Analysis
-
max time kernel
120s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
26/08/2024, 04:15
Behavioral task
behavioral1
Sample
94e04c8fcd1408de38c83ca37d717d20N.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
94e04c8fcd1408de38c83ca37d717d20N.exe
-
Size
89KB
-
MD5
94e04c8fcd1408de38c83ca37d717d20
-
SHA1
ce05c79578cbc50fa4029d8e6a8765184769e107
-
SHA256
93eeba47e00f025cdb737a0818fdcd3adaa4da192b22a538a395d44ab20e2e82
-
SHA512
481d3fd7b436cad43a74c00604462cfcf19f5902920d62dc3fb16ffb4548d7ef3c49021a2401b8129c814ace0cbe28ea82a8eb044f933413c7737a46a9744f71
-
SSDEEP
1536:xvQBeOGtrYS3srx93UBWfwC6Ggnouy8q5kNJ8mGltIIgKsQRVUVMkOkp:xhOmTsF93UYfwC6GIoutqiJ8mqtbfUVj
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4764-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2756-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1416-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1420-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/860-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2760-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1380-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2628-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3260-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4752-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2536-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/344-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1456-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4064-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1376-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/844-432-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-478-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1040-551-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/972-555-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-574-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/780-727-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-839-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-873-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2448-994-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/228-1606-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2756 jjjdj.exe 2740 jpdpj.exe 4108 lfffrrl.exe 2656 djpjd.exe 1416 5ppjv.exe 1420 3rlxrfx.exe 1644 hhbbtb.exe 4816 5vdvd.exe 404 fxfffll.exe 4532 nnnhbt.exe 4636 bnttnn.exe 3240 jdvpj.exe 4436 5jpjd.exe 1092 9hnhhh.exe 4060 1ttnbh.exe 4244 pjvpj.exe 860 dpdvj.exe 2760 xrrlrxr.exe 4984 9tbbtn.exe 1380 vpjdv.exe 5056 vvdpj.exe 2648 llxrlfx.exe 2628 5ntnnn.exe 1528 htbttt.exe 4064 dpdpp.exe 3260 frlfrll.exe 1524 9xrllff.exe 228 nhhtnn.exe 2700 9ntnbb.exe 1128 lrrlxxr.exe 3520 nhbbbh.exe 4752 hhtttt.exe 3560 3djdp.exe 1796 9rrlfxr.exe 4660 7rlxlff.exe 3352 3ttnbt.exe 2332 vdpjv.exe 4456 llxxrlf.exe 4840 1lrlrlr.exe 4724 1hbnhb.exe 4296 pvvjd.exe 2536 rrlllxr.exe 5096 rffllrr.exe 400 1tnnbn.exe 3540 hnntnh.exe 2916 pvvpj.exe 3448 1vvpd.exe 344 fxfxxxf.exe 3224 1llfxxr.exe 1352 bbbbtn.exe 2644 nbnnhn.exe 1852 ppjjd.exe 4872 frrlffx.exe 4940 7rrlxrl.exe 1732 bnbtnt.exe 4436 hhbbbh.exe 4072 vvvpj.exe 4012 1dvvj.exe 3068 flxxrrf.exe 2964 3rxrffx.exe 4480 nbtnnn.exe 860 jvvpd.exe 2760 3pvjj.exe 3976 xffxfff.exe -
