Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:15
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
af78e48fef3a8e61bcaa9572c96bb9b26349dd3ff2de2c75e02de817198c5078.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
af78e48fef3a8e61bcaa9572c96bb9b26349dd3ff2de2c75e02de817198c5078.exe
-
Size
455KB
-
MD5
503b529a3e435e72201e90abd74f3650
-
SHA1
04b4b0ecc574d9d1bb299b049746515eb37f7510
-
SHA256
af78e48fef3a8e61bcaa9572c96bb9b26349dd3ff2de2c75e02de817198c5078
-
SHA512
efc2e6eaeb496513ebaa1ca31936274546be1454637e0060368f004a62e57f9001c943b56353f1c60b92e92b6e0fea531101f4962ebe6a3a0c37e0538540e8e9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJB:q7Tc2NYHUrAwfMp3CDJB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4072-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/960-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2324-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-943-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-1725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4008 rxrrlrr.exe 524 tthbnn.exe 1912 dvvpj.exe 4172 xffrlfx.exe 2432 hbhhbb.exe 3744 fxfxxrr.exe 4820 vpjdd.exe 1652 5hthbn.exe 2696 jvvvp.exe 1000 fxflffx.exe 4004 ttnhbt.exe 3788 lxfxrrl.exe 8 vvdvj.exe 4036 xflfxxr.exe 4928 jvdpp.exe 3796 llflrxf.exe 2908 dppjj.exe 4936 1fxlfff.exe 3756 7ntnnb.exe 2856 ttbtth.exe 3604 fffllll.exe 3044 nhbttn.exe 3748 djjdj.exe 4688 9hnbnb.exe 3560 xrfrffl.exe 960 tbnhbb.exe 2428 ddvjj.exe 4504 tbnhtt.exe 2216 5jdvp.exe 3704 xlrrrrr.exe 1012 bbnhbb.exe 3028 vvdpj.exe 1332 bbthhn.exe 5048 pjjvd.exe 3332 xxlflfx.exe 3528 tnnhnn.exe 3368 ddjpj.exe 4712 rflrlfl.exe 2236 djjpp.exe 2688 lrrlllf.exe 3192 lfrfrlx.exe 5080 tnbttt.exe 3376 xxfflff.exe 4680 1frlllf.exe 4528 bttnht.exe 820 vppdd.exe 4072 ffffrfl.exe 1268 bhhtht.exe 1592 pjdpj.exe 1912 lxrllll.exe 2364 1nbtnh.exe 1392 pdjvp.exe 2848 pdjdv.exe 2112 nhbnhb.exe 3744 pjpdd.exe 32 xxxlrff.exe 452 bntntb.exe 912 dppjd.exe 4968 xxfrllf.exe 2696 5bhbnt.exe 3992 3vjdv.exe 2316 rxlxrlx.exe 2108 xrxrxrx.exe 2324 9ttnhb.exe -
resource yara_rule behavioral2/memory/4072-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3028-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1664-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-725-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4072 wrote to memory of 4008 4072 af78e48fef3a8e61bcaa9572c96bb9b26349dd3ff2de2c75e02de817198c5078.exe 82 PID 4072 wrote to memory of 4008 4072 af78e48fef3a8e61bcaa9572c96bb9b26349dd3ff2de2c75e02de817198c5078.exe 82 PID 4072 wrote to memory of 4008 4072 af78e48fef3a8e61bcaa9572c96bb9b26349dd3ff2de2c75e02de817198c5078.exe 82 PID 4008 wrote to memory of 524 4008 rxrrlrr.exe 83 PID 4008 wrote to memory of 524 4008 rxrrlrr.exe 83 PID 4008 wrote to memory of 524 4008 rxrrlrr.exe 83 PID 524 wrote to memory of 1912 524 tthbnn.exe 84 PID 524 wrote to memory of 1912 524 tthbnn.exe 84 PID 524 wrote to memory of 1912 524 tthbnn.exe 84 PID 1912 wrote to memory of 4172 1912 dvvpj.exe 85 PID 1912 wrote to memory of 4172 1912 dvvpj.exe 85 PID 1912 wrote to memory of 4172 1912 dvvpj.exe 85 PID 4172 wrote to memory of 2432 4172 xffrlfx.exe 86 PID 4172 wrote to memory of 2432 4172 xffrlfx.exe 86 PID 4172 wrote to memory of 2432 4172 xffrlfx.exe 86 PID 2432 