Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
24-12-2024 19:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe
-
Size
453KB
-
MD5
c9c07b4997b436d1457289c48f295623
-
SHA1
83d7e2b1148265917c4ab59b3547e5d25f04cd88
-
SHA256
011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f
-
SHA512
dba7be233759ec602541531b72df212fdd4c60547d940678b5fc0f4006def09493e4f0258a749822c2cc3d774f08bf90827b1a93ba20c5d0cf9e6e31fd49b3a4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4676-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2080-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3808-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-1138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-1645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4676 llxrlxl.exe 3584 hnnhtt.exe 2132 lxfrlfr.exe 4900 9rxrlfx.exe 224 ntttnh.exe 228 bnnbtt.exe 3104 rflfxrr.exe 1040 flrlffr.exe 3636 hbnhnh.exe 3812 dpvpd.exe 800 xrlflff.exe 3280 hbnhnh.exe 5032 dpdpj.exe 1160 rfxrrlf.exe 3140 htnhbb.exe 3500 hhtnhb.exe 2332 xxlflll.exe 4364 httbth.exe 2568 vvjdd.exe 3656 dvvpj.exe 4240 xrrlfxr.exe 4136 9nnbnh.exe 2412 hnhbtn.exe 1116 vdjvp.exe 184 llrfxrf.exe 4744 frxlfxl.exe 2620 btbbbb.exe 1184 httnhb.exe 3164 vvdvj.exe 1736 frxxlfr.exe 4456 lxrfrlx.exe 1144 nnthth.exe 2000 jpvjd.exe 4308 jddvp.exe 4548 lxlxffr.exe 4772 hhtnhb.exe 4496 hhtntt.exe 4688 pjdvv.exe 2200 jpddv.exe 3096 rlxrxxr.exe 1584 nbhhbb.exe 1244 ntbtnh.exe 2692 jvddp.exe 4960 xflfxrl.exe 1000 7rxllll.exe 2080 hbbtnt.exe 3976 jvvvp.exe 3584 vpjdj.exe 3856 xllfxrf.exe 3680 1llxllx.exe 1864 bnnhbt.exe 4900 7vpvp.exe 2108 pvjdv.exe 3476 flrlfxr.exe 4028 bbbtnn.exe 3432 nnbthb.exe 1124 ppvjv.exe 4948 xlfrxfr.exe 3876 llxrrlf.exe 3636 vjpdv.exe 3808 7ppvj.exe 4480 frrfxrl.exe 3800 hthbtt.exe 1064 tnbttn.exe -
resource yara_rule behavioral2/memory/4676-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-236-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1000-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/184-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-885-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The NLS\Language key is also read by ordinary locale APIs in benign software, so on its own this is a low-confidence indicator and should be weighed together with the other signatures in this report.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lflfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3268 wrote to memory of 4676 3268 011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe 83 PID 3268 wrote to memory of 4676 3268 011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe 83 PID 3268 wrote to memory of 4676 3268 011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe 83 PID 4676 wrote to memory of 3584 4676 llxrlxl.exe 84 PID 4676 wrote to memory of 3584 4676 llxrlxl.exe 84 PID 4676 wrote to memory of 3584 4676 llxrlxl.exe 84 PID 3584 wrote to memory of 2132 3584 hnnhtt.exe 85 PID 3584 wrote to memory of 2132 3584 hnnhtt.exe 85 PID 3584 wrote to memory of 2132 3584 hnnhtt.exe 85 PID 2132 wrote to memory of 4900 2132 lxfrlfr.exe 86 PID 2132 wrote to memory of 4900 2132 lxfrlfr.exe 86 PID 2132 wrote to memory of 4900 2132 lxfrlfr.exe 86 PID 4900 wrote to memory of 224 4900 