Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 19:13
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
f9e7379291507c5c5d8ce1fdf54566697fc1f4debf511928a5f0ff0a16e25136.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f9e7379291507c5c5d8ce1fdf54566697fc1f4debf511928a5f0ff0a16e25136.exe
-
Size
347KB
-
MD5
41a40469aecb754b54f5d734d4fdefaf
-
SHA1
f37e7457487d325dd306c91de657c9d14af64f27
-
SHA256
f9e7379291507c5c5d8ce1fdf54566697fc1f4debf511928a5f0ff0a16e25136
-
SHA512
edeb2ca5c6821dfda7c52c384d7f53a16c02630fde7103df5d63a4b967910a86d632b84c1224df320cb83ccf7a7025a6bd24df6c5f230ab4fc2d08e5feb3da3b
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAv:l7TcbWXZshJX2VGdv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1112-6-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2952-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2312-17-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2288-22-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3608-33-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3900-38-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3488-50-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2572-56-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3688-61-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1344-69-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2756-75-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3016-94-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4444-87-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5032-105-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5040-104-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4792-109-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4260-123-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1444-122-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4632-130-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/992-141-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4380-140-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/1728-147-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3560-163-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1252-162-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3660-171-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3264-179-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/940-192-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3716-187-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3056-186-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4616-210-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2460-217-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1732-227-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/796-234-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4816-240-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2368-243-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4316-262-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3024-266-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2000-273-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2464-286-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3596-290-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4196-297-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4060-301-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/1364-311-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1896-318-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2004-337-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1140-347-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3936-351-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/408-364-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1440-374-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/876-409-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2132-428-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2704-453-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1652-469-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1956-482-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3940-540-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1220-602-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4464-618-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/232-743-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3416-779-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4244-789-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3396-1141-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1316-1223-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3944-1329-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2952 