wrote to memory of 3744 2432 hbhhbb.exe 87 PID 2432 wrote to memory of 3744 2432 hbhhbb.exe 87 PID 2432 wrote to memory of 3744 2432 hbhhbb.exe 87 PID 3744 wrote to memory of 4820 3744 fxfxxrr.exe 88 PID 3744 wrote to memory of 4820 3744 fxfxxrr.exe 88 PID 3744 wrote to memory of 4820 3744 fxfxxrr.exe 88 PID 4820 wrote to memory of 1652 4820 vpjdd.exe 89 PID 4820 wrote to memory of 1652 4820 vpjdd.exe 89 PID 4820 wrote to memory of 1652 4820 vpjdd.exe 89 PID 1652 wrote to memory of 2696 1652 5hthbn.exe 90 PID 1652 wrote to memory of 2696 1652 5hthbn.exe 90 PID 1652 wrote to memory of 2696 1652 5hthbn.exe 90 PID 2696 wrote to memory of 1000 2696 jvvvp.exe 91 PID 2696 wrote to memory of 1000 2696 jvvvp.exe 91 PID 2696 wrote to memory of 1000 2696 jvvvp.exe 91 PID 1000 wrote to memory of 4004 1000 fxflffx.exe 92 PID 1000 wrote to memory of 4004 1000 fxflffx.exe 92 PID 1000 wrote to memory of 4004 1000 fxflffx.exe 92 PID 4004 wrote to memory of 3788 4004 ttnhbt.exe 93 PID 4004 wrote to memory 
of 3788 4004 ttnhbt.exe 93 PID 4004 wrote to memory of 3788 4004 ttnhbt.exe 93 PID 3788 wrote to memory of 8 3788 lxfxrrl.exe 94 PID 3788 wrote to memory of 8 3788 lxfxrrl.exe 94 PID 3788 wrote to memory of 8 3788 lxfxrrl.exe 94 PID 8 wrote to memory of 4036 8 vvdvj.exe 95 PID 8 wrote to memory of 4036 8 vvdvj.exe 95 PID 8 wrote to memory of 4036 8 vvdvj.exe 95 PID 4036 wrote to memory of 4928 4036 xflfxxr.exe 96 PID 4036 wrote to memory of 4928 4036 xflfxxr.exe 96 PID 4036 wrote to memory of 4928 4036 xflfxxr.exe 96 PID 4928 wrote to memory of 3796 4928 jvdpp.exe 97 PID 4928 wrote to memory of 3796 4928 jvdpp.exe 97 PID 4928 wrote to memory of 3796 4928 jvdpp.exe 97 PID 3796 wrote to memory of 2908 3796 llflrxf.exe 98 PID 3796 wrote to memory of 2908 3796 llflrxf.exe 98 PID 3796 wrote to memory of 2908 3796 llflrxf.exe 98 PID 2908 wrote to memory of 4936 2908 dppjj.exe 99 PID 2908 wrote to memory of 4936 2908 dppjj.exe 99 PID 2908 wrote to memory of 4936 2908 dppjj.exe 99 PID 4936 wrote to memory of 3756 4936 1fxlfff.exe 100 PID 4936 wrote to memory of 3756 4936 1fxlfff.exe 100 PID 4936 wrote to memory of 3756 4936 1fxlfff.exe 100 PID 3756 wrote to memory of 2856 3756 7ntnnb.exe 101 PID 3756 wrote to memory of 2856 3756 7ntnnb.exe 101 PID 3756 wrote to memory of 2856 3756 7ntnnb.exe 101 PID 2856 wrote to memory of 3604 2856 ttbtth.exe 102 PID 2856 wrote to memory of 3604 2856 ttbtth.exe 102 PID 2856 wrote to memory of 3604 2856 ttbtth.exe 102 PID 3604 wrote to memory of 3044 3604 fffllll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\af78e48fef3a8e61bcaa9572c96bb9b26349dd3ff2de2c75e02de817198c5078.exe"C:\Users\Admin\AppData\Local\Temp\af78e48fef3a8e61bcaa9572c96bb9b26349dd3ff2de2c75e02de817198c5078.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\rxrrlrr.exec:\rxrrlrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\tthbnn.exec:\tthbnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\dvvpj.exec:\dvvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\xffrlfx.exec:\xffrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\hbhhbb.exec:\hbhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\fxfxxrr.exec:\fxfxxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\vpjdd.exec:\vpjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