Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 19:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
066654143a6cfce0b064d32e47a9f731384c15eb562c581b5db4c07d26907fd9.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
066654143a6cfce0b064d32e47a9f731384c15eb562c581b5db4c07d26907fd9.exe
-
Size
454KB
-
MD5
f2e6db9fc4283e9353312ec59723ffe6
-
SHA1
0289e9674d8981ed4e983bf1e266d1a4d6023a62
-
SHA256
066654143a6cfce0b064d32e47a9f731384c15eb562c581b5db4c07d26907fd9
-
SHA512
1778e4b0286edd2f38129bf8b7d0849b544c152b38ee8418f1dd1811580c711fc831e59f38db48a46ad6c87cdafa438612be8218043f1846e734f78e30fa0e78
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2988-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4920-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/976-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-1007-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4188 lxfllff.exe 2028 vppdv.exe 1752 ntthbt.exe 4744 5fxlffx.exe 4372 httnhh.exe 3540 frlflfr.exe 2320 ppvjj.exe 2948 tttttb.exe 3760 1jvjd.exe 1496 7pdvp.exe 3260 hhtnhh.exe 4164 5lrlfxr.exe 3420 7hnhbt.exe 428 3jpjp.exe 1964 bhhthb.exe 1352 dvvjv.exe 4252 llxllff.exe 1480 dppdp.exe 2872 7xrlfxr.exe 3924 3rxrlfx.exe 4128 thhbtn.exe 4704 pddvd.exe 2008 frrlffx.exe 1372 fxxfrrf.exe 2932 pjvpj.exe 4920 pdjpv.exe 1404 tnhtnh.exe 4580 jvvvd.exe 4552 rlrlxrl.exe 3448 nhhbtn.exe 2440 pjdvj.exe 4732 jpvjv.exe 4720 tnnhhb.exe 2332 7bhbtn.exe 5016 jddpd.exe 1500 9jdvd.exe 3716 1vvvv.exe 4692 1dpdv.exe 4412 1rlfrrl.exe 2728 htnbbt.exe 3692 dvvpp.exe 872 fxrrlfx.exe 4876 7xrlxrf.exe 4448 hnhthb.exe 1276 djjdv.exe 3464 ffxlfxr.exe 3092 htbthb.exe 3968 7hbnhh.exe 4148 vjvjd.exe 1116 rllxlfx.exe 4744 1bhtnh.exe 3644 jppjv.exe 1504 xffxlff.exe 3880 tnnbbt.exe 1328 9tnbnn.exe 976 5jjvv.exe 4936 rfrrxxf.exe 220 1nnhtb.exe 2180 7ddpv.exe 828 xlfxlrl.exe 4248 fllfrlf.exe 1108 tnnhbt.exe 4228 dpjvd.exe 2084 rrrlxrl.exe -
resource yara_rule behavioral2/memory/2988-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1404-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3680-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-756-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxxr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rffxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 4188 2988 066654143a6cfce0b064d32e47a9f731384c15eb562c581b5db4c07d26907fd9.exe 82 PID 2988 wrote to memory of 4188 2988 066654143a6cfce0b064d32e47a9f731384c15eb562c581b5db4c07d26907fd9.exe 82 PID 2988 wrote to memory of 4188 2988 066654143a6cfce0b064d32e47a9f731384c15eb562c581b5db4c07d26907fd9.exe 82 PID 