9rxrlfx.exe 87 PID 4900 wrote to memory of 224 4900 9rxrlfx.exe 87 PID 4900 wrote to memory of 224 4900 9rxrlfx.exe 87 PID 224 wrote to memory of 228 224 ntttnh.exe 88 PID 224 wrote to memory of 228 224 ntttnh.exe 88 PID 224 wrote to memory of 228 224 ntttnh.exe 88 PID 228 wrote to memory of 3104 228 bnnbtt.exe 89 PID 228 wrote to memory of 3104 228 bnnbtt.exe 89 PID 228 wrote to memory of 3104 228 bnnbtt.exe 89 PID 3104 wrote to memory of 1040 3104 rflfxrr.exe 90 PID 3104 wrote to memory of 1040 3104 rflfxrr.exe 90 PID 3104 wrote to memory of 1040 3104 rflfxrr.exe 90 PID 1040 wrote to memory of 3636 1040 flrlffr.exe 142 PID 1040 wrote to memory of 3636 1040 flrlffr.exe 142 PID 1040 wrote to memory of 3636 1040 flrlffr.exe 142 PID 3636 wrote to memory of 3812 3636 hbnhnh.exe 92 PID 3636 wrote to memory of 3812 3636 hbnhnh.exe 92 PID 3636 wrote to memory of 3812 3636 hbnhnh.exe 92 PID 3812 wrote to memory of 800 3812 dpvpd.exe 93 PID 3812 wrote to memory of 800 3812 dpvpd.exe 93 PID 3812 wrote to memory of 800 3812 dpvpd.exe 93 PID 800 wrote to memory of 3280 800 xrlflff.exe 94 PID 800 wrote to memory of 
3280 800 xrlflff.exe 94 PID 800 wrote to memory of 3280 800 xrlflff.exe 94 PID 3280 wrote to memory of 5032 3280 hbnhnh.exe 95 PID 3280 wrote to memory of 5032 3280 hbnhnh.exe 95 PID 3280 wrote to memory of 5032 3280 hbnhnh.exe 95 PID 5032 wrote to memory of 1160 5032 dpdpj.exe 96 PID 5032 wrote to memory of 1160 5032 dpdpj.exe 96 PID 5032 wrote to memory of 1160 5032 dpdpj.exe 96 PID 1160 wrote to memory of 3140 1160 rfxrrlf.exe 97 PID 1160 wrote to memory of 3140 1160 rfxrrlf.exe 97 PID 1160 wrote to memory of 3140 1160 rfxrrlf.exe 97 PID 3140 wrote to memory of 3500 3140 htnhbb.exe 98 PID 3140 wrote to memory of 3500 3140 htnhbb.exe 98 PID 3140 wrote to memory of 3500 3140 htnhbb.exe 98 PID 3500 wrote to memory of 2332 3500 hhtnhb.exe 99 PID 3500 wrote to memory of 2332 3500 hhtnhb.exe 99 PID 3500 wrote to memory of 2332 3500 hhtnhb.exe 99 PID 2332 wrote to memory of 4364 2332 xxlflll.exe 100 PID 2332 wrote to memory of 4364 2332 xxlflll.exe 100 PID 2332 wrote to memory of 4364 2332 xxlflll.exe 100 PID 4364 wrote to memory of 2568 4364 httbth.exe 101 PID 4364 wrote to memory of 2568 4364 httbth.exe 101 PID 4364 wrote to memory of 2568 4364 httbth.exe 101 PID 2568 wrote to memory of 3656 2568 vvjdd.exe 102 PID 2568 wrote to memory of 3656 2568 vvjdd.exe 102 PID 2568 wrote to memory of 3656 2568 vvjdd.exe 102 PID 3656 wrote to memory of 4240 3656 dvvpj.exe 103 PID 3656 wrote to memory of 4240 3656 dvvpj.exe 103 PID 3656 wrote to memory of 4240 3656 dvvpj.exe 103 PID 4240 wrote to memory of 4136 4240 xrrlfxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe"C:\Users\Admin\AppData\Local\Temp\011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\llxrlxl.exec:\llxrlxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\hnnhtt.exec:\hnnhtt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\lxfrlfr.exec:\lxfrlfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\9rxrlfx.exec:\9rxrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\ntttnh.exec:\ntttnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\bnnbtt.exec:\bnnbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\rflfxrr.exec