Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
13/09/2024, 11:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f05b0c52180f69ff68b152297abda5f0N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
f05b0c52180f69ff68b152297abda5f0N.exe
-
Size
453KB
-
MD5
f05b0c52180f69ff68b152297abda5f0
-
SHA1
837beda544983a1cdbff250959e41fb277839e19
-
SHA256
675ecc33f649ba80ce46bfb190d068ef42f9ad97f659aabdf0a2cdff090c7e90
-
SHA512
7efbeb20047aed7561f1b6a38e02a8255ce4bcaa4fd555be7fe08a2575bc32efeba4638d9aca08dbeef6c1068cb2594460360cc49c536f30092dbcd63af2d07f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2136-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/408-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3524-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-998-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-1074-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-1136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-1822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3704 fllflfr.exe 5020 3hhbbb.exe 8 vddpv.exe 3452 vdvjv.exe 1744 fxrflxr.exe 4304 nhtbnh.exe 3640 jvjvp.exe 4032 rxrxrlx.exe 4664 hhhhtn.exe 3356 lxxlflf.exe 4748 thbnbn.exe 4856 bntnnb.exe 1388 dppjj.exe 3376 pvjdj.exe 1164 1lfrrff.exe 3476 nbnbbt.exe 1920 xxrlxrl.exe 3484 ntbtth.exe 3236 7fllfxr.exe 768 hhhnhb.exe 3760 pjpjd.exe 4548 tnbtnn.exe 408 pdvjv.exe 976 ttbthb.exe 2388 bhbnnn.exe 1896 lrxlflx.exe 1916 7nnhhh.exe 2832 fllfxxr.exe 2720 nhbnbb.exe 2004 pvvjp.exe 4904 rfffffx.exe 388 htthbt.exe 1436 xxxrllf.exe 3840 3bbnhh.exe 3612 vppjj.exe 3168 ppvpd.exe 4000 lllxlff.exe 2156 thnhhb.exe 4172 vjjdd.exe 3388 fffxrfx.exe 3864 nbhthn.exe 4444 nhhtnh.exe 2952 jvjvv.exe 592 3rxrlfr.exe 4012 nbnttn.exe 3660 hntnht.exe 5020 dvpjd.exe 3988 pddjd.exe 3188 5fxrfxr.exe 3680 pjvpj.exe 1928 1vvdp.exe 1744 rllxflx.exe 3348 htthbn.exe 2676 vdjjv.exe 2120 vjvvj.exe 876 rrrfrxl.exe 2024 3hhbhb.exe 4856 htnbnb.exe 4872 dpvpj.exe 1940 lrfxlll.exe 432 btbhhn.exe 1692 nhhbtt.exe 1424 dddvp.exe 2876 rlrrlll.exe -
resource yara_rule behavioral2/memory/2136-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2388-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2768-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-851-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (the NLS\Language registry key is read). Note that this key is also routinely opened by benign locale-aware code, so on its own this TTP is weak evidence; it is the surrounding chain of dropped executables and WriteProcessMemory activity that makes it meaningful here.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbtnn.