Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/12/2024, 19:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe
Resource
win7-20240903-en
7 signatures
150 seconds
Note: the task tab listed here is behavioral1 on win7-20240903-en, but every IoC under Signatures below is labelled behavioral2 and the Analysis header gives windows10-2004_x64 / win10v2004-20241007-en, so the detailed results on this page appear to come from the Windows 10 run rather than the Windows 7 one.
General
-
Target
171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe
-
Size
453KB
-
MD5
51a96bedf6759a90bcc40ea80e72e9e4
-
SHA1
1366a83a0ba7213347a5925b45c4b307fe5aee70
-
SHA256
171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14
-
SHA512
e7d5867dd197433ce899f34dcbda6d62cc703d307a33ff6b1d1799479e89f82dcc0d9b38f490b76fbdfd34fc601eb331f37c9513baeae09cf773b19f0e12a2fe
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs — every hit below is the same 0x00400000–0x0042A000 image range, first in the submitted sample (PID 2324) and then in each dropped executable it chains into, which is consistent with every dropped file being a copy of the same payload. The same dump ranges also match the `upx` yara rule listed further down, so the family match is on the in-memory image rather than on a file on disk. That mapped range is only 0x2A000 bytes (roughly 168 KiB) against a 453 KB file, so the rest of the file is presumably overlay or unmapped data — worth confirming in static analysis.
resource yara_rule behavioral2/memory/2324-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5116-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4524-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-907-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-1068-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-1093-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — in this run every dropped binary is written to the drive root (`\??\c:\<name>.exe`), and each one launches the next, so the process tree below is a single linear chain more than 120 levels deep. The names are 5–7 characters made only of the letters b d f h j l n p r t v x, sometimes with a leading odd digit (e.g. `xlrlrlf.exe`, `3jpvp.exe`, `9ffrlfl.exe`); a pattern such as `^[13579]?[bdfhjlnprtvx]{4,7}\.exe$` on newly created executables in `C:\` is a reasonable hunt query for this chain, though the name generator may differ in other samples.
pid Process 5040 xlrlrlf.exe 1612 1lrllll.exe 4752 ttnnnh.exe 4144 tthhnt.exe 404 lllfxfx.exe 116 jddvp.exe 3416 lffrlfr.exe 820 nhhbtt.exe 2248 hhhhnh.exe 3808 vjvpd.exe 2920 bnnbtn.exe 3080 jvjjd.exe 4340 tthhbn.exe 1492 lffrllx.exe 2996 pvdvd.exe 3472 hnnbtn.exe 2932 dvdjd.exe 776 lrrfrlf.exe 4992 tnhbnh.exe 2904 fxrfxrl.exe 2304 jpvjd.exe 3804 rrrxllx.exe 1520 fxxxrrl.exe 3268 pdpdp.exe 2936 hthbhh.exe 1540 3jpvp.exe 5116 vjjvp.exe 3168 3lfxxxl.exe 4108 nhhbnh.exe 892 xrxrfxx.exe 4264 bnthhh.exe 1936 lffxrrx.exe 3480 5jpdd.exe 4576 xxllllf.exe 3432 jvpjd.exe 2880 vvdvd.exe 3532 9ffrlfl.exe 4132 tnhnnh.exe 4052 jppjp.exe 4076 lfxrlfx.exe 3864 hnnhbt.exe 4816 tbnhbb.exe 2916 pvdvj.exe 2712 frlfrff.exe 1564 nbhnhb.exe 1700 nhbttb.exe 1512 lfxxrrr.exe 984 nbhbnn.exe 3164 ppdvj.exe 2876 xflfrlf.exe 4908 lffxrrr.exe 380 tbhbtn.exe 2560 9dvjd.exe 4864 1jpjv.exe 1360 xllfxrl.exe 4436 tnnhbt.exe 4240 dvpjd.exe 2472 vdjvj.exe 2524 fffrxrr.exe 1496 thhbnh.exe 3416 dvpjv.exe 716 dppjj.exe 2440 fflffrx.exe 4872 tnhbbt.exe -
resource yara_rule behavioral2/memory/2324-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1936-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-484-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2272-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-867-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-907-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-1068-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-1093-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. The only IoC behind this signature is a read of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`; that key is also read by a great deal of legitimate software, so treat it as supporting context rather than a stand-alone detection. Most entries are attributed to "Process not Found", which usually means the sandbox could not resolve the PID to a process — for example because the short-lived process had already exited.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — in the entries shown, every write goes from a process to the child it has just launched (three writes per child: 2324→5040, 5040→1612, 1612→4752, …), which is consistent with the parent setting up the process it spawns rather than injecting into a pre-existing or unrelated process; no write to a system process appears in the visible list. The list is capped at 64 entries and stops at the write into PID 3804, while the process tree below continues well past level 120.
