Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 00:27
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
83ecdb61aa4be397d1158ba61fc376200931168502162694350696ae07a2abd1.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
83ecdb61aa4be397d1158ba61fc376200931168502162694350696ae07a2abd1.exe
-
Size
454KB
-
MD5
3860349dc828caa159a980ff515ced7a
-
SHA1
a6c9539a393e8f21e53539243a679d6b9a62fc8f
-
SHA256
83ecdb61aa4be397d1158ba61fc376200931168502162694350696ae07a2abd1
-
SHA512
f97d8bbb88f60f1a138819a7e52711238aea8759746c5834535cf0dd9d8fcb3739009437c08cf48ce0fbb7f25aae5c02e289efa01a8dc4e019a9493ee5494167
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every match below covers the same 0x400000–0x42A000 image range in each dropped process, consistent with the dropped files being copies of one packed binary; the report does not list per-file hashes to confirm this)
resource yara_rule behavioral2/memory/2724-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4856-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3716-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-1126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-1292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3676-1818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the IoC list is capped at 64 entries; the process tree below continues to depth 122, so the real number of dropped executables is higher than shown here)
pid Process 1908 lxxrlxr.exe 3168 7rxrlfl.exe 316 jvvpj.exe 840 bnhbbt.exe 1380 lffxrlf.exe 1520 pvdvd.exe 4596 hnnbht.exe 1116 frrlfxr.exe 2452 nbhhbb.exe 2640 hntnbt.exe 1068 1pdvj.exe 3856 bhnbhb.exe 2524 9xrlfxr.exe 4504 nbthbb.exe 4664 rllfxrl.exe 1404 pddvj.exe 3992 jvvpd.exe 1428 xllfffx.exe 5024 nbthbt.exe 4220 1tnnhh.exe 3960 3ddvj.exe 3476 dppdv.exe 808 tnhbhb.exe 4860 vpppj.exe 4856 rrrrfxf.exe 1536 tbhhth.exe 4320 5xffxfx.exe 1960 vjjdp.exe 1644 nhhbbb.exe 4520 3rlfxlf.exe 4544 fllxrrl.exe 2804 vjpjd.exe 2324 thhtnn.exe 1608 jvpdp.exe 1628 1vpjv.exe 5076 rrrlxxr.exe 3572 hbtntn.exe 220 dpvpj.exe 4876 lllxlfr.exe 3584 9nbhbb.exe 2900 3pjdp.exe 1432 rxfrffx.exe 2192 ntthbt.exe 2808 bbhbtn.exe 2812 5jjdv.exe 3812 lxxrxrf.exe 2156 thnbtn.exe 836 hbbnhb.exe 732 vjvpd.exe 3760 lfxrxrx.exe 4316 btnhbb.exe 2392 jvvjj.exe 456 7vvdv.exe 1908 xffxlfx.exe 4252 1bbnbt.exe 1572 pvvpd.exe 2680 7pvpd.exe 4988 flfxrfl.exe 5068 hhntbb.exe 3716 1vpdv.exe 4868 5rlfllx.exe 1860 nnnhtn.exe 2880 djpjp.exe 4216 lfxflrl.exe -
