Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 19:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe
-
Size
454KB
-
MD5
860567e1d47173adfb2ede47bd9ebd36
-
SHA1
8b82b66ec7724c6921b8308793705320508b16c4
-
SHA256
086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783
-
SHA512
9aba77808cad8b9169a0b58583681609f035e125e48203e0cfdc679521917e76ffb1228a04fbce40f58eed6bc5b02fe9c6d3131c148738781680282075f5af84
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4720-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1868-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3252-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-1072-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-1732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2800-1821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1664 vvppj.exe 1384 xlrrrrr.exe 4340 ffxxxxl.exe 1528 bhtthn.exe 1792 9thbnn.exe 228 pjdvj.exe 2180 3thtnh.exe 3992 vvpdv.exe 1584 lxfxrlx.exe 4044 ddppv.exe 4504 bbbnnh.exe 3960 fllffff.exe 1804 bbbnbh.exe 1332 7vvpd.exe 4076 9bbntn.exe 5052 vvddj.exe 696 rxxxrrr.exe 3180 fllfxll.exe 2964 vvjdp.exe 3092 dpvjv.exe 3896 xfrfrlx.exe 4556 vvjpd.exe 2800 vjvjd.exe 4588 jjvpd.exe 5000 btthth.exe 1572 hnnbnh.exe 1868 ntbnhb.exe 4236 rlfxrrl.exe 5024 1jdvp.exe 3316 nththb.exe 772 9djjv.exe 1028 bnnnhb.exe 4080 lllfxlr.exe 4432 xrfxrfx.exe 440 nbbtnb.exe 4648 vdjvd.exe 2752 xllxlfr.exe 4804 7frrflf.exe 1472 hnbnhb.exe 2200 ppvjd.exe 4916 rllfrrl.exe 3248 ttbnnh.exe 2376 7vpjv.exe 4528 vpppp.exe 3528 9rxxrxl.exe 1384 thbhtn.exe 4008 tbbbbt.exe 4696 jvvjd.exe 1528 xfxxxfl.exe 3852 fffxllx.exe 1484 hhtnbt.exe 3656 vjpdp.exe 3652 ffxrffx.exe 2888 9llxllx.exe 4136 nthtnb.exe 2348 dvpjv.exe 976 jppjv.exe 2600 1frxrlf.exe 5100 tnhtnb.exe 3208 btbtnh.exe 4020 7jpdd.exe 2216 1rflfxr.exe 4904 hnbthb.exe 1984 jppjv.exe -
resource yara_rule behavioral2/memory/4720-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1868-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3336-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-669-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4720 wrote to memory of 1664 4720 086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe 83 PID 4720 wrote to memory of 1664 4720 086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe 83 PID 4720 wrote to memory of 1664 4720 086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe 83 PID 1664 wrote to memory of 1384 1664 vvppj.exe 84 PID 1664 wrote to memory of 1384 1664 vvppj.exe 84 PID 1664 wrote to memory of 1384 1664 vvppj.exe 84 PID 1384 wrote to memory of 4340 1384 xlrrrrr.exe 85 PID 1384 wrote to memory of 4340 1384 xlrrrrr.exe 85 PID 1384 wrote to memory of 4340 1384 xlrrrrr.exe 85 PID 4340 wrote to memory of 1528 4340 ffxxxxl.exe 86 PID 4340 wrote to memory of 1528 4340 ffxxxxl.exe 86 PID 4340 wrote to memory of 1528 4340 ffxxxxl.exe 86 PID 1528 wrote to memory of 1792 1528 bhtthn.exe 87 PID 1528 wrote to memory of 1792 1528 bhtthn.exe 87 PID 1528 wrote to memory of 1792 1528 bhtthn.exe 87 PID 1792 wrote to memory of 228 1792 9thbnn.exe 88 PID 1792 wrote to memory of 228 1792 9thbnn.exe 88 PID 1792 wrote to