Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
27/01/2025, 15:11
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe
-
Size
454KB
-
MD5
91b83f548e6ff4e1aafa1da5ec7ea0f7
-
SHA1
2dad9079c4200d8a47abeabf148ba9486b4ced37
-
SHA256
ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479
-
SHA512
9fe3a8b586bcc65d2a6dd3305090f38fcb4faeba0263f41e5f8e69de76fe4c6ccace3e9880b031ba9c6f673b5273146e37de19c355299e29368257837fd7bd61
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload — 64 IoCs. Every hit below is on a memory dump of the same image range (0x00400000–0x0042A000) in each dropped child, i.e. the rule is matching the unpacked payload in memory rather than the file on disk. Since the identical regions also hit the UPX rule further down, the packed on-disk sample may not match this rule at all — scan memory dumps / unpacked images, not only files, when hunting with it.
resource yara_rule behavioral2/memory/3796-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5000-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/384-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-920-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-1135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4956-1229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list appears capped at 64; the process tree below continues to depth 122). Note that PIDs are reused within this single run (e.g. 3968 appears as both hnnbtt.exe and tbnhbt.exe, 4912 as both 9xrlxlf.exe and hbnbtn.exe, 2680 as both vdpjv.exe and hhnhtn.exe), so correlate on PID plus process name / creation time, never on PID alone.
pid Process 4388 lffxrrl.exe 3968 hnnbtt.exe 4132 jjpjv.exe 384 xfxlllf.exe 2764 5lxlffx.exe 2436 hhhbhh.exe 1932 jjjvp.exe 2680 vdpjv.exe 3320 7rlxrlx.exe 1804 hbbtnn.exe 2164 3hhbht.exe 440 vjpdd.exe 4912 9xrlxlf.exe 3220 lrlfxlf.exe 768 nthbtt.exe 3280 7jppp.exe 1920 dddvp.exe 2292 7lrxrrl.exe 2220 xrxlfxr.exe 1540 bbhbtt.exe 2544 jjpjj.exe 1852 jjjdv.exe 1444 xrffllr.exe 1232 tntnnn.exe 3192 nbhbtt.exe 4040 1jpdj.exe 4292 lrfrffx.exe 3164 lxlfrrx.exe 2228 bhthhb.exe 1492 dvdjd.exe 4384 pppvp.exe 5000 llxrxrx.exe 2844 tnbtnh.exe 3040 nhtnbb.exe 680 3pdvp.exe 1456 pdjdv.exe 4772 1ffxrrl.exe 1212 hnntnn.exe 3176 ntnhtt.exe 4252 pdjdd.exe 2252 3xrlffx.exe 1400 xlrrlfx.exe 4276 nhtbhh.exe 1060 ppdvp.exe 2012 dvdvp.exe 2796 9rfxlrl.exe 2024 xlxrrrr.exe 3620 hntnhh.exe 2484 jpdvp.exe 412 vpdvp.exe 1376 rxxrlll.exe 2216 7lxrrrr.exe 2508 nhhbth.exe 4128 jppjd.exe 4472 rlrfxxx.exe 3968 tbnhbt.exe 2004 bbnhhh.exe 880 jvppp.exe 4696 rrfxlll.exe 552 thtnhb.exe 1296 7hntnn.exe 3540 vpdvp.exe 2976 vdjdv.exe 3352 xxxrlll.exe -
UPX packed file (yara rule upx) 64 IoCs
resource yara_rule behavioral2/memory/4388-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-176-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2228-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5100-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-900-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-920-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The IoC recorded here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables. On its own this is a weak indicator — the same key is also touched by benign locale lookups — so treat it as supporting context for the Blackmoon/UPX hits rather than as a standalone detection. Many rows are attributed to "Process not Found", which most likely means the short-lived child had already exited before the sandbox could resolve its PID to a process name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxllrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (truncated at 64). Each parent writes three times into the child it has just launched, and the targets line up exactly with the parent→child spawn chain in the process tree below, so these events appear to reflect the process-creation chain itself rather than injection into an unrelated process. Note the procid_target for PID 3968 is 139 while its neighbours are 83–86, consistent with PID 3968 being reused later in the run; resolve write targets by process name and start time, not by PID.