resource yara_rule behavioral2/memory/2724-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1536-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-317-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4660-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-848-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTP 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Most entries below are attributed to "Process not Found", meaning the sandbox could not resolve the PID to a process name when the report was built — plausibly because each dropped child in this chain exits shortly after spawning the next one; the key reads are still part of the same execution chain.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes only into the child it has just spawned, matching the process tree below; a parent writing into its own freshly created child is also produced by ordinary process creation, so the indicator here is the long self-replicating chain rather than the API call on its own)
description pid Process procid_target PID 2724 wrote to memory of 1908 2724 83ecdb61aa4be397d1158ba61fc376200931168502162694350696ae07a2abd1.exe 82 PID 2724 wrote to memory of 1908 2724 83ecdb61aa4be397d1158ba61fc376200931168502162694350696ae07a2abd1.exe 82 PID 2724 wrote to memory of 1908 2724 83ecdb61aa4be397d1158ba61fc376200931168502162694350696ae07a2abd1.exe 82 PID 1908 wrote to memory of 3168 1908 lxxrlxr.exe 83 PID 1908 wrote to memory of 3168 1908 lxxrlxr.exe 83 PID 1908 wrote to memory of 3168 1908 lxxrlxr.exe 83 PID 3168 wrote to memory of 316 3168 7rxrlfl.exe 84 PID 3168 wrote to memory of 316 3168 7rxrlfl.exe 84 PID 3168 wrote to memory of 316 3168 7rxrlfl.exe 84 PID 316 wrote to memory of 840 316 jvvpj.exe 85 PID 316 wrote to memory of 840 316 jvvpj.exe 85 PID 316 wrote to memory of 840 316 jvvpj.exe 85 PID 840 wrote to memory of 1380 840 bnhbbt.exe 86 PID 840 wrote to memory of 1380 840 bnhbbt.exe 86 PID 840 wrote to memory of 1380 840 bnhbbt.exe 86 PID 1380 wrote to memory of 1520 1380 lffxrlf.exe 87 PID 1380 wrote to memory of 1520 1380 lffxrlf.exe 87 PID 1380 wrote to memory of 1520 1380 lffxrlf.exe 87 PID 1520 wrote to memory of 4596 1520 pvdvd.exe 88 PID 1520 wrote to memory of 4596 1520 pvdvd.exe 88 PID 1520 wrote to memory of 4596 1520 pvdvd.exe 88 PID 4596 wrote to memory of 1116 4596 hnnbht.exe 89 PID 4596 wrote to memory of 1116 4596 hnnbht.exe 89 PID 4596 wrote to memory of 1116 4596 hnnbht.exe 89 PID 1116 wrote to memory of 2452 1116 frrlfxr.exe 90 PID 1116 wrote to memory of 2452 1116 frrlfxr.exe 90 PID 1116 wrote to memory of 2452 1116 frrlfxr.exe 90 PID 2452 wrote to memory of 2640 2452 nbhhbb.exe 91 PID 2452 wrote to memory of 2640 2452 nbhhbb.exe 91 PID 2452 wrote to memory of 2640 2452 nbhhbb.exe 91 PID 2640 wrote to memory of 1068 2640 hntnbt.exe 92 PID 2640 wrote to memory of 1068 2640 hntnbt.exe 92 PID 2640 wrote to memory of 1068 2640 hntnbt.exe 92 PID 1068 wrote to memory of 3856 1068 1pdvj.exe 93 PID 1068 wrote to memory of 3856 
