Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:54
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
acd5f6be16fd28828f0c53f02b03e17bc2573ee9ea3021236c7d4ac7f1c9d7af.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
acd5f6be16fd28828f0c53f02b03e17bc2573ee9ea3021236c7d4ac7f1c9d7af.exe
-
Size
453KB
-
MD5
5cb0fe068e0095b13380f6a762545866
-
SHA1
0114c744a2dacf2c8f7f5535e833855a0dd30037
-
SHA256
acd5f6be16fd28828f0c53f02b03e17bc2573ee9ea3021236c7d4ac7f1c9d7af
-
SHA512
8b864fb4b72ecb8b9d418e8075bb533530679322b096988cde43035a1c80f3e64ea6c8ba7cc350559ba278ed19e2c7eae7aa2798d047b435a04d7cf3c98a211d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2896-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4912-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3368-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-1355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-1650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5008 lxfxrlf.exe 1484 dpppj.exe 1692 9tbbht.exe 4460 lxfrrlf.exe 2708 fxrlrrl.exe 3740 lrxxrrr.exe 180 hnnhhh.exe 972 rfrlrrx.exe 1952 bntnnn.exe 4832 frxrlll.exe 4160 thtnnn.exe 60 9djdp.exe 2436 jdppv.exe 1824 thtnnn.exe 808 rrfffrr.exe 3812 7hnhbb.exe 4356 rflfffx.exe 2692 bttnhn.exe 2052 3tbbtt.exe 632 jvpjj.exe 4504 5bthtt.exe 3980 frrfrlr.exe 2304 nhnhhh.exe 4912 frlxlfr.exe 2796 jppjv.exe 4236 xxlrllf.exe 1840 dppjj.exe 4240 9ddpj.exe 3280 jvjvp.exe 2992 llfxxrl.exe 3536 llrflfl.exe 4612 thbbtn.exe 1848 7ppjd.exe 1536 5rfrrrr.exe 1988 xfflrxl.exe 4856 bbttnn.exe 3880 ddpjp.exe 2212 9rxrllf.exe 2620 hnnhhh.exe 2860 3djdd.exe 4700 dvppj.exe 3212 7xxfxxr.exe 992 btnhtt.exe 2904 vvdjv.exe 4372 vpdvp.exe 1208 lflxrlf.exe 1052 hnnnnn.exe 100 5btnbb.exe 2884 xrrrllf.exe 796 hhhbtn.exe 4608 hbtntn.exe 2868 ddjdd.exe 1484 llrrfxr.exe 2592 7hhhbt.exe 1068 vdjvp.exe 4524 djjdp.exe 4532 flllllf.exe 2500 pjjvp.exe 4848 jdddd.exe 3188 fxlflll.exe 760 htbnhn.exe 1636 9dpdj.exe 456 5rxrrrr.exe 1564 lrxrlrl.exe -
resource yara_rule behavioral2/memory/2896-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4236-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-396-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1316-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-1355-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key) in order to infer the geographical location of that host; this is commonly a geofencing check, though the report alone does not show how the value is used.