Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 23:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe
-
Size
454KB
-
MD5
f2b11c4f394ea83ecdfef520530ba332
-
SHA1
db73e90f002b0bb57efd28c41e97518a70c33de9
-
SHA256
906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a
-
SHA512
3d1e311877f9bedc34158147aee13b3be7131addc77528d4f511fad1830aa5b372cf5b3618a952859c5764c1b4dd094044017c7d4e7b7d055bf462ec6c9a7b3f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeVn:q7Tc2NYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2416-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/620-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3032-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-913-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-1091-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-1299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2140-1310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4576 9lrllrx.exe 3828 dvdpj.exe 4704 hbnnht.exe 2796 7lrlrrf.exe 2224 thbhth.exe 2364 fllfxrr.exe 3932 pjvjd.exe 1532 jjdvj.exe 2836 xfxrxll.exe 1984 tbbtnh.exe 1640 ppvvj.exe 452 bhbhtt.exe 3752 1vjvp.exe 792 7xfflxx.exe 3140 1vvpd.exe 3452 xxxlxrl.exe 4604 jdjjd.exe 2964 xrxrlll.exe 700 7ntntn.exe 1392 pdjdp.exe 4108 lrlxlfr.exe 4984 rlxrlrl.exe 392 jvvjd.exe 1496 hththt.exe 2556 fxfxrlx.exe 620 7nnbnn.exe 3712 djjdj.exe 1576 llfrxlr.exe 3800 1bnbth.exe 4012 9dvpd.exe 4304 hbtbnb.exe 804 fxfffrl.exe 3056 tbhnbb.exe 3316 rfxlflx.exe 1712 rrrfxrx.exe 2136 bthnhh.exe 4964 rfrllll.exe 2268 pjjjd.exe 2720 7ffxfff.exe 4248 xrxlrlf.exe 3960 bntnnb.exe 4816 dvjdj.exe 4280 bbthbn.exe 2332 jvvjv.exe 1704 hnnbnh.exe 5008 vjvpd.exe 2192 xrfrlxr.exe 1972 btbnbt.exe 4156 pjdvp.exe 3104 lxxlxlx.exe 4496 lfrrflf.exe 2832 nbbnhb.exe 3108 jddvv.exe 3184 lrrfxff.exe 3660 hbhnhh.exe 1580 9pvjv.exe 2328 frrfrfr.exe 2652 hhnbnh.exe 1172 dvpdp.exe 1868 xlrfxrr.exe 4824 xlrlflf.exe 4180 nttnbt.exe 3148 pdpdd.exe 4968 lffrlrf.exe -
resource yara_rule behavioral2/memory/2416-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1576-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1244-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-679-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxrxrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
frffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2416 wrote to memory of 4576 2416 906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe 82 PID 2416 wrote to memory of 4576 2416 906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe 82 PID 2416 wrote to memory of 4576 2416 906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe 82 PID 4576 wrote to memory of 3828 4576 9lrllrx.exe 83 PID 4576 wrote to memory of 3828 4576 9lrllrx.exe 83 PID 4576 wrote to memory of 3828 4576 9lrllrx.exe 83 PID 3828 wrote to memory of 4704 3828 dvdpj.exe 84 PID 3828 wrote to memory of 4704 3828 dvdpj.exe 84 PID 3828 wrote to memory of 4704 3828 dvdpj.exe 84 PID 4704 wrote to memory of 2796 4704 hbnnht.exe 85 PID 4704 wrote to memory of 2796 4704 hbnnht.exe 85 PID 4704 wrote to memory of 2796 4704 hbnnht.exe 85 PID 2796 wrote to memory of 2224 2796 7lrlrrf.exe 86 PID 2796 wrote to memory of 2224 2796 7lrlrrf.exe 86 PID 2796 wrote to memory of 2224 2796 