Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 05:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a217160b8daff8c1cc5b04ed9a915c516b4fed853535a86162c88d105738b177.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a217160b8daff8c1cc5b04ed9a915c516b4fed853535a86162c88d105738b177.exe
-
Size
453KB
-
MD5
cb390e21885a25dc8d43d7e42848491f
-
SHA1
170dd046d2fade01929acab663c59f03b09683c5
-
SHA256
a217160b8daff8c1cc5b04ed9a915c516b4fed853535a86162c88d105738b177
-
SHA512
4d6835f61e6eb5d08a4bee62e588949f1905233994e3ce82e9beb4fc465790cb3f144b6d0f16d6ea088dc0c598374629fafd17035c0134ed2f17dfb10eb12551
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4552-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1528-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2796-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-1133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-1418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-1554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2332 tbbtnn.exe 1752 lflfxfl.exe 3148 7pjvp.exe 1052 lffxxrx.exe 4736 xrfxxxx.exe 3788 1vvpd.exe 1740 ffflflf.exe 3136 jjppp.exe 2216 jvdvp.exe 1000 thhnht.exe 2648 5tbttt.exe 2116 nthbhb.exe 552 1xxrrrl.exe 1924 djpjd.exe 3928 7djdv.exe 4652 rfrrxrl.exe 1364 pdpjj.exe 2744 bnhnbb.exe 3612 jdddd.exe 3016 1xxxllf.exe 2976 3hbbtn.exe 848 ntnnnn.exe 1420 jdjdd.exe 2532 frxxrfx.exe 4016 lrrlxxr.exe 1820 nhtntt.exe 2948 jjppd.exe 2684 pjjdv.exe 1536 rffxrrx.exe 3120 5llfffr.exe 232 nhtntn.exe 2940 pjjdv.exe 4224 pjjdp.exe 5068 9rxrxxl.exe 1156 7xlxlff.exe 1060 hbbthb.exe 2804 vvpjd.exe 368 rrrfxrf.exe 4564 rlrlxrl.exe 3152 thtnhb.exe 2412 nbnbnh.exe 3128 vppdv.exe 4640 xrxxfxf.exe 1180 lffxxrl.exe 944 ththhh.exe 4796 ddjjp.exe 4176 vdjdp.exe 5020 rffrlfr.exe 736 htbbtn.exe 3932 btbtnh.exe 2500 7pvpj.exe 2336 1xffxfx.exe 1528 lxlxrrr.exe 3480 htbbbb.exe 380 frflllr.exe 4172 nbhttb.exe 4344 vdjjd.exe 3164 xlrrrrl.exe 3032 tnbhbh.exe 1504 lxlffxf.exe 3700 jppjv.exe 4044 bnnhbt.exe 5064 jjpdp.exe 3552 nhhbnh.exe -
resource yara_rule behavioral2/memory/4552-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-231-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4564-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2948-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-1133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-1248-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnht.