Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 02:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b8aaad3172eeee5465da7cd25b3d6334217387034eed5be55931670dd5d5c952.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b8aaad3172eeee5465da7cd25b3d6334217387034eed5be55931670dd5d5c952.exe
-
Size
453KB
-
MD5
583ba20a8bdfea7b1180693c4946e417
-
SHA1
5e41004bf7b360d0acbe4814aa781192db6a1acc
-
SHA256
b8aaad3172eeee5465da7cd25b3d6334217387034eed5be55931670dd5d5c952
-
SHA512
c338b7699572062f9a84a1279f7ce03de8abdaedfb514e4f24fc8e53a5020cfdb5df93f8b647a1b166cc9d78cd862deaf5985ea4e6d2fdad234f11b965c506bb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/528-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/880-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1156-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-966-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-1339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4032 ddppj.exe 1268 lfxxffl.exe 1912 btnhbt.exe 4876 jddvp.exe 988 ddjdv.exe 1932 lllfxrl.exe 4520 bbtnhb.exe 4576 fflrfxr.exe 5060 jdvpj.exe 4484 5bhhnn.exe 3980 xflfffl.exe 540 frllfll.exe 4444 jpdvp.exe 1556 xrxrlll.exe 3372 1ppjp.exe 1156 lflfffr.exe 4912 bthnhh.exe 3900 pppjp.exe 2856 5hnhtn.exe 4288 3vdvd.exe 1796 ddjvj.exe 1428 xlrlffx.exe 880 5rlrlll.exe 5068 ffxrllf.exe 2736 frxrrrr.exe 4656 nbhtnh.exe 2336 pvdjd.exe 4548 1fllllr.exe 4980 ddjdj.exe 2680 9xfxffl.exe 2100 tbttnn.exe 2544 1jjdv.exe 3272 nnhhbb.exe 4232 hbbthn.exe 3736 pvpjv.exe 1860 rffxrlf.exe 3692 nnthtn.exe 220 1vpvj.exe 2900 rflrlrr.exe 3712 ttthbt.exe 1320 vdvjv.exe 4320 5xxxrxr.exe 4392 fxxrlff.exe 4376 tntnnn.exe 528 vdjpd.exe 524 htnbnh.exe 936 1pvpv.exe 3912 vdpjj.exe 928 7lxrrlx.exe 3840 vpjjd.exe 4864 rlrxlfr.exe 3232 1flxrfr.exe 1808 btthhb.exe 2500 djpjv.exe 2256 lfllfff.exe 1652 llrlxrf.exe 912 tbbnhn.exe 2704 vjdvd.exe 4004 3vjdd.exe 2108 5xrllxr.exe 2668 thbtbb.exe 2860 hbnnhb.exe 1004 9djdp.exe 1036 rfxlfrr.exe -
resource yara_rule behavioral2/memory/528-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4656-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4248-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-770-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 528 wrote to memory of 4032 528 b8aaad3172eeee5465da7cd25b3d6334217387034eed5be55931670dd5d5c952.exe 82 PID 528 wrote to memory of 4032 528 b8aaad3172eeee5465da7cd25b3d6334217387034eed5be55931670dd5d5c952.exe 82 PID 528 wrote to memory of 4032 528 b8aaad3172eeee5465da7cd25b3d6334217387034eed5be55931670dd5d5c952.exe 82 PID 4032 wrote to memory of 1268 4032 