Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/12/2024, 23:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7f65c29402684cb08fd0157df0f765e0d3142f0dfa0dd71c6c0e1fc3016ce084.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
7f65c29402684cb08fd0157df0f765e0d3142f0dfa0dd71c6c0e1fc3016ce084.exe
-
Size
455KB
-
MD5
7f0e082ecf12f780f656a1f600435a80
-
SHA1
ed1a01ac895d11d94a3bf0caa6c1654a8103c546
-
SHA256
7f65c29402684cb08fd0157df0f765e0d3142f0dfa0dd71c6c0e1fc3016ce084
-
SHA512
120acb9c99c7a5dbcbfcf0b7b719ba99fa32d25b0f3f9097e87eb8508396d07f99bf88c751c1f259a5a2a58ca03f872f1a8370b8ed70a7a13c4b35ea07cc7f31
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRC:q7Tc2NYHUrAwfMp3CDRC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/956-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2512-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1180-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-914-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-998-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-1350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-1610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5072 lfrlffx.exe 1876 lfllffx.exe 4400 lxfxxrl.exe 4892 7hbtnn.exe 3772 3jjdv.exe 1384 xxfxxxx.exe 3144 lxrrlfr.exe 4812 hntnbt.exe 2592 vjvpd.exe 1128 rfxxfxl.exe 4388 rlxlfxl.exe 1544 thnhhh.exe 2516 1jdvp.exe 1440 lflfxrf.exe 2116 pjjvv.exe 4780 xrlrllf.exe 4568 jvpjp.exe 2972 ttbnbt.exe 2896 vpvpd.exe 4736 rlrlxrf.exe 4688 bnnnhb.exe 4456 btthtn.exe 3248 bthtbh.exe 4576 tnhthb.exe 4648 hhbnbt.exe 1740 fffxlfx.exe 1476 pvvjv.exe 2512 bbbnbt.exe 4496 vddpj.exe 3136 7xxrffr.exe 1620 dvvjd.exe 3412 hbbnbh.exe 3768 jdjdj.exe 2220 xlxlrll.exe 4416 bhbnht.exe 1572 fxlxlfx.exe 1536 hbtthh.exe 368 hbhbnh.exe 4420 flrffxl.exe 1668 ntttnn.exe 4644 dvddp.exe 2984 5vpjv.exe 4188 3xlfxxr.exe 4040 bttnnh.exe 816 vvpjd.exe 2212 lrxrffx.exe 4372 hhhbtt.exe 824 dvpjd.exe 4060 vdjdp.exe 956 htbnhb.exe 1980 vpvpv.exe 1876 xrxrffr.exe 1640 frrxlrl.exe 3984 thhbnh.exe 820 pddpd.exe 2364 xrrlfxr.exe 1956 btttnn.exe 4052 pdvjv.exe 1112 rfrxlfl.exe 4828 7fxrfxr.exe 3912 hbnbbt.exe 3016 jjpdp.exe 1680 xxfxrlf.exe 1524 5bbbtt.exe -
resource yara_rule behavioral2/memory/956-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-186-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2220-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4980-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-914-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-998-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-1101-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 956 wrote to memory of 5072 956 