Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
06-09-2024 23:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6e4139af8432476340c8bdeb9fa666d0N.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
120 seconds
General
-
Target
6e4139af8432476340c8bdeb9fa666d0N.exe
-
Size
332KB
-
MD5
6e4139af8432476340c8bdeb9fa666d0
-
SHA1
487630b5ef0ff37ba62964e868ebebf7857c1b21
-
SHA256
8420a5edbff96330ea9e470a2211a039d7a472ad28457c354d1585d91cf0315e
-
SHA512
c31c2180256b739bfbd715a64a64c86ca84e2e5ec1099bc472bdbe0abf59b8e953ab245e7522d1cc3fbdfd7301b8232fbe57d9fc89d7f3ff7c336821697a702a
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhp:F7Tc8JdSjylh2b77BoTMA9gX59sTsuT5
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4820-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3676-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4764-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-1169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-1215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2564 rrrfrlx.exe 1044 dvdpv.exe 4908 dppjv.exe 4652 jvvdv.exe 348 7xxlxlx.exe 1204 hbnbtn.exe 1756 lxlfxxr.exe 4180 bttnhh.exe 2976 djjjd.exe 2248 1flfxlf.exe 1604 nttnhh.exe 1912 3rrllll.exe 2448 nthbtb.exe 1396 jjjdv.exe 4848 vvvdj.exe 3488 nhnbnh.exe 2972 dvvjp.exe 4168 3lrflfl.exe 5000 jddvj.exe 3860 djjvp.exe 2616 ttbnbt.exe 228 3nbnbt.exe 2300 frxllff.exe 636 xfxrxrf.exe 2740 hnbnbn.exe 3676 dppjv.exe 4160 3flfrlx.exe 1844 tbnhnh.exe 1684 xfxfrfr.exe 4044 5ththb.exe 3152 jvpvj.exe 3108 fxrfxrf.exe 4976 1nbntb.exe 4100 3dvpd.exe 4144 lrrflfr.exe 3628 9nhbtb.exe 1576 hbtntt.exe 4060 jdvjd.exe 4312 lrxxrrr.exe 1152 bbtnnn.exe 800 jvvpp.exe 1284 jdpdv.exe 3580 xffrlfx.exe 764 dvvvp.exe 3896 lfxlxrf.exe 1044 bnnbnb.exe 1332 bhbthh.exe 2224 pdjdp.exe 1296 xlxxllf.exe 1488 hbbthb.exe 4256 thhthb.exe 3296 5ffrfxr.exe 4624 nhhhbb.exe 2868 hnnhnh.exe 4384 jvpdv.exe 648 dppdv.exe 872 rxfrlxr.exe 1832 bnhtnh.exe 404 nhhtbt.exe 2444 jpvpd.exe 4020 fffrfxl.exe 1520 bhnhtn.exe 1128 bnnbbt.exe 1396 jdvpj.exe -
resource yara_rule behavioral2/memory/4820-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3152-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2588-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-755-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4820 wrote to memory of 2564 4820 6e4139af8432476340c8bdeb9fa666d0N.exe 83 PID 4820 wrote to memory of 2564 4820 6e4139af8432476340c8bdeb9fa666d0N.exe 83 PID 4820 wrote to memory of 2564 4820 6e4139af8432476340c8bdeb9fa666d0N.exe 83 PID 2564 wrote to