Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 05:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b087d408416b8988357bacf4ff9529f80b93264314f44678d690d56fb5db0217.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b087d408416b8988357bacf4ff9529f80b93264314f44678d690d56fb5db0217.exe
-
Size
454KB
-
MD5
41eb7578cc7fc82e14a32a8875ede202
-
SHA1
db5c4f47082b3ebd99a1e414599a127e29bf7127
-
SHA256
b087d408416b8988357bacf4ff9529f80b93264314f44678d690d56fb5db0217
-
SHA512
6e0526104efce0ffed26c02c400cb6eb3feb80b773994e31b357bf02863603702fcbbd199dfe3ce35f706d281fc64f53f72df3058357cd81c7ec03bc4ef2971e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ6:q7Tc2NYHUrAwfMp3CDJ6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3148-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4296-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3448-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-876-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-1070-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-1564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4092-1748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4088 9lllrrr.exe 4100 hnttnn.exe 4300 jjpvd.exe 3724 lfrlxll.exe 2336 btbnbh.exe 2200 pvjdp.exe 4648 ffrrrxx.exe 3168 tnhhnt.exe 3772 7pppp.exe 3684 hnhbhb.exe 3408 7vjpp.exe 2652 hbnbbt.exe 2392 9rfxxrx.exe 1796 btbbbb.exe 3292 jpddd.exe 944 7tbnhh.exe 4188 dpvpp.exe 764 hntnhb.exe 2260 dpdvj.exe 4880 fxlllfl.exe 696 frxxrrl.exe 4712 lxxrrrr.exe 4488 tbbhbt.exe 2592 pjdvj.exe 3220 thnbnb.exe 4260 lflffxx.exe 3448 tnthth.exe 1452 fxrlrrr.exe 4632 xfrlffx.exe 2932 ddvdj.exe 4296 fxflllr.exe 3608 3bhbtn.exe 3844 frxxlxx.exe 4068 thhthb.exe 4616 jjdpv.exe 4164 rflxxrx.exe 1012 nntnbt.exe 3368 vpjvp.exe 432 fxxlfxl.exe 1100 hbbtnh.exe 3796 9ppjp.exe 3172 xrrlfrf.exe 1180 hhttbh.exe 4588 jjdjd.exe 2228 xlxlxrf.exe 4476 hhntbt.exe 2160 jdpdv.exe 1632 1xfrxrx.exe 1932 9lfxrll.exe 1020 httnbb.exe 2152 pddpv.exe 4020 lrrfrlx.exe 3452 xlxflfx.exe 1748 nnthth.exe 2996 1pdpd.exe 4696 3fxlffr.exe 4548 tnnnhb.exe 2652 bbhbnh.exe 3028 ppvpd.exe 2004 5rrfrlx.exe 1796 nbthbt.exe 3388 pvpdp.exe 3600 xrrrrll.exe 4420 tttnnh.exe -
resource yara_rule behavioral2/memory/3148-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-186-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3844-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-399-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2228-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-876-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-988-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3148 wrote to memory of 4088 3148 b087d408416b8988357bacf4ff9529f80b93264314f44678d690d56fb5db0217.exe 