Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
808f91658173c613b6f61664a018f1c64dbf206350e775922f7ac74290f65700.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
808f91658173c613b6f61664a018f1c64dbf206350e775922f7ac74290f65700.exe
-
Size
453KB
-
MD5
f179f37b553998161af1c2ce6dc4f906
-
SHA1
b1dae539d1ecb918e4d674dafbf40771937507d2
-
SHA256
808f91658173c613b6f61664a018f1c64dbf206350e775922f7ac74290f65700
-
SHA512
a44108ad09ecb3803abaa077b93cd3cca95a1de32d9b2192a37677dd68bb08dbae0b214a71b76b123645b78aa41168abb6cc59e2b4a7ac0bd1d5bf92d883f58f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4008-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4720-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1144-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-1148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-1170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-1674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-1765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3664-1823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1600 1lrfrfr.exe 832 djdpd.exe 4880 btnnhn.exe 4280 frxllxl.exe 400 9hhnth.exe 3788 jvjvv.exe 3128 rfxllfl.exe 3888 btnbtn.exe 4876 dvjdp.exe 1160 3hthtn.exe 2636 lrrfrfr.exe 1012 dddvj.exe 1280 lxrflfr.exe 1116 vdddd.exe 4968 rlrxlfr.exe 2788 vvvdd.exe 1432 jvpvj.exe 3448 3hnbtt.exe 3840 9jvjd.exe 5004 xrrfllr.exe 3652 jjjpj.exe 2120 fxxlrlx.exe 4840 bnbttn.exe 4616 5xfxfxr.exe 4720 bbbtnh.exe 1056 jvvjj.exe 1544 7fxrxrx.exe 3688 xlrlfxx.exe 4712 5bbnht.exe 1704 ddjdp.exe 1448 3hbtbb.exe 3216 dddpj.exe 1692 rllfxrl.exe 1700 bhhbtt.exe 4716 vpvpj.exe 2228 xrxrfff.exe 1032 1nttbh.exe 4440 hhnbbh.exe 1168 xxfrllf.exe 4924 bthbbt.exe 4124 bttnhh.exe 1424 7pdjj.exe 2796 1xxrxxx.exe 632 htbbbb.exe 4364 ppppd.exe 4312 9vdpj.exe 4088 llxrlff.exe 2164 nbhhhb.exe 4564 9jdvp.exe 4592 ppvpj.exe 2512 rlxfllr.exe 1204 ttttnh.exe 4532 vdpjd.exe 3256 9btnhb.exe 3788 dpvpj.exe 4844 rflxrrf.exe 216 bnthbb.exe 1332 tnnhhh.exe 1760 vdpvv.exe 3928 flfxllf.exe 3692 nbnnhh.exe 2264 7nbnbt.exe 4404 vppvp.exe 1404 xflfxlf.exe -
resource yara_rule behavioral2/memory/4008-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1056-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1420-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-859-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-900-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-1148-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4008 wrote to memory of 1600 4008 808f91658173c613b6f61664a018f1c64dbf206350e775922f7ac74290f65700.exe 82 PID 4008 wrote to memory of 1600 4008 808f91658173c613b6f61664a018f1c64dbf206350e775922f7ac74290f65700.exe 82 PID 4008 wrote to memory of 1600 4008 