Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-11-2024 03:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd581ef6101ad92557c142d1dad2a42f4980174cd5e7ffa5a291c35748a6abc4.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bd581ef6101ad92557c142d1dad2a42f4980174cd5e7ffa5a291c35748a6abc4.exe
-
Size
347KB
-
MD5
ebb7ae3467d22a97a49ee1786fc8dd4c
-
SHA1
5f5d1ec09fed52585fccbead1bb2d118da741fe2
-
SHA256
bd581ef6101ad92557c142d1dad2a42f4980174cd5e7ffa5a291c35748a6abc4
-
SHA512
e090127dec120b9248a082deb4acd3632d36d2eb56adab8376f933420b5b614887c7b7140206441c14a051bdb4b257d290f5f2d310d2c7c07a7a03343f87241b
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAw:l7TcbWXZshJX2VGdw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/828-5-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3312-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3260-17-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4776-23-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5036-29-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/112-41-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2016-47-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2528-57-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4840-63-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3148-71-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/364-78-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2696-80-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5116-96-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1852-101-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3192-111-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4960-117-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4968-122-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2268-129-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2028-136-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/644-142-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1840-153-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/2096-158-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2280-164-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1784-175-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4856-197-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3528-210-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1792-214-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3472-218-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2056-232-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4352-239-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2308-249-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4804-256-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3908-260-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4580-270-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/112-274-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3532-278-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2872-288-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3020-307-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1748-311-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2052-321-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/400-334-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2888-338-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/4636-360-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/964-373-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/992-392-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1700-399-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4852-416-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4472-443-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3532-450-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4840-463-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4880-467-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3968-474-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2692-484-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3568-522-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1428-592-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3804-632-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3680-678-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3404-730-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4500-837-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1056-919-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1504-929-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1644-1017-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4800-1362-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3312 