:\rflfxrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\flrlffr.exec:\flrlffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\hbnhnh.exec:\hbnhnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\dpvpd.exec:\dpvpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\xrlflff.exec:\xrlflff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\hbnhnh.exec:\hbnhnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\dpdpj.exec:\dpdpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\rfxrrlf.exec:\rfxrrlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\htnhbb.exec:\htnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\hhtnhb.exec:\hhtnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\xxlflll.exec:\xxlflll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\httbth.exec:\httbth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\vvjdd.exec:\vvjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\dvvpj.exec:\dvvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\9nnbnh.exec:\9nnbnh.exe23⤵
- Executes dropped EXE
PID:4136 -
\??\c:\hnhbtn.exec:\hnhbtn.exe24⤵
- Executes dropped EXE
PID:2412 -
\??\c:\vdjvp.exec:\vdjvp.exe25⤵
- Executes dropped EXE
PID:1116 -
\??\c:\llrfxrf.exec:\llrfxrf.exe26⤵
- Executes dropped EXE
PID:184 -
\??\c:\frxlfxl.exec:\frxlfxl.exe27⤵
- Executes dropped EXE
PID:4744 -
\??\c:\btbbbb.exec:\btbbbb.exe28⤵
- Executes dropped EXE
PID:2620 -
\??\c:\httnhb.exec:\httnhb.exe29⤵
- Executes dropped EXE
PID:1184 -
\??\c:\vvdvj.exec:\vvdvj.exe30⤵
- Executes dropped EXE
PID:3164 -
\??\c:\frxxlfr.exec:\frxxlfr.exe31⤵
- Executes dropped EXE
PID:1736 -
\??\c:\lxrfrlx.exec:\lxrfrlx.exe32⤵
- Executes dropped EXE
PID:4456 -
\??\c:\nnthth.exec:\nnthth.exe33⤵
- Executes dropped EXE
PID:1144 -
\??\c:\jpvjd.exec:\jpvjd.exe34⤵
- Executes dropped EXE
PID:2000 -
\??\c:\jddvp.exec:\jddvp.exe35⤵
- Executes dropped EXE
PID:4308 -
\??\c:\lxlxffr.exec:\lxlxffr.exe36⤵
- Executes dropped EXE
PID:4548 -
\??\c:\hhtnhb.exec:\hhtnhb.exe37⤵
- Executes dropped EXE
PID:4772 -
\??\c:\hhtntt.exec:\hhtntt.exe38⤵
- Executes dropped EXE
PID:4496 -
\??\c:\pjdvv.exec:\pjdvv.exe39⤵
- Executes dropped EXE
PID:4688 -
\??\c:\jpddv.exec:\jpddv.exe40⤵
- Executes dropped EXE
PID:2200 -
\??\c:\rlxrxxr.exec:\rlxrxxr.exe41⤵
- Executes dropped EXE
PID:3096 -
\??\c:\nbhhbb.exec:\nbhhbb.exe42⤵
- Executes dropped EXE
PID:1584 -
\??\c:\ntbtnh.exec:\ntbtnh.exe43⤵
- Executes dropped EXE
PID:1244 -
\??\c:\jvddp.exec:\jvddp.exe44⤵
- Executes dropped EXE
PID:2692 -
\??\c:\xflfxrl.exec:\xflfxrl.exe45⤵
- Executes dropped EXE
PID:4960 -
\??\c:\7rxllll.exec:\7rxllll.exe46⤵
- Executes dropped EXE
PID:1000 -
\??\c:\hbbtnt.exec:\hbbtnt.exe47⤵
- Executes dropped EXE
PID:2080 -
\??\c:\jvvvp.exec:\jvvvp.exe48⤵
- Executes dropped EXE
PID:3976 -
\??\c:\vpjdj.exec:\vpjdj.exe49⤵
- Executes dropped EXE
PID:3584 -
\??\c:\xllfxrf.exec:\xllfxrf.exe50⤵
- Executes dropped EXE
PID:3856 -
\??\c:\1llxllx.exec:\1llxllx.exe51⤵
- Executes dropped EXE
PID:3680 -
\??\c:\bnnhbt.exec:\bnnhbt.exe52⤵
- Executes dropped EXE
PID:1864 -
\??\c:\7vpvp.exec:\7vpvp.exe53⤵
- Executes dropped EXE
PID:4900 -
\??\c:\pvjdv.exec:\pvjdv.exe54⤵
- Executes dropped EXE
PID:2108 -
\??\c:\flrlfxr.exec:\flrlfxr.exe55⤵
- Executes dropped EXE
PID:3476 -