resource yara_rule behavioral2/memory/4764-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00090000000234b1-4.dat upx behavioral2/memory/2756-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4764-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00090000000234c7-10.dat upx behavioral2/memory/2756-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cc-14.dat upx behavioral2/memory/2740-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cd-22.dat upx behavioral2/memory/4108-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ce-28.dat upx behavioral2/memory/2656-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234cf-34.dat upx behavioral2/memory/1416-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d0-40.dat upx behavioral2/memory/1420-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1644-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d1-47.dat upx behavioral2/files/0x00070000000234d2-51.dat upx behavioral2/memory/4816-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d3-56.dat upx behavioral2/memory/404-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d4-63.dat upx behavioral2/memory/4532-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d5-68.dat upx behavioral2/memory/4636-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3240-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d6-78.dat upx behavioral2/memory/3240-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d7-81.dat upx 
behavioral2/memory/4436-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d9-93.dat upx behavioral2/memory/1092-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d8-88.dat upx behavioral2/files/0x00070000000234da-98.dat upx behavioral2/memory/4244-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234db-103.dat upx behavioral2/memory/2760-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/860-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234dc-110.dat upx behavioral2/memory/2760-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234dd-116.dat upx behavioral2/files/0x00070000000234de-121.dat upx behavioral2/memory/1380-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234df-127.dat upx behavioral2/memory/5056-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e0-133.dat upx behavioral2/memory/2628-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e1-139.dat upx behavioral2/files/0x00070000000234e2-144.dat upx behavioral2/files/0x00070000000234e3-150.dat upx behavioral2/files/0x00070000000234e4-154.dat upx behavioral2/memory/3260-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e5-160.dat upx behavioral2/memory/1524-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/228-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e6-167.dat upx behavioral2/files/0x00080000000234c8-172.dat upx behavioral2/memory/2700-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e7-179.dat upx behavioral2/files/0x00070000000234e8-183.dat upx 
behavioral2/memory/3520-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4752-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3560-194-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflrfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4764 wrote to memory of 2756 4764 94e04c8fcd1408de38c83ca37d717d20N.exe 84 PID 4764 wrote to memory of 2756 4764 94e04c8fcd1408de38c83ca37d717d20N.exe 84 PID 4764 wrote to memory of 2756 4764 94e04c8fcd1408de38c83ca37d717d20N.exe 84 PID 2756 wrote to memory of 2740 2756 jjjdj.exe 85 PID 2756 wrote to memory of 2740 2756 jjjdj.exe 85 PID 2756 wrote to memory of 2740 2756 jjjdj.exe 85 PID 2740 