memory of 1044 2564 rrrfrlx.exe 84 PID 2564 wrote to memory of 1044 2564 rrrfrlx.exe 84 PID 2564 wrote to memory of 1044 2564 rrrfrlx.exe 84 PID 1044 wrote to memory of 4908 1044 dvdpv.exe 85 PID 1044 wrote to memory of 4908 1044 dvdpv.exe 85 PID 1044 wrote to memory of 4908 1044 dvdpv.exe 85 PID 4908 wrote to memory of 4652 4908 dppjv.exe 87 PID 4908 wrote to memory of 4652 4908 dppjv.exe 87 PID 4908 wrote to memory of 4652 4908 dppjv.exe 87 PID 4652 wrote to memory of 348 4652 jvvdv.exe 88 PID 4652 wrote to memory of 348 4652 jvvdv.exe 88 PID 4652 wrote to memory of 348 4652 jvvdv.exe 88 PID 348 wrote to memory of 1204 348 7xxlxlx.exe 89 PID 348 wrote to memory of 1204 348 7xxlxlx.exe 89 PID 348 wrote to memory of 1204 348 7xxlxlx.exe 89 PID 1204 wrote to memory of 1756 1204 hbnbtn.exe 91 PID 1204 wrote to memory of 1756 1204 hbnbtn.exe 91 PID 1204 wrote to memory of 1756 1204 hbnbtn.exe 91 PID 1756 wrote to memory of 4180 1756 lxlfxxr.exe 92 PID 1756 wrote to memory of 4180 1756 lxlfxxr.exe 92 PID 1756 wrote to memory of 4180 1756 lxlfxxr.exe 92 PID 4180 wrote to memory of 2976 4180 bttnhh.exe 94 PID 4180 wrote to memory of 2976 4180 bttnhh.exe 94 PID 4180 wrote to memory of 2976 4180 bttnhh.exe 94 PID 2976 wrote to memory of 2248 2976 djjjd.exe 95 PID 2976 wrote to memory of 2248 2976 djjjd.exe 95 PID 2976 wrote to memory of 2248 2976 djjjd.exe 95 PID 2248 wrote to memory of 1604 2248 1flfxlf.exe 96 PID 2248 wrote to memory of 1604 2248 1flfxlf.exe 96 PID 2248 wrote to memory of 1604 2248 1flfxlf.exe 96 PID 1604 wrote to memory of 1912 1604 nttnhh.exe 97 PID 1604 wrote to memory of 1912 1604 nttnhh.exe 97 PID 1604 wrote to memory of 1912 1604 nttnhh.exe 97 PID 1912 wrote to 
memory of 2448 1912 3rrllll.exe 98 PID 1912 wrote to memory of 2448 1912 3rrllll.exe 98 PID 1912 wrote to memory of 2448 1912 3rrllll.exe 98 PID 2448 wrote to memory of 1396 2448 nthbtb.exe 99 PID 2448 wrote to memory of 1396 2448 nthbtb.exe 99 PID 2448 wrote to memory of 1396 2448 nthbtb.exe 99 PID 1396 wrote to memory of 4848 1396 jjjdv.exe 100 PID 1396 wrote to memory of 4848 1396 jjjdv.exe 100 PID 1396 wrote to memory of 4848 1396 jjjdv.exe 100 PID 4848 wrote to memory of 3488 4848 vvvdj.exe 101 PID 4848 wrote to memory of 3488 4848 vvvdj.exe 101 PID 4848 wrote to memory of 3488 4848 vvvdj.exe 101 PID 3488 wrote to memory of 2972 3488 nhnbnh.exe 102 PID 3488 wrote to memory of 2972 3488 nhnbnh.exe 102 PID 3488 wrote to memory of 2972 3488 nhnbnh.exe 102 PID 2972 wrote to memory of 4168 2972 dvvjp.exe 103 PID 2972 wrote to memory of 