Analysis
-
max time kernel
93s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04/11/2024, 14:26 (DD/MM/YYYY, i.e. 4 November 2024 — the analysis image is dated 20241007, which rules out 11 April)
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe
Resource
win7-20240903-en (note: this is the Windows 7 task, but the header above reports platform windows10-2004_x64 / resource win10v2004-20241007-en and every signature hit below is tagged behavioral2, so the results on this page appear to come from the Windows 10 run, not from this task)
7 signatures
120 seconds
General
-
Target
329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe
-
Size
455KB
-
MD5
19284ed11f96c554f8d5384c60e5f050
-
SHA1
ee195535422fff1bdb983ac8c01b9e09efac4e36
-
SHA256
329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027
-
SHA512
d10edff61f8d00a55a568d2ea090e07b5af79ac8665a4b3b35015ac066cd7c756ecc84cb45884fd0f5677732fe479a4b44f841bfcf2ced51a41d7dd7171e2afc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRn:q7Tc2NYHUrAwfMp3CDRn
Malware Config (nothing listed — no configuration was extracted for this sample on this page)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every hit is the same 0x00400000–0x0042A000 image range, and the same memory dumps also match the upx rule further down; this is consistent with each dropped stage being the same UPX-packed Blackmoon image re-dropped under a new name, though that is inferred from the overlap rather than confirmed here — "64" is also the display cap, not a total)
resource yara_rule behavioral2/memory/1600-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4340-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4192-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-897-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1020-1132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each stage is dropped directly into the root of C:\ under a 5–7 letter name built from a small alphabet — b/h/n/t, d/j/p/v, f/l/r/x, optionally with a leading digit — and each one spawns the next; a rule on executables created in C:\ root matching that pattern is a practical hunt for this chain; "64" is the display cap)
pid Process 3388 pdvvv.exe 4584 xfrlfrx.exe 3464 hhbntn.exe 464 ttnntb.exe 2988 bnbhbh.exe 1532 vvjjj.exe 3456 hbhhhb.exe 4940 nbtntb.exe 2312 fllrfrf.exe 232 vvvdv.exe 1300 frflxfx.exe 2536 llflrrx.exe 1508 vpddv.exe 4776 vjjjp.exe 4616 rrlrlfl.exe 3452 1jdjj.exe 384 thnhnn.exe 4560 xlxxrxx.exe 1272 ttbhnn.exe 1220 rlrrflf.exe 1664 rllrlrl.exe 1496 bhnntb.exe 4628 flxxlxf.exe 4192 rllllll.exe 4340 thtttb.exe 3936 nhnnnt.exe 3532 7bhntn.exe 648 pvjvj.exe 2664 flrlrxf.exe 3976 jvpjv.exe 4552 ffrxxxx.exe 2260 ntnnnn.exe 2180 jjjvd.exe 4384 bhhhnt.exe 1604 vjjvj.exe 3132 htbbth.exe 3388 djdjj.exe 3204 tbnthh.exe 4752 llrxfll.exe 3520 pdvpp.exe 1800 llrfxrf.exe 3428 htbtht.exe 4992 dppvd.exe 8 rfflrxl.exe 3456 djdjp.exe 1996 xrllrxx.exe 4456 tnnbhn.exe 2176 jvddp.exe 3944 lxlxfll.exe 3220 5vjdp.exe 1300 llfxxxl.exe 1788 hbhnhh.exe 2528 jjvvp.exe 636 lflllxf.exe 3412 pvdjj.exe 4988 fxfllrr.exe 1224 httbtb.exe 3356 dvjdv.exe 1528 fflrflx.exe 2500 tbtnth.exe 5044 vjppd.exe 4088 xllrxfl.exe 4476 tbthbn.exe 1572 dpppv.exe -