808f91658173c613b6f61664a018f1c64dbf206350e775922f7ac74290f65700.exe 82 PID 1600 wrote to memory of 832 1600 1lrfrfr.exe 83 PID 1600 wrote to memory of 832 1600 1lrfrfr.exe 83 PID 1600 wrote to memory of 832 1600 1lrfrfr.exe 83 PID 832 wrote to memory of 4880 832 djdpd.exe 84 PID 832 wrote to memory of 4880 832 djdpd.exe 84 PID 832 wrote to memory of 4880 832 djdpd.exe 84 PID 4880 wrote to memory of 4280 4880 btnnhn.exe 85 PID 4880 wrote to memory of 4280 4880 btnnhn.exe 85 PID 4880 wrote to memory of 4280 4880 btnnhn.exe 85 PID 4280 wrote to memory of 400 4280 frxllxl.exe 86 PID 4280 wrote to memory of 400 4280 frxllxl.exe 86 PID 4280 wrote to memory of 400 4280 frxllxl.exe 86 PID 400 wrote to memory of 3788 400 9hhnth.exe 87 PID 400 wrote to memory of 3788 400 9hhnth.exe 87 PID 400 wrote to memory of 3788 400 9hhnth.exe 87 PID 3788 wrote to memory of 3128 3788 jvjvv.exe 88 PID 3788 wrote to memory of 3128 3788 jvjvv.exe 88 PID 3788 wrote to memory of 3128 3788 jvjvv.exe 88 PID 3128 wrote to memory of 3888 3128 rfxllfl.exe 89 PID 3128 wrote to memory of 3888 3128 rfxllfl.exe 89 PID 3128 wrote to memory of 3888 3128 rfxllfl.exe 89 PID 3888 wrote to memory of 4876 3888 btnbtn.exe 90 PID 3888 wrote to memory of 4876 3888 btnbtn.exe 90 PID 3888 wrote to memory of 4876 3888 btnbtn.exe 90 PID 4876 wrote to memory of 1160 4876 dvjdp.exe 91 PID 4876 wrote to memory of 1160 4876 dvjdp.exe 91 PID 4876 wrote to memory of 1160 4876 dvjdp.exe 91 PID 1160 wrote to memory of 2636 1160 3hthtn.exe 92 PID 1160 wrote to memory of 2636 1160 3hthtn.exe 92 PID 1160 wrote to memory of 2636 1160 3hthtn.exe 92 PID 2636 wrote to memory of 1012 2636 lrrfrfr.exe 93 PID 2636 wrote to memory of 1012 
2636 lrrfrfr.exe 93 PID 2636 wrote to memory of 1012 2636 lrrfrfr.exe 93 PID 1012 wrote to memory of 1280 1012 dddvj.exe 94 PID 1012 wrote to memory of 1280 1012 dddvj.exe 94 PID 1012 wrote to memory of 1280 1012 dddvj.exe 94 PID 1280 wrote to memory of 1116 1280 lxrflfr.exe 95 PID 1280 wrote to memory of 1116 1280 lxrflfr.exe 95 PID 1280 wrote to memory of 1116 1280 lxrflfr.exe 95 PID 1116 wrote to memory of 4968 1116 vdddd.exe 96 PID 1116 wrote to memory of 4968 1116 vdddd.exe 96 PID 1116 wrote to memory of 4968 1116 vdddd.exe 96 PID 4968 wrote to memory of 2788 4968 rlrxlfr.exe 97 PID 4968 wrote to memory of 2788 4968 rlrxlfr.exe 97 PID 4968 wrote to memory of 2788 4968 rlrxlfr.exe 97 PID 2788 wrote to memory of 1432 2788 vvvdd.exe 98 PID 2788 wrote to memory of 1432 2788 vvvdd.exe 98 PID 2788 wrote to memory of 1432 2788 vvvdd.exe 98 PID 1432 wrote to memory of 3448 1432 jvpvj.exe 99 PID 1432 wrote to memory of 3448 1432 jvpvj.exe 99 PID 1432 wrote to memory of 3448 1432 jvpvj.exe 99 PID 3448 wrote to memory of 3840 