fflrrrx.exe 3260 3xlxxlr.exe 4776 1pdvv.exe 5036 nhtnnh.exe 4312 dvvjv.exe 112 1vvpj.exe 1504 hntnht.exe 2016 jjjdv.exe 2528 ddvpj.exe 4840 nnbtht.exe 3148 httnhn.exe 364 vdpjd.exe 2696 xlxlllf.exe 808 dvpvp.exe 3812 flrlllf.exe 5116 nnnhtn.exe 1852 bttnhh.exe 3192 9pvvv.exe 4960 jjpjj.exe 4968 rlfxrrl.exe 2268 1tbhhh.exe 2028 5rrrlrl.exe 644 vdppj.exe 4276 rrxxrrr.exe 1840 vpppd.exe 2096 ntnhnt.exe 2280 tttnhn.exe 4868 vvvdd.exe 1784 lxxlrlx.exe 3176 fxfxffx.exe 1164 vjpjj.exe 1644 ddvvv.exe 2700 5xxxxxx.exe 4856 btttnn.exe 2712 xlllrlx.exe 2208 hhbtbb.exe 380 dvddv.exe 3528 3bnhhn.exe 1792 jvpjj.exe 3472 ffxrfxf.exe 5016 hntbhb.exe 2740 jvdpj.exe 4444 lrrrxxx.exe 2056 bhhhhb.exe 3640 djpjj.exe 4352 1rrllll.exe 4852 ttbhnt.exe 2868 dpppp.exe 2308 1rrllll.exe 4884 lxlllrx.exe 4804 ttbttt.exe 3908 djpvv.exe 3012 bhhhtn.exe 5012 jpppp.exe 4580 fxrlfll.exe 112 lffxxxx.exe 3532 1pppp.exe 1856 rxxxrrr.exe 3804 bbbttt.exe 2872 pjvpp.exe 4840 3rxxrxf.exe 2724 bbnntb.exe 1192 vpdvp.exe 1464 9pvvv.exe -
resource yara_rule behavioral2/memory/828-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3312-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3260-17-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4776-23-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5036-29-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/112-41-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2528-52-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2016-47-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2528-57-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4840-63-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/364-72-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3148-71-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/364-78-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2696-80-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5116-96-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1852-101-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3192-111-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4960-117-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4968-122-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2268-129-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2028-136-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/644-142-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1840-153-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2096-158-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/2280-164-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1784-175-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4856-197-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3528-210-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1792-214-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5016-219-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3472-218-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2056-232-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4352-239-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2308-249-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4804-256-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3908-260-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4580-270-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/112-274-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3532-278-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2872-288-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3020-307-