4188 wrote to memory of 2028 4188 lxfllff.exe 83 PID 4188 wrote to memory of 2028 4188 lxfllff.exe 83 PID 4188 wrote to memory of 2028 4188 lxfllff.exe 83 PID 2028 wrote to memory of 1752 2028 vppdv.exe 84 PID 2028 wrote to memory of 1752 2028 vppdv.exe 84 PID 2028 wrote to memory of 1752 2028 vppdv.exe 84 PID 1752 wrote to memory of 4744 1752 ntthbt.exe 85 PID 1752 wrote to memory of 4744 1752 ntthbt.exe 85 PID 1752 wrote to memory of 4744 1752 ntthbt.exe 85 PID 4744 wrote to memory of 4372 4744 5fxlffx.exe 86 PID 4744 wrote to memory of 4372 4744 5fxlffx.exe 86 PID 4744 wrote to memory of 4372 4744 5fxlffx.exe 86 PID 4372 wrote to memory of 3540 4372 httnhh.exe 87 PID 4372 wrote to memory of 3540 4372 httnhh.exe 87 PID 4372 wrote to memory of 3540 4372 httnhh.exe 87 PID 3540 wrote to memory of 2320 3540 frlflfr.exe 88 PID 3540 wrote to memory of 2320 3540 frlflfr.exe 88 PID 3540 wrote to memory of 2320 3540 frlflfr.exe 88 PID 2320 wrote to memory of 2948 2320 ppvjj.exe 89 PID 2320 wrote to memory of 2948 2320 ppvjj.exe 89 PID 2320 wrote to memory of 2948 2320 ppvjj.exe 89 PID 2948 wrote to memory of 3760 2948 tttttb.exe 90 PID 2948 wrote to memory of 3760 2948 tttttb.exe 90 PID 2948 wrote to memory of 3760 2948 tttttb.exe 90 PID 3760 wrote to memory of 1496 3760 1jvjd.exe 91 PID 3760 wrote to memory of 1496 3760 1jvjd.exe 91 PID 3760 wrote to memory of 1496 3760 1jvjd.exe 91 PID 1496 wrote to memory of 3260 1496 7pdvp.exe 92 PID 1496 wrote to memory of 3260 1496 7pdvp.exe 92 PID 1496 wrote to memory of 3260 1496 7pdvp.exe 92 PID 3260 wrote to memory of 4164 3260 hhtnhh.exe 93 PID 3260 wrote to 
memory of 4164 3260 hhtnhh.exe 93 PID 3260 wrote to memory of 4164 3260 hhtnhh.exe 93 PID 4164 wrote to memory of 3420 4164 5lrlfxr.exe 94 PID 4164 wrote to memory of 3420 4164 5lrlfxr.exe 94 PID 4164 wrote to memory of 3420 4164 5lrlfxr.exe 94 PID 3420 wrote to memory of 428 3420 7hnhbt.exe 95 PID 3420 wrote to memory of 428 3420 7hnhbt.exe 95 PID 3420 wrote to memory of 428 3420 7hnhbt.exe 95 PID 428 wrote to memory of 1964 428 3jpjp.exe 96 PID 428 wrote to memory of 1964 428 3jpjp.exe 96 PID 428 wrote to memory of 1964 428 3jpjp.exe 96 PID 1964 wrote to memory of 1352 1964 bhhthb.exe 97 PID 1964 wrote to memory of 1352 1964 bhhthb.exe 97 PID 1964 wrote to memory of 1352 1964 bhhthb.exe 97 PID 1352 wrote to memory of 4252 1352 dvvjv.exe 98 PID 1352 wrote to memory of 4252 1352 dvvjv.exe 98 PID 1352 wrote to memory of 4252 1352 dvvjv.exe 98 PID 4252 wrote to memory of 1480 4252 llxllff.exe 99 PID 4252 wrote to memory of 1480 4252 llxllff.exe 99 PID 4252 wrote to