Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
05-10-2024 13:26
Static task
static1
Behavioral task
behavioral1
Sample
7d00ffa54690f4174f1ebdb4fac792c4e32b3cfb1ab2ab0ddb01eb7e0d9bd36eN.exe
Resource
win7-20240903-en
General
-
Target
7d00ffa54690f4174f1ebdb4fac792c4e32b3cfb1ab2ab0ddb01eb7e0d9bd36eN.exe
-
Size
333KB
-
MD5
5e91f6bce69652115c4f7547d9437a60
-
SHA1
bedb645e6348ed24ac2bc99cf89a5c84014b7fe9
-
SHA256
7d00ffa54690f4174f1ebdb4fac792c4e32b3cfb1ab2ab0ddb01eb7e0d9bd36e
-
SHA512
2beedb7ebb7d6b6338a8fdae4aa32d28591b9b076045bc6121fdb5436457b4e92a6b58e67574f7457111103d509eacc2b73c2fdac3a988e24694d5b7f5b64c03
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhp:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTZ
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4944-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3252-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2028-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-914-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-1023-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-1345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4944 3bttnb.exe 1564 5dvvp.exe 224 nhhtbb.exe 4804 rfrrrff.exe 3848 djvjj.exe 2868 fxllrrl.exe 4496 hbtnhh.exe 3652 thhhhn.exe 3528 djjdv.exe 948 xxlfrrl.exe 936 hnbbbb.exe 1592 pdjdv.exe 952 dvjdd.exe 1604 lffxffl.exe 4972 hbbhhn.exe 2796 btnnhh.exe 2800 7pjdv.exe 4976 nbbthh.exe 3120 ppvpd.exe 1008 flxrlff.exe 3860 tnnhbb.exe 3456 9nhbbt.exe 3252 bhnhtn.exe 4692 djvpd.exe 1028 rrxrlff.exe 2712 vpvvp.exe 1932 frffrrl.exe 460 bthhbb.exe 4908 httbtb.exe 2616 pvdvj.exe 4840 fflfrrl.exe 2512 rfrrlrr.exe 3696 vvvpj.exe 4648 thnhbb.exe 1528 dpdvp.exe 464 hbnbtn.exe 3440 nbbbtn.exe 2936 vjddv.exe 2904 lfxlfxl.exe 1096 nbnbth.exe 1076 vddpv.exe 2952 lfffxfx.exe 5092 xlrlffx.exe 4424 tbhnhh.exe 1636 7jpjv.exe 4072 lxrffxr.exe 2892 1bnhtt.exe 3980 dpjdv.exe 1632 dddjv.exe 4360 xxxlllr.exe 2816 btthbb.exe 3912 vvdpp.exe 1352 jdvjv.exe 3036 flfrfff.exe 448 bnbttt.exe 1896 tnnhhh.exe 2152 jdpjj.exe 4804 xrrrffx.exe 2780 hhbtbt.exe 2260 7jpjd.exe 3816 1lxlxxr.exe 3608 fxfrfxl.exe 3516 tnbbnn.exe 756 dvvjp.exe -
resource yara_rule behavioral2/memory/4944-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1028-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-397-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2256-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-914-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fflfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxflr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 4944 2524 7d00ffa54690f4174f1ebdb4fac792c4e32b3cfb1ab2ab0ddb01eb7e0d9bd36eN.exe 