wrote to memory of 4108 2740 jpdpj.exe 86 PID 2740 wrote to memory of 4108 2740 jpdpj.exe 86 PID 2740 wrote to memory of 4108 2740 jpdpj.exe 86 PID 4108 wrote to memory of 2656 4108 lfffrrl.exe 87 PID 4108 wrote to memory of 2656 4108 lfffrrl.exe 87 PID 4108 wrote to memory of 2656 4108 lfffrrl.exe 87 PID 2656 wrote to memory of 1416 2656 djpjd.exe 88 PID 2656 wrote to memory of 1416 2656 djpjd.exe 88 PID 2656 wrote to memory of 1416 2656 djpjd.exe 88 PID 1416 wrote to memory of 1420 1416 5ppjv.exe 89 PID 1416 wrote to memory of 1420 1416 5ppjv.exe 89 PID 1416 wrote to memory of 1420 1416 5ppjv.exe 89 PID 1420 wrote to memory of 1644 1420 3rlxrfx.exe 90 PID 1420 wrote to memory of 1644 1420 3rlxrfx.exe 90 PID 1420 wrote to memory of 1644 1420 3rlxrfx.exe 90 PID 1644 wrote to memory of 4816 1644 hhbbtb.exe 91 PID 1644 wrote to memory of 4816 1644 hhbbtb.exe 91 PID 1644 wrote to memory of 4816 1644 hhbbtb.exe 91 PID 4816 wrote to memory of 404 4816 5vdvd.exe 92 PID 4816 wrote to memory of 404 4816 5vdvd.exe 92 PID 4816 wrote to memory of 404 4816 5vdvd.exe 92 PID 404 wrote to memory of 4532 404 fxfffll.exe 93 PID 404 wrote to memory of 4532 404 fxfffll.exe 93 PID 404 wrote to memory of 4532 404 fxfffll.exe 93 PID 4532 wrote to memory of 4636 4532 nnnhbt.exe 94 PID 4532 wrote to memory of 4636 4532 nnnhbt.exe 94 PID 4532 wrote to memory of 4636 4532 nnnhbt.exe 94 PID 4636 wrote to memory of 3240 4636 bnttnn.exe 95 PID 4636 wrote to memory of 3240 4636 bnttnn.exe 95 PID 4636 wrote to memory of 3240 4636 bnttnn.exe 95 PID 3240 wrote to 
memory of 4436 3240 jdvpj.exe 96 PID 3240 wrote to memory of 4436 3240 jdvpj.exe 96 PID 3240 wrote to memory of 4436 3240 jdvpj.exe 96 PID 4436 wrote to memory of 1092 4436 5jpjd.exe 97 PID 4436 wrote to memory of 1092 4436 5jpjd.exe 97 PID 4436 wrote to memory of 1092 4436 5jpjd.exe 97 PID 1092 wrote to memory of 4060 1092 9hnhhh.exe 98 PID 1092 wrote to memory of 4060 1092 9hnhhh.exe 98 PID 1092 wrote to memory of 4060 1092 9hnhhh.exe 98 PID 4060 wrote to memory of 4244 4060 1ttnbh.exe 100 PID 4060 wrote to memory of 4244 4060 1ttnbh.exe 100 PID 4060 wrote to memory of 4244 4060 1ttnbh.exe 100 PID 4244 wrote to memory of 860 4244 pjvpj.exe 101 PID 4244 wrote to memory of 860 4244 pjvpj.exe 101 PID 4244 wrote to memory of 860 4244 pjvpj.exe 101 PID 860 wrote to memory of 2760 860 dpdvj.exe 102 PID 860 wrote to memory of 2760 860 dpdvj.exe 102 PID 860 wrote to memory of 2760 860 dpdvj.exe 102 PID 2760 wrote to memory of 4984 2760 xrrlrxr.exe 103 PID 2760 wrote to memory of 4984 2760 xrrlrxr.exe 103 PID 2760 wrote to memory of 4984 2760 xrrlrxr.exe 103 PID 4984 wrote to memory of 1380 4984 9tbbtn.exe 104 PID 4984 wrote to memory of 1380 4984 9tbbtn.exe 104 PID 4984 wrote to memory of 1380 4984 9tbbtn.exe 104 PID 1380 wrote to memory of 5056 1380 vpjdv.exe 105 PID 1380 wrote to memory of 5056 1380 vpjdv.exe 105 PID 1380 wrote to memory of 5056 1380 vpjdv.exe 105 PID 5056 wrote to memory of 2648 5056 