Analysis
-
max time kernel
150s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
18-02-2025 08:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb4c6e82b6cd2da31223dbab1b100b119af2364e16ce77309dbfe56b1d626f9c.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
fb4c6e82b6cd2da31223dbab1b100b119af2364e16ce77309dbfe56b1d626f9c.exe
-
Size
80KB
-
MD5
f42bdfb526b25e30aa34398337dd8dfb
-
SHA1
38c9e3582e3cf1d352ea222408bae1aeb64ff429
-
SHA256
fb4c6e82b6cd2da31223dbab1b100b119af2364e16ce77309dbfe56b1d626f9c
-
SHA512
bd68ced0d62e94f347e2561344b535a44a365b262186b6e389b39804b483716132364dad6eb1c32a8dccd4219e55b5d1a4e15a5acfa8c095c660ac046f2fb259
-
SSDEEP
1536:Y41JEOJzOhWlKXXCwsurYKnFNzofrst3ufT/FRxnd:Y49z/lKXXdFvN8Yt3ujFfd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3852-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4028-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4736-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-1209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-1300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4320-1407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3780 lfrrrrr.exe 2344 bnttnn.exe 1000 pvpdv.exe 1664 5xfrfxl.exe 4804 5lrllff.exe 904 3thtnb.exe 4872 5vjvp.exe 2140 xlrfrlx.exe 2288 rrlfrll.exe 4492 1hhtnh.exe 880 nnbnht.exe 3740 ttthhb.exe 2188 ppjdd.exe 448 7xrfrfr.exe 1108 thhttn.exe 1960 tbthnh.exe 4144 9dpvp.exe 2212 7fxfrlf.exe 804 nhnhtn.exe 1180 vpdjv.exe 4104 dvpjv.exe 4988 fllxlff.exe 3696 nhnhhh.exe 4028 lffrlfx.exe 4556 5htnbt.exe 3652 vvjdp.exe 5076 vpvjv.exe 3804 5rrlxrf.exe 2208 bhhbtn.exe 4368 btthbh.exe 4780 vdpjd.exe 3852 rflrllf.exe 1156 rlfrlfr.exe 4728 ntnhtn.exe 2072 5bnhbb.exe 3868 ddvpd.exe 1296 djjvj.exe 5024 rfxlxrl.exe 1572 bbnbht.exe 4896 thhbhb.exe 1688 7pdvp.exe 2636 ppjdp.exe 912 ffxlxrf.exe 4716 bhhnhn.exe 3244 tnbthh.exe 4968 vjvdv.exe 2320 ddvvp.exe 3256 flxrfrf.exe 5044 frfrflx.exe 1448 llxrlxr.exe 4172 bbtnnn.exe 3880 vppjv.exe 972 rllfxxl.exe 440 flllxxl.exe 3668 5nthbn.exe 2980 3nnnhh.exe 4464 9vpvj.exe 4212 vjjvd.exe 1428 xrffxlx.exe 760 nhtnbt.exe 4524 3nbnht.exe 4132 vpjvp.exe 2232 9dvjv.exe 3744 lrxlrff.exe -
resource yara_rule behavioral2/memory/3852-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1180-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4372-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-659-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxllfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3852 wrote to memory of 3780 3852 fb4c6e82b6cd2da31223dbab1b100b119af2364e16ce77309dbfe56b1d626f9c.exe 85 PID 3852 wrote to memory of 3780 3852 