Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 13:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe
-
Size
454KB
-
MD5
3e4a6ff5aa3bc6d80d6b0bcd852c22cf
-
SHA1
cd9ab18cf7e2680e15c1632b0be7e9a11e916476
-
SHA256
a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8
-
SHA512
cef8a338d35b18b72c8121a80d6f58edc01939ccb89e8e5ee80541a9cbc660c64a43aebe9600007d9a3851c523a69d8391a08e66355f8e56824b26a3d48f169d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3504-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1784-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4660-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-837-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-971-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-1640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4240 jvvpj.exe 2432 lrrrllf.exe 4252 7hnbth.exe 3996 1bhhnn.exe 1008 bbhbhh.exe 1500 rlrrrrx.exe 972 htbtnh.exe 4924 rlflflf.exe 4212 btthbh.exe 720 fffxffl.exe 1068 jdpjd.exe 3056 flrlfrl.exe 4992 xlrrllf.exe 3848 bthhtt.exe 2248 vpppj.exe 2236 hbtnnh.exe 3828 jpvpj.exe 4752 tbhbbt.exe 1964 btbntt.exe 1752 pvdvv.exe 4220 xxfrllf.exe 4812 fxxxrxr.exe 736 1hhnhh.exe 3076 jjdpj.exe 2616 xlxrlfx.exe 2940 5hbbtt.exe 1784 jpvpj.exe 4476 frlfrrr.exe 3612 hntnhh.exe 4376 ntbtnh.exe 3332 djpjv.exe 1984 lxfxrrf.exe 2128 frffxxr.exe 5088 nbtnhh.exe 2612 3nhtnn.exe 4496 pdjjd.exe 1284 fxxxrrl.exe 1628 1xfxllf.exe 5076 hbbtnn.exe 1760 jddvv.exe 220 dvvpj.exe 3136 rxlfrrf.exe 2040 lfxfrfl.exe 1996 htntbh.exe 1432 9jvvv.exe 1684 dvjdj.exe 2816 lffxrlr.exe 1228 nbhhbb.exe 3968 jvvpj.exe 2476 ffrlllf.exe 3632 thnhbb.exe 5028 pjpjd.exe 2848 nbnbbt.exe 4392 bntnnn.exe 2724 dvvvp.exe 456 fxlxlxl.exe 2436 1dppj.exe 3168 3xfxflr.exe 956 nhttbb.exe 980 nnhbbb.exe 3124 3djdv.exe 3524 lfffxxr.exe 2876 htnhbb.exe 972 pdjdd.exe -
resource yara_rule behavioral2/memory/3504-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-222-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5076-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/716-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-999-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-1444-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3504 wrote to memory of 4240 3504 a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe 82 PID 3504 wrote to memory of 4240 3504 a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe 82 PID 3504 wrote to memory of 4240 3504 a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe 82 PID 4240 wrote to memory of 2432 4240 jvvpj.exe 83 PID 4240 wrote to memory of 2432 4240 jvvpj.exe 83 PID 4240 wrote to memory of 2432 4240 jvvpj.exe 83 PID 2432 wrote to memory of 4252 2432 lrrrllf.exe 84 PID 2432 wrote to memory of 4252 2432 lrrrllf.exe 84 PID 2432 wrote to memory of 4252 2432 lrrrllf.exe 84 PID 4252 wrote to memory of 3996 4252 7hnbth.exe 85 PID 4252 wrote to memory of 3996 4252 7hnbth.exe 85 PID 4252 wrote to memory of 3996 4252 7hnbth.exe 85 PID 3996 wrote to memory of 1008 3996 1bhhnn.exe 86 PID 3996 wrote to memory of 1008 3996 1bhhnn.exe 86 PID 3996 wrote to memory of 1008 3996 1bhhnn.exe 86 PID 1008 wrote to memory of 1500 1008 bbhbhh.exe 87 PID 1008 