Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-12-2024 23:28
Behavioral task
behavioral1
Sample
01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds (note: this task header names behavioral1 on a Windows 7 image, but every IoC listed below is labelled behavioral2 — the Windows 10 2004 x64 run from the Analysis header — so treat the evidence as coming from the Windows 10 run)
General
-
Target
01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe
-
Size
335KB
-
MD5
56c45793661b41de45c09951d3c18977
-
SHA1
4a56c6c793614ff525b34aff609dcca985484f77
-
SHA256
01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e
-
SHA512
7de1a8778278908287072ac3e31705ce6b652c6cbc8897889aa704a57e773ed81ed23de22d8f153d55c197e716cced429d2d5feb929e1b6bb3aef23d8079a742
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRX:R4wFHoSHYHUrAwfMp3CDRX
Malware Config
Signatures
-
Blackmoon family (sandbox family classification derived from the YARA rule family_blackmoon below; corroborate with static analysis before using it for attribution)
-
Detect Blackmoon payload — 64 IoCs (list capped at 64). Every hit is a memory dump of the same 0x00400000–0x00427000 image range in a different child process, which suggests the rule matches the unpacked in-memory image rather than the 335KB file on disk; the UPX matches on both the dropped files and the same memory ranges further down are consistent with that.
resource yara_rule behavioral2/memory/1652-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3180-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4696-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1388-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3308-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2628-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1760-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2484-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4648-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1312-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/912-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1164-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3312-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3912-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4160-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/720-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/220-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1712-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2504-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4460-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1216-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3712-458-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1000-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1568-665-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-974-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1920-1385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (list capped at 64; the process tree below shows the drop-and-execute chain continuing to at least depth 122, each link dropping a new randomly named executable in c:\ and launching it)
pid Process 4832 3bnntt.exe 4144 hntttt.exe 3996 5jddd.exe 3180 jjvpp.exe 3556 dpvjv.exe 4696 jdjdv.exe 4432 tnnnnt.exe 3948 xxxlrrf.exe 1388 rlrlllf.exe 2824 btbbtb.exe 5076 vvdvj.exe 3124 xflfxxr.exe 3060 7vppd.exe 4828 xfrrfrx.exe 3308 pvvvj.exe 2424 flllfff.exe 2628 ddvvv.exe 4804 xfrrrxx.exe 4036 vvddd.exe 412 jpvvv.exe 1760 ffffxrl.exe 2580 pvddd.exe 2484 nbnbtb.exe 4284 xfllfff.exe 4648 bhbhnb.exe 1312 rrrlrrr.exe 3012 djpvv.exe 912 3lfffll.exe 4824 jdvdj.exe 3684 xfrrfrf.exe 3224 jjddv.exe 3932 1lxxxxr.exe 3160 vpppv.exe 1164 djjvv.exe 2328 1hbbbh.exe 2656 vdddj.exe 968 pjjpp.exe 1968 lfffxrl.exe 3840 1bbbtb.exe 3312 jdddp.exe 4808 fffxxxx.exe 1584 hhbbtt.exe 4112 jpjjd.exe 3912 lrlllrr.exe 3248 nbnntb.exe 2928 nbbbnh.exe 2196 vdddv.exe 4184 flxlfxl.exe 3460 9hbbhh.exe 464 vdvjj.exe 32 5fllfff.exe 4584 frfxxxr.exe 1852 bbbhhh.exe 4460 vdddd.exe 2784 llxlxxx.exe 2188 jjvvd.exe 4392 jvjpp.exe 4440 rlfffxx.exe 5036 tthhhn.exe 4832 hntbnt.exe 1632 ddpjj.exe 4160 lfrxfxf.exe 3996 1rrllff.exe 4700 btbbbb.exe -
