Analysis
-
max time kernel
116s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02/11/2024, 22:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe
-
Size
454KB
-
MD5
6c9da21d88244cb781408df9098bb230
-
SHA1
d531aacd9800e304df526c8e8dcad56f18acc9a1
-
SHA256
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3
-
SHA512
167c74891a181137f60fd1ddc9e459fa9618baf7fb01f4cda50a5c727daf9c18325cdb1a6d1c64c42c88485ac1b74dffebde40653b203ab95f6e2ec1685655bf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRa:q7Tc2NYHUrAwfMp3CDRa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3616-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1592-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4400-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-993-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-1244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-1821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4968 ddvpp.exe 444 llxrflr.exe 4420 3xfxlrl.exe 1856 lflrrrl.exe 3268 nnthnt.exe 4572 dpjpv.exe 1532 tbtbbb.exe 2440 rxfflrx.exe 3536 5nnbnn.exe 380 jpdjp.exe 2068 bnthhh.exe 4992 dvddv.exe 2660 tntbbh.exe 2448 9dddd.exe 3744 hbtnbb.exe 816 xllrlrr.exe 552 ttttbh.exe 4100 vdvdd.exe 1504 hhntbn.exe 1564 pdvvd.exe 3928 lxflrfr.exe 1592 hbhhnt.exe 4348 lflllrr.exe 1432 xrrxrlx.exe 1132 tthhhn.exe 64 xrxffrf.exe 3712 bbhnnt.exe 4340 ddjpv.exe 1984 1frfffl.exe 4456 pdjjd.exe 2148 bbhnnb.exe 4360 xlxlflf.exe 2228 dppvv.exe 4976 llrfxff.exe 4988 thhbnb.exe 2680 rlxxxfx.exe 1848 nnbhhh.exe 2840 dpjdd.exe 1772 fxxlrrl.exe 3464 tbbhbh.exe 2380 jvpjd.exe 3268 lxxfxlr.exe 844 httbbh.exe 4560 jvdjd.exe 3196 vjvdj.exe 1972 xfflflf.exe 2728 pjjpv.exe 2504 vdvjv.exe 2908 rxfrllr.exe 3204 bntnht.exe 4488 dpvdd.exe 1708 lxrlfrl.exe 4760 5tbhhb.exe 1312 dpddj.exe 4580 ffxrflr.exe 4920 bntbbb.exe 2964 pvdjv.exe 700 ntttnh.exe 4864 hbbhbh.exe 816 vjvdv.exe 2212 7tnntn.exe 2244 jddvv.exe 1248 nttttn.exe 1504 jjdjd.exe -
resource yara_rule behavioral2/memory/3616-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1132-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-384-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3664-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-752-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpvd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3616 wrote to memory of 4968 3616 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 84 PID 3616 wrote to memory of 4968 3616 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 84 PID 3616 wrote to memory of 4968 3616 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 84 PID 4968 wrote to memory of 444 4968 ddvpp.exe 85 PID 4968 wrote to memory of 444 4968 ddvpp.exe 85 PID 4968 wrote to memory of 444 4968 ddvpp.exe 85 PID 444 wrote to memory of 4420 444 llxrflr.exe 86 PID 444 wrote to memory of 4420 444 llxrflr.exe 86 PID 444 wrote to memory of 4420 444 llxrflr.exe 86 PID 4420 wrote to memory of 1856 4420 3xfxlrl.exe 87 PID 4420 wrote to memory of 1856 4420 3xfxlrl.exe 87 PID 4420 wrote to memory of 1856 4420 3xfxlrl.exe 87 PID 1856 wrote to memory of 3268 1856 lflrrrl.exe 88 PID 1856 wrote to memory of 3268 1856 lflrrrl.exe 88 PID 1856 wrote to memory of 3268 1856 lflrrrl.exe 88 PID 3268 wrote to memory of 4572 