description pid Process procid_target PID 3796 wrote to memory of 4388 3796 ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe 83 PID 3796 wrote to memory of 4388 3796 ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe 83 PID 3796 wrote to memory of 4388 3796 ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe 83 PID 4388 wrote to memory of 3968 4388 lffxrrl.exe 139 PID 4388 wrote to memory of 3968 4388 lffxrrl.exe 139 PID 4388 wrote to memory of 3968 4388 lffxrrl.exe 139 PID 3968 wrote to memory of 4132 3968 hnnbtt.exe 85 PID 3968 wrote to memory of 4132 3968 hnnbtt.exe 85 PID 3968 wrote to memory of 4132 3968 hnnbtt.exe 85 PID 4132 wrote to memory of 384 4132 jjpjv.exe 86 PID 4132 wrote to memory of 384 4132 jjpjv.exe 86 PID 4132 wrote to memory of 384 4132 jjpjv.exe 86 PID 384 wrote to memory of 2764 384 xfxlllf.exe 87 PID 384 wrote to memory of 2764 384 xfxlllf.exe 87 PID 384 wrote to memory of 2764 384 xfxlllf.exe 87 PID 2764 wrote to memory of 2436 2764 5lxlffx.exe 88 PID 2764 wrote to memory of 2436 2764 5lxlffx.exe 88 PID 2764 wrote to memory of 2436 2764 5lxlffx.exe 88 PID 2436 wrote to memory of 1932 2436 hhhbhh.exe 89 PID 2436 wrote to memory of 1932 2436 hhhbhh.exe 89 PID 2436 wrote to memory of 1932 2436 hhhbhh.exe 89 PID 1932 wrote to memory of 2680 1932 jjjvp.exe 90 PID 1932 wrote to memory of 2680 1932 jjjvp.exe 90 PID 1932 wrote to memory of 2680 1932 jjjvp.exe 90 PID 2680 wrote to memory of 3320 2680 vdpjv.exe 91 PID 2680 wrote to memory of 3320 2680 vdpjv.exe 91 PID 2680 wrote to memory of 3320 2680 vdpjv.exe 91 PID 3320 wrote to memory of 1804 3320 7rlxrlx.exe 92 PID 3320 wrote to memory of 1804 3320 7rlxrlx.exe 92 PID 3320 wrote to memory of 1804 3320 7rlxrlx.exe 92 PID 1804 wrote to memory of 2164 1804 hbbtnn.exe 93 PID 1804 wrote to memory of 2164 1804 hbbtnn.exe 93 PID 1804 wrote to memory of 2164 1804 hbbtnn.exe 93 PID 2164 wrote to memory of 440 2164 3hhbht.exe 94 PID 2164 wrote to 
memory of 440 2164 3hhbht.exe 94 PID 2164 wrote to memory of 440 2164 3hhbht.exe 94 PID 440 wrote to memory of 4912 440 vjpdd.exe 95 PID 440 wrote to memory of 4912 440 vjpdd.exe 95 PID 440 wrote to memory of 4912 440 vjpdd.exe 95 PID 4912 wrote to memory of 3220 4912 9xrlxlf.exe 96 PID 4912 wrote to memory of 3220 4912 9xrlxlf.exe 96 PID 4912 wrote to memory of 3220 4912 9xrlxlf.exe 96 PID 3220 wrote to memory of 768 3220 lrlfxlf.exe 97 PID 3220 wrote to memory of 768 3220 lrlfxlf.exe 97 PID 3220 wrote to memory of 768 3220 lrlfxlf.exe 97 PID 768 wrote to memory of 3280 768 nthbtt.exe 98 PID 768 wrote to memory of 3280 768 nthbtt.exe 98 PID 768 wrote to memory of 3280 768 nthbtt.exe 98 PID 3280 wrote to memory of 1920 3280 