Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 23:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe
-
Size
454KB
-
MD5
767e95cbb3788d229908c341e53fb148
-
SHA1
2240ee838263c5e49311adc28e9ef4f70e78cf8a
-
SHA256
11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498
-
SHA512
27416b4ab219269e677134b231603e909caa15ac4704ecac0693ba301c528c5533086e7d9010fff9c17fba89142ea45006c9a3f4246ff95a714a03a0cbee42a5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4400-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/848-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2200-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-1384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-1786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 640 tbhbbh.exe 216 3lrrlrl.exe 1040 tbtbth.exe 2336 7nhbtb.exe 2136 dvvvj.exe 3964 nhhbtt.exe 4664 vvddv.exe 2264 3tnnhh.exe 1392 lfxrllx.exe 4100 bntntt.exe 2384 dpdvj.exe 1000 7nthbt.exe 1556 jvjdv.exe 232 xffrlrl.exe 3516 ttbttt.exe 4032 flxrllf.exe 4500 bnhbnn.exe 1188 fxrrlff.exe 1552 bnthbt.exe 4484 vpvpj.exe 3608 1xfxflf.exe 3936 hhnbht.exe 1140 lllfrrl.exe 2392 1lllllf.exe 4228 hntnhn.exe 4336 xrxxxxf.exe 456 xfxxxxl.exe 676 vdjdv.exe 848 ddpjp.exe 4440 9xxrffl.exe 3164 vpvvp.exe 2120 dvjvp.exe 2624 fxxrxfx.exe 1068 tthhhh.exe 3832 ddpjj.exe 4996 rllxrfx.exe 1600 3fllflf.exe 4936 ddjdp.exe 3776 pjdpd.exe 1980 rffxllf.exe 2396 tnntnn.exe 2356 vpdpp.exe 1868 lxfxllf.exe 2880 3htnhn.exe 4036 nnnnhh.exe 968 pddvp.exe 8 frxrrll.exe 2304 9tbttt.exe 1592 7nttnn.exe 2772 jpvvj.exe 4480 xxfxxxr.exe 4540 tntthh.exe 844 1jvpd.exe 3024 vppvj.exe 640 1ffxllf.exe 4232 hnbtnt.exe 3440 vpppd.exe 516 rllfxxr.exe 4704 xxlllll.exe 5000 3ntnhn.exe 628 vpvjd.exe 4820 5rrlxff.exe 4552 9flfffl.exe 1992 tnnhbb.exe -
resource yara_rule behavioral2/memory/640-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/676-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3420-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-783-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4400 wrote to memory of 640 4400 11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe 82 PID 4400 wrote to memory of 640 4400 11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe 82 PID 4400 wrote to memory of 640 4400 11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe 82 PID 640 wrote to memory of 216 640 tbhbbh.exe 83 PID 640 wrote to memory of 216 640 tbhbbh.exe 83 PID 640 wrote to memory of 216 640 tbhbbh.exe 83 PID 216 wrote to memory of 1040 216 3lrrlrl.exe 84 PID 216 wrote to memory of 1040 216 3lrrlrl.exe 84 PID 216 wrote to memory of 1040 216 3lrrlrl.exe 84 PID 1040 wrote to memory of 2336 1040 tbtbth.exe 85 PID 1040 wrote to memory of 2336 1040 tbtbth.exe 85 PID 1040 wrote to memory of 2336 1040 tbtbth.exe 85 PID 2336 wrote to memory of 2136 2336 7nhbtb.exe 86 PID 2336 wrote to memory of 2136 2336 7nhbtb.exe 86 PID 2336 wrote to memory of 2136 2336 7nhbtb.exe 86 PID 2136 wrote to memory of 3964 2136 dvvvj.exe 87 PID 2136 wrote to memory of 3964 2136 dvvvj.exe 87 PID 2136 wrote to memory of 3964 2136 dvvvj.exe 87 PID 3964 wrote to memory of 4664 3964 nhhbtt.exe 88 PID 3964 wrote to memory of 4664 3964 