Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
24-12-2024 00:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe
-
Size
456KB
-
MD5
dbe348da744b30037024dd7262361b8e
-
SHA1
5e7852ab769e3bce8cd22044f22c25000fea1399
-
SHA256
a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2
-
SHA512
98d00dfa5284a8488aa8c25cb634546ed03e8e5734e99d5bfa809c7b301c99917c589d41495168ddfc1a226fb145e0d73790d1e3ee76a664a1ebf272228c7e8e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1620-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5044-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1804-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-1049-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-1512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1948-1853-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2056 llfxrrl.exe 4708 htbtnh.exe 4496 pjjdd.exe 508 lrrlllf.exe 2604 bttnnn.exe 216 jpvjd.exe 3968 dvvdd.exe 5048 rrlxlxl.exe 552 xxfxffl.exe 3608 thhtbt.exe 4848 fxxrlff.exe 1700 5vjjp.exe 5068 lfffffl.exe 116 5hhbbt.exe 760 dpvpv.exe 836 jdjvd.exe 3024 fllfffx.exe 2832 bhthbb.exe 4360 pddvv.exe 3544 rlrrlff.exe 3316 nbbttt.exe 3412 3bnhhh.exe 3476 vjjvp.exe 3104 1rxrxfl.exe 2888 frrfxfx.exe 2760 btnnhh.exe 3660 xlrlfxr.exe 3940 5hhhhn.exe 4576 ddjdd.exe 5044 httnhb.exe 1856 pvvdp.exe 1960 xlxlxlx.exe 4156 bttnnn.exe 3244 btnhnh.exe 4676 lllfxrl.exe 4692 llrrrlf.exe 1480 tbnnbn.exe 2932 pvvvp.exe 4240 xrxrlff.exe 2872 thnhbb.exe 1848 jpvpj.exe 4348 5nbtnt.exe 1128 lxfrfxr.exe 3332 hbhnht.exe 4732 3jdpv.exe 668 9lllxfx.exe 4868 9hhbtt.exe 4328 3ddpj.exe 2336 flrflfx.exe 3176 3hhbbt.exe 3164 dpvjp.exe 1548 dpvjj.exe 4140 1lrlxxr.exe 4884 btbthb.exe 4820 btbtbt.exe 3740 vjdjd.exe 2640 fflrrxx.exe 1600 lrrrfxr.exe 3528 hhhtnh.exe 5048 5djdd.exe 4512 frfxrfl.exe 552 lxfrfxr.exe 5036 tbhnhh.exe 2788 bnbthh.exe -
resource yara_rule behavioral2/memory/1620-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-190-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3244-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3728-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-803-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that reading the NLS\Language key is also a routine side effect of locale initialization in many legitimate programs, so this signature is low-fidelity on its own and should be weighed together with the other behaviors in this report (the dropped-EXE chain and the memory-based family detections); many of the entries below are attributed to "Process not Found" because the short-lived child process had already exited when the event was recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2056 1620 a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe 82 PID 1620 wrote to memory of 2056 1620 a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe 82 PID 1620 wrote to memory of 2056 1620 a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe 82 PID 2056 wrote to memory of 4708 2056 llfxrrl.exe 83 PID 2056 wrote to memory of 4708 2056 llfxrrl.exe 83 PID 2056 wrote to memory of 4708 2056 llfxrrl.exe 83 PID 4708 wrote to memory of 4496 4708 htbtnh.exe 84 PID 4708 wrote to memory of 4496 4708 htbtnh.exe 84 PID 4708 wrote to memory of 4496 4708 htbtnh.exe 84 PID 4496 wrote to memory of 508 4496 pjjdd.exe 85 PID 