Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a289940191a2e646c7463e1a9ccea564677fab7e0b3ec44d102984baeed0a357.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
a289940191a2e646c7463e1a9ccea564677fab7e0b3ec44d102984baeed0a357.exe
-
Size
453KB
-
MD5
b6069f55293d90d8180456273010b670
-
SHA1
c6d4b9564ad3268bad75abcd8107e0c26e533cdf
-
SHA256
a289940191a2e646c7463e1a9ccea564677fab7e0b3ec44d102984baeed0a357
-
SHA512
7efc6d8cfbd4e49b78e3e74e1188be415a0e2cce1a189b355ea11d06970c6353feb3b5e64632125c8338b418afd0b40a3b0727c1cf0f95e8925eb297305da64e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4080-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3088-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/956-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-1063-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-1110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-1263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2260-1552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 716 pjjdd.exe 3092 bttnhh.exe 2772 httnhh.exe 2208 vjpjj.exe 1264 lffxllf.exe 4816 btnnhh.exe 3528 dddvp.exe 5088 pjjdv.exe 3628 frlfffx.exe 2816 hbnnnt.exe 2932 pjjjv.exe 4172 7djdd.exe 1748 bbttnn.exe 640 pjjdv.exe 1556 djpjj.exe 1492 7xxlrrr.exe 1928 hbhhbn.exe 3104 9jpdj.exe 2008 jpvpd.exe 956 xlxxxxf.exe 816 xrrlflf.exe 64 nhhbnt.exe 4128 jpvpp.exe 2028 ffxxrrr.exe 1584 tbbbtt.exe 1244 5dvpd.exe 3084 xxxxxxx.exe 1972 djpjj.exe 464 jjvpj.exe 3936 fxfxffr.exe 2312 tnthnt.exe 5040 7pvpj.exe 4496 lflfxxr.exe 5008 nhhbbt.exe 3392 nhhbbb.exe 1800 vvddd.exe 3472 xxffxfx.exe 3032 bnthbt.exe 3208 pjddv.exe 4796 lllfxxr.exe 3064 9tnbbb.exe 4856 btthbh.exe 1508 jvvvv.exe 2964 9xxfxxl.exe 4484 fxxxrxr.exe 1948 btttnn.exe 2792 vvpjj.exe 4644 dvvvd.exe 232 lfrlrfl.exe 4000 ttnnhh.exe 2324 vvddp.exe 5036 jdddp.exe 3964 ffflfrr.exe 3440 7ffxrff.exe 5088 hbnnbt.exe 2488 jdjdd.exe 3756 jjdvj.exe 3300 xxxrrrx.exe 2576 1ffxrrl.exe 3088 ntbtnn.exe 2220 1ddpp.exe 5100 7flfxxr.exe 1748 fxlfflr.exe 2080 nhnnhn.exe -
resource yara_rule behavioral2/memory/4080-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-284-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3088-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/628-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-645-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4080 wrote to memory of 716 4080 a289940191a2e646c7463e1a9ccea564677fab7e0b3ec44d102984baeed0a357.exe 82 PID 4080 wrote to memory of 716 4080 a289940191a2e646c7463e1a9ccea564677fab7e0b3ec44d102984baeed0a357.exe 82 PID 4080 wrote to memory of 716 4080 