Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
25/08/2024, 00:22
Behavioral task
behavioral1
Sample
762d9a2a011e78ad7507d11e3db454a9db693371f85340c53b36f5ae611c05a7.exe
Resource
win7-20240704-en
6 signatures
150 seconds
General
-
Target
762d9a2a011e78ad7507d11e3db454a9db693371f85340c53b36f5ae611c05a7.exe
-
Size
489KB
-
MD5
c3156355465f843270ce4bd2b64e1924
-
SHA1
4053185936c2ef47ecff8f7461bd67290107b6e6
-
SHA256
762d9a2a011e78ad7507d11e3db454a9db693371f85340c53b36f5ae611c05a7
-
SHA512
0c41f948840bc7446b18afa1683c001351d8805708f251599c20d1bd15492825bf19e2ed55cb03261ef75ebd56be41b6c804805f5f919b6a9d6feee171505534
-
SSDEEP
6144:xcm4FmowdHoSkhraHcpOFltH4t+IDvSXrh5g8hZTydOAkOCOu0EajNVBZr6y2WXG:74wFHoSceFp3IDvSbh5nP+aiI
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4948-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3492-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2640-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/888-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4864 9tttnn.exe 4884 vjjdv.exe 3692 xxxrlfx.exe 3080 nnbnnh.exe 2540 hhnbtt.exe 2700 llrfxrl.exe 4748 vvpvp.exe 1076 xxxlxlr.exe 640 jjvpd.exe 1736 7jjdd.exe 4928 1vjjv.exe 1432 tbnhtn.exe 1556 xrxrrlr.exe 2152 tbhtnn.exe 540 7pvjj.exe 4876 7xxrfxl.exe 3804 1rfrfxl.exe 3612 7hbbth.exe 960 rflfrll.exe 3140 bbhbtn.exe 4572 vdvpd.exe 3492 lxlxlfx.exe 2600 nhbbtb.exe 1224 vdddv.exe 2732 fxfrlfl.exe 2548 9bnhtn.exe 1384 3vvjv.exe 4408 llfxxrr.exe 2712 ntbbtb.exe 2880 pjjpj.exe 3768 lflfrrf.exe 60 lllfrxr.exe 4244 tththb.exe 3512 pdvjv.exe 4224 5dddp.exe 4700 xlrfxxr.exe 5020 nhtnhh.exe 4972 7vvvd.exe 4488 lflffrr.exe 4468 frxlrll.exe 1244 7hbnbh.exe 1564 dpvjv.exe 4916 pjpdp.exe 3692 htbnbn.exe 1768 bhhhbt.exe 1944 vvvpd.exe 1824 flxlxrf.exe 1952 thbnhn.exe 1624 9vppj.exe 4292 xrxrlrl.exe 4676 nbthbb.exe 1884 7nhthb.exe 4540 ppjdv.exe 4816 7nhbtb.exe 2640 hbtnbt.exe 3292 vjjdp.exe 2688 xfrrxrl.exe 368 xfrfxrf.exe 4444 bnhnbn.exe 2784 vvvjj.exe 1732 xrxrxrx.exe 1760 9nnbhb.exe 3348 pjdvp.exe 928 rffxxlf.exe -
resource yara_rule behavioral2/memory/4948-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0008000000023486-3.dat upx behavioral2/memory/4948-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348a-9.dat upx behavioral2/files/0x000700000002348b-13.dat upx behavioral2/memory/3692-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348c-22.dat upx behavioral2/memory/3080-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348d-30.dat upx behavioral2/memory/3080-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348e-34.dat upx behavioral2/memory/2540-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002348f-40.dat upx behavioral2/memory/2700-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023490-47.dat upx behavioral2/memory/4748-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023491-56.dat upx behavioral2/files/0x0007000000023492-59.dat upx behavioral2/memory/1736-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023493-67.dat upx behavioral2/files/0x0007000000023494-71.dat upx