4496 wrote to memory of 508 4496 pjjdd.exe 85 PID 4496 wrote to memory of 508 4496 pjjdd.exe 85 PID 508 wrote to memory of 2604 508 lrrlllf.exe 86 PID 508 wrote to memory of 2604 508 lrrlllf.exe 86 PID 508 wrote to memory of 2604 508 lrrlllf.exe 86 PID 2604 wrote to memory of 216 2604 bttnnn.exe 87 PID 2604 wrote to memory of 216 2604 bttnnn.exe 87 PID 2604 wrote to memory of 216 2604 bttnnn.exe 87 PID 216 wrote to memory of 3968 216 jpvjd.exe 88 PID 216 wrote to memory of 3968 216 jpvjd.exe 88 PID 216 wrote to memory of 3968 216 jpvjd.exe 88 PID 3968 wrote to memory of 5048 3968 dvvdd.exe 89 PID 3968 wrote to memory of 5048 3968 dvvdd.exe 89 PID 3968 wrote to memory of 5048 3968 dvvdd.exe 89 PID 5048 wrote to memory of 552 5048 rrlxlxl.exe 90 PID 5048 wrote to memory of 552 5048 rrlxlxl.exe 90 PID 5048 wrote to memory of 552 5048 rrlxlxl.exe 90 PID 552 wrote to memory of 3608 552 xxfxffl.exe 91 PID 552 wrote to memory of 3608 552 xxfxffl.exe 91 PID 552 wrote to memory of 3608 552 xxfxffl.exe 91 PID 3608 wrote to memory of 4848 3608 thhtbt.exe 92 PID 3608 wrote to memory of 4848 3608 thhtbt.exe 92 PID 3608 wrote to memory of 4848 3608 thhtbt.exe 92 PID 4848 wrote to memory of 1700 4848 fxxrlff.exe 93 PID 4848 wrote to memory of 1700 4848 
fxxrlff.exe 93 PID 4848 wrote to memory of 1700 4848 fxxrlff.exe 93 PID 1700 wrote to memory of 5068 1700 5vjjp.exe 94 PID 1700 wrote to memory of 5068 1700 5vjjp.exe 94 PID 1700 wrote to memory of 5068 1700 5vjjp.exe 94 PID 5068 wrote to memory of 116 5068 lfffffl.exe 95 PID 5068 wrote to memory of 116 5068 lfffffl.exe 95 PID 5068 wrote to memory of 116 5068 lfffffl.exe 95 PID 116 wrote to memory of 760 116 5hhbbt.exe 96 PID 116 wrote to memory of 760 116 5hhbbt.exe 96 PID 116 wrote to memory of 760 116 5hhbbt.exe 96 PID 760 wrote to memory of 836 760 dpvpv.exe 97 PID 760 wrote to memory of 836 760 dpvpv.exe 97 PID 760 wrote to memory of 836 760 dpvpv.exe 97 PID 836 wrote to memory of 3024 836 jdjvd.exe 98 PID 836 wrote to memory of 3024 836 jdjvd.exe 98 PID 836 wrote to memory of 3024 836 jdjvd.exe 98 PID 3024 wrote to memory of 2832 3024 fllfffx.exe 99 PID 3024 wrote to memory of 2832 3024 fllfffx.exe 99 PID 3024 wrote to memory of 2832 3024 fllfffx.exe 99 PID 2832 wrote to memory of 4360 2832 bhthbb.exe 100 PID 2832 wrote to memory of 4360 2832 bhthbb.exe 100 PID 2832 wrote to memory of 4360 2832 bhthbb.exe 100 PID 4360 wrote to memory of 3544 4360 pddvv.exe 101 PID 4360 wrote to memory of 3544 4360 pddvv.exe 101 PID 4360 wrote to memory of 3544 4360 pddvv.exe 101 PID 3544 wrote to memory of 3316 3544 rlrrlff.exe 102 PID 3544 wrote to memory of 3316 3544 rlrrlff.exe 102 PID 3544 wrote to memory of 3316 3544 rlrrlff.exe 102 PID 3316 wrote to memory of 3412 3316 nbbttt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe"C:\Users\Admin\AppData\Local\Temp\a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\llfxrrl.exec:\llfxrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\htbtnh.exec:\htbtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\pjjdd.exec:\pjjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\lrrlllf.exec:\lrrlllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
