Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 02:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe
-
Size
454KB
-
MD5
e1258f33e37bb8e85519387e4160093e
-
SHA1
2b1ff1bd8a4f316580dc51e2b0bf7933415024c7
-
SHA256
8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2
-
SHA512
61ca0decd6a4408585497ca2396522a166c74fe39bed95d7647dcfc0ede5906b2a549134f557aa5ba81653df4e23907051117bab59599fc058d1660fef37d823
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4368-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4612-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4192-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-1044-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-1242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2452-1473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4368 5dpjd.exe 3624 xrfxxxf.exe 4568 3hhbtt.exe 3588 nhnhbb.exe 4116 jvvpj.exe 1980 nhhnbh.exe 5012 3jjdp.exe 1288 lxxrffx.exe 2700 ttnhbb.exe 1132 nbhtbb.exe 3208 5ddvp.exe 1748 lllfrrl.exe 444 lrrlffx.exe 3556 1tbtnn.exe 1208 vpjdv.exe 3816 9vdpj.exe 4620 rlrlxrl.exe 2768 bhhbbt.exe 4260 jjvdj.exe 1020 3ddvj.exe 2660 lfxrlfx.exe 2380 nhhtth.exe 2820 hhnhtt.exe 3648 9lfxrrr.exe 3076 lxxrlff.exe 5004 hbbtnn.exe 4032 pdpdv.exe 4224 pvdpd.exe 3716 xrrlllf.exe 3396 7tnhbn.exe 4696 jdjvd.exe 3200 5llfxxr.exe 4784 frrlfxr.exe 2436 7hnhhh.exe 1384 jdddv.exe 3288 lffffll.exe 4884 bbttnh.exe 4160 hnnhtt.exe 2708 9vpjv.exe 4916 frrlffx.exe 4748 llxxfxl.exe 2520 bntnhn.exe 5088 jpvdv.exe 4192 rllxxrr.exe 3132 rlffxxf.exe 3248 ddvdd.exe 2624 3pvjv.exe 2416 rxfrfrl.exe 4740 7bnbhb.exe 4472 1nhtnh.exe 4448 dpvvv.exe 4220 lxrllff.exe 3964 bththb.exe 4596 3djvp.exe 3596 jvvpd.exe 4592 9xxrflf.exe 4688 rxrfrlx.exe 2032 nnbttb.exe 4100 pppjd.exe 3984 dvvpd.exe 380 9xlxlfx.exe 1656 5xrfrlf.exe 4464 hnhbnh.exe 976 ddvpv.exe -
resource yara_rule behavioral2/memory/4368-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-436-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4612-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-204-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4696-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-49-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 4368 2272 8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe 83 PID 2272 wrote to memory of 4368 2272 8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe 83 PID 2272 wrote to memory of 4368 2272 8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe 83 PID 4368 wrote to memory of 3624 4368 5dpjd.exe 84 PID 4368 wrote to memory of 3624 4368 5dpjd.exe 84 PID 4368 wrote to memory of 3624 4368 5dpjd.exe 84 PID 3624 wrote to memory of 4568 3624 xrfxxxf.exe 85 PID 3624 wrote to memory of 4568 3624 xrfxxxf.exe 85 PID 3624 wrote to memory of 4568 3624 xrfxxxf.exe 85 PID 4568 wrote to memory of 3588 4568 3hhbtt.exe 86 PID 4568 wrote to memory of 3588 4568 3hhbtt.exe 86 PID 4568 wrote to memory of 3588 4568 3hhbtt.exe 86 PID 3588 wrote to memory of 4116 3588 nhnhbb.exe 87 PID 3588 wrote to memory of 4116 3588 nhnhbb.exe 87 PID 3588 wrote to memory of 4116 3588 nhnhbb.exe 87 PID 4116 wrote to memory of 1980 4116 jvvpj.exe 88 PID 4116 wrote to memory of 1980 4116 jvvpj.exe 88 PID 