resource yara_rule behavioral2/memory/1652-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bae-3.dat upx behavioral2/memory/1652-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ca0-8.dat upx behavioral2/memory/4832-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-11.dat upx behavioral2/memory/4144-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-18.dat upx behavioral2/memory/3996-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-24.dat upx behavioral2/memory/3180-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-28.dat upx behavioral2/memory/3556-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-33.dat upx behavioral2/memory/4696-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-39.dat upx behavioral2/files/0x0007000000023cae-42.dat upx behavioral2/files/0x0007000000023caf-46.dat upx behavioral2/memory/1388-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-51.dat upx behavioral2/memory/5076-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-57.dat upx behavioral2/memory/5076-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2824-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-62.dat upx behavioral2/memory/3124-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-67.dat upx behavioral2/memory/3060-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4828-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca4-74.dat upx behavioral2/files/0x0007000000023cb4-77.dat upx 
behavioral2/memory/3308-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2424-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-84.dat upx behavioral2/memory/2628-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-87.dat upx behavioral2/files/0x0007000000023cb8-93.dat upx behavioral2/memory/4036-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-98.dat upx behavioral2/memory/412-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-104.dat upx behavioral2/memory/1760-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4804-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-109.dat upx behavioral2/memory/2580-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-114.dat upx behavioral2/files/0x0007000000023cbd-118.dat upx behavioral2/memory/2484-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-122.dat upx behavioral2/memory/4284-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-128.dat upx behavioral2/memory/4648-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-132.dat upx behavioral2/memory/1312-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-137.dat upx behavioral2/files/0x0007000000023cc2-141.dat upx behavioral2/memory/912-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-146.dat upx behavioral2/files/0x0007000000023cc4-150.dat upx behavioral2/files/0x0007000000023cc5-154.dat upx behavioral2/memory/1164-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2328-165-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2656-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/968-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP (MITRE ATT&CK T1614.001), 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The IoCs are reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; most are attributed to "Process not Found", which means the sandbox could not map the PID back to an image name because that link of the chain had already exited (see the reused PIDs in the process tree) — it does not mean the read came from an unknown or injected process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbht.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64). Each parent writes only to the child it has just spawned (three writes per launch), so this is consistent with the chain of process launches rather than injection into unrelated processes; confirm the write targets before treating it as process injection.
