Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe
-
Size
454KB
-
MD5
330d9748e78e07f66858e55df4cf5c10
-
SHA1
494cac1e46e2e253f174ce89b28deabfd8712719
-
SHA256
156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7c
-
SHA512
e03fdf218aaeb075ad1de0f24b6d2eb5ade58bb94ac42d1d013c8b138ab70d9f059f965288ee6ca1fc30ade5d27fab875ac422b1bb35690f233d0bf09601ff2b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ4:q7Tc2NYHUrAwfMp3CDJ4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2876-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/736-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1012-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-1145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1752 rlrlfrr.exe 1612 3bnhbb.exe 4828 tbhbnh.exe 3848 djjvj.exe 3612 5pvvd.exe 4632 pddvj.exe 4600 bhntth.exe 4636 nhhnhh.exe 1892 1vpjd.exe 3880 lfrflff.exe 1528 httnhb.exe 3668 3vpdv.exe 4340 tnnnhh.exe 1492 pjdjv.exe 1028 dvjdp.exe 3472 jjdjd.exe 2212 rffxllr.exe 4176 9tnhbb.exe 4032 pddvp.exe 372 rllxrfx.exe 4020 7hhbnh.exe 3092 djppj.exe 3336 fxfxxrl.exe 4888 jpvvp.exe 736 5nthtn.exe 3992 rfflfxx.exe 1692 nttbht.exe 4624 vjdvp.exe 1104 rxfrxlf.exe 2944 3xrfxrx.exe 4264 pdpdd.exe 1532 1djdj.exe 224 5rlfxff.exe 2848 1bhbtt.exe 3432 pjpdd.exe 2880 xlllfrl.exe 2220 tnbttn.exe 4132 jppjv.exe 4052 lflfxfl.exe 4076 ffrxlrx.exe 3864 nhtnhh.exe 1640 rlfxrrx.exe 2916 btbbbb.exe 4924 vpdpp.exe 2712 flxffff.exe 4900 thnhbb.exe 3892 jpdjd.exe 4296 5djjp.exe 4300 1tttnt.exe 2876 jvppp.exe 380 fxlxlll.exe 1256 xxxxffl.exe 3592 5tbbbh.exe 4864 5dppd.exe 4752 7pppj.exe 1764 rfxlxfr.exe 4820 htnntt.exe 3612 5nnhhh.exe 4908 jvppv.exe 4632 frfxffl.exe 2268 hbhbtn.exe 3808 vvjdd.exe 716 frrrrrr.exe 2888 3ffxxxf.exe -
resource yara_rule behavioral2/memory/2876-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4624-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-385-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/64-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-593-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 1752 2876 156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe 83 PID 2876 wrote to memory of 1752 2876 156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe 83 PID 2876 wrote to memory of 1752 2876 156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe 83 PID 1752 wrote to memory of 1612 1752 rlrlfrr.exe 84 PID 1752 wrote to memory of 1612 1752 rlrlfrr.exe 84 PID 1752 wrote to memory of 1612 1752 rlrlfrr.exe 84 PID 1612 wrote to memory of 4828 1612 3bnhbb.exe 85 PID 1612 wrote to memory of 4828 1612 3bnhbb.exe 85 PID 1612 wrote to memory of 4828 1612 3bnhbb.exe 85 PID 4828 wrote to memory of 3848 4828 tbhbnh.exe 86 PID 4828 wrote to memory of 3848 4828 tbhbnh.exe 86 PID 4828 wrote to memory of 3848 4828 tbhbnh.exe 86 PID 3848 wrote to memory of 3612 3848 djjvj.exe 87 PID 3848 wrote to memory of 3612 3848 djjvj.exe 87 PID 3848 wrote to memory of 3612 3848 djjvj.exe 87 PID 3612 wrote to memory of 4632 3612 5pvvd.exe 88 PID 3612 wrote to memory of 4632 3612 5pvvd.exe 88 PID 3612 wrote to memory of 4632 3612 5pvvd.exe 88 PID 4632 wrote to memory of 4600 4632 