1068 1pdvj.exe 93 PID 1068 wrote to memory of 3856 1068 1pdvj.exe 93 PID 3856 wrote to memory of 2524 3856 bhnbhb.exe 94 PID 3856 wrote to memory of 2524 3856 bhnbhb.exe 94 PID 3856 wrote to memory of 2524 3856 bhnbhb.exe 94 PID 2524 wrote to memory of 4504 2524 9xrlfxr.exe 95 PID 2524 wrote to memory of 4504 2524 9xrlfxr.exe 95 PID 2524 wrote to memory of 4504 2524 9xrlfxr.exe 95 PID 4504 wrote to memory of 4664 4504 nbthbb.exe 96 PID 4504 wrote to memory of 4664 4504 nbthbb.exe 96 PID 4504 wrote to memory of 4664 4504 nbthbb.exe 96 PID 4664 wrote to memory of 1404 4664 rllfxrl.exe 97 PID 4664 wrote to memory of 1404 4664 rllfxrl.exe 97 PID 4664 wrote to memory of 1404 4664 rllfxrl.exe 97 PID 1404 wrote to memory of 3992 1404 pddvj.exe 98 PID 1404 wrote to memory of 3992 1404 pddvj.exe 98 PID 1404 wrote to memory of 3992 1404 pddvj.exe 98 PID 3992 wrote to memory of 1428 3992 jvvpd.exe 99 PID 3992 wrote to memory of 1428 3992 jvvpd.exe 99 PID 3992 wrote to memory of 1428 3992 jvvpd.exe 99 PID 1428 wrote to memory of 5024 1428 xllfffx.exe 100 PID 1428 wrote to memory of 5024 1428 xllfffx.exe 100 PID 1428 wrote to memory of 5024 1428 xllfffx.exe 100 PID 5024 wrote to memory of 4220 5024 nbthbt.exe 101 PID 5024 wrote to memory of 4220 5024 nbthbt.exe 101 PID 5024 wrote to memory of 4220 5024 nbthbt.exe 101 PID 4220 wrote to memory of 3960 4220 1tnnhh.exe 102 PID 4220 wrote to memory of 3960 4220 1tnnhh.exe 102 PID 4220 wrote to memory of 3960 4220 1tnnhh.exe 102 PID 3960 wrote to memory of 3476 3960 3ddvj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\83ecdb61aa4be397d1158ba61fc376200931168502162694350696ae07a2abd1.exe"C:\Users\Admin\AppData\Local\Temp\83ecdb61aa4be397d1158ba61fc376200931168502162694350696ae07a2abd1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\lxxrlxr.exec:\lxxrlxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\7rxrlfl.exec:\7rxrlfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\jvvpj.exec:\jvvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\bnhbbt.exec:\bnhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\lffxrlf.exec:\lffxrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\pvdvd.exec:\pvdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\hnnbht.exec:\hnnbht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\frrlfxr.exec:\frrlfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\nbhhbb.exec:\nbhhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\hntnbt.exec:\hntnbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\1pdvj.exec:\1pdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\bhnbhb.exec:\bhnbhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\9xrlfxr.exec:\9xrlfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\nbthbb.exec:\nbthbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\rllfxrl.exec:\rllfxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\pddvj.exec:\pddvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\jvvpd.exec:\jvvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\xllfffx.exec:\xllfffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\nbthbt.exec:\nbthbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\1tnnhh.exec:\1tnnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\3ddvj.exec:\3ddvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\dppdv.exec:\dppdv.exe23⤵
