Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:53
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe
-
Size
454KB
-
MD5
7886bff74d479f96c5130cb071e9eb6f
-
SHA1
11f83b51668647de96085a3b5d8866a859a98924
-
SHA256
a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c
-
SHA512
6f638a23de292d556ff6235fdeb6eb91bcdf2eaf01b91d159fe869f5432780c2211ddc009e9c6c9829a9f8ff30898d8982165f8bd57087a963df83bc04da697e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2912-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4788-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4628-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-1030-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-1242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-1874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (only the first 64 events are listed here; the process tree below shows the drop-and-execute chain continuing well past these entries, so the real count is higher)
pid Process 4516 vpdvv.exe 4492 xlllfff.exe 2304 pjpjd.exe 3872 thhtth.exe 4868 djjdv.exe 768 rfrfxxr.exe 5040 vddpj.exe 1704 9llfrxr.exe 1664 tnnhbt.exe 948 vddvj.exe 2680 nthbnt.exe 4460 vvvdp.exe 3028 1xrrllf.exe 4628 btnhbb.exe 2640 jdvpv.exe 2832 tntnnb.exe 1288 9llrfff.exe 3424 nbbnbt.exe 1512 jpvpj.exe 3952 bnbthb.exe 2008 vpvpj.exe 2908 nnnhhh.exe 3416 jjjdv.exe 3064 nbhbtn.exe 4832 ntbnbt.exe 4788 7pvjv.exe 2228 bbttnb.exe 376 3pvpv.exe 4872 nhttbb.exe 1996 lrrfffx.exe 452 bhhtnh.exe 2540 ppdvj.exe 1172 vvdvj.exe 4748 3fflxrl.exe 1956 bttnnn.exe 2720 fxfllxx.exe 2312 nbbtnn.exe 4104 jdjdp.exe 436 3vdvj.exe 3108 7btnbt.exe 2664 hbhbnn.exe 5008 dpjpj.exe 2332 7flxrlx.exe 4480 5ttntn.exe 1616 jjjdv.exe 3904 fflrffx.exe 2884 1hhnnn.exe 856 5vdjd.exe 2912 lllrlll.exe 2932 nhnnnn.exe 2108 3ddvp.exe 3348 fxrlfxr.exe 1672 btbbtb.exe 3636 9dppp.exe 2464 xxxxrrl.exe 4868 tbbtnn.exe 2148 bttnnn.exe 3624 3pvpp.exe 404 3llxlfr.exe 3516 htbtnn.exe 60 pjjdv.exe 3436 rrrfxrr.exe 1664 flxxrrl.exe 228 tttnhh.exe -
resource yara_rule behavioral2/memory/2912-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2228-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2908-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-878-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the processes open HKLM\SYSTEM\ControlSet001\Control\NLS\Language; events attributed to "Process not Found" are ones the sandbox could not map back to a live process, presumably because the short-lived child had already exited.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrlrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
rrffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (only the first 64 events are listed here; each parent writes into the child it just spawned, and the chain in the process tree below continues beyond the last entry shown)