1rrrlrr.exe 2312 pjpjv.exe 2288 jvdvp.exe 1968 ttnhhb.exe 3608 vpvjj.exe 3900 nntnbt.exe 2552 lxlfxrx.exe 3488 btnttn.exe 2572 rrfxxxx.exe 3688 bhtbhh.exe 1344 dvddd.exe 2916 lfllflf.exe 2756 ttbntn.exe 4444 1nhbbt.exe 1556 hhtbht.exe 3016 bbbthb.exe 5032 djvpj.exe 5040 lllflrf.exe 4792 pjjdv.exe 4260 xrxrlxr.exe 1444 xrlllrr.exe 4632 thtnhn.exe 4380 jpdjj.exe 992 llllfxr.exe 1728 xrrlffr.exe 5052 hbbtnn.exe 1252 tbhbbt.exe 3560 vpvjd.exe 3660 lfrlrxl.exe 3264 7bhbtb.exe 3056 tbthhn.exe 3716 rrxrxrr.exe 940 hthhbt.exe 3344 hthbtt.exe 1772 fxfxxrl.exe 2124 3bhnhh.exe 3864 jjdvv.exe 4616 lrffxfx.exe 1780 xlfxxff.exe 2460 bnbbtt.exe 936 vpvdv.exe 3828 ffxrlxr.exe 1732 nnnhbb.exe 2704 7jppd.exe 796 lfrrxxf.exe 2172 lrlrlxr.exe 4816 hhhnnn.exe 2368 pdvpj.exe 1652 xxffrlx.exe 2196 bttnhh.exe 800 jdppv.exe 1012 jpjdv.exe 2404 lxfxlrl.exe 4316 bbbtbt.exe 3024 pjjdv.exe 4624 ddjdd.exe 2000 7xfrrrl.exe 1792 nttbtn.exe 1020 pvpvd.exe 3436 xfxrfff.exe 2464 bthbhh.exe 3596 ntbtnh.exe 3608 jdvpj.exe 4196 lrfxlfx.exe -
resource yara_rule behavioral2/memory/1112-6-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2952-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2312-17-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2288-22-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3608-33-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3900-38-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3488-50-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2572-56-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3688-61-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1344-69-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4444-80-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2756-75-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3016-94-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4444-87-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5032-105-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5040-104-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4792-109-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4260-123-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1444-122-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4632-130-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/992-141-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4380-140-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1728-147-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3560-163-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/1252-162-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3660-171-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3264-179-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/940-192-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3716-187-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3056-186-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4616-210-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2460-217-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1732-227-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/796-234-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4816-240-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2368-243-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4316-262-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3024-266-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2000-273-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2464-286-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3596-290-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4196-297-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4060-301-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1364-311-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1896-318-