description pid Process procid_target PID 1652 wrote to memory of 4832 1652 01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe 85 PID 1652 wrote to memory of 4832 1652 01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe 85 PID 1652 wrote to memory of 4832 1652 01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe 85 PID 4832 wrote to memory of 4144 4832 3bnntt.exe 86 PID 4832 wrote to memory of 4144 4832 3bnntt.exe 86 PID 4832 wrote to memory of 4144 4832 3bnntt.exe 86 PID 4144 wrote to memory of 3996 4144 hntttt.exe 87 PID 4144 wrote to memory of 3996 4144 hntttt.exe 87 PID 4144 wrote to memory of 3996 4144 hntttt.exe 87 PID 3996 wrote to memory of 3180 3996 5jddd.exe 88 PID 3996 wrote to memory of 3180 3996 5jddd.exe 88 PID 3996 wrote to memory of 3180 3996 5jddd.exe 88 PID 3180 wrote to memory of 3556 3180 jjvpp.exe 89 PID 3180 wrote to memory of 3556 3180 jjvpp.exe 89 PID 3180 wrote to memory of 3556 3180 jjvpp.exe 89 PID 3556 wrote to memory of 4696 3556 dpvjv.exe 90 PID 3556 wrote to memory of 4696 3556 dpvjv.exe 90 PID 3556 wrote to memory of 4696 3556 dpvjv.exe 90 PID 4696 wrote to memory of 4432 4696 jdjdv.exe 91 PID 4696 wrote to memory of 4432 4696 jdjdv.exe 91 PID 4696 wrote to memory of 4432 4696 jdjdv.exe 91 PID 4432 wrote to memory of 3948 4432 tnnnnt.exe 92 PID 4432 wrote to memory of 3948 4432 tnnnnt.exe 92 PID 4432 wrote to memory of 3948 4432 tnnnnt.exe 92 PID 3948 wrote to memory of 1388 3948 xxxlrrf.exe 93 PID 3948 wrote to memory of 1388 3948 xxxlrrf.exe 93 PID 3948 wrote to memory of 1388 3948 xxxlrrf.exe 93 PID 1388 wrote to memory of 2824 1388 rlrlllf.exe 94 PID 1388 wrote to memory of 2824 1388 rlrlllf.exe 94 PID 1388 wrote to memory of 2824 1388 rlrlllf.exe 94 PID 2824 wrote to memory of 5076 2824 btbbtb.exe 95 PID 2824 wrote to memory of 5076 2824 btbbtb.exe 95 PID 2824 wrote to memory of 5076 2824 btbbtb.exe 95 PID 5076 wrote to memory of 3124 5076 vvdvj.exe 96 PID 5076 wrote to memory 
of 3124 5076 vvdvj.exe 96 PID 5076 wrote to memory of 3124 5076 vvdvj.exe 96 PID 3124 wrote to memory of 3060 3124 xflfxxr.exe 97 PID 3124 wrote to memory of 3060 3124 xflfxxr.exe 97 PID 3124 wrote to memory of 3060 3124 xflfxxr.exe 97 PID 3060 wrote to memory of 4828 3060 7vppd.exe 98 PID 3060 wrote to memory of 4828 3060 7vppd.exe 98 PID 3060 wrote to memory of 4828 3060 7vppd.exe 98 PID 4828 wrote to memory of 3308 4828 xfrrfrx.exe 99 PID 4828 wrote to memory of 3308 4828 xfrrfrx.exe 99 PID 4828 wrote to memory of 3308 4828 xfrrfrx.exe 99 PID 3308 wrote to memory of 2424 3308 pvvvj.exe 100 PID 3308 wrote to memory of 2424 3308 pvvvj.exe 100 PID 3308 wrote to memory of 2424 3308 pvvvj.exe 100 PID 2424 wrote to memory of 2628 2424 flllfff.exe 101 PID 2424 wrote to memory of 2628 2424 flllfff.exe 101 PID 2424 wrote to memory of 2628 2424 flllfff.exe 101 PID 2628 wrote to memory of 4804 2628 ddvvv.exe 102 PID 2628 wrote to memory of 4804 2628 ddvvv.exe 102 PID 2628 wrote to memory of 4804 2628 ddvvv.exe 102 PID 4804 wrote to memory of 4036 4804 xfrrrxx.exe 103 PID 4804 wrote to memory of 4036 4804 xfrrrxx.exe 103 PID 4804 wrote to memory of 4036 4804 xfrrrxx.exe 103 PID 4036 wrote to memory of 412 4036 vvddd.exe 104 PID 4036 wrote to memory of 412 4036 vvddd.exe 104 PID 4036 wrote to memory of 412 4036 vvddd.exe 104 PID 412 wrote to memory of 1760 412 jpvvv.exe 105 PID 412 wrote to memory of 1760 412 jpvvv.exe 105 PID 412 wrote to memory of 1760 412 jpvvv.exe 105 PID 1760 wrote to memory of 2580 1760 ffffxrl.exe 106