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 3704 2136 f05b0c52180f69ff68b152297abda5f0N.exe 85 PID 2136 wrote to memory of 3704 2136 f05b0c52180f69ff68b152297abda5f0N.exe 85 PID 2136 wrote to memory of 3704 2136 f05b0c52180f69ff68b152297abda5f0N.exe 85 PID 3704 wrote to memory of 5020 3704 fllflfr.exe 86 PID 3704 wrote to memory of 5020 3704 fllflfr.exe 86 PID 3704 wrote to memory of 5020 3704 fllflfr.exe 86 PID 5020 wrote to memory of 8 5020 3hhbbb.exe 87 PID 5020 wrote to memory of 8 5020 3hhbbb.exe 87 PID 5020 wrote to memory of 8 5020 3hhbbb.exe 87 PID 8 wrote to memory of 3452 8 vddpv.exe 88 PID 8 wrote to memory of 3452 8 vddpv.exe 88 PID 8 wrote to memory of 3452 8 vddpv.exe 88 PID 3452 wrote to memory of 1744 3452 vdvjv.exe 89 PID 3452 wrote to memory of 1744 3452 vdvjv.exe 89 PID 3452 wrote to memory of 1744 3452 vdvjv.exe 89 PID 1744 wrote to memory of 4304 1744 fxrflxr.exe 90 PID 1744 wrote to memory of 4304 1744 fxrflxr.exe 90 PID 1744 wrote to memory of 4304 1744 fxrflxr.exe 90 PID 4304 wrote to memory of 3640 4304 nhtbnh.exe 91 PID 4304 wrote to memory of 3640 4304 nhtbnh.exe 91 PID 4304 wrote to memory of 3640 4304 nhtbnh.exe 91 PID 3640 wrote to memory of 4032 3640 jvjvp.exe 92 PID 3640 wrote to memory of 4032 3640 jvjvp.exe 92 PID 3640 wrote to memory of 4032 3640 jvjvp.exe 92 PID 4032 wrote to memory of 4664 4032 rxrxrlx.exe 93 PID 4032 wrote to memory of 4664 4032 rxrxrlx.exe 93 PID 4032 wrote to memory of 4664 4032 rxrxrlx.exe 93 PID 4664 wrote to memory of 3356 4664 hhhhtn.exe 94 PID 4664 wrote to memory of 3356 4664 hhhhtn.exe 94 PID 4664 wrote to memory of 3356 4664 hhhhtn.exe 94 PID 3356 wrote to memory of 4748 3356 lxxlflf.exe 95 PID 3356 wrote to memory of 4748 3356 lxxlflf.exe 95 PID 3356 wrote to memory of 4748 3356 lxxlflf.exe 95 PID 4748 wrote to memory of 4856 4748 thbnbn.exe 96 PID 4748 wrote to memory of 4856 4748 thbnbn.exe 96 PID 4748 wrote to memory of 4856 4748 thbnbn.exe 96 PID 4856 wrote to memory of 1388 
4856 bntnnb.exe 97 PID 4856 wrote to memory of 1388 4856 bntnnb.exe 97 PID 4856 wrote to memory of 1388 4856 bntnnb.exe 97 PID 1388 wrote to memory of 3376 1388 dppjj.exe 99 PID 1388 wrote to memory of 3376 1388 dppjj.exe 99 PID 1388 wrote to memory of 3376 1388 dppjj.exe 99 PID 3376 wrote to memory of 1164 3376 pvjdj.exe 100 PID 3376 wrote to memory of 1164 3376 pvjdj.exe 100 PID 3376 wrote to memory of 1164 3376 pvjdj.exe 100 PID 1164 wrote to memory of 3476 1164 1lfrrff.exe 102 PID 1164 wrote to memory of 3476 1164 1lfrrff.exe 102 PID 1164 wrote to memory of 3476 1164 1lfrrff.exe 102 PID 3476 wrote to memory of 1920 3476 nbnbbt.exe 103 PID 3476 wrote