memory of 228 1792 9thbnn.exe 88 PID 228 wrote to memory of 2180 228 pjdvj.exe 89 PID 228 wrote to memory of 2180 228 pjdvj.exe 89 PID 228 wrote to memory of 2180 228 pjdvj.exe 89 PID 2180 wrote to memory of 3992 2180 3thtnh.exe 90 PID 2180 wrote to memory of 3992 2180 3thtnh.exe 90 PID 2180 wrote to memory of 3992 2180 3thtnh.exe 90 PID 3992 wrote to memory of 1584 3992 vvpdv.exe 91 PID 3992 wrote to memory of 1584 3992 vvpdv.exe 91 PID 3992 wrote to memory of 1584 3992 vvpdv.exe 91 PID 1584 wrote to memory of 4044 1584 lxfxrlx.exe 92 PID 1584 wrote to memory of 4044 1584 lxfxrlx.exe 92 PID 1584 wrote to memory of 4044 1584 lxfxrlx.exe 92 PID 4044 wrote to memory of 4504 4044 ddppv.exe 93 PID 4044 wrote to memory of 4504 4044 ddppv.exe 93 PID 4044 wrote to memory of 4504 4044 ddppv.exe 93 PID 4504 wrote to memory of 3960 4504 bbbnnh.exe 94 PID 4504 wrote to memory of 
3960 4504 bbbnnh.exe 94 PID 4504 wrote to memory of 3960 4504 bbbnnh.exe 94 PID 3960 wrote to memory of 1804 3960 fllffff.exe 95 PID 3960 wrote to memory of 1804 3960 fllffff.exe 95 PID 3960 wrote to memory of 1804 3960 fllffff.exe 95 PID 1804 wrote to memory of 1332 1804 bbbnbh.exe 96 PID 1804 wrote to memory of 1332 1804 bbbnbh.exe 96 PID 1804 wrote to memory of 1332 1804 bbbnbh.exe 96 PID 1332 wrote to memory of 4076 1332 7vvpd.exe 97 PID 1332 wrote to memory of 4076 1332 7vvpd.exe 97 PID 1332 wrote to memory of 4076 1332 7vvpd.exe 97 PID 4076 wrote to memory of 5052 4076 9bbntn.exe 98 PID 4076 wrote to memory of 5052 4076 9bbntn.exe 98 PID 4076 wrote to memory of 5052 4076 9bbntn.exe 98 PID 5052 wrote to memory of 696 5052 vvddj.exe 99 PID 5052 wrote to memory of 696 5052 vvddj.exe 99 PID 5052 wrote to memory of 696 5052 vvddj.exe 99 PID 696 wrote to memory of 3180 696 rxxxrrr.exe 100 PID 696 wrote to memory of 3180 696 rxxxrrr.exe 100 PID 696 wrote to memory of 3180 696 rxxxrrr.exe 100 PID 3180 wrote to memory of 2964 3180 fllfxll.exe 101 PID 3180 wrote to memory of 2964 3180 fllfxll.exe 101 PID 3180 wrote to memory of 2964 3180 fllfxll.exe 101 PID 2964 wrote to memory of 3092 2964 vvjdp.exe 102 PID 2964 wrote to memory of 3092 2964 vvjdp.exe 102 PID 2964 wrote to memory of 3092 2964 vvjdp.exe 102 PID 3092 wrote to memory of 3896 3092 dpvjv.exe 103 PID 3092 wrote to memory of 3896 3092 dpvjv.exe 103 PID 3092 wrote to memory of 3896 3092 dpvjv.exe 103 PID 3896 wrote to memory of 4556 3896 xfrfrlx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe"C:\Users\Admin\AppData\Local\Temp\086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\vvppj.exec:\vvppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\ffxxxxl.exec:\ffxxxxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\bhtthn.exec:\bhtthn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\9thbnn.exec:\9thbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\pjdvj.exec:\pjdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\3thtnh.exec:\3thtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\vvpdv.exec:\vvpdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\lxfxrlx.exec:\lxfxrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\ddppv.exec:\ddppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\bbbnnh.exec:\bbbnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\fllffff.exec:\fllffff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\bbbnbh.exec:\bbbnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\7vvpd.exec:\7vvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\9bbntn.exec:\9bbntn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\vvddj.exec:\vvddj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\rxxxrrr.exec:\rxxxrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\fllfxll.exec:\fllfxll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\vvjdp.exec:\vvjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\dpvjv.exec:\dpvjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\xfrfrlx.exec:\xfrfrlx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\vvjpd.exec:\vvjpd.exe23⤵
- Executes dropped EXE
PID:4556 -
\??\c:\vjvjd.exec:\vjvjd.exe24⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jjvpd.exec:\jjvpd.exe25⤵
- Executes dropped EXE
PID:4588 -
\??\c:\btthth.exec:\btthth.exe26⤵
- Executes dropped EXE
PID:5000 -
\??\c:\hnnbnh.exec:\hnnbnh.exe27⤵
- Executes dropped EXE
PID:1572 -
\??\c:\ntbnhb.exec:\ntbnhb.exe28⤵
- Executes dropped EXE
PID:1868 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe29⤵
- Executes dropped EXE
PID:4236 -
\??\c:\1jdvp.exec:\1jdvp.exe30⤵
- Executes dropped EXE
PID:5024 -
\??\c:\nththb.exec:\nththb.exe31⤵
- Executes dropped EXE
PID:3316 -
\??\c:\9djjv.exec:\9djjv.exe32⤵
- Executes dropped EXE
PID:772 -
\??\c:\bnnnhb.exec:\bnnnhb.exe33⤵
- Executes dropped EXE
PID:1028 -
\??\c:\lllfxlr.exec:\lllfxlr.exe34⤵
- Executes dropped EXE
PID:4080 -
\??\c:\xrfxrfx.exec:\xrfxrfx.exe35⤵
- Executes dropped EXE
PID:4432 -
\??\c:\nbbtnb.exec:\nbbtnb.exe36⤵
- Executes dropped EXE
PID:440 -
\??\c:\vdjvd.exec:\vdjvd.exe37⤵
- Executes dropped EXE
PID:4648 -
\??\c:\xllxlfr.exec:\xllxlfr.exe38⤵
- Executes dropped EXE
PID:2752 -
\??\c:\7frrflf.exec:\7frrflf.exe39⤵
- Executes dropped EXE
PID:4804 -
\??\c:\hnbnhb.exec:\hnbnhb.exe40⤵
- Executes dropped EXE
PID:1472 -
\??\c:\ppvjd.exec:\ppvjd.exe41⤵
- Executes dropped EXE
PID:2200 -
\??\c:\rllfrrl.exec:\rllfrrl.exe42⤵
- Executes dropped EXE
PID:4916 -
\??\c:\ttbnnh.exec:\ttbnnh.exe43⤵
- Executes dropped EXE
PID:3248 -
\??\c:\7vpjv.exec:\7vpjv.exe44⤵
- Executes dropped EXE
PID:2376 -
\??\c:\vpppp.exec:\vpppp.exe45⤵
- Executes dropped EXE
PID:4528 -
\??\c:\9rxxrxl.exec:\9rxxrxl.exe46⤵
- Executes dropped EXE
PID:3528 -
\??\c:\thbhtn.exec:\thbhtn.exe47⤵
- Executes dropped EXE
PID:1384 -
\??\c:\tbbbbt.exec:\tbbbbt.exe48⤵
- Executes dropped EXE
PID:4008 -
\??\c:\jvvjd.exec:\jvvjd.exe49⤵
- Executes dropped EXE
PID:4696 -
\??\c:\xfxxxfl.exec:\xfxxxfl.exe50⤵
- Executes dropped EXE
PID:1528 -
\??\c:\fffxllx.exec:\fffxllx.exe51⤵
- Executes dropped EXE
PID:3852 -
\??\c:\hhtnbt.exec:\hhtnbt.exe52⤵
- Executes dropped EXE
PID:1484 -
\??\c:\vjpdp.exec:\vjpdp.exe53⤵
- Executes dropped EXE
PID:3656 -
\??\c:\ffxrffx.exec:\ffxrffx.exe54⤵
- Executes dropped EXE
PID:3652 -
\??\c:\9llxllx.exec:\9llxllx.exe55⤵
- Executes dropped EXE
PID:2888 -
\??\c:\nthtnb.exec:\nthtnb.exe56⤵
- Executes dropped EXE