Processes (process tree; each entry is image path, command line, tree depth and PID — several PIDs such as 4832, 3996, 3060, 4036, 2628, 2484, 968 and 3312 appear twice at different depths, meaning the earlier link had exited and the PID was reused, so PID-keyed IoCs above can refer to two different processes)
-
C:\Users\Admin\AppData\Local\Temp\01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe"C:\Users\Admin\AppData\Local\Temp\01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\3bnntt.exec:\3bnntt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\hntttt.exec:\hntttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\5jddd.exec:\5jddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\jjvpp.exec:\jjvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\dpvjv.exec:\dpvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\jdjdv.exec:\jdjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\tnnnnt.exec:\tnnnnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\xxxlrrf.exec:\xxxlrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\rlrlllf.exec:\rlrlllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\btbbtb.exec:\btbbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\vvdvj.exec:\vvdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\xflfxxr.exec:\xflfxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\7vppd.exec:\7vppd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\xfrrfrx.exec:\xfrrfrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\pvvvj.exec:\pvvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\flllfff.exec:\flllfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\ddvvv.exec:\ddvvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\xfrrrxx.exec:\xfrrrxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\vvddd.exec:\vvddd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\jpvvv.exec:\jpvvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\ffffxrl.exec:\ffffxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\pvddd.exec:\pvddd.exe23⤵
- Executes dropped EXE
PID:2580 -
\??\c:\nbnbtb.exec:\nbnbtb.exe24⤵
- Executes dropped EXE
PID:2484 -
\??\c:\xfllfff.exec:\xfllfff.exe25⤵
- Executes dropped EXE
PID:4284 -
\??\c:\bhbhnb.exec:\bhbhnb.exe26⤵
- Executes dropped EXE
PID:4648 -
\??\c:\rrrlrrr.exec:\rrrlrrr.exe27⤵
- Executes dropped EXE
PID:1312 -
\??\c:\djpvv.exec:\djpvv.exe28⤵
- Executes dropped EXE
PID:3012 -
\??\c:\3lfffll.exec:\3lfffll.exe29⤵
- Executes dropped EXE
PID:912 -
\??\c:\jdvdj.exec:\jdvdj.exe30⤵
- Executes dropped EXE
PID:4824 -
\??\c:\xfrrfrf.exec:\xfrrfrf.exe31⤵
- Executes dropped EXE
PID:3684 -
\??\c:\jjddv.exec:\jjddv.exe32⤵
- Executes dropped EXE
PID:3224 -
\??\c:\1lxxxxr.exec:\1lxxxxr.exe33⤵
- Executes dropped EXE
PID:3932 -
\??\c:\vpppv.exec:\vpppv.exe34⤵
- Executes dropped EXE
PID:3160 -
\??\c:\djjvv.exec:\djjvv.exe35⤵
- Executes dropped EXE
PID:1164 -
\??\c:\1hbbbh.exec:\1hbbbh.exe36⤵
- Executes dropped EXE
PID:2328 -
\??\c:\vdddj.exec:\vdddj.exe37⤵
- Executes dropped EXE
PID:2656 -
\??\c:\pjjpp.exec:\pjjpp.exe38⤵
- Executes dropped EXE
PID:968 -
\??\c:\lfffxrl.exec:\lfffxrl.exe39⤵
- Executes dropped EXE
PID:1968 -
\??\c:\1bbbtb.exec:\1bbbtb.exe40⤵
- Executes dropped EXE
PID:3840 -
\??\c:\jdddp.exec:\jdddp.exe41⤵
- Executes dropped EXE
PID:3312 -
\??\c:\fffxxxx.exec:\fffxxxx.exe42⤵
- Executes dropped EXE
PID:4808 -
\??\c:\hhbbtt.exec:\hhbbtt.exe43⤵
- Executes dropped EXE
PID:1584 -
\??\c:\jpjjd.exec:\jpjjd.exe44⤵
- Executes dropped EXE
PID:4112 -
\??\c:\lrlllrr.exec:\lrlllrr.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3912 -
\??\c:\nbnntb.exec:\nbnntb.exe46⤵
- Executes dropped EXE
PID:3248 -