to memory of 1920 3476 nbnbbt.exe 103 PID 3476 wrote to memory of 1920 3476 nbnbbt.exe 103 PID 1920 wrote to memory of 3484 1920 xxrlxrl.exe 104 PID 1920 wrote to memory of 3484 1920 xxrlxrl.exe 104 PID 1920 wrote to memory of 3484 1920 xxrlxrl.exe 104 PID 3484 wrote to memory of 3236 3484 ntbtth.exe 106 PID 3484 wrote to memory of 3236 3484 ntbtth.exe 106 PID 3484 wrote to memory of 3236 3484 ntbtth.exe 106 PID 3236 wrote to memory of 768 3236 7fllfxr.exe 107 PID 3236 wrote to memory of 768 3236 7fllfxr.exe 107 PID 3236 wrote to memory of 768 3236 7fllfxr.exe 107 PID 768 wrote to memory of 3760 768 hhhnhb.exe 108 PID 768 wrote to memory of 3760 768 hhhnhb.exe 108 PID 768 wrote to memory of 3760 768 hhhnhb.exe 108 PID 3760 wrote to memory of 4548 3760 pjpjd.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\f05b0c52180f69ff68b152297abda5f0N.exe"C:\Users\Admin\AppData\Local\Temp\f05b0c52180f69ff68b152297abda5f0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\fllflfr.exec:\fllflfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\3hhbbb.exec:\3hhbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\vddpv.exec:\vddpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\vdvjv.exec:\vdvjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\fxrflxr.exec:\fxrflxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\nhtbnh.exec:\nhtbnh.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\jvjvp.exec:\jvjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\rxrxrlx.exec:\rxrxrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\hhhhtn.exec:\hhhhtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\lxxlflf.exec:\lxxlflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\thbnbn.exec:\thbnbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\bntnnb.exec:\bntnnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\dppjj.exec:\dppjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\pvjdj.exec:\pvjdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\1lfrrff.exec:\1lfrrff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\nbnbbt.exec:\nbnbbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\xxrlxrl.exec:\xxrlxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\ntbtth.exec:\ntbtth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\7fllfxr.exec:\7fllfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\hhhnhb.exec:\hhhnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\pjpjd.exec:\pjpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\tnbtnn.exec:\tnbtnn.exe23⤵
- Executes dropped EXE
PID:4548 -
\??\c:\pdvjv.exec:\pdvjv.exe24⤵
- Executes dropped EXE
PID:408 -
\??\c:\ttbthb.exec:\ttbthb.exe25⤵