resource yara_rule behavioral2/memory/1600-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-126-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4340-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-313-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4488-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-652-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. On this page the only observed action is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; this key is also read by benign software, so treat it as weak corroboration rather than a standalone indicator. Entries marked "Process not Found" are reads whose process had already exited before the sandbox resolved it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fflrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrflxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrflxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddd.exe -
Suspicious use of WriteProcessMemory 64 IoCs (every entry is a parent writing into the child it has just created, three identical entries per parent/child pair, following the same chain as the process tree below; this pattern is characteristic of normal process creation rather than cross-process injection into an unrelated target, so treat it as process-tree corroboration, not as evidence of injection; "64" is the display cap)
description pid Process procid_target PID 1600 wrote to memory of 3388 1600 329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe 84 PID 1600 wrote to memory of 3388 1600 329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe 84 PID 1600 wrote to memory of 3388 1600 329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe 84 PID 3388 wrote to memory of 4584 3388 pdvvv.exe 85 PID 3388 wrote to memory of 4584 3388 pdvvv.exe 85 PID 3388 wrote to memory of 4584 3388 pdvvv.exe 85 PID 4584 wrote to memory of 3464 4584 xfrlfrx.exe 86 PID 4584 wrote to memory of 3464 4584 xfrlfrx.exe 86 PID 4584 wrote to memory of 3464 4584 xfrlfrx.exe 86 PID 3464 wrote to memory of 464 3464 hhbntn.exe 87 PID 3464 wrote to memory of 464 3464 hhbntn.exe 87 PID 3464 wrote to memory of 464 3464 hhbntn.exe 87 PID 464 wrote to memory of 2988 464 ttnntb.exe 88 PID 464 wrote to memory of 2988 464 ttnntb.exe 88 PID 464 wrote to memory of 2988 464 ttnntb.exe 88 PID 2988 wrote to memory of 1532 2988 bnbhbh.exe 89 PID 2988 wrote to memory of 1532 2988 bnbhbh.exe 89 PID 2988 wrote to memory of 1532 2988 bnbhbh.exe 89 PID 1532 wrote to memory of 3456 1532 vvjjj.exe 91 PID 1532 wrote to memory of 3456 1532 vvjjj.exe 91 PID 1532 wrote to memory of 3456 1532 vvjjj.exe 91 PID 3456 wrote to memory of 4940 3456 hbhhhb.exe 92 PID 3456 wrote to memory of 4940 3456 hbhhhb.exe 92 PID 3456 wrote to memory of 4940 3456 hbhhhb.exe 92 PID 4940 wrote to memory of 2312 4940 nbtntb.exe 93 PID 4940 wrote to memory of 2312 4940 nbtntb.exe 93 PID 4940 wrote to memory of 2312 4940 nbtntb.exe 93 PID 2312 wrote to memory of 232 2312 fllrfrf.exe 94 PID 2312 wrote to memory of 232 2312 fllrfrf.exe 94 PID 2312 wrote to memory of 232 2312 fllrfrf.exe 94 PID 232 wrote to memory of 1300 232 vvvdv.exe 96 PID 232 wrote to memory of 1300 232 vvvdv.exe 96 PID 232 wrote to memory of 1300 232 vvvdv.exe 96 PID 1300 wrote to memory of 2536 1300 frflxfx.exe 97 PID 1300 wrote to memory of 2536 