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrflfx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2896 wrote to memory of 5008 2896 acd5f6be16fd28828f0c53f02b03e17bc2573ee9ea3021236c7d4ac7f1c9d7af.exe 83 PID 2896 wrote to memory of 5008 2896 acd5f6be16fd28828f0c53f02b03e17bc2573ee9ea3021236c7d4ac7f1c9d7af.exe 83 PID 2896 wrote to memory of 5008 2896 acd5f6be16fd28828f0c53f02b03e17bc2573ee9ea3021236c7d4ac7f1c9d7af.exe 83 PID 5008 wrote to memory of 1484 5008 lxfxrlf.exe 84 PID 5008 wrote to memory of 1484 5008 lxfxrlf.exe 84 PID 5008 wrote to memory of 1484 5008 lxfxrlf.exe 84 PID 1484 wrote to memory of 1692 1484 dpppj.exe 85 PID 1484 wrote to memory of 1692 1484 dpppj.exe 85 PID 1484 wrote to memory of 1692 1484 dpppj.exe 85 PID 1692 wrote to memory of 4460 1692 9tbbht.exe 86 PID 1692 wrote to memory of 4460 1692 9tbbht.exe 86 PID 1692 wrote to memory of 4460 1692 9tbbht.exe 86 PID 4460 wrote to memory of 2708 4460 lxfrrlf.exe 87 PID 4460 wrote to memory of 2708 4460 lxfrrlf.exe 87 PID 4460 wrote to memory of 2708 4460 lxfrrlf.exe 87 PID 2708 wrote to memory of 3740 2708 fxrlrrl.exe 88 PID 2708 wrote to memory of 3740 2708 fxrlrrl.exe 88 PID 2708 wrote to memory of 3740 2708 fxrlrrl.exe 88 PID 3740 wrote to memory of 180 3740 lrxxrrr.exe 89 PID 3740 wrote to memory of 180 3740 lrxxrrr.exe 89 PID 3740 wrote to memory of 180 3740 lrxxrrr.exe 89 PID 180 wrote to memory of 972 180 hnnhhh.exe 90 PID 180 wrote to memory of 972 180 hnnhhh.exe 90 PID 180 wrote to memory of 972 180 hnnhhh.exe 90 PID 972 wrote to memory of 1952 972 rfrlrrx.exe 91 PID 972 wrote to memory of 1952 972 rfrlrrx.exe 91 PID 972 wrote to memory of 1952 972 rfrlrrx.exe 91 PID 1952 wrote to memory of 4832 1952 bntnnn.exe 92 PID 1952 wrote to memory of 4832 1952 bntnnn.exe 92 PID 1952 wrote to memory of 4832 1952 bntnnn.exe 92 PID 4832 wrote to memory of 4160 4832 frxrlll.exe 93 PID 4832 wrote to memory of 4160 4832 frxrlll.exe 93 PID 4832 wrote to memory of 4160 4832 frxrlll.exe 93 PID 4160 wrote to memory of 60 4160 thtnnn.exe 94 PID 4160 wrote to memory 
of 60 4160 thtnnn.exe 94 PID 4160 wrote to memory of 60 4160 thtnnn.exe 94 PID 60 wrote to memory of 2436 60 9djdp.exe 95 PID 60 wrote to memory of 2436 60 9djdp.exe 95 PID 60 wrote to memory of 2436 60 9djdp.exe 95 PID 2436 wrote to memory of 1824 2436 jdppv.exe 96 PID 2436 wrote to memory of 1824 2436 jdppv.exe 96 PID 2436 wrote to memory of 1824 2436 jdppv.exe 96 PID 1824 wrote to memory of 808 1824 thtnnn.exe 97 PID 1824 wrote to memory of 808 1824 thtnnn.exe 97 PID 1824 wrote to memory of 808 1824 thtnnn.exe 97 PID 808 wrote to memory of 3812 808 rrfffrr.exe 98 PID 808 wrote to memory of 3812 808 rrfffrr.exe 98 PID 808 wrote to memory of 3812 808 rrfffrr.exe 98 PID 3812 wrote to memory of 4356 3812 7hnhbb.exe 99 PID 3812 wrote to memory of 4356 3812 7hnhbb.exe 99 PID 3812 wrote to memory of 4356 