wrote to memory of 1500 1008 bbhbhh.exe 87 PID 1008 wrote to memory of 1500 1008 bbhbhh.exe 87 PID 1500 wrote to memory of 972 1500 rlrrrrx.exe 88 PID 1500 wrote to memory of 972 1500 rlrrrrx.exe 88 PID 1500 wrote to memory of 972 1500 rlrrrrx.exe 88 PID 972 wrote to memory of 4924 972 htbtnh.exe 89 PID 972 wrote to memory of 4924 972 htbtnh.exe 89 PID 972 wrote to memory of 4924 972 htbtnh.exe 89 PID 4924 wrote to memory of 4212 4924 rlflflf.exe 90 PID 4924 wrote to memory of 4212 4924 rlflflf.exe 90 PID 4924 wrote to memory of 4212 4924 rlflflf.exe 90 PID 4212 wrote to memory of 720 4212 btthbh.exe 91 PID 4212 wrote to memory of 720 4212 btthbh.exe 91 PID 4212 wrote to memory of 720 4212 btthbh.exe 91 PID 720 wrote to memory of 1068 720 fffxffl.exe 92 PID 720 wrote to memory of 1068 720 fffxffl.exe 92 PID 720 wrote to memory of 1068 720 fffxffl.exe 92 PID 1068 wrote to memory of 3056 1068 jdpjd.exe 93 PID 1068 wrote to memory of 
3056 1068 jdpjd.exe 93 PID 1068 wrote to memory of 3056 1068 jdpjd.exe 93 PID 3056 wrote to memory of 4992 3056 flrlfrl.exe 94 PID 3056 wrote to memory of 4992 3056 flrlfrl.exe 94 PID 3056 wrote to memory of 4992 3056 flrlfrl.exe 94 PID 4992 wrote to memory of 3848 4992 xlrrllf.exe 95 PID 4992 wrote to memory of 3848 4992 xlrrllf.exe 95 PID 4992 wrote to memory of 3848 4992 xlrrllf.exe 95 PID 3848 wrote to memory of 2248 3848 bthhtt.exe 96 PID 3848 wrote to memory of 2248 3848 bthhtt.exe 96 PID 3848 wrote to memory of 2248 3848 bthhtt.exe 96 PID 2248 wrote to memory of 2236 2248 vpppj.exe 97 PID 2248 wrote to memory of 2236 2248 vpppj.exe 97 PID 2248 wrote to memory of 2236 2248 vpppj.exe 97 PID 2236 wrote to memory of 3828 2236 hbtnnh.exe 98 PID 2236 wrote to memory of 3828 2236 hbtnnh.exe 98 PID 2236 wrote to memory of 3828 2236 hbtnnh.exe 98 PID 3828 wrote to memory of 4752 3828 jpvpj.exe 99 PID 3828 wrote to memory of 4752 3828 jpvpj.exe 99 PID 3828 wrote to memory of 4752 3828 jpvpj.exe 99 PID 4752 wrote to memory of 1964 4752 tbhbbt.exe 100 PID 4752 wrote to memory of 1964 4752 tbhbbt.exe 100 PID 4752 wrote to memory of 1964 4752 tbhbbt.exe 100 PID 1964 wrote to memory of 1752 1964 btbntt.exe 101 PID 1964 wrote to memory of 1752 1964 btbntt.exe 101 PID 1964 wrote to memory of 1752 1964 btbntt.exe 101 PID 1752 wrote to memory of 4220 1752 pvdvv.exe 102 PID 1752 wrote to memory of 4220 1752 pvdvv.exe 102 PID 1752 wrote to memory of 4220 1752 pvdvv.exe 102 PID 4220 wrote to memory of 4812 4220 xxfrllf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe"C:\Users\Admin\AppData\Local\Temp\a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\jvvpj.exec:\jvvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\lrrrllf.exec:\lrrrllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\7hnbth.exec:\7hnbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\1bhhnn.exec:\1bhhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\bbhbhh.exec:\bbhbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\rlrrrrx.exec:\rlrrrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\htbtnh.exec:\htbtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\rlflflf.exec:\rlflflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\btthbh.