memory of 1480 4252 llxllff.exe 99 PID 1480 wrote to memory of 2872 1480 dppdp.exe 100 PID 1480 wrote to memory of 2872 1480 dppdp.exe 100 PID 1480 wrote to memory of 2872 1480 dppdp.exe 100 PID 2872 wrote to memory of 3924 2872 7xrlfxr.exe 101 PID 2872 wrote to memory of 3924 2872 7xrlfxr.exe 101 PID 2872 wrote to memory of 3924 2872 7xrlfxr.exe 101 PID 3924 wrote to memory of 4128 3924 3rxrlfx.exe 102 PID 3924 wrote to memory of 4128 3924 3rxrlfx.exe 102 PID 3924 wrote to memory of 4128 3924 3rxrlfx.exe 102 PID 4128 wrote to memory of 4704 4128 thhbtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\066654143a6cfce0b064d32e47a9f731384c15eb562c581b5db4c07d26907fd9.exe"C:\Users\Admin\AppData\Local\Temp\066654143a6cfce0b064d32e47a9f731384c15eb562c581b5db4c07d26907fd9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\lxfllff.exec:\lxfllff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\vppdv.exec:\vppdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\ntthbt.exec:\ntthbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\5fxlffx.exec:\5fxlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\httnhh.exec:\httnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\frlflfr.exec:\frlflfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\ppvjj.exec:\ppvjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\tttttb.exec:\tttttb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\1jvjd.exec:\1jvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\7pdvp.exec:\7pdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\hhtnhh.exec:\hhtnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\5lrlfxr.exec:\5lrlfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\7hnhbt.exec:\7hnhbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\3jpjp.exec:\3jpjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\bhhthb.exec:\bhhthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\dvvjv.exec:\dvvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\llxllff.exec:\llxllff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\dppdp.exec:\dppdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\7xrlfxr.exec:\7xrlfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\3rxrlfx.exec:\3rxrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\thhbtn.exec:\thhbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\pddvd.exec:\pddvd.exe23⤵
- Executes dropped EXE
PID:4704 -
\??\c:\frrlffx.exec:\frrlffx.exe24⤵
- Executes dropped EXE
PID:2008 -
\??\c:\fxxfrrf.exec:\fxxfrrf.exe25⤵
- Executes dropped EXE
PID:1372 -
\??\c:\pjvpj.exec:\pjvpj.exe26⤵
- Executes dropped EXE
PID:2932 -