4116 wrote to memory of 1980 4116 jvvpj.exe 88 PID 1980 wrote to memory of 5012 1980 nhhnbh.exe 89 PID 1980 wrote to memory of 5012 1980 nhhnbh.exe 89 PID 1980 wrote to memory of 5012 1980 nhhnbh.exe 89 PID 5012 wrote to memory of 1288 5012 3jjdp.exe 90 PID 5012 wrote to memory of 1288 5012 3jjdp.exe 90 PID 5012 wrote to memory of 1288 5012 3jjdp.exe 90 PID 1288 wrote to memory of 2700 1288 lxxrffx.exe 91 PID 1288 wrote to memory of 2700 1288 lxxrffx.exe 91 PID 1288 wrote to memory of 2700 1288 lxxrffx.exe 91 PID 2700 wrote to memory of 1132 2700 ttnhbb.exe 92 PID 2700 wrote to memory of 1132 2700 ttnhbb.exe 92 PID 2700 wrote to memory of 1132 2700 ttnhbb.exe 92 PID 1132 wrote to memory of 3208 1132 nbhtbb.exe 93 PID 1132 wrote to memory of 3208 1132 nbhtbb.exe 93 PID 1132 wrote to memory of 3208 1132 nbhtbb.exe 93 PID 3208 wrote to memory of 1748 3208 5ddvp.exe 94 PID 3208 wrote to 
memory of 1748 3208 5ddvp.exe 94 PID 3208 wrote to memory of 1748 3208 5ddvp.exe 94 PID 1748 wrote to memory of 444 1748 lllfrrl.exe 95 PID 1748 wrote to memory of 444 1748 lllfrrl.exe 95 PID 1748 wrote to memory of 444 1748 lllfrrl.exe 95 PID 444 wrote to memory of 3556 444 lrrlffx.exe 96 PID 444 wrote to memory of 3556 444 lrrlffx.exe 96 PID 444 wrote to memory of 3556 444 lrrlffx.exe 96 PID 3556 wrote to memory of 1208 3556 1tbtnn.exe 97 PID 3556 wrote to memory of 1208 3556 1tbtnn.exe 97 PID 3556 wrote to memory of 1208 3556 1tbtnn.exe 97 PID 1208 wrote to memory of 3816 1208 vpjdv.exe 98 PID 1208 wrote to memory of 3816 1208 vpjdv.exe 98 PID 1208 wrote to memory of 3816 1208 vpjdv.exe 98 PID 3816 wrote to memory of 4620 3816 9vdpj.exe 99 PID 3816 wrote to memory of 4620 3816 9vdpj.exe 99 PID 3816 wrote to memory of 4620 3816 9vdpj.exe 99 PID 4620 wrote to memory of 2768 4620 rlrlxrl.exe 155 PID 4620 wrote to memory of 2768 4620 rlrlxrl.exe 155 PID 4620 wrote to memory of 2768 4620 rlrlxrl.exe 155 PID 2768 wrote to memory of 4260 2768 bhhbbt.exe 101 PID 2768 wrote to memory of 4260 2768 bhhbbt.exe 101 PID 2768 wrote to memory of 4260 2768 bhhbbt.exe 101 PID 4260 wrote to memory of 1020 4260 jjvdj.exe 102 PID 4260 wrote to memory of 1020 4260 jjvdj.exe 102 PID 4260 wrote to memory of 1020 4260 jjvdj.exe 102 PID 1020 wrote to memory of 2660 1020 3ddvj.exe 103 PID 1020 wrote to memory of 2660 1020 3ddvj.exe 103 PID 1020 wrote to memory of 2660 1020 3ddvj.exe 103 PID 2660 wrote to memory of 2380 2660 lfxrlfx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe"C:\Users\Admin\AppData\Local\Temp\8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\5dpjd.exec:\5dpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\xrfxxxf.exec:\xrfxxxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\3hhbtt.exec:\3hhbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\nhnhbb.exec:\nhnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\jvvpj.exec:\jvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\nhhnbh.exec:\nhhnbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\3jjdp.exec:\3jjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\lxxrffx.exec:\lxxrffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\ttnhbb.exec:\ttnhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\nbhtbb.exec:\nbhtbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\5ddvp.exec:\5ddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\lllfrrl.exec:\lllfrrl.