vvdpj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\94e04c8fcd1408de38c83ca37d717d20N.exe"C:\Users\Admin\AppData\Local\Temp\94e04c8fcd1408de38c83ca37d717d20N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\jjjdj.exec:\jjjdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\jpdpj.exec:\jpdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\lfffrrl.exec:\lfffrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\djpjd.exec:\djpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\5ppjv.exec:\5ppjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\3rlxrfx.exec:\3rlxrfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\hhbbtb.exec:\hhbbtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\5vdvd.exec:\5vdvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\fxfffll.exec:\fxfffll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\nnnhbt.exec:\nnnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\bnttnn.exec:\bnttnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\jdvpj.exec:\jdvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\5jpjd.exec:\5jpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\9hnhhh.exec:\9hnhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\1ttnbh.exec:\1ttnbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\pjvpj.exec:\pjvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\dpdvj.exec:\dpdvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\xrrlrxr.exec:\xrrlrxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\9tbbtn.exec:\9tbbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\vpjdv.exec:\vpjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\vvdpj.exec:\vvdpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\llxrlfx.exec:\llxrlfx.exe23⤵
- Executes dropped EXE
PID:2648 -
\??\c:\5ntnnn.exec:\5ntnnn.exe24⤵
- Executes dropped EXE
PID:2628 -
\??\c:\htbttt.exec:\htbttt.exe25⤵
- Executes dropped EXE
PID:1528 -
\??\c:\dpdpp.exec:\dpdpp.exe26⤵
- Executes dropped EXE
PID:4064 -
\??\c:\frlfrll.exec:\frlfrll.exe27⤵
- Executes dropped EXE
PID:3260 -
\??\c:\9xrllff.exec:\9xrllff.exe28⤵
- Executes dropped EXE
PID:1524 -
\??\c:\nhhtnn.exec:\nhhtnn.exe29⤵
- Executes dropped EXE
PID:228 -
\??\c:\9ntnbb.exec:\9ntnbb.exe30⤵
- Executes dropped EXE
PID:2700 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe31⤵
- Executes dropped EXE
PID:1128 -
\??\c:\nhbbbh.exec:\nhbbbh.exe32⤵
- Executes dropped EXE
PID:3520 -
\??\c:\hhtttt.exec:\hhtttt.exe33⤵
- Executes dropped EXE
PID:4752 -
\??\c:\3djdp.exec:\3djdp.exe34⤵
- Executes dropped EXE
PID:3560 -
\??\c:\9rrlfxr.exec:\9rrlfxr.exe35⤵
- Executes dropped EXE
PID:1796 -
\??\c:\7rlxlff.exec:\7rlxlff.exe36⤵
- Executes dropped EXE
PID:4660 -
\??\c:\3ttnbt.exec:\3ttnbt.exe37⤵
- Executes dropped EXE
PID:3352 -
\??\c:\vdpjv.exec:\vdpjv.exe38⤵
- Executes dropped EXE
PID:2332 -
\??\c:\llxxrlf.exec:\llxxrlf.exe39⤵
- Executes dropped EXE
PID:4456 -
\??\c:\1lrlrlr.exec:\1lrlrlr.exe40⤵
- Executes dropped EXE
PID:4840 -
\??\c:\1hbnhb.exec:\1hbnhb.exe41⤵
- Executes dropped EXE
PID:4724 -
\??\c:\pvvjd.exec:\pvvjd.exe42⤵
- Executes dropped EXE
PID:4296 -
\??\c:\rrlllxr.exec:\rrlllxr.exe43⤵
- Executes dropped EXE
PID:2536 -
\??\c:\rffllrr.exec:\rffllrr.exe44⤵
- Executes dropped EXE
PID:5096 -
\??\c:\1tnnbn.exec:\1tnnbn.exe45⤵
- Executes dropped EXE
PID:400 -
\??\c:\hnntnh.exec:\hnntnh.exe46⤵
- Executes dropped EXE
PID:3540 -
\??\c:\pvvpj.exec:\pvvpj.exe47⤵
- Executes dropped EXE
PID:2916 -
\??\c:\1vvpd.exec:\1vvpd.exe48⤵
- Executes dropped EXE
PID:3448 -
\??\c:\fxfxxxf.exec:\fxfxxxf.exe49⤵
- Executes dropped EXE
PID:344 -
\??\c:\1llfxxr.exec:\1llfxxr.exe50⤵
- Executes dropped EXE
PID:3224 -
\??\c:\bbbbtn.exec:\bbbbtn.exe51⤵
- Executes dropped EXE
PID:1352 -
\??\c:\nbnnhn.exec:\nbnnhn.exe52⤵
- Executes dropped EXE
PID:2644 -
\??\c:\ppjjd.exec:\ppjjd.exe53⤵
- Executes dropped EXE
PID:1852 -