exec:\btthbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\fffxffl.exec:\fffxffl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\jdpjd.exec:\jdpjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\flrlfrl.exec:\flrlfrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\xlrrllf.exec:\xlrrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\bthhtt.exec:\bthhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\vpppj.exec:\vpppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\hbtnnh.exec:\hbtnnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\jpvpj.exec:\jpvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\tbhbbt.exec:\tbhbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\btbntt.exec:\btbntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\pvdvv.exec:\pvdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\xxfrllf.exec:\xxfrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe23⤵
- Executes dropped EXE
PID:4812 -
\??\c:\1hhnhh.exec:\1hhnhh.exe24⤵
- Executes dropped EXE
PID:736 -
\??\c:\jjdpj.exec:\jjdpj.exe25⤵
- Executes dropped EXE
PID:3076 -
\??\c:\xlxrlfx.exec:\xlxrlfx.exe26⤵
- Executes dropped EXE
PID:2616 -
\??\c:\5hbbtt.exec:\5hbbtt.exe27⤵
- Executes dropped EXE
PID:2940 -
\??\c:\jpvpj.exec:\jpvpj.exe28⤵
- Executes dropped EXE
PID:1784 -
\??\c:\frlfrrr.exec:\frlfrrr.exe29⤵
- Executes dropped EXE
PID:4476 -
\??\c:\hntnhh.exec:\hntnhh.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612 -
\??\c:\ntbtnh.exec:\ntbtnh.exe31⤵
- Executes dropped EXE
PID:4376 -
\??\c:\djpjv.exec:\djpjv.exe32⤵
- Executes dropped EXE
PID:3332 -
\??\c:\lxfxrrf.exec:\lxfxrrf.exe33⤵
- Executes dropped EXE
PID:1984 -
\??\c:\frffxxr.exec:\frffxxr.exe34⤵
- Executes dropped EXE
PID:2128 -
\??\c:\nbtnhh.exec:\nbtnhh.exe35⤵
- Executes dropped EXE
PID:5088 -
\??\c:\3nhtnn.exec:\3nhtnn.exe36⤵
- Executes dropped EXE
PID:2612 -
\??\c:\pdjjd.exec:\pdjjd.exe37⤵
- Executes dropped EXE
PID:4496 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe38⤵
- Executes dropped EXE
PID:1284 -
\??\c:\1xfxllf.exec:\1xfxllf.exe39⤵
- Executes dropped EXE
PID:1628 -
\??\c:\hbbtnn.exec:\hbbtnn.exe40⤵
- Executes dropped EXE
PID:5076 -
\??\c:\jddvv.exec:\jddvv.exe41⤵
- Executes dropped EXE
PID:1760 -
\??\c:\dvvpj.exec:\dvvpj.exe42⤵
- Executes dropped EXE
PID:220 -
\??\c:\rxlfrrf.exec:\rxlfrrf.exe43⤵
- Executes dropped EXE
PID:3136 -
\??\c:\lfxfrfl.exec:\lfxfrfl.exe44⤵
- Executes dropped EXE
PID:2040 -
\??\c:\htntbh.exec:\htntbh.exe45⤵
- Executes dropped EXE
PID:1996 -
\??\c:\9jvvv.exec:\9jvvv.exe46⤵
- Executes dropped EXE
PID:1432 -
\??\c:\dvjdj.exec:\dvjdj.exe47⤵
- Executes dropped EXE
PID:1684 -
\??\c:\lffxrlr.exec:\lffxrlr.exe48⤵
- Executes dropped EXE
PID:2816 -
\??\c:\nbhhbb.exec:\nbhhbb.exe49⤵
- Executes dropped EXE
PID:1228 -
\??\c:\jvvpj.exec:\jvvpj.exe50⤵
- Executes dropped EXE
PID:3968 -
\??\c:\ffrlllf.exec:\ffrlllf.exe51⤵
- Executes dropped EXE
PID:2476 -
\??\c:\thnhbb.exec:\thnhbb.exe52⤵
- Executes dropped EXE
PID:3632 -
\??\c:\pjpjd.exec:\pjpjd.exe53⤵
- Executes dropped EXE
PID:5028 -
\??\c:\nbnbbt.exec:\nbnbbt.exe54⤵
- Executes dropped EXE
PID:2848 -
\??\c:\bntnnn.exec:\bntnnn.exe55⤵
- Executes dropped EXE
PID:4392 -
\??\c:\dvvvp.exec:\dvvvp.exe56⤵