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\lrrlffx.exec:\lrrlffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\1tbtnn.exec:\1tbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\vpjdv.exec:\vpjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\9vdpj.exec:\9vdpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\rlrlxrl.exec:\rlrlxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\bhhbbt.exec:\bhhbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\jjvdj.exec:\jjvdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\3ddvj.exec:\3ddvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\nhhtth.exec:\nhhtth.exe23⤵
- Executes dropped EXE
PID:2380 -
\??\c:\hhnhtt.exec:\hhnhtt.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
\??\c:\9lfxrrr.exec:\9lfxrrr.exe25⤵
- Executes dropped EXE
PID:3648 -
\??\c:\lxxrlff.exec:\lxxrlff.exe26⤵
- Executes dropped EXE
PID:3076 -
\??\c:\hbbtnn.exec:\hbbtnn.exe27⤵
- Executes dropped EXE
PID:5004 -
\??\c:\pdpdv.exec:\pdpdv.exe28⤵
- Executes dropped EXE
PID:4032 -
\??\c:\pvdpd.exec:\pvdpd.exe29⤵
- Executes dropped EXE
PID:4224 -
\??\c:\xrrlllf.exec:\xrrlllf.exe30⤵
- Executes dropped EXE
PID:3716 -
\??\c:\7tnhbn.exec:\7tnhbn.exe31⤵
- Executes dropped EXE
PID:3396 -
\??\c:\jdjvd.exec:\jdjvd.exe32⤵
- Executes dropped EXE
PID:4696 -
\??\c:\5llfxxr.exec:\5llfxxr.exe33⤵
- Executes dropped EXE
PID:3200 -
\??\c:\frrlfxr.exec:\frrlfxr.exe34⤵
- Executes dropped EXE
PID:4784 -
\??\c:\7hnhhh.exec:\7hnhhh.exe35⤵
- Executes dropped EXE
PID:2436 -
\??\c:\jdddv.exec:\jdddv.exe36⤵
- Executes dropped EXE
PID:1384 -
\??\c:\lffffll.exec:\lffffll.exe37⤵
- Executes dropped EXE
PID:3288 -
\??\c:\bbttnh.exec:\bbttnh.exe38⤵
- Executes dropped EXE
PID:4884 -
\??\c:\hnnhtt.exec:\hnnhtt.exe39⤵
- Executes dropped EXE
PID:4160 -
\??\c:\9vpjv.exec:\9vpjv.exe40⤵
- Executes dropped EXE
PID:2708 -
\??\c:\frrlffx.exec:\frrlffx.exe41⤵
- Executes dropped EXE
PID:4916 -
\??\c:\llxxfxl.exec:\llxxfxl.exe42⤵
- Executes dropped EXE
PID:4748 -
\??\c:\bntnhn.exec:\bntnhn.exe43⤵
- Executes dropped EXE
PID:2520 -
\??\c:\jpvdv.exec:\jpvdv.exe44⤵
- Executes dropped EXE
PID:5088 -
\??\c:\rllxxrr.exec:\rllxxrr.exe45⤵
- Executes dropped EXE
PID:4192 -
\??\c:\rlffxxf.exec:\rlffxxf.exe46⤵
- Executes dropped EXE
PID:3132 -
\??\c:\ddvdd.exec:\ddvdd.exe47⤵
- Executes dropped EXE
PID:3248 -
\??\c:\3pvjv.exec:\3pvjv.exe48⤵
- Executes dropped EXE
PID:2624 -
\??\c:\rxfrfrl.exec:\rxfrfrl.exe49⤵
- Executes dropped EXE
PID:2416 -
\??\c:\7bnbhb.exec:\7bnbhb.exe50⤵
- Executes dropped EXE
PID:4740 -
\??\c:\1nhtnh.exec:\1nhtnh.exe51⤵
- Executes dropped EXE
PID:4472 -
\??\c:\dpvvv.exec:\dpvvv.exe52⤵
- Executes dropped EXE
PID:4448 -
\??\c:\lxrllff.exec:\lxrllff.exe53⤵
- Executes dropped EXE
PID:4220 -
\??\c:\bththb.exec:\bththb.exe54⤵
- Executes dropped EXE
PID:3964 -
\??\c:\3djvp.exec:\3djvp.exe55⤵
- Executes dropped EXE
PID:4596 -
\??\c:\jvvpd.exec:\jvvpd.exe56⤵
- Executes dropped EXE
PID:3596 -
\??\c:\9xxrflf.exec:\9xxrflf.exe57⤵
- Executes dropped EXE
PID:4592 -
\??\c:\rxrfrlx.exec:\rxrfrlx.exe58⤵
- Executes dropped EXE