82 PID 2524 wrote to memory of 4944 2524 7d00ffa54690f4174f1ebdb4fac792c4e32b3cfb1ab2ab0ddb01eb7e0d9bd36eN.exe 82 PID 2524 wrote to memory of 4944 2524 7d00ffa54690f4174f1ebdb4fac792c4e32b3cfb1ab2ab0ddb01eb7e0d9bd36eN.exe 82 PID 4944 wrote to memory of 1564 4944 3bttnb.exe 83 PID 4944 wrote to memory of 1564 4944 3bttnb.exe 83 PID 4944 wrote to memory of 1564 4944 3bttnb.exe 83 PID 1564 wrote to memory of 224 1564 5dvvp.exe 84 PID 1564 wrote to memory of 224 1564 5dvvp.exe 84 PID 1564 wrote to memory of 224 1564 5dvvp.exe 84 PID 224 wrote to memory of 4804 224 nhhtbb.exe 85 PID 224 wrote to memory of 4804 224 nhhtbb.exe 85 PID 224 wrote to memory of 4804 224 nhhtbb.exe 85 PID 4804 wrote to memory of 3848 4804 rfrrrff.exe 86 PID 4804 wrote to memory of 3848 4804 rfrrrff.exe 86 PID 4804 wrote to memory of 3848 4804 rfrrrff.exe 86 PID 3848 wrote to memory of 2868 3848 djvjj.exe 87 PID 3848 wrote to memory of 2868 3848 djvjj.exe 87 PID 3848 wrote to memory of 2868 3848 djvjj.exe 87 PID 2868 wrote to memory of 4496 2868 fxllrrl.exe 88 PID 2868 wrote to memory of 4496 2868 fxllrrl.exe 88 PID 2868 wrote to memory of 4496 2868 fxllrrl.exe 88 PID 4496 wrote to memory of 3652 4496 hbtnhh.exe 89 PID 4496 wrote to memory of 3652 4496 hbtnhh.exe 89 PID 4496 wrote to memory of 3652 4496 hbtnhh.exe 89 PID 3652 wrote to memory of 3528 3652 thhhhn.exe 90 PID 3652 wrote to memory of 3528 3652 thhhhn.exe 90 PID 3652 wrote to memory of 3528 3652 thhhhn.exe 90 PID 3528 wrote to memory of 948 3528 djjdv.exe 91 PID 3528 wrote to memory of 948 3528 djjdv.exe 91 PID 3528 wrote to memory of 948 3528 djjdv.exe 91 PID 948 wrote to memory of 936 948 xxlfrrl.exe 92 PID 948 wrote to memory of 936 948 xxlfrrl.exe 92 PID 948 wrote to memory of 936 948 xxlfrrl.exe 92 PID 936 wrote to memory of 1592 936 hnbbbb.exe 93 PID 936 wrote to memory of 1592 936 
hnbbbb.exe 93 PID 936 wrote to memory of 1592 936 hnbbbb.exe 93 PID 1592 wrote to memory of 952 1592 pdjdv.exe 94 PID 1592 wrote to memory of 952 1592 pdjdv.exe 94 PID 1592 wrote to memory of 952 1592 pdjdv.exe 94 PID 952 wrote to memory of 1604 952 dvjdd.exe 95 PID 952 wrote to memory of 1604 952 dvjdd.exe 95 PID 952 wrote to memory of 1604 952 dvjdd.exe 95 PID 1604 wrote to memory of 4972 1604 lffxffl.exe 96 PID 1604 wrote to memory of 4972 1604 lffxffl.exe 96 PID 1604 wrote to memory of 4972 1604 lffxffl.exe 96 PID 4972 wrote to memory of 2796 4972 hbbhhn.exe 97 PID 4972 wrote to memory of 2796 4972 hbbhhn.exe 97 PID 4972 wrote to memory of 2796 4972 hbbhhn.exe 97 PID 2796 wrote to memory of 2800 2796 btnnhh.exe 98 PID 2796 wrote to memory of 2800 2796 btnnhh.exe 98 PID 2796 wrote to memory of 2800 