Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/01/2025, 07:12 (as displayed by the sandbox; day/month order is not stated on the page, so treat the date as ambiguous when correlating with other telemetry)
Static task
static1
1 signature
Behavioral task
behavioral1 (Windows 7 image). Note that every memory-dump IoC in the Signatures section below is tagged behavioral2 — apparently the Windows 10 2004 x64 run named in the Analysis header — so this page does not reproduce the behavioral1 run's own signature hits.
Sample
1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe
-
Size
454KB
-
MD5
3ac79e2af248cf49b6c11e25f7c1dbd3
-
SHA1
94d4b8fa5be6deee40987970cba0f3f4bed18180
-
SHA256
1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06
-
SHA512
95f2b7efe0eba2d28129d9e294ce3e9856e055ad42e9a8ee5b6a659af79dab8a06087427ec5d405415dfa4cc975241a2df22a0f97ff88e8e8dfacf60b4839f0e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family (classification supported on this page only by the family_blackmoon YARA rule matching the in-memory image of each dropped process; see the IoC list below)
-
Detect Blackmoon payload — 64 IoCs (the list appears capped at 64 while the process chain below runs to depth 122). Every hit is the family_blackmoon YARA rule matching the same mapped image region, 0x400000–0x42A000, in a different process — i.e. the same unpacked payload is carried by each dropped executable in the chain.
resource yara_rule behavioral2/memory/3204-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/224-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5000-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5092-1044-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (listed entries only; the process tree below continues well past 64). Each dropped binary is written to the root of C:\ under a short random-looking consonant-string name and is launched by the previous link in the chain. Several PIDs recur in this list (e.g. 2212, 1544, 2540, 2856, 1332), so earlier processes have exited and Windows has recycled their PIDs — correlate on PID plus process start time, never on PID alone.
pid Process 4524 xrrlffx.exe 2308 nntnnn.exe 2212 dppjd.exe 2488 rfxrrfx.exe 636 hbhbnh.exe 2984 bbhhnn.exe 4176 fxfflrr.exe 2364 jdppp.exe 2856 7fflrxf.exe 1544 7lxxfll.exe 1604 bhntbb.exe 2540 jjjdd.exe 4352 9pjjj.exe 3048 ffffllx.exe 1332 nbnntt.exe 1296 hthhtb.exe 1196 vvdpp.exe 2428 rflrrfx.exe 3452 rlrrxfx.exe 4944 ntnnbn.exe 224 tnhhhn.exe 4820 nbhhnt.exe 5072 vvjjp.exe 2236 bbhntb.exe 620 btnnnn.exe 5004 pvdvp.exe 1284 frffrfr.exe 3380 hhbthn.exe 1236 pvjvv.exe 3240 bnhbbn.exe 3332 ffffllr.exe 4608 nnhbtt.exe 4140 nttbtb.exe 1056 flxrxfr.exe 2424 1lrllll.exe 3808 rffxxff.exe 4320 ddvpj.exe 3784 ddpdd.exe 4288 xrlllxx.exe 768 7tbbbh.exe 4636 jvjjj.exe 4332 rrlxxll.exe 3604 9bbbbh.exe 4148 9pdvv.exe 3592 jjvjp.exe 2324 nhhhnn.exe 2728 hbtttb.exe 2212 vpvdp.exe 4512 frrrlrx.exe 4740 rlrrffl.exe 4036 hhtnnb.exe 1472 jjppv.exe 4780 rlxfffl.exe 4612 tbbhnt.exe 5080 hbhhhn.exe 2648 ppddj.exe 2492 fxffxxx.exe 3112 nbhntt.exe 1544 5tbnnn.exe 3088 ppvpj.exe 2332 xxlfrlx.exe 2540 hbtthh.exe 4580 vpppp.exe 3624 llxxrxx.exe -
YARA rule `upx` (presumably the UPX packer signature; this block carries no title in the original report) — 64 IoCs. The matched regions are the same 0x400000–0x42A000 image ranges that matched family_blackmoon, consistent with a UPX-packed sample whose unpacked image is what the memory rules detect.