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1748-311-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2052-321-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/400-334-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2888-338-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4636-360-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/964-373-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/992-392-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/1700-399-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4852-416-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4472-443-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3532-450-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4840-463-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4880-467-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3968-474-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2692-484-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3568-522-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1428-592-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3804-632-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3680-678-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3404-730-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4500-837-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1056-919-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1504-929-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xffrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 828 wrote to memory of 3312 828 bd581ef6101ad92557c142d1dad2a42f4980174cd5e7ffa5a291c35748a6abc4.exe 83 PID 828 wrote to memory of 3312 828 bd581ef6101ad92557c142d1dad2a42f4980174cd5e7ffa5a291c35748a6abc4.exe 83 PID 828 wrote to memory of 3312 828 bd581ef6101ad92557c142d1dad2a42f4980174cd5e7ffa5a291c35748a6abc4.exe 83 PID 3312 wrote to memory of 3260 3312 fflrrrx.exe 84 PID 3312 wrote to memory of 3260 3312 fflrrrx.exe 84 PID 3312 wrote to memory of 3260 3312 fflrrrx.exe 84 PID 3260 wrote to memory of 4776 3260 3xlxxlr.exe 85 PID 3260 wrote to memory of 4776 3260 3xlxxlr.exe 85 PID 3260 wrote to memory of 4776 3260 3xlxxlr.exe 85 PID 4776 wrote to memory of 5036 4776 1pdvv.exe 86 PID 4776 wrote to memory of 5036 4776 1pdvv.exe 86 PID 4776 wrote to memory of 5036 4776 1pdvv.exe 86 PID 5036 wrote to memory of 4312 5036 nhtnnh.exe 87 PID 5036 wrote to memory of 4312 5036 nhtnnh.exe 87 PID 5036 wrote to memory of 4312 5036 nhtnnh.exe 87 PID 4312 wrote to memory of 112 4312 dvvjv.exe 88 PID 4312 wrote to memory of 112 4312 dvvjv.exe 88 PID 4312 wrote to memory of 112 4312 dvvjv.exe 88 PID 112 wrote to memory of 1504 112 1vvpj.exe 89 PID 112 wrote to memory of 1504 112 1vvpj.exe 89 PID 112 wrote to memory of 1504 112 1vvpj.exe 89 PID 1504 wrote to memory of 2016 1504 hntnht.exe 90 PID 1504 wrote to memory of 2016 1504 hntnht.exe 90 PID 1504 wrote to memory of 2016 1504 hntnht.exe 90 PID 2016 wrote to memory of 2528 2016 jjjdv.exe 91 PID 2016 wrote to memory of 2528 2016 jjjdv.exe 91 PID 2016 wrote to memory of 2528 2016 jjjdv.exe 91 PID 2528 wrote to memory of 4840 2528 ddvpj.exe 92 PID 2528 wrote to memory of 4840 2528 ddvpj.exe 92 PID 2528 wrote to memory of 4840 2528 ddvpj.exe 92 PID 4840 wrote to memory of 3148 4840 nnbtht.exe 93 PID 4840 wrote to memory of 3148 4840 nnbtht.exe 93 PID 4840 wrote to memory of 3148 4840 nnbtht.exe 93 PID 3148 wrote to memory of 364 3148 httnhn.exe 94 PID 3148 wrote to memory of 364 3148 
httnhn.exe 94 PID 3148 wrote to memory of 364 3148 httnhn.exe 94 PID 364 wrote to memory of 2696 364 vdpjd.exe 95 PID 364 wrote to memory of 2696 364 vdpjd.exe 95 PID 364 wrote to memory of 2696 364 vdpjd.exe 95 PID 2696 wrote to memory of 808 2696 xlxlllf.exe 96 PID 2696 wrote to memory of 808 2696 xlxlllf.exe 96 PID 2696 wrote to memory of 808 2696 xlxlllf.exe 96 PID 808 wrote to memory of 3812 808 dvpvp.exe 97 PID 808 wrote to memory of 3812 808 dvpvp.exe 97 PID 808 wrote to memory of 3812 808 dvpvp.exe 97 PID 3812 wrote to memory of 5116 3812 flrlllf.exe 98 PID 3812 wrote to memory of 5116 3812 flrlllf.exe 