7f65c29402684cb08fd0157df0f765e0d3142f0dfa0dd71c6c0e1fc3016ce084.exe 82 PID 956 wrote to memory of 5072 956 7f65c29402684cb08fd0157df0f765e0d3142f0dfa0dd71c6c0e1fc3016ce084.exe 82 PID 956 wrote to memory of 5072 956 7f65c29402684cb08fd0157df0f765e0d3142f0dfa0dd71c6c0e1fc3016ce084.exe 82 PID 5072 wrote to memory of 1876 5072 lfrlffx.exe 83 PID 5072 wrote to memory of 1876 5072 lfrlffx.exe 83 PID 5072 wrote to memory of 1876 5072 lfrlffx.exe 83 PID 1876 wrote to memory of 4400 1876 lfllffx.exe 84 PID 1876 wrote to memory of 4400 1876 lfllffx.exe 84 PID 1876 wrote to memory of 4400 1876 lfllffx.exe 84 PID 4400 wrote to memory of 4892 4400 lxfxxrl.exe 85 PID 4400 wrote to memory of 4892 4400 lxfxxrl.exe 85 PID 4400 wrote to memory of 4892 4400 lxfxxrl.exe 85 PID 4892 wrote to memory of 3772 4892 7hbtnn.exe 86 PID 4892 wrote to memory of 3772 4892 7hbtnn.exe 86 PID 4892 wrote to memory of 3772 4892 7hbtnn.exe 86 PID 3772 wrote to memory of 1384 3772 3jjdv.exe 87 PID 3772 wrote to memory of 1384 3772 3jjdv.exe 87 PID 3772 wrote to memory of 1384 3772 3jjdv.exe 87 PID 1384 wrote to memory of 3144 1384 xxfxxxx.exe 88 PID 1384 wrote to memory of 3144 1384 xxfxxxx.exe 88 PID 1384 wrote to memory of 3144 1384 xxfxxxx.exe 88 PID 3144 wrote to memory of 4812 3144 lxrrlfr.exe 89 PID 3144 wrote to memory of 4812 3144 lxrrlfr.exe 89 PID 3144 wrote to memory of 4812 3144 lxrrlfr.exe 89 PID 4812 wrote to memory of 2592 4812 hntnbt.exe 90 PID 4812 wrote to memory of 2592 4812 hntnbt.exe 90 PID 4812 wrote to memory of 2592 4812 hntnbt.exe 90 PID 2592 wrote to memory of 1128 2592 vjvpd.exe 91 PID 2592 wrote to memory of 1128 2592 vjvpd.exe 91 PID 2592 wrote to memory of 1128 2592 vjvpd.exe 91 PID 1128 wrote to memory of 4388 1128 rfxxfxl.exe 92 PID 1128 wrote to memory of 4388 1128 rfxxfxl.exe 92 PID 1128 wrote to memory of 4388 1128 rfxxfxl.exe 92 PID 4388 wrote to memory of 1544 4388 rlxlfxl.exe 93 PID 4388 
wrote to memory of 1544 4388 rlxlfxl.exe 93 PID 4388 wrote to memory of 1544 4388 rlxlfxl.exe 93 PID 1544 wrote to memory of 2516 1544 thnhhh.exe 94 PID 1544 wrote to memory of 2516 1544 thnhhh.exe 94 PID 1544 wrote to memory of 2516 1544 thnhhh.exe 94 PID 2516 wrote to memory of 1440 2516 1jdvp.exe 95 PID 2516 wrote to memory of 1440 2516 1jdvp.exe 95 PID 2516 wrote to memory of 1440 2516 1jdvp.exe 95 PID 1440 wrote to memory of 2116 1440 lflfxrf.exe 96 PID 1440 wrote to memory of 2116 1440 lflfxrf.exe 96 PID 1440 wrote to memory of 2116 1440 lflfxrf.exe 96 PID 2116 wrote to memory of 4780 2116 pjjvv.exe 97 PID 2116 wrote to memory of 4780 2116 pjjvv.exe 97 PID 2116 wrote to memory of 4780 2116 pjjvv.exe 97 PID 4780 wrote to memory of 4568 