3268 nnthnt.exe 89 PID 3268 wrote to memory of 4572 3268 nnthnt.exe 89 PID 3268 wrote to memory of 4572 3268 nnthnt.exe 89 PID 4572 wrote to memory of 1532 4572 dpjpv.exe 90 PID 4572 wrote to memory of 1532 4572 dpjpv.exe 90 PID 4572 wrote to memory of 1532 4572 dpjpv.exe 90 PID 1532 wrote to memory of 2440 1532 tbtbbb.exe 92 PID 1532 wrote to memory of 2440 1532 tbtbbb.exe 92 PID 1532 wrote to memory of 2440 1532 tbtbbb.exe 92 PID 2440 wrote to memory of 3536 2440 rxfflrx.exe 93 PID 2440 wrote to memory of 3536 2440 rxfflrx.exe 93 PID 2440 wrote to memory of 3536 2440 rxfflrx.exe 93 PID 3536 wrote to memory of 380 3536 5nnbnn.exe 94 PID 3536 wrote to memory of 380 3536 5nnbnn.exe 94 PID 3536 wrote to memory of 380 3536 5nnbnn.exe 94 PID 380 wrote to memory of 2068 380 jpdjp.exe 95 PID 380 wrote to memory of 2068 380 jpdjp.exe 95 PID 380 wrote to memory of 2068 380 jpdjp.exe 95 PID 2068 wrote to memory of 4992 2068 bnthhh.exe 96 PID 2068 wrote to memory of 
4992 2068 bnthhh.exe 96 PID 2068 wrote to memory of 4992 2068 bnthhh.exe 96 PID 4992 wrote to memory of 2660 4992 dvddv.exe 98 PID 4992 wrote to memory of 2660 4992 dvddv.exe 98 PID 4992 wrote to memory of 2660 4992 dvddv.exe 98 PID 2660 wrote to memory of 2448 2660 tntbbh.exe 99 PID 2660 wrote to memory of 2448 2660 tntbbh.exe 99 PID 2660 wrote to memory of 2448 2660 tntbbh.exe 99 PID 2448 wrote to memory of 3744 2448 9dddd.exe 100 PID 2448 wrote to memory of 3744 2448 9dddd.exe 100 PID 2448 wrote to memory of 3744 2448 9dddd.exe 100 PID 3744 wrote to memory of 816 3744 hbtnbb.exe 101 PID 3744 wrote to memory of 816 3744 hbtnbb.exe 101 PID 3744 wrote to memory of 816 3744 hbtnbb.exe 101 PID 816 wrote to memory of 552 816 xllrlrr.exe 102 PID 816 wrote to memory of 552 816 xllrlrr.exe 102 PID 816 wrote to memory of 552 816 xllrlrr.exe 102 PID 552 wrote to memory of 4100 552 ttttbh.exe 104 PID 552 wrote to memory of 4100 552 ttttbh.exe 104 PID 552 wrote to memory of 4100 552 ttttbh.exe 104 PID 4100 wrote to memory of 1504 4100 vdvdd.exe 105 PID 4100 wrote to memory of 1504 4100 vdvdd.exe 105 PID 4100 wrote to memory of 1504 4100 vdvdd.exe 105 PID 1504 wrote to memory of 1564 1504 hhntbn.exe 106 PID 1504 wrote to memory of 1564 1504 hhntbn.exe 106 PID 1504 wrote to memory of 1564 1504 hhntbn.exe 106 PID 1564 wrote to memory of 3928 1564 pdvvd.exe 107 PID 1564 wrote to memory of 3928 1564 pdvvd.exe 107 PID 1564 wrote to memory of 3928 1564 pdvvd.exe 107 PID 3928 wrote to memory of 1592 3928 lxflrfr.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe"C:\Users\Admin\AppData\Local\Temp\4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\ddvpp.exec:\ddvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\llxrflr.exec:\llxrflr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\3xfxlrl.exec:\3xfxlrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\lflrrrl.exec:\lflrrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\nnthnt.exec:\nnthnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\dpjpv.exec:\dpjpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\tbtbbb.exec:\tbtbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\rxfflrx.exec:\rxfflrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\5nnbnn.exec:\5nnbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