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2004-337-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1140-347-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3936-351-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/408-364-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1440-374-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3756-375-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/876-409-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2132-428-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2704-453-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1652-469-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1956-482-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3940-540-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1744-580-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1220-602-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4464-618-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/232-743-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3416-779-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4244-789-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3396-1141-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTP 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the behaviour was observed as repeated opens of the registry key HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables (see the IoC list below; entries marked "Process not Found" are opens whose originating process had already exited when the event was attributed).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllffrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1112 wrote to memory of 2952 1112 f9e7379291507c5c5d8ce1fdf54566697fc1f4debf511928a5f0ff0a16e25136.exe 82 PID 1112 wrote to memory of 2952 1112 f9e7379291507c5c5d8ce1fdf54566697fc1f4debf511928a5f0ff0a16e25136.exe 82 PID 1112 wrote to memory of 2952 1112 f9e7379291507c5c5d8ce1fdf54566697fc1f4debf511928a5f0ff0a16e25136.exe 82 PID 2952 wrote to memory of 2312 2952 1rrrlrr.exe 83 PID 2952 wrote to memory of 2312 2952 1rrrlrr.exe 83 PID 2952 wrote to memory of 2312 2952 1rrrlrr.exe 83 PID 2312 wrote to memory of 2288 2312 pjpjv.exe 84 PID 2312 wrote to memory of 2288 2312 pjpjv.exe 84 PID 2312 wrote to memory of 2288 2312 pjpjv.exe 84 PID 2288 wrote to memory of 1968 2288 jvdvp.exe 85 PID 2288 wrote to memory of 1968 2288 jvdvp.exe 85 PID 2288 wrote to memory of 1968 2288 jvdvp.exe 85 PID 1968 wrote to memory of 3608 1968 ttnhhb.exe 86 PID 1968 wrote to memory of 3608 1968 ttnhhb.exe 86 PID 1968 wrote to memory of 3608 1968 ttnhhb.exe 86 PID 3608 wrote to memory of 3900 3608 vpvjj.exe 87 PID 3608 wrote to memory of 3900 3608 vpvjj.exe 87 PID 3608 wrote to memory of 3900 3608 vpvjj.exe 87 PID 3900 wrote to memory of 2552 3900 nntnbt.exe 88 PID 3900 wrote to memory of 2552 3900 nntnbt.exe 88 PID 3900 wrote to memory of 2552 3900 nntnbt.exe 88 PID 2552 wrote to memory of 3488 2552 lxlfxrx.exe 89 PID 2552 wrote to memory of 3488 2552 lxlfxrx.exe 89 PID 2552 wrote to memory of 3488 2552 lxlfxrx.exe 89 PID 3488 wrote to memory of 2572 3488 btnttn.exe 90 PID 3488 wrote to memory of 2572 3488 btnttn.exe 90 PID 3488 wrote to memory of 2572 3488 btnttn.exe 90 PID 2572 wrote to memory of 3688 2572 rrfxxxx.exe 91 PID 2572 wrote to memory of 3688 2572 rrfxxxx.exe 91 PID 2572 wrote to memory of 3688 2572 rrfxxxx.exe 91 PID 3688 wrote to memory of 1344 3688 bhtbhh.exe 92 PID 3688 wrote to memory of 1344 3688 bhtbhh.exe 92 PID 3688 wrote to memory of 1344 3688 bhtbhh.exe 92 PID 1344 wrote to memory of 2916 1344 dvddd.exe 93 PID 1344 wrote to 