\5hthbn.exec:\5hthbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\jvvvp.exec:\jvvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\fxflffx.exec:\fxflffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\ttnhbt.exec:\ttnhbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\vvdvj.exec:\vvdvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\xflfxxr.exec:\xflfxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\jvdpp.exec:\jvdpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\llflrxf.exec:\llflrxf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\dppjj.exec:\dppjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\1fxlfff.exec:\1fxlfff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\7ntnnb.exec:\7ntnnb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\ttbtth.exec:\ttbtth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\fffllll.exec:\fffllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\nhbttn.exec:\nhbttn.exe23⤵
- Executes dropped EXE
PID:3044 -
\??\c:\djjdj.exec:\djjdj.exe24⤵
- Executes dropped EXE
PID:3748 -
\??\c:\9hnbnb.exec:\9hnbnb.exe25⤵
- Executes dropped EXE
PID:4688 -
\??\c:\xrfrffl.exec:\xrfrffl.exe26⤵
- Executes dropped EXE
PID:3560 -
\??\c:\tbnhbb.exec:\tbnhbb.exe27⤵
- Executes dropped EXE
PID:960 -
\??\c:\ddvjj.exec:\ddvjj.exe28⤵
- Executes dropped EXE
PID:2428 -
\??\c:\tbnhtt.exec:\tbnhtt.exe29⤵
- Executes dropped EXE
PID:4504 -
\??\c:\5jdvp.exec:\5jdvp.exe30⤵
- Executes dropped EXE
PID:2216 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe31⤵
- Executes dropped EXE
PID:3704 -
\??\c:\bbnhbb.exec:\bbnhbb.exe32⤵
- Executes dropped EXE
PID:1012 -
\??\c:\vvdpj.exec:\vvdpj.exe33⤵
- Executes dropped EXE
PID:3028 -
\??\c:\bbthhn.exec:\bbthhn.exe34⤵
- Executes dropped EXE
PID:1332 -
\??\c:\pjjvd.exec:\pjjvd.exe35⤵
- Executes dropped EXE
PID:5048 -
\??\c:\xxlflfx.exec:\xxlflfx.exe36⤵
- Executes dropped EXE
PID:3332 -
\??\c:\tnnhnn.exec:\tnnhnn.exe37⤵
- Executes dropped EXE
PID:3528 -
\??\c:\ddjpj.exec:\ddjpj.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3368 -
\??\c:\rflrlfl.exec:\rflrlfl.exe39⤵
- Executes dropped EXE
PID:4712 -
\??\c:\djjpp.exec:\djjpp.exe40⤵
- Executes dropped EXE
PID:2236 -
\??\c:\lrrlllf.exec:\lrrlllf.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\lfrfrlx.exec:\lfrfrlx.exe42⤵
- Executes dropped EXE
PID:3192 -
\??\c:\tnbttt.exec:\tnbttt.exe43⤵
- Executes dropped EXE
PID:5080 -
\??\c:\xxfflff.exec:\xxfflff.exe44⤵
- Executes dropped EXE
PID:3376 -
\??\c:\1frlllf.exec:\1frlllf.exe45⤵
- Executes dropped EXE
PID:4680 -
\??\c:\bttnht.exec:\bttnht.exe46⤵
- Executes dropped EXE
PID:4528 -
\??\c:\vppdd.exec:\vppdd.exe47⤵
- Executes dropped EXE
PID:820 -
\??\c:\ffffrfl.exec:\ffffrfl.exe48⤵
- Executes dropped EXE
PID:4072 -
\??\c:\bhhtht.exec:\bhhtht.exe49⤵
- Executes dropped EXE
PID:1268 -
\??\c:\pjdpj.exec:\pjdpj.exe50⤵
- Executes dropped EXE
PID:1592 -
\??\c:\lxrllll.exec:\lxrllll.exe51⤵
- Executes dropped EXE
PID:1912 -
\??\c:\1nbtnh.exec:\1nbtnh.exe52⤵
- Executes dropped EXE
PID:2364 -
\??\c:\pdjvp.exec:\pdjvp.exe53⤵
- Executes dropped EXE
PID:1392 -
\??\c:\pdjdv.exec:\pdjdv.exe54⤵
- Executes dropped EXE
PID:2848 -
\??\c:\nhbnhb.exec:\nhbnhb.exe55⤵
- Executes dropped EXE
PID:2112 -
\??\c:\pjpdd.exec:\pjpdd.exe56⤵