description pid Process procid_target PID 2912 wrote to memory of 4516 2912 a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe 82 PID 2912 wrote to memory of 4516 2912 a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe 82 PID 2912 wrote to memory of 4516 2912 a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe 82 PID 4516 wrote to memory of 4492 4516 vpdvv.exe 83 PID 4516 wrote to memory of 4492 4516 vpdvv.exe 83 PID 4516 wrote to memory of 4492 4516 vpdvv.exe 83 PID 4492 wrote to memory of 2304 4492 xlllfff.exe 84 PID 4492 wrote to memory of 2304 4492 xlllfff.exe 84 PID 4492 wrote to memory of 2304 4492 xlllfff.exe 84 PID 2304 wrote to memory of 3872 2304 pjpjd.exe 85 PID 2304 wrote to memory of 3872 2304 pjpjd.exe 85 PID 2304 wrote to memory of 3872 2304 pjpjd.exe 85 PID 3872 wrote to memory of 4868 3872 thhtth.exe 86 PID 3872 wrote to memory of 4868 3872 thhtth.exe 86 PID 3872 wrote to memory of 4868 3872 thhtth.exe 86 PID 4868 wrote to memory of 768 4868 djjdv.exe 87 PID 4868 wrote to memory of 768 4868 djjdv.exe 87 PID 4868 wrote to memory of 768 4868 djjdv.exe 87 PID 768 wrote to memory of 5040 768 rfrfxxr.exe 88 PID 768 wrote to memory of 5040 768 rfrfxxr.exe 88 PID 768 wrote to memory of 5040 768 rfrfxxr.exe 88 PID 5040 wrote to memory of 1704 5040 vddpj.exe 89 PID 5040 wrote to memory of 1704 5040 vddpj.exe 89 PID 5040 wrote to memory of 1704 5040 vddpj.exe 89 PID 1704 wrote to memory of 1664 1704 9llfrxr.exe 90 PID 1704 wrote to memory of 1664 1704 9llfrxr.exe 90 PID 1704 wrote to memory of 1664 1704 9llfrxr.exe 90 PID 1664 wrote to memory of 948 1664 tnnhbt.exe 91 PID 1664 wrote to memory of 948 1664 tnnhbt.exe 91 PID 1664 wrote to memory of 948 1664 tnnhbt.exe 91 PID 948 wrote to memory of 2680 948 vddvj.exe 92 PID 948 wrote to memory of 2680 948 vddvj.exe 92 PID 948 wrote to memory of 2680 948 vddvj.exe 92 PID 2680 wrote to memory of 4460 2680 nthbnt.exe 93 PID 2680 wrote to memory of 4460 2680 
nthbnt.exe 93 PID 2680 wrote to memory of 4460 2680 nthbnt.exe 93 PID 4460 wrote to memory of 3028 4460 vvvdp.exe 94 PID 4460 wrote to memory of 3028 4460 vvvdp.exe 94 PID 4460 wrote to memory of 3028 4460 vvvdp.exe 94 PID 3028 wrote to memory of 4628 3028 1xrrllf.exe 95 PID 3028 wrote to memory of 4628 3028 1xrrllf.exe 95 PID 3028 wrote to memory of 4628 3028 1xrrllf.exe 95 PID 4628 wrote to memory of 2640 4628 btnhbb.exe 96 PID 4628 wrote to memory of 2640 4628 btnhbb.exe 96 PID 4628 wrote to memory of 2640 4628 btnhbb.exe 96 PID 2640 wrote to memory of 2832 2640 jdvpv.exe 97 PID 2640 wrote to memory of 2832 2640 jdvpv.exe 97 PID 2640 wrote to memory of 2832 2640 jdvpv.exe 97 PID 2832 wrote to memory of 1288 2832 tntnnb.exe 98 PID 2832 