3812 7hnhbb.exe 99 PID 4356 wrote to memory of 2692 4356 rflfffx.exe 100 PID 4356 wrote to memory of 2692 4356 rflfffx.exe 100 PID 4356 wrote to memory of 2692 4356 rflfffx.exe 100 PID 2692 wrote to memory of 2052 2692 bttnhn.exe 101 PID 2692 wrote to memory of 2052 2692 bttnhn.exe 101 PID 2692 wrote to memory of 2052 2692 bttnhn.exe 101 PID 2052 wrote to memory of 632 2052 3tbbtt.exe 102 PID 2052 wrote to memory of 632 2052 3tbbtt.exe 102 PID 2052 wrote to memory of 632 2052 3tbbtt.exe 102 PID 632 wrote to memory of 4504 632 jvpjj.exe 103 PID 632 wrote to memory of 4504 632 jvpjj.exe 103 PID 632 wrote to memory of 4504 632 jvpjj.exe 103 PID 4504 wrote to memory of 3980 4504 5bthtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\acd5f6be16fd28828f0c53f02b03e17bc2573ee9ea3021236c7d4ac7f1c9d7af.exe"C:\Users\Admin\AppData\Local\Temp\acd5f6be16fd28828f0c53f02b03e17bc2573ee9ea3021236c7d4ac7f1c9d7af.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\dpppj.exec:\dpppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\9tbbht.exec:\9tbbht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\lxfrrlf.exec:\lxfrrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\fxrlrrl.exec:\fxrlrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\lrxxrrr.exec:\lrxxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\hnnhhh.exec:\hnnhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\bntnnn.exec:\bntnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\frxrlll.exec:\frxrlll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\thtnnn.exec:\thtnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\9djdp.exec:\9djdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\jdppv.exec:\jdppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\thtnnn.exec:\thtnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\rrfffrr.exec:\rrfffrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\7hnhbb.exec:\7hnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\rflfffx.exec:\rflfffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\bttnhn.exec:\bttnhn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\3tbbtt.exec:\3tbbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\jvpjj.exec:\jvpjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\5bthtt.exec:\5bthtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\frrfrlr.exec:\frrfrlr.exe23⤵
- Executes dropped EXE
PID:3980 -
\??\c:\nhnhhh.exec:\nhnhhh.exe24⤵
- Executes dropped EXE
PID:2304 -
\??\c:\frlxlfr.exec:\frlxlfr.exe25⤵
- Executes dropped EXE
PID:4912 -
\??\c:\jppjv.exec:\jppjv.exe26⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xxlrllf.exec:\xxlrllf.exe27⤵
- Executes dropped EXE
PID:4236 -