resource yara_rule behavioral2/memory/3204-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-133-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4820-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4660-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-743-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the victim host's system language in order to infer its geographical location. Every IoC below is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Benign runtimes commonly open this key during locale initialisation, so on its own it is weak evidence; here it mainly corroborates that the dropped processes share the same code. Entries attributed to "Process not Found" most likely belong to processes that had already exited by the time the sandbox resolved the PID to an image name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. The chain is strictly linear: each process writes into the memory of exactly one child (the next dropped EXE), three writes per child, starting with the submitted sample (PID 3204) writing into xrrlffx.exe (PID 4524). A parent writing into a freshly created child's memory is the typical precursor to process injection or hollowing; confirm by comparing the child's mapped image region against its on-disk file.
description pid Process procid_target PID 3204 wrote to memory of 4524 3204 1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe 82 PID 3204 wrote to memory of 4524 3204 1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe 82 PID 3204 wrote to memory of 4524 3204 1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe 82 PID 4524 wrote to memory of 2308 4524 xrrlffx.exe 83 PID 4524 wrote to memory of 2308 4524 xrrlffx.exe 83 PID 4524 wrote to memory of 2308 4524 xrrlffx.exe 83 PID 2308 wrote to memory of 2212 2308 nntnnn.exe 84 PID 2308 wrote to memory of 2212 2308 nntnnn.exe 84 PID 2308 wrote to memory of 2212 2308 nntnnn.exe 84 PID 2212 wrote to memory of 2488 2212 dppjd.exe 85 PID 2212 wrote to memory of 2488 2212 dppjd.exe 85 PID 2212 wrote to memory of 2488 2212 dppjd.exe 85 PID 2488 wrote to memory of 636 2488 rfxrrfx.exe 86 PID 2488 wrote to memory of 636 2488 rfxrrfx.exe 86 PID 2488 wrote to memory of 636 2488 rfxrrfx.exe 86 PID 636 wrote to memory of 2984 636 hbhbnh.exe 87 PID 636 wrote to memory of 2984 636 hbhbnh.exe 87 PID 636 wrote to memory of 2984 636 hbhbnh.exe 87 PID 2984 wrote to memory of 4176 2984 bbhhnn.exe 88 PID 2984 wrote to memory of 4176 2984 bbhhnn.exe 88 PID 2984 wrote to memory of 4176 2984 bbhhnn.exe 88 PID 4176 wrote to memory of 2364 4176 fxfflrr.exe 89 PID 4176 wrote to memory of 2364 4176 fxfflrr.exe 89 PID 4176 wrote to memory of 2364 4176 fxfflrr.exe 89 PID 2364 wrote to memory of 2856 2364 jdppp.exe 90 PID 2364 wrote to memory of 2856 2364 jdppp.exe 90 PID 2364 wrote to memory of 2856 2364 jdppp.exe 90 PID 2856 wrote to memory of 1544 2856 7fflrxf.exe 91 PID 2856 wrote to memory of 1544 2856 7fflrxf.exe 91 PID 2856 wrote to memory of 1544 2856 7fflrxf.exe 91 PID 1544 wrote to memory of 1604 1544 7lxxfll.exe 92 PID 1544 wrote to memory of 1604 1544 7lxxfll.exe 92 PID 1544 wrote to memory of 1604 1544 7lxxfll.exe 92 PID 1604 wrote to memory of 2540 1604 bhntbb.exe 93 PID 1604 wrote to 