4168 2972 dvvjp.exe 103 PID 2972 wrote to memory of 4168 2972 dvvjp.exe 103 PID 4168 wrote to memory of 5000 4168 3lrflfl.exe 104 PID 4168 wrote to memory of 5000 4168 3lrflfl.exe 104 PID 4168 wrote to memory of 5000 4168 3lrflfl.exe 104 PID 5000 wrote to memory of 3860 5000 jddvj.exe 105 PID 5000 wrote to memory of 3860 5000 jddvj.exe 105 PID 5000 wrote to memory of 3860 5000 jddvj.exe 105 PID 3860 wrote to memory of 2616 3860 djjvp.exe 106 PID 3860 wrote to memory of 2616 3860 djjvp.exe 106 PID 3860 wrote to memory of 2616 3860 djjvp.exe 106 PID 2616 wrote to memory of 228 2616 ttbnbt.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e4139af8432476340c8bdeb9fa666d0N.exe"C:\Users\Admin\AppData\Local\Temp\6e4139af8432476340c8bdeb9fa666d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\dvdpv.exec:\dvdpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\dppjv.exec:\dppjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\jvvdv.exec:\jvvdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\7xxlxlx.exec:\7xxlxlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\hbnbtn.exec:\hbnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\bttnhh.exec:\bttnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\djjjd.exec:\djjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\1flfxlf.exec:\1flfxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\nttnhh.exec:\nttnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\3rrllll.exec:\3rrllll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\nthbtb.exec:\nthbtb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\jjjdv.exec:\jjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\vvvdj.exec:\vvvdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\nhnbnh.exec:\nhnbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\dvvjp.exec:\dvvjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\3lrflfl.exec:\3lrflfl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\jddvj.exec:\jddvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\djjvp.exec:\djjvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\ttbnbt.exec:\ttbnbt.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\3nbnbt.exec:\3nbnbt.exe23⤵
- Executes dropped EXE
PID:228 -
\??\c:\frxllff.exec:\frxllff.exe24⤵
- Executes dropped EXE
PID:2300 -
\??\c:\xfxrxrf.exec:\xfxrxrf.exe25⤵
- Executes dropped EXE
PID:636 -
\??\c:\hnbnbn.exec:\hnbnbn.exe26⤵
- Executes dropped EXE
PID:2740 -
\??\c:\dppjv.exec:\dppjv.exe27⤵
- Executes dropped EXE
PID:3676 -
\??\c:\3flfrlx.exec:\3flfrlx.exe28⤵
- Executes dropped EXE
PID:4160 -