98 PID 3812 wrote to memory of 5116 3812 flrlllf.exe 98 PID 5116 wrote to memory of 1852 5116 nnnhtn.exe 99 PID 5116 wrote to memory of 1852 5116 nnnhtn.exe 99 PID 5116 wrote to memory of 1852 5116 nnnhtn.exe 99 PID 1852 wrote to memory of 3192 1852 bttnhh.exe 100 PID 1852 wrote to memory of 3192 1852 bttnhh.exe 100 PID 1852 wrote to memory of 3192 1852 bttnhh.exe 100 PID 3192 wrote to memory of 4960 3192 9pvvv.exe 101 PID 3192 wrote to memory of 4960 3192 9pvvv.exe 101 PID 3192 wrote to memory of 4960 3192 9pvvv.exe 101 PID 4960 wrote to memory of 4968 4960 jjpjj.exe 102 PID 4960 wrote to memory of 4968 4960 jjpjj.exe 102 PID 4960 wrote to memory of 4968 4960 jjpjj.exe 102 PID 4968 wrote to memory of 2268 4968 rlfxrrl.exe 103 PID 4968 wrote to memory of 2268 4968 rlfxrrl.exe 103 PID 4968 wrote to memory of 2268 4968 rlfxrrl.exe 103 PID 2268 wrote to memory of 2028 2268 1tbhhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd581ef6101ad92557c142d1dad2a42f4980174cd5e7ffa5a291c35748a6abc4.exe"C:\Users\Admin\AppData\Local\Temp\bd581ef6101ad92557c142d1dad2a42f4980174cd5e7ffa5a291c35748a6abc4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\fflrrrx.exec:\fflrrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\3xlxxlr.exec:\3xlxxlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\1pdvv.exec:\1pdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\nhtnnh.exec:\nhtnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\dvvjv.exec:\dvvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\1vvpj.exec:\1vvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\hntnht.exec:\hntnht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\jjjdv.exec:\jjjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\ddvpj.exec:\ddvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\nnbtht.exec:\nnbtht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\httnhn.exec:\httnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\vdpjd.exec:\vdpjd.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:364 -
\??\c:\xlxlllf.exec:\xlxlllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\dvpvp.exec:\dvpvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\flrlllf.exec:\flrlllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\nnnhtn.exec:\nnnhtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\bttnhh.exec:\bttnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\9pvvv.exec:\9pvvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\jjpjj.exec:\jjpjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\1tbhhh.exec:\1tbhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\5rrrlrl.exec:\5rrrlrl.exe23⤵
- Executes dropped EXE
PID:2028 -
\??\c:\vdppj.exec:\vdppj.exe24⤵
- Executes dropped EXE
PID:644 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe25⤵
- Executes dropped EXE
PID:4276 -
\??\c:\vpppd.exec:\vpppd.exe26⤵
- Executes dropped EXE
PID:1840 -
\??\c:\ntnhnt.exec:\ntnhnt.exe27⤵
- Executes dropped EXE
PID:2096 -
\??\c:\tttnhn.exec:\tttnhn.exe28⤵
- Executes dropped EXE
PID:2280 -
\??\c:\vvvdd.exec:\vvvdd.exe29⤵
- Executes dropped EXE
PID:4868 -
\??\c:\lxxlrlx.exec:\lxxlrlx.exe30⤵
- Executes dropped EXE
PID:1784 -
\??\c:\fxfxffx.exec:\fxfxffx.exe31⤵
- Executes dropped EXE
PID:3176 -
\??\c:\vjpjj.exec:\vjpjj.exe32⤵
- Executes dropped EXE
PID:1164 -
\??\c:\ddvvv.exec:\ddvvv.exe33⤵
- Executes dropped EXE
PID:1644 -
\??\c:\5xxxxxx.exec:\5xxxxxx.exe34⤵
- Executes dropped EXE
PID:2700 -
\??\c:\btttnn.exec:\btttnn.exe35⤵
- Executes dropped EXE
PID:4856 -
\??\c:\xlllrlx.exec:\xlllrlx.exe36⤵
- Executes dropped EXE
PID:2712 -
\??\c:\hhbtbb.exec:\hhbtbb.exe37⤵
- Executes dropped EXE
PID:2208 -
\??\c:\dvddv.exec:\dvddv.exe38⤵
- Executes dropped EXE
PID:380 -
\??\c:\3bnhhn.exec:\3bnhhn.exe39⤵
- Executes dropped EXE
PID:3528 -
\??\c:\jvpjj.exec:\jvpjj.exe40⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ffxrfxf.exec:\ffxrfxf.exe41⤵
- Executes dropped EXE
PID:3472 -
\??\c:\hntbhb.exec:\hntbhb.exe42⤵
- Executes dropped EXE
PID:5016 -
\??\c:\jvdpj.exec:\jvdpj.exe43⤵
- Executes dropped EXE
PID:2740 -
\??\c:\lrrrxxx.exec:\lrrrxxx.exe44⤵