nhhbtt.exe 88 PID 3964 wrote to memory of 4664 3964 nhhbtt.exe 88 PID 4664 wrote to memory of 2264 4664 vvddv.exe 89 PID 4664 wrote to memory of 2264 4664 vvddv.exe 89 PID 4664 wrote to memory of 2264 4664 vvddv.exe 89 PID 2264 wrote to memory of 1392 2264 3tnnhh.exe 90 PID 2264 wrote to memory of 1392 2264 3tnnhh.exe 90 PID 2264 wrote to memory of 1392 2264 3tnnhh.exe 90 PID 1392 wrote to memory of 4100 1392 lfxrllx.exe 91 PID 1392 wrote to memory of 4100 1392 lfxrllx.exe 91 PID 1392 wrote to memory of 4100 1392 lfxrllx.exe 91 PID 4100 wrote to memory of 2384 4100 bntntt.exe 92 PID 4100 wrote to memory of 2384 4100 bntntt.exe 92 PID 4100 wrote to memory of 2384 4100 bntntt.exe 92 PID 2384 wrote to memory of 1000 2384 dpdvj.exe 93 PID 2384 wrote to memory of 1000 2384 
dpdvj.exe 93 PID 2384 wrote to memory of 1000 2384 dpdvj.exe 93 PID 1000 wrote to memory of 1556 1000 7nthbt.exe 94 PID 1000 wrote to memory of 1556 1000 7nthbt.exe 94 PID 1000 wrote to memory of 1556 1000 7nthbt.exe 94 PID 1556 wrote to memory of 232 1556 jvjdv.exe 95 PID 1556 wrote to memory of 232 1556 jvjdv.exe 95 PID 1556 wrote to memory of 232 1556 jvjdv.exe 95 PID 232 wrote to memory of 3516 232 xffrlrl.exe 96 PID 232 wrote to memory of 3516 232 xffrlrl.exe 96 PID 232 wrote to memory of 3516 232 xffrlrl.exe 96 PID 3516 wrote to memory of 4032 3516 ttbttt.exe 97 PID 3516 wrote to memory of 4032 3516 ttbttt.exe 97 PID 3516 wrote to memory of 4032 3516 ttbttt.exe 97 PID 4032 wrote to memory of 4500 4032 flxrllf.exe 98 PID 4032 wrote to memory of 4500 4032 flxrllf.exe 98 PID 4032 wrote to memory of 4500 4032 flxrllf.exe 98 PID 4500 wrote to memory of 1188 4500 bnhbnn.exe 99 PID 4500 wrote to memory of 1188 4500 bnhbnn.exe 99 PID 4500 wrote to memory of 1188 4500 bnhbnn.exe 99 PID 1188 wrote to memory of 1552 1188 fxrrlff.exe 100 PID 1188 wrote to memory of 1552 1188 fxrrlff.exe 100 PID 1188 wrote to memory of 1552 1188 fxrrlff.exe 100 PID 1552 wrote to memory of 4484 1552 bnthbt.exe 101 PID 1552 wrote to memory of 4484 1552 bnthbt.exe 101 PID 1552 wrote to memory of 4484 1552 bnthbt.exe 101 PID 4484 wrote to memory of 3608 4484 vpvpj.exe 102 PID 4484 wrote to memory of 3608 4484 vpvpj.exe 102 PID 4484 wrote to memory of 3608 4484 vpvpj.exe 102 PID 3608 wrote to memory of 3936 3608 1xfxflf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe"C:\Users\Admin\AppData\Local\Temp\11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\tbhbbh.exec:\tbhbbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\3lrrlrl.exec:\3lrrlrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\tbtbth.exec:\tbtbth.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\7nhbtb.exec:\7nhbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\dvvvj.exec:\dvvvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\nhhbtt.exec:\nhhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\vvddv.exec:\vvddv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\3tnnhh.exec:\3tnnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\lfxrllx.exec:\lfxrllx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\bntntt.exec:\bntntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\dpdvj.exec:\dpdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\7nthbt.exec:\7nthbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\jvjdv.exec:\jvjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\xffrlrl.exec:\xffrlrl.