PID:4136 -
\??\c:\dvpjv.exec:\dvpjv.exe57⤵
- Executes dropped EXE
PID:2348 -
\??\c:\jppjv.exec:\jppjv.exe58⤵
- Executes dropped EXE
PID:976 -
\??\c:\1frxrlf.exec:\1frxrlf.exe59⤵
- Executes dropped EXE
PID:2600 -
\??\c:\tnhtnb.exec:\tnhtnb.exe60⤵
- Executes dropped EXE
PID:5100 -
\??\c:\btbtnh.exec:\btbtnh.exe61⤵
- Executes dropped EXE
PID:3208 -
\??\c:\7jpdd.exec:\7jpdd.exe62⤵
- Executes dropped EXE
PID:4020 -
\??\c:\1rflfxr.exec:\1rflfxr.exe63⤵
- Executes dropped EXE
PID:2216 -
\??\c:\hnbthb.exec:\hnbthb.exe64⤵
- Executes dropped EXE
PID:4904 -
\??\c:\jppjv.exec:\jppjv.exe65⤵
- Executes dropped EXE
PID:1984 -
\??\c:\7rrlxxl.exec:\7rrlxxl.exe66⤵PID:4428
-
\??\c:\nhbbtt.exec:\nhbbtt.exe67⤵PID:2740
-
\??\c:\jjvvp.exec:\jjvvp.exe68⤵PID:4952
-
\??\c:\flfxlfx.exec:\flfxlfx.exe69⤵PID:3712
-
\??\c:\tnnnhh.exec:\tnnnhh.exe70⤵PID:3252
-
\??\c:\9hbtnn.exec:\9hbtnn.exe71⤵PID:5064
-
\??\c:\1pppj.exec:\1pppj.exe72⤵PID:3296
-
\??\c:\1llxfxx.exec:\1llxfxx.exe73⤵PID:3228
-
\??\c:\nbbthb.exec:\nbbthb.exe74⤵PID:1692
-
\??\c:\pvdvp.exec:\pvdvp.exe75⤵PID:552
-
\??\c:\pdpdv.exec:\pdpdv.exe76⤵PID:4704
-
\??\c:\rlrfxrx.exec:\rlrfxrx.exe77⤵PID:412
-
\??\c:\ttttnn.exec:\ttttnn.exe78⤵PID:2260
-
\??\c:\vppjj.exec:\vppjj.exe79⤵PID:2684
-
\??\c:\1rlffxl.exec:\1rlffxl.exe80⤵PID:3484
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe81⤵PID:1016
-
\??\c:\1nnnnt.exec:\1nnnnt.exe82⤵PID:3400
-
\??\c:\vvppj.exec:\vvppj.exe83⤵PID:1356
-
\??\c:\lfrrfll.exec:\lfrrfll.exe84⤵PID:3464
-
\??\c:\tthhnn.exec:\tthhnn.exe85⤵PID:1368
-
\??\c:\dddjv.exec:\dddjv.exe86⤵PID:4880
-
\??\c:\fxfllrr.exec:\fxfllrr.exe87⤵PID:5024
-
\??\c:\bhbbtt.exec:\bhbbtt.exe88⤵PID:2160
-
\??\c:\7dpjd.exec:\7dpjd.exe89⤵PID:3336
-
\??\c:\ddjdp.exec:\ddjdp.exe90⤵PID:1044
-
\??\c:\9rlfxfx.exec:\9rlfxfx.exe91⤵PID:3760
-
\??\c:\nhhbbt.exec:\nhhbbt.exe92⤵PID:408
-
\??\c:\dvjvd.exec:\dvjvd.exe93⤵PID:2780
-
\??\c:\3vddv.exec:\3vddv.exe94⤵PID:4432
-
\??\c:\rlrffxx.exec:\rlrffxx.exe95⤵PID:440
-
\??\c:\tbbbtt.exec:\tbbbtt.exe96⤵PID:1544
-
\??\c:\jddvj.exec:\jddvj.exe97⤵PID:3592
-
\??\c:\3jjvp.exec:\3jjvp.exe98⤵PID:4804
-
\??\c:\lxfxxll.exec:\lxfxxll.exe99⤵PID:5096
-
\??\c:\hbhhbh.exec:\hbhhbh.exe100⤵PID:4100
-
\??\c:\djjpd.exec:\djjpd.exe101⤵PID:540
-
\??\c:\jppjv.exec:\jppjv.exe102⤵PID:4720
-
\??\c:\rxlrlrl.exec:\rxlrlrl.exe103⤵PID:4572
-
\??\c:\hthbnh.exec:\hthbnh.exe104⤵PID:3932
-
\??\c:\jvvpj.exec:\jvvpj.exe105⤵PID:4000
-
\??\c:\fxxxxxl.exec:\fxxxxxl.exe106⤵PID:3264
-
\??\c:\9llflrl.exec:\9llflrl.exe107⤵PID:388
-
\??\c:\3ntnhh.exec:\3ntnhh.exe108⤵PID:3080
-
\??\c:\jjpjp.exec:\jjpjp.exe109⤵PID:3648
-
\??\c:\3dvpd.exec:\3dvpd.exe110⤵PID:4496
-
\??\c:\9xrrfrr.exec:\9xrrfrr.exe111⤵PID:4420
-
\??\c:\bbbbtt.exec:\bbbbtt.exe112⤵PID:228
-
\??\c:\pdvjj.exec:\pdvjj.exe113⤵PID:2180
-
\??\c:\jvvvp.exec:\jvvvp.exe114⤵PID:3856
-
\??\c:\fxlxrrx.exec:\fxlxrrx.exe115⤵PID:1340
-
\??\c:\bbbbnn.exec:\bbbbnn.exe116⤵PID:4524
-
\??\c:\jpdvp.exec:\jpdvp.exe117⤵PID:1552
-
\??\c:\3xxxrrl.exec:\3xxxrrl.exe118⤵PID:4912
-
\??\c:\thhbtt.exec:\thhbtt.exe119⤵PID:3964
-
\??\c:\tbbttn.exec:\tbbttn.exe120⤵PID:5028
-
\??\c:\ddpjp.exec:\ddpjp.exe121⤵PID:2328
-
\??\c:\fflllll.exec:\fflllll.exe122⤵PID:4504
-