3448 3hnbtt.exe 100 PID 3448 wrote to memory of 3840 3448 3hnbtt.exe 100 PID 3448 wrote to memory of 3840 3448 3hnbtt.exe 100 PID 3840 wrote to memory of 5004 3840 9jvjd.exe 101 PID 3840 wrote to memory of 5004 3840 9jvjd.exe 101 PID 3840 wrote to memory of 5004 3840 9jvjd.exe 101 PID 5004 wrote to memory of 3652 5004 xrrfllr.exe 102 PID 5004 wrote to memory of 3652 5004 xrrfllr.exe 102 PID 5004 wrote to memory of 3652 5004 xrrfllr.exe 102 PID 3652 wrote to memory of 2120 3652 jjjpj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\808f91658173c613b6f61664a018f1c64dbf206350e775922f7ac74290f65700.exe "C:\Users\Admin\AppData\Local\Temp\808f91658173c613b6f61664a018f1c64dbf206350e775922f7ac74290f65700.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\1lrfrfr.exe c:\1lrfrfr.exe 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\djdpd.exe c:\djdpd.exe 3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\btnnhn.exe c:\btnnhn.exe 4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\frxllxl.exe c:\frxllxl.exe 5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\9hhnth.exe c:\9hhnth.exe 6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\jvjvv.exe c:\jvjvv.exe 7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\rfxllfl.exe c:\rfxllfl.exe 8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\btnbtn.exe c:\btnbtn.exe 9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\dvjdp.exe c:\dvjdp.exe 10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\3hthtn.exe c:\3hthtn.exe 11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\lrrfrfr.exe c:\lrrfrfr.exe 12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\dddvj.exe c:\dddvj.exe 13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\lxrflfr.exe c:\lxrflfr.exe 14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\vdddd.exe c:\vdddd.exe 15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\rlrxlfr.exe c:\rlrxlfr.exe 16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\vvvdd.exe c:\vvvdd.exe 17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\jvpvj.exe c:\jvpvj.exe 18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\3hnbtt.exe c:\3hnbtt.exe 19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\9jvjd.exe c:\9jvjd.exe 20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\xrrfllr.exe c:\xrrfllr.exe 21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\jjjpj.exe c:\jjjpj.exe 22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\fxxlrlx.exe c:\fxxlrlx.exe 23⤵
- Executes dropped EXE
PID:2120 -
\??\c:\bnbttn.exe c:\bnbttn.exe 24⤵
- Executes dropped EXE
PID:4840 -
\??\c:\5xfxfxr.exe c:\5xfxfxr.exe 25⤵
- Executes dropped EXE
PID:4616 -
\??\c:\bbbtnh.exe c:\bbbtnh.exe 26⤵
- Executes dropped EXE
PID:4720 -
\??\c:\jvvjj.exe c:\jvvjj.exe 27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056 -
\??\c:\7fxrxrx.exe c:\7fxrxrx.exe 28⤵
- Executes dropped EXE
PID:1544 -
\??\c:\xlrlfxx.exe c:\xlrlfxx.exe 29⤵
- Executes dropped EXE
PID:3688 -
\??\c:\5bbnht.exe c:\5bbnht.exe 30⤵
- Executes dropped EXE
PID:4712 -
\??\c:\ddjdp.exe c:\ddjdp.exe 31⤵
- Executes dropped EXE
PID:1704 -
\??\c:\3hbtbb.exe c:\3hbtbb.exe 32⤵
- Executes dropped EXE
PID:1448 -
\??\c:\dddpj.exe c:\dddpj.exe 33⤵
- Executes dropped EXE
PID:3216 -
\??\c:\rllfxrl.exe c:\rllfxrl.exe 34⤵
- Executes dropped EXE
PID:1692 -
\??\c:\bhhbtt.exe c:\bhhbtt.exe 35⤵
- Executes dropped EXE
PID:1700 -
\??\c:\vpvpj.exe c:\vpvpj.exe 36⤵
- Executes dropped EXE
PID:4716 -
\??\c:\xrxrfff.exe c:\xrxrfff.exe 37⤵
- Executes dropped EXE
PID:2228 -
\??\c:\1nttbh.exe c:\1nttbh.exe 38⤵
- Executes dropped EXE
PID:1032 -
\??\c:\hhnbbh.exe c:\hhnbbh.exe 39⤵
- Executes dropped EXE
PID:4440 -
\??\c:\xxfrllf.exe c:\xxfrllf.exe 40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1168 -
\??\c:\bthbbt.exe c:\bthbbt.exe 41⤵
- Executes dropped EXE
PID:4924 -
\??\c:\bttnhh.exe c:\bttnhh.exe 42⤵
- Executes dropped EXE
PID:4124 -
\??\c:\7pdjj.exe c:\7pdjj.exe 43⤵
- Executes dropped EXE
PID:1424 -
\??\c:\1xxrxxx.exe c:\1xxrxxx.exe 44⤵
- Executes dropped EXE
PID:2796 -
\??\c:\htbbbb.exe c:\htbbbb.exe 45⤵
- Executes dropped EXE
PID:632 -
\??\c:\ppppd.exe c:\ppppd.exe 46⤵
- Executes dropped EXE
PID:4364 -
\??\c:\9vdpj.exe c:\9vdpj.exe 47⤵
- Executes dropped EXE
PID:4312 -
\??\c:\llxrlff.exe c:\llxrlff.exe 48⤵
- Executes dropped EXE
PID:4088 -
\??\c:\nbhhhb.exe c:\nbhhhb.exe 49⤵
- Executes dropped EXE
PID:2164 -
\??\c:\9jdvp.exe c:\9jdvp.exe 50⤵
- Executes dropped EXE
PID:4564 -
\??\c:\ppvpj.exe c:\ppvpj.exe 51⤵
- Executes dropped EXE
PID:4592 -
\??\c:\rlxfllr.exe c:\rlxfllr.exe 52⤵
- Executes dropped EXE
PID:2512 -
\??\c:\ttttnh.exe c:\ttttnh.exe 53⤵
- Executes dropped EXE
PID:1204 -
\??\c:\vdpjd.exe c:\vdpjd.exe 54⤵
- Executes dropped EXE
PID:4532 -
\??\c:\9btnhb.exe c:\9btnhb.exe 55⤵
- Executes dropped EXE
PID:3256 -
\??\c:\dpvpj.exe c:\dpvpj.exe 56⤵
- Executes dropped EXE
PID:3788 -
\??\c:\rflxrrf.exe c:\rflxrrf.exe 57⤵
- Executes dropped EXE
PID:4844 -
\??\c:\bnthbb.exe c:\bnthbb.exe 58⤵
- Executes dropped EXE
PID:216 -
\??\c:\tnnhhh.exe c:\tnnhhh.exe 59⤵
- Executes dropped EXE
PID:1332 -
\??\c:\vdpvv.exe c:\vdpvv.exe 60⤵
- Executes dropped EXE
PID:1760 -
\??\c:\flfxllf.exe c:\flfxllf.exe 61⤵
- Executes dropped EXE
PID:3928 -
\??\c:\nbnnhh.exe c:\nbnnhh.exe 62⤵
- Executes dropped EXE
PID:3692 -
\??\c:\7nbnbt.exe c:\7nbnbt.exe 63⤵
- Executes dropped EXE
PID:2264 -
\??\c:\vppvp.exe c:\vppvp.exe 64⤵
- Executes dropped EXE
PID:4404 -