description pid Process procid_target PID 2324 wrote to memory of 5040 2324 171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe 83 PID 2324 wrote to memory of 5040 2324 171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe 83 PID 2324 wrote to memory of 5040 2324 171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe 83 PID 5040 wrote to memory of 1612 5040 xlrlrlf.exe 84 PID 5040 wrote to memory of 1612 5040 xlrlrlf.exe 84 PID 5040 wrote to memory of 1612 5040 xlrlrlf.exe 84 PID 1612 wrote to memory of 4752 1612 1lrllll.exe 85 PID 1612 wrote to memory of 4752 1612 1lrllll.exe 85 PID 1612 wrote to memory of 4752 1612 1lrllll.exe 85 PID 4752 wrote to memory of 4144 4752 ttnnnh.exe 86 PID 4752 wrote to memory of 4144 4752 ttnnnh.exe 86 PID 4752 wrote to memory of 4144 4752 ttnnnh.exe 86 PID 4144 wrote to memory of 404 4144 tthhnt.exe 87 PID 4144 wrote to memory of 404 4144 tthhnt.exe 87 PID 4144 wrote to memory of 404 4144 tthhnt.exe 87 PID 404 wrote to memory of 116 404 lllfxfx.exe 88 PID 404 wrote to memory of 116 404 lllfxfx.exe 88 PID 404 wrote to memory of 116 404 lllfxfx.exe 88 PID 116 wrote to memory of 3416 116 jddvp.exe 89 PID 116 wrote to memory of 3416 116 jddvp.exe 89 PID 116 wrote to memory of 3416 116 jddvp.exe 89 PID 3416 wrote to memory of 820 3416 lffrlfr.exe 90 PID 3416 wrote to memory of 820 3416 lffrlfr.exe 90 PID 3416 wrote to memory of 820 3416 lffrlfr.exe 90 PID 820 wrote to memory of 2248 820 nhhbtt.exe 91 PID 820 wrote to memory of 2248 820 nhhbtt.exe 91 PID 820 wrote to memory of 2248 820 nhhbtt.exe 91 PID 2248 wrote to memory of 3808 2248 hhhhnh.exe 92 PID 2248 wrote to memory of 3808 2248 hhhhnh.exe 92 PID 2248 wrote to memory of 3808 2248 hhhhnh.exe 92 PID 3808 wrote to memory of 2920 3808 vjvpd.exe 93 PID 3808 wrote to memory of 2920 3808 vjvpd.exe 93 PID 3808 wrote to memory of 2920 3808 vjvpd.exe 93 PID 2920 wrote to memory of 3080 2920 bnnbtn.exe 94 PID 2920 wrote to memory of 3080 2920 
bnnbtn.exe 94 PID 2920 wrote to memory of 3080 2920 bnnbtn.exe 94 PID 3080 wrote to memory of 4340 3080 jvjjd.exe 95 PID 3080 wrote to memory of 4340 3080 jvjjd.exe 95 PID 3080 wrote to memory of 4340 3080 jvjjd.exe 95 PID 4340 wrote to memory of 1492 4340 tthhbn.exe 96 PID 4340 wrote to memory of 1492 4340 tthhbn.exe 96 PID 4340 wrote to memory of 1492 4340 tthhbn.exe 96 PID 1492 wrote to memory of 2996 1492 lffrllx.exe 97 PID 1492 wrote to memory of 2996 1492 lffrllx.exe 97 PID 1492 wrote to memory of 2996 1492 lffrllx.exe 97 PID 2996 wrote to memory of 3472 2996 pvdvd.exe 98 PID 2996 wrote to memory of 3472 2996 pvdvd.exe 98 PID 2996 wrote to memory of 3472 2996 pvdvd.exe 98 PID 3472 wrote to memory of 2932 