 rrllllf.exe 99 PID 1776 wrote to memory of 3032 1776 jjdvj.exe 100 PID 1776 wrote to memory of 3032 1776 jjdvj.exe 100 PID 1776 wrote to memory of 3032 1776 jjdvj.exe 100 PID 3032 wrote to memory of 1076 3032 3hbbtb.exe 101 PID 3032 wrote to memory of 1076 3032 3hbbtb.exe 101 PID 3032 wrote to memory of 1076 3032 3hbbtb.exe 101 PID 1076 wrote to memory of 2344 1076 pdjjj.exe 102 PID 1076 wrote to memory of 2344 1076 pdjjj.exe 102 PID 1076 wrote to memory of 2344 1076 pdjjj.exe 102 PID 2344 wrote to memory of 1904 2344 frllfxr.exe 103 PID 2344 wrote to memory of 1904 2344 frllfxr.exe 103 PID 2344 wrote to memory of 1904 2344 frllfxr.exe 103 PID 1904 wrote to memory of 4448 1904 fffxxxx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b46ca2796918f9cc170c11a37edc6e1703031ea1fcc6f59c330173c5c17af2f.exe"C:\Users\Admin\AppData\Local\Temp\1b46ca2796918f9cc170c11a37edc6e1703031ea1fcc6f59c330173c5c17af2f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\lfllfff.exec:\lfllfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\5jdvv.exec:\5jdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\xxxrllf.exec:\xxxrllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\fxlfxrl.exec:\fxlfxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\bhthbb.exec:\bhthbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\dvddv.exec:\dvddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\xlllrrl.exec:\xlllrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\hbhbhb.exec:\hbhbhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\tbnbtt.exec:\tbnbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\jvpjj.exec:\jvpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\5lrlflf.exec:\5lrlflf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\nbbbbt.exec:\nbbbbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\tntnht.exec:\tntnht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\vddvp.exec:\vddvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\pppjp.exec:\pppjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\rrllllf.exec:\rrllllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\jjdvj.exec:\jjdvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\3hbbtb.exec:\3hbbtb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\pdjjj.exec:\pdjjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\frllfxr.exec:\frllfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\fffxxxx.exec:\fffxxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\bhhtbb.exec:\bhhtbb.exe23⤵
- Executes dropped EXE
PID:4448 -
\??\c:\jjddv.exec:\jjddv.exe24⤵
- Executes dropped EXE
PID:4392 -
\??\c:\fxlllrx.exec:\fxlllrx.exe25⤵
- Executes dropped EXE
PID:5088 -