memory of 2540 1604 bhntbb.exe 93 PID 1604 wrote to memory of 2540 1604 bhntbb.exe 93 PID 2540 wrote to memory of 4352 2540 jjjdd.exe 94 PID 2540 wrote to memory of 4352 2540 jjjdd.exe 94 PID 2540 wrote to memory of 4352 2540 jjjdd.exe 94 PID 4352 wrote to memory of 3048 4352 9pjjj.exe 95 PID 4352 wrote to memory of 3048 4352 9pjjj.exe 95 PID 4352 wrote to memory of 3048 4352 9pjjj.exe 95 PID 3048 wrote to memory of 1332 3048 ffffllx.exe 96 PID 3048 wrote to memory of 1332 3048 ffffllx.exe 96 PID 3048 wrote to memory of 1332 3048 ffffllx.exe 96 PID 1332 wrote to memory of 1296 1332 nbnntt.exe 97 PID 1332 wrote to memory of 1296 1332 nbnntt.exe 97 PID 1332 wrote to memory of 1296 1332 nbnntt.exe 97 PID 1296 wrote to memory of 1196 1296 hthhtb.exe 98 PID 1296 wrote to memory of 1196 1296 hthhtb.exe 98 PID 1296 wrote to memory of 1196 1296 hthhtb.exe 98 PID 1196 wrote to memory of 2428 1196 vvdpp.exe 99 PID 1196 wrote to memory of 2428 1196 vvdpp.exe 99 PID 1196 wrote to memory of 2428 1196 vvdpp.exe 99 PID 2428 wrote to memory of 3452 2428 rflrrfx.exe 100 PID 2428 wrote to memory of 3452 2428 rflrrfx.exe 100 PID 2428 wrote to memory of 3452 2428 rflrrfx.exe 100 PID 3452 wrote to memory of 4944 3452 rlrrxfx.exe 101 PID 3452 wrote to memory of 4944 3452 rlrrxfx.exe 101 PID 3452 wrote to memory of 4944 3452 rlrrxfx.exe 101 PID 4944 wrote to memory of 224 4944 ntnnbn.exe 102 PID 4944 wrote to memory of 224 4944 ntnnbn.exe 102 PID 4944 wrote to memory of 224 4944 ntnnbn.exe 102 PID 224 wrote to memory of 4820 224 tnhhhn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe — command line "C:\Users\Admin\AppData\Local\Temp\1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe" — depth 1 (submitted sample; each child entry below is listed as image path, then command line, then tree depth)
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\xrrlffx.exec:\xrrlffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\nntnnn.exec:\nntnnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\dppjd.exec:\dppjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\rfxrrfx.exec:\rfxrrfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\hbhbnh.exec:\hbhbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\bbhhnn.exec:\bbhhnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\fxfflrr.exec:\fxfflrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\jdppp.exec:\jdppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\7fflrxf.exec:\7fflrxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\7lxxfll.exec:\7lxxfll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\bhntbb.exec:\bhntbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\jjjdd.exec:\jjjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\9pjjj.exec:\9pjjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\ffffllx.exec:\ffffllx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\nbnntt.exec:\nbnntt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\hthhtb.exec:\hthhtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\vvdpp.exec:\vvdpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\rflrrfx.exec:\rflrrfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\rlrrxfx.exec:\rlrrxfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\ntnnbn.exec:\ntnnbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\tnhhhn.exec:\tnhhhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\nbhhnt.exec:\nbhhnt.exe23⤵
- Executes dropped EXE
PID:4820 -
\??\c:\vvjjp.exec:\vvjjp.exe24⤵
- Executes dropped EXE
PID:5072 -
\??\c:\bbhntb.exec:\bbhntb.exe25⤵
- Executes dropped EXE
PID:2236 -
\??\c:\btnnnn.exec:\btnnnn.exe26⤵
- Executes dropped EXE
PID:620 -
\??\c:\pvdvp.exec:\pvdvp.exe27⤵
- Executes dropped EXE
PID:5004 -
\??\c:\frffrfr.exec:\frffrfr.exe28⤵
- Executes dropped EXE
PID:1284 -
\??\c:\hhbthn.exec:\hhbthn.exe29⤵
- Executes dropped EXE
PID:3380 -
\??\c:\pvjvv.exec:\pvjvv.exe30⤵
- Executes dropped EXE
PID:1236 -
\??\c:\bnhbbn.exec:\bnhbbn.exe31⤵
- Executes dropped EXE
PID:3240 -
\??\c:\ffffllr.exec:\ffffllr.exe32⤵
- Executes dropped EXE
PID:3332 -
\??\c:\nnhbtt.exec:\nnhbtt.exe33⤵
- Executes dropped EXE
PID:4608 -
\??\c:\nttbtb.exec:\nttbtb.exe34⤵
- Executes dropped EXE
PID:4140 -
\??\c:\flxrxfr.exec:\flxrxfr.exe35⤵
- Executes dropped EXE
PID:1056 -
\??\c:\1lrllll.exec:\1lrllll.exe36⤵
- Executes dropped EXE
PID:2424 -
\??\c:\rffxxff.exec:\rffxxff.exe37⤵
- Executes dropped EXE
PID:3808 -
\??\c:\ddvpj.exec:\ddvpj.exe38⤵
- Executes dropped EXE
PID:4320 -
\??\c:\ddpdd.exec:\ddpdd.exe39⤵
- Executes dropped EXE
PID:3784 -
\??\c:\xrlllxx.exec:\xrlllxx.exe40⤵
- Executes dropped EXE
PID:4288 -
\??\c:\7tbbbh.exec:\7tbbbh.exe41⤵
- Executes dropped EXE
PID:768 -
\??\c:\jvjjj.exec:\jvjjj.exe42⤵
- Executes dropped EXE
PID:4636 -
\??\c:\rrlxxll.exec:\rrlxxll.exe43⤵
- Executes dropped EXE
PID:4332 -
\??\c:\9bbbbh.exec:\9bbbbh.exe44⤵
- Executes dropped EXE
PID:3604 -
\??\c:\9pdvv.exec:\9pdvv.exe45⤵
- Executes dropped EXE
PID:4148 -
\??\c:\jjvjp.exec:\jjvjp.exe46⤵
- Executes dropped EXE
PID:3592 -
\??\c:\nhhhnn.exec:\nhhhnn.exe47⤵
- Executes dropped EXE
PID:2324 -
\??\c:\hbtttb.exec:\hbtttb.exe48⤵
- Executes dropped EXE
PID:2728 -
\??\c:\vpvdp.exec:\vpvdp.exe49⤵
- Executes dropped EXE
PID:2212 -
\??\c:\frrrlrx.exec:\frrrlrx.exe50⤵
- Executes dropped EXE
PID:4512 -
\??\c:\rlrrffl.exec:\rlrrffl.exe51⤵
- Executes dropped EXE
PID:4740 -
\??\c:\hhtnnb.exec:\hhtnnb.exe52⤵
- Executes dropped EXE
PID:4036 -
\??\c:\jjppv.exec:\jjppv.exe53⤵
- Executes dropped EXE
PID:1472 -
\??\c:\rlxfffl.exec:\rlxfffl.exe54⤵
- Executes dropped EXE
PID:4780 -
\??\c:\tbbhnt.exec:\tbbhnt.exe55⤵
- Executes dropped EXE
PID:4612 -
\??\c:\hbhhhn.exec:\hbhhhn.exe56⤵
- Executes dropped EXE
PID:5080 -
\??\c:\ppddj.exec:\ppddj.exe57⤵
- Executes dropped EXE
PID:2648 -
\??\c:\fxffxxx.exec:\fxffxxx.exe58⤵
- Executes dropped EXE
PID:2492 -
\??\c:\nbhntt.exec:\nbhntt.exe59⤵
- Executes dropped EXE
PID:3112 -
\??\c:\5tbnnn.exec:\5tbnnn.exe60⤵
- Executes dropped EXE