- Executes dropped EXE
PID:976 -
\??\c:\bhbnnn.exec:\bhbnnn.exe26⤵
- Executes dropped EXE
PID:2388 -
\??\c:\lrxlflx.exec:\lrxlflx.exe27⤵
- Executes dropped EXE
PID:1896 -
\??\c:\7nnhhh.exec:\7nnhhh.exe28⤵
- Executes dropped EXE
PID:1916 -
\??\c:\fllfxxr.exec:\fllfxxr.exe29⤵
- Executes dropped EXE
PID:2832 -
\??\c:\nhbnbb.exec:\nhbnbb.exe30⤵
- Executes dropped EXE
PID:2720 -
\??\c:\pvvjp.exec:\pvvjp.exe31⤵
- Executes dropped EXE
PID:2004 -
\??\c:\rfffffx.exec:\rfffffx.exe32⤵
- Executes dropped EXE
PID:4904 -
\??\c:\htthbt.exec:\htthbt.exe33⤵
- Executes dropped EXE
PID:388 -
\??\c:\xxxrllf.exec:\xxxrllf.exe34⤵
- Executes dropped EXE
PID:1436 -
\??\c:\3bbnhh.exec:\3bbnhh.exe35⤵
- Executes dropped EXE
PID:3840 -
\??\c:\vppjj.exec:\vppjj.exe36⤵
- Executes dropped EXE
PID:3612 -
\??\c:\ppvpd.exec:\ppvpd.exe37⤵
- Executes dropped EXE
PID:3168 -
\??\c:\lllxlff.exec:\lllxlff.exe38⤵
- Executes dropped EXE
PID:4000 -
\??\c:\thnhhb.exec:\thnhhb.exe39⤵
- Executes dropped EXE
PID:2156 -
\??\c:\vjjdd.exec:\vjjdd.exe40⤵
- Executes dropped EXE
PID:4172 -
\??\c:\fffxrfx.exec:\fffxrfx.exe41⤵
- Executes dropped EXE
PID:3388 -
\??\c:\nbhthn.exec:\nbhthn.exe42⤵
- Executes dropped EXE
PID:3864 -
\??\c:\nhhtnh.exec:\nhhtnh.exe43⤵
- Executes dropped EXE
PID:4444 -
\??\c:\jvjvv.exec:\jvjvv.exe44⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3rxrlfr.exec:\3rxrlfr.exe45⤵
- Executes dropped EXE
PID:592 -
\??\c:\nbnttn.exec:\nbnttn.exe46⤵
- Executes dropped EXE
PID:4012 -
\??\c:\hntnht.exec:\hntnht.exe47⤵
- Executes dropped EXE
PID:3660 -
\??\c:\dvpjd.exec:\dvpjd.exe48⤵
- Executes dropped EXE
PID:5020 -
\??\c:\pddjd.exec:\pddjd.exe49⤵
- Executes dropped EXE
PID:3988 -
\??\c:\5fxrfxr.exec:\5fxrfxr.exe50⤵
- Executes dropped EXE
PID:3188 -
\??\c:\pjvpj.exec:\pjvpj.exe51⤵
- Executes dropped EXE
PID:3680 -
\??\c:\1vvdp.exec:\1vvdp.exe52⤵
- Executes dropped EXE
PID:1928 -
\??\c:\rllxflx.exec:\rllxflx.exe53⤵
- Executes dropped EXE
PID:1744 -
\??\c:\htthbn.exec:\htthbn.exe54⤵
- Executes dropped EXE
PID:3348 -
\??\c:\vdjjv.exec:\vdjjv.exe55⤵
- Executes dropped EXE
PID:2676 -
\??\c:\vjvvj.exec:\vjvvj.exe56⤵
- Executes dropped EXE
PID:2120 -
\??\c:\rrrfrxl.exec:\rrrfrxl.exe57⤵
- Executes dropped EXE
PID:876 -
\??\c:\3hhbhb.exec:\3hhbhb.exe58⤵
- Executes dropped EXE
PID:2024 -
\??\c:\htnbnb.exec:\htnbnb.exe59⤵
- Executes dropped EXE
PID:4856 -
\??\c:\dpvpj.exec:\dpvpj.exe60⤵
- Executes dropped EXE
PID:4872 -
\??\c:\lrfxlll.exec:\lrfxlll.exe61⤵
- Executes dropped EXE
PID:1940 -
\??\c:\btbhhn.exec:\btbhhn.exe62⤵
- Executes dropped EXE
PID:432 -
\??\c:\nhhbtt.exec:\nhhbtt.exe63⤵
- Executes dropped EXE
PID:1692 -