- Executes dropped EXE
PID:3476 -
\??\c:\tnhbhb.exec:\tnhbhb.exe24⤵
- Executes dropped EXE
PID:808 -
\??\c:\vpppj.exec:\vpppj.exe25⤵
- Executes dropped EXE
PID:4860 -
\??\c:\rrrrfxf.exec:\rrrrfxf.exe26⤵
- Executes dropped EXE
PID:4856 -
\??\c:\tbhhth.exec:\tbhhth.exe27⤵
- Executes dropped EXE
PID:1536 -
\??\c:\5xffxfx.exec:\5xffxfx.exe28⤵
- Executes dropped EXE
PID:4320 -
\??\c:\vjjdp.exec:\vjjdp.exe29⤵
- Executes dropped EXE
PID:1960 -
\??\c:\nhhbbb.exec:\nhhbbb.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644 -
\??\c:\3rlfxlf.exec:\3rlfxlf.exe31⤵
- Executes dropped EXE
PID:4520 -
\??\c:\fllxrrl.exec:\fllxrrl.exe32⤵
- Executes dropped EXE
PID:4544 -
\??\c:\vjpjd.exec:\vjpjd.exe33⤵
- Executes dropped EXE
PID:2804 -
\??\c:\thhtnn.exec:\thhtnn.exe34⤵
- Executes dropped EXE
PID:2324 -
\??\c:\jvpdp.exec:\jvpdp.exe35⤵
- Executes dropped EXE
PID:1608 -
\??\c:\1vpjv.exec:\1vpjv.exe36⤵
- Executes dropped EXE
PID:1628 -
\??\c:\rrrlxxr.exec:\rrrlxxr.exe37⤵
- Executes dropped EXE
PID:5076 -
\??\c:\hbtntn.exec:\hbtntn.exe38⤵
- Executes dropped EXE
PID:3572 -
\??\c:\dpvpj.exec:\dpvpj.exe39⤵
- Executes dropped EXE
PID:220 -
\??\c:\lllxlfr.exec:\lllxlfr.exe40⤵
- Executes dropped EXE
PID:4876 -
\??\c:\9nbhbb.exec:\9nbhbb.exe41⤵
- Executes dropped EXE
PID:3584 -
\??\c:\3pjdp.exec:\3pjdp.exe42⤵
- Executes dropped EXE
PID:2900 -
\??\c:\rxfrffx.exec:\rxfrffx.exe43⤵
- Executes dropped EXE
PID:1432 -
\??\c:\ntthbt.exec:\ntthbt.exe44⤵
- Executes dropped EXE
PID:2192 -
\??\c:\bbhbtn.exec:\bbhbtn.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
\??\c:\5jjdv.exec:\5jjdv.exe46⤵
- Executes dropped EXE
PID:2812 -
\??\c:\lxxrxrf.exec:\lxxrxrf.exe47⤵
- Executes dropped EXE
PID:3812 -
\??\c:\thnbtn.exec:\thnbtn.exe48⤵
- Executes dropped EXE
PID:2156 -
\??\c:\hbbnhb.exec:\hbbnhb.exe49⤵
- Executes dropped EXE
PID:836 -
\??\c:\vjvpd.exec:\vjvpd.exe50⤵
- Executes dropped EXE
PID:732 -
\??\c:\lfxrxrx.exec:\lfxrxrx.exe51⤵
- Executes dropped EXE
PID:3760 -
\??\c:\btnhbb.exec:\btnhbb.exe52⤵
- Executes dropped EXE
PID:4316 -
\??\c:\jvvjj.exec:\jvvjj.exe53⤵
- Executes dropped EXE
PID:2392 -
\??\c:\7vvdv.exec:\7vvdv.exe54⤵
- Executes dropped EXE
PID:456 -
\??\c:\xffxlfx.exec:\xffxlfx.exe55⤵
- Executes dropped EXE
PID:1908 -
\??\c:\1bbnbt.exec:\1bbnbt.exe56⤵
- Executes dropped EXE
PID:4252 -
\??\c:\pvvpd.exec:\pvvpd.exe57⤵
- Executes dropped EXE
PID:1572 -
\??\c:\7pvpd.exec:\7pvpd.exe58⤵
- Executes dropped EXE
PID:2680 -
\??\c:\flfxrfl.exec:\flfxrfl.exe59⤵
- Executes dropped EXE
PID:4988 -
\??\c:\hhntbb.exec:\hhntbb.exe60⤵
- Executes dropped EXE
PID:5068 -
\??\c:\1vpdv.exec:\1vpdv.exe61⤵