3472 hnnbtn.exe 99 PID 3472 wrote to memory of 2932 3472 hnnbtn.exe 99 PID 3472 wrote to memory of 2932 3472 hnnbtn.exe 99 PID 2932 wrote to memory of 776 2932 dvdjd.exe 100 PID 2932 wrote to memory of 776 2932 dvdjd.exe 100 PID 2932 wrote to memory of 776 2932 dvdjd.exe 100 PID 776 wrote to memory of 4992 776 lrrfrlf.exe 101 PID 776 wrote to memory of 4992 776 lrrfrlf.exe 101 PID 776 wrote to memory of 4992 776 lrrfrlf.exe 101 PID 4992 wrote to memory of 2904 4992 tnhbnh.exe 102 PID 4992 wrote to memory of 2904 4992 tnhbnh.exe 102 PID 4992 wrote to memory of 2904 4992 tnhbnh.exe 102 PID 2904 wrote to memory of 2304 2904 fxrfxrl.exe 103 PID 2904 wrote to memory of 2304 2904 fxrfxrl.exe 103 PID 2904 wrote to memory of 2304 2904 fxrfxrl.exe 103 PID 2304 wrote to memory of 3804 2304 jpvjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe"C:\Users\Admin\AppData\Local\Temp\171ba2aeb5aefb87780ced85d4998d9c1af8009479e532d93ebbae0cf69b8c14.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\xlrlrlf.exec:\xlrlrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\1lrllll.exec:\1lrllll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\ttnnnh.exec:\ttnnnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\tthhnt.exec:\tthhnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\lllfxfx.exec:\lllfxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\jddvp.exec:\jddvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\lffrlfr.exec:\lffrlfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\nhhbtt.exec:\nhhbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\hhhhnh.exec:\hhhhnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\vjvpd.exec:\vjvpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\bnnbtn.exec:\bnnbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\jvjjd.exec:\jvjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\tthhbn.exec:\tthhbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\lffrllx.exec:\lffrllx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\pvdvd.exec:\pvdvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\hnnbtn.exec:\hnnbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\dvdjd.exec:\dvdjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\lrrfrlf.exec:\lrrfrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\tnhbnh.exec:\tnhbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\fxrfxrl.exec:\fxrfxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\jpvjd.exec:\jpvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\rrrxllx.exec:\rrrxllx.exe23⤵
- Executes dropped EXE
PID:3804 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe24⤵
- Executes dropped EXE
PID:1520 -
\??\c:\pdpdp.exec:\pdpdp.exe25⤵