4780 xrlrllf.exe 98 PID 4780 wrote to memory of 4568 4780 xrlrllf.exe 98 PID 4780 wrote to memory of 4568 4780 xrlrllf.exe 98 PID 4568 wrote to memory of 2972 4568 jvpjp.exe 99 PID 4568 wrote to memory of 2972 4568 jvpjp.exe 99 PID 4568 wrote to memory of 2972 4568 jvpjp.exe 99 PID 2972 wrote to memory of 2896 2972 ttbnbt.exe 100 PID 2972 wrote to memory of 2896 2972 ttbnbt.exe 100 PID 2972 wrote to memory of 2896 2972 ttbnbt.exe 100 PID 2896 wrote to memory of 4736 2896 vpvpd.exe 101 PID 2896 wrote to memory of 4736 2896 vpvpd.exe 101 PID 2896 wrote to memory of 4736 2896 vpvpd.exe 101 PID 4736 wrote to memory of 4688 4736 rlrlxrf.exe 102 PID 4736 wrote to memory of 4688 4736 rlrlxrf.exe 102 PID 4736 wrote to memory of 4688 4736 rlrlxrf.exe 102 PID 4688 wrote to memory of 4456 4688 bnnnhb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f65c29402684cb08fd0157df0f765e0d3142f0dfa0dd71c6c0e1fc3016ce084.exe"C:\Users\Admin\AppData\Local\Temp\7f65c29402684cb08fd0157df0f765e0d3142f0dfa0dd71c6c0e1fc3016ce084.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\lfrlffx.exec:\lfrlffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\lfllffx.exec:\lfllffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\lxfxxrl.exec:\lxfxxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\7hbtnn.exec:\7hbtnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\3jjdv.exec:\3jjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\lxrrlfr.exec:\lxrrlfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\hntnbt.exec:\hntnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\vjvpd.exec:\vjvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\rfxxfxl.exec:\rfxxfxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\rlxlfxl.exec:\rlxlfxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\thnhhh.exec:\thnhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\1jdvp.exec:\1jdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\lflfxrf.exec:\lflfxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\pjjvv.exec:\pjjvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\xrlrllf.exec:\xrlrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\jvpjp.exec:\jvpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\ttbnbt.exec:\ttbnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\vpvpd.exec:\vpvpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\rlrlxrf.exec:\rlrlxrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\bnnnhb.exec:\bnnnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\btthtn.exec:\btthtn.exe23⤵
- Executes dropped EXE
PID:4456 -
\??\c:\bthtbh.exec:\bthtbh.exe24⤵
- Executes dropped EXE
PID:3248 -
\??\c:\tnhthb.exec:\tnhthb.exe25⤵
