Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe
-
Size
453KB
-
MD5
7b13c325b4816296c67343bead78647f
-
SHA1
36edad457e248e5f90af82b53f9d604dcf027eef
-
SHA256
e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f
-
SHA512
c1673e203329c17c9d19a942126538ce1e3d2d78eca523ea54596099337eaaf12912a251a785db966f862c28b2849302fb7717f4c0b82e45286b39c29ee5e647
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4256-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2320-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2648-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-1007-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-1072-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3696-1356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 552 vvdvd.exe 1348 xlrrrll.exe 4256 9lrlffx.exe 224 bbhhnh.exe 2504 lxllffx.exe 3544 9jjdv.exe 980 rlxrlll.exe 4460 vjpjj.exe 1852 9hbbtb.exe 4940 ttnhbb.exe 1352 rllfrlx.exe 4620 dvpjd.exe 5116 nhbthh.exe 396 5vdvp.exe 2912 1fxrffx.exe 4200 hbttnn.exe 4792 tnbttt.exe 3304 pjppd.exe 1752 lxlffxx.exe 4912 tbtbtb.exe 1624 llfxfxx.exe 2320 nhnhhh.exe 1388 vjvvp.exe 3036 3llfxlf.exe 1772 tthbbb.exe 4644 xxxlflf.exe 3044 bthbnn.exe 2496 dppjd.exe 3708 frrlxrl.exe 4168 nhhbtn.exe 4568 lrrlxrr.exe 4012 tnhbth.exe 2432 3dvpd.exe 3552 1xfxffr.exe 2172 jddvp.exe 5104 vpjpd.exe 2568 xflxrrf.exe 1680 ntbhbt.exe 1600 pjvpd.exe 4664 fxxfffr.exe 4920 hbtthn.exe 4320 vjdpv.exe 4724 fffxxxf.exe 3536 rxffxrl.exe 2732 vdvpd.exe 1356 rrlfrlf.exe 4380 llxfrlf.exe 1632 hbnhtn.exe 3012 ppvpj.exe 2016 1xxlrrl.exe 1520 bhhtnh.exe 4528 ppvpd.exe 4344 3lffrfr.exe 1004 lxlxfxr.exe 4860 hbhbhh.exe 3836 jjdvp.exe 1036 rlrxlfl.exe 3968 9xlffff.exe 4640 1nnhbt.exe 2976 vdpdv.exe 4400 1xxxrxr.exe 4260 3bnbht.exe 3676 3bnbhb.exe 2944 pvjpv.exe -
resource yara_rule behavioral2/memory/4256-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3044-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5000-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-849-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djjj.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3300 wrote to memory of 552 3300 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 82 PID 3300 wrote to memory of 552 3300 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 82 PID 3300 wrote to memory of 552 3300 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 82 PID 552 wrote to memory of 1348 552 vvdvd.exe 83 PID 552 wrote to memory of 1348 552 vvdvd.exe 83 PID 552 wrote to memory of 1348 552 vvdvd.exe 83 PID 1348 wrote to memory of 4256 1348 xlrrrll.exe 84 PID 1348 wrote to memory of 4256 1348 xlrrrll.exe 84 PID 1348 wrote to memory of 4256 1348 xlrrrll.exe 84 PID 4256 wrote to memory of 224 4256 9lrlffx.exe 85 PID 4256 wrote to memory of 224 4256 9lrlffx.exe 85 PID 4256 wrote to memory of 224 4256 9lrlffx.exe 85 PID 224 wrote to memory of 2504 224 bbhhnh.exe 86 PID 224 wrote to memory of 2504 224 bbhhnh.exe 86 PID 224 wrote to memory of 2504 224 bbhhnh.exe 86 PID 2504 wrote to memory of 3544 2504 lxllffx.exe 87 PID 2504 wrote to memory of 3544 2504 lxllffx.exe 87 PID 2504 wrote to memory of 3544 2504 lxllffx.exe 87 PID 