pddvj.exe 89 PID 4632 wrote to memory of 4600 4632 pddvj.exe 89 PID 4632 wrote to memory of 4600 4632 pddvj.exe 89 PID 4600 wrote to memory of 4636 4600 bhntth.exe 90 PID 4600 wrote to memory of 4636 4600 bhntth.exe 90 PID 4600 wrote to memory of 4636 4600 bhntth.exe 90 PID 4636 wrote to memory of 1892 4636 nhhnhh.exe 91 PID 4636 wrote to memory of 1892 4636 nhhnhh.exe 91 PID 4636 wrote to memory of 1892 4636 nhhnhh.exe 91 PID 1892 wrote to memory of 3880 1892 1vpjd.exe 92 PID 1892 wrote to memory of 3880 1892 1vpjd.exe 92 PID 1892 wrote to memory of 3880 1892 1vpjd.exe 92 PID 3880 wrote to memory of 1528 3880 lfrflff.exe 93 PID 3880 wrote to memory of 1528 3880 lfrflff.exe 93 PID 3880 wrote to memory of 1528 3880 lfrflff.exe 93 PID 1528 wrote to memory of 3668 1528 httnhb.exe 94 PID 1528 wrote to 
memory of 3668 1528 httnhb.exe 94 PID 1528 wrote to memory of 3668 1528 httnhb.exe 94 PID 3668 wrote to memory of 4340 3668 3vpdv.exe 95 PID 3668 wrote to memory of 4340 3668 3vpdv.exe 95 PID 3668 wrote to memory of 4340 3668 3vpdv.exe 95 PID 4340 wrote to memory of 1492 4340 tnnnhh.exe 96 PID 4340 wrote to memory of 1492 4340 tnnnhh.exe 96 PID 4340 wrote to memory of 1492 4340 tnnnhh.exe 96 PID 1492 wrote to memory of 1028 1492 pjdjv.exe 97 PID 1492 wrote to memory of 1028 1492 pjdjv.exe 97 PID 1492 wrote to memory of 1028 1492 pjdjv.exe 97 PID 1028 wrote to memory of 3472 1028 dvjdp.exe 98 PID 1028 wrote to memory of 3472 1028 dvjdp.exe 98 PID 1028 wrote to memory of 3472 1028 dvjdp.exe 98 PID 3472 wrote to memory of 2212 3472 jjdjd.exe 99 PID 3472 wrote to memory of 2212 3472 jjdjd.exe 99 PID 3472 wrote to memory of 2212 3472 jjdjd.exe 99 PID 2212 wrote to memory of 4176 2212 rffxllr.exe 100 PID 2212 wrote to memory of 4176 2212 rffxllr.exe 100 PID 2212 wrote to memory of 4176 2212 rffxllr.exe 100 PID 4176 wrote to memory of 4032 4176 9tnhbb.exe 101 PID 4176 wrote to memory of 4032 4176 9tnhbb.exe 101 PID 4176 wrote to memory of 4032 4176 9tnhbb.exe 101 PID 4032 wrote to memory of 372 4032 pddvp.exe 102 PID 4032 wrote to memory of 372 4032 pddvp.exe 102 PID 4032 wrote to memory of 372 4032 pddvp.exe 102 PID 372 wrote to memory of 4020 372 rllxrfx.exe 103 PID 372 wrote to memory of 4020 372 rllxrfx.exe 103 PID 372 wrote to memory of 4020 372 rllxrfx.exe 103 PID 4020 wrote to memory of 3092 4020 7hhbnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe"C:\Users\Admin\AppData\Local\Temp\156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\rlrlfrr.exec:\rlrlfrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\3bnhbb.exec:\3bnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\tbhbnh.exec:\tbhbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\djjvj.exec:\djjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\5pvvd.exec:\5pvvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\pddvj.exec:\pddvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\bhntth.exec:\bhntth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\nhhnhh.exec:\nhhnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\1vpjd.exec:\1vpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\lfrflff.exec:\lfrflff