\??\c:\bttnnn.exec:\bttnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\jpvjd.exec:\jpvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\dvvdd.exec:\dvvdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\rrlxlxl.exec:\rrlxlxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\xxfxffl.exec:\xxfxffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\thhtbt.exec:\thhtbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\fxxrlff.exec:\fxxrlff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\5vjjp.exec:\5vjjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\lfffffl.exec:\lfffffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\5hhbbt.exec:\5hhbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\dpvpv.exec:\dpvpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\jdjvd.exec:\jdjvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\fllfffx.exec:\fllfffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\bhthbb.exec:\bhthbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\pddvv.exec:\pddvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\rlrrlff.exec:\rlrrlff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\nbbttt.exec:\nbbttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\3bnhhh.exec:\3bnhhh.exe23⤵
- Executes dropped EXE
PID:3412 -
\??\c:\vjjvp.exec:\vjjvp.exe24⤵
- Executes dropped EXE
PID:3476 -
\??\c:\1rxrxfl.exec:\1rxrxfl.exe25⤵
- Executes dropped EXE
PID:3104 -
\??\c:\frrfxfx.exec:\frrfxfx.exe26⤵
- Executes dropped EXE
PID:2888 -
\??\c:\btnnhh.exec:\btnnhh.exe27⤵
- Executes dropped EXE
PID:2760 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe28⤵
- Executes dropped EXE
PID:3660 -
\??\c:\5hhhhn.exec:\5hhhhn.exe29⤵
- Executes dropped EXE
PID:3940 -
\??\c:\ddjdd.exec:\ddjdd.exe30⤵
- Executes dropped EXE
PID:4576 -
\??\c:\httnhb.exec:\httnhb.exe31⤵
- Executes dropped EXE
PID:5044 -
\??\c:\pvvdp.exec:\pvvdp.exe32⤵
- Executes dropped EXE
PID:1856 -
\??\c:\xlxlxlx.exec:\xlxlxlx.exe33⤵
- Executes dropped EXE
PID:1960 -
\??\c:\bttnnn.exec:\bttnnn.exe34⤵
- Executes dropped EXE
PID:4156 -
\??\c:\btnhnh.exec:\btnhnh.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3244 -
\??\c:\lllfxrl.exec:\lllfxrl.exe36⤵
- Executes dropped EXE
PID:4676 -
\??\c:\llrrrlf.exec:\llrrrlf.exe37⤵
- Executes dropped EXE
PID:4692 -
\??\c:\tbnnbn.exec:\tbnnbn.exe38⤵
- Executes dropped EXE
PID:1480 -
\??\c:\pvvvp.exec:\pvvvp.exe39⤵
- Executes dropped EXE
PID:2932 -
\??\c:\xrxrlff.exec:\xrxrlff.exe40⤵
- Executes dropped EXE
PID:4240 -
\??\c:\thnhbb.exec:\thnhbb.exe41⤵
- Executes dropped EXE
PID:2872 -
\??\c:\jpvpj.exec:\jpvpj.exe42⤵
- Executes dropped EXE
PID:1848 -
\??\c:\5nbtnt.exec:\5nbtnt.exe43⤵
- Executes dropped EXE
PID:4348 -
\??\c:\lxfrfxr.exec:\lxfrfxr.exe44⤵
- Executes dropped EXE
PID:1128 -
\??\c:\hbhnht.exec:\hbhnht.exe45⤵
- Executes dropped EXE
PID:3332 -
\??\c:\3jdpv.exec:\3jdpv.exe46⤵
- Executes dropped EXE
PID:4732 -
\??\c:\9lllxfx.exec:\9lllxfx.exe47⤵
- Executes dropped EXE
PID:668 -
\??\c:\9hhbtt.exec:\9hhbtt.exe48⤵
- Executes dropped EXE
PID:4868 -
\??\c:\3ddpj.exec:\3ddpj.exe49⤵
- Executes dropped EXE
PID:4328 -
\??\c:\flrflfx.exec:\flrflfx.exe50⤵
- Executes dropped EXE
PID:2336 -
\??\c:\3hhbbt.exec:\3hhbbt.exe51⤵
- Executes dropped EXE
PID:3176 -
\??\c:\dpvjp.exec:\dpvjp.exe52⤵
- Executes dropped EXE
PID:3164 -
\??\c:\dpvjj.exec:\dpvjj.exe53⤵
- Executes dropped EXE
PID:1548 -
\??\c:\1lrlxxr.exec:\1lrlxxr.exe54⤵
- Executes dropped EXE
