Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 19:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe
-
Size
456KB
-
MD5
443052e9800f0d61d60aabbb01a4ea5d
-
SHA1
d1507fdaa9daaf8610623bcc0807908f3cb6777f
-
SHA256
0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a
-
SHA512
38a918615a30154265eb75cadee19c197c9c871ffa103da4523b91d0e051bb4148c584f07f44f3b5299f3ef4129c1866975c140934bd48167e334c375fcdf990
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRc:q7Tc2NYHUrAwfMp3CDRc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2608-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1856-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5084-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-1239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-1361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-1413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/648-1418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4404 rxxxxxl.exe 4760 bbbbth.exe 2284 xfrlrxl.exe 4904 jvddd.exe 4960 lxxrlll.exe 5036 bbnhhh.exe 2292 pvdvp.exe 4984 rfrfrlr.exe 4804 htttnn.exe 2860 7dppj.exe 4296 pjddd.exe 4672 flrxrrl.exe 2404 vdpdp.exe 3084 pppdv.exe 404 xfxrrrx.exe 2056 ttnhbb.exe 3076 tnttnn.exe 2924 vpvpv.exe 1628 3xxrllx.exe 1640 9vddv.exe 2992 rlrllrr.exe 4916 lrxrlll.exe 1088 bntnhh.exe 4704 vjpjj.exe 4100 7ddvj.exe 2664 9lfxrrl.exe 3808 thnhbb.exe 2980 thnhbb.exe 1504 vppjd.exe 4772 rxrlllf.exe 3580 rflffxr.exe 1672 hbhnhh.exe 4764 jddjd.exe 2172 jvdvp.exe 4452 frrlfxr.exe 4532 btthtb.exe 876 thnhbt.exe 3856 vdvjv.exe 4252 xrrfxrl.exe 4720 xlrfxxr.exe 720 bnnnnn.exe 752 djpdv.exe 1232 vjjdp.exe 3488 9xfrllf.exe 816 nthbtn.exe 1532 thhbtt.exe 2368 jpvpd.exe 1480 5xlfllx.exe 1856 hnttht.exe 1208 jvpjj.exe 4424 xrxxffx.exe 1084 tbhbnn.exe 2212 tntnnh.exe 4528 dpvvj.exe 5068 xfllffr.exe 3648 bbnntt.exe 3048 rxfrrrr.exe 1860 nbhbbh.exe 232 vdjjv.exe 220 frfxllf.exe 460 5tbbtn.exe 5036 ddvvp.exe 1900 lffxrlf.exe 4156 hnthbb.exe -
resource yara_rule behavioral2/memory/2608-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-200-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2172-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2760-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-1049-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-1361-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxrxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlffff.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2608 wrote to memory of 4404 2608 0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe 82 PID 2608 wrote to memory of 4404 2608 0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe 82 PID 2608 wrote to memory of 4404 2608 0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe 82 PID 4404 wrote to memory of 4760 4404 rxxxxxl.exe 83 PID 4404 wrote to memory of 4760 4404 rxxxxxl.exe 83 PID 4404 wrote to memory of 4760 4404 rxxxxxl.exe 83 PID 4760 wrote to memory of 2284 4760 bbbbth.exe 84 PID 4760 wrote to memory of 2284 4760 bbbbth.exe 84 PID 4760 wrote to memory of 2284 4760 bbbbth.exe 84 PID 2284 wrote to memory of 4904 2284 xfrlrxl.exe 85 PID 2284 wrote to memory of 4904 2284 xfrlrxl.exe 85 PID 2284 wrote to memory of 4904 2284 xfrlrxl.exe 85 PID 4904 wrote to memory of 4960 