- Executes dropped EXE
PID:4576 -
\??\c:\hhbnbt.exec:\hhbnbt.exe26⤵
- Executes dropped EXE
PID:4648 -
\??\c:\fffxlfx.exec:\fffxlfx.exe27⤵
- Executes dropped EXE
PID:1740 -
\??\c:\pvvjv.exec:\pvvjv.exe28⤵
- Executes dropped EXE
PID:1476 -
\??\c:\bbbnbt.exec:\bbbnbt.exe29⤵
- Executes dropped EXE
PID:2512 -
\??\c:\vddpj.exec:\vddpj.exe30⤵
- Executes dropped EXE
PID:4496 -
\??\c:\7xxrffr.exec:\7xxrffr.exe31⤵
- Executes dropped EXE
PID:3136 -
\??\c:\dvvjd.exec:\dvvjd.exe32⤵
- Executes dropped EXE
PID:1620 -
\??\c:\hbbnbh.exec:\hbbnbh.exe33⤵
- Executes dropped EXE
PID:3412 -
\??\c:\jdjdj.exec:\jdjdj.exe34⤵
- Executes dropped EXE
PID:3768 -
\??\c:\xlxlrll.exec:\xlxlrll.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2220 -
\??\c:\bhbnht.exec:\bhbnht.exe36⤵
- Executes dropped EXE
PID:4416 -
\??\c:\fxlxlfx.exec:\fxlxlfx.exe37⤵
- Executes dropped EXE
PID:1572 -
\??\c:\hbtthh.exec:\hbtthh.exe38⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hbhbnh.exec:\hbhbnh.exe39⤵
- Executes dropped EXE
PID:368 -
\??\c:\flrffxl.exec:\flrffxl.exe40⤵
- Executes dropped EXE
PID:4420 -
\??\c:\ntttnn.exec:\ntttnn.exe41⤵
- Executes dropped EXE
PID:1668 -
\??\c:\dvddp.exec:\dvddp.exe42⤵
- Executes dropped EXE
PID:4644 -
\??\c:\5vpjv.exec:\5vpjv.exe43⤵
- Executes dropped EXE
PID:2984 -
\??\c:\3xlfxxr.exec:\3xlfxxr.exe44⤵
- Executes dropped EXE
PID:4188 -
\??\c:\bttnnh.exec:\bttnnh.exe45⤵
- Executes dropped EXE
PID:4040 -
\??\c:\vvpjd.exec:\vvpjd.exe46⤵
- Executes dropped EXE
PID:816 -
\??\c:\lrxrffx.exec:\lrxrffx.exe47⤵
- Executes dropped EXE
PID:2212 -
\??\c:\hhhbtt.exec:\hhhbtt.exe48⤵
- Executes dropped EXE
PID:4372 -
\??\c:\dvpjd.exec:\dvpjd.exe49⤵
- Executes dropped EXE
PID:824 -
\??\c:\vdjdp.exec:\vdjdp.exe50⤵
- Executes dropped EXE
PID:4060 -
\??\c:\xxfrffx.exec:\xxfrffx.exe51⤵PID:5032
-
\??\c:\htbnhb.exec:\htbnhb.exe52⤵
- Executes dropped EXE
PID:956 -
\??\c:\vpvpv.exec:\vpvpv.exe53⤵
- Executes dropped EXE
PID:1980 -
\??\c:\xrxrffr.exec:\xrxrffr.exe54⤵
- Executes dropped EXE
PID:1876 -
\??\c:\frrxlrl.exec:\frrxlrl.exe55⤵
- Executes dropped EXE
PID:1640 -
\??\c:\thhbnh.exec:\thhbnh.exe56⤵
- Executes dropped EXE
PID:3984 -
\??\c:\pddpd.exec:\pddpd.exe57⤵
- Executes dropped EXE
PID:820 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe58⤵
- Executes dropped EXE
PID:2364 -
\??\c:\btttnn.exec:\btttnn.exe59⤵
- Executes dropped EXE
PID:1956 -
\??\c:\pdvjv.exec:\pdvjv.exe60⤵
- Executes dropped EXE
PID:4052 -
\??\c:\rfrxlfl.exec:\rfrxlfl.exe61⤵
- Executes dropped EXE
PID:1112 -
\??\c:\7fxrfxr.exec:\7fxrfxr.exe62⤵
- Executes dropped EXE
PID:4828 -
\??\c:\hbnbbt.exec:\hbnbbt.exe63⤵
- Executes dropped EXE
PID:3912 -