- Executes dropped EXE
PID:3268 -
\??\c:\hthbhh.exec:\hthbhh.exe26⤵
- Executes dropped EXE
PID:2936 -
\??\c:\3jpvp.exec:\3jpvp.exe27⤵
- Executes dropped EXE
PID:1540 -
\??\c:\vjjvp.exec:\vjjvp.exe28⤵
- Executes dropped EXE
PID:5116 -
\??\c:\3lfxxxl.exec:\3lfxxxl.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3168 -
\??\c:\nhhbnh.exec:\nhhbnh.exe30⤵
- Executes dropped EXE
PID:4108 -
\??\c:\xrxrfxx.exec:\xrxrfxx.exe31⤵
- Executes dropped EXE
PID:892 -
\??\c:\bnthhh.exec:\bnthhh.exe32⤵
- Executes dropped EXE
PID:4264 -
\??\c:\lffxrrx.exec:\lffxrrx.exe33⤵
- Executes dropped EXE
PID:1936 -
\??\c:\5jpdd.exec:\5jpdd.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3480 -
\??\c:\xxllllf.exec:\xxllllf.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4576 -
\??\c:\jvpjd.exec:\jvpjd.exe36⤵
- Executes dropped EXE
PID:3432 -
\??\c:\vvdvd.exec:\vvdvd.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\9ffrlfl.exec:\9ffrlfl.exe38⤵
- Executes dropped EXE
PID:3532 -
\??\c:\tnhnnh.exec:\tnhnnh.exe39⤵
- Executes dropped EXE
PID:4132 -
\??\c:\jppjp.exec:\jppjp.exe40⤵
- Executes dropped EXE
PID:4052 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe41⤵
- Executes dropped EXE
PID:4076 -
\??\c:\hnnhbt.exec:\hnnhbt.exe42⤵
- Executes dropped EXE
PID:3864 -
\??\c:\tbnhbb.exec:\tbnhbb.exe43⤵
- Executes dropped EXE
PID:4816 -
\??\c:\pvdvj.exec:\pvdvj.exe44⤵
- Executes dropped EXE
PID:2916 -
\??\c:\frlfrff.exec:\frlfrff.exe45⤵
- Executes dropped EXE
PID:2712 -
\??\c:\nbhnhb.exec:\nbhnhb.exe46⤵
- Executes dropped EXE
PID:1564 -
\??\c:\nhbttb.exec:\nhbttb.exe47⤵
- Executes dropped EXE
PID:1700 -
\??\c:\lfxxrrr.exec:\lfxxrrr.exe48⤵
- Executes dropped EXE
PID:1512 -
\??\c:\nbhbnn.exec:\nbhbnn.exe49⤵
- Executes dropped EXE
PID:984 -
\??\c:\ppdvj.exec:\ppdvj.exe50⤵
- Executes dropped EXE
PID:3164 -
\??\c:\xflfrlf.exec:\xflfrlf.exe51⤵
- Executes dropped EXE
PID:2876 -
\??\c:\lffxrrr.exec:\lffxrrr.exe52⤵
- Executes dropped EXE
PID:4908 -
\??\c:\tbhbtn.exec:\tbhbtn.exe53⤵
- Executes dropped EXE
PID:380 -
\??\c:\9dvjd.exec:\9dvjd.exe54⤵
- Executes dropped EXE
PID:2560 -
\??\c:\1jpjv.exec:\1jpjv.exe55⤵
- Executes dropped EXE
PID:4864 -
\??\c:\xllfxrl.exec:\xllfxrl.exe56⤵
- Executes dropped EXE
PID:1360 -
\??\c:\tnnhbt.exec:\tnnhbt.exe57⤵
- Executes dropped EXE
PID:4436 -
\??\c:\dvpjd.exec:\dvpjd.exe58⤵
- Executes dropped EXE
PID:4240 -
\??\c:\vdjvj.exec:\vdjvj.exe59⤵
- Executes dropped EXE
PID:2472 -
\??\c:\fffrxrr.exec:\fffrxrr.exe60⤵
- Executes dropped EXE
PID:2524 -
\??\c:\thhbnh.exec:\thhbnh.exe61⤵
- Executes dropped EXE
PID:1496 -
\??\c:\dvpjv.exec:\dvpjv.exe62⤵
- Executes dropped EXE
PID:3416 -
\??\c:\dppjj.exec:\dppjj.exe63⤵
- Executes dropped EXE