ddppj.exe 83 PID 4032 wrote to memory of 1268 4032 ddppj.exe 83 PID 4032 wrote to memory of 1268 4032 ddppj.exe 83 PID 1268 wrote to memory of 1912 1268 lfxxffl.exe 84 PID 1268 wrote to memory of 1912 1268 lfxxffl.exe 84 PID 1268 wrote to memory of 1912 1268 lfxxffl.exe 84 PID 1912 wrote to memory of 4876 1912 btnhbt.exe 85 PID 1912 wrote to memory of 4876 1912 btnhbt.exe 85 PID 1912 wrote to memory of 4876 1912 btnhbt.exe 85 PID 4876 wrote to memory of 988 4876 jddvp.exe 86 PID 4876 wrote to memory of 988 4876 jddvp.exe 86 PID 4876 wrote to memory of 988 4876 jddvp.exe 86 PID 988 wrote to memory of 1932 988 ddjdv.exe 87 PID 988 wrote to memory of 1932 988 ddjdv.exe 87 PID 988 wrote to memory of 1932 988 ddjdv.exe 87 PID 1932 wrote to memory of 4520 1932 lllfxrl.exe 88 PID 1932 wrote to memory of 4520 1932 lllfxrl.exe 88 PID 1932 wrote to memory of 4520 1932 lllfxrl.exe 88 PID 4520 wrote to memory of 4576 4520 bbtnhb.exe 89 PID 4520 wrote to memory of 4576 4520 bbtnhb.exe 89 PID 4520 wrote to memory of 4576 4520 bbtnhb.exe 89 PID 4576 wrote to memory of 5060 4576 fflrfxr.exe 90 PID 4576 wrote to memory of 5060 4576 fflrfxr.exe 90 PID 4576 wrote to memory of 5060 4576 fflrfxr.exe 90 PID 5060 wrote to memory of 4484 5060 jdvpj.exe 91 PID 5060 wrote to memory of 4484 5060 jdvpj.exe 91 PID 5060 wrote to memory of 4484 5060 jdvpj.exe 91 PID 4484 wrote to memory of 3980 4484 5bhhnn.exe 92 PID 4484 wrote to memory of 3980 4484 5bhhnn.exe 92 PID 4484 wrote to memory of 3980 4484 5bhhnn.exe 92 PID 3980 wrote to memory of 540 3980 xflfffl.exe 93 PID 3980 wrote to memory of 540 3980 
xflfffl.exe 93 PID 3980 wrote to memory of 540 3980 xflfffl.exe 93 PID 540 wrote to memory of 4444 540 frllfll.exe 94 PID 540 wrote to memory of 4444 540 frllfll.exe 94 PID 540 wrote to memory of 4444 540 frllfll.exe 94 PID 4444 wrote to memory of 1556 4444 jpdvp.exe 95 PID 4444 wrote to memory of 1556 4444 jpdvp.exe 95 PID 4444 wrote to memory of 1556 4444 jpdvp.exe 95 PID 1556 wrote to memory of 3372 1556 xrxrlll.exe 96 PID 1556 wrote to memory of 3372 1556 xrxrlll.exe 96 PID 1556 wrote to memory of 3372 1556 xrxrlll.exe 96 PID 3372 wrote to memory of 1156 3372 1ppjp.exe 97 PID 3372 wrote to memory of 1156 3372 1ppjp.exe 97 PID 3372 wrote to memory of 1156 3372 1ppjp.exe 97 PID 1156 wrote to memory of 4912 1156 lflfffr.exe 98 PID 1156 wrote to memory of 4912 1156 lflfffr.exe 98 PID 1156 wrote to memory of 4912 1156 lflfffr.exe 98 PID 4912 wrote to memory of 3900 4912 bthnhh.exe 99 PID 4912 wrote to memory of 3900 4912 bthnhh.exe 99 PID 4912 wrote to memory of 3900 4912 bthnhh.exe 99 PID 