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4552 wrote to memory of 2332 4552 a217160b8daff8c1cc5b04ed9a915c516b4fed853535a86162c88d105738b177.exe 82 PID 4552 wrote to memory of 2332 4552 a217160b8daff8c1cc5b04ed9a915c516b4fed853535a86162c88d105738b177.exe 82 PID 4552 wrote to memory of 2332 4552 a217160b8daff8c1cc5b04ed9a915c516b4fed853535a86162c88d105738b177.exe 82 PID 2332 wrote to memory of 1752 2332 tbbtnn.exe 83 PID 2332 wrote to memory of 1752 2332 tbbtnn.exe 83 PID 2332 wrote to memory of 1752 2332 tbbtnn.exe 83 PID 1752 wrote to memory of 3148 1752 lflfxfl.exe 84 PID 1752 wrote to memory of 3148 1752 lflfxfl.exe 84 PID 1752 wrote to memory of 3148 1752 lflfxfl.exe 84 PID 3148 wrote to memory of 1052 3148 7pjvp.exe 85 PID 3148 wrote to memory of 1052 3148 7pjvp.exe 85 PID 3148 wrote to memory of 1052 3148 7pjvp.exe 85 PID 1052 wrote to memory of 4736 1052 lffxxrx.exe 86 PID 1052 wrote to memory of 4736 1052 lffxxrx.exe 86 PID 1052 wrote to memory of 4736 1052 lffxxrx.exe 86 PID 4736 wrote to memory of 3788 4736 xrfxxxx.exe 87 PID 4736 wrote to memory of 3788 4736 xrfxxxx.exe 87 PID 4736 wrote to memory of 3788 4736 xrfxxxx.exe 87 PID 3788 wrote to memory of 1740 3788 1vvpd.exe 88 PID 3788 wrote to memory of 1740 3788 1vvpd.exe 88 PID 3788 wrote to memory of 1740 3788 1vvpd.exe 88 PID 1740 wrote to memory of 3136 1740 ffflflf.exe 89 PID 1740 wrote to memory of 3136 1740 ffflflf.exe 89 PID 1740 wrote to memory of 3136 1740 ffflflf.exe 89 PID 3136 wrote to memory of 2216 3136 jjppp.exe 90 PID 3136 wrote to memory of 2216 3136 jjppp.exe 90 PID 3136 wrote to memory of 2216 3136 jjppp.exe 90 PID 2216 wrote to memory of 1000 2216 jvdvp.exe 91 PID 2216 wrote to memory of 1000 2216 jvdvp.exe 91 PID 2216 wrote to memory of 1000 2216 jvdvp.exe 91 PID 1000 wrote to memory of 2648 1000 thhnht.exe 92 PID 1000 wrote to memory of 2648 1000 thhnht.exe 92 PID 1000 wrote to memory of 2648 1000 thhnht.exe 92 PID 2648 wrote to memory of 2116 2648 5tbttt.exe 93 PID 2648 wrote to 
memory of 2116 2648 5tbttt.exe 93 PID 2648 wrote to memory of 2116 2648 5tbttt.exe 93 PID 2116 wrote to memory of 552 2116 nthbhb.exe 94 PID 2116 wrote to memory of 552 2116 nthbhb.exe 94 PID 2116 wrote to memory of 552 2116 nthbhb.exe 94 PID 552 wrote to memory of 1924 552 1xxrrrl.exe 95 PID 552 wrote to memory of 1924 552 1xxrrrl.exe 95 PID 552 wrote to memory of 1924 552 1xxrrrl.exe 95 PID 1924 wrote to memory of 3928 1924 djpjd.exe 96 PID 1924 wrote to memory of 3928 1924 djpjd.exe 96 PID 1924 wrote to memory of 3928 1924 djpjd.exe 96 PID 3928 wrote to memory of 4652 3928 7djdv.exe 97 PID 3928 wrote to memory of 4652 3928 7djdv.exe 97 PID 3928 wrote to memory of 4652 3928 7djdv.exe 97 PID 4652 wrote to memory of 1364 4652 rfrrxrl.exe 98 PID 4652 wrote to memory of 1364 4652 rfrrxrl.exe 98 PID 4652 wrote to memory of 1364 4652 rfrrxrl.exe 98 PID 1364 wrote to