7jppp.exe 99 PID 3280 wrote to memory of 1920 3280 7jppp.exe 99 PID 3280 wrote to memory of 1920 3280 7jppp.exe 99 PID 1920 wrote to memory of 2292 1920 dddvp.exe 100 PID 1920 wrote to memory of 2292 1920 dddvp.exe 100 PID 1920 wrote to memory of 2292 1920 dddvp.exe 100 PID 2292 wrote to memory of 2220 2292 7lrxrrl.exe 101 PID 2292 wrote to memory of 2220 2292 7lrxrrl.exe 101 PID 2292 wrote to memory of 2220 2292 7lrxrrl.exe 101 PID 2220 wrote to memory of 1540 2220 xrxlfxr.exe 102 PID 2220 wrote to memory of 1540 2220 xrxlfxr.exe 102 PID 2220 wrote to memory of 1540 2220 xrxlfxr.exe 102 PID 1540 wrote to memory of 2544 1540 bbhbtt.exe 103 PID 1540 wrote to memory of 2544 1540 bbhbtt.exe 103 PID 1540 wrote to memory of 2544 1540 bbhbtt.exe 103 PID 2544 wrote to memory of 1852 2544 jjpjj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe"C:\Users\Admin\AppData\Local\Temp\ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\lffxrrl.exec:\lffxrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\hnnbtt.exec:\hnnbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\jjpjv.exec:\jjpjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\xfxlllf.exec:\xfxlllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\5lxlffx.exec:\5lxlffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\hhhbhh.exec:\hhhbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\jjjvp.exec:\jjjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\vdpjv.exec:\vdpjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\7rlxrlx.exec:\7rlxrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\hbbtnn.exec:\hbbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\3hhbht.exec:\3hhbht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\vjpdd.exec:\vjpdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\9xrlxlf.exec:\9xrlxlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\lrlfxlf.exec:\lrlfxlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\nthbtt.exec:\nthbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\7jppp.exec:\7jppp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\dddvp.exec:\dddvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\7lrxrrl.exec:\7lrxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\xrxlfxr.exec:\xrxlfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\bbhbtt.exec:\bbhbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\jjpjj.exec:\jjpjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\jjjdv.exec:\jjjdv.exe23⤵
- Executes dropped EXE
PID:1852 -
\??\c:\xrffllr.exec:\xrffllr.exe24⤵
- Executes dropped EXE
PID:1444 -
\??\c:\tntnnn.exec:\tntnnn.exe25⤵
- Executes dropped EXE
PID:1232 -
\??\c:\nbhbtt.exec:\nbhbtt.exe26⤵