wrote to memory of 1288 2832 tntnnb.exe 98 PID 2832 wrote to memory of 1288 2832 tntnnb.exe 98 PID 1288 wrote to memory of 3424 1288 9llrfff.exe 99 PID 1288 wrote to memory of 3424 1288 9llrfff.exe 99 PID 1288 wrote to memory of 3424 1288 9llrfff.exe 99 PID 3424 wrote to memory of 1512 3424 nbbnbt.exe 100 PID 3424 wrote to memory of 1512 3424 nbbnbt.exe 100 PID 3424 wrote to memory of 1512 3424 nbbnbt.exe 100 PID 1512 wrote to memory of 3952 1512 jpvpj.exe 101 PID 1512 wrote to memory of 3952 1512 jpvpj.exe 101 PID 1512 wrote to memory of 3952 1512 jpvpj.exe 101 PID 3952 wrote to memory of 2008 3952 bnbthb.exe 102 PID 3952 wrote to memory of 2008 3952 bnbthb.exe 102 PID 3952 wrote to memory of 2008 3952 bnbthb.exe 102 PID 2008 wrote to memory of 2908 2008 vpvpj.exe 103
Processes (note: PIDs are recycled during the run — e.g. 2912 appears as both the submitted sample and, later, lllrlll.exe; 4868 as both djjdv.exe and tbbtnn.exe — so correlate events by parent/child chain and depth rather than by PID alone)
-
C:\Users\Admin\AppData\Local\Temp\a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe"C:\Users\Admin\AppData\Local\Temp\a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\vpdvv.exec:\vpdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\xlllfff.exec:\xlllfff.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\pjpjd.exec:\pjpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\thhtth.exec:\thhtth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\djjdv.exec:\djjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\rfrfxxr.exec:\rfrfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\vddpj.exec:\vddpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\9llfrxr.exec:\9llfrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\tnnhbt.exec:\tnnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\vddvj.exec:\vddvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\nthbnt.exec:\nthbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\vvvdp.exec:\vvvdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\1xrrllf.exec:\1xrrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\btnhbb.exec:\btnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\jdvpv.exec:\jdvpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\tntnnb.exec:\tntnnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\9llrfff.exec:\9llrfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\nbbnbt.exec:\nbbnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\jpvpj.exec:\jpvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\bnbthb.exec:\bnbthb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\vpvpj.exec:\vpvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\nnnhhh.exec:\nnnhhh.exe23⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jjjdv.exec:\jjjdv.exe24⤵
