Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-11-2024 10:59
Behavioral task
behavioral1
Sample
d07852c288f661f8b16077a5f3c86579e2a2827ca8906787db2cfa159d9e005a.exe
Resource
win7-20240903-en
General
-
Target
d07852c288f661f8b16077a5f3c86579e2a2827ca8906787db2cfa159d9e005a.exe
-
Size
71KB
-
MD5
52d6350fc10a9e0f8208bc588a97bbea
-
SHA1
4fb858b8b0942c736796f8b5bb3274205420aec3
-
SHA256
d07852c288f661f8b16077a5f3c86579e2a2827ca8906787db2cfa159d9e005a
-
SHA512
b2c32c976fa0e01ec5e807e2b41070d599d099e39b76cf291b01d91be40ef4f5cc74e61836978f70b3202e22a225b80c10433e358a82a567fb94ffd9800c5e4d
-
SSDEEP
1536:cvQBeOGtrYS3srx93UBWfwC6Ggnouy8HglW8waWaN:chOmTsF93UYfwC6GIout3t7aN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/4448-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1868-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2772-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/932-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2684-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1440-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3960-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3408-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1704-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2696-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2784-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2748-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2860-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2524-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1244-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3212-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/716-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/896-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-542-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-553-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-558-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-589-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-599-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2380-603-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-619-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-677-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-1180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/776-1515-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-1532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-1561-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-1652-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/764-1798-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
jvdvd.exerlfrlxr.exe7rlfxrl.exehnthnb.exeppvdd.exefrflxlx.exe5nhtnn.exejjvjd.exexxlllxx.exebnttnn.exehbnbhb.exeppdjp.exexlrrrrx.exehbbhnn.exejpddv.exevpdjp.exehbhhtt.exehnhbtt.exepvjvd.exe3jjjv.exerflfxxr.exethtttt.exebhnnnb.exejdddv.exe3xfxffr.exefxrrxxl.exebnbhtb.exe5jvdd.exedjvvj.exexxfxxxx.exebbthhh.exe3bbhhh.exevppvd.exeflxllrr.exexrxxfff.exethnntb.exepvvvp.exedvjvv.exexxfrffx.exenntnnn.exefrxxxxl.exepjvpv.exepjddd.exe5xfffll.exexrrrlrr.exejjjvd.exexrllflr.exe1rffxxr.exetbnnnn.exejdjjj.exellxxxfx.exefllflxf.exe9nnhtb.exe5jppj.exexlxlxfx.exefflrlrx.exe7htnnn.exejjjdv.exevpjdd.exe9rrlllf.exexxxxlrr.exebhbhtt.exe1tnnhn.exeddjdd.exepid