- Executes dropped EXE
PID:3192 -
\??\c:\1jpdj.exec:\1jpdj.exe27⤵
- Executes dropped EXE
PID:4040 -
\??\c:\lrfrffx.exec:\lrfrffx.exe28⤵
- Executes dropped EXE
PID:4292 -
\??\c:\lxlfrrx.exec:\lxlfrrx.exe29⤵
- Executes dropped EXE
PID:3164 -
\??\c:\bhthhb.exec:\bhthhb.exe30⤵
- Executes dropped EXE
PID:2228 -
\??\c:\dvdjd.exec:\dvdjd.exe31⤵
- Executes dropped EXE
PID:1492 -
\??\c:\pppvp.exec:\pppvp.exe32⤵
- Executes dropped EXE
PID:4384 -
\??\c:\llxrxrx.exec:\llxrxrx.exe33⤵
- Executes dropped EXE
PID:5000 -
\??\c:\tnbtnh.exec:\tnbtnh.exe34⤵
- Executes dropped EXE
PID:2844 -
\??\c:\nhtnbb.exec:\nhtnbb.exe35⤵
- Executes dropped EXE
PID:3040 -
\??\c:\3pdvp.exec:\3pdvp.exe36⤵
- Executes dropped EXE
PID:680 -
\??\c:\pdjdv.exec:\pdjdv.exe37⤵
- Executes dropped EXE
PID:1456 -
\??\c:\1ffxrrl.exec:\1ffxrrl.exe38⤵
- Executes dropped EXE
PID:4772 -
\??\c:\hnntnn.exec:\hnntnn.exe39⤵
- Executes dropped EXE
PID:1212 -
\??\c:\ntnhtt.exec:\ntnhtt.exe40⤵
- Executes dropped EXE
PID:3176 -
\??\c:\pdjdd.exec:\pdjdd.exe41⤵
- Executes dropped EXE
PID:4252 -
\??\c:\3xrlffx.exec:\3xrlffx.exe42⤵
- Executes dropped EXE
PID:2252 -
\??\c:\xlrrlfx.exec:\xlrrlfx.exe43⤵
- Executes dropped EXE
PID:1400 -
\??\c:\nhtbhh.exec:\nhtbhh.exe44⤵
- Executes dropped EXE
PID:4276 -
\??\c:\ppdvp.exec:\ppdvp.exe45⤵
- Executes dropped EXE
PID:1060 -
\??\c:\dvdvp.exec:\dvdvp.exe46⤵
- Executes dropped EXE
PID:2012 -
\??\c:\9rfxlrl.exec:\9rfxlrl.exe47⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xlxrrrr.exec:\xlxrrrr.exe48⤵
- Executes dropped EXE
PID:2024 -
\??\c:\hntnhh.exec:\hntnhh.exe49⤵
- Executes dropped EXE
PID:3620 -
\??\c:\jpdvp.exec:\jpdvp.exe50⤵
- Executes dropped EXE
PID:2484 -
\??\c:\vpdvp.exec:\vpdvp.exe51⤵
- Executes dropped EXE
PID:412 -
\??\c:\rxxrlll.exec:\rxxrlll.exe52⤵
- Executes dropped EXE
PID:1376 -
\??\c:\7lxrrrr.exec:\7lxrrrr.exe53⤵
- Executes dropped EXE
PID:2216 -
\??\c:\nhhbth.exec:\nhhbth.exe54⤵
- Executes dropped EXE
PID:2508 -
\??\c:\vpvpp.exec:\vpvpp.exe55⤵PID:4344
-
\??\c:\jppjd.exec:\jppjd.exe56⤵
- Executes dropped EXE
PID:4128 -
\??\c:\rlrfxxx.exec:\rlrfxxx.exe57⤵
- Executes dropped EXE
PID:4472 -
\??\c:\tbnhbt.exec:\tbnhbt.exe58⤵
- Executes dropped EXE
PID:3968 -
\??\c:\bbnhhh.exec:\bbnhhh.exe59⤵
- Executes dropped EXE
PID:2004 -
\??\c:\jvppp.exec:\jvppp.exe60⤵
- Executes dropped EXE
PID:880 -
\??\c:\rrfxlll.exec:\rrfxlll.exe61⤵
- Executes dropped EXE
PID:4696 -
\??\c:\thtnhb.exec:\thtnhb.exe62⤵
- Executes dropped EXE
PID:552 -
\??\c:\7hntnn.exec:\7hntnn.exe63⤵
- Executes dropped EXE
PID:1296 -
\??\c:\vpdvp.exec:\vpdvp.exe64⤵
- Executes dropped EXE
PID:3540 -
\??\c:\vdjdv.exec:\vdjdv.exe65⤵
- Executes dropped EXE
PID:2976 -
\??\c:\xxxrlll.exec:\xxxrlll.exe66⤵