fb4c6e82b6cd2da31223dbab1b100b119af2364e16ce77309dbfe56b1d626f9c.exe 85 PID 3852 wrote to memory of 3780 3852 fb4c6e82b6cd2da31223dbab1b100b119af2364e16ce77309dbfe56b1d626f9c.exe 85 PID 3780 wrote to memory of 2344 3780 lfrrrrr.exe 86 PID 3780 wrote to memory of 2344 3780 lfrrrrr.exe 86 PID 3780 wrote to memory of 2344 3780 lfrrrrr.exe 86 PID 2344 wrote to memory of 1000 2344 bnttnn.exe 87 PID 2344 wrote to memory of 1000 2344 bnttnn.exe 87 PID 2344 wrote to memory of 1000 2344 bnttnn.exe 87 PID 1000 wrote to memory of 1664 1000 pvpdv.exe 88 PID 1000 wrote to memory of 1664 1000 pvpdv.exe 88 PID 1000 wrote to memory of 1664 1000 pvpdv.exe 88 PID 1664 wrote to memory of 4804 1664 5xfrfxl.exe 89 PID 1664 wrote to memory of 4804 1664 5xfrfxl.exe 89 PID 1664 wrote to memory of 4804 1664 5xfrfxl.exe 89 PID 4804 wrote to memory of 904 4804 5lrllff.exe 91 PID 4804 wrote to memory of 904 4804 5lrllff.exe 91 PID 4804 wrote to memory of 904 4804 5lrllff.exe 91 PID 904 wrote to memory of 4872 904 3thtnb.exe 92 PID 904 wrote to memory of 4872 904 3thtnb.exe 92 PID 904 wrote to memory of 4872 904 3thtnb.exe 92 PID 4872 wrote to memory of 2140 4872 5vjvp.exe 93 PID 4872 wrote to memory of 2140 4872 5vjvp.exe 93 PID 4872 wrote to memory of 2140 4872 5vjvp.exe 93 PID 2140 wrote to memory of 2288 2140 xlrfrlx.exe 94 PID 2140 wrote to memory of 2288 2140 xlrfrlx.exe 94 PID 2140 wrote to memory of 2288 2140 xlrfrlx.exe 94 PID 2288 wrote to memory of 4492 2288 rrlfrll.exe 95 PID 2288 wrote to memory of 4492 2288 rrlfrll.exe 95 PID 2288 wrote to memory of 4492 2288 rrlfrll.exe 95 PID 4492 wrote to memory of 880 4492 1hhtnh.exe 96 PID 4492 wrote to memory of 880 4492 1hhtnh.exe 96 PID 4492 wrote to memory of 880 4492 1hhtnh.exe 96 PID 880 wrote to memory of 3740 880 nnbnht.exe 97 PID 880 wrote to memory 
of 3740 880 nnbnht.exe 97 PID 880 wrote to memory of 3740 880 nnbnht.exe 97 PID 3740 wrote to memory of 2188 3740 ttthhb.exe 98 PID 3740 wrote to memory of 2188 3740 ttthhb.exe 98 PID 3740 wrote to memory of 2188 3740 ttthhb.exe 98 PID 2188 wrote to memory of 448 2188 ppjdd.exe 99 PID 2188 wrote to memory of 448 2188 ppjdd.exe 99 PID 2188 wrote to memory of 448 2188 ppjdd.exe 99 PID 448 wrote to memory of 1108 448 7xrfrfr.exe 101 PID 448 wrote to memory of 1108 448 7xrfrfr.exe 101 PID 448 wrote to memory of 1108 448 7xrfrfr.exe 101 PID 1108 wrote to memory of 1960 1108 thhttn.exe 102 PID 1108 wrote to memory of 1960 1108 thhttn.exe 102 PID 1108 wrote to memory of 1960 1108 thhttn.exe 102 PID 1960 wrote to memory of 4144 1960 tbthnh.exe 103 PID 1960 wrote to memory of 4144 1960 tbthnh.exe 103 PID 1960 