a289940191a2e646c7463e1a9ccea564677fab7e0b3ec44d102984baeed0a357.exe 82 PID 716 wrote to memory of 3092 716 pjjdd.exe 83 PID 716 wrote to memory of 3092 716 pjjdd.exe 83 PID 716 wrote to memory of 3092 716 pjjdd.exe 83 PID 3092 wrote to memory of 2772 3092 bttnhh.exe 84 PID 3092 wrote to memory of 2772 3092 bttnhh.exe 84 PID 3092 wrote to memory of 2772 3092 bttnhh.exe 84 PID 2772 wrote to memory of 2208 2772 httnhh.exe 85 PID 2772 wrote to memory of 2208 2772 httnhh.exe 85 PID 2772 wrote to memory of 2208 2772 httnhh.exe 85 PID 2208 wrote to memory of 1264 2208 vjpjj.exe 86 PID 2208 wrote to memory of 1264 2208 vjpjj.exe 86 PID 2208 wrote to memory of 1264 2208 vjpjj.exe 86 PID 1264 wrote to memory of 4816 1264 lffxllf.exe 87 PID 1264 wrote to memory of 4816 1264 lffxllf.exe 87 PID 1264 wrote to memory of 4816 1264 lffxllf.exe 87 PID 4816 wrote to memory of 3528 4816 btnnhh.exe 88 PID 4816 wrote to memory of 3528 4816 btnnhh.exe 88 PID 4816 wrote to memory of 3528 4816 btnnhh.exe 88 PID 3528 wrote to memory of 5088 3528 dddvp.exe 89 PID 3528 wrote to memory of 5088 3528 dddvp.exe 89 PID 3528 wrote to memory of 5088 3528 dddvp.exe 89 PID 5088 wrote to memory of 3628 5088 pjjdv.exe 90 PID 5088 wrote to memory of 3628 5088 pjjdv.exe 90 PID 5088 wrote to memory of 3628 5088 pjjdv.exe 90 PID 3628 wrote to memory of 2816 3628 frlfffx.exe 91 PID 3628 wrote to memory of 2816 3628 frlfffx.exe 91 PID 3628 wrote to memory of 2816 3628 frlfffx.exe 91 PID 2816 wrote to memory of 2932 2816 hbnnnt.exe 92 PID 2816 wrote to memory of 2932 2816 hbnnnt.exe 92 PID 2816 wrote to memory of 2932 2816 hbnnnt.exe 92 PID 2932 wrote to memory of 4172 2932 pjjjv.exe 93 PID 2932 wrote to memory of 4172 
2932 pjjjv.exe 93 PID 2932 wrote to memory of 4172 2932 pjjjv.exe 93 PID 4172 wrote to memory of 1748 4172 7djdd.exe 94 PID 4172 wrote to memory of 1748 4172 7djdd.exe 94 PID 4172 wrote to memory of 1748 4172 7djdd.exe 94 PID 1748 wrote to memory of 640 1748 bbttnn.exe 95 PID 1748 wrote to memory of 640 1748 bbttnn.exe 95 PID 1748 wrote to memory of 640 1748 bbttnn.exe 95 PID 640 wrote to memory of 1556 640 pjjdv.exe 96 PID 640 wrote to memory of 1556 640 pjjdv.exe 96 PID 640 wrote to memory of 1556 640 pjjdv.exe 96 PID 1556 wrote to memory of 1492 1556 djpjj.exe 97 PID 1556 wrote to memory of 1492 1556 djpjj.exe 97 PID 1556 wrote to memory of 1492 1556 djpjj.exe 97 PID 1492 wrote to memory of 1928 1492 7xxlrrr.exe 98 PID 1492 wrote to memory of 1928 1492 7xxlrrr.exe 98 PID 1492 wrote to memory of 1928 1492 7xxlrrr.exe 98 PID 1928 wrote to memory of 3104 1928 hbhhbn.exe 99 PID 1928 wrote to memory of 3104 1928 hbhhbn.exe 99 PID 1928 wrote to memory