Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe
-
Size
453KB
-
MD5
82b621c3b330f9263a847ed8bcf6e2ef
-
SHA1
e406e62e1e15012c52d2dfc6027e9e0498adeaa2
-
SHA256
a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c
-
SHA512
a25c39abec151e031fce45c4d10724da9adfd48a3c8bd04b0644886ee8ef62106a290657c4a0683225c3a1606461552d2e728308bcd50f41bdb256dd56368adc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4808-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2404-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2020-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-1181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-1242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2064 lxrlxrx.exe 1360 hbnnnn.exe 320 1pvpj.exe 3988 xrxrlfx.exe 2356 rflfrlf.exe 1512 hbnbtn.exe 2192 vdjvd.exe 3024 lxxfrlf.exe 1552 nttnhb.exe 4120 jpvdj.exe 4568 lxfxrll.exe 1944 tnthth.exe 4100 5bnbnh.exe 5016 jvjdp.exe 4748 rfffrlf.exe 3788 1vdpd.exe 4180 pdvpj.exe 3460 hbthbt.exe 3056 pddpd.exe 5012 xfxrlfr.exe 4792 bbhthb.exe 964 hbnbnh.exe 4204 pvvpd.exe 5088 7rrfrll.exe 2020 hhhbnh.exe 1060 vvpjv.exe 3304 jddpp.exe 4140 rffrxrf.exe 452 bhhbnh.exe 4080 3pdpv.exe 3092 ffxrrlf.exe 1248 bnhbth.exe 4012 ppdvp.exe 1396 vjjvj.exe 3964 jjddv.exe 4136 bnnnth.exe 4988 bbthtn.exe 1988 jvpdv.exe 1296 xllxfxr.exe 2300 xrlfrrf.exe 4424 jdjdv.exe 3144 9llfrrl.exe 2736 1xlffxr.exe 1704 htbtbb.exe 2404 3jvpj.exe 4372 xrllxxr.exe 1224 lllfrrl.exe 2856 bnhhbb.exe 2964 7jdvj.exe 4092 fffrfrx.exe 4516 1xrllfx.exe 4540 tbtttt.exe 1316 pjjvj.exe 3972 ppppp.exe 3872 rffrxlr.exe 2516 nthbnh.exe 3648 djpjj.exe 1476 vppdd.exe 2356 frfxrlr.exe 3800 nhnbht.exe 1464 jjjdv.exe 1268 7lfrrrl.exe 4740 nhtthb.exe 3396 nbbtnh.exe -
resource yara_rule behavioral2/memory/4808-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-237-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2404-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4792-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-748-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbhn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4808 wrote to memory of 2064 4808 a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe 83 PID 4808 wrote to memory of 2064 4808 a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe 83 PID 4808 wrote to memory of 2064 4808 a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe 83 PID 2064 wrote to memory of 1360 2064 lxrlxrx.exe 84 PID 2064 wrote to memory of 1360 2064 lxrlxrx.exe 84 PID 2064 wrote to memory of 1360 2064 lxrlxrx.exe 84 PID 1360 wrote to memory of 320 1360 hbnnnn.exe 85 PID 1360 wrote to memory of 320 1360 hbnnnn.exe 85 PID 1360 wrote to memory of 320 1360 hbnnnn.exe 85 PID 320 wrote to memory of 3988 320 1pvpj.exe 86 PID 320 wrote to memory of 3988 320 1pvpj.exe 86 PID 320 wrote to memory of 3988 320 1pvpj.exe 86 PID 3988 wrote to memory of 2356 3988 xrxrlfx.exe 141 PID 3988 wrote to memory of 2356 3988 xrxrlfx.exe 141 PID 3988 wrote to memory of 2356 3988 xrxrlfx.exe 141 PID 2356 wrote to memory of 1512 2356 rflfrlf.exe 88 PID 2356 wrote to memory of 1512 2356 rflfrlf.exe 88 PID 2356 wrote to memory of 