3544 wrote to memory of 980 3544 9jjdv.exe 88 PID 3544 wrote to memory of 980 3544 9jjdv.exe 88 PID 3544 wrote to memory of 980 3544 9jjdv.exe 88 PID 980 wrote to memory of 4460 980 rlxrlll.exe 89 PID 980 wrote to memory of 4460 980 rlxrlll.exe 89 PID 980 wrote to memory of 4460 980 rlxrlll.exe 89 PID 4460 wrote to memory of 1852 4460 vjpjj.exe 90 PID 4460 wrote to memory of 1852 4460 vjpjj.exe 90 PID 4460 wrote to memory of 1852 4460 vjpjj.exe 90 PID 1852 wrote to memory of 4940 1852 9hbbtb.exe 91 PID 1852 wrote to memory of 4940 1852 9hbbtb.exe 91 PID 1852 wrote to memory of 4940 1852 9hbbtb.exe 91 PID 4940 wrote to memory of 1352 4940 ttnhbb.exe 92 PID 4940 wrote to memory of 1352 4940 ttnhbb.exe 92 PID 4940 wrote to memory of 1352 4940 ttnhbb.exe 92 PID 1352 wrote to memory of 4620 1352 rllfrlx.exe 93 PID 1352 wrote to memory of 4620 1352 
rllfrlx.exe 93 PID 1352 wrote to memory of 4620 1352 rllfrlx.exe 93 PID 4620 wrote to memory of 5116 4620 dvpjd.exe 94 PID 4620 wrote to memory of 5116 4620 dvpjd.exe 94 PID 4620 wrote to memory of 5116 4620 dvpjd.exe 94 PID 5116 wrote to memory of 396 5116 nhbthh.exe 95 PID 5116 wrote to memory of 396 5116 nhbthh.exe 95 PID 5116 wrote to memory of 396 5116 nhbthh.exe 95 PID 396 wrote to memory of 2912 396 5vdvp.exe 96 PID 396 wrote to memory of 2912 396 5vdvp.exe 96 PID 396 wrote to memory of 2912 396 5vdvp.exe 96 PID 2912 wrote to memory of 4200 2912 1fxrffx.exe 97 PID 2912 wrote to memory of 4200 2912 1fxrffx.exe 97 PID 2912 wrote to memory of 4200 2912 1fxrffx.exe 97 PID 4200 wrote to memory of 4792 4200 hbttnn.exe 98 PID 4200 wrote to memory of 4792 4200 hbttnn.exe 98 PID 4200 wrote to memory of 4792 4200 hbttnn.exe 98 PID 4792 wrote to memory of 3304 4792 tnbttt.exe 99 PID 4792 wrote to memory of 3304 4792 tnbttt.exe 99 PID 4792 wrote to memory of 3304 4792 tnbttt.exe 99 PID 3304 wrote to memory of 1752 3304 pjppd.exe 100 PID 3304 wrote to memory of 1752 3304 pjppd.exe 100 PID 3304 wrote to memory of 1752 3304 pjppd.exe 100 PID 1752 wrote to memory of 4912 1752 lxlffxx.exe 101 PID 1752 wrote to memory of 4912 1752 lxlffxx.exe 101 PID 1752 wrote to memory of 4912 1752 lxlffxx.exe 101 PID 4912 wrote to memory of 1624 4912 tbtbtb.exe 102 PID 4912 wrote to memory of 1624 4912 tbtbtb.exe 102 PID 4912 wrote to memory of 1624 4912 tbtbtb.exe 102 PID 1624 wrote to memory of 2320 1624 llfxfxx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe"C:\Users\Admin\AppData\Local\Temp\e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\vvdvd.exec:\vvdvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\xlrrrll.exec:\xlrrrll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\9lrlffx.exec:\9lrlffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\bbhhnh.exec:\bbhhnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\lxllffx.exec:\lxllffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\9jjdv.exec:\9jjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\rlxrlll.exec:\rlxrlll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\vjpjj.exec:\vjpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\9hbbtb.exec:\9hbbtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\ttnhbb.exec:\ttnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\rllfrlx.exec:\rllfrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\dvpjd.exec:\dvpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\nhbthh.exec:\nhbthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\5vdvp.exec:\5vdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\1fxrffx.exec:\1fxrffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\hbttnn.exec:\hbttnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\tnbttt.exec:\tnbttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\pjppd.exec:\pjppd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\lxlffxx.exec:\lxlffxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\tbtbtb.exec:\tbtbtb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\llfxfxx.exec:\llfxfxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\nhnhhh.exec:\nhnhhh.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
\??\c:\vjvvp.exec:\vjvvp.exe24⤵
- Executes dropped EXE
PID:1388 -
\??\c:\3llfxlf.exec:\3llfxlf.exe25⤵
- Executes dropped EXE
PID:3036 -
\??\c:\tthbbb.exec:\tthbbb.exe26⤵
- Executes dropped EXE
PID:1772 -
\??\c:\xxxlflf.exec:\xxxlflf.exe27⤵
- Executes dropped EXE
PID:4644 -
\??\c:\bthbnn.exec:\bthbnn.exe28⤵
- Executes dropped EXE
PID:3044 -
\??\c:\dppjd.exec:\dppjd.exe29⤵
- Executes dropped EXE
PID:2496 -
\??\c:\frrlxrl.exec:\frrlxrl.exe30⤵
- Executes dropped EXE
PID:3708 -
\??\c:\nhhbtn.exec:\nhhbtn.exe31⤵
- Executes dropped EXE
PID:4168 -
\??\c:\lrrlxrr.exec:\lrrlxrr.exe32⤵
- Executes dropped EXE
PID:4568 -
\??\c:\tnhbth.exec:\tnhbth.exe33⤵
- Executes dropped EXE
PID:4012 -
\??\c:\3dvpd.exec:\3dvpd.exe34⤵
- Executes dropped EXE
PID:2432 -
\??\c:\1xfxffr.exec:\1xfxffr.exe35⤵
- Executes dropped EXE
PID:3552 -
\??\c:\jddvp.exec:\jddvp.exe36⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vpjpd.exec:\vpjpd.exe37⤵
- Executes dropped EXE
PID:5104 -
\??\c:\xflxrrf.exec:\xflxrrf.exe38⤵
- Executes dropped EXE
PID:2568 -
\??\c:\ntbhbt.exec:\ntbhbt.exe39⤵
- Executes dropped EXE
PID:1680 -
\??\c:\pjvpd.exec:\pjvpd.exe40⤵
- Executes dropped EXE
PID:1600 -
\??\c:\fxxfffr.exec:\fxxfffr.exe41⤵
- Executes dropped EXE
PID:4664 -
\??\c:\hbtthn.exec:\hbtthn.exe42⤵
- Executes dropped EXE
PID:4920 -
\??\c:\vjdpv.exec:\vjdpv.exe43⤵
- Executes dropped EXE
PID:4320 -
\??\c:\fffxxxf.exec:\fffxxxf.exe44⤵
- Executes dropped EXE
PID:4724 -
\??\c:\rxffxrl.exec:\rxffxrl.exe45⤵
- Executes dropped EXE
PID:3536 -
\??\c:\vdvpd.exec:\vdvpd.exe46⤵
- Executes dropped EXE
PID:2732 -
\??\c:\rrlfrlf.exec:\rrlfrlf.exe47⤵
- Executes dropped EXE
PID:1356 -
\??\c:\llxfrlf.exec:\llxfrlf.exe48⤵
- Executes dropped EXE
PID:4380 -
\??\c:\hbnhtn.exec:\hbnhtn.exe49⤵
- Executes dropped EXE
PID:1632 -
\??\c:\ppvpj.exec:\ppvpj.exe50⤵
- Executes dropped EXE
PID:3012 -
\??\c:\1xxlrrl.exec:\1xxlrrl.exe51⤵
- Executes dropped EXE
PID:2016 -
\??\c:\bhhtnh.exec:\bhhtnh.exe52⤵
- Executes dropped EXE
PID:1520 -
\??\c:\ppvpd.exec:\ppvpd.exe53⤵
- Executes dropped EXE
PID:4528 -
\??\c:\3lffrfr.exec:\3lffrfr.exe54⤵
- Executes dropped EXE
PID:4344 -
\??\c:\lxlxfxr.exec:\lxlxfxr.exe55⤵
- Executes dropped EXE
PID:1004 -
\??\c:\hbhbhh.exec:\hbhbhh.exe56⤵
- Executes dropped EXE