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\httnhb.exec:\httnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\3vpdv.exec:\3vpdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\tnnnhh.exec:\tnnnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\pjdjv.exec:\pjdjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\dvjdp.exec:\dvjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\jjdjd.exec:\jjdjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\rffxllr.exec:\rffxllr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\9tnhbb.exec:\9tnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\pddvp.exec:\pddvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\rllxrfx.exec:\rllxrfx.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\7hhbnh.exec:\7hhbnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\djppj.exec:\djppj.exe23⤵
- Executes dropped EXE
PID:3092 -
\??\c:\fxfxxrl.exec:\fxfxxrl.exe24⤵
- Executes dropped EXE
PID:3336 -
\??\c:\jpvvp.exec:\jpvvp.exe25⤵
- Executes dropped EXE
PID:4888 -
\??\c:\5nthtn.exec:\5nthtn.exe26⤵
- Executes dropped EXE
PID:736 -
\??\c:\rfflfxx.exec:\rfflfxx.exe27⤵
- Executes dropped EXE
PID:3992 -
\??\c:\nttbht.exec:\nttbht.exe28⤵
- Executes dropped EXE
PID:1692 -
\??\c:\vjdvp.exec:\vjdvp.exe29⤵
- Executes dropped EXE
PID:4624 -
\??\c:\rxfrxlf.exec:\rxfrxlf.exe30⤵
- Executes dropped EXE
PID:1104 -
\??\c:\3xrfxrx.exec:\3xrfxrx.exe31⤵
- Executes dropped EXE
PID:2944 -
\??\c:\pdpdd.exec:\pdpdd.exe32⤵
- Executes dropped EXE
PID:4264 -
\??\c:\1djdj.exec:\1djdj.exe33⤵
- Executes dropped EXE
PID:1532 -
\??\c:\5rlfxff.exec:\5rlfxff.exe34⤵
- Executes dropped EXE
PID:224 -
\??\c:\1bhbtt.exec:\1bhbtt.exe35⤵
- Executes dropped EXE
PID:2848 -
\??\c:\pjpdd.exec:\pjpdd.exe36⤵
- Executes dropped EXE
PID:3432 -
\??\c:\xlllfrl.exec:\xlllfrl.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\tnbttn.exec:\tnbttn.exe38⤵
- Executes dropped EXE
PID:2220 -
\??\c:\jppjv.exec:\jppjv.exe39⤵
- Executes dropped EXE
PID:4132 -
\??\c:\lflfxfl.exec:\lflfxfl.exe40⤵
- Executes dropped EXE
PID:4052 -
\??\c:\ffrxlrx.exec:\ffrxlrx.exe41⤵
- Executes dropped EXE
PID:4076 -
\??\c:\nhtnhh.exec:\nhtnhh.exe42⤵
- Executes dropped EXE
PID:3864 -
\??\c:\rlfxrrx.exec:\rlfxrrx.exe43⤵
- Executes dropped EXE
PID:1640 -
\??\c:\btbbbb.exec:\btbbbb.exe44⤵
- Executes dropped EXE
PID:2916 -
\??\c:\vpdpp.exec:\vpdpp.exe45⤵
- Executes dropped EXE
PID:4924 -
\??\c:\flxffff.exec:\flxffff.exe46⤵
- Executes dropped EXE
PID:2712 -
\??\c:\thnhbb.exec:\thnhbb.exe47⤵
- Executes dropped EXE
PID:4900 -
\??\c:\jpdjd.exec:\jpdjd.exe48⤵
- Executes dropped EXE
PID:3892 -
\??\c:\5djjp.exec:\5djjp.exe49⤵
- Executes dropped EXE
PID:4296 -
\??\c:\1tttnt.exec:\1tttnt.exe50⤵
- Executes dropped EXE
PID:4300 -
\??\c:\jvppp.exec:\jvppp.exe51⤵
- Executes dropped EXE
PID:2876 -
\??\c:\fxlxlll.exec:\fxlxlll.exe52⤵
- Executes dropped EXE
PID:380 -
\??\c:\xxxxffl.exec:\xxxxffl.exe53⤵
- Executes dropped EXE
PID:1256 -
\??\c:\5tbbbh.exec:\5tbbbh.exe54⤵
- Executes dropped EXE
PID:3592 -
\??\c:\5dppd.exec:\5dppd.exe55⤵
- Executes dropped EXE
PID:4864 -
\??\c:\7pppj.exec:\7pppj.exe56⤵
- Executes dropped EXE
PID:4752 -