\??\c:\jjpdp.exec:\jjpdp.exe64⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe65⤵
- Executes dropped EXE
PID:1680 -
\??\c:\5bbbtt.exec:\5bbbtt.exe66⤵
- Executes dropped EXE
PID:1524 -
\??\c:\jvvjd.exec:\jvvjd.exe67⤵PID:2440
-
\??\c:\djppj.exec:\djppj.exe68⤵PID:948
-
\??\c:\xrfxllr.exec:\xrfxllr.exe69⤵PID:1180
-
\??\c:\nbnbbt.exec:\nbnbbt.exe70⤵PID:4968
-
\??\c:\vjpjd.exec:\vjpjd.exe71⤵PID:216
-
\??\c:\dpppv.exec:\dpppv.exe72⤵PID:3304
-
\??\c:\frrfxlx.exec:\frrfxlx.exe73⤵PID:1744
-
\??\c:\7xxrfxr.exec:\7xxrfxr.exe74⤵PID:1320
-
\??\c:\tnntnh.exec:\tnntnh.exe75⤵PID:3648
-
\??\c:\5pvjv.exec:\5pvjv.exe76⤵PID:5084
-
\??\c:\frrfxrf.exec:\frrfxrf.exe77⤵PID:3100
-
\??\c:\bhthth.exec:\bhthth.exe78⤵PID:1836
-
\??\c:\dppdp.exec:\dppdp.exe79⤵PID:3208
-
\??\c:\pjjdv.exec:\pjjdv.exe80⤵PID:444
-
\??\c:\fxrlffx.exec:\fxrlffx.exe81⤵PID:4584
-
\??\c:\hbbbht.exec:\hbbbht.exe82⤵PID:3920
-
\??\c:\5djdv.exec:\5djdv.exe83⤵PID:4980
-
\??\c:\lrxfxrl.exec:\lrxfxrl.exe84⤵PID:4456
-
\??\c:\nbhtnn.exec:\nbhtnn.exe85⤵PID:4296
-
\??\c:\1jdvp.exec:\1jdvp.exe86⤵PID:4988
-
\??\c:\jdvpj.exec:\jdvpj.exe87⤵PID:4704
-
\??\c:\fxlfllr.exec:\fxlfllr.exe88⤵PID:4460
-
\??\c:\hbbtnt.exec:\hbbtnt.exe89⤵PID:1504
-
\??\c:\3vjvv.exec:\3vjvv.exe90⤵PID:1260
-
\??\c:\fllxrxr.exec:\fllxrxr.exe91⤵PID:2512
-
\??\c:\xrxrrll.exec:\xrxrrll.exe92⤵PID:3104
-
\??\c:\htnhbt.exec:\htnhbt.exe93⤵PID:1488
-
\??\c:\pjpjp.exec:\pjpjp.exe94⤵PID:4528
-
\??\c:\rffxlrl.exec:\rffxlrl.exe95⤵PID:3180
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe96⤵PID:3412
-
\??\c:\hnthtn.exec:\hnthtn.exe97⤵PID:320
-
\??\c:\jvjdp.exec:\jvjdp.exe98⤵PID:3204
-
\??\c:\llfrlfx.exec:\llfrlfx.exe99⤵PID:4512
-
\??\c:\nbhbbt.exec:\nbhbbt.exe100⤵PID:1612
-
\??\c:\7vpjv.exec:\7vpjv.exe101⤵PID:2088
-
\??\c:\lfllxrr.exec:\lfllxrr.exe102⤵PID:1536
-
\??\c:\tbhbnh.exec:\tbhbnh.exe103⤵PID:368
-
\??\c:\vjpdv.exec:\vjpdv.exe104⤵PID:2748
-
\??\c:\dddvv.exec:\dddvv.exe105⤵PID:788
-
\??\c:\llfrlfx.exec:\llfrlfx.exe106⤵PID:2064
-
\??\c:\rllrrlr.exec:\rllrrlr.exe107⤵PID:3112
-
\??\c:\jvdpd.exec:\jvdpd.exe108⤵PID:1376
-
\??\c:\jddpd.exec:\jddpd.exe109⤵PID:4444
-
\??\c:\7lfxllx.exec:\7lfxllx.exe110⤵PID:1628
-
\??\c:\5bhtnb.exec:\5bhtnb.exe111⤵PID:1564
-
\??\c:\pjdvp.exec:\pjdvp.exe112⤵PID:2912
-
\??\c:\fxlffxf.exec:\fxlffxf.exe113⤵PID:864
-
\??\c:\5tnhnn.exec:\5tnhnn.exe114⤵PID:1780
-
\??\c:\tthtnh.exec:\tthtnh.exe115⤵PID:5048
-
\??\c:\jvdvd.exec:\jvdvd.exe116⤵PID:5072
-
\??\c:\rlrlrrr.exec:\rlrlrrr.exe117⤵PID:756
-
\??\c:\3hhhbb.exec:\3hhhbb.exe118⤵PID:2524
-
\??\c:\bthtbt.exec:\bthtbt.exe119⤵PID:2724
-
\??\c:\ddpjp.exec:\ddpjp.exe120⤵PID:1832
-
\??\c:\rrxxrxl.exec:\rrxxrxl.exe121⤵PID:2816
-
\??\c:\hbbtbt.exec:\hbbtbt.exe122⤵PID:920
-