Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 05:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Note: the task summary above names behavioral1 (win7-20240903-en, windows7-x64), but every signature entry and process below is tagged behavioral2, and the platform/resource fields at the top of the page are windows10-2004_x64 / win10v2004-20241007-en. Read the results on this page as the Windows 10 x64 run; the Windows 7 (behavioral1) results are not shown here and must be pulled from that task separately before concluding anything about the sample's behaviour on older platforms.
General
-
Target
a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe
-
Size
456KB
-
MD5
cdb1e57bdfa00fa8b9fc12c3c5331be1
-
SHA1
e31f2af6c65a1ae7640715749da46332f412374c
-
SHA256
a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b
-
SHA512
715fbb0bbcd12cca42fe8ab941c25d341d2d2cee7578e5545bedfc121411987838afce16d4e7d75beb4961df4f596ba6e2a937b271427415649c83a11ca604c9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRk:q7Tc2NYHUrAwfMp3CDRk
Malware Config (no extracted configuration is shown for this sample)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs. Every signature on this page reports exactly 64 IoCs, which indicates a per-signature display cap rather than a true count — the process tree below runs to depth 122. The rule matches the same 0x00400000–0x0042A000 mapping in each spawned process, the region the UPX rule below also flags, so the family classification rests on YARA hits against memory dumps of that region, not on the on-disk file; verify it independently (e.g. against an unpacked copy) before acting on the label.
resource yara_rule behavioral2/memory/5096-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1472-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3340-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-1008-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5080-1197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64: the process tree below shows the chain continuing to depth 122, and the tree's "Executes dropped EXE" tag stops after the 64th listed entry, tntttt.exe PID 1676, for the same reason — the untagged deeper entries are not evidence that those processes were not dropped binaries)
pid Process 1872 jpvvd.exe 1340 xllfxxr.exe 3004 ttbthh.exe 3584 5jvvp.exe 4296 3xlflrx.exe 4884 lllfxxr.exe 2392 ntnhhh.exe 116 vdvvp.exe 2164 vddvj.exe 4032 rrrrlff.exe 1360 7bbbtt.exe 2852 hntnhh.exe 1068 ppppj.exe 2512 1xrlffl.exe 956 xffxrrr.exe 4148 1bnhtb.exe 2252 5pppp.exe 4156 ddvvp.exe 3416 lfffxxr.exe 3000 5hbtnn.exe 4572 nbhtnn.exe 1820 9vvvv.exe 2152 lrlfxxr.exe 2608 1lxlffx.exe 1472 9nhbtt.exe 4068 jpddd.exe 2704 pppjd.exe 1560 1frlllr.exe 1776 ttbbbb.exe 3016 tntttt.exe 1408 vvvpj.exe 3104 fffxrlf.exe 4524 flrrxrx.exe 1752 bhhhbb.exe 4752 ddpjp.exe 1724 1ppjd.exe 2916 5rlllff.exe 1584 5bbtnn.exe 3596 ntnnht.exe 1760 ddjjp.exe 4956 xlrlffx.exe 1468 btnbnn.exe 4580 ttbbbb.exe 532 3pppj.exe 1952 5lfrllf.exe 4208 rrrllfx.exe 364 bbbbtt.exe 3816 bbnnhn.exe 2820 1djdv.exe 3964 9xrlffl.exe 2996 5btbtt.exe 4328 nhnhbn.exe 3100 djjjd.exe 4468 jvpjd.exe 444 xflxrrf.exe 1476 9hbbnn.exe 3536 nhnhbb.exe 3056 jpvvd.exe 2284 lrxrrrr.exe 2412 ffllxxl.exe 2220 vdvdd.exe 3204 xrxxxlf.exe 1052 fxrrlll.exe 1676 tntttt.exe -
UPX-packed image (YARA rule `upx`) 64 IoCs — fires on the same 0x00400000–0x0042A000 region in the same processes as the Blackmoon payload rule above, which suggests each dropped executable is the same UPX-packed image (the same 0x2A000-byte mapping appears in every process); expect to unpack the on-disk file before any static signature or code analysis.