\??\c:\dddvp.exec:\dddvp.exe64⤵
- Executes dropped EXE
PID:1424 -
\??\c:\rlrrlll.exec:\rlrrlll.exe65⤵
- Executes dropped EXE
PID:2876 -
\??\c:\bbnbtt.exec:\bbnbtt.exe66⤵PID:5108
-
\??\c:\dvpjj.exec:\dvpjj.exe67⤵PID:3748
-
\??\c:\vjjjj.exec:\vjjjj.exe68⤵PID:4680
-
\??\c:\5xxrlff.exec:\5xxrlff.exe69⤵PID:4968
-
\??\c:\bttttt.exec:\bttttt.exe70⤵PID:4860
-
\??\c:\7bttnn.exec:\7bttnn.exe71⤵PID:4508
-
\??\c:\vpjdj.exec:\vpjdj.exe72⤵PID:1476
-
\??\c:\dddvp.exec:\dddvp.exe73⤵PID:3524
-
\??\c:\rxrrrll.exec:\rxrrrll.exe74⤵PID:456
-
\??\c:\tthbhh.exec:\tthbhh.exe75⤵PID:3808
-
\??\c:\3nnhbb.exec:\3nnhbb.exe76⤵PID:1924
-
\??\c:\vvvvp.exec:\vvvvp.exe77⤵PID:4596
-
\??\c:\bntnnn.exec:\bntnnn.exe78⤵PID:3272
-
\??\c:\thnhnh.exec:\thnhnh.exe79⤵PID:976
-
\??\c:\vpvvd.exec:\vpvvd.exe80⤵PID:2388
-
\??\c:\jdpdv.exec:\jdpdv.exe81⤵PID:820
-
\??\c:\lflffff.exec:\lflffff.exe82⤵PID:2904
-
\??\c:\bhnhnn.exec:\bhnhnn.exe83⤵PID:2312
-
\??\c:\7hnhhh.exec:\7hnhhh.exe84⤵PID:1880
-
\??\c:\7pvpp.exec:\7pvpp.exe85⤵PID:1376
-
\??\c:\1rlrfrx.exec:\1rlrfrx.exe86⤵PID:2768
-
\??\c:\7hnbtn.exec:\7hnbtn.exe87⤵PID:5112
-
\??\c:\btnhbb.exec:\btnhbb.exe88⤵PID:4700
-
\??\c:\jdjjp.exec:\jdjjp.exe89⤵PID:1524
-
\??\c:\3xfxxxr.exec:\3xfxxxr.exe90⤵PID:3612
-
\??\c:\5bbtnn.exec:\5bbtnn.exe91⤵PID:3456
-
\??\c:\dddpd.exec:\dddpd.exe92⤵PID:2140
-
\??\c:\ddpjd.exec:\ddpjd.exe93⤵PID:1944
-
\??\c:\xrxfllr.exec:\xrxfllr.exe94⤵PID:1908
-
\??\c:\5hnnhh.exec:\5hnnhh.exe95⤵PID:2952
-
\??\c:\tnbhbb.exec:\tnbhbb.exe96⤵PID:1456
-
\??\c:\vpvpd.exec:\vpvpd.exe97⤵PID:3800
-
\??\c:\lffxxxr.exec:\lffxxxr.exe98⤵PID:1664
-
\??\c:\tbbthb.exec:\tbbthb.exe99⤵PID:4724
-
\??\c:\hbnnhn.exec:\hbnnhn.exe100⤵PID:5040
-
\??\c:\jdjdd.exec:\jdjdd.exe101⤵PID:3852
-
\??\c:\lrrxrrr.exec:\lrrxrrr.exe102⤵PID:2152
-
\??\c:\btbbbh.exec:\btbbbh.exe103⤵PID:4108
-
\??\c:\jdjdp.exec:\jdjdp.exe104⤵PID:4220
-
\??\c:\vdjjd.exec:\vdjjd.exe105⤵PID:4032
-
\??\c:\xffxrrl.exec:\xffxrrl.exe106⤵PID:720
-
\??\c:\nhthnh.exec:\nhthnh.exe107⤵PID:1208
-
\??\c:\vppjj.exec:\vppjj.exe108⤵PID:1512
-
\??\c:\pppjd.exec:\pppjd.exe109⤵PID:1400
-
\??\c:\xrxlffr.exec:\xrxlffr.exe110⤵PID:1388
-
\??\c:\5nhhhb.exec:\5nhhhb.exe111⤵PID:4872
-
\??\c:\vjppp.exec:\vjppp.exe112⤵PID:1940
-
\??\c:\fffxxfx.exec:\fffxxfx.exe113⤵PID:1600
-
\??\c:\bthhnt.exec:\bthhnt.exe114⤵PID:4168
-
\??\c:\nhbbtb.exec:\nhbbtb.exe115⤵PID:4772
-
\??\c:\dvjdv.exec:\dvjdv.exe116⤵PID:2060
-
\??\c:\5xffxxf.exec:\5xffxxf.exe117⤵PID:1072
-
\??\c:\fxffxxr.exec:\fxffxxr.exe118⤵PID:5092
-
\??\c:\hnttbb.exec:\hnttbb.exe119⤵PID:3620
-
\??\c:\3nhbth.exec:\3nhbth.exe120⤵PID:2328
-
\??\c:\vpvpd.exec:\vpvpd.exe121⤵PID:1536
-
\??\c:\xxxxrxx.exec:\xxxxrxx.exe122⤵PID:4124