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\ttbttt.exec:\ttbttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\flxrllf.exec:\flxrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\bnhbnn.exec:\bnhbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\fxrrlff.exec:\fxrrlff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\bnthbt.exec:\bnthbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\vpvpj.exec:\vpvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\1xfxflf.exec:\1xfxflf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\hhnbht.exec:\hhnbht.exe23⤵
- Executes dropped EXE
PID:3936 -
\??\c:\lllfrrl.exec:\lllfrrl.exe24⤵
- Executes dropped EXE
PID:1140 -
\??\c:\1lllllf.exec:\1lllllf.exe25⤵
- Executes dropped EXE
PID:2392 -
\??\c:\hntnhn.exec:\hntnhn.exe26⤵
- Executes dropped EXE
PID:4228 -
\??\c:\xrxxxxf.exec:\xrxxxxf.exe27⤵
- Executes dropped EXE
PID:4336 -
\??\c:\xfxxxxl.exec:\xfxxxxl.exe28⤵
- Executes dropped EXE
PID:456 -
\??\c:\vdjdv.exec:\vdjdv.exe29⤵
- Executes dropped EXE
PID:676 -
\??\c:\ddpjp.exec:\ddpjp.exe30⤵
- Executes dropped EXE
PID:848 -
\??\c:\9xxrffl.exec:\9xxrffl.exe31⤵
- Executes dropped EXE
PID:4440 -
\??\c:\vpvvp.exec:\vpvvp.exe32⤵
- Executes dropped EXE
PID:3164 -
\??\c:\dvjvp.exec:\dvjvp.exe33⤵
- Executes dropped EXE
PID:2120 -
\??\c:\fxxrxfx.exec:\fxxrxfx.exe34⤵
- Executes dropped EXE
PID:2624 -
\??\c:\tthhhh.exec:\tthhhh.exe35⤵
- Executes dropped EXE
PID:1068 -
\??\c:\ddpjj.exec:\ddpjj.exe36⤵
- Executes dropped EXE
PID:3832 -
\??\c:\rllxrfx.exec:\rllxrfx.exe37⤵
- Executes dropped EXE
PID:4996 -
\??\c:\3fllflf.exec:\3fllflf.exe38⤵
- Executes dropped EXE
PID:1600 -
\??\c:\ddjdp.exec:\ddjdp.exe39⤵
- Executes dropped EXE
PID:4936 -
\??\c:\pjdpd.exec:\pjdpd.exe40⤵
- Executes dropped EXE
PID:3776 -
\??\c:\rffxllf.exec:\rffxllf.exe41⤵
- Executes dropped EXE
PID:1980 -
\??\c:\tnntnn.exec:\tnntnn.exe42⤵
- Executes dropped EXE
PID:2396 -
\??\c:\vpdpp.exec:\vpdpp.exe43⤵
- Executes dropped EXE
PID:2356 -
\??\c:\lxfxllf.exec:\lxfxllf.exe44⤵
- Executes dropped EXE
PID:1868 -
\??\c:\3htnhn.exec:\3htnhn.exe45⤵
- Executes dropped EXE
PID:2880 -
\??\c:\nnnnhh.exec:\nnnnhh.exe46⤵
- Executes dropped EXE
PID:4036 -
\??\c:\pddvp.exec:\pddvp.exe47⤵
- Executes dropped EXE
PID:968 -
\??\c:\frxrrll.exec:\frxrrll.exe48⤵
- Executes dropped EXE
PID:8 -
\??\c:\9tbttt.exec:\9tbttt.exe49⤵
- Executes dropped EXE
PID:2304 -
\??\c:\7nttnn.exec:\7nttnn.exe50⤵
- Executes dropped EXE
PID:1592 -
\??\c:\jpvvj.exec:\jpvvj.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772 -
\??\c:\xxfxxxr.exec:\xxfxxxr.exe52⤵
- Executes dropped EXE
PID:4480 -
\??\c:\tntthh.exec:\tntthh.exe53⤵
- Executes dropped EXE
PID:4540 -
\??\c:\1jvpd.exec:\1jvpd.exe54⤵
- Executes dropped EXE
PID:844 -
\??\c:\vppvj.exec:\vppvj.exe55⤵
- Executes dropped EXE
PID:3024 -
\??\c:\1ffxllf.exec:\1ffxllf.exe56⤵
- Executes dropped EXE
PID:640 -
\??\c:\hnbtnt.exec:\hnbtnt.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4232 -
\??\c:\vpppd.exec:\vpppd.exe58⤵