1512 2356 rflfrlf.exe 88 PID 1512 wrote to memory of 2192 1512 hbnbtn.exe 210 PID 1512 wrote to memory of 2192 1512 hbnbtn.exe 210 PID 1512 wrote to memory of 2192 1512 hbnbtn.exe 210 PID 2192 wrote to memory of 3024 2192 vdjvd.exe 211 PID 2192 wrote to memory of 3024 2192 vdjvd.exe 211 PID 2192 wrote to memory of 3024 2192 vdjvd.exe 211 PID 3024 wrote to memory of 1552 3024 lxxfrlf.exe 91 PID 3024 wrote to memory of 1552 3024 lxxfrlf.exe 91 PID 3024 wrote to memory of 1552 3024 lxxfrlf.exe 91 PID 1552 wrote to memory of 4120 1552 nttnhb.exe 92 PID 1552 wrote to memory of 4120 1552 nttnhb.exe 92 PID 1552 wrote to memory of 4120 1552 nttnhb.exe 92 PID 4120 wrote to memory of 4568 4120 jpvdj.exe 93 PID 4120 wrote to memory of 4568 4120 jpvdj.exe 93 PID 4120 wrote to memory of 4568 4120 jpvdj.exe 93 PID 4568 wrote to memory of 1944 4568 lxfxrll.exe 94 PID 4568 wrote 
to memory of 1944 4568 lxfxrll.exe 94 PID 4568 wrote to memory of 1944 4568 lxfxrll.exe 94 PID 1944 wrote to memory of 4100 1944 tnthth.exe 218 PID 1944 wrote to memory of 4100 1944 tnthth.exe 218 PID 1944 wrote to memory of 4100 1944 tnthth.exe 218 PID 4100 wrote to memory of 5016 4100 5bnbnh.exe 96 PID 4100 wrote to memory of 5016 4100 5bnbnh.exe 96 PID 4100 wrote to memory of 5016 4100 5bnbnh.exe 96 PID 5016 wrote to memory of 4748 5016 jvjdp.exe 221 PID 5016 wrote to memory of 4748 5016 jvjdp.exe 221 PID 5016 wrote to memory of 4748 5016 jvjdp.exe 221 PID 4748 wrote to memory of 3788 4748 rfffrlf.exe 222 PID 4748 wrote to memory of 3788 4748 rfffrlf.exe 222 PID 4748 wrote to memory of 3788 4748 rfffrlf.exe 222 PID 3788 wrote to memory of 4180 3788 1vdpd.exe 99 PID 3788 wrote to memory of 4180 3788 1vdpd.exe 99 PID 3788 wrote to memory of 4180 3788 1vdpd.exe 99 PID 4180 wrote to memory of 3460 4180 pdvpj.exe 100 PID 4180 wrote to memory of 3460 4180 pdvpj.exe 100 PID 4180 wrote to memory of 3460 4180 pdvpj.exe 100 PID 3460 wrote to memory of 3056 3460 hbthbt.exe 101 PID 3460 wrote to memory of 3056 3460 hbthbt.exe 101 PID 3460 wrote to memory of 3056 3460 hbthbt.exe 101 PID 3056 wrote to memory of 5012 3056 pddpd.exe 102 PID 3056 wrote to memory of 5012 3056 pddpd.exe 102 PID 3056 wrote to memory of 5012 3056 pddpd.exe 102 PID 5012 wrote to memory of 4792 5012 xfxrlfr.exe 103 PID 5012 wrote to memory of 4792 5012 xfxrlfr.exe 103 PID 5012 wrote to memory of 4792 5012 xfxrlfr.exe 103 PID 4792 wrote to memory of 964 4792 bbhthb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe"C:\Users\Admin\AppData\Local\Temp\a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\lxrlxrx.exec:\lxrlxrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\hbnnnn.exec:\hbnnnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\1pvpj.exec:\1pvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\rflfrlf.exec:\rflfrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\hbnbtn.exec:\hbnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\vdjvd.exec:\vdjvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\lxxfrlf.exec:\lxxfrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\nttnhb.exec:\nttnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\jpvdj.exec:\jpvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\lxfxrll.exec:\lxfxrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\tnthth.exec:\tnthth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\5bnbnh.exec:\5bnbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\jvjdp.exec:\jvjdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\rfffrlf.exec:\rfffrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\1vdpd.exec:\1vdpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\pdvpj.exec:\pdvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\hbthbt.exec:\hbthbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\pddpd.exec:\pddpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\xfxrlfr.exec:\xfxrlfr.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\bbhthb.exec:\bbhthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\hbnbnh.exec:\hbnbnh.exe23⤵
- Executes dropped EXE
PID:964 -
\??\c:\pvvpd.exec:\pvvpd.exe24⤵
- Executes dropped EXE
PID:4204 -
\??\c:\7rrfrll.exec:\7rrfrll.exe25⤵
- Executes dropped EXE
PID:5088 -
\??\c:\hhhbnh.exec:\hhhbnh.exe26⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vvpjv.exec:\vvpjv.exe27⤵
- Executes dropped EXE
PID:1060 -
\??\c:\jddpp.exec:\jddpp.exe28⤵
- Executes dropped EXE
PID:3304 -
\??\c:\rffrxrf.exec:\rffrxrf.exe29⤵
- Executes dropped EXE
PID:4140 -
\??\c:\bhhbnh.exec:\bhhbnh.exe30⤵
- Executes dropped EXE
PID:452 -
\??\c:\3pdpv.exec:\3pdpv.exe31⤵
- Executes dropped EXE
PID:4080 -
\??\c:\ffxrrlf.exec:\ffxrrlf.exe32⤵
- Executes dropped EXE
PID:3092 -
\??\c:\bnhbth.exec:\bnhbth.exe33⤵
- Executes dropped EXE
PID:1248 -
\??\c:\ppdvp.exec:\ppdvp.exe34⤵
- Executes dropped EXE
PID:4012 -
\??\c:\vjjvj.exec:\vjjvj.exe35⤵
- Executes dropped EXE
PID:1396 -
\??\c:\jjddv.exec:\jjddv.exe36⤵
- Executes dropped EXE
PID:3964 -
\??\c:\bnnnth.exec:\bnnnth.exe37⤵
- Executes dropped EXE
PID:4136 -
\??\c:\bbthtn.exec:\bbthtn.exe38⤵
- Executes dropped EXE
PID:4988 -
\??\c:\jvpdv.exec:\jvpdv.exe39⤵
- Executes dropped EXE
PID:1988 -
\??\c:\xllxfxr.exec:\xllxfxr.exe40⤵
- Executes dropped EXE
PID:1296 -
\??\c:\xrlfrrf.exec:\xrlfrrf.exe41⤵
- Executes dropped EXE
PID:2300 -
\??\c:\jdjdv.exec:\jdjdv.exe42⤵
- Executes dropped EXE
PID:4424 -
\??\c:\9llfrrl.exec:\9llfrrl.exe43⤵
- Executes dropped EXE
PID:3144 -
\??\c:\1xlffxr.exec:\1xlffxr.exe44⤵
- Executes dropped EXE
PID:2736 -
\??\c:\htbtbb.exec:\htbtbb.exe45⤵
- Executes dropped EXE
PID:1704 -
\??\c:\3jvpj.exec:\3jvpj.exe46⤵
- Executes dropped EXE
PID:2404 -
\??\c:\xrllxxr.exec:\xrllxxr.exe47⤵
- Executes dropped EXE
PID:4372 -
\??\c:\lllfrrl.exec:\lllfrrl.exe48⤵
- Executes dropped EXE
PID:1224 -
\??\c:\bnhhbb.exec:\bnhhbb.exe49⤵
- Executes dropped EXE
PID:2856 -
\??\c:\7jdvj.exec:\7jdvj.exe50⤵
- Executes dropped EXE
PID:2964 -
\??\c:\fffrfrx.exec:\fffrfrx.exe51⤵
- Executes dropped EXE
PID:4092 -
\??\c:\1xrllfx.exec:\1xrllfx.exe52⤵
- Executes dropped EXE
PID:4516 -
\??\c:\tbtttt.exec:\tbtttt.exe53⤵
- Executes dropped EXE
PID:4540 -
\??\c:\pjjvj.exec:\pjjvj.exe54⤵
- Executes dropped EXE
PID:1316 -
\??\c:\ppppp.exec:\ppppp.exe55⤵
- Executes dropped EXE
PID:3972 -
\??\c:\rffrxlr.exec:\rffrxlr.exe56⤵