\??\c:\bbbtnn.exec:\bbbtnn.exe56⤵
- Executes dropped EXE
PID:4028 -
\??\c:\nnbthb.exec:\nnbthb.exe57⤵
- Executes dropped EXE
PID:3432 -
\??\c:\ppvjv.exec:\ppvjv.exe58⤵
- Executes dropped EXE
PID:1124 -
\??\c:\xlfrxfr.exec:\xlfrxfr.exe59⤵
- Executes dropped EXE
PID:4948 -
\??\c:\llxrrlf.exec:\llxrrlf.exe60⤵
- Executes dropped EXE
PID:3876 -
\??\c:\vjpdv.exec:\vjpdv.exe61⤵
- Executes dropped EXE
PID:3636 -
\??\c:\7ppvj.exec:\7ppvj.exe62⤵
- Executes dropped EXE
PID:3808 -
\??\c:\frrfxrl.exec:\frrfxrl.exe63⤵
- Executes dropped EXE
PID:4480 -
\??\c:\hthbtt.exec:\hthbtt.exe64⤵
- Executes dropped EXE
PID:3800 -
\??\c:\tnbttn.exec:\tnbttn.exe65⤵
- Executes dropped EXE
PID:1064 -
\??\c:\7vdvp.exec:\7vdvp.exe66⤵PID:520
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe67⤵PID:5072
-
\??\c:\thhtnh.exec:\thhtnh.exe68⤵PID:2244
-
\??\c:\jdvpj.exec:\jdvpj.exe69⤵PID:3032
-
\??\c:\hhhbtn.exec:\hhhbtn.exe70⤵PID:1952
-
\??\c:\vjdpj.exec:\vjdpj.exe71⤵PID:3496
-
\??\c:\5rrfrlx.exec:\5rrfrlx.exe72⤵PID:3008
-
\??\c:\fflfffx.exec:\fflfffx.exe73⤵PID:2568
-
\??\c:\bnthbn.exec:\bnthbn.exe74⤵PID:1672
-
\??\c:\xxxrfxr.exec:\xxxrfxr.exe75⤵PID:1344
-
\??\c:\9hbthb.exec:\9hbthb.exe76⤵PID:4556
-
\??\c:\pdpjp.exec:\pdpjp.exe77⤵PID:1980
-
\??\c:\pjppp.exec:\pjppp.exe78⤵PID:184
-
\??\c:\jjpjd.exec:\jjpjd.exe79⤵PID:4820
-
\??\c:\rrfrfxl.exec:\rrfrfxl.exe80⤵PID:440
-
\??\c:\hhhtnn.exec:\hhhtnn.exe81⤵PID:3620
-
\??\c:\dpjdd.exec:\dpjdd.exe82⤵PID:1168
-
\??\c:\5rxxrll.exec:\5rxxrll.exe83⤵PID:1568
-
\??\c:\djdvj.exec:\djdvj.exe84⤵PID:4640
-
\??\c:\frlfrfx.exec:\frlfrfx.exe85⤵PID:2328
-
\??\c:\httnbt.exec:\httnbt.exe86⤵PID:2192
-
\??\c:\dppdp.exec:\dppdp.exe87⤵PID:4468
-
\??\c:\lllfrfr.exec:\lllfrfr.exe88⤵PID:436
-
\??\c:\bntbbn.exec:\bntbbn.exe89⤵PID:4496
-
\??\c:\lllfrlx.exec:\lllfrlx.exe90⤵PID:2944
-
\??\c:\ntbbtt.exec:\ntbbtt.exe91⤵PID:4292
-
\??\c:\vpvvj.exec:\vpvvj.exe92⤵PID:3096
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe93⤵PID:1092
-
\??\c:\thhtnh.exec:\thhtnh.exe94⤵PID:4776
-
\??\c:\jjvpv.exec:\jjvpv.exe95⤵PID:1244
-
\??\c:\thnbbb.exec:\thnbbb.exe96⤵PID:4972
-
\??\c:\pjjdj.exec:\pjjdj.exe97⤵PID:4960
-
\??\c:\ttnhhb.exec:\ttnhhb.exe98⤵PID:1532
-
\??\c:\bbthhn.exec:\bbthhn.exe99⤵PID:2976
-
\??\c:\jpjdp.exec:\jpjdp.exe100⤵PID:3976
-
\??\c:\lxflxrf.exec:\lxflxrf.exe101⤵PID:4076
-
\??\c:\hthbtn.exec:\hthbtn.exe102⤵PID:4000
-
\??\c:\3fxxrrl.exec:\3fxxrrl.exe103⤵PID:4728
-
\??\c:\tbbnhb.exec:\tbbnhb.exe104⤵PID:4784
-
\??\c:\hththn.exec:\hththn.exe105⤵PID:3932
-
\??\c:\1ppjd.exec:\1ppjd.exe106⤵PID:724
-
\??\c:\vjjdp.exec:\vjjdp.exe107⤵PID:4764
-
\??\c:\rrxrxrr.exec:\rrxrxrr.exe108⤵PID:4028
-
\??\c:\thhbtn.exec:\thhbtn.exe109⤵PID:116
-
\??\c:\nbnbbt.exec:\nbnbbt.exe110⤵PID:1576
-
\??\c:\jdvpd.exec:\jdvpd.exe111⤵PID:4008
-
\??\c:\pdvjd.exec:\pdvjd.exe112⤵PID:3432
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe113⤵PID:848
-
\??\c:\bbtbht.exec:\bbtbht.exe114⤵PID:3984
-
\??\c:\jvdvv.exec:\jvdvv.exe115⤵PID:2860
-
\??\c:\7jjdv.exec:\7jjdv.exe116⤵PID:3896
-
\??\c:\flrlfxr.exec:\flrlfxr.exe117⤵PID:3516
-
\??\c:\xfxrrlf.exec:\xfxrrlf.exe118⤵PID:5080
-
\??\c:\5ttnhh.exec:\5ttnhh.exe119⤵PID:3280
-
\??\c:\vjpjd.exec:\vjpjd.exe120⤵PID:800
-
\??\c:\fxllflr.exec:\fxllflr.exe121⤵PID:4464
-
\??\c:\bttnbh.exec:\bttnbh.exe122⤵PID:368