83 PID 3148 wrote to memory of 4088 3148 b087d408416b8988357bacf4ff9529f80b93264314f44678d690d56fb5db0217.exe 83 PID 3148 wrote to memory of 4088 3148 b087d408416b8988357bacf4ff9529f80b93264314f44678d690d56fb5db0217.exe 83 PID 4088 wrote to memory of 4100 4088 9lllrrr.exe 84 PID 4088 wrote to memory of 4100 4088 9lllrrr.exe 84 PID 4088 wrote to memory of 4100 4088 9lllrrr.exe 84 PID 4100 wrote to memory of 4300 4100 hnttnn.exe 85 PID 4100 wrote to memory of 4300 4100 hnttnn.exe 85 PID 4100 wrote to memory of 4300 4100 hnttnn.exe 85 PID 4300 wrote to memory of 3724 4300 jjpvd.exe 86 PID 4300 wrote to memory of 3724 4300 jjpvd.exe 86 PID 4300 wrote to memory of 3724 4300 jjpvd.exe 86 PID 3724 wrote to memory of 2336 3724 lfrlxll.exe 87 PID 3724 wrote to memory of 2336 3724 lfrlxll.exe 87 PID 3724 wrote to memory of 2336 3724 lfrlxll.exe 87 PID 2336 wrote to memory of 2200 2336 btbnbh.exe 88 PID 2336 wrote to memory of 2200 2336 btbnbh.exe 88 PID 2336 wrote to memory of 2200 2336 btbnbh.exe 88 PID 2200 wrote to memory of 4648 2200 pvjdp.exe 89 PID 2200 wrote to memory of 4648 2200 pvjdp.exe 89 PID 2200 wrote to memory of 4648 2200 pvjdp.exe 89 PID 4648 wrote to memory of 3168 4648 ffrrrxx.exe 90 PID 4648 wrote to memory of 3168 4648 ffrrrxx.exe 90 PID 4648 wrote to memory of 3168 4648 ffrrrxx.exe 90 PID 3168 wrote to memory of 3772 3168 tnhhnt.exe 91 PID 3168 wrote to memory of 3772 3168 tnhhnt.exe 91 PID 3168 wrote to memory of 3772 3168 tnhhnt.exe 91 PID 3772 wrote to memory of 3684 3772 7pppp.exe 92 PID 3772 wrote to memory of 3684 3772 7pppp.exe 92 PID 3772 wrote to memory of 3684 3772 7pppp.exe 92 PID 3684 wrote to memory of 3408 3684 hnhbhb.exe 93 PID 3684 wrote to memory of 3408 3684 hnhbhb.exe 93 PID 3684 wrote to memory of 3408 3684 hnhbhb.exe 93 PID 3408 wrote to memory of 2652 3408 7vjpp.exe 94 PID 3408 wrote to 
memory of 2652 3408 7vjpp.exe 94 PID 3408 wrote to memory of 2652 3408 7vjpp.exe 94 PID 2652 wrote to memory of 2392 2652 hbnbbt.exe 95 PID 2652 wrote to memory of 2392 2652 hbnbbt.exe 95 PID 2652 wrote to memory of 2392 2652 hbnbbt.exe 95 PID 2392 wrote to memory of 1796 2392 9rfxxrx.exe 96 PID 2392 wrote to memory of 1796 2392 9rfxxrx.exe 96 PID 2392 wrote to memory of 1796 2392 9rfxxrx.exe 96 PID 1796 wrote to memory of 3292 1796 btbbbb.exe 97 PID 1796 wrote to memory of 3292 1796 btbbbb.exe 97 PID 1796 wrote to memory of 3292 1796 btbbbb.exe 97 PID 3292 wrote to memory of 944 3292 jpddd.exe 98 PID 3292 wrote to memory of 944 3292 jpddd.exe 98 PID 3292 wrote to memory of 944 3292 jpddd.exe 98 PID 944 wrote to memory of 4188 944 7tbnhh.exe 99 PID 944 wrote to memory of 4188 944 7tbnhh.exe 99 PID 944 wrote to