memory of 2744 1364 pdpjj.exe 99 PID 1364 wrote to memory of 2744 1364 pdpjj.exe 99 PID 1364 wrote to memory of 2744 1364 pdpjj.exe 99 PID 2744 wrote to memory of 3612 2744 bnhnbb.exe 100 PID 2744 wrote to memory of 3612 2744 bnhnbb.exe 100 PID 2744 wrote to memory of 3612 2744 bnhnbb.exe 100 PID 3612 wrote to memory of 3016 3612 jdddd.exe 101 PID 3612 wrote to memory of 3016 3612 jdddd.exe 101 PID 3612 wrote to memory of 3016 3612 jdddd.exe 101 PID 3016 wrote to memory of 2976 3016 1xxxllf.exe 102 PID 3016 wrote to memory of 2976 3016 1xxxllf.exe 102 PID 3016 wrote to memory of 2976 3016 1xxxllf.exe 102 PID 2976 wrote to memory of 848 2976 3hbbtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a217160b8daff8c1cc5b04ed9a915c516b4fed853535a86162c88d105738b177.exe"C:\Users\Admin\AppData\Local\Temp\a217160b8daff8c1cc5b04ed9a915c516b4fed853535a86162c88d105738b177.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\tbbtnn.exec:\tbbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\lflfxfl.exec:\lflfxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\7pjvp.exec:\7pjvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\lffxxrx.exec:\lffxxrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\1vvpd.exec:\1vvpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\ffflflf.exec:\ffflflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\jjppp.exec:\jjppp.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\jvdvp.exec:\jvdvp.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\thhnht.exec:\thhnht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\5tbttt.exec:\5tbttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\nthbhb.exec:\nthbhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\1xxrrrl.exec:\1xxrrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\djpjd.exec:\djpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\7djdv.exec:\7djdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\rfrrxrl.exec:\rfrrxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\pdpjj.exec:\pdpjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\bnhnbb.exec:\bnhnbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\jdddd.exec:\jdddd.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\1xxxllf.exec:\1xxxllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\3hbbtn.exec:\3hbbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\ntnnnn.exec:\ntnnnn.exe23⤵
- Executes dropped EXE
PID:848 -
\??\c:\jdjdd.exec:\jdjdd.exe24⤵
- Executes dropped EXE
PID:1420 -
\??\c:\frxxrfx.exec:\frxxrfx.exe25⤵
- Executes dropped EXE
PID:2532 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe26⤵
- Executes dropped EXE
PID:4016 -