3900 wrote to memory of 2856 3900 pppjp.exe 100 PID 3900 wrote to memory of 2856 3900 pppjp.exe 100 PID 3900 wrote to memory of 2856 3900 pppjp.exe 100 PID 2856 wrote to memory of 4288 2856 5hnhtn.exe 101 PID 2856 wrote to memory of 4288 2856 5hnhtn.exe 101 PID 2856 wrote to memory of 4288 2856 5hnhtn.exe 101 PID 4288 wrote to memory of 1796 4288 3vdvd.exe 102 PID 4288 wrote to memory of 1796 4288 3vdvd.exe 102 PID 4288 wrote to memory of 1796 4288 3vdvd.exe 102 PID 1796 wrote to memory of 1428 1796 ddjvj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8aaad3172eeee5465da7cd25b3d6334217387034eed5be55931670dd5d5c952.exe"C:\Users\Admin\AppData\Local\Temp\b8aaad3172eeee5465da7cd25b3d6334217387034eed5be55931670dd5d5c952.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\ddppj.exec:\ddppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\lfxxffl.exec:\lfxxffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\btnhbt.exec:\btnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\jddvp.exec:\jddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\ddjdv.exec:\ddjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\lllfxrl.exec:\lllfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\bbtnhb.exec:\bbtnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\fflrfxr.exec:\fflrfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\jdvpj.exec:\jdvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\5bhhnn.exec:\5bhhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\xflfffl.exec:\xflfffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\frllfll.exec:\frllfll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\jpdvp.exec:\jpdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\xrxrlll.exec:\xrxrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\1ppjp.exec:\1ppjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\lflfffr.exec:\lflfffr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\bthnhh.exec:\bthnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\pppjp.exec:\pppjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\5hnhtn.exec:\5hnhtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\3vdvd.exec:\3vdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\ddjvj.exec:\ddjvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\xlrlffx.exec:\xlrlffx.exe23⤵
- Executes dropped EXE
PID:1428 -
\??\c:\5rlrlll.exec:\5rlrlll.exe24⤵
- Executes dropped EXE
PID:880 -
\??\c:\ffxrllf.exec:\ffxrllf.exe25⤵
- Executes dropped EXE
PID:5068 -
\??\c:\frxrrrr.exec:\frxrrrr.exe26⤵
- Executes dropped EXE
PID:2736 -
\??\c:\nbhtnh.exec:\nbhtnh.exe27⤵
- Executes dropped EXE