PID:1544 -
\??\c:\ppvpj.exec:\ppvpj.exe61⤵
- Executes dropped EXE
PID:3088 -
\??\c:\xxlfrlx.exec:\xxlfrlx.exe62⤵
- Executes dropped EXE
PID:2332 -
\??\c:\hbtthh.exec:\hbtthh.exe63⤵
- Executes dropped EXE
PID:2540 -
\??\c:\vpppp.exec:\vpppp.exe64⤵
- Executes dropped EXE
PID:4580 -
\??\c:\llxxrxx.exec:\llxxrxx.exe65⤵
- Executes dropped EXE
PID:3624 -
\??\c:\llxffll.exec:\llxffll.exe66⤵PID:1452
-
\??\c:\hbhhnn.exec:\hbhhnn.exe67⤵PID:1332
-
\??\c:\jpjjp.exec:\jpjjp.exe68⤵PID:3008
-
\??\c:\rrffrxl.exec:\rrffrxl.exe69⤵PID:764
-
\??\c:\hbttbh.exec:\hbttbh.exe70⤵PID:4080
-
\??\c:\3tbnnb.exec:\3tbnnb.exe71⤵PID:1492
-
\??\c:\jpdvj.exec:\jpdvj.exe72⤵PID:4736
-
\??\c:\rlrrlrr.exec:\rlrrlrr.exe73⤵PID:700
-
\??\c:\bhtbhn.exec:\bhtbhn.exe74⤵
- System Location Discovery: System Language Discovery
PID:2684 -
\??\c:\3tbbbh.exec:\3tbbbh.exe75⤵PID:5000
-
\??\c:\jdpdj.exec:\jdpdj.exe76⤵
- System Location Discovery: System Language Discovery
PID:3280 -
\??\c:\xrlllrr.exec:\xrlllrr.exe77⤵PID:1012
-
\??\c:\tbhttb.exec:\tbhttb.exe78⤵PID:1744
-
\??\c:\7bhbbh.exec:\7bhbbh.exe79⤵PID:4660
-
\??\c:\ddjjj.exec:\ddjjj.exe80⤵PID:4432
-
\??\c:\bbnnnt.exec:\bbnnnt.exe81⤵PID:4732
-
\??\c:\bbnbtb.exec:\bbnbtb.exe82⤵PID:1736
-
\??\c:\vdpdp.exec:\vdpdp.exe83⤵PID:4640
-
\??\c:\xfllrrx.exec:\xfllrrx.exe84⤵PID:1872
-
\??\c:\xfllrff.exec:\xfllrff.exe85⤵PID:1136
-
\??\c:\ntbntt.exec:\ntbntt.exe86⤵PID:776
-
\??\c:\3jjjd.exec:\3jjjd.exe87⤵PID:436
-
\??\c:\llxxxrf.exec:\llxxxrf.exe88⤵PID:1236
-
\??\c:\nbntbh.exec:\nbntbh.exe89⤵PID:2300
-
\??\c:\nthtnn.exec:\nthtnn.exe90⤵PID:760
-
\??\c:\jdpjd.exec:\jdpjd.exe91⤵PID:3432
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe92⤵PID:544
-
\??\c:\hnhnbh.exec:\hnhnbh.exe93⤵PID:3332
-
\??\c:\vpjvd.exec:\vpjvd.exe94⤵PID:3040
-
\??\c:\ddjjp.exec:\ddjjp.exe95⤵PID:4812
-
\??\c:\rrrrxxx.exec:\rrrrxxx.exe96⤵PID:2956
-
\??\c:\btnhhb.exec:\btnhhb.exe97⤵PID:1972
-
\??\c:\5vddj.exec:\5vddj.exe98⤵PID:836
-
\??\c:\xlxrfxl.exec:\xlxrfxl.exe99⤵PID:1564
-
\??\c:\xxrxllf.exec:\xxrxllf.exe100⤵PID:3000
-
\??\c:\bnbnbn.exec:\bnbnbn.exe101⤵PID:3288
-
\??\c:\pvpjp.exec:\pvpjp.exe102⤵PID:64
-
\??\c:\rfrrfxr.exec:\rfrrfxr.exe103⤵PID:4336
-
\??\c:\thbnnt.exec:\thbnnt.exe104⤵PID:4636
-
\??\c:\bbnhnb.exec:\bbnhnb.exe105⤵PID:4840
-
\??\c:\jjvjj.exec:\jjvjj.exe106⤵PID:368
-
\??\c:\rxlxflf.exec:\rxlxflf.exe107⤵PID:2308
-
\??\c:\hntnnn.exec:\hntnnn.exe108⤵PID:3552
-
\??\c:\vpvpp.exec:\vpvpp.exe109⤵PID:4368
-
\??\c:\vvjjv.exec:\vvjjv.exe110⤵PID:3840
-
\??\c:\ntbttn.exec:\ntbttn.exe111⤵PID:3200
-
\??\c:\tnbbtt.exec:\tnbbtt.exe112⤵PID:2212
-
\??\c:\jvjdp.exec:\jvjdp.exe113⤵PID:3064
-
\??\c:\rrxxxff.exec:\rrxxxff.exe114⤵PID:4156
-
\??\c:\hnhtnn.exec:\hnhtnn.exe115⤵PID:3140
-
\??\c:\pjdvp.exec:\pjdvp.exe116⤵PID:1476
-
\??\c:\ffflrxl.exec:\ffflrxl.exe117⤵PID:4884
-
\??\c:\rrxfflr.exec:\rrxfflr.exe118⤵
- System Location Discovery: System Language Discovery
PID:4980 -
\??\c:\htnttt.exec:\htnttt.exe119⤵PID:1768
-
\??\c:\jjjpp.exec:\jjjpp.exe120⤵PID:2416
-
\??\c:\3jvvj.exec:\3jvvj.exe121⤵PID:2924
-
\??\c:\3llrllr.exec:\3llrllr.exe122⤵PID:3584