PID:4688 -
\??\c:\nnbttb.exec:\nnbttb.exe59⤵
- Executes dropped EXE
PID:2032 -
\??\c:\pppjd.exec:\pppjd.exe60⤵
- Executes dropped EXE
PID:4100 -
\??\c:\dvvpd.exec:\dvvpd.exe61⤵
- Executes dropped EXE
PID:3984 -
\??\c:\9xlxlfx.exec:\9xlxlfx.exe62⤵
- Executes dropped EXE
PID:380 -
\??\c:\5xrfrlf.exec:\5xrfrlf.exe63⤵
- Executes dropped EXE
PID:1656 -
\??\c:\hnhbnh.exec:\hnhbnh.exe64⤵
- Executes dropped EXE
PID:4464 -
\??\c:\ddvpv.exec:\ddvpv.exe65⤵
- Executes dropped EXE
PID:976 -
\??\c:\3xfxfff.exec:\3xfxfff.exe66⤵PID:1984
-
\??\c:\llxrrxr.exec:\llxrrxr.exe67⤵PID:1336
-
\??\c:\7ttnnn.exec:\7ttnnn.exe68⤵PID:4340
-
\??\c:\dvjdp.exec:\dvjdp.exe69⤵PID:4440
-
\??\c:\dppjp.exec:\dppjp.exe70⤵PID:4744
-
\??\c:\fxrfxfr.exec:\fxrfxfr.exe71⤵PID:4692
-
\??\c:\thnnhh.exec:\thnnhh.exe72⤵PID:840
-
\??\c:\hhtnbt.exec:\hhtnbt.exe73⤵PID:4620
-
\??\c:\dvpdp.exec:\dvpdp.exe74⤵PID:2768
-
\??\c:\1rxlxrr.exec:\1rxlxrr.exe75⤵PID:472
-
\??\c:\lflfxxr.exec:\lflfxxr.exe76⤵PID:1524
-
\??\c:\thhtnh.exec:\thhtnh.exe77⤵PID:1848
-
\??\c:\1hthtt.exec:\1hthtt.exe78⤵PID:1696
-
\??\c:\ddjdp.exec:\ddjdp.exe79⤵PID:1520
-
\??\c:\flfrfxr.exec:\flfrfxr.exe80⤵PID:2172
-
\??\c:\rfrxrlf.exec:\rfrxrlf.exe81⤵PID:3648
-
\??\c:\bhnnbt.exec:\bhnnbt.exe82⤵PID:3076
-
\??\c:\httbth.exec:\httbth.exe83⤵PID:5004
-
\??\c:\1pjdj.exec:\1pjdj.exe84⤵PID:3436
-
\??\c:\1rxlrxl.exec:\1rxlrxl.exe85⤵PID:3236
-
\??\c:\lfxrllf.exec:\lfxrllf.exe86⤵PID:4224
-
\??\c:\nbbbnn.exec:\nbbbnn.exe87⤵PID:1784
-
\??\c:\dppvp.exec:\dppvp.exe88⤵PID:4924
-
\??\c:\9vvjj.exec:\9vvjj.exe89⤵PID:3620
-
\??\c:\xrrllfx.exec:\xrrllfx.exe90⤵PID:4800
-
\??\c:\nnbttt.exec:\nnbttt.exe91⤵PID:4756
-
\??\c:\ttnnhh.exec:\ttnnhh.exe92⤵PID:4468
-
\??\c:\djjjv.exec:\djjjv.exe93⤵PID:1152
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe94⤵
- System Location Discovery: System Language Discovery
PID:5028 -
\??\c:\7lflxfr.exec:\7lflxfr.exe95⤵PID:1136
-
\??\c:\bhhbnh.exec:\bhhbnh.exe96⤵PID:2464
-
\??\c:\3nnhnh.exec:\3nnhnh.exe97⤵PID:1640
-
\??\c:\3jvpv.exec:\3jvpv.exe98⤵PID:2720
-
\??\c:\ffrlrlf.exec:\ffrlrlf.exe99⤵PID:4752
-
\??\c:\fffxxrl.exec:\fffxxrl.exe100⤵PID:1440
-
\??\c:\thttnh.exec:\thttnh.exe101⤵PID:1284
-
\??\c:\5nbtht.exec:\5nbtht.exe102⤵PID:972
-
\??\c:\7ddpd.exec:\7ddpd.exe103⤵PID:3756
-
\??\c:\xfrrfff.exec:\xfrrfff.exe104⤵PID:5036
-
\??\c:\frrlxlf.exec:\frrlxlf.exe105⤵PID:3360
-
\??\c:\9tnbnh.exec:\9tnbnh.exe106⤵PID:4780
-
\??\c:\1ppdp.exec:\1ppdp.exe107⤵PID:3444
-
\??\c:\lxrxlrl.exec:\lxrxlrl.exe108⤵PID:4600
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe109⤵PID:4612
-
\??\c:\hbtnbt.exec:\hbtnbt.exe110⤵PID:1728
-
\??\c:\bnnbnh.exec:\bnnbnh.exe111⤵PID:2356
-
\??\c:\pjpjj.exec:\pjpjj.exe112⤵PID:3844
-
\??\c:\9ffxfxr.exec:\9ffxfxr.exe113⤵PID:4288
-
\??\c:\7ffrrll.exec:\7ffrrll.exe114⤵PID:1232
-
\??\c:\3hnttt.exec:\3hnttt.exe115⤵PID:3596
-
\??\c:\hbnnbn.exec:\hbnnbn.exe116⤵PID:3048
-
\??\c:\djdvj.exec:\djdvj.exe117⤵
- System Location Discovery: System Language Discovery
PID:4648 -
\??\c:\rllfrlx.exec:\rllfrlx.exe118⤵PID:3724
-
\??\c:\lllfxxx.exec:\lllfxxx.exe119⤵PID:4252
-
\??\c:\hntnhh.exec:\hntnhh.exe120⤵PID:4660
-
\??\c:\5jjdd.exec:\5jjdd.exe121⤵
- System Location Discovery: System Language Discovery
PID:2952 -
\??\c:\vvvpv.exec:\vvvpv.exe122⤵PID:2240