7lrlrrf.exe 86 PID 2224 wrote to memory of 2364 2224 thbhth.exe 87 PID 2224 wrote to memory of 2364 2224 thbhth.exe 87 PID 2224 wrote to memory of 2364 2224 thbhth.exe 87 PID 2364 wrote to memory of 3932 2364 fllfxrr.exe 88 PID 2364 wrote to memory of 3932 2364 fllfxrr.exe 88 PID 2364 wrote to memory of 3932 2364 fllfxrr.exe 88 PID 3932 wrote to memory of 1532 3932 pjvjd.exe 89 PID 3932 wrote to memory of 1532 3932 pjvjd.exe 89 PID 3932 wrote to memory of 1532 3932 pjvjd.exe 89 PID 1532 wrote to memory of 2836 1532 jjdvj.exe 90 PID 1532 wrote to memory of 2836 1532 jjdvj.exe 90 PID 1532 wrote to memory of 2836 1532 jjdvj.exe 90 PID 2836 wrote to memory of 1984 2836 xfxrxll.exe 91 PID 2836 wrote to memory of 1984 2836 xfxrxll.exe 91 PID 2836 wrote to memory of 1984 2836 xfxrxll.exe 91 PID 1984 wrote to memory of 1640 1984 tbbtnh.exe 92 PID 1984 wrote to memory of 1640 1984 tbbtnh.exe 92 PID 1984 wrote to memory of 1640 1984 tbbtnh.exe 92 PID 1640 wrote to memory of 452 1640 ppvvj.exe 93 PID 1640 wrote to 
memory of 452 1640 ppvvj.exe 93 PID 1640 wrote to memory of 452 1640 ppvvj.exe 93 PID 452 wrote to memory of 3752 452 bhbhtt.exe 94 PID 452 wrote to memory of 3752 452 bhbhtt.exe 94 PID 452 wrote to memory of 3752 452 bhbhtt.exe 94 PID 3752 wrote to memory of 792 3752 1vjvp.exe 95 PID 3752 wrote to memory of 792 3752 1vjvp.exe 95 PID 3752 wrote to memory of 792 3752 1vjvp.exe 95 PID 792 wrote to memory of 3140 792 7xfflxx.exe 96 PID 792 wrote to memory of 3140 792 7xfflxx.exe 96 PID 792 wrote to memory of 3140 792 7xfflxx.exe 96 PID 3140 wrote to memory of 3452 3140 1vvpd.exe 97 PID 3140 wrote to memory of 3452 3140 1vvpd.exe 97 PID 3140 wrote to memory of 3452 3140 1vvpd.exe 97 PID 3452 wrote to memory of 4604 3452 xxxlxrl.exe 98 PID 3452 wrote to memory of 4604 3452 xxxlxrl.exe 98 PID 3452 wrote to memory of 4604 3452 xxxlxrl.exe 98 PID 4604 wrote to memory of 2964 4604 jdjjd.exe 99 PID 4604 wrote to memory of 2964 4604 jdjjd.exe 99 PID 4604 wrote to memory of 2964 4604 jdjjd.exe 99 PID 2964 wrote to memory of 700 2964 xrxrlll.exe 100 PID 2964 wrote to memory of 700 2964 xrxrlll.exe 100 PID 2964 wrote to memory of 700 2964 xrxrlll.exe 100 PID 700 wrote to memory of 1392 700 7ntntn.exe 101 PID 700 wrote to memory of 1392 700 7ntntn.exe 101 PID 700 wrote to memory of 1392 700 7ntntn.exe 101 PID 1392 wrote to memory of 4108 1392 pdjdp.exe 102 PID 1392 wrote to memory of 4108 1392 pdjdp.exe 102 PID 1392 wrote to memory of 4108 1392 pdjdp.exe 102 PID 4108 wrote to memory of 4984 4108 lrlxlfr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe"C:\Users\Admin\AppData\Local\Temp\906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\9lrllrx.exec:\9lrllrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\dvdpj.exec:\dvdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\hbnnht.exec:\hbnnht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\7lrlrrf.exec:\7lrlrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\thbhth.exec:\thbhth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\fllfxrr.exec:\fllfxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\pjvjd.exec:\pjvjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\jjdvj.exec:\jjdvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\xfxrxll.exec:\xfxrxll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\tbbtnh.exec:\tbbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\ppvvj.exec:\ppvvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\bhbhtt.exec:\bhbhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\1vjvp.exec:\1vjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\7xfflxx.exec:\7xfflxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