of 3104 1928 hbhhbn.exe 99 PID 3104 wrote to memory of 2008 3104 9jpdj.exe 100 PID 3104 wrote to memory of 2008 3104 9jpdj.exe 100 PID 3104 wrote to memory of 2008 3104 9jpdj.exe 100 PID 2008 wrote to memory of 956 2008 jpvpd.exe 153 PID 2008 wrote to memory of 956 2008 jpvpd.exe 153 PID 2008 wrote to memory of 956 2008 jpvpd.exe 153 PID 956 wrote to memory of 816 956 xlxxxxf.exe 102 PID 956 wrote to memory of 816 956 xlxxxxf.exe 102 PID 956 wrote to memory of 816 956 xlxxxxf.exe 102 PID 816 wrote to memory of 64 816 xrrlflf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a289940191a2e646c7463e1a9ccea564677fab7e0b3ec44d102984baeed0a357.exe"C:\Users\Admin\AppData\Local\Temp\a289940191a2e646c7463e1a9ccea564677fab7e0b3ec44d102984baeed0a357.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\pjjdd.exec:\pjjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\bttnhh.exec:\bttnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\httnhh.exec:\httnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\vjpjj.exec:\vjpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\lffxllf.exec:\lffxllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\btnnhh.exec:\btnnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\dddvp.exec:\dddvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\pjjdv.exec:\pjjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\frlfffx.exec:\frlfffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\hbnnnt.exec:\hbnnnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\pjjjv.exec:\pjjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\7djdd.exec:\7djdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\bbttnn.exec:\bbttnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\pjjdv.exec:\pjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\djpjj.exec:\djpjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\7xxlrrr.exec:\7xxlrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\hbhhbn.exec:\hbhhbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\9jpdj.exec:\9jpdj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\jpvpd.exec:\jpvpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\xlxxxxf.exec:\xlxxxxf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\xrrlflf.exec:\xrrlflf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\nhhbnt.exec:\nhhbnt.exe23⤵
- Executes dropped EXE
PID:64 -
\??\c:\jpvpp.exec:\jpvpp.exe24⤵
- Executes dropped EXE
PID:4128 -
\??\c:\ffxxrrr.exec:\ffxxrrr.exe25⤵
- Executes dropped EXE
PID:2028 -
\??\c:\tbbbtt.exec:\tbbbtt.exe26⤵
- Executes dropped EXE
PID:1584 -
\??\c:\5dvpd.exec:\5dvpd.exe27⤵
- Executes dropped EXE
PID:1244 -