\??\c:\pdjpv.exec:\pdjpv.exe27⤵
- Executes dropped EXE
PID:4920 -
\??\c:\tnhtnh.exec:\tnhtnh.exe28⤵
- Executes dropped EXE
PID:1404 -
\??\c:\jvvvd.exec:\jvvvd.exe29⤵
- Executes dropped EXE
PID:4580 -
\??\c:\rlrlxrl.exec:\rlrlxrl.exe30⤵
- Executes dropped EXE
PID:4552 -
\??\c:\nhhbtn.exec:\nhhbtn.exe31⤵
- Executes dropped EXE
PID:3448 -
\??\c:\pjdvj.exec:\pjdvj.exe32⤵
- Executes dropped EXE
PID:2440 -
\??\c:\jpvjv.exec:\jpvjv.exe33⤵
- Executes dropped EXE
PID:4732 -
\??\c:\tnnhhb.exec:\tnnhhb.exe34⤵
- Executes dropped EXE
PID:4720 -
\??\c:\7bhbtn.exec:\7bhbtn.exe35⤵
- Executes dropped EXE
PID:2332 -
\??\c:\jddpd.exec:\jddpd.exe36⤵
- Executes dropped EXE
PID:5016 -
\??\c:\9jdvd.exec:\9jdvd.exe37⤵
- Executes dropped EXE
PID:1500 -
\??\c:\1vvvv.exec:\1vvvv.exe38⤵
- Executes dropped EXE
PID:3716 -
\??\c:\1dpdv.exec:\1dpdv.exe39⤵
- Executes dropped EXE
PID:4692 -
\??\c:\1rlfrrl.exec:\1rlfrrl.exe40⤵
- Executes dropped EXE
PID:4412 -
\??\c:\htnbbt.exec:\htnbbt.exe41⤵
- Executes dropped EXE
PID:2728 -
\??\c:\dvvpp.exec:\dvvpp.exe42⤵
- Executes dropped EXE
PID:3692 -
\??\c:\fxrrlfx.exec:\fxrrlfx.exe43⤵
- Executes dropped EXE
PID:872 -
\??\c:\7xrlxrf.exec:\7xrlxrf.exe44⤵
- Executes dropped EXE
PID:4876 -
\??\c:\hnhthb.exec:\hnhthb.exe45⤵
- Executes dropped EXE
PID:4448 -
\??\c:\djjdv.exec:\djjdv.exe46⤵
- Executes dropped EXE
PID:1276 -
\??\c:\ffxlfxr.exec:\ffxlfxr.exe47⤵
- Executes dropped EXE
PID:3464 -
\??\c:\htbthb.exec:\htbthb.exe48⤵
- Executes dropped EXE
PID:3092 -
\??\c:\7hbnhh.exec:\7hbnhh.exe49⤵
- Executes dropped EXE
PID:3968 -
\??\c:\vjvjd.exec:\vjvjd.exe50⤵
- Executes dropped EXE
PID:4148 -
\??\c:\rllxlfx.exec:\rllxlfx.exe51⤵
- Executes dropped EXE
PID:1116 -
\??\c:\1bhtnh.exec:\1bhtnh.exe52⤵
- Executes dropped EXE
PID:4744 -
\??\c:\jppjv.exec:\jppjv.exe53⤵
- Executes dropped EXE
PID:3644 -
\??\c:\xffxlff.exec:\xffxlff.exe54⤵
- Executes dropped EXE
PID:1504 -
\??\c:\tnnbbt.exec:\tnnbbt.exe55⤵
- Executes dropped EXE
PID:3880 -
\??\c:\9tnbnn.exec:\9tnbnn.exe56⤵
- Executes dropped EXE
PID:1328 -
\??\c:\5jjvv.exec:\5jjvv.exe57⤵
- Executes dropped EXE
PID:976 -
\??\c:\rfrrxxf.exec:\rfrrxxf.exe58⤵
- Executes dropped EXE
PID:4936 -
\??\c:\1nnhtb.exec:\1nnhtb.exe59⤵
- Executes dropped EXE
PID:220 -
\??\c:\7ddpv.exec:\7ddpv.exe60⤵
- Executes dropped EXE
PID:2180 -
\??\c:\xlfxlrl.exec:\xlfxlrl.exe61⤵
- Executes dropped EXE
PID:828 -
\??\c:\fllfrlf.exec:\fllfrlf.exe62⤵
- Executes dropped EXE
PID:4248 -
\??\c:\tnnhbt.exec:\tnnhbt.exe63⤵
- Executes dropped EXE
PID:1108 -
\??\c:\dpjvd.exec:\dpjvd.exe64⤵
- Executes dropped EXE
PID:4228 -
\??\c:\rrrlxrl.exec:\rrrlxrl.exe65⤵