memory of 2916 1344 dvddd.exe 93 PID 1344 wrote to memory of 2916 1344 dvddd.exe 93 PID 2916 wrote to memory of 2756 2916 lfllflf.exe 94 PID 2916 wrote to memory of 2756 2916 lfllflf.exe 94 PID 2916 wrote to memory of 2756 2916 lfllflf.exe 94 PID 2756 wrote to memory of 4444 2756 ttbntn.exe 95 PID 2756 wrote to memory of 4444 2756 ttbntn.exe 95 PID 2756 wrote to memory of 4444 2756 ttbntn.exe 95 PID 4444 wrote to memory of 1556 4444 1nhbbt.exe 96 PID 4444 wrote to memory of 1556 4444 1nhbbt.exe 96 PID 4444 wrote to memory of 1556 4444 1nhbbt.exe 96 PID 1556 wrote to memory of 3016 1556 hhtbht.exe 97 PID 1556 wrote to memory of 3016 1556 hhtbht.exe 97 PID 1556 wrote to memory of 3016 1556 hhtbht.exe 97 PID 3016 wrote to memory of 5032 3016 bbbthb.exe 98 PID 3016 wrote to memory of 5032 3016 bbbthb.exe 98 PID 3016 wrote to memory of 5032 3016 bbbthb.exe 98 PID 5032 wrote to memory of 5040 5032 djvpj.exe 99 PID 5032 wrote to memory of 5040 5032 djvpj.exe 99 PID 5032 wrote to memory of 5040 5032 djvpj.exe 99 PID 5040 wrote to memory of 4792 5040 lllflrf.exe 100 PID 5040 wrote to memory of 4792 5040 lllflrf.exe 100 PID 5040 wrote to memory of 4792 5040 lllflrf.exe 100 PID 4792 wrote to memory of 4260 4792 pjjdv.exe 101 PID 4792 wrote to memory of 4260 4792 pjjdv.exe 101 PID 4792 wrote to memory of 4260 4792 pjjdv.exe 101 PID 4260 wrote to memory of 1444 4260 xrxrlxr.exe 102 PID 4260 wrote to memory of 1444 4260 xrxrlxr.exe 102 PID 4260 wrote to memory of 1444 4260 xrxrlxr.exe 102 PID 1444 wrote to memory of 4632 1444 xrlllrr.exe 103
Processes (process tree; the trailing ⤵N marks nesting depth — each dropped executable is written to the root of C:\ and spawns the next one in the chain, so every entry is a child of the previous one)
-
C:\Users\Admin\AppData\Local\Temp\f9e7379291507c5c5d8ce1fdf54566697fc1f4debf511928a5f0ff0a16e25136.exe  "C:\Users\Admin\AppData\Local\Temp\f9e7379291507c5c5d8ce1fdf54566697fc1f4debf511928a5f0ff0a16e25136.exe"  1⤵
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\1rrrlrr.exec:\1rrrlrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\pjpjv.exec:\pjpjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\jvdvp.exec:\jvdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\ttnhhb.exec:\ttnhhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\vpvjj.exec:\vpvjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\nntnbt.exec:\nntnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\lxlfxrx.exec:\lxlfxrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\btnttn.exec:\btnttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\rrfxxxx.exec:\rrfxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\bhtbhh.exec:\bhtbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\dvddd.exec:\dvddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\lfllflf.exec:\lfllflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\ttbntn.exec:\ttbntn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\1nhbbt.exec:\1nhbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\hhtbht.exec:\hhtbht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\bbbthb.exec:\bbbthb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\djvpj.exec:\djvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\lllflrf.exec:\lllflrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\pjjdv.exec:\pjjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\xrxrlxr.exec:\xrxrlxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\xrlllrr.exec:\xrlllrr.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\thtnhn.exec:\thtnhn.exe23⤵
- Executes dropped EXE
PID:4632 -
\??\c:\jpdjj.exec:\jpdjj.exe24⤵
- Executes dropped EXE
PID:4380 -
\??\c:\llllfxr.exec:\llllfxr.exe25⤵
- Executes dropped EXE
PID:992 -
\??\c:\xrrlffr.exec:\xrrlffr.exe26⤵
- Executes dropped EXE
PID:1728 -
\??\c:\hbbtnn.exec:\hbbtnn.exe27⤵
- Executes dropped EXE
PID:5052 -
\??\c:\tbhbbt.exec:\tbhbbt.exe28⤵
- Executes dropped EXE
PID:1252 -
\??\c:\vpvjd.exec:\vpvjd.exe29⤵
- Executes dropped EXE
PID:3560 -
\??\c:\lfrlrxl.exec:\lfrlrxl.exe30⤵
- Executes dropped EXE
PID:3660 -
\??\c:\7bhbtb.exec:\7bhbtb.exe31⤵
- Executes dropped EXE
PID:3264 -
\??\c:\tbthhn.exec:\tbthhn.exe32⤵
- Executes dropped EXE
PID:3056 -
\??\c:\rrxrxrr.exec:\rrxrxrr.exe33⤵
- Executes dropped EXE
PID:3716 -
\??\c:\hthhbt.exec:\hthhbt.exe34⤵
- Executes dropped EXE
PID:940 -
\??\c:\hthbtt.exec:\hthbtt.exe35⤵
- Executes dropped EXE
PID:3344 -
\??\c:\fxfxxrl.exec:\fxfxxrl.exe36⤵
- Executes dropped EXE
PID:1772 -
\??\c:\3bhnhh.exec:\3bhnhh.exe37⤵
- Executes dropped EXE
PID:2124 -
\??\c:\jjdvv.exec:\jjdvv.exe38⤵
- Executes dropped EXE
PID:3864 -
\??\c:\lrffxfx.exec:\lrffxfx.exe39⤵
- Executes dropped EXE
PID:4616 -
\??\c:\xlfxxff.exec:\xlfxxff.exe40⤵
- Executes dropped EXE
PID:1780 -
\??\c:\bnbbtt.exec:\bnbbtt.exe41⤵