2796 btnnhh.exe 98 PID 2800 wrote to memory of 4976 2800 7pjdv.exe 99 PID 2800 wrote to memory of 4976 2800 7pjdv.exe 99 PID 2800 wrote to memory of 4976 2800 7pjdv.exe 99 PID 4976 wrote to memory of 3120 4976 nbbthh.exe 100 PID 4976 wrote to memory of 3120 4976 nbbthh.exe 100 PID 4976 wrote to memory of 3120 4976 nbbthh.exe 100 PID 3120 wrote to memory of 1008 3120 ppvpd.exe 101 PID 3120 wrote to memory of 1008 3120 ppvpd.exe 101 PID 3120 wrote to memory of 1008 3120 ppvpd.exe 101 PID 1008 wrote to memory of 3860 1008 flxrlff.exe 102 PID 1008 wrote to memory of 3860 1008 flxrlff.exe 102 PID 1008 wrote to memory of 3860 1008 flxrlff.exe 102 PID 3860 wrote to memory of 3456 3860 tnnhbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d00ffa54690f4174f1ebdb4fac792c4e32b3cfb1ab2ab0ddb01eb7e0d9bd36eN.exe"C:\Users\Admin\AppData\Local\Temp\7d00ffa54690f4174f1ebdb4fac792c4e32b3cfb1ab2ab0ddb01eb7e0d9bd36eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\3bttnb.exec:\3bttnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\5dvvp.exec:\5dvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\nhhtbb.exec:\nhhtbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\rfrrrff.exec:\rfrrrff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\djvjj.exec:\djvjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\fxllrrl.exec:\fxllrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\hbtnhh.exec:\hbtnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\thhhhn.exec:\thhhhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\djjdv.exec:\djjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\xxlfrrl.exec:\xxlfrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\hnbbbb.exec:\hnbbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\pdjdv.exec:\pdjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\dvjdd.exec:\dvjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\lffxffl.exec:\lffxffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\hbbhhn.exec:\hbbhhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\btnnhh.exec:\btnnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\7pjdv.exec:\7pjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\nbbthh.exec:\nbbthh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\ppvpd.exec:\ppvpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\flxrlff.exec:\flxrlff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\tnnhbb.exec:\tnnhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\9nhbbt.exec:\9nhbbt.exe23⤵
- Executes dropped EXE
PID:3456 -
\??\c:\bhnhtn.exec:\bhnhtn.exe24⤵
- Executes dropped EXE
PID:3252 -
\??\c:\djvpd.exec:\djvpd.exe25⤵
- Executes dropped EXE
PID:4692 -