- Executes dropped EXE
PID:3744 -
\??\c:\xxxlrff.exec:\xxxlrff.exe57⤵
- Executes dropped EXE
PID:32 -
\??\c:\bntntb.exec:\bntntb.exe58⤵
- Executes dropped EXE
PID:452 -
\??\c:\dppjd.exec:\dppjd.exe59⤵
- Executes dropped EXE
PID:912 -
\??\c:\xxfrllf.exec:\xxfrllf.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4968 -
\??\c:\5bhbnt.exec:\5bhbnt.exe61⤵
- Executes dropped EXE
PID:2696 -
\??\c:\3vjdv.exec:\3vjdv.exe62⤵
- Executes dropped EXE
PID:3992 -
\??\c:\rxlxrlx.exec:\rxlxrlx.exe63⤵
- Executes dropped EXE
PID:2316 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe64⤵
- Executes dropped EXE
PID:2108 -
\??\c:\9ttnhb.exec:\9ttnhb.exe65⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vpddd.exec:\vpddd.exe66⤵PID:4908
-
\??\c:\flxrllr.exec:\flxrllr.exe67⤵PID:3588
-
\??\c:\9bttnn.exec:\9bttnn.exe68⤵PID:3972
-
\??\c:\pjdvp.exec:\pjdvp.exe69⤵PID:648
-
\??\c:\frxxfrf.exec:\frxxfrf.exe70⤵PID:372
-
\??\c:\tttbtn.exec:\tttbtn.exe71⤵PID:2908
-
\??\c:\3jpjp.exec:\3jpjp.exe72⤵PID:2104
-
\??\c:\flflrlr.exec:\flflrlr.exe73⤵PID:4988
-
\??\c:\hntttt.exec:\hntttt.exe74⤵PID:3900
-
\??\c:\ppdvp.exec:\ppdvp.exe75⤵PID:2448
-
\??\c:\1pvpp.exec:\1pvpp.exe76⤵PID:3116
-
\??\c:\5rrrlfx.exec:\5rrrlfx.exe77⤵PID:2624
-
\??\c:\bbhhnh.exec:\bbhhnh.exe78⤵PID:2176
-
\??\c:\5vvdj.exec:\5vvdj.exe79⤵PID:4624
-
\??\c:\pppjd.exec:\pppjd.exe80⤵PID:1664
-
\??\c:\lflfffx.exec:\lflfffx.exe81⤵PID:5068
-
\??\c:\1tbbbh.exec:\1tbbbh.exe82⤵PID:4776
-
\??\c:\dvdpj.exec:\dvdpj.exe83⤵PID:960
-
\??\c:\xllflrf.exec:\xllflrf.exe84⤵PID:1916
-
\??\c:\xrlffxx.exec:\xrlffxx.exe85⤵PID:3720
-
\??\c:\hbhbhn.exec:\hbhbhn.exe86⤵PID:3628
-
\??\c:\3vpjj.exec:\3vpjj.exe87⤵PID:5052
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe88⤵PID:3280
-
\??\c:\hthbtn.exec:\hthbtn.exe89⤵PID:3704
-
\??\c:\nhnhbt.exec:\nhnhbt.exe90⤵PID:2544
-
\??\c:\jppdp.exec:\jppdp.exe91⤵PID:3024
-
\??\c:\rffflff.exec:\rffflff.exe92⤵PID:1688
-
\??\c:\tbbtnn.exec:\tbbtnn.exe93⤵PID:3312
-
\??\c:\vdjvj.exec:\vdjvj.exe94⤵PID:1644
-
\??\c:\llxxxxl.exec:\llxxxxl.exe95⤵PID:1860
-
\??\c:\nhnnth.exec:\nhnnth.exe96⤵PID:3196
-
\??\c:\dvvjj.exec:\dvvjj.exe97⤵PID:4248
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe98⤵PID:1564
-
\??\c:\rffrlff.exec:\rffrlff.exe99⤵PID:2636
-
\??\c:\httntt.exec:\httntt.exe100⤵PID:3256
-
\??\c:\vdddv.exec:\vdddv.exe101⤵PID:3192
-
\??\c:\rlllflf.exec:\rlllflf.exe102⤵PID:736
-
\??\c:\nhhbtt.exec:\nhhbtt.exe103⤵PID:2968
-
\??\c:\vjpjj.exec:\vjpjj.exe104⤵PID:4372
-
\??\c:\3xxrxrl.exec:\3xxrxrl.exe105⤵PID:4176
-
\??\c:\xxrflfx.exec:\xxrflfx.exe106⤵PID:3608
-
\??\c:\hhhtnh.exec:\hhhtnh.exe107⤵PID:2388
-
\??\c:\vdjdv.exec:\vdjdv.exe108⤵PID:1640
-
\??\c:\lrfxllf.exec:\lrfxllf.exe109⤵PID:2384
-
\??\c:\lrlfrrl.exec:\lrlfrrl.exe110⤵PID:4172
-
\??\c:\hhtbth.exec:\hhtbth.exe111⤵PID:2876
-
\??\c:\dddpp.exec:\dddpp.exe112⤵PID:1808
-
\??\c:\llrrllx.exec:\llrrllx.exe113⤵PID:2848
-
\??\c:\httnbb.exec:\httnbb.exe114⤵PID:2112
-
\??\c:\pvvvv.exec:\pvvvv.exe115⤵PID:3536
-
\??\c:\7pvjd.exec:\7pvjd.exe116⤵PID:1652
-
\??\c:\1xfxxlr.exec:\1xfxxlr.exe117⤵PID:2040
-
\??\c:\htttnh.exec:\htttnh.exe118⤵PID:912
-
\??\c:\9vdpj.exec:\9vdpj.exe119⤵PID:3172
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe120⤵PID:1180
-
\??\c:\bhbtnh.exec:\bhbtnh.exe121⤵PID:2668
-
\??\c:\3pvjd.exec:\3pvjd.exe122⤵PID:812