\??\c:\frrlffx.exec:\frrlffx.exe54⤵
- Executes dropped EXE
PID:4872 -
\??\c:\7rrlxrl.exec:\7rrlxrl.exe55⤵
- Executes dropped EXE
PID:4940 -
\??\c:\bnbtnt.exec:\bnbtnt.exe56⤵
- Executes dropped EXE
PID:1732 -
\??\c:\hhbbbh.exec:\hhbbbh.exe57⤵
- Executes dropped EXE
PID:4436 -
\??\c:\vvvpj.exec:\vvvpj.exe58⤵
- Executes dropped EXE
PID:4072 -
\??\c:\1dvvj.exec:\1dvvj.exe59⤵
- Executes dropped EXE
PID:4012 -
\??\c:\flxxrrf.exec:\flxxrrf.exe60⤵
- Executes dropped EXE
PID:3068 -
\??\c:\3rxrffx.exec:\3rxrffx.exe61⤵
- Executes dropped EXE
PID:2964 -
\??\c:\nbtnnn.exec:\nbtnnn.exe62⤵
- Executes dropped EXE
PID:4480 -
\??\c:\jvvpd.exec:\jvvpd.exe63⤵
- Executes dropped EXE
PID:860 -
\??\c:\3pvjj.exec:\3pvjj.exe64⤵
- Executes dropped EXE
PID:2760 -
\??\c:\xffxfff.exec:\xffxfff.exe65⤵
- Executes dropped EXE
PID:3976 -
\??\c:\lfxlrxf.exec:\lfxlrxf.exe66⤵PID:1456
-
\??\c:\nhnhnn.exec:\nhnhnn.exe67⤵PID:3060
-
\??\c:\tttnhb.exec:\tttnhb.exe68⤵PID:4748
-
\??\c:\pjpjd.exec:\pjpjd.exe69⤵PID:2448
-
\??\c:\3djdd.exec:\3djdd.exe70⤵PID:1516
-
\??\c:\5ffxllf.exec:\5ffxllf.exe71⤵PID:532
-
\??\c:\1lrlfff.exec:\1lrlfff.exe72⤵PID:3760
-
\??\c:\5hbhhb.exec:\5hbhhb.exe73⤵PID:4064
-
\??\c:\thnbnh.exec:\thnbnh.exe74⤵PID:4716
-
\??\c:\ddjpj.exec:\ddjpj.exe75⤵PID:4880
-
\??\c:\vddvv.exec:\vddvv.exe76⤵PID:1392
-
\??\c:\lrrfffx.exec:\lrrfffx.exe77⤵PID:964
-
\??\c:\fxfxfff.exec:\fxfxfff.exe78⤵PID:2236
-
\??\c:\hnbbtt.exec:\hnbbtt.exe79⤵PID:3044
-
\??\c:\thnhhn.exec:\thnhhn.exe80⤵PID:4772
-
\??\c:\ddpjv.exec:\ddpjv.exe81⤵PID:4728
-
\??\c:\3ppdv.exec:\3ppdv.exe82⤵PID:1744
-
\??\c:\xxxlflx.exec:\xxxlflx.exe83⤵PID:536
-
\??\c:\lfllfll.exec:\lfllfll.exe84⤵PID:3004
-
\??\c:\bnnnhh.exec:\bnnnhh.exe85⤵PID:2172
-
\??\c:\nthbbh.exec:\nthbbh.exe86⤵PID:3576
-
\??\c:\jddvp.exec:\jddvp.exe87⤵PID:1364
-
\??\c:\pjjdp.exec:\pjjdp.exe88⤵PID:4452
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe89⤵PID:1376
-
\??\c:\bntbbh.exec:\bntbbh.exe90⤵PID:3236
-
\??\c:\btbthh.exec:\btbthh.exe91⤵PID:1140
-
\??\c:\jdvpj.exec:\jdvpj.exe92⤵PID:4664
-
\??\c:\3vdvj.exec:\3vdvj.exe93⤵PID:4044
-
\??\c:\fflrfrr.exec:\fflrfrr.exe94⤵
- System Location Discovery: System Language Discovery
PID:1356 -
\??\c:\rfxrllf.exec:\rfxrllf.exe95⤵PID:1580
-
\??\c:\7tttnt.exec:\7tttnt.exe96⤵PID:3308
-
\??\c:\pddvj.exec:\pddvj.exe97⤵PID:1628
-
\??\c:\5lxfllf.exec:\5lxfllf.exe98⤵PID:3988
-
\??\c:\lrxlffx.exec:\lrxlffx.exe99⤵PID:1680
-
\??\c:\hbhnnh.exec:\hbhnnh.exe100⤵PID:1672
-
\??\c:\thhtnt.exec:\thhtnt.exe101⤵PID:1352
-
\??\c:\7jdpj.exec:\7jdpj.exe102⤵PID:2644
-
\??\c:\ppdvd.exec:\ppdvd.exe103⤵PID:116
-
\??\c:\frrlffx.exec:\frrlffx.exe104⤵PID:4636
-
\??\c:\bnnnht.exec:\bnnnht.exe105⤵PID:844
-
\??\c:\hhtnhn.exec:\hhtnhn.exe106⤵PID:4196
-
\??\c:\5ddvj.exec:\5ddvj.exe107⤵PID:2004
-
\??\c:\jpppd.exec:\jpppd.exe108⤵PID:4060
-
\??\c:\7pvvv.exec:\7pvvv.exe109⤵PID:2116
-
\??\c:\rxxrffr.exec:\rxxrffr.exe110⤵PID:4244
-
\??\c:\hhhnhb.exec:\hhhnhb.exe111⤵PID:4736
-
\??\c:\3hthtn.exec:\3hthtn.exe112⤵PID:4760
-
\??\c:\9jpjd.exec:\9jpjd.exe113⤵PID:3020
-
\??\c:\djdvj.exec:\djdvj.exe114⤵PID:4992
-
\??\c:\dvpjj.exec:\dvpjj.exe115⤵PID:2024
-
\??\c:\xffrfff.exec:\xffrfff.exe116⤵PID:3060
-
\??\c:\7xrrllf.exec:\7xrrllf.exe117⤵PID:2248
-
\??\c:\bbhhbt.exec:\bbhhbt.exe118⤵PID:2736
-
\??\c:\nhhbtt.exec:\nhhbtt.exe119⤵PID:4860
-
\??\c:\djppj.exec:\djppj.exe120⤵PID:532
-
\??\c:\1djdv.exec:\1djdv.exe121⤵PID:3760
-
\??\c:\xrxxllr.exec:\xrxxllr.exe122⤵PID:4064