PID:4656 -
\??\c:\pvdjd.exec:\pvdjd.exe28⤵
- Executes dropped EXE
PID:2336 -
\??\c:\1fllllr.exec:\1fllllr.exe29⤵
- Executes dropped EXE
PID:4548 -
\??\c:\ddjdj.exec:\ddjdj.exe30⤵
- Executes dropped EXE
PID:4980 -
\??\c:\9xfxffl.exec:\9xfxffl.exe31⤵
- Executes dropped EXE
PID:2680 -
\??\c:\tbttnn.exec:\tbttnn.exe32⤵
- Executes dropped EXE
PID:2100 -
\??\c:\1jjdv.exec:\1jjdv.exe33⤵
- Executes dropped EXE
PID:2544 -
\??\c:\nnhhbb.exec:\nnhhbb.exe34⤵
- Executes dropped EXE
PID:3272 -
\??\c:\hbbthn.exec:\hbbthn.exe35⤵
- Executes dropped EXE
PID:4232 -
\??\c:\pvpjv.exec:\pvpjv.exe36⤵
- Executes dropped EXE
PID:3736 -
\??\c:\rffxrlf.exec:\rffxrlf.exe37⤵
- Executes dropped EXE
PID:1860 -
\??\c:\nnthtn.exec:\nnthtn.exe38⤵
- Executes dropped EXE
PID:3692 -
\??\c:\1vpvj.exec:\1vpvj.exe39⤵
- Executes dropped EXE
PID:220 -
\??\c:\rflrlrr.exec:\rflrlrr.exe40⤵
- Executes dropped EXE
PID:2900 -
\??\c:\ttthbt.exec:\ttthbt.exe41⤵
- Executes dropped EXE
PID:3712 -
\??\c:\vdvjv.exec:\vdvjv.exe42⤵
- Executes dropped EXE
PID:1320 -
\??\c:\5xxxrxr.exec:\5xxxrxr.exe43⤵
- Executes dropped EXE
PID:4320 -
\??\c:\fxxrlff.exec:\fxxrlff.exe44⤵
- Executes dropped EXE
PID:4392 -
\??\c:\tntnnn.exec:\tntnnn.exe45⤵
- Executes dropped EXE
PID:4376 -
\??\c:\vdjpd.exec:\vdjpd.exe46⤵
- Executes dropped EXE
PID:528 -
\??\c:\htnbnh.exec:\htnbnh.exe47⤵
- Executes dropped EXE
PID:524 -
\??\c:\1pvpv.exec:\1pvpv.exe48⤵
- Executes dropped EXE
PID:936 -
\??\c:\vdpjj.exec:\vdpjj.exe49⤵
- Executes dropped EXE
PID:3912 -
\??\c:\7lxrrlx.exec:\7lxrrlx.exe50⤵
- Executes dropped EXE
PID:928 -
\??\c:\vpjjd.exec:\vpjjd.exe51⤵
- Executes dropped EXE
PID:3840 -
\??\c:\rlrxlfr.exec:\rlrxlfr.exe52⤵
- Executes dropped EXE
PID:4864 -
\??\c:\1flxrfr.exec:\1flxrfr.exe53⤵
- Executes dropped EXE
PID:3232 -
\??\c:\btthhb.exec:\btthhb.exe54⤵
- Executes dropped EXE
PID:1808 -
\??\c:\djpjv.exec:\djpjv.exe55⤵
- Executes dropped EXE
PID:2500 -
\??\c:\lfllfff.exec:\lfllfff.exe56⤵
- Executes dropped EXE
PID:2256 -
\??\c:\llrlxrf.exec:\llrlxrf.exe57⤵
- Executes dropped EXE
PID:1652 -
\??\c:\tbbnhn.exec:\tbbnhn.exe58⤵
- Executes dropped EXE
PID:912 -
\??\c:\vjdvd.exec:\vjdvd.exe59⤵
- Executes dropped EXE
PID:2704 -
\??\c:\3vjdd.exec:\3vjdd.exe60⤵
- Executes dropped EXE
PID:4004 -
\??\c:\5xrllxr.exec:\5xrllxr.exe61⤵
- Executes dropped EXE
PID:2108 -
\??\c:\thbtbb.exec:\thbtbb.exe62⤵
- Executes dropped EXE
PID:2668 -
\??\c:\hbnnhb.exec:\hbnnhb.exe63⤵
- Executes dropped EXE
PID:2860 -
\??\c:\9djdp.exec:\9djdp.exe64⤵
- Executes dropped EXE
PID:1004 -
\??\c:\rfxlfrr.exec:\rfxlfrr.exe65⤵
- Executes dropped EXE
PID:1036 -