- Executes dropped EXE
PID:2724 -
\??\c:\fxlxlxl.exec:\fxlxlxl.exe57⤵
- Executes dropped EXE
PID:456 -
\??\c:\1dppj.exec:\1dppj.exe58⤵
- Executes dropped EXE
PID:2436 -
\??\c:\3xfxflr.exec:\3xfxflr.exe59⤵
- Executes dropped EXE
PID:3168 -
\??\c:\nhttbb.exec:\nhttbb.exe60⤵
- Executes dropped EXE
PID:956 -
\??\c:\nnhbbb.exec:\nnhbbb.exe61⤵
- Executes dropped EXE
PID:980 -
\??\c:\3djdv.exec:\3djdv.exe62⤵
- Executes dropped EXE
PID:3124 -
\??\c:\lfffxxr.exec:\lfffxxr.exe63⤵
- Executes dropped EXE
PID:3524 -
\??\c:\htnhbb.exec:\htnhbb.exe64⤵
- Executes dropped EXE
PID:2876 -
\??\c:\pdjdd.exec:\pdjdd.exe65⤵
- Executes dropped EXE
PID:972 -
\??\c:\5llxllf.exec:\5llxllf.exe66⤵PID:628
-
\??\c:\bbntbb.exec:\bbntbb.exe67⤵PID:468
-
\??\c:\bnnhbh.exec:\bnnhbh.exe68⤵PID:4932
-
\??\c:\pjdpv.exec:\pjdpv.exe69⤵PID:3588
-
\??\c:\lfxrxxr.exec:\lfxrxxr.exe70⤵PID:4448
-
\??\c:\tnnhtn.exec:\tnnhtn.exe71⤵PID:1192
-
\??\c:\9jpjp.exec:\9jpjp.exe72⤵PID:4660
-
\??\c:\lxlfrlf.exec:\lxlfrlf.exe73⤵PID:1480
-
\??\c:\9thhtn.exec:\9thhtn.exe74⤵PID:1260
-
\??\c:\djvpv.exec:\djvpv.exe75⤵PID:3848
-
\??\c:\frlfrlx.exec:\frlfrlx.exe76⤵PID:5040
-
\??\c:\httnhh.exec:\httnhh.exe77⤵PID:1792
-
\??\c:\pvvpj.exec:\pvvpj.exe78⤵PID:3540
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe79⤵PID:768
-
\??\c:\bnntnh.exec:\bnntnh.exe80⤵PID:4480
-
\??\c:\hntnhb.exec:\hntnhb.exe81⤵PID:4816
-
\??\c:\jddpp.exec:\jddpp.exe82⤵PID:2028
-
\??\c:\xllfxxr.exec:\xllfxxr.exe83⤵PID:1944
-
\??\c:\frxrlfx.exec:\frxrlfx.exe84⤵PID:4208
-
\??\c:\hbbbtt.exec:\hbbbtt.exe85⤵PID:3476
-
\??\c:\tnnnhh.exec:\tnnnhh.exe86⤵PID:1680
-
\??\c:\5jpjj.exec:\5jpjj.exe87⤵PID:1916
-
\??\c:\rllxllx.exec:\rllxllx.exe88⤵PID:4408
-
\??\c:\nthbnh.exec:\nthbnh.exe89⤵PID:716
-
\??\c:\djjdp.exec:\djjdp.exe90⤵PID:4736
-
\??\c:\lxxlxxx.exec:\lxxlxxx.exe91⤵PID:3928
-
\??\c:\bnthbt.exec:\bnthbt.exe92⤵PID:4320
-
\??\c:\ntbbbt.exec:\ntbbbt.exe93⤵PID:1420
-
\??\c:\pvdvp.exec:\pvdvp.exe94⤵PID:2744
-
\??\c:\lxfxrxr.exec:\lxfxrxr.exe95⤵PID:3500
-
\??\c:\hntnnh.exec:\hntnnh.exe96⤵PID:2336
-
\??\c:\bnhhbb.exec:\bnhhbb.exe97⤵PID:3400
-
\??\c:\7djdj.exec:\7djdj.exe98⤵PID:3080
-
\??\c:\llrlfxf.exec:\llrlfxf.exe99⤵PID:2804
-
\??\c:\xxfxrlf.exec:\xxfxrlf.exe100⤵PID:2612
-
\??\c:\httbbt.exec:\httbbt.exe101⤵PID:2448
-
\??\c:\vvdjd.exec:\vvdjd.exe102⤵PID:1284
-
\??\c:\lxfrfrf.exec:\lxfrfrf.exe103⤵PID:2332
-
\??\c:\3ntnnt.exec:\3ntnnt.exe104⤵PID:3980
-
\??\c:\vppjd.exec:\vppjd.exe105⤵PID:3544
-
\??\c:\dvjdd.exec:\dvjdd.exe106⤵PID:460
-
\??\c:\lrxrffx.exec:\lrxrffx.exe107⤵PID:4492
-
\??\c:\btbbbb.exec:\btbbbb.exe108⤵PID:2788
-
\??\c:\djjjd.exec:\djjjd.exe109⤵PID:4112
-
\??\c:\vjjvj.exec:\vjjvj.exe110⤵PID:1592
-
\??\c:\rlxxxrl.exec:\rlxxxrl.exe111⤵PID:676
-
\??\c:\9vddj.exec:\9vddj.exe112⤵PID:4188
-
\??\c:\rrlxlfx.exec:\rrlxlfx.exe113⤵PID:3140
-
\??\c:\xlrrlll.exec:\xlrrlll.exe114⤵PID:4940
-
\??\c:\htbtnn.exec:\htbtnn.exe115⤵PID:2144
-
\??\c:\pjdvp.exec:\pjdvp.exe116⤵PID:4164
-
\??\c:\lxlxfxl.exec:\lxlxfxl.exe117⤵PID:4232
-
\??\c:\rflfffx.exec:\rflfffx.exe118⤵PID:2928
-
\??\c:\hhhbtb.exec:\hhhbtb.exe119⤵PID:1948
-
\??\c:\dpjvv.exec:\dpjvv.exe120⤵PID:1524
-
\??\c:\frlxlfr.exec:\frlxlfr.exe121⤵PID:1236
-
\??\c:\hthhbb.exec:\hthhbb.exe122⤵PID:4280