wrote to memory of 4144 1960 tbthnh.exe 103 PID 4144 wrote to memory of 2212 4144 9dpvp.exe 104 PID 4144 wrote to memory of 2212 4144 9dpvp.exe 104 PID 4144 wrote to memory of 2212 4144 9dpvp.exe 104 PID 2212 wrote to memory of 804 2212 7fxfrlf.exe 105 PID 2212 wrote to memory of 804 2212 7fxfrlf.exe 105 PID 2212 wrote to memory of 804 2212 7fxfrlf.exe 105 PID 804 wrote to memory of 1180 804 nhnhtn.exe 106 PID 804 wrote to memory of 1180 804 nhnhtn.exe 106 PID 804 wrote to memory of 1180 804 nhnhtn.exe 106 PID 1180 wrote to memory of 4104 1180 vpdjv.exe 107 PID 1180 wrote to memory of 4104 1180 vpdjv.exe 107 PID 1180 wrote to memory of 4104 1180 vpdjv.exe 107 PID 4104 wrote to memory of 4988 4104 dvpjv.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb4c6e82b6cd2da31223dbab1b100b119af2364e16ce77309dbfe56b1d626f9c.exe"C:\Users\Admin\AppData\Local\Temp\fb4c6e82b6cd2da31223dbab1b100b119af2364e16ce77309dbfe56b1d626f9c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\bnttnn.exec:\bnttnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\pvpdv.exec:\pvpdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\5xfrfxl.exec:\5xfrfxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\5lrllff.exec:\5lrllff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\3thtnb.exec:\3thtnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\5vjvp.exec:\5vjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\xlrfrlx.exec:\xlrfrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\rrlfrll.exec:\rrlfrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\1hhtnh.exec:\1hhtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\nnbnht.exec:\nnbnht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\ttthhb.exec:\ttthhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\ppjdd.exec:\ppjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\7xrfrfr.exec:\7xrfrfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\thhttn.exec:\thhttn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\tbthnh.exec:\tbthnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\9dpvp.exec:\9dpvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\7fxfrlf.exec:\7fxfrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\nhnhtn.exec:\nhnhtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\vpdjv.exec:\vpdjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\dvpjv.exec:\dvpjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\fllxlff.exec:\fllxlff.exe23⤵
- Executes dropped EXE
PID:4988 -
\??\c:\nhnhhh.exec:\nhnhhh.exe24⤵
- Executes dropped EXE
PID:3696 -
\??\c:\lffrlfx.exec:\lffrlfx.exe25⤵
- Executes dropped EXE
PID:4028 -