\jpdjp.exec:\jpdjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\bnthhh.exec:\bnthhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\dvddv.exec:\dvddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\tntbbh.exec:\tntbbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\9dddd.exec:\9dddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\hbtnbb.exec:\hbtnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\xllrlrr.exec:\xllrlrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\ttttbh.exec:\ttttbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\vdvdd.exec:\vdvdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\hhntbn.exec:\hhntbn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\pdvvd.exec:\pdvvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\lxflrfr.exec:\lxflrfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\hbhhnt.exec:\hbhhnt.exe23⤵
- Executes dropped EXE
PID:1592 -
\??\c:\lflllrr.exec:\lflllrr.exe24⤵
- Executes dropped EXE
PID:4348 -
\??\c:\xrrxrlx.exec:\xrrxrlx.exe25⤵
- Executes dropped EXE
PID:1432 -
\??\c:\tthhhn.exec:\tthhhn.exe26⤵
- Executes dropped EXE
PID:1132 -
\??\c:\xrxffrf.exec:\xrxffrf.exe27⤵
- Executes dropped EXE
PID:64 -
\??\c:\bbhnnt.exec:\bbhnnt.exe28⤵
- Executes dropped EXE
PID:3712 -
\??\c:\ddjpv.exec:\ddjpv.exe29⤵
- Executes dropped EXE
PID:4340 -
\??\c:\1frfffl.exec:\1frfffl.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\pdjjd.exec:\pdjjd.exe31⤵
- Executes dropped EXE
PID:4456 -
\??\c:\bbhnnb.exec:\bbhnnb.exe32⤵
- Executes dropped EXE
PID:2148 -
\??\c:\xlxlflf.exec:\xlxlflf.exe33⤵
- Executes dropped EXE
PID:4360 -
\??\c:\dppvv.exec:\dppvv.exe34⤵
- Executes dropped EXE
PID:2228 -
\??\c:\llrfxff.exec:\llrfxff.exe35⤵
- Executes dropped EXE
PID:4976 -
\??\c:\thhbnb.exec:\thhbnb.exe36⤵
- Executes dropped EXE
PID:4988 -
\??\c:\rlxxxfx.exec:\rlxxxfx.exe37⤵
- Executes dropped EXE
PID:2680 -
\??\c:\nnbhhh.exec:\nnbhhh.exe38⤵
- Executes dropped EXE
PID:1848 -
\??\c:\dpjdd.exec:\dpjdd.exe39⤵
- Executes dropped EXE
PID:2840 -
\??\c:\fxxlrrl.exec:\fxxlrrl.exe40⤵
- Executes dropped EXE
PID:1772 -
\??\c:\tbbhbh.exec:\tbbhbh.exe41⤵
- Executes dropped EXE
PID:3464 -
\??\c:\jvpjd.exec:\jvpjd.exe42⤵
- Executes dropped EXE
PID:2380 -
\??\c:\lxxfxlr.exec:\lxxfxlr.exe43⤵
- Executes dropped EXE
PID:3268 -
\??\c:\httbbh.exec:\httbbh.exe44⤵
- Executes dropped EXE
PID:844 -
\??\c:\jvdjd.exec:\jvdjd.exe45⤵
- Executes dropped EXE
PID:4560 -
\??\c:\vjvdj.exec:\vjvdj.exe46⤵
- Executes dropped EXE
PID:3196 -
\??\c:\xfflflf.exec:\xfflflf.exe47⤵
- Executes dropped EXE
PID:1972 -
\??\c:\pjjpv.exec:\pjjpv.exe48⤵
- Executes dropped EXE
PID:2728 -
\??\c:\vdvjv.exec:\vdvjv.exe49⤵
- Executes dropped EXE
PID:2504 -
\??\c:\rxfrllr.exec:\rxfrllr.exe50⤵
- Executes dropped EXE
PID:2908 -
\??\c:\bntnht.exec:\bntnht.exe51⤵
- Executes dropped EXE
PID:3204 -
\??\c:\dpvdd.exec:\dpvdd.exe52⤵
- Executes dropped EXE
PID:4488 -
\??\c:\lxrlfrl.exec:\lxrlfrl.exe53⤵
- Executes dropped EXE
PID:1708 -
\??\c:\5tbhhb.exec:\5tbhhb.exe54⤵
- Executes dropped EXE
PID:4760 -
\??\c:\dpddj.exec:\dpddj.exe55⤵
- Executes dropped EXE
PID:1312 -
\??\c:\ffxrflr.exec:\ffxrflr.exe56⤵
- Executes dropped EXE
PID:4580 -
\??\c:\bntbbb.exec:\bntbbb.exe57⤵
- Executes dropped EXE
PID:4920 -