resource yara_rule behavioral2/memory/5096-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-129-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4572-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-385-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1584-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-774-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host (the sandbox's MITRE ATT&CK mapping, T1614.001, of the registry read below). The page records only that HKLM\SYSTEM\ControlSet001\Control\NLS\Language was opened, not what the sample does with the value, so treat the geolocation intent as the sandbox's interpretation rather than observed behaviour. Entries attributed to "Process not Found" are reads whose originating process the monitor could not resolve — presumably short-lived children in the spawn chain that had already exited — so the named processes are a lower bound, not the full set of readers.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtbn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. Each record is a parent writing into the child it has just spawned, logged three times per pair, and the pairs line up exactly with the process tree below; writes into one's own freshly created child are consistent with process start-up rather than injection into an unrelated process, so use this signature as corroboration of the spawn chain, not as proof of code injection. Also note that PIDs are reused within the run — 3004, 4884 and 3000 each appear twice in the tree (levels 4/67, 7/71 and 21/81) — and the procid_target index for those pairs (148, 152, 162 where the sequence would otherwise give 85, 88, 102) appears to resolve to the later instance; correlate on the sandbox's process index rather than on the PID alone.
description pid Process procid_target PID 5096 wrote to memory of 1872 5096 a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe 83 PID 5096 wrote to memory of 1872 5096 a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe 83 PID 5096 wrote to memory of 1872 5096 a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe 83 PID 1872 wrote to memory of 1340 1872 jpvvd.exe 84 PID 1872 wrote to memory of 1340 1872 jpvvd.exe 84 PID 1872 wrote to memory of 1340 1872 jpvvd.exe 84 PID 1340 wrote to memory of 3004 1340 xllfxxr.exe 148 PID 1340 wrote to memory of 3004 1340 xllfxxr.exe 148 PID 1340 wrote to memory of 3004 1340 xllfxxr.exe 148 PID 3004 wrote to memory of 3584 3004 ttbthh.exe 86 PID 3004 wrote to memory of 3584 3004 ttbthh.exe 86 PID 3004 wrote to memory of 3584 3004 ttbthh.exe 86 PID 3584 wrote to memory of 4296 3584 5jvvp.exe 87 PID 3584 wrote to memory of 4296 3584 5jvvp.exe 87 PID 3584 wrote to memory of 4296 3584 5jvvp.exe 87 PID 4296 wrote to memory of 4884 4296 3xlflrx.exe 152 PID 4296 wrote to memory of 4884 4296 3xlflrx.exe 152 PID 4296 wrote to memory of 4884 4296 3xlflrx.exe 152 PID 4884 wrote to memory of 2392 4884 lllfxxr.exe 89 PID 4884 wrote to memory of 2392 4884 lllfxxr.exe 89 PID 4884 wrote to memory of 2392 4884 lllfxxr.exe 89 PID 2392 wrote to memory of 116 2392 ntnhhh.exe 90 PID 2392 wrote to memory of 116 2392 ntnhhh.exe 90 PID 2392 wrote to