- Executes dropped EXE
PID:3440 -
\??\c:\rllfxxr.exec:\rllfxxr.exe59⤵
- Executes dropped EXE
PID:516 -
\??\c:\xxlllll.exec:\xxlllll.exe60⤵
- Executes dropped EXE
PID:4704 -
\??\c:\3ntnhn.exec:\3ntnhn.exe61⤵
- Executes dropped EXE
PID:5000 -
\??\c:\vpvjd.exec:\vpvjd.exe62⤵
- Executes dropped EXE
PID:628 -
\??\c:\5rrlxff.exec:\5rrlxff.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4820 -
\??\c:\9flfffl.exec:\9flfffl.exe64⤵
- Executes dropped EXE
PID:4552 -
\??\c:\tnnhbb.exec:\tnnhbb.exe65⤵
- Executes dropped EXE
PID:1992 -
\??\c:\nhnhbb.exec:\nhnhbb.exe66⤵PID:1224
-
\??\c:\dddvj.exec:\dddvj.exe67⤵PID:3408
-
\??\c:\flxrfxf.exec:\flxrfxf.exe68⤵PID:3520
-
\??\c:\hbhbbb.exec:\hbhbbb.exe69⤵PID:4100
-
\??\c:\jvddv.exec:\jvddv.exe70⤵PID:4308
-
\??\c:\pvpdv.exec:\pvpdv.exe71⤵PID:2676
-
\??\c:\rffxllf.exec:\rffxllf.exe72⤵PID:2200
-
\??\c:\htbtnn.exec:\htbtnn.exe73⤵PID:2344
-
\??\c:\9ddvd.exec:\9ddvd.exe74⤵PID:4940
-
\??\c:\5fxfxlf.exec:\5fxfxlf.exe75⤵PID:976
-
\??\c:\5flfxrl.exec:\5flfxrl.exe76⤵PID:5024
-
\??\c:\hnhbtn.exec:\hnhbtn.exe77⤵PID:4032
-
\??\c:\dppjv.exec:\dppjv.exe78⤵PID:4828
-
\??\c:\frxrffr.exec:\frxrffr.exe79⤵PID:4596
-
\??\c:\frxrrrl.exec:\frxrrrl.exe80⤵PID:4556
-
\??\c:\hnnnnn.exec:\hnnnnn.exe81⤵PID:3420
-
\??\c:\5vpjv.exec:\5vpjv.exe82⤵PID:4932
-
\??\c:\ffrlffl.exec:\ffrlffl.exe83⤵PID:3052
-
\??\c:\htbtnh.exec:\htbtnh.exe84⤵PID:3608
-
\??\c:\ntbthh.exec:\ntbthh.exe85⤵PID:3620
-
\??\c:\vdjdp.exec:\vdjdp.exe86⤵PID:3528
-
\??\c:\lrxrffx.exec:\lrxrffx.exe87⤵PID:3564
-
\??\c:\bttnhh.exec:\bttnhh.exe88⤵PID:4260
-
\??\c:\vjjdv.exec:\vjjdv.exe89⤵PID:3920
-
\??\c:\rllfrrl.exec:\rllfrrl.exe90⤵PID:1760
-
\??\c:\bhtthh.exec:\bhtthh.exe91⤵PID:4892
-
\??\c:\1ntnbb.exec:\1ntnbb.exe92⤵PID:456
-
\??\c:\ppvpj.exec:\ppvpj.exe93⤵PID:856
-
\??\c:\lflfffl.exec:\lflfffl.exe94⤵PID:536
-
\??\c:\3ffxrrf.exec:\3ffxrrf.exe95⤵PID:1132
-
\??\c:\tnthnt.exec:\tnthnt.exe96⤵PID:4460
-
\??\c:\pjdvp.exec:\pjdvp.exe97⤵PID:1964
-
\??\c:\pdjvp.exec:\pdjvp.exe98⤵PID:4536
-
\??\c:\lxfxlff.exec:\lxfxlff.exe99⤵PID:2440
-
\??\c:\nbnbtt.exec:\nbnbtt.exe100⤵PID:1128
-
\??\c:\pdjdp.exec:\pdjdp.exe101⤵PID:2172
-
\??\c:\fxxrffx.exec:\fxxrffx.exe102⤵PID:2436
-
\??\c:\nnbtbb.exec:\nnbtbb.exe103⤵PID:1948
-
\??\c:\nhtnhb.exec:\nhtnhb.exe104⤵PID:1636
-
\??\c:\1jdpv.exec:\1jdpv.exe105⤵PID:3060
-
\??\c:\dpppp.exec:\dpppp.exe106⤵PID:2852
-
\??\c:\ffffrrr.exec:\ffffrrr.exe107⤵PID:3632
-
\??\c:\nhtntn.exec:\nhtntn.exe108⤵PID:2396
-
\??\c:\bbtnhb.exec:\bbtnhb.exe109⤵
- System Location Discovery: System Language Discovery
PID:2356 -
\??\c:\3ppjd.exec:\3ppjd.exe110⤵PID:3064
-
\??\c:\1rrrfxr.exec:\1rrrfxr.exe111⤵PID:3364
-
\??\c:\bnthbt.exec:\bnthbt.exe112⤵PID:3320
-
\??\c:\3bbbbb.exec:\3bbbbb.exe113⤵PID:2884
-
\??\c:\vppjv.exec:\vppjv.exe114⤵PID:4020
-
\??\c:\rfflxxx.exec:\rfflxxx.exe115⤵PID:3160
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe116⤵PID:1240
-
\??\c:\nbnhbt.exec:\nbnhbt.exe117⤵PID:1900
-
\??\c:\vdjdp.exec:\vdjdp.exe118⤵PID:2772
-
\??\c:\flffxfx.exec:\flffxfx.exe119⤵PID:4496
-
\??\c:\1rlxrxl.exec:\1rlxrxl.exe120⤵PID:4540
-
\??\c:\nbnhtb.exec:\nbnhtb.exe121⤵PID:844
-
\??\c:\5tbnbt.exec:\5tbnbt.exe122⤵
- System Location Discovery: System Language Discovery
PID:2692