\??\c:\nbbbnh.exec:\nbbbnh.exe47⤵
- Executes dropped EXE
PID:2928 -
\??\c:\vdddv.exec:\vdddv.exe48⤵
- Executes dropped EXE
PID:2196 -
\??\c:\flxlfxl.exec:\flxlfxl.exe49⤵
- Executes dropped EXE
PID:4184 -
\??\c:\9hbbhh.exec:\9hbbhh.exe50⤵
- Executes dropped EXE
PID:3460 -
\??\c:\vdvjj.exec:\vdvjj.exe51⤵
- Executes dropped EXE
PID:464 -
\??\c:\5fllfff.exec:\5fllfff.exe52⤵
- Executes dropped EXE
PID:32 -
\??\c:\frfxxxr.exec:\frfxxxr.exe53⤵
- Executes dropped EXE
PID:4584 -
\??\c:\bbbhhh.exec:\bbbhhh.exe54⤵
- Executes dropped EXE
PID:1852 -
\??\c:\vdddd.exec:\vdddd.exe55⤵
- Executes dropped EXE
PID:4460 -
\??\c:\llxlxxx.exec:\llxlxxx.exe56⤵
- Executes dropped EXE
PID:2784 -
\??\c:\jjvvd.exec:\jjvvd.exe57⤵
- Executes dropped EXE
PID:2188 -
\??\c:\jvjpp.exec:\jvjpp.exe58⤵
- Executes dropped EXE
PID:4392 -
\??\c:\rlfffxx.exec:\rlfffxx.exe59⤵
- Executes dropped EXE
PID:4440 -
\??\c:\tthhhn.exec:\tthhhn.exe60⤵
- Executes dropped EXE
PID:5036 -
\??\c:\hntbnt.exec:\hntbnt.exe61⤵
- Executes dropped EXE
PID:4832 -
\??\c:\ddpjj.exec:\ddpjj.exe62⤵
- Executes dropped EXE
PID:1632 -
\??\c:\lfrxfxf.exec:\lfrxfxf.exe63⤵
- Executes dropped EXE
PID:4160 -
\??\c:\1rrllff.exec:\1rrllff.exe64⤵
- Executes dropped EXE
PID:3996 -
\??\c:\btbbbb.exec:\btbbbb.exe65⤵
- Executes dropped EXE
PID:4700 -
\??\c:\vjdpp.exec:\vjdpp.exe66⤵PID:3184
-
\??\c:\xxllffl.exec:\xxllffl.exe67⤵PID:2088
-
\??\c:\lfrfxff.exec:\lfrfxff.exe68⤵PID:1940
-
\??\c:\bhbhnb.exec:\bhbhnb.exe69⤵PID:4108
-
\??\c:\vvjdd.exec:\vvjdd.exe70⤵PID:2592
-
\??\c:\xlllflx.exec:\xlllflx.exe71⤵PID:3448
-
\??\c:\htnhtn.exec:\htnhtn.exe72⤵PID:2952
-
\??\c:\ntnbtt.exec:\ntnbtt.exe73⤵PID:720
-
\??\c:\djdpj.exec:\djdpj.exe74⤵PID:752
-
\??\c:\llfffll.exec:\llfffll.exe75⤵PID:4980
-
\??\c:\ttbnnt.exec:\ttbnnt.exe76⤵PID:4360
-
\??\c:\pvvvv.exec:\pvvvv.exe77⤵PID:220
-
\??\c:\vpdjj.exec:\vpdjj.exe78⤵PID:3100
-
\??\c:\ffrrxff.exec:\ffrrxff.exe79⤵PID:3060
-
\??\c:\fflllll.exec:\fflllll.exe80⤵PID:3560
-
\??\c:\thbttt.exec:\thbttt.exe81⤵PID:4196
-
\??\c:\vjvpv.exec:\vjvpv.exe82⤵PID:1952
-
\??\c:\xxlrrrr.exec:\xxlrrrr.exe83⤵PID:2252
-
\??\c:\hbbnht.exec:\hbbnht.exe84⤵PID:1712
-
\??\c:\hhntbh.exec:\hhntbh.exe85⤵PID:2628
-
\??\c:\ppjjd.exec:\ppjjd.exe86⤵PID:3056
-
\??\c:\5fffflf.exec:\5fffflf.exe87⤵PID:3844
-
\??\c:\tbbbht.exec:\tbbbht.exe88⤵PID:4036
-
\??\c:\jvvvd.exec:\jvvvd.exe89⤵PID:4168
-
\??\c:\vpdjd.exec:\vpdjd.exe90⤵PID:4960
-
\??\c:\xrlxrlr.exec:\xrlxrlr.exe91⤵PID:1460
-
\??\c:\nhbtht.exec:\nhbtht.exe92⤵PID:4540
-
\??\c:\vpvvp.exec:\vpvvp.exe93⤵PID:2484
-
\??\c:\vvjdj.exec:\vvjdj.exe94⤵PID:4192
-
\??\c:\frfrfxl.exec:\frfrfxl.exe95⤵PID:1104
-
\??\c:\nhhtnb.exec:\nhhtnb.exe96⤵PID:2504
-
\??\c:\ddvpp.exec:\ddvpp.exe97⤵PID:452
-
\??\c:\rlxxxxx.exec:\rlxxxxx.exe98⤵PID:1468
-
\??\c:\nnnbbh.exec:\nnnbbh.exe99⤵PID:3892
-
\??\c:\tthhhn.exec:\tthhhn.exe100⤵PID:4088
-
\??\c:\dpppp.exec:\dpppp.exe101⤵PID:4188
-
\??\c:\5xxrrfx.exec:\5xxrrfx.exe102⤵PID:3236
-
\??\c:\bnhnnn.exec:\bnhnnn.exe103⤵PID:3420
-
\??\c:\5ttnnt.exec:\5ttnnt.exe104⤵PID:3176
-
\??\c:\djdvv.exec:\djdvv.exe105⤵PID:3540
-
\??\c:\rlrffrl.exec:\rlrffrl.exe106⤵PID:4372
-
\??\c:\tntttb.exec:\tntttb.exe107⤵PID:764
-
\??\c:\jdjvj.exec:\jdjvj.exe108⤵PID:932
-
\??\c:\dvpdv.exec:\dvpdv.exe109⤵PID:4636
-
\??\c:\xlrxffl.exec:\xlrxffl.exe110⤵PID:4996
-
\??\c:\flfffll.exec:\flfffll.exe111⤵PID:4076
-
\??\c:\nbhhnn.exec:\nbhhnn.exe112⤵PID:968
-
\??\c:\ddjjj.exec:\ddjjj.exe113⤵PID:5080
-
\??\c:\xfxrxxl.exec:\xfxrxxl.exe114⤵PID:4776
-
\??\c:\1tnnnt.exec:\1tnnnt.exe115⤵PID:3312
-
\??\c:\tbhttt.exec:\tbhttt.exe116⤵PID:2604
-
\??\c:\jpjjj.exec:\jpjjj.exe117⤵PID:1944
-
\??\c:\1xfflll.exec:\1xfflll.exe118⤵PID:3108
-
\??\c:\rrfxllx.exec:\rrfxllx.exe119⤵PID:4100
-
\??\c:\3ntttt.exec:\3ntttt.exe120⤵PID:4672
-
\??\c:\jvddv.exec:\jvddv.exe121⤵PID:1352
-
\??\c:\vdppj.exec:\vdppj.exe122⤵PID:2700