\??\c:\5htnbt.exec:\5htnbt.exe26⤵
- Executes dropped EXE
PID:4556 -
\??\c:\vvjdp.exec:\vvjdp.exe27⤵
- Executes dropped EXE
PID:3652 -
\??\c:\vpvjv.exec:\vpvjv.exe28⤵
- Executes dropped EXE
PID:5076 -
\??\c:\5rrlxrf.exec:\5rrlxrf.exe29⤵
- Executes dropped EXE
PID:3804 -
\??\c:\bhhbtn.exec:\bhhbtn.exe30⤵
- Executes dropped EXE
PID:2208 -
\??\c:\btthbh.exec:\btthbh.exe31⤵
- Executes dropped EXE
PID:4368 -
\??\c:\vdpjd.exec:\vdpjd.exe32⤵
- Executes dropped EXE
PID:4780 -
\??\c:\rflrllf.exec:\rflrllf.exe33⤵
- Executes dropped EXE
PID:3852 -
\??\c:\rlfrlfr.exec:\rlfrlfr.exe34⤵
- Executes dropped EXE
PID:1156 -
\??\c:\ntnhtn.exec:\ntnhtn.exe35⤵
- Executes dropped EXE
PID:4728 -
\??\c:\5bnhbb.exec:\5bnhbb.exe36⤵
- Executes dropped EXE
PID:2072 -
\??\c:\ddvpd.exec:\ddvpd.exe37⤵
- Executes dropped EXE
PID:3868 -
\??\c:\djjvj.exec:\djjvj.exe38⤵
- Executes dropped EXE
PID:1296 -
\??\c:\rfxlxrl.exec:\rfxlxrl.exe39⤵
- Executes dropped EXE
PID:5024 -
\??\c:\bbnbht.exec:\bbnbht.exe40⤵
- Executes dropped EXE
PID:1572 -
\??\c:\thhbhb.exec:\thhbhb.exe41⤵
- Executes dropped EXE
PID:4896 -
\??\c:\7pdvp.exec:\7pdvp.exe42⤵
- Executes dropped EXE
PID:1688 -
\??\c:\ppjdp.exec:\ppjdp.exe43⤵
- Executes dropped EXE
PID:2636 -
\??\c:\ffxlxrf.exec:\ffxlxrf.exe44⤵
- Executes dropped EXE
PID:912 -
\??\c:\bhhnhn.exec:\bhhnhn.exe45⤵
- Executes dropped EXE
PID:4716 -
\??\c:\tnbthh.exec:\tnbthh.exe46⤵
- Executes dropped EXE
PID:3244 -
\??\c:\vjvdv.exec:\vjvdv.exe47⤵
- Executes dropped EXE
PID:4968 -
\??\c:\ddvvp.exec:\ddvvp.exe48⤵
- Executes dropped EXE
PID:2320 -
\??\c:\flxrfrf.exec:\flxrfrf.exe49⤵
- Executes dropped EXE
PID:3256 -
\??\c:\frfrflx.exec:\frfrflx.exe50⤵
- Executes dropped EXE
PID:5044 -
\??\c:\llxrlxr.exec:\llxrlxr.exe51⤵
- Executes dropped EXE
PID:1448 -
\??\c:\bbtnnn.exec:\bbtnnn.exe52⤵
- Executes dropped EXE
PID:4172 -
\??\c:\vppjv.exec:\vppjv.exe53⤵
- Executes dropped EXE
PID:3880 -
\??\c:\rllfxxl.exec:\rllfxxl.exe54⤵
- Executes dropped EXE
PID:972 -
\??\c:\flllxxl.exec:\flllxxl.exe55⤵
- Executes dropped EXE
PID:440 -
\??\c:\5nthbn.exec:\5nthbn.exe56⤵
- Executes dropped EXE
PID:3668 -
\??\c:\3nnnhh.exec:\3nnnhh.exe57⤵
- Executes dropped EXE
PID:2980 -
\??\c:\9vpvj.exec:\9vpvj.exe58⤵
- Executes dropped EXE
PID:4464 -
\??\c:\vjjvd.exec:\vjjvd.exe59⤵
- Executes dropped EXE
PID:4212 -
\??\c:\xrffxlx.exec:\xrffxlx.exe60⤵
- Executes dropped EXE
PID:1428 -
\??\c:\nhtnbt.exec:\nhtnbt.exe61⤵
- Executes dropped EXE
PID:760 -
\??\c:\3nbnht.exec:\3nbnht.exe62⤵
- Executes dropped EXE
PID:4524 -
\??\c:\vpjvp.exec:\vpjvp.exe63⤵
- Executes dropped EXE
PID:4132 -
\??\c:\9dvjv.exec:\9dvjv.exe64⤵
- Executes dropped EXE