\??\c:\tbnhnh.exec:\tbnhnh.exe29⤵
- Executes dropped EXE
PID:1844 -
\??\c:\xfxfrfr.exec:\xfxfrfr.exe30⤵
- Executes dropped EXE
PID:1684 -
\??\c:\5ththb.exec:\5ththb.exe31⤵
- Executes dropped EXE
PID:4044 -
\??\c:\jvpvj.exec:\jvpvj.exe32⤵
- Executes dropped EXE
PID:3152 -
\??\c:\fxrfxrf.exec:\fxrfxrf.exe33⤵
- Executes dropped EXE
PID:3108 -
\??\c:\1nbntb.exec:\1nbntb.exe34⤵
- Executes dropped EXE
PID:4976 -
\??\c:\3dvpd.exec:\3dvpd.exe35⤵
- Executes dropped EXE
PID:4100 -
\??\c:\lrrflfr.exec:\lrrflfr.exe36⤵
- Executes dropped EXE
PID:4144 -
\??\c:\9nhbtb.exec:\9nhbtb.exe37⤵
- Executes dropped EXE
PID:3628 -
\??\c:\hbtntt.exec:\hbtntt.exe38⤵
- Executes dropped EXE
PID:1576 -
\??\c:\jdvjd.exec:\jdvjd.exe39⤵
- Executes dropped EXE
PID:4060 -
\??\c:\lrxxrrr.exec:\lrxxrrr.exe40⤵
- Executes dropped EXE
PID:4312 -
\??\c:\bbtnnn.exec:\bbtnnn.exe41⤵
- Executes dropped EXE
PID:1152 -
\??\c:\jvvpp.exec:\jvvpp.exe42⤵
- Executes dropped EXE
PID:800 -
\??\c:\jdpdv.exec:\jdpdv.exe43⤵
- Executes dropped EXE
PID:1284 -
\??\c:\xffrlfx.exec:\xffrlfx.exe44⤵
- Executes dropped EXE
PID:3580 -
\??\c:\tnhhbn.exec:\tnhhbn.exe45⤵PID:1904
-
\??\c:\dvvvp.exec:\dvvvp.exe46⤵
- Executes dropped EXE
PID:764 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe47⤵
- Executes dropped EXE
PID:3896 -
\??\c:\bnnbnb.exec:\bnnbnb.exe48⤵
- Executes dropped EXE
PID:1044 -
\??\c:\bhbthh.exec:\bhbthh.exe49⤵
- Executes dropped EXE
PID:1332 -
\??\c:\pdjdp.exec:\pdjdp.exe50⤵
- Executes dropped EXE
PID:2224 -
\??\c:\xlxxllf.exec:\xlxxllf.exe51⤵
- Executes dropped EXE
PID:1296 -
\??\c:\hbbthb.exec:\hbbthb.exe52⤵
- Executes dropped EXE
PID:1488 -
\??\c:\thhthb.exec:\thhthb.exe53⤵
- Executes dropped EXE
PID:4256 -
\??\c:\5ffrfxr.exec:\5ffrfxr.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3296 -
\??\c:\nhhhbb.exec:\nhhhbb.exe55⤵
- Executes dropped EXE
PID:4624 -
\??\c:\hnnhnh.exec:\hnnhnh.exe56⤵
- Executes dropped EXE
PID:2868 -
\??\c:\jvpdv.exec:\jvpdv.exe57⤵
- Executes dropped EXE
PID:4384 -
\??\c:\dppdv.exec:\dppdv.exe58⤵
- Executes dropped EXE
PID:648 -
\??\c:\rxfrlxr.exec:\rxfrlxr.exe59⤵
- Executes dropped EXE
PID:872 -
\??\c:\bnhtnh.exec:\bnhtnh.exe60⤵
- Executes dropped EXE
PID:1832 -
\??\c:\nhhtbt.exec:\nhhtbt.exe61⤵
- Executes dropped EXE
PID:404 -
\??\c:\jpvpd.exec:\jpvpd.exe62⤵
- Executes dropped EXE
PID:2444 -
\??\c:\fffrfxl.exec:\fffrfxl.exe63⤵
- Executes dropped EXE
PID:4020 -
\??\c:\bhnhtn.exec:\bhnhtn.exe64⤵
- Executes dropped EXE
PID:1520 -
\??\c:\bnnbbt.exec:\bnnbbt.exe65⤵
- Executes dropped EXE
PID:1128 -
\??\c:\jdvpj.exec:\jdvpj.exe66⤵