\??\c:\dppjj.exec:\dppjj.exe28⤵
- Executes dropped EXE
PID:1840 -
\??\c:\9ddpj.exec:\9ddpj.exe29⤵
- Executes dropped EXE
PID:4240 -
\??\c:\jvjvp.exec:\jvjvp.exe30⤵
- Executes dropped EXE
PID:3280 -
\??\c:\llfxxrl.exec:\llfxxrl.exe31⤵
- Executes dropped EXE
PID:2992 -
\??\c:\llrflfl.exec:\llrflfl.exe32⤵
- Executes dropped EXE
PID:3536 -
\??\c:\thbbtn.exec:\thbbtn.exe33⤵
- Executes dropped EXE
PID:4612 -
\??\c:\7ppjd.exec:\7ppjd.exe34⤵
- Executes dropped EXE
PID:1848 -
\??\c:\5rfrrrr.exec:\5rfrrrr.exe35⤵
- Executes dropped EXE
PID:1536 -
\??\c:\xfflrxl.exec:\xfflrxl.exe36⤵
- Executes dropped EXE
PID:1988 -
\??\c:\bbttnn.exec:\bbttnn.exe37⤵
- Executes dropped EXE
PID:4856 -
\??\c:\ddpjp.exec:\ddpjp.exe38⤵
- Executes dropped EXE
PID:3880 -
\??\c:\9rxrllf.exec:\9rxrllf.exe39⤵
- Executes dropped EXE
PID:2212 -
\??\c:\hnnhhh.exec:\hnnhhh.exe40⤵
- Executes dropped EXE
PID:2620 -
\??\c:\3djdd.exec:\3djdd.exe41⤵
- Executes dropped EXE
PID:2860 -
\??\c:\dvppj.exec:\dvppj.exe42⤵
- Executes dropped EXE
PID:4700 -
\??\c:\7xxfxxr.exec:\7xxfxxr.exe43⤵
- Executes dropped EXE
PID:3212 -
\??\c:\btnhtt.exec:\btnhtt.exe44⤵
- Executes dropped EXE
PID:992 -
\??\c:\vvdjv.exec:\vvdjv.exe45⤵
- Executes dropped EXE
PID:2904 -
\??\c:\vpdvp.exec:\vpdvp.exe46⤵
- Executes dropped EXE
PID:4372 -
\??\c:\lflxrlf.exec:\lflxrlf.exe47⤵
- Executes dropped EXE
PID:1208 -
\??\c:\hnnnnn.exec:\hnnnnn.exe48⤵
- Executes dropped EXE
PID:1052 -
\??\c:\5btnbb.exec:\5btnbb.exe49⤵
- Executes dropped EXE
PID:100 -
\??\c:\xrrrllf.exec:\xrrrllf.exe50⤵
- Executes dropped EXE
PID:2884 -
\??\c:\hhhbtn.exec:\hhhbtn.exe51⤵
- Executes dropped EXE
PID:796 -
\??\c:\hbtntn.exec:\hbtntn.exe52⤵
- Executes dropped EXE
PID:4608 -
\??\c:\ddjdd.exec:\ddjdd.exe53⤵
- Executes dropped EXE
PID:2868 -
\??\c:\llrrfxr.exec:\llrrfxr.exe54⤵
- Executes dropped EXE
PID:1484 -
\??\c:\7hhhbt.exec:\7hhhbt.exe55⤵
- Executes dropped EXE
PID:2592 -
\??\c:\vdjvp.exec:\vdjvp.exe56⤵
- Executes dropped EXE
PID:1068 -
\??\c:\djjdp.exec:\djjdp.exe57⤵
- Executes dropped EXE
PID:4524 -
\??\c:\flllllf.exec:\flllllf.exe58⤵
- Executes dropped EXE
PID:4532 -
\??\c:\pjjvp.exec:\pjjvp.exe59⤵
- Executes dropped EXE
PID:2500 -
\??\c:\jdddd.exec:\jdddd.exe60⤵
- Executes dropped EXE
PID:4848 -
\??\c:\fxlflll.exec:\fxlflll.exe61⤵
- Executes dropped EXE
PID:3188 -
\??\c:\htbnhn.exec:\htbnhn.exe62⤵
- Executes dropped EXE
PID:760 -
\??\c:\9dpdj.exec:\9dpdj.exe63⤵
- Executes dropped EXE
PID:1636 -
\??\c:\5rxrrrr.exec:\5rxrrrr.exe64⤵
- Executes dropped EXE
PID:456 -
\??\c:\lrxrlrl.exec:\lrxrlrl.exe65⤵
- Executes dropped EXE
PID:1564 -
\??\c:\tnnhbt.exec:\tnnhbt.exe66⤵PID:208
-
\??\c:\ppvjd.exec:\ppvjd.exe67⤵PID:4744
-