- Executes dropped EXE
PID:3416 -
\??\c:\nbhbtn.exec:\nbhbtn.exe25⤵
- Executes dropped EXE
PID:3064 -
\??\c:\ntbnbt.exec:\ntbnbt.exe26⤵
- Executes dropped EXE
PID:4832 -
\??\c:\7pvjv.exec:\7pvjv.exe27⤵
- Executes dropped EXE
PID:4788 -
\??\c:\bbttnb.exec:\bbttnb.exe28⤵
- Executes dropped EXE
PID:2228 -
\??\c:\3pvpv.exec:\3pvpv.exe29⤵
- Executes dropped EXE
PID:376 -
\??\c:\nhttbb.exec:\nhttbb.exe30⤵
- Executes dropped EXE
PID:4872 -
\??\c:\lrrfffx.exec:\lrrfffx.exe31⤵
- Executes dropped EXE
PID:1996 -
\??\c:\bhhtnh.exec:\bhhtnh.exe32⤵
- Executes dropped EXE
PID:452 -
\??\c:\ppdvj.exec:\ppdvj.exe33⤵
- Executes dropped EXE
PID:2540 -
\??\c:\vvdvj.exec:\vvdvj.exe34⤵
- Executes dropped EXE
PID:1172 -
\??\c:\3fflxrl.exec:\3fflxrl.exe35⤵
- Executes dropped EXE
PID:4748 -
\??\c:\bttnnn.exec:\bttnnn.exe36⤵
- Executes dropped EXE
PID:1956 -
\??\c:\fxfllxx.exec:\fxfllxx.exe37⤵
- Executes dropped EXE
PID:2720 -
\??\c:\nbbtnn.exec:\nbbtnn.exe38⤵
- Executes dropped EXE
PID:2312 -
\??\c:\jdjdp.exec:\jdjdp.exe39⤵
- Executes dropped EXE
PID:4104 -
\??\c:\3vdvj.exec:\3vdvj.exe40⤵
- Executes dropped EXE
PID:436 -
\??\c:\7btnbt.exec:\7btnbt.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3108 -
\??\c:\hbhbnn.exec:\hbhbnn.exe42⤵
- Executes dropped EXE
PID:2664 -
\??\c:\dpjpj.exec:\dpjpj.exe43⤵
- Executes dropped EXE
PID:5008 -
\??\c:\7flxrlx.exec:\7flxrlx.exe44⤵
- Executes dropped EXE
PID:2332 -
\??\c:\5ttntn.exec:\5ttntn.exe45⤵
- Executes dropped EXE
PID:4480 -
\??\c:\jjjdv.exec:\jjjdv.exe46⤵
- Executes dropped EXE
PID:1616 -
\??\c:\fflrffx.exec:\fflrffx.exe47⤵
- Executes dropped EXE
PID:3904 -
\??\c:\1hhnnn.exec:\1hhnnn.exe48⤵
- Executes dropped EXE
PID:2884 -
\??\c:\5vdjd.exec:\5vdjd.exe49⤵
- Executes dropped EXE
PID:856 -
\??\c:\lllrlll.exec:\lllrlll.exe50⤵
- Executes dropped EXE
PID:2912 -
\??\c:\nhnnnn.exec:\nhnnnn.exe51⤵
- Executes dropped EXE
PID:2932 -
\??\c:\3ddvp.exec:\3ddvp.exe52⤵
- Executes dropped EXE
PID:2108 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe53⤵
- Executes dropped EXE
PID:3348 -
\??\c:\btbbtb.exec:\btbbtb.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1672 -
\??\c:\9dppp.exec:\9dppp.exe55⤵
- Executes dropped EXE
PID:3636 -
\??\c:\xxxxrrl.exec:\xxxxrrl.exe56⤵
- Executes dropped EXE
PID:2464 -
\??\c:\tbbtnn.exec:\tbbtnn.exe57⤵
- Executes dropped EXE
PID:4868 -
\??\c:\bttnnn.exec:\bttnnn.exe58⤵
- Executes dropped EXE
PID:2148 -
\??\c:\3pvpp.exec:\3pvpp.exe59⤵
- Executes dropped EXE
PID:3624 -
\??\c:\3llxlfr.exec:\3llxlfr.exe60⤵
- Executes dropped EXE
PID:404 -
\??\c:\htbtnn.exec:\htbtnn.exe61⤵
- Executes dropped EXE
PID:3516 -
\??\c:\pjjdv.exec:\pjjdv.exe62⤵
- Executes dropped EXE
PID:60 -
\??\c:\rrrfxrr.exec:\rrrfxrr.exe63⤵
- Executes dropped EXE
PID:3436 -