- Executes dropped EXE
PID:2460 -
\??\c:\vpvdv.exec:\vpvdv.exe42⤵
- Executes dropped EXE
PID:936 -
\??\c:\ffxrlxr.exec:\ffxrlxr.exe43⤵
- Executes dropped EXE
PID:3828 -
\??\c:\nnnhbb.exec:\nnnhbb.exe44⤵
- Executes dropped EXE
PID:1732 -
\??\c:\7jppd.exec:\7jppd.exe45⤵
- Executes dropped EXE
PID:2704 -
\??\c:\lfrrxxf.exec:\lfrrxxf.exe46⤵
- Executes dropped EXE
PID:796 -
\??\c:\lrlrlxr.exec:\lrlrlxr.exe47⤵
- Executes dropped EXE
PID:2172 -
\??\c:\hhhnnn.exec:\hhhnnn.exe48⤵
- Executes dropped EXE
PID:4816 -
\??\c:\pdvpj.exec:\pdvpj.exe49⤵
- Executes dropped EXE
PID:2368 -
\??\c:\xxffrlx.exec:\xxffrlx.exe50⤵
- Executes dropped EXE
PID:1652 -
\??\c:\bttnhh.exec:\bttnhh.exe51⤵
- Executes dropped EXE
PID:2196 -
\??\c:\jdppv.exec:\jdppv.exe52⤵
- Executes dropped EXE
PID:800 -
\??\c:\jpjdv.exec:\jpjdv.exe53⤵
- Executes dropped EXE
PID:1012 -
\??\c:\lxfxlrl.exec:\lxfxlrl.exe54⤵
- Executes dropped EXE
PID:2404 -
\??\c:\bbbtbt.exec:\bbbtbt.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4316 -
\??\c:\pjjdv.exec:\pjjdv.exe56⤵
- Executes dropped EXE
PID:3024 -
\??\c:\ddjdd.exec:\ddjdd.exe57⤵
- Executes dropped EXE
PID:4624 -
\??\c:\7xfrrrl.exec:\7xfrrrl.exe58⤵
- Executes dropped EXE
PID:2000 -
\??\c:\nttbtn.exec:\nttbtn.exe59⤵
- Executes dropped EXE
PID:1792 -
\??\c:\pvpvd.exec:\pvpvd.exe60⤵
- Executes dropped EXE
PID:1020 -
\??\c:\xfxrfff.exec:\xfxrfff.exe61⤵
- Executes dropped EXE
PID:3436 -
\??\c:\bthbhh.exec:\bthbhh.exe62⤵
- Executes dropped EXE
PID:2464 -
\??\c:\ntbtnh.exec:\ntbtnh.exe63⤵
- Executes dropped EXE
PID:3596 -
\??\c:\jdvpj.exec:\jdvpj.exe64⤵
- Executes dropped EXE
PID:3608 -
\??\c:\lrfxlfx.exec:\lrfxlfx.exe65⤵
- Executes dropped EXE
PID:4196 -
\??\c:\tntnhb.exec:\tntnhb.exe66⤵PID:4060
-
\??\c:\htbbnn.exec:\htbbnn.exe67⤵PID:2184
-
\??\c:\frffxxx.exec:\frffxxx.exe68⤵PID:3848
-
\??\c:\lrxrlll.exec:\lrxrlll.exe69⤵PID:1364
-
\??\c:\tntnhh.exec:\tntnhh.exe70⤵PID:1448
-
\??\c:\dpvpp.exec:\dpvpp.exe71⤵PID:1896
-
\??\c:\frfrfll.exec:\frfrfll.exe72⤵PID:1752
-
\??\c:\rrxllfl.exec:\rrxllfl.exe73⤵PID:212
-
\??\c:\bhhbht.exec:\bhhbht.exe74⤵PID:2924
-
\??\c:\vpvpp.exec:\vpvpp.exe75⤵PID:532
-
\??\c:\rxrlrrf.exec:\rxrlrrf.exe76⤵PID:2988
-
\??\c:\thtnhb.exec:\thtnhb.exe77⤵PID:2004
-
\??\c:\pdjvp.exec:\pdjvp.exe78⤵PID:4852
-
\??\c:\jddvv.exec:\jddvv.exe79⤵PID:2732
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe80⤵PID:1140
-
\??\c:\nhhhbt.exec:\nhhhbt.exe81⤵PID:3936
-
\??\c:\bhtthh.exec:\bhtthh.exe82⤵PID:1548
-
\??\c:\dvjdp.exec:\dvjdp.exe83⤵PID:3268
-
\??\c:\lxffxxr.exec:\lxffxxr.exe84⤵PID:740
-
\??\c:\3rxffrx.exec:\3rxffrx.exe85⤵PID:408
-
\??\c:\hhbbbb.exec:\hhbbbb.exe86⤵PID:4632
-
\??\c:\dvpjd.exec:\dvpjd.exe87⤵PID:4380
-
\??\c:\3rlxffl.exec:\3rlxffl.exe88⤵PID:1440
-
\??\c:\nhhnht.exec:\nhhnht.exe89⤵PID:3756
-
\??\c:\5ppjd.exec:\5ppjd.exe90⤵PID:1776
-
\??\c:\pdjdd.exec:\pdjdd.exe91⤵PID:1916
-
\??\c:\lflfxxr.exec:\lflfxxr.exe92⤵PID:1220
-
\??\c:\hbnhnh.exec:\hbnhnh.exe93⤵PID:2264
-
\??\c:\pjpjd.exec:\pjpjd.exe94⤵PID:2136
-
\??\c:\dddvp.exec:\dddvp.exe95⤵PID:2280
-
\??\c:\rrrlllf.exec:\rrrlllf.exe96⤵PID:548
-
\??\c:\tnnhhh.exec:\tnnhhh.exe97⤵PID:4348
-
\??\c:\jdddp.exec:\jdddp.exe98⤵PID:3064
-
\??\c:\rffxrrl.exec:\rffxrrl.exe99⤵PID:876
-
\??\c:\rrrxlfx.exec:\rrrxlfx.exe100⤵PID:1304
-
\??\c:\bnttnn.exec:\bnttnn.exe101⤵PID:1380
-
\??\c:\pvdvv.exec:\pvdvv.exe102⤵PID:3524
-
\??\c:\xfrlxff.exec:\xfrlxff.exe103⤵PID:1592
-
\??\c:\hbhhhh.exec:\hbhhhh.exe104⤵PID:4408
-
\??\c:\jvvpj.exec:\jvvpj.exe105⤵PID:2132
-
\??\c:\dppjd.exec:\dppjd.exe106⤵PID:2504
-
\??\c:\rlrllff.exec:\rlrllff.exe107⤵PID:4884
-
\??\c:\bbhbhh.exec:\bbhbhh.exe108⤵PID:3948
-
\??\c:\dvdvp.exec:\dvdvp.exe109⤵PID:1540
-
\??\c:\vvdjd.exec:\vvdjd.exe110⤵PID:3812
-
\??\c:\lrxrllf.exec:\lrxrllf.exe111⤵PID:3472
-
\??\c:\bbttnt.exec:\bbttnt.exe112⤵PID:1732
-
\??\c:\dvpjv.exec:\dvpjv.exe113⤵PID:2704
-
\??\c:\dvjjj.exec:\dvjjj.exe114⤵PID:3156
-
\??\c:\fxxlxff.exec:\fxxlxff.exe115⤵PID:2536
-
\??\c:\hhntbb.exec:\hhntbb.exe116⤵PID:4816
-
\??\c:\5hnhhh.exec:\5hnhhh.exe117⤵PID:2268
-
\??\c:\dpppj.exec:\dpppj.exe118⤵PID:1652
-
\??\c:\flrrrrf.exec:\flrrrrf.exe119⤵PID:1632
-
\??\c:\tthbbb.exec:\tthbbb.exe120⤵PID:2688
-
\??\c:\vvdpd.exec:\vvdpd.exe121⤵PID:1660
-
\??\c:\1jvvp.exec:\1jvvp.exe122⤵PID:1956