memory of 4188 944 7tbnhh.exe 99 PID 4188 wrote to memory of 764 4188 dpvpp.exe 100 PID 4188 wrote to memory of 764 4188 dpvpp.exe 100 PID 4188 wrote to memory of 764 4188 dpvpp.exe 100 PID 764 wrote to memory of 2260 764 hntnhb.exe 101 PID 764 wrote to memory of 2260 764 hntnhb.exe 101 PID 764 wrote to memory of 2260 764 hntnhb.exe 101 PID 2260 wrote to memory of 4880 2260 dpdvj.exe 102 PID 2260 wrote to memory of 4880 2260 dpdvj.exe 102 PID 2260 wrote to memory of 4880 2260 dpdvj.exe 102 PID 4880 wrote to memory of 696 4880 fxlllfl.exe 103 PID 4880 wrote to memory of 696 4880 fxlllfl.exe 103 PID 4880 wrote to memory of 696 4880 fxlllfl.exe 103 PID 696 wrote to memory of 4712 696 frxxrrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b087d408416b8988357bacf4ff9529f80b93264314f44678d690d56fb5db0217.exe"C:\Users\Admin\AppData\Local\Temp\b087d408416b8988357bacf4ff9529f80b93264314f44678d690d56fb5db0217.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\9lllrrr.exec:\9lllrrr.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\hnttnn.exec:\hnttnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\jjpvd.exec:\jjpvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\lfrlxll.exec:\lfrlxll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\btbnbh.exec:\btbnbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\pvjdp.exec:\pvjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\ffrrrxx.exec:\ffrrrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\tnhhnt.exec:\tnhhnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\7pppp.exec:\7pppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\hnhbhb.exec:\hnhbhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\7vjpp.exec:\7vjpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\hbnbbt.exec:\hbnbbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\9rfxxrx.exec:\9rfxxrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\btbbbb.exec:\btbbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\jpddd.exec:\jpddd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\7tbnhh.exec:\7tbnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\dpvpp.exec:\dpvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\hntnhb.exec:\hntnhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\dpdvj.exec:\dpdvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\fxlllfl.exec:\fxlllfl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\frxxrrl.exec:\frxxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\lxxrrrr.exec:\lxxrrrr.exe23⤵
- Executes dropped EXE
PID:4712 -
\??\c:\tbbhbt.exec:\tbbhbt.exe24⤵
- Executes dropped EXE
PID:4488 -
\??\c:\pjdvj.exec:\pjdvj.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592 -