\??\c:\flxxrrl.exec:\flxxrrl.exe64⤵
- Executes dropped EXE
PID:1664 -
\??\c:\tttnhh.exec:\tttnhh.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:228 -
\??\c:\djpjd.exec:\djpjd.exe66⤵PID:4232
-
\??\c:\rxfrlfr.exec:\rxfrlfr.exe67⤵PID:3092
-
\??\c:\nthhhh.exec:\nthhhh.exe68⤵PID:700
-
\??\c:\pjpdd.exec:\pjpdd.exe69⤵PID:3520
-
\??\c:\fffxllf.exec:\fffxllf.exe70⤵PID:1936
-
\??\c:\htnhbt.exec:\htnhbt.exe71⤵PID:4628
-
\??\c:\dddvv.exec:\dddvv.exe72⤵PID:2640
-
\??\c:\lxxlrlx.exec:\lxxlrlx.exe73⤵PID:2856
-
\??\c:\llrlffx.exec:\llrlffx.exe74⤵PID:3788
-
\??\c:\nthnhb.exec:\nthnhb.exe75⤵PID:3512
-
\??\c:\ppjjv.exec:\ppjjv.exe76⤵PID:3424
-
\??\c:\fxxxrrx.exec:\fxxxrrx.exe77⤵PID:3832
-
\??\c:\1lrlllr.exec:\1lrlllr.exe78⤵PID:4236
-
\??\c:\7hhbbb.exec:\7hhbbb.exe79⤵PID:3952
-
\??\c:\ppjjp.exec:\ppjjp.exe80⤵PID:2008
-
\??\c:\hbhnht.exec:\hbhnht.exe81⤵PID:2908
-
\??\c:\bttttt.exec:\bttttt.exe82⤵PID:464
-
\??\c:\3jjjd.exec:\3jjjd.exe83⤵PID:980
-
\??\c:\fffxxxx.exec:\fffxxxx.exe84⤵PID:5112
-
\??\c:\rxlrfrx.exec:\rxlrfrx.exe85⤵PID:536
-
\??\c:\ppjpj.exec:\ppjpj.exe86⤵PID:712
-
\??\c:\vvvpj.exec:\vvvpj.exe87⤵PID:1192
-
\??\c:\tnbtnh.exec:\tnbtnh.exe88⤵PID:4548
-
\??\c:\5hbthb.exec:\5hbthb.exe89⤵PID:2128
-
\??\c:\xrfxxxx.exec:\xrfxxxx.exe90⤵PID:4980
-
\??\c:\lfffxxr.exec:\lfffxxr.exe91⤵PID:5024
-
\??\c:\hhnhhh.exec:\hhnhhh.exe92⤵PID:1996
-
\??\c:\7dvpj.exec:\7dvpj.exe93⤵PID:2204
-
\??\c:\dvddd.exec:\dvddd.exe94⤵PID:3452
-
\??\c:\9rrlllf.exec:\9rrlllf.exe95⤵PID:3500
-
\??\c:\bhnhbb.exec:\bhnhbb.exe96⤵PID:3256
-
\??\c:\vdddv.exec:\vdddv.exe97⤵PID:2936
-
\??\c:\lfxrlff.exec:\lfxrlff.exe98⤵PID:4600
-
\??\c:\rlxfllr.exec:\rlxfllr.exe99⤵PID:2720
-
\??\c:\bbnhnh.exec:\bbnhnh.exe100⤵PID:2312
-
\??\c:\vjjjd.exec:\vjjjd.exe101⤵PID:4104
-
\??\c:\1ppjv.exec:\1ppjv.exe102⤵PID:1856
-
\??\c:\xxlrfrx.exec:\xxlrfrx.exe103⤵PID:3108
-
\??\c:\bttnnh.exec:\bttnnh.exe104⤵PID:2664
-
\??\c:\1ddvd.exec:\1ddvd.exe105⤵PID:4984
-
\??\c:\9xxxrff.exec:\9xxxrff.exe106⤵PID:2332
-
\??\c:\1fxrllf.exec:\1fxrllf.exe107⤵PID:2292
-
\??\c:\tntnhn.exec:\tntnhn.exe108⤵PID:2552
-
\??\c:\ddddd.exec:\ddddd.exe109⤵PID:4284
-
\??\c:\dpvpp.exec:\dpvpp.exe110⤵PID:4304
-
\??\c:\1lrlrxx.exec:\1lrlrxx.exe111⤵
- System Location Discovery: System Language Discovery
PID:2064 -
\??\c:\hhbthh.exec:\hhbthh.exe112⤵PID:4472
-
\??\c:\tnntnn.exec:\tnntnn.exe113⤵PID:1736
-
\??\c:\pjdvv.exec:\pjdvv.exe114⤵PID:4492
-
\??\c:\rlrlffx.exec:\rlrlffx.exe115⤵PID:320
-
\??\c:\hnbtbb.exec:\hnbtbb.exe116⤵PID:2904
-
\??\c:\vvvvp.exec:\vvvvp.exe117⤵
- System Location Discovery: System Language Discovery
PID:4332 -
\??\c:\dvpjp.exec:\dvpjp.exe118⤵PID:5028
-
\??\c:\lxxxrrl.exec:\lxxxrrl.exe119⤵PID:3456
-
\??\c:\tttbth.exec:\tttbth.exe120⤵PID:2804
-
\??\c:\vvvpj.exec:\vvvpj.exe121⤵PID:1944
-
\??\c:\pjvpj.exec:\pjvpj.exe122⤵PID:4412