\??\c:\jjdpd.exec:\jjdpd.exe68⤵PID:2520
-
\??\c:\frfrxlf.exec:\frfrxlf.exe69⤵PID:3368
-
\??\c:\nnnhbb.exec:\nnnhbb.exe70⤵PID:2436
-
\??\c:\vppjd.exec:\vppjd.exe71⤵PID:3136
-
\??\c:\ffrflfx.exec:\ffrflfx.exe72⤵PID:3064
-
\??\c:\xlrfxrr.exec:\xlrfxrr.exe73⤵PID:2124
-
\??\c:\tbthhh.exec:\tbthhh.exe74⤵PID:4128
-
\??\c:\pvdvp.exec:\pvdvp.exe75⤵PID:4920
-
\??\c:\lxlfrrl.exec:\lxlfrrl.exe76⤵
- System Location Discovery: System Language Discovery
PID:4644 -
\??\c:\htbtbb.exec:\htbtbb.exe77⤵PID:868
-
\??\c:\tthbbn.exec:\tthbbn.exe78⤵PID:2612
-
\??\c:\jvjdv.exec:\jvjdv.exe79⤵PID:4960
-
\??\c:\rffrlfx.exec:\rffrlfx.exe80⤵PID:3516
-
\??\c:\tbhbtt.exec:\tbhbtt.exe81⤵PID:3684
-
\??\c:\nhhtht.exec:\nhhtht.exe82⤵PID:5088
-
\??\c:\vjdvp.exec:\vjdvp.exe83⤵PID:4488
-
\??\c:\rfflxxr.exec:\rfflxxr.exe84⤵PID:2356
-
\??\c:\bnnttn.exec:\bnnttn.exe85⤵PID:1004
-
\??\c:\bhthbt.exec:\bhthbt.exe86⤵PID:4912
-
\??\c:\jjpdv.exec:\jjpdv.exe87⤵PID:2684
-
\??\c:\llrfrlf.exec:\llrfrlf.exe88⤵PID:4236
-
\??\c:\tnnhbb.exec:\tnnhbb.exe89⤵PID:3864
-
\??\c:\nthbtb.exec:\nthbtb.exe90⤵PID:1016
-
\??\c:\pvvjv.exec:\pvvjv.exe91⤵PID:4636
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe92⤵PID:4868
-
\??\c:\hbbtnb.exec:\hbbtnb.exe93⤵PID:3232
-
\??\c:\pdvvj.exec:\pdvvj.exe94⤵PID:1308
-
\??\c:\vdjdv.exec:\vdjdv.exe95⤵PID:848
-
\??\c:\1lfxlff.exec:\1lfxlff.exe96⤵PID:1316
-
\??\c:\tnnnhn.exec:\tnnnhn.exe97⤵PID:1652
-
\??\c:\jdvpj.exec:\jdvpj.exe98⤵PID:640
-
\??\c:\fxxlxrf.exec:\fxxlxrf.exe99⤵PID:2700
-
\??\c:\lxfrrff.exec:\lxfrrff.exe100⤵PID:4384
-
\??\c:\3thtnh.exec:\3thtnh.exe101⤵PID:2712
-
\??\c:\pdpvv.exec:\pdpvv.exe102⤵PID:3880
-
\??\c:\fflffxf.exec:\fflffxf.exe103⤵PID:1064
-
\??\c:\7rxxfff.exec:\7rxxfff.exe104⤵PID:2900
-
\??\c:\nhnntn.exec:\nhnntn.exe105⤵PID:3948
-
\??\c:\vpjdv.exec:\vpjdv.exe106⤵PID:4700
-
\??\c:\frrlxxr.exec:\frrlxxr.exe107⤵
- System Location Discovery: System Language Discovery
PID:2376 -
\??\c:\5bbbtt.exec:\5bbbtt.exe108⤵PID:992
-
\??\c:\ppdpd.exec:\ppdpd.exe109⤵PID:2904
-
\??\c:\vppdp.exec:\vppdp.exe110⤵PID:1716
-
\??\c:\lrxrllf.exec:\lrxrllf.exe111⤵PID:3292
-
\??\c:\ntbbtt.exec:\ntbbtt.exe112⤵
- System Location Discovery: System Language Discovery
PID:1052 -
\??\c:\djpjd.exec:\djpjd.exe113⤵PID:740
-
\??\c:\frrrlff.exec:\frrrlff.exe114⤵
- System Location Discovery: System Language Discovery
PID:2884 -
\??\c:\bhnhbt.exec:\bhnhbt.exe115⤵PID:796
-
\??\c:\nbnhbb.exec:\nbnhbb.exe116⤵PID:4608
-
\??\c:\pvvdv.exec:\pvvdv.exe117⤵PID:4220
-
\??\c:\3lffrlf.exec:\3lffrlf.exe118⤵PID:4696
-
\??\c:\hhnbnn.exec:\hhnbnn.exe119⤵PID:5036
-
\??\c:\bttnhh.exec:\bttnhh.exe120⤵PID:4732
-
\??\c:\dvddd.exec:\dvddd.exe121⤵PID:1068
-
\??\c:\flfffll.exec:\flfffll.exe122⤵PID:1056