PID:4860 -
\??\c:\jjdvp.exec:\jjdvp.exe57⤵
- Executes dropped EXE
PID:3836 -
\??\c:\rlrxlfl.exec:\rlrxlfl.exe58⤵
- Executes dropped EXE
PID:1036 -
\??\c:\9xlffff.exec:\9xlffff.exe59⤵
- Executes dropped EXE
PID:3968 -
\??\c:\1nnhbt.exec:\1nnhbt.exe60⤵
- Executes dropped EXE
PID:4640 -
\??\c:\vdpdv.exec:\vdpdv.exe61⤵
- Executes dropped EXE
PID:2976 -
\??\c:\1xxxrxr.exec:\1xxxrxr.exe62⤵
- Executes dropped EXE
PID:4400 -
\??\c:\3bnbht.exec:\3bnbht.exe63⤵
- Executes dropped EXE
PID:4260 -
\??\c:\3bnbhb.exec:\3bnbhb.exe64⤵
- Executes dropped EXE
PID:3676 -
\??\c:\pvjpv.exec:\pvjpv.exe65⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lfxrxrl.exec:\lfxrxrl.exe66⤵PID:980
-
\??\c:\5hhbtt.exec:\5hhbtt.exe67⤵PID:3560
-
\??\c:\tbnbnn.exec:\tbnbnn.exe68⤵PID:3792
-
\??\c:\9pvdp.exec:\9pvdp.exe69⤵PID:1132
-
\??\c:\xxlrxlr.exec:\xxlrxlr.exe70⤵PID:2764
-
\??\c:\fffxrfx.exec:\fffxrfx.exe71⤵PID:2648
-
\??\c:\thhnhh.exec:\thhnhh.exe72⤵PID:3200
-
\??\c:\pvvpj.exec:\pvvpj.exe73⤵PID:4856
-
\??\c:\1rxrlll.exec:\1rxrlll.exe74⤵PID:5116
-
\??\c:\ntbtnn.exec:\ntbtnn.exe75⤵PID:396
-
\??\c:\hbnbbb.exec:\hbnbbb.exe76⤵PID:4552
-
\??\c:\7jjdv.exec:\7jjdv.exe77⤵PID:2912
-
\??\c:\lfrxrxr.exec:\lfrxrxr.exe78⤵PID:1912
-
\??\c:\hnhhbb.exec:\hnhhbb.exe79⤵PID:1796
-
\??\c:\pddvp.exec:\pddvp.exe80⤵PID:2856
-
\??\c:\lrlxxlf.exec:\lrlxxlf.exe81⤵PID:1976
-
\??\c:\1hhbtn.exec:\1hhbtn.exe82⤵PID:1752
-
\??\c:\vvvpj.exec:\vvvpj.exe83⤵PID:4544
-
\??\c:\vppdp.exec:\vppdp.exe84⤵PID:2224
-
\??\c:\tnhnbn.exec:\tnhnbn.exe85⤵PID:4556
-
\??\c:\btbtnn.exec:\btbtnn.exe86⤵PID:5000
-
\??\c:\5vvpj.exec:\5vvpj.exe87⤵PID:860
-
\??\c:\1lfxlfx.exec:\1lfxlfx.exe88⤵PID:3060
-
\??\c:\bnhntt.exec:\bnhntt.exe89⤵PID:2196
-
\??\c:\jvdvd.exec:\jvdvd.exe90⤵PID:3400
-
\??\c:\frxlfxr.exec:\frxlfxr.exe91⤵PID:4192
-
\??\c:\1lxrrrx.exec:\1lxrrrx.exe92⤵PID:1512
-
\??\c:\nhhhbt.exec:\nhhhbt.exe93⤵PID:2308
-
\??\c:\vvjdd.exec:\vvjdd.exe94⤵PID:2084
-
\??\c:\rlxlffx.exec:\rlxlffx.exe95⤵PID:4784
-
\??\c:\xfxxrlx.exec:\xfxxrlx.exe96⤵PID:4500
-
\??\c:\5nnbbh.exec:\5nnbbh.exe97⤵PID:3704
-
\??\c:\ddddv.exec:\ddddv.exe98⤵PID:3376
-
\??\c:\flrlxrr.exec:\flrlxrr.exe99⤵PID:2616
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe100⤵PID:2876
-
\??\c:\btnnht.exec:\btnnht.exe101⤵PID:3032
-
\??\c:\dpvpp.exec:\dpvpp.exe102⤵PID:1924
-
\??\c:\lxfrlfx.exec:\lxfrlfx.exe103⤵PID:3588
-
\??\c:\bnnhbn.exec:\bnnhbn.exe104⤵PID:2804
-
\??\c:\hbtnbt.exec:\hbtnbt.exe105⤵PID:3668
-
\??\c:\vpddp.exec:\vpddp.exe106⤵PID:3892
-
\??\c:\fxllllr.exec:\fxllllr.exe107⤵PID:4520
-
\??\c:\hhhhbb.exec:\hhhhbb.exe108⤵PID:1928
-
\??\c:\dvvpd.exec:\dvvpd.exe109⤵PID:4020
-
\??\c:\rffxrxx.exec:\rffxrxx.exe110⤵PID:2192
-
\??\c:\1ntnnt.exec:\1ntnnt.exe111⤵PID:4596
-
\??\c:\jdjdd.exec:\jdjdd.exe112⤵PID:208
-
\??\c:\frlflrf.exec:\frlflrf.exe113⤵PID:4832
-
\??\c:\1bbttb.exec:\1bbttb.exe114⤵PID:4564
-
\??\c:\dpddd.exec:\dpddd.exe115⤵PID:2424
-
\??\c:\pddvp.exec:\pddvp.exe116⤵PID:1896
-
\??\c:\flrxllx.exec:\flrxllx.exe117⤵PID:2564
-
\??\c:\ththnn.exec:\ththnn.exe118⤵PID:4196
-
\??\c:\vpvpj.exec:\vpvpj.exe119⤵PID:2688
-
\??\c:\rlrrllf.exec:\rlrrllf.exe120⤵PID:2736
-
\??\c:\nnbbtt.exec:\nnbbtt.exe121⤵PID:4468
-
\??\c:\nbbtnh.exec:\nbbtnh.exe122⤵PID:4684