\??\c:\pvdjv.exec:\pvdjv.exe58⤵
- Executes dropped EXE
PID:2964 -
\??\c:\ntttnh.exec:\ntttnh.exe59⤵
- Executes dropped EXE
PID:700 -
\??\c:\hbbhbh.exec:\hbbhbh.exe60⤵
- Executes dropped EXE
PID:4864 -
\??\c:\vjvdv.exec:\vjvdv.exe61⤵
- Executes dropped EXE
PID:816 -
\??\c:\7tnntn.exec:\7tnntn.exe62⤵
- Executes dropped EXE
PID:2212 -
\??\c:\jddvv.exec:\jddvv.exe63⤵
- Executes dropped EXE
PID:2244 -
\??\c:\nttttn.exec:\nttttn.exe64⤵
- Executes dropped EXE
PID:1248 -
\??\c:\jjdjd.exec:\jjdjd.exe65⤵
- Executes dropped EXE
PID:1504 -
\??\c:\tthntb.exec:\tthntb.exe66⤵PID:4220
-
\??\c:\djvpj.exec:\djvpj.exe67⤵
- System Location Discovery: System Language Discovery
PID:1992 -
\??\c:\llfllxl.exec:\llfllxl.exe68⤵PID:3576
-
\??\c:\ttbtbh.exec:\ttbtbh.exe69⤵PID:4212
-
\??\c:\pvpjv.exec:\pvpjv.exe70⤵PID:4500
-
\??\c:\xrxrrxx.exec:\xrxrrxx.exe71⤵PID:4848
-
\??\c:\nhnttb.exec:\nhnttb.exe72⤵PID:944
-
\??\c:\rllrrfx.exec:\rllrrfx.exe73⤵PID:2496
-
\??\c:\hnthhb.exec:\hnthhb.exe74⤵PID:4640
-
\??\c:\pvdjp.exec:\pvdjp.exe75⤵PID:3152
-
\??\c:\jdjdd.exec:\jdjdd.exe76⤵PID:1692
-
\??\c:\llfrxlx.exec:\llfrxlx.exe77⤵PID:688
-
\??\c:\9nttbh.exec:\9nttbh.exe78⤵PID:3104
-
\??\c:\7jjpv.exec:\7jjpv.exe79⤵PID:4340
-
\??\c:\xrllrrr.exec:\xrllrrr.exe80⤵PID:2020
-
\??\c:\7nnbbn.exec:\7nnbbn.exe81⤵PID:3408
-
\??\c:\vppjd.exec:\vppjd.exe82⤵PID:540
-
\??\c:\fxxxrrl.exec:\fxxxrrl.exe83⤵
- System Location Discovery: System Language Discovery
PID:2996 -
\??\c:\nnbtbh.exec:\nnbtbh.exe84⤵
- System Location Discovery: System Language Discovery
PID:4400 -
\??\c:\ntbnbh.exec:\ntbnbh.exe85⤵PID:4388
-
\??\c:\xxrrrxf.exec:\xxrrrxf.exe86⤵PID:2680
-
\??\c:\hbbbtb.exec:\hbbbtb.exe87⤵PID:1848
-
\??\c:\dvvdd.exec:\dvvdd.exe88⤵PID:3108
-
\??\c:\fflllll.exec:\fflllll.exe89⤵PID:1632
-
\??\c:\thhhnh.exec:\thhhnh.exe90⤵PID:2944
-
\??\c:\9vdvv.exec:\9vdvv.exe91⤵PID:2452
-
\??\c:\rrlflxf.exec:\rrlflxf.exe92⤵PID:4316
-
\??\c:\nnbhtt.exec:\nnbhtt.exe93⤵PID:3716
-
\??\c:\jjpvd.exec:\jjpvd.exe94⤵PID:2504
-
\??\c:\rxxxrff.exec:\rxxxrff.exe95⤵PID:4612
-
\??\c:\nnbnbh.exec:\nnbnbh.exe96⤵PID:3664
-
\??\c:\pjdjd.exec:\pjdjd.exe97⤵PID:3372
-
\??\c:\lxfffrf.exec:\lxfffrf.exe98⤵PID:3660
-
\??\c:\tbhhhh.exec:\tbhhhh.exe99⤵PID:2572
-
\??\c:\dpvpp.exec:\dpvpp.exe100⤵PID:4580
-
\??\c:\flrxfrx.exec:\flrxfrx.exe101⤵PID:2080
-
\??\c:\9tbtnn.exec:\9tbtnn.exe102⤵
- System Location Discovery: System Language Discovery
PID:4652 -
\??\c:\flrfrrx.exec:\flrfrrx.exe103⤵PID:700
-
\??\c:\bhbtht.exec:\bhbtht.exe104⤵PID:4864
-
\??\c:\pjvdv.exec:\pjvdv.exe105⤵PID:3516
-
\??\c:\lrfrxfl.exec:\lrfrxfl.exe106⤵PID:764
-
\??\c:\tnntth.exec:\tnntth.exe107⤵PID:2232
-
\??\c:\djdvd.exec:\djdvd.exe108⤵PID:1016
-
\??\c:\lxfrxff.exec:\lxfrxff.exe109⤵PID:3436
-
\??\c:\tnttbb.exec:\tnttbb.exe110⤵PID:1564
-
\??\c:\jjjpp.exec:\jjjpp.exe111⤵PID:432
-
\??\c:\fllrflr.exec:\fllrflr.exe112⤵PID:3576
-
\??\c:\hthhnb.exec:\hthhnb.exe113⤵PID:4072
-
\??\c:\jjjvv.exec:\jjjvv.exe114⤵PID:912
-
\??\c:\9lxfrfl.exec:\9lxfrfl.exe115⤵PID:4972
-
\??\c:\pjjjj.exec:\pjjjj.exe116⤵PID:2280
-
\??\c:\btnhnt.exec:\btnhnt.exe117⤵PID:452
-
\??\c:\bhbhnt.exec:\bhbhnt.exe118⤵PID:3820
-
\??\c:\pppjd.exec:\pppjd.exe119⤵PID:3136
-
\??\c:\nnnbbh.exec:\nnnbbh.exe120⤵PID:3712
-
\??\c:\pjjjj.exec:\pjjjj.exe121⤵PID:3708
-
\??\c:\flrlflf.exec:\flrlflf.exe122⤵PID:884