PID:4140 -
\??\c:\btbthb.exec:\btbthb.exe55⤵
- Executes dropped EXE
PID:4884 -
\??\c:\btbtbt.exec:\btbtbt.exe56⤵
- Executes dropped EXE
PID:4820 -
\??\c:\vjdjd.exec:\vjdjd.exe57⤵
- Executes dropped EXE
PID:3740 -
\??\c:\fflrrxx.exec:\fflrrxx.exe58⤵
- Executes dropped EXE
PID:2640 -
\??\c:\lrrrfxr.exec:\lrrrfxr.exe59⤵
- Executes dropped EXE
PID:1600 -
\??\c:\hhhtnh.exec:\hhhtnh.exe60⤵
- Executes dropped EXE
PID:3528 -
\??\c:\5djdd.exec:\5djdd.exe61⤵
- Executes dropped EXE
PID:5048 -
\??\c:\frfxrfl.exec:\frfxrfl.exe62⤵
- Executes dropped EXE
PID:4512 -
\??\c:\lxfrfxr.exec:\lxfrfxr.exe63⤵
- Executes dropped EXE
PID:552 -
\??\c:\tbhnhh.exec:\tbhnhh.exe64⤵
- Executes dropped EXE
PID:5036 -
\??\c:\bnbthh.exec:\bnbthh.exe65⤵
- Executes dropped EXE
PID:2788 -
\??\c:\9jdvj.exec:\9jdvj.exe66⤵PID:4984
-
\??\c:\lfrllfr.exec:\lfrllfr.exe67⤵PID:3860
-
\??\c:\1tnhnn.exec:\1tnhnn.exe68⤵PID:3632
-
\??\c:\vpdpd.exec:\vpdpd.exe69⤵PID:640
-
\??\c:\lxflfrr.exec:\lxflfrr.exe70⤵PID:3260
-
\??\c:\xlxfllr.exec:\xlxfllr.exe71⤵PID:1756
-
\??\c:\thtnbt.exec:\thtnbt.exe72⤵PID:2344
-
\??\c:\1jdpj.exec:\1jdpj.exe73⤵PID:2780
-
\??\c:\7llxrlf.exec:\7llxrlf.exe74⤵PID:764
-
\??\c:\7xxrllf.exec:\7xxrllf.exe75⤵PID:4012
-
\??\c:\thbtht.exec:\thbtht.exe76⤵PID:2304
-
\??\c:\pvvjd.exec:\pvvjd.exe77⤵PID:3884
-
\??\c:\pvdpv.exec:\pvdpv.exe78⤵PID:1804
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe79⤵PID:732
-
\??\c:\3nhbbb.exec:\3nhbbb.exe80⤵PID:1304
-
\??\c:\jjpdj.exec:\jjpdj.exe81⤵PID:3692
-
\??\c:\7frlffr.exec:\7frlffr.exe82⤵PID:1544
-
\??\c:\5rxrxxf.exec:\5rxrxxf.exe83⤵PID:2164
-
\??\c:\1nnhbb.exec:\1nnhbb.exe84⤵PID:4612
-
\??\c:\pjvjv.exec:\pjvjv.exe85⤵PID:3612
-
\??\c:\fllxlxl.exec:\fllxlxl.exe86⤵PID:4828
-
\??\c:\hnnhbh.exec:\hnnhbh.exe87⤵PID:1424
-
\??\c:\3hhtnh.exec:\3hhtnh.exe88⤵PID:336
-
\??\c:\1dpjd.exec:\1dpjd.exe89⤵PID:2596
-
\??\c:\jvvjv.exec:\jvvjv.exe90⤵PID:4576
-
\??\c:\frrlfxr.exec:\frrlfxr.exe91⤵PID:3516
-
\??\c:\xflfrll.exec:\xflfrll.exe92⤵PID:3832
-
\??\c:\1bhbbb.exec:\1bhbbb.exe93⤵PID:2500
-
\??\c:\dvvpp.exec:\dvvpp.exe94⤵PID:4592
-
\??\c:\xflfxrl.exec:\xflfxrl.exe95⤵PID:3812
-
\??\c:\hnnbtt.exec:\hnnbtt.exe96⤵PID:2836
-
\??\c:\tbnnth.exec:\tbnnth.exe97⤵PID:3688
-
\??\c:\dpvpj.exec:\dpvpj.exe98⤵PID:3396
-
\??\c:\1rffxrl.exec:\1rffxrl.exe99⤵PID:3728
-
\??\c:\flllfxx.exec:\flllfxx.exe100⤵PID:4172
-
\??\c:\hnhbbn.exec:\hnhbbn.exe101⤵PID:700
-
\??\c:\vddpp.exec:\vddpp.exe102⤵PID:1616
-
\??\c:\lllfxrl.exec:\lllfxrl.exe103⤵PID:3088
-
\??\c:\bbnnbb.exec:\bbnnbb.exe104⤵PID:5072
-
\??\c:\jpdvj.exec:\jpdvj.exe105⤵PID:4348
-
\??\c:\9dvpj.exec:\9dvpj.exe106⤵PID:3548
-
\??\c:\xflxllx.exec:\xflxllx.exe107⤵PID:3332
-
\??\c:\7tnnhh.exec:\7tnnhh.exe108⤵PID:1192
-
\??\c:\vjpjv.exec:\vjpjv.exe109⤵PID:4980
-
\??\c:\rrllrfl.exec:\rrllrfl.exe110⤵PID:3872
-
\??\c:\htbtnb.exec:\htbtnb.exe111⤵PID:3200
-
\??\c:\bbnbbb.exec:\bbnbbb.exe112⤵PID:3988
-
\??\c:\jvppd.exec:\jvppd.exe113⤵PID:2956
-
\??\c:\rxfxrlx.exec:\rxfxrlx.exe114⤵PID:4660
-
\??\c:\thbthh.exec:\thbthh.exe115⤵PID:508
-
\??\c:\hhbthb.exec:\hhbthb.exe116⤵PID:1140
-
\??\c:\dpvpp.exec:\dpvpp.exe117⤵PID:2472
-
\??\c:\lrxlfrf.exec:\lrxlfrf.exe118⤵PID:3620
-
\??\c:\lxlxrrl.exec:\lxlxrrl.exe119⤵PID:4424
-
\??\c:\bthbtn.exec:\bthbtn.exe120⤵PID:1976
-
\??\c:\jpvpp.exec:\jpvpp.exe121⤵PID:3508
-
\??\c:\fxxrffx.exec:\fxxrffx.exe122⤵PID:3536
-