\??\c:\xflfxlf.exe c:\xflfxlf.exe 65⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9ntnnh.exe c:\9ntnnh.exe 66⤵ PID:1144
-
\??\c:\vdjdd.exe c:\vdjdd.exe 67⤵ PID:1416
-
\??\c:\lxxlxrf.exe c:\lxxlxrf.exe 68⤵ PID:784
-
\??\c:\hthbnh.exe c:\hthbnh.exe 69⤵ PID:1652
-
\??\c:\5bbtnt.exe c:\5bbtnt.exe 70⤵ PID:2788
-
\??\c:\pvvpj.exe c:\pvvpj.exe 71⤵ PID:4828
-
\??\c:\lxxlxrf.exe c:\lxxlxrf.exe 72⤵ PID:1628
-
\??\c:\fffrlfr.exe c:\fffrlfr.exe 73⤵ PID:3448
-
\??\c:\tnnhnh.exe c:\tnnhnh.exe 74⤵ PID:756
-
\??\c:\vpdpp.exe c:\vpdpp.exe 75⤵ PID:1524
-
\??\c:\dddpd.exe c:\dddpd.exe 76⤵ PID:5004
-
\??\c:\fxlfrll.exe c:\fxlfrll.exe 77⤵ PID:1420
-
\??\c:\bntnnh.exe c:\bntnnh.exe 78⤵ PID:4220
-
\??\c:\dvpdp.exe c:\dvpdp.exe 79⤵ PID:1764
-
\??\c:\rrrlxrf.exe c:\rrrlxrf.exe 80⤵ PID:1556
-
\??\c:\7lrlrrr.exe c:\7lrlrrr.exe 81⤵ PID:5108
-
\??\c:\btttnn.exe c:\btttnn.exe 82⤵ PID:3808
-
\??\c:\jppjj.exe c:\jppjj.exe 83⤵ PID:1156
-
\??\c:\xrffffl.exe c:\xrffffl.exe 84⤵ PID:3188
-
\??\c:\nbhbbb.exe c:\nbhbbb.exe 85⤵ PID:3936
-
\??\c:\ntnnhh.exe c:\ntnnhh.exe 86⤵ PID:3688
-
\??\c:\vjvpv.exe c:\vjvpv.exe 87⤵ PID:2292
-
\??\c:\xrrrffr.exe c:\xrrrffr.exe 88⤵ PID:1188
-
\??\c:\bthbbb.exe c:\bthbbb.exe 89⤵ PID:1704
-
\??\c:\htbbtt.exe c:\htbbtt.exe 90⤵ PID:3408
-
\??\c:\vjvpv.exe c:\vjvpv.exe 91⤵ PID:2288
-
\??\c:\frffrrf.exe c:\frffrrf.exe 92⤵ PID:2076
-
\??\c:\bhnhnh.exe c:\bhnhnh.exe 93⤵ PID:1692
-
\??\c:\ttnhbt.exe c:\ttnhbt.exe 94⤵ PID:3644
-
\??\c:\ppvpd.exe c:\ppvpd.exe 95⤵ PID:3704
-
\??\c:\fxrlffx.exe c:\fxrlffx.exe 96⤵ PID:2980
-
\??\c:\tbnnhh.exe c:\tbnnhh.exe 97⤵ PID:2376
-
\??\c:\9bbhbn.exe c:\9bbhbn.exe 98⤵ PID:4808
-
\??\c:\pjppd.exe c:\pjppd.exe 99⤵ PID:4452
-
\??\c:\lrxfxfl.exe c:\lrxfxfl.exe 100⤵ PID:2680
-
\??\c:\rrrrflf.exe c:\rrrrflf.exe 101⤵ PID:4172
-
\??\c:\thhtnn.exe c:\thhtnn.exe 102⤵ PID:1104
-
\??\c:\9pvpv.exe c:\9pvpv.exe 103⤵ PID:4120
-
\??\c:\rrrrfff.exe c:\rrrrfff.exe 104⤵ PID:4428
-
\??\c:\7ffxlff.exe c:\7ffxlff.exe 105⤵ PID:4388
-
\??\c:\bhhbnn.exe c:\bhhbnn.exe 106⤵ PID:1388
-
\??\c:\vjjdd.exe c:\vjjdd.exe 107⤵ PID:2380
-
\??\c:\9lrlxxx.exe c:\9lrlxxx.exe 108⤵ PID:4088
-
\??\c:\nbhhbb.exe c:\nbhhbb.exe 109⤵ PID:3632
-
\??\c:\nhnntt.exe c:\nhnntt.exe 110⤵ PID:3604
-
\??\c:\3vvpj.exe c:\3vvpj.exe 111⤵ PID:1112
-
\??\c:\ffrrffr.exe c:\ffrrffr.exe 112⤵ PID:2560
-
\??\c:\bthnhb.exe c:\bthnhb.exe 113⤵ PID:1964
-
\??\c:\hhbbtt.exe c:\hhbbtt.exe 114⤵ PID:3060
-
\??\c:\jjjvj.exe c:\jjjvj.exe 115⤵ PID:3996
-
\??\c:\lfxlrlx.exe c:\lfxlrlx.exe 116⤵ PID:4748
-
\??\c:\xrrlfxr.exe c:\xrrlfxr.exe 117⤵ PID:3888
-
\??\c:\hnhthb.exe c:\hnhthb.exe 118⤵ PID:4896
-
\??\c:\pjppd.exe c:\pjppd.exe 119⤵ PID:684
-
\??\c:\djvdd.exe c:\djvdd.exe 120⤵ PID:4480
-
\??\c:\lxfxllr.exe c:\lxfxllr.exe 121⤵ PID:4912
-
\??\c:\hbhtbt.exe c:\hbhtbt.exe 122⤵ PID:2740