\??\c:\thnbnb.exec:\thnbnb.exe26⤵
- Executes dropped EXE
PID:3220 -
\??\c:\lflffxx.exec:\lflffxx.exe27⤵
- Executes dropped EXE
PID:4260 -
\??\c:\tnthth.exec:\tnthth.exe28⤵
- Executes dropped EXE
PID:3448 -
\??\c:\fxrlrrr.exec:\fxrlrrr.exe29⤵
- Executes dropped EXE
PID:1452 -
\??\c:\xfrlffx.exec:\xfrlffx.exe30⤵
- Executes dropped EXE
PID:4632 -
\??\c:\ddvdj.exec:\ddvdj.exe31⤵
- Executes dropped EXE
PID:2932 -
\??\c:\fxflllr.exec:\fxflllr.exe32⤵
- Executes dropped EXE
PID:4296 -
\??\c:\3bhbtn.exec:\3bhbtn.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3608 -
\??\c:\frxxlxx.exec:\frxxlxx.exe34⤵
- Executes dropped EXE
PID:3844 -
\??\c:\thhthb.exec:\thhthb.exe35⤵
- Executes dropped EXE
PID:4068 -
\??\c:\jjdpv.exec:\jjdpv.exe36⤵
- Executes dropped EXE
PID:4616 -
\??\c:\rflxxrx.exec:\rflxxrx.exe37⤵
- Executes dropped EXE
PID:4164 -
\??\c:\nntnbt.exec:\nntnbt.exe38⤵
- Executes dropped EXE
PID:1012 -
\??\c:\vpjvp.exec:\vpjvp.exe39⤵
- Executes dropped EXE
PID:3368 -
\??\c:\fxxlfxl.exec:\fxxlfxl.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:432 -
\??\c:\hbbtnh.exec:\hbbtnh.exe41⤵
- Executes dropped EXE
PID:1100 -
\??\c:\9ppjp.exec:\9ppjp.exe42⤵
- Executes dropped EXE
PID:3796 -
\??\c:\xrrlfrf.exec:\xrrlfrf.exe43⤵
- Executes dropped EXE
PID:3172 -
\??\c:\hhttbh.exec:\hhttbh.exe44⤵
- Executes dropped EXE
PID:1180 -
\??\c:\jjdjd.exec:\jjdjd.exe45⤵
- Executes dropped EXE
PID:4588 -
\??\c:\xlxlxrf.exec:\xlxlxrf.exe46⤵
- Executes dropped EXE
PID:2228 -
\??\c:\hhntbt.exec:\hhntbt.exe47⤵
- Executes dropped EXE
PID:4476 -
\??\c:\jdpdv.exec:\jdpdv.exe48⤵
- Executes dropped EXE
PID:2160 -
\??\c:\1xfrxrx.exec:\1xfrxrx.exe49⤵
- Executes dropped EXE
PID:1632 -
\??\c:\9lfxrll.exec:\9lfxrll.exe50⤵
- Executes dropped EXE
PID:1932 -
\??\c:\httnbb.exec:\httnbb.exe51⤵
- Executes dropped EXE
PID:1020 -
\??\c:\pddpv.exec:\pddpv.exe52⤵
- Executes dropped EXE
PID:2152 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe53⤵
- Executes dropped EXE
PID:4020 -
\??\c:\xlxflfx.exec:\xlxflfx.exe54⤵
- Executes dropped EXE
PID:3452 -
\??\c:\nnthth.exec:\nnthth.exe55⤵
- Executes dropped EXE
PID:1748 -
\??\c:\1pdpd.exec:\1pdpd.exe56⤵
- Executes dropped EXE
PID:2996 -
\??\c:\3fxlffr.exec:\3fxlffr.exe57⤵
- Executes dropped EXE
PID:4696 -
\??\c:\tnnnhb.exec:\tnnnhb.exe58⤵
- Executes dropped EXE
PID:4548 -
\??\c:\bbhbnh.exec:\bbhbnh.exe59⤵
- Executes dropped EXE
PID:2652 -
\??\c:\ppvpd.exec:\ppvpd.exe60⤵
- Executes dropped EXE
PID:3028 -
\??\c:\5rrfrlx.exec:\5rrfrlx.exe61⤵
- Executes dropped EXE
PID:2004 -
\??\c:\nbthbt.exec:\nbthbt.exe62⤵
- Executes dropped EXE
PID:1796 -
\??\c:\pvpdp.exec:\pvpdp.exe63⤵
- Executes dropped EXE
PID:3388 -
\??\c:\xrrrrll.exec:\xrrrrll.exe64⤵
- Executes dropped EXE