memory of 116 2392 ntnhhh.exe 90 PID 116 wrote to memory of 2164 116 vdvvp.exe 91 PID 116 wrote to memory of 2164 116 vdvvp.exe 91 PID 116 wrote to memory of 2164 116 vdvvp.exe 91 PID 2164 wrote to memory of 4032 2164 vddvj.exe 92 PID 2164 wrote to memory of 4032 2164 vddvj.exe 92 PID 2164 wrote to memory of 4032 2164 vddvj.exe 92 PID 4032 wrote to memory of 1360 4032 rrrrlff.exe 93 PID 4032 wrote to memory of 1360 4032 rrrrlff.exe 93 PID 4032 wrote to memory of 1360 4032 rrrrlff.exe 93 PID 1360 wrote to memory of 2852 1360 7bbbtt.exe 94 PID 1360 wrote to 
memory of 2852 1360 7bbbtt.exe 94 PID 1360 wrote to memory of 2852 1360 7bbbtt.exe 94 PID 2852 wrote to memory of 1068 2852 hntnhh.exe 95 PID 2852 wrote to memory of 1068 2852 hntnhh.exe 95 PID 2852 wrote to memory of 1068 2852 hntnhh.exe 95 PID 1068 wrote to memory of 2512 1068 ppppj.exe 96 PID 1068 wrote to memory of 2512 1068 ppppj.exe 96 PID 1068 wrote to memory of 2512 1068 ppppj.exe 96 PID 2512 wrote to memory of 956 2512 1xrlffl.exe 97 PID 2512 wrote to memory of 956 2512 1xrlffl.exe 97 PID 2512 wrote to memory of 956 2512 1xrlffl.exe 97 PID 956 wrote to memory of 4148 956 xffxrrr.exe 98 PID 956 wrote to memory of 4148 956 xffxrrr.exe 98 PID 956 wrote to memory of 4148 956 xffxrrr.exe 98 PID 4148 wrote to memory of 2252 4148 1bnhtb.exe 99 PID 4148 wrote to memory of 2252 4148 1bnhtb.exe 99 PID 4148 wrote to memory of 2252 4148 1bnhtb.exe 99 PID 2252 wrote to memory of 4156 2252 5pppp.exe 100 PID 2252 wrote to memory of 4156 2252 5pppp.exe 100 PID 2252 wrote to memory of 4156 2252 5pppp.exe 100 PID 4156 wrote to memory of 3416 4156 ddvvp.exe 101 PID 4156 wrote to memory of 3416 4156 ddvvp.exe 101 PID 4156 wrote to memory of 3416 4156 ddvvp.exe 101 PID 3416 wrote to memory of 3000 3416 lfffxxr.exe 162 PID 3416 wrote to memory of 3000 3416 lfffxxr.exe 162 PID 3416 wrote to memory of 3000 3416 lfffxxr.exe 162 PID 3000 wrote to memory of 4572 3000 5hbtnn.exe 103 PID 3000 wrote to memory of 4572 3000 5hbtnn.exe 103 PID 3000 wrote to memory of 4572 3000 5hbtnn.exe 103 PID 4572 wrote to memory of 1820 4572 nbhtnn.exe 104
Processes (every dropped binary is written to the root of C:\ — shown as \??\c:\<name>.exe — with a short name made only of the letters b d f h j l n p r t v x and the odd digits 1–9, a distinctive pattern worth hunting for; each process launches exactly one child, so the tree is a single chain 122 levels deep within the 150 s run)
-
C:\Users\Admin\AppData\Local\Temp\a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe"C:\Users\Admin\AppData\Local\Temp\a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\jpvvd.exec:\jpvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\xllfxxr.exec:\xllfxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\ttbthh.exec:\ttbthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\5jvvp.exec:\5jvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\3xlflrx.exec:\3xlflrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\lllfxxr.exec:\lllfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\ntnhhh.exec:\ntnhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\vdvvp.exec:\vdvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