\??\c:\xxxxxxx.exec:\xxxxxxx.exe28⤵
- Executes dropped EXE
PID:3084 -
\??\c:\djpjj.exec:\djpjj.exe29⤵
- Executes dropped EXE
PID:1972 -
\??\c:\jjvpj.exec:\jjvpj.exe30⤵
- Executes dropped EXE
PID:464 -
\??\c:\fxfxffr.exec:\fxfxffr.exe31⤵
- Executes dropped EXE
PID:3936 -
\??\c:\tnthnt.exec:\tnthnt.exe32⤵
- Executes dropped EXE
PID:2312 -
\??\c:\7pvpj.exec:\7pvpj.exe33⤵
- Executes dropped EXE
PID:5040 -
\??\c:\lflfxxr.exec:\lflfxxr.exe34⤵
- Executes dropped EXE
PID:4496 -
\??\c:\nhhbbt.exec:\nhhbbt.exe35⤵
- Executes dropped EXE
PID:5008 -
\??\c:\nhhbbb.exec:\nhhbbb.exe36⤵
- Executes dropped EXE
PID:3392 -
\??\c:\vvddd.exec:\vvddd.exe37⤵
- Executes dropped EXE
PID:1800 -
\??\c:\xxffxfx.exec:\xxffxfx.exe38⤵
- Executes dropped EXE
PID:3472 -
\??\c:\bnthbt.exec:\bnthbt.exe39⤵
- Executes dropped EXE
PID:3032 -
\??\c:\pjddv.exec:\pjddv.exe40⤵
- Executes dropped EXE
PID:3208 -
\??\c:\lllfxxr.exec:\lllfxxr.exe41⤵
- Executes dropped EXE
PID:4796 -
\??\c:\9tnbbb.exec:\9tnbbb.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
\??\c:\btthbh.exec:\btthbh.exe43⤵
- Executes dropped EXE
PID:4856 -
\??\c:\jvvvv.exec:\jvvvv.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508 -
\??\c:\9xxfxxl.exec:\9xxfxxl.exe45⤵
- Executes dropped EXE
PID:2964 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe46⤵
- Executes dropped EXE
PID:4484 -
\??\c:\btttnn.exec:\btttnn.exe47⤵
- Executes dropped EXE
PID:1948 -
\??\c:\vvpjj.exec:\vvpjj.exe48⤵
- Executes dropped EXE
PID:2792 -
\??\c:\dvvvd.exec:\dvvvd.exe49⤵
- Executes dropped EXE
PID:4644 -
\??\c:\lfrlrfl.exec:\lfrlrfl.exe50⤵
- Executes dropped EXE
PID:232 -
\??\c:\ttnnhh.exec:\ttnnhh.exe51⤵
- Executes dropped EXE
PID:4000 -
\??\c:\vvddp.exec:\vvddp.exe52⤵
- Executes dropped EXE
PID:2324 -
\??\c:\jdddp.exec:\jdddp.exe53⤵
- Executes dropped EXE
PID:5036 -
\??\c:\ffflfrr.exec:\ffflfrr.exe54⤵
- Executes dropped EXE
PID:3964 -
\??\c:\7ffxrff.exec:\7ffxrff.exe55⤵
- Executes dropped EXE
PID:3440 -
\??\c:\hbnnbt.exec:\hbnnbt.exe56⤵
- Executes dropped EXE
PID:5088 -
\??\c:\jdjdd.exec:\jdjdd.exe57⤵
- Executes dropped EXE
PID:2488 -
\??\c:\jjdvj.exec:\jjdvj.exe58⤵
- Executes dropped EXE
PID:3756 -
\??\c:\xxxrrrx.exec:\xxxrrrx.exe59⤵
- Executes dropped EXE
PID:3300 -
\??\c:\1ffxrrl.exec:\1ffxrrl.exe60⤵
- Executes dropped EXE
PID:2576 -
\??\c:\ntbtnn.exec:\ntbtnn.exe61⤵
- Executes dropped EXE
PID:3088 -
\??\c:\1ddpp.exec:\1ddpp.exe62⤵
- Executes dropped EXE
PID:2220 -
\??\c:\7flfxxr.exec:\7flfxxr.exe63⤵
- Executes dropped EXE
PID:5100 -
\??\c:\fxlfflr.exec:\fxlfflr.exe64⤵
- Executes dropped EXE
PID:1748 -
\??\c:\nhnnhn.exec:\nhnnhn.exe65⤵
- Executes dropped EXE
PID:2080 -