behavioral2/memory/4928-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023495-79.dat upx behavioral2/memory/1432-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-87-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1556-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023496-84.dat upx behavioral2/files/0x0008000000023487-90.dat upx behavioral2/memory/540-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0007000000023497-97.dat upx behavioral2/files/0x0007000000023498-103.dat upx behavioral2/files/0x0007000000023499-110.dat upx behavioral2/memory/3804-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002349b-114.dat upx behavioral2/files/0x000700000002349c-122.dat upx behavioral2/files/0x000700000002349d-126.dat upx behavioral2/memory/4572-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002349e-132.dat upx behavioral2/memory/3492-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000700000002349f-139.dat upx behavioral2/memory/2600-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x00070000000234a0-145.dat upx behavioral2/memory/1224-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x00070000000234a1-151.dat upx behavioral2/files/0x00070000000234a2-157.dat upx behavioral2/files/0x00070000000234a3-159.dat upx behavioral2/memory/1384-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x00070000000234a4-167.dat upx behavioral2/memory/4408-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000b0000000233ec-174.dat upx behavioral2/files/0x00070000000234a5-177.dat upx 
behavioral2/memory/2712-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x00070000000234a6-184.dat upx behavioral2/memory/3768-186-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrll.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4948 wrote to memory of 4864 4948 762d9a2a011e78ad7507d11e3db454a9db693371f85340c53b36f5ae611c05a7.exe 84 PID 4948 wrote to memory of 4864 4948 762d9a2a011e78ad7507d11e3db454a9db693371f85340c53b36f5ae611c05a7.exe 84 PID 4948 wrote to memory of 4864 4948 762d9a2a011e78ad7507d11e3db454a9db693371f85340c53b36f5ae611c05a7.exe 84 PID 4864 wrote to memory of 4884 4864 9tttnn.exe 85 PID 4864 wrote to memory of 4884 4864 9tttnn.exe 85 PID 4864 wrote to memory of 4884 4864 9tttnn.exe 85 PID 4884 wrote to memory of 3692 4884 vjjdv.exe 86 PID 4884 wrote to memory of 3692 4884 vjjdv.exe 86 PID 4884 wrote to memory of 3692 4884 vjjdv.exe 86 PID 3692 wrote to memory of 3080 3692 xxxrlfx.exe 87 PID 3692 wrote to memory of 3080 3692 xxxrlfx.exe 87 PID 3692 wrote to memory of 3080 3692 xxxrlfx.exe 87 PID 3080 wrote to memory of 2540 3080 nnbnnh.exe 88 PID 3080 wrote to memory of 2540 3080 nnbnnh.exe 88 PID 3080 wrote to memory of 2540 3080 nnbnnh.exe 88 PID 2540 wrote to memory of 2700 2540 hhnbtt.exe 89 PID 2540 wrote to memory of 2700 2540 hhnbtt.exe 89 PID 2540 wrote to memory of 2700 2540 hhnbtt.exe 89 PID 2700 wrote to memory of 4748 2700 llrfxrl.exe 90 PID 2700 wrote to memory of 4748 2700 llrfxrl.exe 90 PID 2700 wrote to memory of 4748 2700 llrfxrl.exe 90 PID 4748 wrote to memory of 1076 4748 vvpvp.exe 91 PID 4748 wrote to memory of 1076 4748 