\??\c:\rfxlxfr.exec:\rfxlxfr.exe57⤵
- Executes dropped EXE
PID:1764 -
\??\c:\htnntt.exec:\htnntt.exe58⤵
- Executes dropped EXE
PID:4820 -
\??\c:\5nnhhh.exec:\5nnhhh.exe59⤵
- Executes dropped EXE
PID:3612 -
\??\c:\jvppv.exec:\jvppv.exe60⤵
- Executes dropped EXE
PID:4908 -
\??\c:\frfxffl.exec:\frfxffl.exe61⤵
- Executes dropped EXE
PID:4632 -
\??\c:\hbhbtn.exec:\hbhbtn.exe62⤵
- Executes dropped EXE
PID:2268 -
\??\c:\vvjdd.exec:\vvjdd.exe63⤵
- Executes dropped EXE
PID:3808 -
\??\c:\frrrrrr.exec:\frrrrrr.exe64⤵
- Executes dropped EXE
PID:716 -
\??\c:\3ffxxxf.exec:\3ffxxxf.exe65⤵
- Executes dropped EXE
PID:2888 -
\??\c:\ttbnnn.exec:\ttbnnn.exe66⤵PID:2520
-
\??\c:\jdppp.exec:\jdppp.exe67⤵PID:1620
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe68⤵PID:4808
-
\??\c:\9nnnhh.exec:\9nnnhh.exe69⤵PID:952
-
\??\c:\jpvvp.exec:\jpvvp.exe70⤵PID:640
-
\??\c:\xrffrrr.exec:\xrffrrr.exe71⤵PID:1492
-
\??\c:\hnhhhh.exec:\hnhhhh.exe72⤵PID:3500
-
\??\c:\dvdpp.exec:\dvdpp.exe73⤵PID:5100
-
\??\c:\9fflxxx.exec:\9fflxxx.exe74⤵PID:4708
-
\??\c:\rfffxxl.exec:\rfffxxl.exe75⤵PID:2964
-
\??\c:\7hhhbb.exec:\7hhhbb.exe76⤵PID:3524
-
\??\c:\bbtntt.exec:\bbtntt.exe77⤵PID:1012
-
\??\c:\jjjjp.exec:\jjjjp.exe78⤵PID:372
-
\??\c:\xxrrflr.exec:\xxrrflr.exe79⤵PID:4256
-
\??\c:\nhhbtt.exec:\nhhbtt.exe80⤵PID:3004
-
\??\c:\ppppj.exec:\ppppj.exe81⤵PID:3232
-
\??\c:\ddvpj.exec:\ddvpj.exe82⤵PID:3844
-
\??\c:\xxlfxff.exec:\xxlfxff.exe83⤵PID:3336
-
\??\c:\thnhhh.exec:\thnhhh.exe84⤵PID:2936
-
\??\c:\vpjjp.exec:\vpjjp.exe85⤵PID:3584
-
\??\c:\ffffffx.exec:\ffffffx.exe86⤵PID:1368
-
\??\c:\7ttnnn.exec:\7ttnnn.exe87⤵PID:2476
-
\??\c:\ttnhnt.exec:\ttnhnt.exe88⤵PID:4412
-
\??\c:\vvvpp.exec:\vvvpp.exe89⤵PID:4108
-
\??\c:\fffxrrr.exec:\fffxrrr.exe90⤵PID:988
-
\??\c:\htnnbt.exec:\htnnbt.exe91⤵PID:2316
-
\??\c:\jvjdv.exec:\jvjdv.exe92⤵PID:4196
-
\??\c:\1rrlfxx.exec:\1rrlfxx.exe93⤵PID:64
-
\??\c:\lrrlrrl.exec:\lrrlrrl.exe94⤵PID:780
-
\??\c:\hhhbtt.exec:\hhhbtt.exe95⤵PID:3448
-
\??\c:\jdpdd.exec:\jdpdd.exe96⤵PID:224
-
\??\c:\rfxrrrr.exec:\rfxrrrr.exe97⤵PID:1588
-
\??\c:\5bhhbb.exec:\5bhhbb.exe98⤵PID:1204
-
\??\c:\pjvpj.exec:\pjvpj.exe99⤵PID:5096
-
\??\c:\pdpjd.exec:\pdpjd.exe100⤵PID:2220
-
\??\c:\7lrrllf.exec:\7lrrllf.exe101⤵PID:3964
-
\??\c:\bnbbbb.exec:\bnbbbb.exe102⤵PID:4832
-
\??\c:\9jvjd.exec:\9jvjd.exe103⤵PID:2036
-
\??\c:\xxlfxxx.exec:\xxlfxxx.exe104⤵PID:2052
-
\??\c:\nthbbb.exec:\nthbbb.exe105⤵PID:3148
-
\??\c:\5tnnhn.exec:\5tnnhn.exe106⤵PID:3684
-
\??\c:\pjpjd.exec:\pjpjd.exe107⤵PID:1536
-
\??\c:\1lxrrxf.exec:\1lxrrxf.exe108⤵PID:5092
-
\??\c:\hnttbb.exec:\hnttbb.exe109⤵PID:984
-
\??\c:\tnttnn.exec:\tnttnn.exe110⤵PID:3892
-
\??\c:\vpvdd.exec:\vpvdd.exe111⤵PID:4296
-
\??\c:\1rrxlrr.exec:\1rrxlrr.exe112⤵PID:4300
-
\??\c:\9hhbtt.exec:\9hhbtt.exe113⤵PID:2876
-
\??\c:\dvdvv.exec:\dvdvv.exe114⤵PID:2604
-
\??\c:\jddpp.exec:\jddpp.exe115⤵PID:1256
-
\??\c:\lfrlffl.exec:\lfrlffl.exe116⤵PID:4824
-
\??\c:\bbnnbb.exec:\bbnnbb.exe117⤵PID:4864
-
\??\c:\vdjvj.exec:\vdjvj.exe118⤵PID:2844
-
\??\c:\xxffxxr.exec:\xxffxxr.exe119⤵PID:4356
-
\??\c:\5xfllrl.exec:\5xfllrl.exe120⤵PID:1796
-
\??\c:\tnnhhb.exec:\tnnhhb.exe121⤵PID:2840
-
\??\c:\pdjjd.exec:\pdjjd.exe122⤵PID:2968
-