4904 jvddd.exe 86 PID 4904 wrote to memory of 4960 4904 jvddd.exe 86 PID 4904 wrote to memory of 4960 4904 jvddd.exe 86 PID 4960 wrote to memory of 5036 4960 lxxrlll.exe 87 PID 4960 wrote to memory of 5036 4960 lxxrlll.exe 87 PID 4960 wrote to memory of 5036 4960 lxxrlll.exe 87 PID 5036 wrote to memory of 2292 5036 bbnhhh.exe 88 PID 5036 wrote to memory of 2292 5036 bbnhhh.exe 88 PID 5036 wrote to memory of 2292 5036 bbnhhh.exe 88 PID 2292 wrote to memory of 4984 2292 pvdvp.exe 89 PID 2292 wrote to memory of 4984 2292 pvdvp.exe 89 PID 2292 wrote to memory of 4984 2292 pvdvp.exe 89 PID 4984 wrote to memory of 4804 4984 rfrfrlr.exe 90 PID 4984 wrote to memory of 4804 4984 rfrfrlr.exe 90 PID 4984 wrote to memory of 4804 4984 rfrfrlr.exe 90 PID 4804 wrote to memory of 2860 4804 htttnn.exe 91 PID 4804 wrote to memory of 2860 4804 htttnn.exe 91 PID 4804 wrote to memory of 2860 4804 htttnn.exe 91 PID 2860 wrote to memory of 4296 2860 7dppj.exe 92 PID 2860 wrote to memory of 4296 2860 7dppj.exe 92 PID 2860 wrote to memory of 4296 2860 7dppj.exe 92 PID 4296 wrote to memory of 4672 4296 pjddd.exe 93 PID 4296 wrote to 
memory of 4672 4296 pjddd.exe 93 PID 4296 wrote to memory of 4672 4296 pjddd.exe 93 PID 4672 wrote to memory of 2404 4672 flrxrrl.exe 94 PID 4672 wrote to memory of 2404 4672 flrxrrl.exe 94 PID 4672 wrote to memory of 2404 4672 flrxrrl.exe 94 PID 2404 wrote to memory of 3084 2404 vdpdp.exe 95 PID 2404 wrote to memory of 3084 2404 vdpdp.exe 95 PID 2404 wrote to memory of 3084 2404 vdpdp.exe 95 PID 3084 wrote to memory of 404 3084 pppdv.exe 96 PID 3084 wrote to memory of 404 3084 pppdv.exe 96 PID 3084 wrote to memory of 404 3084 pppdv.exe 96 PID 404 wrote to memory of 2056 404 xfxrrrx.exe 97 PID 404 wrote to memory of 2056 404 xfxrrrx.exe 97 PID 404 wrote to memory of 2056 404 xfxrrrx.exe 97 PID 2056 wrote to memory of 3076 2056 ttnhbb.exe 98 PID 2056 wrote to memory of 3076 2056 ttnhbb.exe 98 PID 2056 wrote to memory of 3076 2056 ttnhbb.exe 98 PID 3076 wrote to memory of 2924 3076 tnttnn.exe 99 PID 3076 wrote to memory of 2924 3076 tnttnn.exe 99 PID 3076 wrote to memory of 2924 3076 tnttnn.exe 99 PID 2924 wrote to memory of 1628 2924 vpvpv.exe 100 PID 2924 wrote to memory of 1628 2924 vpvpv.exe 100 PID 2924 wrote to memory of 1628 2924 vpvpv.exe 100 PID 1628 wrote to memory of 1640 1628 3xxrllx.exe 101 PID 1628 wrote to memory of 1640 1628 3xxrllx.exe 101 PID 1628 wrote to memory of 1640 1628 3xxrllx.exe 101 PID 1640 wrote to memory of 2992 1640 9vddv.exe 102 PID 1640 wrote to memory of 2992 1640 9vddv.exe 102 PID 1640 wrote to memory of 2992 1640 9vddv.exe 102 PID 2992 wrote to memory of 4916 2992 rlrllrr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe"C:\Users\Admin\AppData\Local\Temp\0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\rxxxxxl.exec:\rxxxxxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\bbbbth.exec:\bbbbth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\xfrlrxl.exec:\xfrlrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\jvddd.exec:\jvddd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\lxxrlll.exec:\lxxrlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\bbnhhh.exec:\bbnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\pvdvp.exec:\pvdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\rfrfrlr.exec:\rfrfrlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\htttnn.exec:\htttnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\7dppj.exec:\7dppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\pjddd.exec:\pjddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\flrxrrl.exec:\flrxrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\vdpdp.exec:\vdpdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\pppdv.exec:\pppdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\xfxrrrx.exec:\xfxrrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\ttnhbb.exec:\ttnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\tnttnn.exec:\tnttnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\vpvpv.exec:\vpvpv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\3xxrllx.exec:\3xxrllx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\9vddv.exec:\9vddv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\rlrllrr.exec:\rlrllrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\lrxrlll.exec:\lrxrlll.exe23⤵
- Executes dropped EXE
PID:4916 -
\??\c:\bntnhh.exec:\bntnhh.exe24⤵
- Executes dropped EXE
PID:1088 -
\??\c:\vjpjj.exec:\vjpjj.exe25⤵
- Executes dropped EXE
PID:4704 -
\??\c:\7ddvj.exec:\7ddvj.exe26⤵
- Executes dropped EXE
PID:4100 -
\??\c:\9lfxrrl.exec:\9lfxrrl.exe27⤵
- Executes dropped EXE
PID:2664 -
\??\c:\thnhbb.exec:\thnhbb.exe28⤵
- Executes dropped EXE
PID:3808 -
\??\c:\thnhbb.exec:\thnhbb.exe29⤵
- Executes dropped EXE
PID:2980 -
\??\c:\vppjd.exec:\vppjd.exe30⤵
- Executes dropped EXE
PID:1504 -
\??\c:\rxrlllf.exec:\rxrlllf.exe31⤵
- Executes dropped EXE
PID:4772 -
\??\c:\rflffxr.exec:\rflffxr.exe32⤵
- Executes dropped EXE
PID:3580 -
\??\c:\hbhnhh.exec:\hbhnhh.exe33⤵
- Executes dropped EXE
PID:1672 -
\??\c:\jddjd.exec:\jddjd.exe34⤵
- Executes dropped EXE
PID:4764 -
\??\c:\jvdvp.exec:\jvdvp.exe35⤵
- Executes dropped EXE
PID:2172 -
\??\c:\frrlfxr.exec:\frrlfxr.exe36⤵
- Executes dropped EXE
PID:4452 -
\??\c:\btthtb.exec:\btthtb.exe37⤵
- Executes dropped EXE
PID:4532 -
\??\c:\thnhbt.exec:\thnhbt.exe38⤵
- Executes dropped EXE
PID:876 -
\??\c:\vdvjv.exec:\vdvjv.exe39⤵
- Executes dropped EXE
PID:3856 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe40⤵
- Executes dropped EXE
PID:4252 -
\??\c:\xlrfxxr.exec:\xlrfxxr.exe41⤵
- Executes dropped EXE
PID:4720 -
\??\c:\bnnnnn.exec:\bnnnnn.exe42⤵
- Executes dropped EXE
PID:720 -
\??\c:\djpdv.exec:\djpdv.exe43⤵
- Executes dropped EXE
PID:752 -
\??\c:\vjjdp.exec:\vjjdp.exe44⤵
- Executes dropped EXE
PID:1232 -
\??\c:\9xfrllf.exec:\9xfrllf.exe45⤵
- Executes dropped EXE
PID:3488 -
\??\c:\nthbtn.exec:\nthbtn.exe46⤵
- Executes dropped EXE
PID:816 -
\??\c:\thhbtt.exec:\thhbtt.exe47⤵
- Executes dropped EXE
PID:1532 -
\??\c:\jpvpd.exec:\jpvpd.exe48⤵
- Executes dropped EXE
PID:2368 -
\??\c:\5xlfllx.exec:\5xlfllx.exe49⤵
- Executes dropped EXE
PID:1480 -
\??\c:\hnttht.exec:\hnttht.exe50⤵
- Executes dropped EXE
PID:1856 -
\??\c:\jvpjj.exec:\jvpjj.exe51⤵
- Executes dropped EXE
PID:1208 -
\??\c:\xrxxffx.exec:\xrxxffx.exe52⤵
- Executes dropped EXE
PID:4424 -
\??\c:\tbhbnn.exec:\tbhbnn.exe53⤵
- Executes dropped EXE
PID:1084 -
\??\c:\tntnnh.exec:\tntnnh.exe54⤵
- Executes dropped EXE
PID:2212 -
\??\c:\dpvvj.exec:\dpvvj.exe55⤵
- Executes dropped EXE