- Executes dropped EXE
PID:3716 -
\??\c:\5rlfllx.exec:\5rlfllx.exe62⤵
- Executes dropped EXE
PID:4868 -
\??\c:\nnnhtn.exec:\nnnhtn.exe63⤵
- Executes dropped EXE
PID:1860 -
\??\c:\djpjp.exec:\djpjp.exe64⤵
- Executes dropped EXE
PID:2880 -
\??\c:\lfxflrl.exec:\lfxflrl.exe65⤵
- Executes dropped EXE
PID:4216 -
\??\c:\thhhbh.exec:\thhhbh.exe66⤵PID:3968
-
\??\c:\vppjd.exec:\vppjd.exe67⤵PID:3388
-
\??\c:\xlrlllf.exec:\xlrlllf.exe68⤵PID:4456
-
\??\c:\nbbbtt.exec:\nbbbtt.exe69⤵PID:660
-
\??\c:\1pjdp.exec:\1pjdp.exe70⤵PID:2492
-
\??\c:\dpdpd.exec:\dpdpd.exe71⤵PID:4660
-
\??\c:\7llfflr.exec:\7llfflr.exe72⤵PID:368
-
\??\c:\3nbnbb.exec:\3nbnbb.exe73⤵PID:1260
-
\??\c:\djvpp.exec:\djvpp.exe74⤵PID:4504
-
\??\c:\pvdvj.exec:\pvdvj.exe75⤵PID:4608
-
\??\c:\fffxllf.exec:\fffxllf.exe76⤵PID:2280
-
\??\c:\bnbtnn.exec:\bnbtnn.exe77⤵PID:4344
-
\??\c:\5jdpj.exec:\5jdpj.exe78⤵PID:3992
-
\??\c:\3vvjd.exec:\3vvjd.exe79⤵PID:768
-
\??\c:\rflflll.exec:\rflflll.exe80⤵PID:1964
-
\??\c:\ttbnbt.exec:\ttbnbt.exe81⤵PID:5108
-
\??\c:\vjpvv.exec:\vjpvv.exe82⤵PID:3652
-
\??\c:\xrflrll.exec:\xrflrll.exe83⤵PID:1196
-
\??\c:\lfxrffx.exec:\lfxrffx.exe84⤵PID:764
-
\??\c:\3bthtt.exec:\3bthtt.exe85⤵PID:5004
-
\??\c:\pddvv.exec:\pddvv.exe86⤵PID:420
-
\??\c:\vvddv.exec:\vvddv.exe87⤵PID:4728
-
\??\c:\3flxlfr.exec:\3flxlfr.exe88⤵PID:4644
-
\??\c:\bhhbbt.exec:\bhhbbt.exe89⤵PID:3876
-
\??\c:\3dvpd.exec:\3dvpd.exe90⤵PID:2332
-
\??\c:\jvddv.exec:\jvddv.exe91⤵PID:2872
-
\??\c:\frlxxll.exec:\frlxxll.exe92⤵PID:4588
-
\??\c:\tnhtht.exec:\tnhtht.exe93⤵PID:2744
-
\??\c:\jdvpj.exec:\jdvpj.exe94⤵PID:4904
-
\??\c:\xrrlllf.exec:\xrrlllf.exe95⤵PID:3332
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe96⤵PID:2792
-
\??\c:\htthbb.exec:\htthbb.exe97⤵PID:5000
-
\??\c:\pjdvv.exec:\pjdvv.exe98⤵PID:5088
-
\??\c:\lfrlfrl.exec:\lfrlfrl.exe99⤵PID:2448
-
\??\c:\nbbnbt.exec:\nbbnbt.exe100⤵PID:2804
-
\??\c:\vvvvp.exec:\vvvvp.exe101⤵PID:2064
-
\??\c:\rlxxfxl.exec:\rlxxfxl.exe102⤵PID:1120
-
\??\c:\7bbnhb.exec:\7bbnhb.exe103⤵PID:1728
-
\??\c:\nthbhh.exec:\nthbhh.exe104⤵PID:3268
-
\??\c:\7jdvv.exec:\7jdvv.exe105⤵PID:3204
-
\??\c:\xlxlfxf.exec:\xlxlfxf.exe106⤵PID:4616
-
\??\c:\tnnnhh.exec:\tnnnhh.exe107⤵PID:4224
-
\??\c:\vpdvd.exec:\vpdvd.exe108⤵PID:4720
-
\??\c:\jvddv.exec:\jvddv.exe109⤵PID:3800
-
\??\c:\frfxllf.exec:\frfxllf.exe110⤵PID:3140
-
\??\c:\7thnbt.exec:\7thnbt.exe111⤵PID:4312
-
\??\c:\dvppj.exec:\dvppj.exe112⤵PID:2192
-
\??\c:\frrfrlx.exec:\frrfrlx.exe113⤵PID:520
-
\??\c:\lffrlfr.exec:\lffrlfr.exe114⤵PID:4416
-
\??\c:\1htnhb.exec:\1htnhb.exe115⤵PID:2428
-
\??\c:\jvdpd.exec:\jvdpd.exe116⤵PID:2476
-
\??\c:\xrrfrfx.exec:\xrrfrfx.exe117⤵PID:1072
-
\??\c:\hbtnhh.exec:\hbtnhh.exe118⤵PID:776
-
\??\c:\3pvpv.exec:\3pvpv.exe119⤵PID:4304
-
\??\c:\rrfxxrr.exec:\rrfxxrr.exe120⤵PID:4300
-
\??\c:\xlffxxr.exec:\xlffxxr.exe121⤵PID:4620
-
\??\c:\hhnntn.exec:\hhnntn.exe122⤵PID:440