\??\c:\nhtntt.exec:\nhtntt.exe27⤵
- Executes dropped EXE
PID:1820 -
\??\c:\jjppd.exec:\jjppd.exe28⤵
- Executes dropped EXE
PID:2948 -
\??\c:\pjjdv.exec:\pjjdv.exe29⤵
- Executes dropped EXE
PID:2684 -
\??\c:\rffxrrx.exec:\rffxrrx.exe30⤵
- Executes dropped EXE
PID:1536 -
\??\c:\5llfffr.exec:\5llfffr.exe31⤵
- Executes dropped EXE
PID:3120 -
\??\c:\nhtntn.exec:\nhtntn.exe32⤵
- Executes dropped EXE
PID:232 -
\??\c:\pjjdv.exec:\pjjdv.exe33⤵
- Executes dropped EXE
PID:2940 -
\??\c:\pjjdp.exec:\pjjdp.exe34⤵
- Executes dropped EXE
PID:4224 -
\??\c:\9rxrxxl.exec:\9rxrxxl.exe35⤵
- Executes dropped EXE
PID:5068 -
\??\c:\7xlxlff.exec:\7xlxlff.exe36⤵
- Executes dropped EXE
PID:1156 -
\??\c:\hbbthb.exec:\hbbthb.exe37⤵
- Executes dropped EXE
PID:1060 -
\??\c:\vvpjd.exec:\vvpjd.exe38⤵
- Executes dropped EXE
PID:2804 -
\??\c:\rrrfxrf.exec:\rrrfxrf.exe39⤵
- Executes dropped EXE
PID:368 -
\??\c:\rlrlxrl.exec:\rlrlxrl.exe40⤵
- Executes dropped EXE
PID:4564 -
\??\c:\thtnhb.exec:\thtnhb.exe41⤵
- Executes dropped EXE
PID:3152 -
\??\c:\nbnbnh.exec:\nbnbnh.exe42⤵
- Executes dropped EXE
PID:2412 -
\??\c:\vppdv.exec:\vppdv.exe43⤵
- Executes dropped EXE
PID:3128 -
\??\c:\xrxxfxf.exec:\xrxxfxf.exe44⤵
- Executes dropped EXE
PID:4640 -
\??\c:\lffxxrl.exec:\lffxxrl.exe45⤵
- Executes dropped EXE
PID:1180 -
\??\c:\ththhh.exec:\ththhh.exe46⤵
- Executes dropped EXE
PID:944 -
\??\c:\ddjjp.exec:\ddjjp.exe47⤵
- Executes dropped EXE
PID:4796 -
\??\c:\vdjdp.exec:\vdjdp.exe48⤵
- Executes dropped EXE
PID:4176 -
\??\c:\rffrlfr.exec:\rffrlfr.exe49⤵
- Executes dropped EXE
PID:5020 -
\??\c:\htbbtn.exec:\htbbtn.exe50⤵
- Executes dropped EXE
PID:736 -
\??\c:\btbtnh.exec:\btbtnh.exe51⤵
- Executes dropped EXE
PID:3932 -
\??\c:\7pvpj.exec:\7pvpj.exe52⤵
- Executes dropped EXE
PID:2500 -
\??\c:\1xffxfx.exec:\1xffxfx.exe53⤵
- Executes dropped EXE
PID:2336 -
\??\c:\lxlxrrr.exec:\lxlxrrr.exe54⤵
- Executes dropped EXE
PID:1528 -
\??\c:\htbbbb.exec:\htbbbb.exe55⤵
- Executes dropped EXE
PID:3480 -
\??\c:\frflllr.exec:\frflllr.exe56⤵
- Executes dropped EXE
PID:380 -
\??\c:\nbhttb.exec:\nbhttb.exe57⤵
- Executes dropped EXE
PID:4172 -
\??\c:\vdjjd.exec:\vdjjd.exe58⤵
- Executes dropped EXE
PID:4344 -
\??\c:\xlrrrrl.exec:\xlrrrrl.exe59⤵
- Executes dropped EXE
PID:3164 -
\??\c:\tnbhbh.exec:\tnbhbh.exe60⤵
- Executes dropped EXE
PID:3032 -
\??\c:\lxlffxf.exec:\lxlffxf.exe61⤵
- Executes dropped EXE
PID:1504 -
\??\c:\jppjv.exec:\jppjv.exe62⤵
- Executes dropped EXE
PID:3700 -
\??\c:\bnnhbt.exec:\bnnhbt.exe63⤵
- Executes dropped EXE
PID:4044 -
\??\c:\jjpdp.exec:\jjpdp.exe64⤵
- Executes dropped EXE
PID:5064 -
\??\c:\nhhbnh.exec:\nhhbnh.exe65⤵
- Executes dropped EXE
PID:3552 -