1300 frflxfx.exe 97 PID 1300 wrote to memory of 2536 1300 frflxfx.exe 97 PID 2536 wrote to memory of 1508 2536 llflrrx.exe 98 PID 2536 wrote to memory of 1508 2536 llflrrx.exe 98 PID 2536 wrote to memory of 1508 2536 llflrrx.exe 98 PID 1508 wrote to memory of 4776 1508 vpddv.exe 99 PID 1508 wrote to memory of 4776 1508 vpddv.exe 99 PID 1508 wrote to memory of 4776 1508 vpddv.exe 99 PID 4776 wrote to memory of 4616 4776 vjjjp.exe 100 PID 4776 wrote to memory of 4616 4776 vjjjp.exe 100 PID 4776 wrote to memory of 4616 4776 vjjjp.exe 100 PID 4616 wrote to memory of 3452 4616 rrlrlfl.exe 101 PID 4616 wrote to memory of 3452 4616 rrlrlfl.exe 101 PID 4616 wrote to memory of 3452 4616 rrlrlfl.exe 101 PID 3452 wrote to memory of 384 3452 1jdjj.exe 102 PID 3452 wrote to memory of 384 3452 1jdjj.exe 102 PID 3452 wrote to memory of 384 3452 1jdjj.exe 102 PID 384 wrote to memory of 4560 384 thnhnn.exe 104 PID 384 wrote to memory of 4560 384 thnhnn.exe 104 PID 384 wrote to memory of 4560 384 thnhnn.exe 104 PID 4560 wrote to memory of 1272 4560 xlxxrxx.exe 105 PID 4560 wrote to memory of 1272 4560 xlxxrxx.exe 105 PID 4560 wrote to memory of 1272 4560 xlxxrxx.exe 105 PID 1272 wrote to memory of 1220 1272 ttbhnn.exe 106 PID 1272 wrote to memory of 1220 1272 ttbhnn.exe 106 PID 1272 wrote to memory of 1220 1272 ttbhnn.exe 106 PID 1220 wrote to memory of 1664 1220 rlrrflf.exe 107 PID 1220 wrote to memory of 1664 1220 rlrrflf.exe 107 PID 1220 wrote to memory of 1664 1220 rlrrflf.exe 107 PID 1664 wrote to memory of 1496 1664 rllrlrl.exe 108
Processes (PIDs are reused during this run — for example 3388 appears as pdvvv.exe at depth 2 and again as djdjj.exe at depth 38, and 1300 as frflxfx.exe at depth 12 and llfxxxl.exe at depth 52 — so a PID on its own does not identify a stage; the memory IoCs above, keyed by PID, should be read together with the executable name and tree depth)
-
C:\Users\Admin\AppData\Local\Temp\329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe"C:\Users\Admin\AppData\Local\Temp\329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\pdvvv.exec:\pdvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\xfrlfrx.exec:\xfrlfrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\hhbntn.exec:\hhbntn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\ttnntb.exec:\ttnntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\bnbhbh.exec:\bnbhbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\vvjjj.exec:\vvjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\hbhhhb.exec:\hbhhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\nbtntb.exec:\nbtntb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\fllrfrf.exec:\fllrfrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\vvvdv.exec:\vvvdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\frflxfx.exec:\frflxfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\llflrrx.exec:\llflrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\vpddv.exec:\vpddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\vjjjp.exec:\vjjjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\rrlrlfl.exec:\rrlrlfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\1jdjj.exec:\1jdjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\thnhnn.exec:\thnhnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\xlxxrxx.exec:\xlxxrxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\ttbhnn.exec:\ttbhnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\rlrrflf.exec:\rlrrflf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\rllrlrl.exec:\rllrlrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\bhnntb.exec:\bhnntb.exe23⤵
- Executes dropped EXE
PID:1496 -
\??\c:\flxxlxf.exec:\flxxlxf.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4628 -
\??\c:\rllllll.exec:\rllllll.exe25⤵
- Executes dropped EXE
PID:4192 -
\??\c:\thtttb.exec:\thtttb.exe26⤵
- Executes dropped EXE
PID:4340 -
\??\c:\nhnnnt.exec:\nhnnnt.exe27⤵
- Executes dropped EXE
PID:3936 -
\??\c:\7bhntn.exec:\7bhntn.exe28⤵
- Executes dropped EXE
PID:3532 -
\??\c:\pvjvj.exec:\pvjvj.exe29⤵
- Executes dropped EXE
PID:648 -
\??\c:\flrlrxf.exec:\flrlrxf.exe30⤵
- Executes dropped EXE
PID:2664 -
\??\c:\jvpjv.exec:\jvpjv.exe31⤵
- Executes dropped EXE
PID:3976 -
\??\c:\ffrxxxx.exec:\ffrxxxx.exe32⤵
- Executes dropped EXE
PID:4552 -
\??\c:\ntnnnn.exec:\ntnnnn.exe33⤵
- Executes dropped EXE
PID:2260 -
\??\c:\jjjvd.exec:\jjjvd.exe34⤵
- Executes dropped EXE
PID:2180 -
\??\c:\bhhhnt.exec:\bhhhnt.exe35⤵
- Executes dropped EXE
PID:4384 -
\??\c:\vjjvj.exec:\vjjvj.exe36⤵
- Executes dropped EXE
PID:1604 -
\??\c:\htbbth.exec:\htbbth.exe37⤵
- Executes dropped EXE
PID:3132 -
\??\c:\djdjj.exec:\djdjj.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3388 -
\??\c:\tbnthh.exec:\tbnthh.exe39⤵
- Executes dropped EXE
PID:3204 -
\??\c:\llrxfll.exec:\llrxfll.exe40⤵
- Executes dropped EXE
PID:4752 -
\??\c:\pdvpp.exec:\pdvpp.exe41⤵
- Executes dropped EXE
PID:3520 -
\??\c:\llrfxrf.exec:\llrfxrf.exe42⤵
- Executes dropped EXE
PID:1800 -
\??\c:\htbtht.exec:\htbtht.exe43⤵
- Executes dropped EXE
PID:3428 -
\??\c:\dppvd.exec:\dppvd.exe44⤵
- Executes dropped EXE
PID:4992 -
\??\c:\rfflrxl.exec:\rfflrxl.exe45⤵
- Executes dropped EXE
PID:8 -
\??\c:\djdjp.exec:\djdjp.exe46⤵
- Executes dropped EXE
PID:3456 -
\??\c:\xrllrxx.exec:\xrllrxx.exe47⤵
- Executes dropped EXE
PID:1996 -
\??\c:\tnnbhn.exec:\tnnbhn.exe48⤵
- Executes dropped EXE
PID:4456 -
\??\c:\jvddp.exec:\jvddp.exe49⤵
- Executes dropped EXE
PID:2176 -
\??\c:\lxlxfll.exec:\lxlxfll.exe50⤵
- Executes dropped EXE
PID:3944 -
\??\c:\5vjdp.exec:\5vjdp.exe51⤵
- Executes dropped EXE
PID:3220 -
\??\c:\llfxxxl.exec:\llfxxxl.exe52⤵
- Executes dropped EXE
PID:1300 -
\??\c:\hbhnhh.exec:\hbhnhh.exe53⤵
- Executes dropped EXE
PID:1788 -
\??\c:\jjvvp.exec:\jjvvp.exe54⤵
- Executes dropped EXE
PID:2528 -
\??\c:\lflllxf.exec:\lflllxf.exe55⤵
- Executes dropped EXE
PID:636 -
\??\c:\pvdjj.exec:\pvdjj.exe56⤵
- Executes dropped EXE
PID:3412 -
\??\c:\fxfllrr.exec:\fxfllrr.exe57⤵
- Executes dropped EXE
PID:4988 -
\??\c:\httbtb.exec:\httbtb.exe58⤵
- Executes dropped EXE
PID:1224 -
\??\c:\dvjdv.exec:\dvjdv.exe59⤵
- Executes dropped EXE