Process 3036 jvdvd.exe 1868 rlfrlxr.exe 2772 7rlfxrl.exe 4604 hnthnb.exe 4264 ppvdd.exe 5076 frflxlx.exe 932 5nhtnn.exe 4200 jjvjd.exe 4804 xxlllxx.exe 3352 bnttnn.exe 2404 hbnbhb.exe 2744 ppdjp.exe 2684 xlrrrrx.exe 1440 hbbhnn.exe 664 jpddv.exe 636 vpdjp.exe 2596 hbhhtt.exe 4184 hnhbtt.exe 2280 pvjvd.exe 3960 3jjjv.exe 3236 rflfxxr.exe 4416 thtttt.exe 4916 bhnnnb.exe 2064 jdddv.exe 3408 3xfxffr.exe 1732 fxrrxxl.exe 3000 bnbhtb.exe 1028 5jvdd.exe 4728 djvvj.exe 1704 xxfxxxx.exe 4864 bbthhh.exe 4800 3bbhhh.exe 3988 vppvd.exe 4996 flxllrr.exe 3840 xrxxfff.exe 2696 thnntb.exe 4704 pvvvp.exe 1608 dvjvv.exe 624 xxfrffx.exe 4252 nntnnn.exe 2468 frxxxxl.exe 3212 pjvpv.exe 2784 pjddd.exe 3400 5xfffll.exe 2964 xrrrlrr.exe 1444 jjjvd.exe 2348 xrllflr.exe 232 1rffxxr.exe 3092 tbnnnn.exe 1008 jdjjj.exe 2748 llxxxfx.exe 4312 fllflxf.exe 4000 9nnhtb.exe 5092 5jppj.exe 4248 xlxlxfx.exe 2860 fflrlrx.exe 404 7htnnn.exe 4200 jjjdv.exe 1644 vpjdd.exe 428 9rrlllf.exe 3564 xxxxlrr.exe 3756 bhbhtt.exe 1408 1tnnhn.exe 3304 ddjdd.exe -
Processes:
resource yara_rule behavioral2/memory/4448-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b18-3.dat upx behavioral2/memory/4448-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b75-8.dat upx behavioral2/memory/1868-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3036-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-10.dat upx behavioral2/files/0x000a000000023b77-20.dat upx behavioral2/memory/2772-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-26.dat upx behavioral2/memory/4604-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-32.dat upx behavioral2/memory/4264-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7a-38.dat upx behavioral2/memory/932-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-44.dat upx behavioral2/files/0x000a000000023b7c-48.dat upx behavioral2/memory/4200-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-54.dat upx behavioral2/memory/3352-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4804-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-63.dat upx behavioral2/files/0x000a000000023b7f-66.dat upx behavioral2/files/0x000a000000023b80-73.dat upx behavioral2/memory/2744-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-79.dat upx behavioral2/memory/2684-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-83.dat upx behavioral2/memory/1440-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-89.dat upx behavioral2/memory/636-97-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b84-96.dat upx behavioral2/files/0x000a000000023b85-100.dat upx behavioral2/files/0x000a000000023b86-105.dat upx behavioral2/memory/4184-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-111.dat upx behavioral2/memory/2280-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-117.dat upx behavioral2/memory/3960-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-123.dat upx behavioral2/files/0x000a000000023b8a-128.dat upx