\??\c:\rrxrlff.exec:\rrxrlff.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1028 -
\??\c:\vpvvp.exec:\vpvvp.exe27⤵
- Executes dropped EXE
PID:2712 -
\??\c:\frffrrl.exec:\frffrrl.exe28⤵
- Executes dropped EXE
PID:1932 -
\??\c:\bthhbb.exec:\bthhbb.exe29⤵
- Executes dropped EXE
PID:460 -
\??\c:\httbtb.exec:\httbtb.exe30⤵
- Executes dropped EXE
PID:4908 -
\??\c:\pvdvj.exec:\pvdvj.exe31⤵
- Executes dropped EXE
PID:2616 -
\??\c:\fflfrrl.exec:\fflfrrl.exe32⤵
- Executes dropped EXE
PID:4840 -
\??\c:\rfrrlrr.exec:\rfrrlrr.exe33⤵
- Executes dropped EXE
PID:2512 -
\??\c:\vvvpj.exec:\vvvpj.exe34⤵
- Executes dropped EXE
PID:3696 -
\??\c:\thnhbb.exec:\thnhbb.exe35⤵
- Executes dropped EXE
PID:4648 -
\??\c:\dpdvp.exec:\dpdvp.exe36⤵
- Executes dropped EXE
PID:1528 -
\??\c:\hbnbtn.exec:\hbnbtn.exe37⤵
- Executes dropped EXE
PID:464 -
\??\c:\nbbbtn.exec:\nbbbtn.exe38⤵
- Executes dropped EXE
PID:3440 -
\??\c:\vjddv.exec:\vjddv.exe39⤵
- Executes dropped EXE
PID:2936 -
\??\c:\lfxlfxl.exec:\lfxlfxl.exe40⤵
- Executes dropped EXE
PID:2904 -
\??\c:\nbnbth.exec:\nbnbth.exe41⤵
- Executes dropped EXE
PID:1096 -
\??\c:\vddpv.exec:\vddpv.exe42⤵
- Executes dropped EXE
PID:1076 -
\??\c:\lfffxfx.exec:\lfffxfx.exe43⤵
- Executes dropped EXE
PID:2952 -
\??\c:\xlrlffx.exec:\xlrlffx.exe44⤵
- Executes dropped EXE
PID:5092 -
\??\c:\tbhnhh.exec:\tbhnhh.exe45⤵
- Executes dropped EXE
PID:4424 -
\??\c:\7jpjv.exec:\7jpjv.exe46⤵
- Executes dropped EXE
PID:1636 -
\??\c:\lxrffxr.exec:\lxrffxr.exe47⤵
- Executes dropped EXE
PID:4072 -
\??\c:\1bnhtt.exec:\1bnhtt.exe48⤵
- Executes dropped EXE
PID:2892 -
\??\c:\dpjdv.exec:\dpjdv.exe49⤵
- Executes dropped EXE
PID:3980 -
\??\c:\dddjv.exec:\dddjv.exe50⤵
- Executes dropped EXE
PID:1632 -
\??\c:\xxxlllr.exec:\xxxlllr.exe51⤵
- Executes dropped EXE
PID:4360 -
\??\c:\btthbb.exec:\btthbb.exe52⤵
- Executes dropped EXE
PID:2816 -
\??\c:\vvdpp.exec:\vvdpp.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3912 -
\??\c:\jdvjv.exec:\jdvjv.exe54⤵
- Executes dropped EXE
PID:1352 -
\??\c:\flfrfff.exec:\flfrfff.exe55⤵
- Executes dropped EXE
PID:3036 -
\??\c:\bnbttt.exec:\bnbttt.exe56⤵
- Executes dropped EXE
PID:448 -
\??\c:\tnnhhh.exec:\tnnhhh.exe57⤵
- Executes dropped EXE
PID:1896 -
\??\c:\jdpjj.exec:\jdpjj.exe58⤵
- Executes dropped EXE
PID:2152 -
\??\c:\xrrrffx.exec:\xrrrffx.exe59⤵
- Executes dropped EXE
PID:4804 -
\??\c:\hhbtbt.exec:\hhbtbt.exe60⤵
- Executes dropped EXE
PID:2780 -
\??\c:\7jpjd.exec:\7jpjd.exe61⤵
- Executes dropped EXE
PID:2260 -
\??\c:\1lxlxxr.exec:\1lxlxxr.exe62⤵
- Executes dropped EXE
PID:3816 -
\??\c:\fxfrfxl.exec:\fxfrfxl.exe63⤵
- Executes dropped EXE
PID:3608 -
\??\c:\tnbbnn.exec:\tnbbnn.exe64⤵
- Executes dropped EXE