vvpvp.exe 91 PID 4748 wrote to memory of 1076 4748 vvpvp.exe 91 PID 1076 wrote to memory of 640 1076 xxxlxlr.exe 92 PID 1076 wrote to memory of 640 1076 xxxlxlr.exe 92 PID 1076 wrote to memory of 640 1076 xxxlxlr.exe 92 PID 640 wrote to memory of 1736 640 jjvpd.exe 95 PID 640 wrote to memory of 1736 640 jjvpd.exe 95 PID 640 wrote to memory of 1736 640 jjvpd.exe 95 PID 1736 wrote to memory of 4928 1736 7jjdd.exe 96 PID 1736 wrote to memory of 4928 1736 7jjdd.exe 96 PID 1736 wrote to memory of 4928 1736 7jjdd.exe 96 PID 4928 wrote to memory of 1432 4928 1vjjv.exe 97 PID 4928 wrote to memory of 1432 
4928 1vjjv.exe 97 PID 4928 wrote to memory of 1432 4928 1vjjv.exe 97 PID 1432 wrote to memory of 1556 1432 tbnhtn.exe 99 PID 1432 wrote to memory of 1556 1432 tbnhtn.exe 99 PID 1432 wrote to memory of 1556 1432 tbnhtn.exe 99 PID 1556 wrote to memory of 2152 1556 xrxrrlr.exe 100 PID 1556 wrote to memory of 2152 1556 xrxrrlr.exe 100 PID 1556 wrote to memory of 2152 1556 xrxrrlr.exe 100 PID 2152 wrote to memory of 540 2152 tbhtnn.exe 101 PID 2152 wrote to memory of 540 2152 tbhtnn.exe 101 PID 2152 wrote to memory of 540 2152 tbhtnn.exe 101 PID 540 wrote to memory of 4876 540 7pvjj.exe 102 PID 540 wrote to memory of 4876 540 7pvjj.exe 102 PID 540 wrote to memory of 4876 540 7pvjj.exe 102 PID 4876 wrote to memory of 3804 4876 7xxrfxl.exe 103 PID 4876 wrote to memory of 3804 4876 7xxrfxl.exe 103 PID 4876 wrote to memory of 3804 4876 7xxrfxl.exe 103 PID 3804 wrote to memory of 3612 3804 1rfrfxl.exe 104 PID 3804 wrote to memory of 3612 3804 1rfrfxl.exe 104 PID 3804 wrote to memory of 3612 3804 1rfrfxl.exe 104 PID 3612 wrote to memory of 960 3612 7hbbth.exe 105 PID 3612 wrote to memory of 960 3612 7hbbth.exe 105 PID 3612 wrote to memory of 960 3612 7hbbth.exe 105 PID 960 wrote to memory of 3140 960 rflfrll.exe 106 PID 960 wrote to memory of 3140 960 rflfrll.exe 106 PID 960 wrote to memory of 3140 960 rflfrll.exe 106 PID 3140 wrote to memory of 4572 3140 bbhbtn.exe 107 PID 3140 wrote to memory of 4572 3140 bbhbtn.exe 107 PID 3140 wrote to memory of 4572 3140 bbhbtn.exe 107 PID 4572 wrote to memory of 3492 4572 vdvpd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\762d9a2a011e78ad7507d11e3db454a9db693371f85340c53b36f5ae611c05a7.exe"C:\Users\Admin\AppData\Local\Temp\762d9a2a011e78ad7507d11e3db454a9db693371f85340c53b36f5ae611c05a7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\9tttnn.exec:\9tttnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\vjjdv.exec:\vjjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\nnbnnh.exec:\nnbnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\hhnbtt.exec:\hhnbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\llrfxrl.exec:\llrfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\vvpvp.exec:\vvpvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\xxxlxlr.exec:\xxxlxlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\jjvpd.exec:\jjvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\7jjdd.exec:\7jjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\1vjjv.exec:\1vjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