\??\c:\hhtttt.exec:\hhtttt.exe66⤵PID:4120
-
\??\c:\bbhbnn.exec:\bbhbnn.exe67⤵PID:4932
-
\??\c:\9jjdv.exec:\9jjdv.exe68⤵PID:2132
-
\??\c:\7xxllfr.exec:\7xxllfr.exe69⤵PID:3372
-
\??\c:\nbbttn.exec:\nbbttn.exe70⤵PID:1156
-
\??\c:\1jjdp.exec:\1jjdp.exe71⤵PID:1016
-
\??\c:\vpjdv.exec:\vpjdv.exe72⤵PID:3572
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe73⤵PID:3844
-
\??\c:\hbnnnn.exec:\hbnnnn.exe74⤵PID:3724
-
\??\c:\btbttn.exec:\btbttn.exe75⤵PID:2612
-
\??\c:\9dddp.exec:\9dddp.exe76⤵PID:2176
-
\??\c:\frlfrfr.exec:\frlfrfr.exe77⤵PID:1728
-
\??\c:\htbnbt.exec:\htbnbt.exe78⤵PID:4500
-
\??\c:\dpjjv.exec:\dpjjv.exe79⤵PID:3472
-
\??\c:\flfflll.exec:\flfflll.exe80⤵PID:1816
-
\??\c:\hhhbnh.exec:\hhhbnh.exe81⤵PID:3508
-
\??\c:\nntntt.exec:\nntntt.exe82⤵PID:2736
-
\??\c:\jvvjv.exec:\jvvjv.exe83⤵PID:4168
-
\??\c:\lllxrrl.exec:\lllxrrl.exe84⤵PID:3628
-
\??\c:\5nhhtt.exec:\5nhhtt.exe85⤵PID:1736
-
\??\c:\vpjjv.exec:\vpjjv.exe86⤵PID:1684
-
\??\c:\5xlxrxf.exec:\5xlxrxf.exe87⤵PID:5052
-
\??\c:\7nhbnh.exec:\7nhbnh.exe88⤵PID:2680
-
\??\c:\7bhbbb.exec:\7bhbbb.exe89⤵PID:1148
-
\??\c:\9vpdv.exec:\9vpdv.exe90⤵PID:1012
-
\??\c:\xfffxxr.exec:\xfffxxr.exe91⤵PID:3056
-
\??\c:\hnnbnb.exec:\hnnbnb.exe92⤵PID:2544
-
\??\c:\1hhbnh.exec:\1hhbnh.exe93⤵PID:3332
-
\??\c:\7vdpj.exec:\7vdpj.exe94⤵PID:4232
-
\??\c:\fxlxlfr.exec:\fxlxlfr.exe95⤵PID:3736
-
\??\c:\tnnhbb.exec:\tnnhbb.exe96⤵PID:4712
-
\??\c:\hnnhtt.exec:\hnnhtt.exe97⤵PID:4248
-
\??\c:\1jvjp.exec:\1jvjp.exe98⤵PID:4116
-
\??\c:\9llfxxr.exec:\9llfxxr.exe99⤵PID:2688
-
\??\c:\7lrxrrl.exec:\7lrxrrl.exe100⤵PID:4856
-
\??\c:\tttnbt.exec:\tttnbt.exe101⤵PID:4716
-
\??\c:\5vjpd.exec:\5vjpd.exe102⤵PID:4380
-
\??\c:\7ffxrrl.exec:\7ffxrrl.exe103⤵PID:4320
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe104⤵PID:2396
-
\??\c:\hnttnn.exec:\hnttnn.exe105⤵PID:396
-
\??\c:\djpdv.exec:\djpdv.exe106⤵PID:4668
-
\??\c:\dvpjp.exec:\dvpjp.exe107⤵PID:1268
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe108⤵PID:1892
-
\??\c:\bbnhbt.exec:\bbnhbt.exe109⤵PID:2916
-
\??\c:\pvdvp.exec:\pvdvp.exe110⤵PID:2364
-
\??\c:\5ddpd.exec:\5ddpd.exe111⤵PID:988
-
\??\c:\3xxrfxl.exec:\3xxrfxl.exe112⤵PID:4244
-
\??\c:\tttnbt.exec:\tttnbt.exe113⤵PID:4820
-
\??\c:\pjvpd.exec:\pjvpd.exe114⤵PID:460
-
\??\c:\xlxllrr.exec:\xlxllrr.exe115⤵PID:1132
-
\??\c:\tnhhhb.exec:\tnhhhb.exe116⤵PID:3568
-
\??\c:\vpjvv.exec:\vpjvv.exe117⤵PID:1000
-
\??\c:\frxrffx.exec:\frxrffx.exe118⤵PID:4484
-
\??\c:\hhbnbh.exec:\hhbnbh.exe119⤵PID:464
-
\??\c:\bttnhh.exec:\bttnhh.exe120⤵PID:2472
-
\??\c:\pvjdv.exec:\pvjdv.exe121⤵PID:4284
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe122⤵PID:2284