\vddvj.exec:\vddvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\rrrrlff.exec:\rrrrlff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\7bbbtt.exec:\7bbbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\hntnhh.exec:\hntnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\ppppj.exec:\ppppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\1xrlffl.exec:\1xrlffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\xffxrrr.exec:\xffxrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\1bnhtb.exec:\1bnhtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\5pppp.exec:\5pppp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\ddvvp.exec:\ddvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\lfffxxr.exec:\lfffxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\5hbtnn.exec:\5hbtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\nbhtnn.exec:\nbhtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\9vvvv.exec:\9vvvv.exe23⤵
- Executes dropped EXE
PID:1820 -
\??\c:\lrlfxxr.exec:\lrlfxxr.exe24⤵
- Executes dropped EXE
PID:2152 -
\??\c:\1lxlffx.exec:\1lxlffx.exe25⤵
- Executes dropped EXE
PID:2608 -
\??\c:\9nhbtt.exec:\9nhbtt.exe26⤵
- Executes dropped EXE
PID:1472 -
\??\c:\jpddd.exec:\jpddd.exe27⤵
- Executes dropped EXE
PID:4068 -
\??\c:\pppjd.exec:\pppjd.exe28⤵
- Executes dropped EXE
PID:2704 -
\??\c:\1frlllr.exec:\1frlllr.exe29⤵
- Executes dropped EXE
PID:1560 -
\??\c:\ttbbbb.exec:\ttbbbb.exe30⤵
- Executes dropped EXE
PID:1776 -
\??\c:\tntttt.exec:\tntttt.exe31⤵
- Executes dropped EXE
PID:3016 -
\??\c:\vvvpj.exec:\vvvpj.exe32⤵
- Executes dropped EXE
PID:1408 -
\??\c:\fffxrlf.exec:\fffxrlf.exe33⤵
- Executes dropped EXE
PID:3104 -
\??\c:\flrrxrx.exec:\flrrxrx.exe34⤵
- Executes dropped EXE
PID:4524 -
\??\c:\bhhhbb.exec:\bhhhbb.exe35⤵
- Executes dropped EXE
PID:1752 -
\??\c:\ddpjp.exec:\ddpjp.exe36⤵
- Executes dropped EXE
PID:4752 -
\??\c:\1ppjd.exec:\1ppjd.exe37⤵
- Executes dropped EXE
PID:1724 -
\??\c:\5rlllff.exec:\5rlllff.exe38⤵
- Executes dropped EXE
PID:2916 -
\??\c:\5bbtnn.exec:\5bbtnn.exe39⤵
- Executes dropped EXE
PID:1584 -
\??\c:\ntnnht.exec:\ntnnht.exe40⤵
- Executes dropped EXE
PID:3596 -
\??\c:\ddjjp.exec:\ddjjp.exe41⤵
- Executes dropped EXE
PID:1760 -
\??\c:\xlrlffx.exec:\xlrlffx.exe42⤵
- Executes dropped EXE
PID:4956 -
\??\c:\btnbnn.exec:\btnbnn.exe43⤵
- Executes dropped EXE
PID:1468 -
\??\c:\ttbbbb.exec:\ttbbbb.exe44⤵
- Executes dropped EXE
PID:4580 -
\??\c:\3pppj.exec:\3pppj.exe45⤵
- Executes dropped EXE
PID:532 -
\??\c:\5lfrllf.exec:\5lfrllf.exe46⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rrrllfx.exec:\rrrllfx.exe47⤵
- Executes dropped EXE
PID:4208 -
\??\c:\bbbbtt.exec:\bbbbtt.exe48⤵
- Executes dropped EXE
PID:364 -
\??\c:\bbnnhn.exec:\bbnnhn.exe49⤵
- Executes dropped EXE
PID:3816 -
\??\c:\1djdv.exec:\1djdv.exe50⤵
- Executes dropped EXE
PID:2820 -
\??\c:\9xrlffl.exec:\9xrlffl.exe51⤵
- Executes dropped EXE
PID:3964 -
\??\c:\5btbtt.exec:\5btbtt.exe52⤵
- Executes dropped EXE
PID:2996 -
\??\c:\nhnhbn.exec:\nhnhbn.exe53⤵
- Executes dropped EXE
PID:4328 -
\??\c:\djjjd.exec:\djjjd.exe54⤵
- Executes dropped EXE
PID:3100 -
\??\c:\jvpjd.exec:\jvpjd.exe55⤵
- Executes dropped EXE
PID:4468 -