\??\c:\xffxrfx.exec:\xffxrfx.exe66⤵PID:112
-
\??\c:\9btbtt.exec:\9btbtt.exe67⤵PID:2060
-
\??\c:\9jvjp.exec:\9jvjp.exe68⤵PID:4372
-
\??\c:\7xrlfxr.exec:\7xrlfxr.exe69⤵PID:2612
-
\??\c:\httnht.exec:\httnht.exe70⤵
- System Location Discovery: System Language Discovery
PID:2988 -
\??\c:\xllfxrx.exec:\xllfxrx.exe71⤵PID:2472
-
\??\c:\lfllfff.exec:\lfllfff.exe72⤵PID:2700
-
\??\c:\nnbhhn.exec:\nnbhhn.exe73⤵PID:4788
-
\??\c:\ntbtnh.exec:\ntbtnh.exe74⤵PID:1940
-
\??\c:\vvdvp.exec:\vvdvp.exe75⤵PID:2928
-
\??\c:\lfllrrf.exec:\lfllrrf.exe76⤵PID:2796
-
\??\c:\5httnt.exec:\5httnt.exe77⤵PID:4496
-
\??\c:\jvvpj.exec:\jvvpj.exe78⤵PID:416
-
\??\c:\5flfrrl.exec:\5flfrrl.exe79⤵PID:3168
-
\??\c:\rfrllxr.exec:\rfrllxr.exe80⤵PID:3224
-
\??\c:\htnhbt.exec:\htnhbt.exe81⤵PID:2280
-
\??\c:\9ppjv.exec:\9ppjv.exe82⤵PID:2748
-
\??\c:\pdvpj.exec:\pdvpj.exe83⤵PID:1484
-
\??\c:\xrrlfll.exec:\xrrlfll.exe84⤵PID:5052
-
\??\c:\nnbntt.exec:\nnbntt.exe85⤵PID:2092
-
\??\c:\djppj.exec:\djppj.exe86⤵PID:1608
-
\??\c:\lfrlrrf.exec:\lfrlrrf.exe87⤵PID:3780
-
\??\c:\tntttt.exec:\tntttt.exe88⤵PID:3664
-
\??\c:\1nbtbb.exec:\1nbtbb.exe89⤵PID:2068
-
\??\c:\jdvvd.exec:\jdvvd.exe90⤵PID:1248
-
\??\c:\llrrlrr.exec:\llrrlrr.exe91⤵PID:2880
-
\??\c:\thnhbb.exec:\thnhbb.exe92⤵PID:2948
-
\??\c:\pdddv.exec:\pdddv.exe93⤵PID:1836
-
\??\c:\dvdvj.exec:\dvdvj.exe94⤵
- System Location Discovery: System Language Discovery
PID:4744 -
\??\c:\xxffxxx.exec:\xxffxxx.exe95⤵PID:396
-
\??\c:\ttttnh.exec:\ttttnh.exe96⤵PID:2864
-
\??\c:\9pjvj.exec:\9pjvj.exe97⤵PID:3572
-
\??\c:\xxfxrrx.exec:\xxfxrrx.exe98⤵PID:1200
-
\??\c:\tntttt.exec:\tntttt.exe99⤵PID:4656
-
\??\c:\jjvpp.exec:\jjvpp.exe100⤵PID:1256
-
\??\c:\1xrrrxx.exec:\1xrrrxx.exe101⤵PID:4588
-
\??\c:\tnttnt.exec:\tnttnt.exe102⤵PID:4564
-
\??\c:\bnnhbt.exec:\bnnhbt.exe103⤵PID:2064
-
\??\c:\dddvp.exec:\dddvp.exe104⤵PID:4024
-
\??\c:\7pvpj.exec:\7pvpj.exe105⤵PID:1328
-
\??\c:\9flfrrl.exec:\9flfrrl.exe106⤵PID:4784
-
\??\c:\9nbtnn.exec:\9nbtnn.exe107⤵PID:888
-
\??\c:\5jjdp.exec:\5jjdp.exe108⤵PID:944
-
\??\c:\lxlfxrl.exec:\lxlfxrl.exe109⤵PID:1860
-
\??\c:\fxfxrxx.exec:\fxfxrxx.exe110⤵PID:2444
-
\??\c:\tnbbtt.exec:\tnbbtt.exe111⤵PID:3084
-
\??\c:\dpddj.exec:\dpddj.exe112⤵PID:2556
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe113⤵PID:4324
-
\??\c:\3tbtnn.exec:\3tbtnn.exe114⤵PID:1340
-
\??\c:\5hnhnt.exec:\5hnhnt.exe115⤵PID:4380
-
\??\c:\vjppd.exec:\vjppd.exe116⤵PID:1208
-
\??\c:\3xfxrrf.exec:\3xfxrrf.exe117⤵PID:4776
-
\??\c:\llfxxrr.exec:\llfxxrr.exe118⤵PID:3536
-
\??\c:\bthhtt.exec:\bthhtt.exe119⤵PID:4288
-
\??\c:\djppj.exec:\djppj.exe120⤵PID:4560
-
\??\c:\5lrlxrr.exec:\5lrlxrr.exe121⤵PID:1972
-
\??\c:\xlrlfff.exec:\xlrlfff.exe122⤵PID:1224