\??\c:\nbhhnh.exec:\nbhhnh.exe26⤵
- Executes dropped EXE
PID:3020 -
\??\c:\pjjpj.exec:\pjjpj.exe27⤵
- Executes dropped EXE
PID:1220 -
\??\c:\pjdvv.exec:\pjdvv.exe28⤵
- Executes dropped EXE
PID:2604 -
\??\c:\xfrrrrr.exec:\xfrrrrr.exe29⤵
- Executes dropped EXE
PID:3692 -
\??\c:\pdpjj.exec:\pdpjj.exe30⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ffllffx.exec:\ffllffx.exe31⤵
- Executes dropped EXE
PID:1104 -
\??\c:\nntnnn.exec:\nntnnn.exe32⤵
- Executes dropped EXE
PID:3484 -
\??\c:\ttbtbb.exec:\ttbtbb.exe33⤵
- Executes dropped EXE
PID:5052 -
\??\c:\1pppj.exec:\1pppj.exe34⤵
- Executes dropped EXE
PID:4616 -
\??\c:\vvddv.exec:\vvddv.exe35⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lffxrrr.exec:\lffxrrr.exe36⤵
- Executes dropped EXE
PID:1376 -
\??\c:\rffxxxr.exec:\rffxxxr.exe37⤵
- Executes dropped EXE
PID:2748 -
\??\c:\3bttnn.exec:\3bttnn.exe38⤵
- Executes dropped EXE
PID:2168 -
\??\c:\frxxrxr.exec:\frxxrxr.exe39⤵
- Executes dropped EXE
PID:1712 -
\??\c:\lfllrrx.exec:\lfllrrx.exe40⤵
- Executes dropped EXE
PID:1924 -
\??\c:\jjpjj.exec:\jjpjj.exe41⤵
- Executes dropped EXE
PID:2600 -
\??\c:\ddppv.exec:\ddppv.exe42⤵
- Executes dropped EXE
PID:1068 -
\??\c:\ttnnnn.exec:\ttnnnn.exe43⤵
- Executes dropped EXE
PID:2336 -
\??\c:\lxrlrrl.exec:\lxrlrrl.exe44⤵
- Executes dropped EXE
PID:1684 -
\??\c:\bnttnt.exec:\bnttnt.exe45⤵
- Executes dropped EXE
PID:1236 -
\??\c:\jdvdd.exec:\jdvdd.exe46⤵
- Executes dropped EXE
PID:3440 -
\??\c:\lfllfxr.exec:\lfllfxr.exe47⤵
- Executes dropped EXE
PID:5064 -
\??\c:\xrfxrxr.exec:\xrfxrxr.exe48⤵
- Executes dropped EXE
PID:2828 -
\??\c:\jjddd.exec:\jjddd.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3048 -
\??\c:\htbbhh.exec:\htbbhh.exe50⤵
- Executes dropped EXE
PID:3872 -
\??\c:\vpddd.exec:\vpddd.exe51⤵
- Executes dropped EXE
PID:4844 -
\??\c:\rxfxxxr.exec:\rxfxxxr.exe52⤵
- Executes dropped EXE
PID:544 -
\??\c:\tnttnt.exec:\tnttnt.exe53⤵
- Executes dropped EXE
PID:1548 -
\??\c:\rxfrxlr.exec:\rxfrxlr.exe54⤵
- Executes dropped EXE
PID:1692 -
\??\c:\ntbtnn.exec:\ntbtnn.exe55⤵
- Executes dropped EXE
PID:2488 -
\??\c:\ttbnht.exec:\ttbnht.exe56⤵
- Executes dropped EXE
PID:2532 -
\??\c:\pjpjd.exec:\pjpjd.exe57⤵
- Executes dropped EXE
PID:2996 -
\??\c:\dvppj.exec:\dvppj.exe58⤵
- Executes dropped EXE
PID:3324 -
\??\c:\xrrlfrf.exec:\xrrlfrf.exe59⤵
- Executes dropped EXE
PID:2984 -
\??\c:\hntntn.exec:\hntntn.exe60⤵
- Executes dropped EXE
PID:4560 -
\??\c:\jjjdv.exec:\jjjdv.exe61⤵
- Executes dropped EXE
PID:1688 -
\??\c:\fflrlll.exec:\fflrlll.exe62⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rlrlfrr.exec:\rlrlfrr.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
\??\c:\thhbth.exec:\thhbth.exe64⤵
- Executes dropped EXE