\??\c:\1vvpd.exec:\1vvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\xxxlxrl.exec:\xxxlxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\jdjjd.exec:\jdjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\xrxrlll.exec:\xrxrlll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\7ntntn.exec:\7ntntn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\pdjdp.exec:\pdjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\lrlxlfr.exec:\lrlxlfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\rlxrlrl.exec:\rlxrlrl.exe23⤵
- Executes dropped EXE
PID:4984 -
\??\c:\jvvjd.exec:\jvvjd.exe24⤵
- Executes dropped EXE
PID:392 -
\??\c:\hththt.exec:\hththt.exe25⤵
- Executes dropped EXE
PID:1496 -
\??\c:\fxfxrlx.exec:\fxfxrlx.exe26⤵
- Executes dropped EXE
PID:2556 -
\??\c:\7nnbnn.exec:\7nnbnn.exe27⤵
- Executes dropped EXE
PID:620 -
\??\c:\djjdj.exec:\djjdj.exe28⤵
- Executes dropped EXE
PID:3712 -
\??\c:\llfrxlr.exec:\llfrxlr.exe29⤵
- Executes dropped EXE
PID:1576 -
\??\c:\1bnbth.exec:\1bnbth.exe30⤵
- Executes dropped EXE
PID:3800 -
\??\c:\9dvpd.exec:\9dvpd.exe31⤵
- Executes dropped EXE
PID:4012 -
\??\c:\hbtbnb.exec:\hbtbnb.exe32⤵
- Executes dropped EXE
PID:4304 -
\??\c:\fxfffrl.exec:\fxfffrl.exe33⤵
- Executes dropped EXE
PID:804 -
\??\c:\tbhnbb.exec:\tbhnbb.exe34⤵
- Executes dropped EXE
PID:3056 -
\??\c:\rfxlflx.exec:\rfxlflx.exe35⤵
- Executes dropped EXE
PID:3316 -
\??\c:\rrrfxrx.exec:\rrrfxrx.exe36⤵
- Executes dropped EXE
PID:1712 -
\??\c:\bthnhh.exec:\bthnhh.exe37⤵
- Executes dropped EXE
PID:2136 -
\??\c:\rfrllll.exec:\rfrllll.exe38⤵
- Executes dropped EXE
PID:4964 -
\??\c:\pjjjd.exec:\pjjjd.exe39⤵
- Executes dropped EXE
PID:2268 -
\??\c:\7ffxfff.exec:\7ffxfff.exe40⤵
- Executes dropped EXE
PID:2720 -
\??\c:\xrxlrlf.exec:\xrxlrlf.exe41⤵
- Executes dropped EXE
PID:4248 -
\??\c:\bntnnb.exec:\bntnnb.exe42⤵
- Executes dropped EXE
PID:3960 -
\??\c:\dvjdj.exec:\dvjdj.exe43⤵
- Executes dropped EXE
PID:4816 -
\??\c:\bbthbn.exec:\bbthbn.exe44⤵
- Executes dropped EXE
PID:4280 -
\??\c:\jvvjv.exec:\jvvjv.exe45⤵
- Executes dropped EXE
PID:2332 -
\??\c:\rfxrffx.exec:\rfxrffx.exe46⤵PID:4512
-
\??\c:\hnnbnh.exec:\hnnbnh.exe47⤵
- Executes dropped EXE
PID:1704 -
\??\c:\vjvpd.exec:\vjvpd.exe48⤵
- Executes dropped EXE
PID:5008 -
\??\c:\xrfrlxr.exec:\xrfrlxr.exe49⤵
- Executes dropped EXE
PID:2192 -
\??\c:\btbnbt.exec:\btbnbt.exe50⤵
- Executes dropped EXE
PID:1972 -
\??\c:\pjdvp.exec:\pjdvp.exe51⤵
- Executes dropped EXE
PID:4156 -
\??\c:\lxxlxlx.exec:\lxxlxlx.exe52⤵
- Executes dropped EXE
PID:3104 -
\??\c:\lfrrflf.exec:\lfrrflf.exe53⤵
- Executes dropped EXE
PID:4496 -
\??\c:\nbbnhb.exec:\nbbnhb.exe54⤵
- Executes dropped EXE
PID:2832 -
\??\c:\jddvv.exec:\jddvv.exe55⤵
- Executes dropped EXE
PID:3108 -
\??\c:\lrrfxff.exec:\lrrfxff.exe56⤵
- Executes dropped EXE
PID:3184 -
\??\c:\hbhnhh.exec:\hbhnhh.exe57⤵