PID:4528 -
\??\c:\xfllffr.exec:\xfllffr.exe56⤵
- Executes dropped EXE
PID:5068 -
\??\c:\bbnntt.exec:\bbnntt.exe57⤵
- Executes dropped EXE
PID:3648 -
\??\c:\rxfrrrr.exec:\rxfrrrr.exe58⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nbhbbh.exec:\nbhbbh.exe59⤵
- Executes dropped EXE
PID:1860 -
\??\c:\vdjjv.exec:\vdjjv.exe60⤵
- Executes dropped EXE
PID:232 -
\??\c:\frfxllf.exec:\frfxllf.exe61⤵
- Executes dropped EXE
PID:220 -
\??\c:\5tbbtn.exec:\5tbbtn.exe62⤵
- Executes dropped EXE
PID:460 -
\??\c:\ddvvp.exec:\ddvvp.exe63⤵
- Executes dropped EXE
PID:5036 -
\??\c:\lffxrlf.exec:\lffxrlf.exe64⤵
- Executes dropped EXE
PID:1900 -
\??\c:\hnthbb.exec:\hnthbb.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4156 -
\??\c:\httnbt.exec:\httnbt.exe66⤵PID:3616
-
\??\c:\jvvpp.exec:\jvvpp.exe67⤵PID:5084
-
\??\c:\bbnhnt.exec:\bbnhnt.exe68⤵PID:408
-
\??\c:\ppvpp.exec:\ppvpp.exe69⤵PID:4296
-
\??\c:\rxlfrxr.exec:\rxlfrxr.exe70⤵PID:4712
-
\??\c:\bnnntt.exec:\bnnntt.exe71⤵PID:4064
-
\??\c:\jpvpj.exec:\jpvpj.exe72⤵PID:3868
-
\??\c:\fxffxfx.exec:\fxffxfx.exe73⤵PID:3144
-
\??\c:\bbhbnh.exec:\bbhbnh.exe74⤵PID:4556
-
\??\c:\jvdvv.exec:\jvdvv.exe75⤵PID:2412
-
\??\c:\fxffxxx.exec:\fxffxxx.exe76⤵PID:4488
-
\??\c:\tbbbbt.exec:\tbbbbt.exe77⤵PID:2528
-
\??\c:\pjvpj.exec:\pjvpj.exe78⤵PID:1628
-
\??\c:\xxffffx.exec:\xxffffx.exe79⤵PID:1640
-
\??\c:\btnbtb.exec:\btnbtb.exe80⤵PID:2992
-
\??\c:\vdvpp.exec:\vdvpp.exe81⤵PID:2408
-
\??\c:\fffxlxl.exec:\fffxlxl.exe82⤵PID:916
-
\??\c:\hnthht.exec:\hnthht.exe83⤵PID:2880
-
\??\c:\vpvvv.exec:\vpvvv.exe84⤵PID:3428
-
\??\c:\7htnnn.exec:\7htnnn.exe85⤵PID:868
-
\??\c:\vjvpp.exec:\vjvpp.exe86⤵PID:2700
-
\??\c:\lxfxxxx.exec:\lxfxxxx.exe87⤵PID:2760
-
\??\c:\nnhbhh.exec:\nnhbhh.exe88⤵PID:1504
-
\??\c:\vdpjj.exec:\vdpjj.exe89⤵PID:3924
-
\??\c:\lxffxxx.exec:\lxffxxx.exe90⤵PID:4468
-
\??\c:\dvdvd.exec:\dvdvd.exe91⤵PID:3300
-
\??\c:\1bnhbb.exec:\1bnhbb.exe92⤵PID:4764
-
\??\c:\jpppj.exec:\jpppj.exe93⤵PID:1108
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe94⤵PID:4944
-
\??\c:\9nbbbt.exec:\9nbbbt.exe95⤵PID:3244
-
\??\c:\jddvv.exec:\jddvv.exe96⤵PID:3856
-
\??\c:\5fxrlfx.exec:\5fxrlfx.exe97⤵PID:4252
-
\??\c:\5bhbhh.exec:\5bhbhh.exe98⤵PID:4720
-
\??\c:\jpvpj.exec:\jpvpj.exe99⤵PID:1508
-
\??\c:\9rlfrrx.exec:\9rlfrrx.exe100⤵PID:1316
-
\??\c:\hbbhhb.exec:\hbbhhb.exe101⤵PID:3304
-
\??\c:\dvdvp.exec:\dvdvp.exe102⤵PID:4236
-
\??\c:\rlrrflx.exec:\rlrrflx.exe103⤵PID:532
-
\??\c:\thnhtt.exec:\thnhtt.exe104⤵PID:3528
-
\??\c:\dppjd.exec:\dppjd.exe105⤵PID:4696
-
\??\c:\xllxrll.exec:\xllxrll.exe106⤵PID:4936
-
\??\c:\3nhbtn.exec:\3nhbtn.exe107⤵PID:1140
-
\??\c:\hnbntb.exec:\hnbntb.exe108⤵PID:1176
-
\??\c:\djpjd.exec:\djpjd.exe109⤵PID:4636
-
\??\c:\tttnhh.exec:\tttnhh.exe110⤵PID:2904
-
\??\c:\vdjdd.exec:\vdjdd.exe111⤵PID:4768
-
\??\c:\lxfrfxx.exec:\lxfrfxx.exe112⤵PID:4000
-
\??\c:\3bbbbb.exec:\3bbbbb.exe113⤵PID:4328
-
\??\c:\hnnhbb.exec:\hnnhbb.exe114⤵PID:2608
-
\??\c:\jvjpd.exec:\jvjpd.exe115⤵PID:4332
-
\??\c:\3lflxxf.exec:\3lflxxf.exe116⤵PID:3640
-
\??\c:\1rxxffr.exec:\1rxxffr.exe117⤵PID:4528
-
\??\c:\nhhbnn.exec:\nhhbnn.exe118⤵PID:3940
-
\??\c:\jddvv.exec:\jddvv.exe119⤵PID:3536
-
\??\c:\pjpjd.exec:\pjpjd.exe120⤵PID:1960
-
\??\c:\fxfrlfx.exec:\fxfrlfx.exe121⤵PID:3048
-
\??\c:\nhhtnn.exec:\nhhtnn.exe122⤵PID:4392