PID:1720 -
\??\c:\jjjdj.exec:\jjjdj.exe65⤵
- Executes dropped EXE
PID:388 -
\??\c:\jjvpj.exec:\jjvpj.exe66⤵PID:4024
-
\??\c:\fflfxxr.exec:\fflfxxr.exe67⤵PID:1228
-
\??\c:\3tnbbn.exec:\3tnbbn.exe68⤵PID:4768
-
\??\c:\tbhtnn.exec:\tbhtnn.exe69⤵PID:540
-
\??\c:\pdpjd.exec:\pdpjd.exe70⤵PID:220
-
\??\c:\fxfxflf.exec:\fxfxflf.exe71⤵PID:3952
-
\??\c:\xlrrlfx.exec:\xlrrlfx.exe72⤵PID:1508
-
\??\c:\hhhbtt.exec:\hhhbtt.exe73⤵PID:3036
-
\??\c:\pvpvj.exec:\pvpvj.exe74⤵PID:2232
-
\??\c:\jdvpv.exec:\jdvpv.exe75⤵PID:1004
-
\??\c:\lflfffr.exec:\lflfffr.exe76⤵PID:3972
-
\??\c:\tttttt.exec:\tttttt.exe77⤵PID:4568
-
\??\c:\bhhnht.exec:\bhhnht.exe78⤵PID:3908
-
\??\c:\jdjjd.exec:\jdjjd.exe79⤵PID:2368
-
\??\c:\frxrllf.exec:\frxrllf.exe80⤵PID:2872
-
\??\c:\xxxxxxr.exec:\xxxxxxr.exe81⤵PID:3732
-
\??\c:\hbbbtn.exec:\hbbbtn.exe82⤵PID:1436
-
\??\c:\jvdvv.exec:\jvdvv.exe83⤵PID:5116
-
\??\c:\pvjdv.exec:\pvjdv.exe84⤵PID:3784
-
\??\c:\rlfllfx.exec:\rlfllfx.exe85⤵
- System Location Discovery: System Language Discovery
PID:3768 -
\??\c:\1xlfllf.exec:\1xlfllf.exe86⤵PID:4864
-
\??\c:\hhnnhb.exec:\hhnnhb.exe87⤵PID:3332
-
\??\c:\3vpjj.exec:\3vpjj.exe88⤵PID:2476
-
\??\c:\fxflffl.exec:\fxflffl.exe89⤵PID:2820
-
\??\c:\btnhhn.exec:\btnhhn.exe90⤵PID:1536
-
\??\c:\vvppj.exec:\vvppj.exe91⤵PID:4996
-
\??\c:\jppjd.exec:\jppjd.exe92⤵PID:3432
-
\??\c:\rllxrxl.exec:\rllxrxl.exe93⤵PID:2184
-
\??\c:\hbtnhn.exec:\hbtnhn.exe94⤵PID:1348
-
\??\c:\nbnhhn.exec:\nbnhhn.exe95⤵PID:2308
-
\??\c:\jjvjv.exec:\jjvjv.exe96⤵PID:2104
-
\??\c:\rrrllll.exec:\rrrllll.exe97⤵PID:2156
-
\??\c:\rrllrrr.exec:\rrllrrr.exe98⤵PID:4876
-
\??\c:\nbnntt.exec:\nbnntt.exe99⤵PID:2480
-
\??\c:\dpvvv.exec:\dpvvv.exe100⤵PID:3596
-
\??\c:\9pvvd.exec:\9pvvd.exe101⤵PID:4132
-
\??\c:\xlrrlfx.exec:\xlrrlfx.exe102⤵PID:4352
-
\??\c:\llllflf.exec:\llllflf.exe103⤵PID:2044
-
\??\c:\nntnnh.exec:\nntnnh.exe104⤵PID:4332
-
\??\c:\jdjpj.exec:\jdjpj.exe105⤵PID:3932
-
\??\c:\xrrfrlx.exec:\xrrfrlx.exe106⤵PID:2408
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe107⤵PID:4828
-
\??\c:\1nnnnn.exec:\1nnnnn.exe108⤵PID:1844
-
\??\c:\jjpjj.exec:\jjpjj.exe109⤵PID:3668
-
\??\c:\fxlfffl.exec:\fxlfffl.exe110⤵PID:4388
-
\??\c:\btbttt.exec:\btbttt.exe111⤵PID:1712
-
\??\c:\hbnhnn.exec:\hbnhnn.exe112⤵PID:1628
-
\??\c:\jddvv.exec:\jddvv.exe113⤵PID:2712
-
\??\c:\llrlfxx.exec:\llrlfxx.exe114⤵PID:1460
-
\??\c:\ffxxllx.exec:\ffxxllx.exe115⤵PID:1976
-
\??\c:\hnbbtt.exec:\hnbbtt.exe116⤵PID:3188
-
\??\c:\jjpjj.exec:\jjpjj.exe117⤵PID:3852
-
\??\c:\vpjpv.exec:\vpjpv.exe118⤵PID:1016
-
\??\c:\lrfxffr.exec:\lrfxffr.exe119⤵PID:2340
-
\??\c:\ttnhnn.exec:\ttnhnn.exe120⤵PID:1064
-
\??\c:\jdjdv.exec:\jdjdv.exe121⤵PID:3000
-
\??\c:\dvjjd.exec:\dvjjd.exe122⤵PID:4532