PID:716 -
\??\c:\fflffrx.exec:\fflffrx.exe64⤵
- Executes dropped EXE
PID:2440 -
\??\c:\tnhbbt.exec:\tnhbbt.exe65⤵
- Executes dropped EXE
PID:4872 -
\??\c:\vdjdj.exec:\vdjdj.exe66⤵PID:2520
-
\??\c:\vpdpv.exec:\vpdpv.exe67⤵PID:3668
-
\??\c:\xffrfxr.exec:\xffrfxr.exe68⤵PID:4384
-
\??\c:\7hnhbn.exec:\7hnhbn.exe69⤵PID:3632
-
\??\c:\djvvp.exec:\djvvp.exe70⤵PID:784
-
\??\c:\xlxlfff.exec:\xlxlfff.exe71⤵PID:1832
-
\??\c:\bhnthh.exec:\bhnthh.exe72⤵PID:4852
-
\??\c:\jddvj.exec:\jddvj.exe73⤵PID:4396
-
\??\c:\jdvvp.exec:\jdvvp.exe74⤵PID:3428
-
\??\c:\llllfff.exec:\llllfff.exe75⤵PID:1864
-
\??\c:\htbtnn.exec:\htbtnn.exe76⤵PID:2932
-
\??\c:\pjjjv.exec:\pjjjv.exe77⤵PID:2732
-
\??\c:\rrffffl.exec:\rrffffl.exe78⤵PID:4696
-
\??\c:\bbthbt.exec:\bbthbt.exe79⤵PID:4992
-
\??\c:\nnnnhn.exec:\nnnnhn.exe80⤵PID:2904
-
\??\c:\1pddv.exec:\1pddv.exe81⤵PID:3844
-
\??\c:\lfffxxf.exec:\lfffxxf.exe82⤵PID:2588
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe83⤵PID:4888
-
\??\c:\bttttt.exec:\bttttt.exe84⤵PID:2984
-
\??\c:\pvvvj.exec:\pvvvj.exe85⤵PID:3660
-
\??\c:\fxffflf.exec:\fxffflf.exe86⤵PID:3016
-
\??\c:\9xlxrrl.exec:\9xlxrrl.exe87⤵PID:972
-
\??\c:\bhnnhn.exec:\bhnnhn.exe88⤵PID:1692
-
\??\c:\vvdvd.exec:\vvdvd.exe89⤵PID:4916
-
\??\c:\fxflffx.exec:\fxflffx.exe90⤵PID:4412
-
\??\c:\9tbnhb.exec:\9tbnhb.exe91⤵PID:4544
-
\??\c:\dvdjd.exec:\dvdjd.exe92⤵PID:2316
-
\??\c:\pvvvp.exec:\pvvvp.exe93⤵PID:1348
-
\??\c:\rrxrxxr.exec:\rrxrxxr.exe94⤵PID:892
-
\??\c:\btnbnt.exec:\btnbnt.exe95⤵PID:2512
-
\??\c:\7ppdj.exec:\7ppdj.exe96⤵PID:3364
-
\??\c:\5lffrrf.exec:\5lffrrf.exe97⤵PID:1340
-
\??\c:\bhhtht.exec:\bhhtht.exe98⤵PID:5020
-
\??\c:\5hhnhh.exec:\5hhnhh.exe99⤵PID:4604
-
\??\c:\dvdvp.exec:\dvdvp.exe100⤵PID:4368
-
\??\c:\rxffffx.exec:\rxffffx.exe101⤵PID:1444
-
\??\c:\7ntthh.exec:\7ntthh.exe102⤵PID:4596
-
\??\c:\1ddvv.exec:\1ddvv.exe103⤵PID:1904
-
\??\c:\djjvd.exec:\djjvd.exe104⤵PID:4832
-
\??\c:\3xrfxlf.exec:\3xrfxlf.exe105⤵PID:2036
-
\??\c:\hbthnh.exec:\hbthnh.exe106⤵PID:4180
-
\??\c:\ppjdp.exec:\ppjdp.exe107⤵PID:3148
-
\??\c:\frlxlfx.exec:\frlxlfx.exe108⤵PID:5056
-
\??\c:\7bnnbh.exec:\7bnnbh.exe109⤵PID:232
-
\??\c:\jvdpp.exec:\jvdpp.exe110⤵PID:4524
-
\??\c:\rlxrlll.exec:\rlxrlll.exe111⤵PID:1536
-
\??\c:\xxlfxrr.exec:\xxlfxrr.exe112⤵PID:1700
-
\??\c:\tnhbhb.exec:\tnhbhb.exe113⤵PID:4300
-
\??\c:\dvdvv.exec:\dvdvv.exe114⤵PID:336
-
\??\c:\frrlllx.exec:\frrlllx.exe115⤵PID:3352
-
\??\c:\9ttnnn.exec:\9ttnnn.exe116⤵PID:1256
-
\??\c:\jdpjj.exec:\jdpjj.exe117⤵PID:3924
-
\??\c:\9ddvj.exec:\9ddvj.exe118⤵PID:380
-
\??\c:\rffxfxr.exec:\rffxfxr.exe119⤵PID:4392
-
\??\c:\7ntnhh.exec:\7ntnhh.exe120⤵PID:4752
-
\??\c:\ppjdp.exec:\ppjdp.exe121⤵PID:3536
-
\??\c:\5llxrrl.exec:\5llxrrl.exe122⤵PID:4284