- Executes dropped EXE
PID:1396 -
\??\c:\3lrrlfx.exec:\3lrrlfx.exe67⤵PID:1460
-
\??\c:\bntnbh.exec:\bntnbh.exe68⤵PID:2124
-
\??\c:\tnnhbb.exec:\tnnhbb.exe69⤵PID:116
-
\??\c:\jddjj.exec:\jddjj.exe70⤵PID:4156
-
\??\c:\vjjvp.exec:\vjjvp.exe71⤵PID:3916
-
\??\c:\rllfxlr.exec:\rllfxlr.exe72⤵PID:2876
-
\??\c:\hntnhh.exec:\hntnhh.exe73⤵PID:3772
-
\??\c:\tthbhh.exec:\tthbhh.exe74⤵PID:1532
-
\??\c:\ddppv.exec:\ddppv.exe75⤵PID:880
-
\??\c:\rxxlxlf.exec:\rxxlxlf.exe76⤵PID:3924
-
\??\c:\9rxlxlx.exec:\9rxlxlx.exe77⤵PID:928
-
\??\c:\nbbntn.exec:\nbbntn.exe78⤵PID:716
-
\??\c:\ttbnbn.exec:\ttbnbn.exe79⤵PID:4836
-
\??\c:\pdpjv.exec:\pdpjv.exe80⤵PID:5044
-
\??\c:\djjvp.exec:\djjvp.exe81⤵PID:3224
-
\??\c:\5ffrxrx.exec:\5ffrxrx.exe82⤵PID:4764
-
\??\c:\1lxrlfx.exec:\1lxrlfx.exe83⤵PID:452
-
\??\c:\7hhbtt.exec:\7hhbtt.exe84⤵PID:4544
-
\??\c:\3tthtn.exec:\3tthtn.exe85⤵PID:3412
-
\??\c:\jvjdv.exec:\jvjdv.exe86⤵PID:2716
-
\??\c:\ffxlxrf.exec:\ffxlxrf.exe87⤵PID:3616
-
\??\c:\lrrffxr.exec:\lrrffxr.exe88⤵PID:1724
-
\??\c:\ntnnth.exec:\ntnnth.exe89⤵PID:60
-
\??\c:\dpdpp.exec:\dpdpp.exe90⤵PID:1992
-
\??\c:\pvpdv.exec:\pvpdv.exe91⤵PID:4408
-
\??\c:\xfxflff.exec:\xfxflff.exe92⤵PID:4192
-
\??\c:\htbntt.exec:\htbntt.exe93⤵PID:2404
-
\??\c:\bttnbh.exec:\bttnbh.exe94⤵PID:632
-
\??\c:\ppvpd.exec:\ppvpd.exe95⤵PID:2032
-
\??\c:\rrrffxl.exec:\rrrffxl.exe96⤵PID:2588
-
\??\c:\xlfrflf.exec:\xlfrflf.exe97⤵PID:4368
-
\??\c:\tnbnbn.exec:\tnbnbn.exe98⤵PID:4460
-
\??\c:\ppvdj.exec:\ppvdj.exe99⤵PID:3520
-
\??\c:\lfllrrr.exec:\lfllrrr.exe100⤵PID:8
-
\??\c:\nttbnn.exec:\nttbnn.exe101⤵PID:4288
-
\??\c:\ntbthb.exec:\ntbthb.exe102⤵PID:4292
-
\??\c:\pddvp.exec:\pddvp.exe103⤵PID:4392
-
\??\c:\5rlxlfr.exec:\5rlxlfr.exe104⤵PID:2900
-
\??\c:\7bhbbh.exec:\7bhbbh.exe105⤵PID:1172
-
\??\c:\hhbtht.exec:\hhbtht.exe106⤵PID:3952
-
\??\c:\3dpjj.exec:\3dpjj.exe107⤵PID:212
-
\??\c:\1ppjv.exec:\1ppjv.exe108⤵PID:4696
-
\??\c:\frxffxx.exec:\frxffxx.exe109⤵
- System Location Discovery: System Language Discovery
PID:4516 -
\??\c:\thhnbt.exec:\thhnbt.exe110⤵PID:1516
-
\??\c:\tntnnb.exec:\tntnnb.exe111⤵PID:2012
-
\??\c:\1pjdv.exec:\1pjdv.exe112⤵PID:2036
-
\??\c:\pddvd.exec:\pddvd.exe113⤵PID:2780
-
\??\c:\frxllfr.exec:\frxllfr.exe114⤵PID:3408
-
\??\c:\hhnhbt.exec:\hhnhbt.exe115⤵PID:408
-
\??\c:\3vvpj.exec:\3vvpj.exe116⤵PID:3940
-
\??\c:\jjpdp.exec:\jjpdp.exe117⤵PID:3984
-
\??\c:\3xxlfxx.exec:\3xxlfxx.exe118⤵PID:2248
-
\??\c:\llrllll.exec:\llrllll.exe119⤵PID:3300
-
\??\c:\httnbb.exec:\httnbb.exe120⤵PID:404
-
\??\c:\3pjvj.exec:\3pjvj.exe121⤵PID:2444
-
\??\c:\vppdp.exec:\vppdp.exe122⤵PID:5100