PID:3356 -
\??\c:\fflrflx.exec:\fflrflx.exe60⤵
- Executes dropped EXE
PID:1528 -
\??\c:\tbtnth.exec:\tbtnth.exe61⤵
- Executes dropped EXE
PID:2500 -
\??\c:\vjppd.exec:\vjppd.exe62⤵
- Executes dropped EXE
PID:5044 -
\??\c:\xllrxfl.exec:\xllrxfl.exe63⤵
- Executes dropped EXE
PID:4088 -
\??\c:\tbthbn.exec:\tbthbn.exe64⤵
- Executes dropped EXE
PID:4476 -
\??\c:\dpppv.exec:\dpppv.exe65⤵
- Executes dropped EXE
PID:1572 -
\??\c:\bbhhbb.exec:\bbhhbb.exe66⤵PID:4896
-
\??\c:\djjvp.exec:\djjvp.exe67⤵PID:4192
-
\??\c:\fxxflff.exec:\fxxflff.exe68⤵PID:4252
-
\??\c:\nhtbht.exec:\nhtbht.exe69⤵PID:4488
-
\??\c:\vdpvv.exec:\vdpvv.exe70⤵PID:3304
-
\??\c:\7lxxxff.exec:\7lxxxff.exe71⤵PID:4152
-
\??\c:\hbhhhn.exec:\hbhhhn.exe72⤵PID:3504
-
\??\c:\vvddd.exec:\vvddd.exe73⤵PID:4672
-
\??\c:\frrrrrx.exec:\frrrrrx.exe74⤵PID:4552
-
\??\c:\dvpdj.exec:\dvpdj.exe75⤵PID:2544
-
\??\c:\rlrflll.exec:\rlrflll.exe76⤵PID:508
-
\??\c:\bnbhbb.exec:\bnbhbb.exe77⤵PID:1732
-
\??\c:\ppvvp.exec:\ppvvp.exe78⤵PID:4384
-
\??\c:\1xlflxl.exec:\1xlflxl.exe79⤵PID:4780
-
\??\c:\tnbhnn.exec:\tnbhnn.exe80⤵PID:3132
-
\??\c:\jpvvv.exec:\jpvvv.exe81⤵PID:1468
-
\??\c:\rrrlflx.exec:\rrrlflx.exe82⤵PID:3956
-
\??\c:\hhtbbh.exec:\hhtbbh.exe83⤵PID:3320
-
\??\c:\xfxxllr.exec:\xfxxllr.exe84⤵PID:2008
-
\??\c:\tttbbh.exec:\tttbbh.exe85⤵PID:2444
-
\??\c:\vvvdv.exec:\vvvdv.exe86⤵PID:1800
-
\??\c:\nnhnnn.exec:\nnhnnn.exe87⤵PID:3428
-
\??\c:\jpdjp.exec:\jpdjp.exe88⤵
- System Location Discovery: System Language Discovery
PID:756 -
\??\c:\lrlrrxf.exec:\lrlrrxf.exe89⤵PID:5004
-
\??\c:\btbntb.exec:\btbntb.exe90⤵
- System Location Discovery: System Language Discovery
PID:1200 -
\??\c:\lrfrrrx.exec:\lrfrrrx.exe91⤵PID:3496
-
\??\c:\htbbht.exec:\htbbht.exe92⤵PID:2004
-
\??\c:\7jpdd.exec:\7jpdd.exe93⤵PID:2824
-
\??\c:\nbntth.exec:\nbntth.exe94⤵
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\jdvdd.exec:\jdvdd.exe95⤵PID:5016
-
\??\c:\ntntbn.exec:\ntntbn.exe96⤵PID:4480
-
\??\c:\llflrfr.exec:\llflrfr.exe97⤵PID:216
-
\??\c:\ddjpd.exec:\ddjpd.exe98⤵PID:1548
-
\??\c:\ntbhhb.exec:\ntbhhb.exe99⤵PID:3580
-
\??\c:\xrrffrf.exec:\xrrffrf.exe100⤵PID:1092
-
\??\c:\thnbbn.exec:\thnbbn.exe101⤵PID:5088
-
\??\c:\fxlflrl.exec:\fxlflrl.exe102⤵PID:4036
-
\??\c:\bttnnn.exec:\bttnnn.exe103⤵PID:2212
-
\??\c:\thnnnn.exec:\thnnnn.exe104⤵PID:2488
-
\??\c:\lrlfflr.exec:\lrlfflr.exe105⤵PID:1220
-
\??\c:\djjpv.exec:\djjpv.exe106⤵PID:2476
-
\??\c:\xfxflrx.exec:\xfxflrx.exe107⤵PID:5076
-
\??\c:\1htthn.exec:\1htthn.exe108⤵PID:804
-
\??\c:\rlfrlrx.exec:\rlfrlrx.exe109⤵PID:1572
-
\??\c:\bhbbtn.exec:\bhbbtn.exe110⤵PID:2676
-
\??\c:\jvppp.exec:\jvppp.exe111⤵PID:1728
-
\??\c:\ntbbhn.exec:\ntbbhn.exe112⤵PID:1872
-
\??\c:\ddvpd.exec:\ddvpd.exe113⤵PID:3112
-
\??\c:\ffffrrl.exec:\ffffrrl.exe114⤵PID:4744
-
\??\c:\tntnnt.exec:\tntnnt.exe115⤵PID:4692
-
\??\c:\jpvjp.exec:\jpvjp.exe116⤵PID:4932
-
\??\c:\xxflrxf.exec:\xxflrxf.exe117⤵PID:4552
-
\??\c:\bbtbhh.exec:\bbtbhh.exe118⤵PID:2544
-
\??\c:\xxrxfrx.exec:\xxrxfrx.exe119⤵
- System Location Discovery: System Language Discovery
PID:508 -
\??\c:\nhthbt.exec:\nhthbt.exe120⤵PID:3148
-
\??\c:\vdpvd.exec:\vdpvd.exe121⤵PID:1048
-
\??\c:\rrxfflr.exec:\rrxfflr.exe122⤵PID:4780