\tbnhtn.exec:\tbnhtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\tbhtnn.exec:\tbhtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\7pvjj.exec:\7pvjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\7xxrfxl.exec:\7xxrfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\1rfrfxl.exec:\1rfrfxl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\7hbbth.exec:\7hbbth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\rflfrll.exec:\rflfrll.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\bbhbtn.exec:\bbhbtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\vdvpd.exec:\vdvpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\lxlxlfx.exec:\lxlxlfx.exe23⤵
- Executes dropped EXE
PID:3492 -
\??\c:\nhbbtb.exec:\nhbbtb.exe24⤵
- Executes dropped EXE
PID:2600 -
\??\c:\vdddv.exec:\vdddv.exe25⤵
- Executes dropped EXE
PID:1224 -
\??\c:\fxfrlfl.exec:\fxfrlfl.exe26⤵
- Executes dropped EXE
PID:2732 -
\??\c:\9bnhtn.exec:\9bnhtn.exe27⤵
- Executes dropped EXE
PID:2548 -
\??\c:\3vvjv.exec:\3vvjv.exe28⤵
- Executes dropped EXE
PID:1384 -
\??\c:\llfxxrr.exec:\llfxxrr.exe29⤵
- Executes dropped EXE
PID:4408 -
\??\c:\ntbbtb.exec:\ntbbtb.exe30⤵
- Executes dropped EXE
PID:2712 -
\??\c:\pjjpj.exec:\pjjpj.exe31⤵
- Executes dropped EXE
PID:2880 -
\??\c:\lflfrrf.exec:\lflfrrf.exe32⤵
- Executes dropped EXE
PID:3768 -
\??\c:\lllfrxr.exec:\lllfrxr.exe33⤵
- Executes dropped EXE
PID:60 -
\??\c:\tththb.exec:\tththb.exe34⤵
- Executes dropped EXE
PID:4244 -
\??\c:\pdvjv.exec:\pdvjv.exe35⤵
- Executes dropped EXE
PID:3512 -
\??\c:\5dddp.exec:\5dddp.exe36⤵
- Executes dropped EXE
PID:4224 -
\??\c:\xlrfxxr.exec:\xlrfxxr.exe37⤵
- Executes dropped EXE
PID:4700 -
\??\c:\nhtnhh.exec:\nhtnhh.exe38⤵
- Executes dropped EXE
PID:5020 -
\??\c:\7vvvd.exec:\7vvvd.exe39⤵
- Executes dropped EXE
PID:4972 -
\??\c:\lflffrr.exec:\lflffrr.exe40⤵
- Executes dropped EXE
PID:4488 -
\??\c:\frxlrll.exec:\frxlrll.exe41⤵
- Executes dropped EXE
PID:4468 -
\??\c:\7hbnbh.exec:\7hbnbh.exe42⤵
- Executes dropped EXE
PID:1244 -
\??\c:\dpvjv.exec:\dpvjv.exe43⤵
- Executes dropped EXE
PID:1564 -
\??\c:\pjpdp.exec:\pjpdp.exe44⤵
- Executes dropped EXE
PID:4916 -
\??\c:\htbnbn.exec:\htbnbn.exe45⤵
- Executes dropped EXE
PID:3692 -
\??\c:\bhhhbt.exec:\bhhhbt.exe46⤵
- Executes dropped EXE
PID:1768 -
\??\c:\vvvpd.exec:\vvvpd.exe47⤵
- Executes dropped EXE
PID:1944 -
\??\c:\flxlxrf.exec:\flxlxrf.exe48⤵
- Executes dropped EXE
PID:1824 -
\??\c:\thbnhn.exec:\thbnhn.exe49⤵
- Executes dropped EXE
PID:1952 -
\??\c:\9vppj.exec:\9vppj.exe50⤵
- Executes dropped EXE
PID:1624 -
\??\c:\xrxrlrl.exec:\xrxrlrl.exe51⤵
- Executes dropped EXE
PID:4292 -
\??\c:\nbthbb.exec:\nbthbb.exe52⤵
- Executes dropped EXE
PID:4676 -
\??\c:\7nhthb.exec:\7nhthb.exe53⤵
- Executes dropped EXE
PID:1884 -
\??\c:\ppjdv.exec:\ppjdv.exe54⤵
- Executes dropped EXE
PID:4540 -
\??\c:\7nhbtb.exec:\7nhbtb.exe55⤵
- Executes dropped EXE
PID:4816 -
\??\c:\hbtnbt.exec:\hbtnbt.exe56⤵
- Executes dropped EXE
PID:2640 -
\??\c:\vjjdp.exec:\vjjdp.exe57⤵
- Executes dropped EXE
PID:3292 -