- Executes dropped EXE
PID:3660 -
\??\c:\9pvjv.exec:\9pvjv.exe58⤵
- Executes dropped EXE
PID:1580 -
\??\c:\frrfrfr.exec:\frrfrfr.exe59⤵
- Executes dropped EXE
PID:2328 -
\??\c:\hhnbnh.exec:\hhnbnh.exe60⤵
- Executes dropped EXE
PID:2652 -
\??\c:\dvpdp.exec:\dvpdp.exe61⤵
- Executes dropped EXE
PID:1172 -
\??\c:\xlrfxrr.exec:\xlrfxrr.exe62⤵
- Executes dropped EXE
PID:1868 -
\??\c:\xlrlflf.exec:\xlrlflf.exe63⤵
- Executes dropped EXE
PID:4824 -
\??\c:\nttnbt.exec:\nttnbt.exe64⤵
- Executes dropped EXE
PID:4180 -
\??\c:\pdpdd.exec:\pdpdd.exe65⤵
- Executes dropped EXE
PID:3148 -
\??\c:\lffrlrf.exec:\lffrlrf.exe66⤵
- Executes dropped EXE
PID:4968 -
\??\c:\bthbbt.exec:\bthbbt.exe67⤵PID:3748
-
\??\c:\tbhbtn.exec:\tbhbtn.exe68⤵PID:4048
-
\??\c:\dvvjv.exec:\dvvjv.exe69⤵PID:3924
-
\??\c:\frlxlfr.exec:\frlxlfr.exe70⤵PID:3032
-
\??\c:\btttnh.exec:\btttnh.exe71⤵PID:1456
-
\??\c:\dpvjj.exec:\dpvjj.exe72⤵PID:4024
-
\??\c:\rllllrx.exec:\rllllrx.exe73⤵PID:3440
-
\??\c:\9bnbbt.exec:\9bnbbt.exe74⤵PID:1412
-
\??\c:\pvpdp.exec:\pvpdp.exe75⤵PID:4044
-
\??\c:\frrlxrf.exec:\frrlxrf.exe76⤵PID:2660
-
\??\c:\hnthbt.exec:\hnthbt.exe77⤵PID:1644
-
\??\c:\hnnbbn.exec:\hnnbbn.exe78⤵PID:2828
-
\??\c:\djpdd.exec:\djpdd.exe79⤵PID:2156
-
\??\c:\fffxffx.exec:\fffxffx.exe80⤵PID:1244
-
\??\c:\5tbntn.exec:\5tbntn.exe81⤵PID:4376
-
\??\c:\5pjpj.exec:\5pjpj.exe82⤵PID:2556
-
\??\c:\pjdjv.exec:\pjdjv.exe83⤵PID:3296
-
\??\c:\5rrlfxr.exec:\5rrlfxr.exe84⤵PID:860
-
\??\c:\3bbthb.exec:\3bbthb.exe85⤵PID:3448
-
\??\c:\dddpj.exec:\dddpj.exe86⤵
- System Location Discovery: System Language Discovery
PID:4844 -
\??\c:\lxxlffr.exec:\lxxlffr.exe87⤵PID:3800
-
\??\c:\thbnhb.exec:\thbnhb.exe88⤵PID:1864
-
\??\c:\7nbbbt.exec:\7nbbbt.exe89⤵PID:2484
-
\??\c:\jvdvj.exec:\jvdvj.exe90⤵PID:1224
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe91⤵PID:1416
-
\??\c:\hhhtnh.exec:\hhhtnh.exe92⤵PID:3288
-
\??\c:\tnhthb.exec:\tnhthb.exe93⤵PID:2620
-
\??\c:\djpdp.exec:\djpdp.exe94⤵PID:3508
-
\??\c:\xrxxxxr.exec:\xrxxxxr.exe95⤵PID:2604
-
\??\c:\lffxxrr.exec:\lffxxrr.exe96⤵PID:1376
-
\??\c:\hbthbt.exec:\hbthbt.exe97⤵PID:4684
-
\??\c:\pvvjv.exec:\pvvjv.exe98⤵PID:1964
-
\??\c:\llrfxlf.exec:\llrfxlf.exe99⤵PID:5100
-
\??\c:\9btthh.exec:\9btthh.exe100⤵PID:5028
-
\??\c:\tnhhtb.exec:\tnhhtb.exe101⤵PID:3732
-
\??\c:\dvjvp.exec:\dvjvp.exe102⤵PID:4816
-
\??\c:\lxlffxr.exec:\lxlffxr.exe103⤵PID:4420
-
\??\c:\nthbth.exec:\nthbth.exe104⤵PID:4388
-
\??\c:\bhthth.exec:\bhthth.exe105⤵PID:2440
-
\??\c:\dpvpd.exec:\dpvpd.exe106⤵PID:1704
-
\??\c:\1rrlxrf.exec:\1rrlxrf.exe107⤵PID:5016
-
\??\c:\nhbbnb.exec:\nhbbnb.exe108⤵PID:2576
-
\??\c:\jjvjd.exec:\jjvjd.exe109⤵PID:3436
-
\??\c:\vdppv.exec:\vdppv.exe110⤵PID:2796
-
\??\c:\flrxlfx.exec:\flrxlfx.exe111⤵
- System Location Discovery: System Language Discovery
PID:4168 -
\??\c:\nbnhhb.exec:\nbnhhb.exe112⤵PID:4616
-
\??\c:\7vpdp.exec:\7vpdp.exe113⤵PID:3652
-
\??\c:\djpdp.exec:\djpdp.exe114⤵PID:4996
-
\??\c:\7fxlxrl.exec:\7fxlxrl.exe115⤵PID:2876
-
\??\c:\3tnnbn.exec:\3tnnbn.exe116⤵PID:4896
-
\??\c:\jddvp.exec:\jddvp.exe117⤵PID:2216
-
\??\c:\frffrll.exec:\frffrll.exe118⤵PID:3640
-
\??\c:\rflxlfx.exec:\rflxlfx.exe119⤵PID:4756
-
\??\c:\bttnbt.exec:\bttnbt.exe120⤵PID:4492
-
\??\c:\dvppv.exec:\dvppv.exe121⤵PID:4000
-
\??\c:\xlrfrlx.exec:\xlrfrlx.exe122⤵PID:3696