behavioral2/memory/4416-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-134.dat upx behavioral2/memory/4916-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-142.dat upx behavioral2/files/0x000a000000023b8d-147.dat upx behavioral2/memory/3408-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-151.dat upx behavioral2/files/0x000a000000023b8f-156.dat upx behavioral2/files/0x000a000000023b90-162.dat upx behavioral2/files/0x000a000000023b91-167.dat upx behavioral2/files/0x000a000000023b92-172.dat upx behavioral2/memory/1704-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-177.dat upx behavioral2/memory/4800-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2696-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4704-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4252-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2468-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2784-221-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3400-225-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3092-241-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2748-247-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4248-260-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
tbhntt.exexrllffr.exehbhhht.exehntbtt.exe9rrflff.exepjpjd.exepdjdp.exerxrrrrr.exepvvdd.exetbbtnt.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d07852c288f661f8b16077a5f3c86579e2a2827ca8906787db2cfa159d9e005a.exejvdvd.exerlfrlxr.exe7rlfxrl.exehnthnb.exeppvdd.exefrflxlx.exe5nhtnn.exejjvjd.exexxlllxx.exebnttnn.exehbnbhb.exeppdjp.exexlrrrrx.exehbbhnn.exejpddv.exevpdjp.exehbhhtt.exehnhbtt.exepvjvd.exe3jjjv.exerflfxxr.exedescription pid Process procid_target PID 4448 wrote to memory of 3036 4448 d07852c288f661f8b16077a5f3c86579e2a2827ca8906787db2cfa159d9e005a.exe 82 PID 4448 wrote to memory of 3036 4448 d07852c288f661f8b16077a5f3c86579e2a2827ca8906787db2cfa159d9e005a.exe 82 PID 4448 wrote to memory of 3036 4448 d07852c288f661f8b16077a5f3c86579e2a2827ca8906787db2cfa159d9e005a.exe 82 PID 3036 wrote to memory of 1868 3036 jvdvd.exe 83 PID 3036 wrote to memory of 1868 3036 jvdvd.exe 83 PID 3036 wrote to memory of 1868 3036 jvdvd.exe 83 PID 1868 wrote to memory of 2772 1868 rlfrlxr.exe 84 PID 1868 wrote to memory of 2772 1868 rlfrlxr.exe 84 PID 1868 wrote to memory of 2772 1868 rlfrlxr.exe 84 PID 2772 wrote to memory of 4604 2772 7rlfxrl.exe 85 PID 2772 wrote to memory of 4604 2772 7rlfxrl.exe 85 PID 2772 wrote to memory of 4604 2772 7rlfxrl.exe 85 PID 4604 wrote to memory of 4264 4604 hnthnb.exe 86 PID 4604 wrote to memory of 4264 4604 hnthnb.exe 86 PID 4604 wrote to memory of 4264 4604 hnthnb.exe 86 PID 4264 wrote to memory of 5076 4264 ppvdd.exe 87 PID 4264 wrote to memory of 5076 4264 ppvdd.exe 87 PID 4264 wrote to memory of 5076 4264 ppvdd.exe 87 PID 5076 wrote to memory of 932 5076 frflxlx.exe 88 PID 5076 wrote to memory of 932 5076 frflxlx.exe 88 PID 5076 wrote to memory of 932 5076 frflxlx.exe 88 PID 932 wrote to memory of 4200 932 5nhtnn.exe 89 PID 932 wrote to memory of 4200 932 5nhtnn.exe 89 PID 932 wrote to memory of 4200 932 5nhtnn.exe 89 PID 4200 wrote to memory of 4804 4200 jjvjd.exe 90 PID 4200 wrote to memory of 4804 4200 jjvjd.exe 90 PID 4200 wrote to memory of 4804 4200 jjvjd.exe 90 PID 4804 wrote to memory of 3352 4804 xxlllxx.exe 91 PID 4804 wrote to memory of 3352 4804 xxlllxx.exe 91 PID 4804 