\??\c:\rrfrlrx.exec:\rrfrlrx.exe66⤵PID:1780
-
\??\c:\nbtnnn.exec:\nbtnnn.exe67⤵PID:4412
-
\??\c:\nhhhnh.exec:\nhhhnh.exe68⤵PID:1964
-
\??\c:\5jjdj.exec:\5jjdj.exe69⤵
- System Location Discovery: System Language Discovery
PID:3364 -
\??\c:\dvpvj.exec:\dvpvj.exe70⤵PID:2524
-
\??\c:\1xlfrrx.exec:\1xlfrrx.exe71⤵PID:1736
-
\??\c:\hbhhbb.exec:\hbhhbb.exe72⤵PID:3744
-
\??\c:\7vjdj.exec:\7vjdj.exe73⤵PID:956
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe74⤵PID:3656
-
\??\c:\7nbttt.exec:\7nbttt.exe75⤵PID:212
-
\??\c:\btbnhh.exec:\btbnhh.exe76⤵PID:2184
-
\??\c:\pdddv.exec:\pdddv.exe77⤵PID:1224
-
\??\c:\fxrlrxf.exec:\fxrlrxf.exe78⤵PID:532
-
\??\c:\bnhbhh.exec:\bnhbhh.exe79⤵PID:628
-
\??\c:\vpvpd.exec:\vpvpd.exe80⤵PID:1244
-
\??\c:\vvjjd.exec:\vvjjd.exe81⤵PID:3484
-
\??\c:\rxlxrxl.exec:\rxlxrxl.exe82⤵PID:544
-
\??\c:\5pdpj.exec:\5pdpj.exe83⤵PID:1828
-
\??\c:\ddjdv.exec:\ddjdv.exe84⤵PID:464
-
\??\c:\xlxrlrl.exec:\xlxrlrl.exe85⤵PID:4908
-
\??\c:\nhnntn.exec:\nhnntn.exe86⤵PID:2312
-
\??\c:\bhhhbt.exec:\bhhhbt.exe87⤵PID:3008
-
\??\c:\pdvjv.exec:\pdvjv.exe88⤵PID:2696
-
\??\c:\ntthtn.exec:\ntthtn.exe89⤵PID:3840
-
\??\c:\rrrfrrl.exec:\rrrfrrl.exe90⤵PID:2876
-
\??\c:\jvpdj.exec:\jvpdj.exe91⤵PID:4824
-
\??\c:\vjvpp.exec:\vjvpp.exe92⤵PID:4472
-
\??\c:\rrlxlfr.exec:\rrlxlfr.exe93⤵PID:1704
-
\??\c:\htnthn.exec:\htnthn.exe94⤵PID:3472
-
\??\c:\rfrrxxr.exec:\rfrrxxr.exe95⤵PID:3520
-
\??\c:\7ppdd.exec:\7ppdd.exe96⤵PID:2824
-
\??\c:\1jdvp.exec:\1jdvp.exe97⤵PID:3212
-
\??\c:\1rlxlfx.exec:\1rlxlfx.exe98⤵PID:1892
-
\??\c:\nhhbbb.exec:\nhhbbb.exe99⤵PID:908
-
\??\c:\hbbthh.exec:\hbbthh.exe100⤵PID:4364
-
\??\c:\9jvdp.exec:\9jvdp.exe101⤵PID:216
-
\??\c:\1rfxfxr.exec:\1rfxfxr.exe102⤵PID:3036
-
\??\c:\9nnbbb.exec:\9nnbbb.exe103⤵PID:1868
-
\??\c:\5ddpj.exec:\5ddpj.exe104⤵
- System Location Discovery: System Language Discovery
PID:4912 -
\??\c:\llxrlrl.exec:\llxrlrl.exe105⤵PID:716
-
\??\c:\lxfrlfx.exec:\lxfrlfx.exe106⤵PID:3048
-
\??\c:\hbbthh.exec:\hbbthh.exe107⤵PID:1120
-
\??\c:\jvvjd.exec:\jvvjd.exe108⤵PID:2208
-
\??\c:\lxfrlll.exec:\lxfrlll.exe109⤵PID:4000
-
\??\c:\xxxrrlf.exec:\xxxrrlf.exe110⤵PID:2128
-
\??\c:\ntbnht.exec:\ntbnht.exe111⤵PID:5036
-
\??\c:\5vpdp.exec:\5vpdp.exe112⤵PID:4700
-
\??\c:\lxxflfx.exec:\lxxflfx.exe113⤵PID:3440
-
\??\c:\3ntnhn.exec:\3ntnhn.exe114⤵PID:1380
-
\??\c:\bntnhb.exec:\bntnhb.exe115⤵PID:2816
-
\??\c:\fllfxff.exec:\fllfxff.exe116⤵PID:980
-
\??\c:\ffxrffx.exec:\ffxrffx.exe117⤵PID:4892
-
\??\c:\ththnn.exec:\ththnn.exe118⤵PID:4620
-
\??\c:\jjpjj.exec:\jjpjj.exe119⤵PID:1832
-
\??\c:\1vvvp.exec:\1vvvp.exe120⤵PID:3632
-
\??\c:\3xfxrrr.exec:\3xfxrrr.exe121⤵PID:1440
-
\??\c:\hbhnhh.exec:\hbhnhh.exe122⤵PID:2788