PID:3516 -
\??\c:\dvvjp.exec:\dvvjp.exe65⤵
- Executes dropped EXE
PID:756 -
\??\c:\fxfxlfx.exec:\fxfxlfx.exe66⤵PID:3464
-
\??\c:\ttthtn.exec:\ttthtn.exe67⤵PID:880
-
\??\c:\pjvdv.exec:\pjvdv.exe68⤵PID:3776
-
\??\c:\jdvpd.exec:\jdvpd.exe69⤵PID:4548
-
\??\c:\lffrffx.exec:\lffrffx.exe70⤵PID:2388
-
\??\c:\7bbtnn.exec:\7bbtnn.exe71⤵PID:1592
-
\??\c:\jdjdd.exec:\jdjdd.exe72⤵PID:952
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe73⤵PID:2084
-
\??\c:\3xrxrrl.exec:\3xrxrrl.exe74⤵PID:4980
-
\??\c:\bntnhh.exec:\bntnhh.exe75⤵PID:2028
-
\??\c:\dpdvp.exec:\dpdvp.exe76⤵PID:2796
-
\??\c:\jjjdv.exec:\jjjdv.exe77⤵PID:4876
-
\??\c:\1xrlfxx.exec:\1xrlfxx.exe78⤵PID:2800
-
\??\c:\bbbttt.exec:\bbbttt.exe79⤵PID:4772
-
\??\c:\thhbbb.exec:\thhbbb.exe80⤵PID:4196
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe81⤵PID:5036
-
\??\c:\xllfxxr.exec:\xllfxxr.exe82⤵PID:1644
-
\??\c:\5hnnnn.exec:\5hnnnn.exe83⤵PID:992
-
\??\c:\httttn.exec:\httttn.exe84⤵PID:3668
-
\??\c:\jddvj.exec:\jddvj.exe85⤵PID:4540
-
\??\c:\llfxrff.exec:\llfxrff.exe86⤵PID:2840
-
\??\c:\llxxffr.exec:\llxxffr.exe87⤵PID:4580
-
\??\c:\ntnbtt.exec:\ntnbtt.exe88⤵PID:2008
-
\??\c:\vdjpd.exec:\vdjpd.exe89⤵PID:740
-
\??\c:\ddvpj.exec:\ddvpj.exe90⤵PID:3804
-
\??\c:\xfrrllf.exec:\xfrrllf.exe91⤵PID:620
-
\??\c:\bnbtbb.exec:\bnbtbb.exe92⤵PID:4312
-
\??\c:\dpdpd.exec:\dpdpd.exe93⤵PID:3956
-
\??\c:\vvvpj.exec:\vvvpj.exe94⤵PID:2820
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe95⤵PID:3368
-
\??\c:\lrrrfff.exec:\lrrrfff.exe96⤵PID:3192
-
\??\c:\nhhbtt.exec:\nhhbtt.exe97⤵PID:4840
-
\??\c:\dddvd.exec:\dddvd.exe98⤵PID:1316
-
\??\c:\rllfxxr.exec:\rllfxxr.exe99⤵PID:3336
-
\??\c:\lfllllf.exec:\lfllllf.exe100⤵PID:2516
-
\??\c:\tbbbtt.exec:\tbbbtt.exe101⤵PID:2256
-
\??\c:\nhbnbb.exec:\nhbnbb.exe102⤵PID:864
-
\??\c:\jpvpj.exec:\jpvpj.exe103⤵PID:2432
-
\??\c:\lrffxlf.exec:\lrffxlf.exe104⤵PID:3112
-
\??\c:\7lfxxrl.exec:\7lfxxrl.exe105⤵PID:3616
-
\??\c:\bnnnhb.exec:\bnnnhb.exe106⤵PID:4440
-
\??\c:\nbbnhb.exec:\nbbnhb.exe107⤵PID:408
-
\??\c:\vppjd.exec:\vppjd.exe108⤵PID:400
-
\??\c:\llxfrfx.exec:\llxfrfx.exe109⤵PID:4844
-
\??\c:\btttnh.exec:\btttnh.exe110⤵PID:4516
-
\??\c:\vpvpj.exec:\vpvpj.exe111⤵PID:2056
-
\??\c:\djpjd.exec:\djpjd.exe112⤵PID:1636
-
\??\c:\xrllfff.exec:\xrllfff.exe113⤵PID:4072
-
\??\c:\fxxxrrl.exec:\fxxxrrl.exe114⤵PID:2464
-
\??\c:\nthbbb.exec:\nthbbb.exe115⤵PID:4372
-
\??\c:\ddjpj.exec:\ddjpj.exe116⤵PID:1632
-
\??\c:\vpjdj.exec:\vpjdj.exe117⤵PID:4224
-
\??\c:\frfxllf.exec:\frfxllf.exe118⤵PID:3756
-
\??\c:\hhnnhh.exec:\hhnnhh.exe119⤵PID:4368
-
\??\c:\dvdvp.exec:\dvdvp.exe120⤵PID:4568
-
\??\c:\fllfxxr.exec:\fllfxxr.exe121⤵PID:116
-
\??\c:\nhnhhh.exec:\nhnhhh.exe122⤵PID:4740