wrote to memory of 3352 4804 xxlllxx.exe 91 PID 3352 wrote to memory of 2404 3352 bnttnn.exe 92 PID 3352 wrote to memory of 2404 3352 bnttnn.exe 92 PID 3352 wrote to memory of 2404 3352 bnttnn.exe 92 PID 2404 wrote to memory of 2744 2404 hbnbhb.exe 93 PID 2404 wrote to memory of 2744 2404 hbnbhb.exe 93 PID 2404 wrote to memory of 2744 2404 hbnbhb.exe 93 PID 2744 wrote to memory of 2684 2744 ppdjp.exe 94 PID 2744 wrote to memory of 2684 2744 ppdjp.exe 94 PID 2744 wrote to memory of 2684 2744 ppdjp.exe 94 PID 2684 wrote to memory of 1440 2684 xlrrrrx.exe 95 PID 2684 wrote to memory of 1440 2684 xlrrrrx.exe 95 PID 2684 wrote to memory of 1440 2684 xlrrrrx.exe 95 PID 1440 wrote to memory of 664 1440 hbbhnn.exe 96 PID 1440 wrote to memory of 664 1440 hbbhnn.exe 96 PID 1440 wrote to memory of 664 1440 hbbhnn.exe 96 PID 664 wrote to memory of 636 664 jpddv.exe 97 PID 664 wrote to memory of 636 664 jpddv.exe 97 PID 664 wrote to memory of 636 664 jpddv.exe 97 PID 636 wrote to memory of 2596 636 vpdjp.exe 98 PID 636 wrote to memory of 2596 636 vpdjp.exe 98 PID 636 wrote to memory of 2596 636 vpdjp.exe 98 PID 2596 wrote to memory of 4184 2596 hbhhtt.exe 99 PID 2596 wrote to memory of 4184 2596 hbhhtt.exe 99 PID 2596 wrote to memory of 4184 2596 hbhhtt.exe 99 PID 4184 wrote to memory of 2280 4184 hnhbtt.exe 100 PID 4184 wrote to memory of 2280 4184 hnhbtt.exe 100 PID 4184 wrote to memory of 2280 4184 hnhbtt.exe 100 PID 2280 wrote to memory of 3960 2280 pvjvd.exe 101 PID 2280 wrote to memory of 3960 2280 pvjvd.exe 101 PID 2280 wrote to memory of 3960 2280 pvjvd.exe 101 PID 3960 wrote to memory of 3236 3960 3jjjv.exe 102 PID 3960 wrote to memory of 3236 3960 3jjjv.exe 102 PID 3960 wrote to memory of 3236 3960 3jjjv.exe 102 PID 3236 wrote to memory of 4416 3236 rflfxxr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d07852c288f661f8b16077a5f3c86579e2a2827ca8906787db2cfa159d9e005a.exe"C:\Users\Admin\AppData\Local\Temp\d07852c288f661f8b16077a5f3c86579e2a2827ca8906787db2cfa159d9e005a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\jvdvd.exec:\jvdvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\rlfrlxr.exec:\rlfrlxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\7rlfxrl.exec:\7rlfxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\hnthnb.exec:\hnthnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\ppvdd.exec:\ppvdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\frflxlx.exec:\frflxlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\5nhtnn.exec:\5nhtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\jjvjd.exec:\jjvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\xxlllxx.exec:\xxlllxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\bnttnn.exec:\bnttnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\hbnbhb.exec:\hbnbhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\ppdjp.exec:\ppdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\xlrrrrx.exec:\xlrrrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\hbbhnn.exec:\hbbhnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\jpddv.exec:\jpddv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\vpdjp.exec:\vpdjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\hbhhtt.exec:\hbhhtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\hnhbtt.exec:\hnhbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\pvjvd.exec:\pvjvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\3jjjv.exec:\3jjjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\rflfxxr.exec:\rflfxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\thtttt.exec:\thtttt.exe23⤵
- Executes dropped EXE
PID:4416 -
\??\c:\bhnnnb.exec:\bhnnnb.exe24⤵
- Executes dropped EXE
PID:4916 -
\??\c:\jdddv.exec:\jdddv.exe25⤵
- Executes dropped EXE
PID:2064 -
\??\c:\3xfxffr.exec:\3xfxffr.exe26⤵
- Executes dropped EXE
PID:3408 -
\??\c:\fxrrxxl.exec:\fxrrxxl.exe27⤵
- Executes dropped EXE
PID:1732 -
\??\c:\bnbhtb.exec:\bnbhtb.exe28⤵
- Executes dropped EXE
PID:3000 -
\??\c:\5jvdd.exec:\5jvdd.exe29⤵
- Executes dropped EXE
PID:1028 -
\??\c:\djvvj.exec:\djvvj.exe30⤵
- Executes dropped EXE
PID:4728 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe31⤵
- Executes dropped EXE
PID:1704 -
\??\c:\bbthhh.exec:\bbthhh.exe32⤵
- Executes dropped EXE
PID:4864 -
\??\c:\3bbhhh.exec:\3bbhhh.exe33⤵
- Executes dropped EXE
PID:4800 -
\??\c:\vppvd.exec:\vppvd.exe34⤵
- Executes dropped EXE
PID:3988 -
\??\c:\flxllrr.exec:\flxllrr.exe35⤵
- Executes dropped EXE
PID:4996 -
\??\c:\xrxxfff.exec:\xrxxfff.exe36⤵
- Executes dropped EXE
PID:3840 -
\??\c:\thnntb.exec:\thnntb.exe37⤵
- Executes dropped EXE
PID:2696 -
\??\c:\pvvvp.exec:\pvvvp.exe38⤵
- Executes dropped EXE
PID:4704 -
\??\c:\dvjvv.exec:\dvjvv.exe39⤵
- Executes dropped EXE
PID:1608 -
\??\c:\xxfrffx.exec:\xxfrffx.exe40⤵
- Executes dropped EXE
PID:624 -
\??\c:\nntnnn.exec:\nntnnn.exe41⤵
- Executes dropped EXE
PID:4252 -
\??\c:\frxxxxl.exec:\frxxxxl.exe42⤵
- Executes dropped EXE
PID:2468 -
\??\c:\pjvpv.exec:\pjvpv.exe43⤵
- Executes dropped EXE
PID:3212 -
\??\c:\pjddd.exec:\pjddd.exe44⤵
- Executes dropped EXE
PID:2784 -
\??\c:\5xfffll.exec:\5xfffll.exe45⤵
- Executes dropped EXE
PID:3400 -
\??\c:\xrrrlrr.exec:\xrrrlrr.exe46⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jjjvd.exec:\jjjvd.exe47⤵
- Executes dropped EXE
PID:1444 -
\??\c:\xrllflr.exec:\xrllflr.exe48⤵
- Executes dropped EXE
PID:2348 -
\??\c:\1rffxxr.exec:\1rffxxr.exe49⤵
- Executes dropped EXE
PID:232 -
\??\c:\tbnnnn.exec:\tbnnnn.exe50⤵
- Executes dropped EXE
PID:3092 -
\??\c:\jdjjj.exec:\jdjjj.exe51⤵
- Executes dropped EXE
PID:1008 -
\??\c:\llxxxfx.exec:\llxxxfx.exe52⤵
- Executes dropped EXE
PID:2748 -
\??\c:\fllflxf.exec:\fllflxf.exe53⤵
- Executes dropped EXE
PID:4312 -
\??\c:\9nnhtb.exec:\9nnhtb.exe54⤵
- Executes dropped EXE
PID:4000 -
\??\c:\5jppj.exec:\5jppj.exe55⤵
- Executes dropped EXE
PID:5092 -
\??\c:\xlxlxfx.exec:\xlxlxfx.exe56⤵
- Executes dropped EXE
PID:4248 -
\??\c:\fflrlrx.exec:\fflrlrx.exe57⤵
- Executes dropped EXE
PID:2860 -
\??\c:\7htnnn.exec:\7htnnn.exe58⤵