\??\c:\xflxrrf.exec:\xflxrrf.exe56⤵
- Executes dropped EXE
PID:444 -
\??\c:\9hbbnn.exec:\9hbbnn.exe57⤵
- Executes dropped EXE
PID:1476 -
\??\c:\nhnhbb.exec:\nhnhbb.exe58⤵
- Executes dropped EXE
PID:3536 -
\??\c:\jpvvd.exec:\jpvvd.exe59⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe60⤵
- Executes dropped EXE
PID:2284 -
\??\c:\ffllxxl.exec:\ffllxxl.exe61⤵
- Executes dropped EXE
PID:2412 -
\??\c:\3bhbhh.exec:\3bhbhh.exe62⤵PID:2812
-
\??\c:\vdvdd.exec:\vdvdd.exe63⤵
- Executes dropped EXE
PID:2220 -
\??\c:\xrxxxlf.exec:\xrxxxlf.exe64⤵
- Executes dropped EXE
PID:3204 -
\??\c:\fxrrlll.exec:\fxrrlll.exe65⤵
- Executes dropped EXE
PID:1052 -
\??\c:\tntttt.exec:\tntttt.exe66⤵
- Executes dropped EXE
PID:1676 -
\??\c:\1dddv.exec:\1dddv.exe67⤵PID:3004
-
\??\c:\5vjvp.exec:\5vjvp.exe68⤵PID:5044
-
\??\c:\flffxxl.exec:\flffxxl.exe69⤵PID:1400
-
\??\c:\hnhhtt.exec:\hnhhtt.exe70⤵PID:372
-
\??\c:\hbhbnn.exec:\hbhbnn.exe71⤵PID:4884
-
\??\c:\vvvvp.exec:\vvvvp.exe72⤵PID:4332
-
\??\c:\xfllrrx.exec:\xfllrrx.exe73⤵PID:632
-
\??\c:\bhhbtt.exec:\bhhbtt.exe74⤵PID:4016
-
\??\c:\vvvdd.exec:\vvvdd.exe75⤵PID:3524
-
\??\c:\vddvp.exec:\vddvp.exe76⤵PID:1588
-
\??\c:\5fffxfx.exec:\5fffxfx.exe77⤵PID:4712
-
\??\c:\bnnttt.exec:\bnnttt.exe78⤵PID:3340
-
\??\c:\jdvpd.exec:\jdvpd.exe79⤵PID:1220
-
\??\c:\lfxxfff.exec:\lfxxfff.exe80⤵PID:4448
-
\??\c:\nhnnbb.exec:\nhnnbb.exe81⤵PID:3000
-
\??\c:\vjpdp.exec:\vjpdp.exe82⤵PID:5036
-
\??\c:\fffxxxr.exec:\fffxxxr.exe83⤵PID:1232
-
\??\c:\hnttbt.exec:\hnttbt.exe84⤵PID:4560
-
\??\c:\ddppp.exec:\ddppp.exe85⤵PID:2436
-
\??\c:\dddpp.exec:\dddpp.exe86⤵PID:5016
-
\??\c:\frfxrlf.exec:\frfxrlf.exe87⤵PID:1416
-
\??\c:\tbhbhb.exec:\tbhbhb.exe88⤵PID:1708
-
\??\c:\5hbbtb.exec:\5hbbtb.exe89⤵PID:856
-
\??\c:\ppjvj.exec:\ppjvj.exe90⤵PID:2004
-
\??\c:\rrffxxr.exec:\rrffxxr.exe91⤵PID:4528
-
\??\c:\bntnhh.exec:\bntnhh.exe92⤵PID:4524
-
\??\c:\ppvvd.exec:\ppvvd.exe93⤵PID:432
-
\??\c:\ppvpp.exec:\ppvpp.exe94⤵PID:3768
-
\??\c:\lrlfllr.exec:\lrlfllr.exe95⤵PID:1584
-
\??\c:\nhnnhh.exec:\nhnnhh.exe96⤵PID:3384
-
\??\c:\jjjjj.exec:\jjjjj.exe97⤵PID:1760
-
\??\c:\5rrllll.exec:\5rrllll.exe98⤵PID:4240
-
\??\c:\ppvvp.exec:\ppvvp.exe99⤵PID:1652
-
\??\c:\vdppj.exec:\vdppj.exe100⤵PID:3180
-
\??\c:\rrrlfff.exec:\rrrlfff.exe101⤵PID:4128
-
\??\c:\tbbttb.exec:\tbbttb.exe102⤵PID:4444
-
\??\c:\vdjvv.exec:\vdjvv.exe103⤵PID:3744
-
\??\c:\rlrfrlf.exec:\rlrfrlf.exe104⤵PID:1484
-
\??\c:\ffxxffx.exec:\ffxxffx.exe105⤵PID:1728
-
\??\c:\1bbhbh.exec:\1bbhbh.exe106⤵PID:3876
-
\??\c:\dpddd.exec:\dpddd.exe107⤵PID:1280
-
\??\c:\9rxxrrr.exec:\9rxxrrr.exe108⤵PID:3100
-
\??\c:\3bnnhh.exec:\3bnnhh.exe109⤵PID:3388
-
\??\c:\vvjdp.exec:\vvjdp.exe110⤵PID:2384
-
\??\c:\lrfffff.exec:\lrfffff.exe111⤵PID:1548
-
\??\c:\bbbbtn.exec:\bbbbtn.exe112⤵PID:2360
-
\??\c:\xfxxxfx.exec:\xfxxxfx.exe113⤵PID:3516
-
\??\c:\ddddd.exec:\ddddd.exe114⤵PID:3828
-
\??\c:\3rxfxlf.exec:\3rxfxlf.exe115⤵PID:2116
-
\??\c:\xrrrlll.exec:\xrrrlll.exe116⤵PID:3008
-
\??\c:\vpvpv.exec:\vpvpv.exe117⤵PID:4260
-
\??\c:\lxfrlrr.exec:\lxfrlrr.exe118⤵PID:2812
-
\??\c:\tttttt.exec:\tttttt.exe119⤵PID:4108
-
\??\c:\frxrrrr.exec:\frxrrrr.exe120⤵PID:3204
-
\??\c:\tbbtnn.exec:\tbbtnn.exe121⤵PID:4892
-
\??\c:\pjjpj.exec:\pjjpj.exe122⤵PID:4488