- Executes dropped EXE
PID:2084 -
\??\c:\lrxrfxl.exec:\lrxrfxl.exe66⤵PID:1232
-
\??\c:\hnhnbn.exec:\hnhnbn.exe67⤵PID:1548
-
\??\c:\3pvpv.exec:\3pvpv.exe68⤵PID:1684
-
\??\c:\7lfrflx.exec:\7lfrflx.exe69⤵PID:1600
-
\??\c:\frxrffr.exec:\frxrffr.exe70⤵PID:2056
-
\??\c:\btbttt.exec:\btbttt.exe71⤵PID:1480
-
\??\c:\vpjdp.exec:\vpjdp.exe72⤵PID:1428
-
\??\c:\rllxrlf.exec:\rllxrlf.exe73⤵PID:2628
-
\??\c:\3bbnhb.exec:\3bbnhb.exe74⤵PID:3548
-
\??\c:\9bnhtt.exec:\9bnhtt.exe75⤵PID:3680
-
\??\c:\djjdv.exec:\djjdv.exe76⤵PID:5024
-
\??\c:\jdvdp.exec:\jdvdp.exe77⤵PID:4860
-
\??\c:\rlfrlfx.exec:\rlfrlfx.exe78⤵PID:4724
-
\??\c:\bnnhbb.exec:\bnnhbb.exe79⤵PID:4752
-
\??\c:\jpvdj.exec:\jpvdj.exe80⤵PID:2964
-
\??\c:\lxxxllr.exec:\lxxxllr.exe81⤵PID:4816
-
\??\c:\hnnhbt.exec:\hnnhbt.exe82⤵PID:4920
-
\??\c:\htbthh.exec:\htbthh.exe83⤵PID:4992
-
\??\c:\jvjdv.exec:\jvjdv.exe84⤵PID:2024
-
\??\c:\xxlflfx.exec:\xxlflfx.exe85⤵PID:2856
-
\??\c:\tnnnbt.exec:\tnnnbt.exe86⤵
- System Location Discovery: System Language Discovery
PID:3632 -
\??\c:\bnbbnt.exec:\bnbbnt.exe87⤵PID:3348
-
\??\c:\pddpj.exec:\pddpj.exe88⤵PID:2440
-
\??\c:\xxfrfxr.exec:\xxfrfxr.exe89⤵PID:3340
-
\??\c:\bhthtn.exec:\bhthtn.exe90⤵PID:4088
-
\??\c:\3nhhtn.exec:\3nhhtn.exe91⤵PID:4720
-
\??\c:\dvjdv.exec:\dvjdv.exe92⤵PID:916
-
\??\c:\xxxrfxr.exec:\xxxrfxr.exe93⤵PID:3528
-
\??\c:\7xrllfx.exec:\7xrllfx.exe94⤵PID:3020
-
\??\c:\bhnhbb.exec:\bhnhbb.exe95⤵PID:3468
-
\??\c:\vvjdj.exec:\vvjdj.exe96⤵PID:4620
-
\??\c:\jpdvj.exec:\jpdvj.exe97⤵PID:536
-
\??\c:\1xfrlff.exec:\1xfrlff.exe98⤵PID:2564
-
\??\c:\hbttnh.exec:\hbttnh.exe99⤵PID:2296
-
\??\c:\7htnhb.exec:\7htnhb.exe100⤵PID:1784
-
\??\c:\vpdvj.exec:\vpdvj.exe101⤵PID:1568
-
\??\c:\xrflrfl.exec:\xrflrfl.exe102⤵PID:4528
-
\??\c:\htnhnh.exec:\htnhnh.exe103⤵PID:948
-
\??\c:\3nnhtn.exec:\3nnhtn.exe104⤵PID:2904
-
\??\c:\dpdvd.exec:\dpdvd.exe105⤵PID:832
-
\??\c:\xlrrllf.exec:\xlrrllf.exe106⤵PID:3092
-
\??\c:\hthbbt.exec:\hthbbt.exe107⤵PID:812
-
\??\c:\jpvpp.exec:\jpvpp.exe108⤵PID:1256
-
\??\c:\jjpdv.exec:\jjpdv.exe109⤵PID:2524
-
\??\c:\xllfxrl.exec:\xllfxrl.exe110⤵PID:4204
-
\??\c:\nhnhhh.exec:\nhnhhh.exe111⤵PID:1952
-
\??\c:\3dvpj.exec:\3dvpj.exe112⤵PID:2996
-
\??\c:\9ppjp.exec:\9ppjp.exe113⤵PID:3916
-
\??\c:\5frfrlx.exec:\5frfrlx.exe114⤵PID:4300
-
\??\c:\hnnbnh.exec:\hnnbnh.exe115⤵PID:1080
-
\??\c:\jdpdd.exec:\jdpdd.exe116⤵PID:2060
-
\??\c:\dvdpj.exec:\dvdpj.exe117⤵PID:3760
-
\??\c:\9rfxflx.exec:\9rfxflx.exe118⤵PID:1496
-
\??\c:\htbnbn.exec:\htbnbn.exe119⤵PID:4980
-
\??\c:\nnnbnh.exec:\nnnbnh.exe120⤵PID:4156
-
\??\c:\ddjvv.exec:\ddjvv.exe121⤵PID:3120
-
\??\c:\xllxrrf.exec:\xllxrrf.exe122⤵PID:728