- Executes dropped EXE
PID:3352 -
\??\c:\3tnbbb.exec:\3tnbbb.exe67⤵PID:3260
-
\??\c:\hbnbtn.exec:\hbnbtn.exe68⤵PID:4912
-
\??\c:\9vddv.exec:\9vddv.exe69⤵PID:1900
-
\??\c:\xxlfrrr.exec:\xxlfrrr.exe70⤵PID:1392
-
\??\c:\lxfxlxx.exec:\lxfxlxx.exe71⤵PID:1972
-
\??\c:\nnbtnb.exec:\nnbtnb.exe72⤵PID:4808
-
\??\c:\9jpjd.exec:\9jpjd.exe73⤵PID:3276
-
\??\c:\xrxxrxf.exec:\xrxxrxf.exe74⤵PID:1980
-
\??\c:\xrfrlff.exec:\xrfrlff.exe75⤵PID:4972
-
\??\c:\bttnhb.exec:\bttnhb.exe76⤵PID:3348
-
\??\c:\7jjdv.exec:\7jjdv.exe77⤵PID:4404
-
\??\c:\vpvvj.exec:\vpvvj.exe78⤵PID:576
-
\??\c:\xllxxxr.exec:\xllxxxr.exe79⤵PID:4184
-
\??\c:\tnbntt.exec:\tnbntt.exe80⤵PID:1448
-
\??\c:\tnnhbb.exec:\tnnhbb.exe81⤵PID:3816
-
\??\c:\1tbtbb.exec:\1tbtbb.exe82⤵PID:4644
-
\??\c:\5bttnb.exec:\5bttnb.exe83⤵PID:456
-
\??\c:\ppvpv.exec:\ppvpv.exe84⤵PID:4764
-
\??\c:\ffxxxrx.exec:\ffxxxrx.exe85⤵PID:1064
-
\??\c:\1hhbtn.exec:\1hhbtn.exe86⤵PID:5028
-
\??\c:\htbtnn.exec:\htbtnn.exe87⤵PID:5100
-
\??\c:\dvvpj.exec:\dvvpj.exe88⤵PID:1716
-
\??\c:\xrxrlrr.exec:\xrxrlrr.exe89⤵PID:3000
-
\??\c:\tbhbtt.exec:\tbhbtt.exe90⤵PID:3068
-
\??\c:\vdjdv.exec:\vdjdv.exe91⤵PID:544
-
\??\c:\jdpjj.exec:\jdpjj.exe92⤵PID:2972
-
\??\c:\llxrxxf.exec:\llxrxxf.exe93⤵PID:980
-
\??\c:\nhbthn.exec:\nhbthn.exe94⤵PID:1848
-
\??\c:\jvdvp.exec:\jvdvp.exe95⤵PID:1240
-
\??\c:\5pdjj.exec:\5pdjj.exe96⤵PID:4568
-
\??\c:\xxlflff.exec:\xxlflff.exe97⤵PID:2012
-
\??\c:\nnhhtt.exec:\nnhhtt.exe98⤵PID:1488
-
\??\c:\pvpvj.exec:\pvpvj.exe99⤵PID:3436
-
\??\c:\lxrllll.exec:\lxrllll.exe100⤵PID:2688
-
\??\c:\bbtbbn.exec:\bbtbbn.exe101⤵PID:2828
-
\??\c:\httttt.exec:\httttt.exe102⤵PID:1352
-
\??\c:\7ddjd.exec:\7ddjd.exe103⤵PID:4172
-
\??\c:\3rfxxfl.exec:\3rfxxfl.exe104⤵PID:3720
-
\??\c:\bnnhbn.exec:\bnnhbn.exe105⤵PID:4880
-
\??\c:\pdvjd.exec:\pdvjd.exe106⤵PID:1388
-
\??\c:\frfrrlr.exec:\frfrrlr.exe107⤵PID:4128
-
\??\c:\tttnbt.exec:\tttnbt.exe108⤵PID:2600
-
\??\c:\rrfrlfx.exec:\rrfrlfx.exe109⤵PID:4488
-
\??\c:\rrxrffx.exec:\rrxrffx.exe110⤵PID:3968
-
\??\c:\nnnhtt.exec:\nnnhtt.exe111⤵PID:3928
-
\??\c:\pdvpp.exec:\pdvpp.exe112⤵PID:1836
-
\??\c:\xrxllrf.exec:\xrxllrf.exe113⤵
- System Location Discovery: System Language Discovery
PID:4316 -
\??\c:\hhnhtn.exec:\hhnhtn.exe114⤵PID:2680
-
\??\c:\3pvjj.exec:\3pvjj.exe115⤵PID:3156
-
\??\c:\flfxrrr.exec:\flfxrrr.exe116⤵PID:4360
-
\??\c:\5nhbnh.exec:\5nhbnh.exe117⤵PID:3540
-
\??\c:\jpjvj.exec:\jpjvj.exe118⤵
- System Location Discovery: System Language Discovery
PID:2976 -
\??\c:\ffxlfrl.exec:\ffxlfrl.exe119⤵PID:2164
-
\??\c:\5hbtnn.exec:\5hbtnn.exe120⤵PID:1916
-
\??\c:\9jpjd.exec:\9jpjd.exe121⤵
- System Location Discovery: System Language Discovery
PID:336 -
\??\c:\lffxrlr.exec:\lffxrlr.exe122⤵PID:1968