PID:3600 -
\??\c:\tttnnh.exec:\tttnnh.exe65⤵
- Executes dropped EXE
PID:4420 -
\??\c:\thnhtn.exec:\thnhtn.exe66⤵PID:3676
-
\??\c:\7vvjd.exec:\7vvjd.exe67⤵PID:2488
-
\??\c:\rfxxlrx.exec:\rfxxlrx.exe68⤵PID:4676
-
\??\c:\nbtnnh.exec:\nbtnnh.exe69⤵PID:740
-
\??\c:\vjjdv.exec:\vjjdv.exe70⤵PID:5104
-
\??\c:\vpppd.exec:\vpppd.exe71⤵PID:2540
-
\??\c:\3rrfrlx.exec:\3rrfrlx.exe72⤵PID:3252
-
\??\c:\btbtth.exec:\btbtth.exe73⤵PID:4372
-
\??\c:\dddpv.exec:\dddpv.exe74⤵PID:3988
-
\??\c:\7llfrlx.exec:\7llfrlx.exe75⤵PID:668
-
\??\c:\fflffxf.exec:\fflffxf.exe76⤵PID:3196
-
\??\c:\nnbhnb.exec:\nnbhnb.exe77⤵PID:1244
-
\??\c:\9lllfff.exec:\9lllfff.exe78⤵PID:4936
-
\??\c:\bhnhbb.exec:\bhnhbb.exe79⤵PID:3680
-
\??\c:\hbnhtt.exec:\hbnhtt.exe80⤵PID:5008
-
\??\c:\lfrlxxx.exec:\lfrlxxx.exe81⤵PID:4576
-
\??\c:\bbbnbb.exec:\bbbnbb.exe82⤵PID:1008
-
\??\c:\ntbnbn.exec:\ntbnbn.exe83⤵
- System Location Discovery: System Language Discovery
PID:4524 -
\??\c:\vjdvj.exec:\vjdvj.exe84⤵PID:5000
-
\??\c:\fflflll.exec:\fflflll.exe85⤵PID:3448
-
\??\c:\hbbhnn.exec:\hbbhnn.exe86⤵PID:4952
-
\??\c:\pjpjd.exec:\pjpjd.exe87⤵PID:3980
-
\??\c:\pjvjv.exec:\pjvjv.exe88⤵PID:1160
-
\??\c:\rrxlrrf.exec:\rrxlrrf.exe89⤵PID:992
-
\??\c:\bntnbt.exec:\bntnbt.exe90⤵PID:4628
-
\??\c:\tbhtbb.exec:\tbhtbb.exe91⤵PID:1368
-
\??\c:\jppjv.exec:\jppjv.exe92⤵PID:1348
-
\??\c:\lrrfrfx.exec:\lrrfrfx.exe93⤵PID:2616
-
\??\c:\bntttn.exec:\bntttn.exe94⤵PID:912
-
\??\c:\ththtn.exec:\ththtn.exe95⤵PID:656
-
\??\c:\jjjvp.exec:\jjjvp.exe96⤵PID:2316
-
\??\c:\xlrfxxl.exec:\xlrfxxl.exe97⤵PID:2072
-
\??\c:\bbnbtn.exec:\bbnbtn.exe98⤵PID:1012
-
\??\c:\1ppjp.exec:\1ppjp.exe99⤵PID:220
-
\??\c:\jvpdp.exec:\jvpdp.exe100⤵PID:852
-
\??\c:\lffxlfx.exec:\lffxlfx.exe101⤵PID:532
-
\??\c:\bttbhn.exec:\bttbhn.exe102⤵PID:4904
-
\??\c:\dvdpd.exec:\dvdpd.exe103⤵PID:4088
-
\??\c:\7flfllf.exec:\7flfllf.exe104⤵PID:3512
-
\??\c:\nhtntn.exec:\nhtntn.exe105⤵PID:3964
-
\??\c:\3tthnh.exec:\3tthnh.exe106⤵PID:3636
-
\??\c:\jpjvp.exec:\jpjvp.exe107⤵PID:4588
-
\??\c:\rrfxrlf.exec:\rrfxrlf.exe108⤵PID:2228
-
\??\c:\xffrrff.exec:\xffrrff.exe109⤵PID:4476
-
\??\c:\5jjdd.exec:\5jjdd.exe110⤵PID:2160
-
\??\c:\ffxlxrf.exec:\ffxlxrf.exe111⤵PID:1632
-
\??\c:\xrxrxrf.exec:\xrxrxrf.exe112⤵PID:2052
-
\??\c:\3bbthb.exec:\3bbthb.exe113⤵PID:2040
-
\??\c:\vppdv.exec:\vppdv.exe114⤵PID:3776
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe115⤵PID:4020
-
\??\c:\bnhhbt.exec:\bnhhbt.exe116⤵PID:3772
-
\??\c:\5vpdp.exec:\5vpdp.exe117⤵PID:1528
-
\??\c:\jdjvv.exec:\jdjvv.exe118⤵PID:3152
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe119⤵PID:2416
-
\??\c:\btthbt.exec:\btthbt.exe120⤵PID:3284
-
\??\c:\5ntnnn.exec:\5ntnnn.exe121⤵PID:4644
-
\??\c:\1jpdd.exec:\1jpdd.exe122⤵PID:3156