- Executes dropped EXE
PID:4444 -
\??\c:\bhhhhb.exec:\bhhhhb.exe45⤵
- Executes dropped EXE
PID:2056 -
\??\c:\djpjj.exec:\djpjj.exe46⤵
- Executes dropped EXE
PID:3640 -
\??\c:\1rrllll.exec:\1rrllll.exe47⤵
- Executes dropped EXE
PID:4352 -
\??\c:\ttbhnt.exec:\ttbhnt.exe48⤵
- Executes dropped EXE
PID:4852 -
\??\c:\dpppp.exec:\dpppp.exe49⤵
- Executes dropped EXE
PID:2868 -
\??\c:\1rrllll.exec:\1rrllll.exe50⤵
- Executes dropped EXE
PID:2308 -
\??\c:\lxlllrx.exec:\lxlllrx.exe51⤵
- Executes dropped EXE
PID:4884 -
\??\c:\ttbttt.exec:\ttbttt.exe52⤵
- Executes dropped EXE
PID:4804 -
\??\c:\djpvv.exec:\djpvv.exe53⤵
- Executes dropped EXE
PID:3908 -
\??\c:\bhhhtn.exec:\bhhhtn.exe54⤵
- Executes dropped EXE
PID:3012 -
\??\c:\jpppp.exec:\jpppp.exe55⤵
- Executes dropped EXE
PID:5012 -
\??\c:\fxrlfll.exec:\fxrlfll.exe56⤵
- Executes dropped EXE
PID:4580 -
\??\c:\lffxxxx.exec:\lffxxxx.exe57⤵
- Executes dropped EXE
PID:112 -
\??\c:\1pppp.exec:\1pppp.exe58⤵
- Executes dropped EXE
PID:3532 -
\??\c:\rxxxrrr.exec:\rxxxrrr.exe59⤵
- Executes dropped EXE
PID:1856 -
\??\c:\bbbttt.exec:\bbbttt.exe60⤵
- Executes dropped EXE
PID:3804 -
\??\c:\pjvpp.exec:\pjvpp.exe61⤵
- Executes dropped EXE
PID:2872 -
\??\c:\3rxxrxf.exec:\3rxxrxf.exe62⤵
- Executes dropped EXE
PID:4840 -
\??\c:\bbnntb.exec:\bbnntb.exe63⤵
- Executes dropped EXE
PID:2724 -
\??\c:\vpdvp.exec:\vpdvp.exe64⤵
- Executes dropped EXE
PID:1192 -
\??\c:\9pvvv.exec:\9pvvv.exe65⤵
- Executes dropped EXE
PID:1464 -
\??\c:\fflllll.exec:\fflllll.exe66⤵PID:400
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe67⤵PID:3020
-
\??\c:\hbhnnt.exec:\hbhnnt.exe68⤵PID:1748
-
\??\c:\5vddj.exec:\5vddj.exe69⤵PID:2804
-
\??\c:\5xrfffl.exec:\5xrfffl.exe70⤵PID:4920
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe71⤵PID:2052
-
\??\c:\nbhhbb.exec:\nbhhbb.exe72⤵PID:3300
-
\??\c:\pvdvv.exec:\pvdvv.exe73⤵PID:468
-
\??\c:\lxlflfl.exec:\lxlflfl.exe74⤵PID:3516
-
\??\c:\rflffxx.exec:\rflffxx.exe75⤵PID:372
-
\??\c:\hnttbb.exec:\hnttbb.exe76⤵PID:2888
-
\??\c:\thnhbb.exec:\thnhbb.exe77⤵PID:1448
-
\??\c:\pjdjp.exec:\pjdjp.exe78⤵PID:436
-
\??\c:\lxlrrfl.exec:\lxlrrfl.exe79⤵PID:644
-
\??\c:\nbnbnn.exec:\nbnbnn.exe80⤵PID:4104
-
\??\c:\hbnbth.exec:\hbnbth.exe81⤵PID:2372
-
\??\c:\pjddd.exec:\pjddd.exe82⤵PID:2280
-
\??\c:\llrllll.exec:\llrllll.exe83⤵PID:4636
-
\??\c:\xflllll.exec:\xflllll.exe84⤵PID:4612
-
\??\c:\hnhhhh.exec:\hnhhhh.exe85⤵PID:4440
-
\??\c:\bbbttt.exec:\bbbttt.exe86⤵PID:3676
-
\??\c:\1vvdd.exec:\1vvdd.exe87⤵PID:964
-
\??\c:\flrllrr.exec:\flrllrr.exe88⤵PID:2636
-
\??\c:\xlrrrxx.exec:\xlrrrxx.exe89⤵PID:2832
-
\??\c:\3vvvp.exec:\3vvvp.exe90⤵PID:380
-
\??\c:\9rxrlrf.exec:\9rxrlrf.exe91⤵PID:3528
-
\??\c:\tbhhhh.exec:\tbhhhh.exe92⤵PID:452
-
\??\c:\5jvpp.exec:\5jvpp.exe93⤵PID:992
-
\??\c:\llrxrrr.exec:\llrxrrr.exe94⤵PID:3028
-
\??\c:\1bbthb.exec:\1bbthb.exe95⤵PID:1700
-
\??\c:\jjvpp.exec:\jjvpp.exe96⤵PID:3132
-
\??\c:\xrfffff.exec:\xrfffff.exe97⤵PID:100
-
\??\c:\9tntnb.exec:\9tntnb.exe98⤵PID:4404
-
\??\c:\1thhhh.exec:\1thhhh.exe99⤵PID:2660
-
\??\c:\ppdpj.exec:\ppdpj.exe100⤵PID:4852
-
\??\c:\fxlffrr.exec:\fxlffrr.exe101⤵PID:4712
-
\??\c:\nbnhhn.exec:\nbnhhn.exe102⤵PID:4800
-
\??\c:\bnbhbb.exec:\bnbhbb.exe103⤵PID:3928
-
\??\c:\vppjj.exec:\vppjj.exe104⤵
- System Location Discovery: System Language Discovery
PID:2592 -
\??\c:\llrlflx.exec:\llrlflx.exe105⤵PID:840
-
\??\c:\ffffxxr.exec:\ffffxxr.exe106⤵PID:1056
-
\??\c:\bbtnnn.exec:\bbtnnn.exe107⤵PID:116
-
\??\c:\jdjdj.exec:\jdjdj.exe108⤵PID:3764
-
\??\c:\rxlxlxx.exec:\rxlxlxx.exe109⤵PID:4472
-
\??\c:\xfrrrrr.exec:\xfrrrrr.exe110⤵PID:112
-
\??\c:\bttnhn.exec:\bttnhn.exe111⤵PID:3532
-
\??\c:\pjjpj.exec:\pjjpj.exe112⤵PID:1856
-
\??\c:\jpdpp.exec:\jpdpp.exe113⤵PID:3804
-
\??\c:\9xfffll.exec:\9xfffll.exe114⤵PID:2872
-
\??\c:\tnbthn.exec:\tnbthn.exe115⤵PID:4840
-
\??\c:\hhbtnn.exec:\hhbtnn.exe116⤵PID:4880
-
\??\c:\lflfffx.exec:\lflfffx.exe117⤵PID:1192
-
\??\c:\lflffff.exec:\lflffff.exe118⤵PID:3968
-
\??\c:\ttbthb.exec:\ttbthb.exe119⤵PID:3672
-
\??\c:\vvjpp.exec:\vvjpp.exe120⤵PID:3604
-
\??\c:\lffxlrr.exec:\lffxlrr.exe121⤵PID:2692
-
\??\c:\hbbttt.exec:\hbbttt.exe122⤵PID:2804