\??\c:\xfrrxrl.exec:\xfrrxrl.exe58⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xfrfxrf.exec:\xfrfxrf.exe59⤵
- Executes dropped EXE
PID:368 -
\??\c:\bnhnbn.exec:\bnhnbn.exe60⤵
- Executes dropped EXE
PID:4444 -
\??\c:\vvvjj.exec:\vvvjj.exe61⤵
- Executes dropped EXE
PID:2784 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe62⤵
- Executes dropped EXE
PID:1732 -
\??\c:\9nnbhb.exec:\9nnbhb.exe63⤵
- Executes dropped EXE
PID:1760 -
\??\c:\pjdvp.exec:\pjdvp.exe64⤵
- Executes dropped EXE
PID:3348 -
\??\c:\rffxxlf.exec:\rffxxlf.exe65⤵
- Executes dropped EXE
PID:928 -
\??\c:\fffrfxr.exec:\fffrfxr.exe66⤵PID:4680
-
\??\c:\thnbtb.exec:\thnbtb.exe67⤵PID:4976
-
\??\c:\7dvpv.exec:\7dvpv.exe68⤵PID:3048
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe69⤵PID:4148
-
\??\c:\rffxrll.exec:\rffxrll.exe70⤵PID:4752
-
\??\c:\hntnhb.exec:\hntnhb.exe71⤵PID:4480
-
\??\c:\hbbttt.exec:\hbbttt.exe72⤵PID:2976
-
\??\c:\vddpd.exec:\vddpd.exe73⤵PID:4980
-
\??\c:\lrlfxrl.exec:\lrlfxrl.exe74⤵PID:3084
-
\??\c:\lflfxrl.exec:\lflfxrl.exe75⤵PID:3188
-
\??\c:\bntnhh.exec:\bntnhh.exe76⤵PID:892
-
\??\c:\pvjdp.exec:\pvjdp.exe77⤵PID:624
-
\??\c:\jddpj.exec:\jddpj.exe78⤵PID:668
-
\??\c:\9xfxrrl.exec:\9xfxrrl.exe79⤵PID:1052
-
\??\c:\bnnhbh.exec:\bnnhbh.exe80⤵PID:2996
-
\??\c:\7ttnbt.exec:\7ttnbt.exe81⤵PID:4408
-
\??\c:\vdvjv.exec:\vdvjv.exe82⤵PID:4076
-
\??\c:\llffrrl.exec:\llffrrl.exe83⤵PID:4364
-
\??\c:\fxxrrlf.exec:\fxxrrlf.exe84⤵PID:4288
-
\??\c:\bbhbbb.exec:\bbhbbb.exe85⤵PID:1628
-
\??\c:\pjdpd.exec:\pjdpd.exe86⤵PID:2352
-
\??\c:\frxrfxf.exec:\frxrfxf.exe87⤵PID:2268
-
\??\c:\htbbbh.exec:\htbbbh.exe88⤵PID:4224
-
\??\c:\frfrxrx.exec:\frfrxrx.exe89⤵PID:1864
-
\??\c:\lxlxlfr.exec:\lxlxlfr.exe90⤵PID:1676
-
\??\c:\bbbbbb.exec:\bbbbbb.exe91⤵PID:4972
-
\??\c:\jppdv.exec:\jppdv.exe92⤵PID:4344
-
\??\c:\rrxrfll.exec:\rrxrfll.exe93⤵PID:4468
-
\??\c:\llfxrfx.exec:\llfxrfx.exe94⤵PID:4864
-
\??\c:\7nhthb.exec:\7nhthb.exe95⤵PID:1564
-
\??\c:\9pjjd.exec:\9pjjd.exe96⤵PID:4916
-
\??\c:\djdpj.exec:\djdpj.exe97⤵PID:880
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe98⤵PID:3420
-
\??\c:\tbthtn.exec:\tbthtn.exe99⤵PID:1944
-
\??\c:\nbnbnh.exec:\nbnbnh.exe100⤵PID:1956
-
\??\c:\jvjdv.exec:\jvjdv.exe101⤵PID:4732
-
\??\c:\fxxlfxl.exec:\fxxlfxl.exe102⤵PID:780
-
\??\c:\9fxlxrx.exec:\9fxlxrx.exe103⤵PID:4292
-
\??\c:\httthb.exec:\httthb.exe104⤵PID:3252
-
\??\c:\5ddvv.exec:\5ddvv.exe105⤵PID:1884
-
\??\c:\rxfxffr.exec:\rxfxffr.exe106⤵PID:3540
-
\??\c:\hhttbb.exec:\hhttbb.exe107⤵PID:1692
-
\??\c:\tttthn.exec:\tttthn.exe108⤵PID:2692
-
\??\c:\7dvjv.exec:\7dvjv.exe109⤵PID:556
-
\??\c:\xfxlfxr.exec:\xfxlfxr.exe110⤵PID:1576
-
\??\c:\5nhhtt.exec:\5nhhtt.exe111⤵PID:2552
-
\??\c:\vpvvj.exec:\vpvvj.exe112⤵PID:1556
-
\??\c:\dppjj.exec:\dppjj.exe113⤵PID:1708
-
\??\c:\xfxxrfx.exec:\xfxxrfx.exe114⤵PID:2132
-
\??\c:\7hbtnn.exec:\7hbtnn.exe115⤵PID:1500
-
\??\c:\thhbtt.exec:\thhbtt.exe116⤵PID:4820
-
\??\c:\vpvpj.exec:\vpvpj.exe117⤵PID:3544
-
\??\c:\jjjdp.exec:\jjjdp.exe118⤵PID:4692
-
\??\c:\rlrfrlf.exec:\rlrfrlf.exe119⤵PID:4148
-
\??\c:\thnhhh.exec:\thnhhh.exe120⤵PID:4480
-
\??\c:\dvvpj.exec:\dvvpj.exe121⤵PID:720
-
\??\c:\jvddp.exec:\jvddp.exe122⤵PID:3084