- Executes dropped EXE
PID:3872 -
\??\c:\nthbnh.exec:\nthbnh.exe57⤵
- Executes dropped EXE
PID:2516 -
\??\c:\djpjj.exec:\djpjj.exe58⤵
- Executes dropped EXE
PID:3648 -
\??\c:\vppdd.exec:\vppdd.exe59⤵
- Executes dropped EXE
PID:1476 -
\??\c:\frfxrlr.exec:\frfxrlr.exe60⤵
- Executes dropped EXE
PID:2356 -
\??\c:\nhnbht.exec:\nhnbht.exe61⤵
- Executes dropped EXE
PID:3800 -
\??\c:\jjjdv.exec:\jjjdv.exe62⤵
- Executes dropped EXE
PID:1464 -
\??\c:\7lfrrrl.exec:\7lfrrrl.exe63⤵
- Executes dropped EXE
PID:1268 -
\??\c:\nhtthb.exec:\nhtthb.exe64⤵
- Executes dropped EXE
PID:4740 -
\??\c:\nbbtnh.exec:\nbbtnh.exe65⤵
- Executes dropped EXE
PID:3396 -
\??\c:\vdjdv.exec:\vdjdv.exe66⤵PID:4828
-
\??\c:\frrfrfr.exec:\frrfrfr.exe67⤵PID:1540
-
\??\c:\ttnnhn.exec:\ttnnhn.exe68⤵PID:4400
-
\??\c:\3nbttt.exec:\3nbttt.exe69⤵PID:4060
-
\??\c:\pppvv.exec:\pppvv.exe70⤵PID:1612
-
\??\c:\jvjdp.exec:\jvjdp.exe71⤵PID:1116
-
\??\c:\fxxxxrr.exec:\fxxxxrr.exe72⤵PID:3408
-
\??\c:\9llfxxr.exec:\9llfxxr.exe73⤵PID:4620
-
\??\c:\5hnhhh.exec:\5hnhhh.exe74⤵PID:2464
-
\??\c:\vddvp.exec:\vddvp.exe75⤵PID:3908
-
\??\c:\pppjd.exec:\pppjd.exe76⤵PID:2984
-
\??\c:\xxxxlfl.exec:\xxxxlfl.exe77⤵PID:228
-
\??\c:\5bbbtt.exec:\5bbbtt.exe78⤵PID:4572
-
\??\c:\vpjjv.exec:\vpjjv.exe79⤵PID:3076
-
\??\c:\vjjvp.exec:\vjjvp.exe80⤵PID:5012
-
\??\c:\7rrlllf.exec:\7rrlllf.exe81⤵PID:4792
-
\??\c:\xlrrllf.exec:\xlrrllf.exe82⤵PID:3412
-
\??\c:\hnhtnt.exec:\hnhtnt.exe83⤵PID:4064
-
\??\c:\djpdd.exec:\djpdd.exe84⤵PID:2788
-
\??\c:\3jjdp.exec:\3jjdp.exe85⤵PID:5088
-
\??\c:\1flfrrl.exec:\1flfrrl.exe86⤵PID:1984
-
\??\c:\fllrrrl.exec:\fllrrrl.exe87⤵PID:1060
-
\??\c:\thbttn.exec:\thbttn.exe88⤵PID:3304
-
\??\c:\vjpjj.exec:\vjpjj.exe89⤵PID:1688
-
\??\c:\djjdd.exec:\djjdd.exe90⤵PID:908
-
\??\c:\5lrlxrr.exec:\5lrlxrr.exe91⤵PID:2312
-
\??\c:\rfllffx.exec:\rfllffx.exe92⤵PID:1992
-
\??\c:\hbbbnt.exec:\hbbbnt.exe93⤵PID:632
-
\??\c:\dpvdv.exec:\dpvdv.exe94⤵PID:864
-
\??\c:\jvvpd.exec:\jvvpd.exe95⤵PID:1716
-
\??\c:\rxfrrlx.exec:\rxfrrlx.exe96⤵PID:1288
-
\??\c:\9tbnbb.exec:\9tbnbb.exe97⤵PID:3720
-
\??\c:\3nthtn.exec:\3nthtn.exe98⤵PID:2044
-
\??\c:\jddpj.exec:\jddpj.exe99⤵PID:1156
-
\??\c:\lrlfxfl.exec:\lrlfxfl.exe100⤵PID:3332
-
\??\c:\tbhtnh.exec:\tbhtnh.exe101⤵PID:3968
-
\??\c:\pddpd.exec:\pddpd.exe102⤵PID:4988
-
\??\c:\vpdvv.exec:\vpdvv.exe103⤵PID:1880
-
\??\c:\9lrxlxr.exec:\9lrxlxr.exe104⤵PID:4984
-
\??\c:\btbbbt.exec:\btbbbt.exe105⤵PID:4192
-
\??\c:\nbhnnb.exec:\nbhnnb.exe106⤵PID:1016
-
\??\c:\jjjvd.exec:\jjjvd.exe107⤵PID:4424
-
\??\c:\lffxrlr.exec:\lffxrlr.exe108⤵PID:3436
-
\??\c:\lfrrffx.exec:\lfrrffx.exe109⤵PID:3172
-
\??\c:\tthtnh.exec:\tthtnh.exe110⤵PID:3528
-
\??\c:\vpvjv.exec:\vpvjv.exe111⤵PID:936
-
\??\c:\5vpdj.exec:\5vpdj.exe112⤵PID:3464
-
\??\c:\fxrrlxr.exec:\fxrrlxr.exe113⤵PID:60
-
\??\c:\hnnnhb.exec:\hnnnhb.exe114⤵PID:2400
-
\??\c:\bbtnnh.exec:\bbtnnh.exe115⤵PID:2504
-
\??\c:\dvdjd.exec:\dvdjd.exe116⤵PID:1856
-
\??\c:\lllrflf.exec:\lllrflf.exe117⤵PID:4092
-
\??\c:\rrfffxl.exec:\rrfffxl.exe118⤵PID:4544
-
\??\c:\nhhhbh.exec:\nhhhbh.exe119⤵PID:4540
-
\??\c:\dddvd.exec:\dddvd.exe120⤵PID:1492
-
\??\c:\ppdvj.exec:\ppdvj.exe121⤵PID:4132
-
\??\c:\fxxxrxl.exec:\fxxxrxl.exe122⤵PID:920