- Executes dropped EXE
PID:404 -
\??\c:\jjjdv.exec:\jjjdv.exe59⤵
- Executes dropped EXE
PID:4200 -
\??\c:\vpjdd.exec:\vpjdd.exe60⤵
- Executes dropped EXE
PID:1644 -
\??\c:\9rrlllf.exec:\9rrlllf.exe61⤵
- Executes dropped EXE
PID:428 -
\??\c:\xxxxlrr.exec:\xxxxlrr.exe62⤵
- Executes dropped EXE
PID:3564 -
\??\c:\bhbhtt.exec:\bhbhtt.exe63⤵
- Executes dropped EXE
PID:3756 -
\??\c:\1tnnhn.exec:\1tnnhn.exe64⤵
- Executes dropped EXE
PID:1408 -
\??\c:\ddjdd.exec:\ddjdd.exe65⤵
- Executes dropped EXE
PID:3304 -
\??\c:\vvvpj.exec:\vvvpj.exe66⤵PID:2316
-
\??\c:\lxrrrrl.exec:\lxrrrrl.exe67⤵PID:3980
-
\??\c:\fffxrff.exec:\fffxrff.exe68⤵PID:1436
-
\??\c:\tnthhn.exec:\tnthhn.exe69⤵PID:2788
-
\??\c:\jvjjp.exec:\jvjjp.exe70⤵PID:5112
-
\??\c:\9bnnhh.exec:\9bnnhh.exe71⤵PID:968
-
\??\c:\tbtttt.exec:\tbtttt.exe72⤵PID:1220
-
\??\c:\pdpjd.exec:\pdpjd.exe73⤵PID:2524
-
\??\c:\jjjvp.exec:\jjjvp.exe74⤵PID:1352
-
\??\c:\flxrfff.exec:\flxrfff.exe75⤵PID:2612
-
\??\c:\hhbbhh.exec:\hhbbhh.exe76⤵PID:1604
-
\??\c:\djdpj.exec:\djdpj.exe77⤵PID:5016
-
\??\c:\frrxrlx.exec:\frrxrlx.exe78⤵PID:2976
-
\??\c:\3xfxxxr.exec:\3xfxxxr.exe79⤵PID:212
-
\??\c:\btttbb.exec:\btttbb.exe80⤵PID:224
-
\??\c:\dvpjd.exec:\dvpjd.exe81⤵PID:4688
-
\??\c:\jjpvj.exec:\jjpvj.exe82⤵PID:532
-
\??\c:\rllfffx.exec:\rllfffx.exe83⤵PID:1244
-
\??\c:\bthhht.exec:\bthhht.exe84⤵PID:1048
-
\??\c:\9dpjd.exec:\9dpjd.exe85⤵PID:3000
-
\??\c:\jjvvv.exec:\jjvvv.exe86⤵PID:4932
-
\??\c:\xlxrlll.exec:\xlxrlll.exe87⤵PID:2900
-
\??\c:\frxfxfl.exec:\frxfxfl.exe88⤵PID:1824
-
\??\c:\5nbbnt.exec:\5nbbnt.exe89⤵PID:1212
-
\??\c:\1nbbhn.exec:\1nbbhn.exe90⤵PID:2880
-
\??\c:\jdpjv.exec:\jdpjv.exe91⤵PID:3844
-
\??\c:\xlfxrxx.exec:\xlfxrxx.exe92⤵PID:4004
-
\??\c:\rfrfxlr.exec:\rfrfxlr.exe93⤵PID:1284
-
\??\c:\nnhnbb.exec:\nnhnbb.exe94⤵PID:2500
-
\??\c:\ddvvj.exec:\ddvvj.exe95⤵PID:924
-
\??\c:\jjvpj.exec:\jjvpj.exe96⤵PID:400
-
\??\c:\1frrlrx.exec:\1frrlrx.exe97⤵PID:896
-
\??\c:\tnhbtt.exec:\tnhbtt.exe98⤵PID:2928
-
\??\c:\djpjj.exec:\djpjj.exe99⤵PID:2540
-
\??\c:\lxxxxll.exec:\lxxxxll.exe100⤵PID:3212
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe101⤵PID:4436
-
\??\c:\1bbttt.exec:\1bbttt.exe102⤵PID:1056
-
\??\c:\3nhbtt.exec:\3nhbtt.exe103⤵PID:4384
-
\??\c:\pvjjv.exec:\pvjjv.exe104⤵PID:4448
-
\??\c:\xlxlrlr.exec:\xlxlrlr.exe105⤵PID:716
-
\??\c:\rrlrlxf.exec:\rrlrlxf.exe106⤵PID:3800
-
\??\c:\tbbbtb.exec:\tbbbtb.exe107⤵PID:2772
-
\??\c:\ppdpd.exec:\ppdpd.exe108⤵PID:4504
-
\??\c:\dpvpj.exec:\dpvpj.exe109⤵PID:952
-
\??\c:\xrxrlll.exec:\xrxrlll.exe110⤵PID:4604
-
\??\c:\ttbhnt.exec:\ttbhnt.exe111⤵PID:4092
-
\??\c:\9nbbhh.exec:\9nbbhh.exe112⤵PID:5092
-
\??\c:\lfxxxfl.exec:\lfxxxfl.exe113⤵PID:4248
-
\??\c:\nhhbbn.exec:\nhhbbn.exe114⤵PID:3004
-
\??\c:\pjvpv.exec:\pjvpv.exe115⤵PID:4216
-
\??\c:\xxflxxl.exec:\xxflxxl.exe116⤵PID:4948
-
\??\c:\tthhtt.exec:\tthhtt.exe117⤵PID:1644
-
\??\c:\hbhhht.exec:\hbhhht.exe118⤵
- System Location Discovery: System Language Discovery
PID:3088 -
\??\c:\vvddp.exec:\vvddp.exe119⤵PID:3876
-
\??\c:\xlxrlrl.exec:\xlxrlrl.exe120⤵PID:2488
-
\??\c:\llrrrxx.exec:\llrrrxx.exe121⤵PID:1452
-
\??\c:\nnbhbn.exec:\nnbhbn.exe122⤵PID:1228