PID:2232 -
\??\c:\lrxlrff.exec:\lrxlrff.exe65⤵
- Executes dropped EXE
PID:3744 -
\??\c:\rrfrfxl.exec:\rrfrfxl.exe66⤵PID:2032
-
\??\c:\bbntht.exec:\bbntht.exe67⤵PID:2604
-
\??\c:\pvjdp.exec:\pvjdp.exe68⤵PID:4628
-
\??\c:\1vpjv.exec:\1vpjv.exe69⤵PID:5052
-
\??\c:\ppvjd.exec:\ppvjd.exe70⤵PID:2824
-
\??\c:\xrlxrlx.exec:\xrlxrlx.exe71⤵PID:624
-
\??\c:\rlxxllx.exec:\rlxxllx.exe72⤵PID:4920
-
\??\c:\thnhtt.exec:\thnhtt.exe73⤵PID:4372
-
\??\c:\btnhnh.exec:\btnhnh.exe74⤵PID:4368
-
\??\c:\jddpd.exec:\jddpd.exe75⤵PID:856
-
\??\c:\xrfxlfr.exec:\xrfxlfr.exe76⤵PID:4644
-
\??\c:\fffxlfx.exec:\fffxlfx.exe77⤵PID:4736
-
\??\c:\5bnhtn.exec:\5bnhtn.exe78⤵PID:1756
-
\??\c:\bttntn.exec:\bttntn.exe79⤵PID:1000
-
\??\c:\5vjvv.exec:\5vjvv.exe80⤵PID:1720
-
\??\c:\5rxlxrl.exec:\5rxlxrl.exe81⤵PID:1772
-
\??\c:\nnnhbn.exec:\nnnhbn.exe82⤵PID:3312
-
\??\c:\5hthtt.exec:\5hthtt.exe83⤵PID:4808
-
\??\c:\dvpdv.exec:\dvpdv.exe84⤵PID:4816
-
\??\c:\fffxllf.exec:\fffxllf.exe85⤵PID:3572
-
\??\c:\htnhbt.exec:\htnhbt.exe86⤵PID:1916
-
\??\c:\9nnhhb.exec:\9nnhhb.exe87⤵PID:1316
-
\??\c:\pdpjd.exec:\pdpjd.exe88⤵PID:3604
-
\??\c:\nbhnhb.exec:\nbhnhb.exe89⤵PID:3048
-
\??\c:\fxfrrrl.exec:\fxfrrrl.exe90⤵PID:1484
-
\??\c:\nhnbnt.exec:\nhnbnt.exe91⤵PID:3528
-
\??\c:\1ppjj.exec:\1ppjj.exe92⤵PID:3336
-
\??\c:\pjdvj.exec:\pjdvj.exe93⤵PID:4576
-
\??\c:\xffxlfr.exec:\xffxlfr.exe94⤵PID:5116
-
\??\c:\ntnhtt.exec:\ntnhtt.exe95⤵PID:1400
-
\??\c:\ffffxfr.exec:\ffffxfr.exe96⤵PID:1448
-
\??\c:\1hnhtn.exec:\1hnhtn.exe97⤵PID:4172
-
\??\c:\hhtnbb.exec:\hhtnbb.exe98⤵PID:3880
-
\??\c:\xrrrrxf.exec:\xrrrrxf.exe99⤵PID:1768
-
\??\c:\vpjpd.exec:\vpjpd.exe100⤵PID:3532
-
\??\c:\xxxxlfr.exec:\xxxxlfr.exe101⤵PID:4940
-
\??\c:\bttnnb.exec:\bttnnb.exe102⤵PID:2732
-
\??\c:\tbtnhb.exec:\tbtnhb.exe103⤵PID:804
-
\??\c:\5jvjd.exec:\5jvjd.exe104⤵PID:1180
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe105⤵PID:1128
-
\??\c:\llrxrlr.exec:\llrxrlr.exe106⤵PID:2508
-
\??\c:\9hthbt.exec:\9hthbt.exe107⤵PID:1364
-
\??\c:\tttbbb.exec:\tttbbb.exe108⤵PID:3616
-
\??\c:\pdvpj.exec:\pdvpj.exe109⤵PID:4448
-
\??\c:\ffrlrlr.exec:\ffrlrlr.exe110⤵PID:2156
-
\??\c:\fxflffx.exec:\fxflffx.exe111⤵PID:4116
-
\??\c:\bnhbtt.exec:\bnhbtt.exe112⤵PID:3748
-
\??\c:\jjvpj.exec:\jjvpj.exe113⤵PID:1728
-
\??\c:\dvpjd.exec:\dvpjd.exe114⤵PID:5076
-
\??\c:\rllfffr.exec:\rllfffr.exe115⤵PID:1040
-
\??\c:\3thhbb.exec:\3thhbb.exe116⤵PID:1264
-
\??\c:\djjdd.exec:\djjdd.exe117⤵PID:1212
-
\??\c:\vppjv.exec:\vppjv.exe118⤵PID:392
-
\??\c:\1xxrffr.exec:\1xxrffr.exe119⤵PID:4984
-
\??\c:\nnhbbb.exec:\nnhbbb.exe120⤵PID:3360
-
\??\c:\vvdpj.exec:\vvdpj.exe121⤵PID:2292
-
\??\c:\pjpdd.exec:\pjpdd.exe122⤵PID:3356
-